How can a concept of 'default deny' work, and is Zero Trust actually being understood?
Last week, SC UK was invited to attend the Zero Trust World conference in Orlando, the annual conference of cybersecurity vendor Threatlocker.
Among the talks, CEO Danny Jenkins gave the opening keynote, where he discussed the need to consider a different strategy in cyber defense—namely, changing the paradigm of security from default allow to default deny.
The concept of Zero Trust gets a lot of attention. In fact, one noted podcaster said he had asked 11 people for a definition of the term and “received 12 different answers.” However, my understanding is that it is about allowing fewer connections in and managing downloads and installs more effectively.
Allow and Exception
Sitting with Jenkins, we asked about the industry's shift to his concept of ‘default deny.’ He said many companies are practicing “allow by default and deny by exception,” and while that concept is shrinking, “it's not shrinking fast enough.”
Is this a societal thing, where we’re working openly on SaaS platforms and often with remote staff, making the allow concept just easier?
Jenkins says it was just the default in the 80s, when computers were first created. Parts of computers were locked down, and as network protocols and firewalls became more popular, they too were locked down.
“By the 2000s, open relay servers had been locked down, but from a software point of view, it never really caught on, and now we’re starting to see that trend change because we have no choice.”
Switching
So, in terms of moving to default deny, do your customers come to you and say, ‘We want to follow this, how do we do it?’ Is it a switch from one to the other? Jenkins admits it is pretty easy, explaining, “Typically, we’ll go in, look at their environment, put an agent on the endpoints in a learning mode, and show them what they’ve got.”
He says this usually leads to them learning about things they’re not happy about, but Jenkins says a line is drawn in the sand and they say, “From now on, nothing new enters the environment without authorization from the IT department or security department.”
“Then we’ll pull back on the other stuff slowly because sometimes you have a lot of Shadow IT, as people are used to downloading whatever they want,” he says. “So you just have to tell the users, ‘No, you can’t do that anymore,’ but normally, our first goal is to stop it from getting worse. If there’s something really bad, like remote access tools, we’ll squish them straight away.”
He admits that most companies believe they have a clean environment and know what they are running, but the Threatlocker scan will show 500 apps they didn’t know about, including Chinese and Russian applications.
“Now, they haven’t been hit by ransomware, and it only takes one more application for them to suddenly get hit,” he says. “Some of it is changing the culture, like ‘you can’t really run this game anymore on your machine,’ but that’s not the biggest priority. The biggest priority is stopping the unknown—ransomware. The games pose a risk, and you can pull them back as time goes on.”
So, with default deny, are you stopping things, and do you need to check each on a case-by-case basis? Jenkins says a previous problem was that if an application updated, it would be considered new software.
“Threatlocker takes care of all of that for you. We learn everything for you, and that takes away the update part of it. So now, you really only worry about ‘Am I running a new piece of software?’ and it can be approved very quickly.”
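The learn-then-enforce workflow Jenkins describes, modelled as an added Python example (this is not Threatlocker's code; the policy rules, class names and sample digests are assumptions): inventory what already runs in learning mode, draw the line, revoke anything the baseline captured that should never have been there, and treat a new hash from an already-trusted signer as an update rather than as new software, so only genuinely unknown software needs a decision.

```python
from dataclasses import dataclass, field
from typing import Optional

@dataclass(frozen=True)
class Executable:
    sha256: str               # constructed placeholder digests in the demo, not real hashes
    publisher: Optional[str]  # code-signing identity, None when unsigned

@dataclass
class DefaultDenyPolicy:
    learning: bool = True  # learning mode; set False to draw the line in the sand
    baseline_hashes: set = field(default_factory=set)
    trusted_publishers: set = field(default_factory=set)
    approved_hashes: set = field(default_factory=set)    # explicit IT/security sign-off
    blocked_publishers: set = field(default_factory=set)

    def block_publisher(self, publisher: str) -> None:
        # Pull-back step: revoke something the baseline captured but must not run.
        self.blocked_publishers.add(publisher)
        self.trusted_publishers.discard(publisher)

    def evaluate(self, exe: Executable) -> str:
        if self.learning:  # inventory what already runs; a signed binary also
            self.baseline_hashes.add(exe.sha256)  # teaches its publisher, so
            if exe.publisher:                     # routine updates are not "new"
                self.trusted_publishers.add(exe.publisher)
            return "allow"
        if exe.publisher in self.blocked_publishers:
            return "deny"
        if exe.sha256 in self.baseline_hashes or exe.sha256 in self.approved_hashes:
            return "allow"
        if exe.publisher and exe.publisher in self.trusted_publishers:
            return "allow"  # known signer, new hash: an update, not new software
        return "deny"  # default deny: unknown and unsigned, or signed by a stranger

def run_demo() -> dict:
    """Constructed walkthrough: learn a baseline, freeze, pull back, judge new events."""
    office_v2 = Executable("aa12", "Constructed Vendor Inc")
    remote = Executable("bb22", "Constructed Remote Co")
    game = Executable("cc33", None)
    policy = DefaultDenyPolicy()
    policy.evaluate(Executable("aa11", "Constructed Vendor Inc"))
    policy.evaluate(remote)  # learning mode also captured a remote access tool
    policy.learning = False  # from now on nothing new runs without authorization
    policy.block_publisher("Constructed Remote Co")  # "squish" it straight away
    verdicts = {k: policy.evaluate(e) for k, e in
                [("office_update", office_v2), ("remote_tool", remote), ("unknown_game", game)]}
    policy.approved_hashes.add(game.sha256)  # request reviewed and signed off by security
    verdicts["game_after_approval"] = policy.evaluate(game)
    return verdicts
```

Note that the blocked-publisher check runs before the baseline check, so a revoked tool is denied even though learning mode recorded its hash.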
Trust Zero Trust?
Zero Trust itself suffers from a lot of hype, but with this company naming its main conference after the term, is this about taking the term back? Jenkins admits that Zero Trust is a buzzword, and says the problem with it is that three-quarters of the companies using it in their marketing have no relevance to it.
So, is this Threatlocker putting its stake in the ground on Zero Trust to attract users who are potentially interested in the concept? Jenkins says its mission is to educate people on how they get hit without it. “Three-quarters of our customers had never considered it until they met us, and then we convinced them to look at it. We show them some reasons, and we do a hacking demonstration to help them get themselves in order.”
He believes that with 54,000 companies using Threatlocker, and 99.9% of them having never considered Zero Trust five years ago, “it shows that companies are saying, ‘I’m willing to adopt this methodology.’”
Jenkins also made the point that legislation—such as the executive order on improving the nation's cybersecurity—recommends implementing a Zero Trust architecture. “But I think there’s also a huge risk it becomes a buzzword that’s misinterpreted and not implemented properly.”
Therefore, he says that whenever the company talks about Zero Trust, they define it with additional context, specifically least privilege. “This means blocking what isn’t needed,” he explains. “The same goes for continuous validation; well, anyone can argue that they’re continuously verifying to see if something’s bad, so you get into ambiguity.”
The concept of Zero Trust does suffer from a significant amount of ambiguity, and those various definitions water down the message for those keen to build a strategy around it. For Threatlocker, its message is clear and focuses on default deny and visibility of what is accessing the data. Having spent time in the world of Zero Trust, maybe we’ll see other companies making an effort to amplify their message.
Written by
Dan Raywood
Senior Editor
SC Media UK
Dan Raywood is a B2B journalist with more than 20 years of experience, including covering cybersecurity for the past 16 years. He has extensively covered topics from Advanced Persistent Threats and nation-state hackers to major data breaches and regulatory changes.
He has spoken at events including 44CON, Infosecurity Europe, RANT Conference, BSides Scotland, Steelcon and ESET Security Days.
Outside work, Dan enjoys supporting Tottenham Hotspur, managing mischievous cats, and sampling craft beers.