Default deny: Navigating the new frontier of cybersecurity with ThreatLocker

16 November 2023

The ThreatLocker® Zero Trust framework works from a fundamental precept of deny by default. Source: Shutterstock

A glance at mainstream news outlets will convince anyone that cybercriminals pose a clear and present danger to organizations. High-profile hacks affect millions of people each year and cost organizations significant amounts of money, business, and reputation.

The sophistication of hackers’ methods today is such that most organizations have advanced defensive systems and working methods to lower their chances of falling victim to cybercrime. The specific challenges of protecting dynamic networks mean the security team must choose its tools carefully.

Identity and Trust

In the past, cybersecurity focused on perimeter and node-based protection. Heuristic scanning, pulled or pushed updates, and heavyweight locally-installed agents provided protections based on historical incidents.

It has become more apparent that a barrier-based defense is ineffective, especially against zero-day attacks and user errors such as falling for phishing or for social engineering that exploits personal information to gain trust.

Zero Trust frameworks offer parity between machine and people identities and, therefore, an acceptance that compromised devices can be as dangerous to an organization’s assets as a member of staff fooled by clever social engineering to download malicious applications.

Many Zero Trust cybersecurity solution providers do not fit modern cybersecurity demands well. For medium to large organizations and MSPs, and for discrete business units that work across hybrid topologies and numerous cloud services, the solutions fail on two counts:

  1. Endpoint definition. Many solutions treat endpoints as a static set (desktops, servers, network infrastructure) and place mobile devices and devices used for remote/hybrid work in a separate classification. All of them belong in the same category: endpoints.
  2. Historical legacy. Many cybersecurity solutions have evolved from a perimeter/client platform and lack the flexibility to keep up with bad actors’ speed of change and their adoption of advanced technologies, like AI.

Many providers of zero-trust cybersecurity solutions fail on two accounts; Endpoint definition and historical legacy. Source: Shutterstock

Effectiveness Starts at Deny by Default

The Zero Trust framework works from a fundamental precept of deny by default. The concept of deny by default comes from the acknowledgment that compromised devices can use tooling that often ships by default (such as Windows PowerShell) to spread malicious code, including ransomware, across networks no longer bound by an organization’s perimeter.

That means an infected device can affect cloud-based assets as easily as it can access local nodes on its LAN. By denying actions such as the ability to execute code, download files, or connect to other applications, ThreatLocker enables cybersecurity teams to control who and what can be present on a distributed network and what they can do. Users can even be blocked from getting basic access by means of conditional access with geofencing.

ThreatLocker Ringfencing™ can prevent applications from running unapproved binaries and allows them to access assets only under a defined set of circumstances. Administrators can define these as simple (after machine identity is confirmed, for example) or more complex (read-only access permitted between certain hours, originating from specific IP blocks).
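To make the deny-by-default logic of the two preceding paragraphs concrete, here is an added illustration (not ThreatLocker code, and not a description of its internals) of a minimal policy evaluator: nothing is allowed unless an explicit rule permits it, and a rule can require a verified machine identity, a time window, and a source IP block. The application name, share path and CIDR block are constructed sample values.

```python
from dataclasses import dataclass, field
from datetime import time
from fnmatch import fnmatch
from ipaddress import ip_address, ip_network

@dataclass
class Request:
    app: str                # executable asking to act, e.g. "ledger.exe"
    action: str             # "execute", "read", "write" or "connect"
    resource: str           # file path, host or application being accessed
    src_ip: str             # address the request originates from
    at: time                # local time of the request
    machine_verified: bool  # device identity confirmed before the request

@dataclass
class AllowRule:
    app: str
    actions: set
    resource_glob: str
    require_machine_identity: bool = False
    hours: tuple = ()                                  # (start, end); empty = any time
    src_networks: list = field(default_factory=list)   # CIDR blocks; empty = any source

    def permits(self, r: Request) -> bool:
        if r.app != self.app or r.action not in self.actions:
            return False
        if not fnmatch(r.resource, self.resource_glob):
            return False
        if self.require_machine_identity and not r.machine_verified:
            return False
        if self.hours and not (self.hours[0] <= r.at <= self.hours[1]):
            return False
        if self.src_networks and not any(
                ip_address(r.src_ip) in ip_network(n) for n in self.src_networks):
            return False
        return True

def evaluate(rules: list, r: Request) -> bool:
    # Deny by default: allowed only when some rule explicitly permits the request.
    return any(rule.permits(r) for rule in rules)

# Constructed policy: ledger.exe may read (never write) the finance share during
# office hours, from the corporate LAN, on a machine whose identity is verified.
POLICY = [AllowRule("ledger.exe", {"read"}, r"\\fs01\finance\*",
                    require_machine_identity=True,
                    hours=(time(8, 0), time(18, 0)),
                    src_networks=["10.20.0.0/16"])]

def decide(app, action, resource, src_ip, hh, mm, verified=True, rules=POLICY):
    # Convenience wrapper: build a Request and evaluate it against a policy.
    return evaluate(rules, Request(app, action, resource, src_ip, time(hh, mm), verified))
```

Any request that no rule covers, such as an interpreter that ships with the OS trying to execute, is refused without needing a signature or a blocklist entry.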

Policies encompass all devices used in distributed networks, including those connecting via remote access – like home or mobile workers – and can be applied to different nodes, such as servers, network gear, mobile devices, laptops, and IoT devices. That prevents a single compromised device from executing a payload or traversing beyond a limited subnet. The applied controls address issues such as a device joining an unprotected network, infected devices hopping from node to node, and delayed-execution payloads.

The latest ransomware tactics have moved beyond encryption and extortion to include data exfiltration and blackmail for its return. In a Zero Trust environment, such as one protected by ThreatLocker, even compromised machines can be prevented from connecting beyond the LAN, making exfiltration impossible. And that’s even assuming malicious code will deploy at all.

Matters of industry

Creating safe policies for specific industries (healthcare, finance, education, etc.) will differ according to threat levels, governance factors, and required levels of data access. The ThreatLocker administrative dashboards simplify policy creation and exceptions yet produce powerful results.

Finding the balance for endpoints between usability and security has traditionally been a matter of rolling back access (to the internet, for example) and restricting client actions. In the ThreatLocker Zero Trust environment, a policy is defined by what is allowed, which can be determined by intelligently designed templates and customized according to specific organizations and industries.

To learn the differences between traditional cybersecurity and the new paradigm of Zero Trust, reach out to a ThreatLocker Cyber Hero Team Member or enroll in a free trial so your team can test the ThreatLocker Zero Trust Endpoint Protection Platform in your environment.