
How Bucking the AI Trend Enables ThreatLocker Growth

Artificial Intelligence, Managed Services | 31 March


Sharon Florentine: Hi everyone, I'm Sharon Florentine. I am the Acting Editorial Director here for SC UK, and I am thrilled to be with you today. I am joined by Rob Allen, who is the Chief Product Officer at ThreatLocker. Rob, welcome, and why don't you tell the audience a little bit about yourself and your role to get started?

Rob Allen: Sure, well, thank you for having me and us on, Sharon. It's a pleasure to be here. I am, as you said, Chief Product Officer here at ThreatLocker. I've been with the company for almost, well, 5 years now, previously an MSP in the past, now a recovering MSP.

But, yeah, I've been with ThreatLocker for 5 years. It's been an incredible journey, it's unbelievably fulfilling, to help create a product that helps people sleep at night. And I'm lucky enough to get to do a lot of events, I get to meet a lot of customers, and that's probably the biggest feedback and the best feedback I can get from people. And it happens really often: people literally say, you help us sleep at night. And being part of that is just incredibly gratifying.

Sharon Florentine: Yeah, I can imagine. And so, working with the customers that you do, obviously, endpoints are a major focus, but why, after all this time, do endpoints… are endpoints still such a huge threat vector?

Rob Allen: Well, there's a couple of parts to it. I mean, one is, I'm not sure if you're familiar with the concept of PEBKAC.

Sharon Florentine: I am, but let's dive into that so there's no confusion.

Rob Allen: Yeah, well, it's… problem exists between keyboard and chair. Yes. So, yeah, generally speaking, the potential issue is very often the squishy thing that's sitting in front of the computer rather than the computer itself, which is --

Sharon Florentine: It's the human element.

Rob Allen: Yeah, exactly. And look, not always, but often, you know what I mean? Like, a computer isn't going to click on that link, whereas, you know, Doris in Accounts is probably going to click on that link. So that's part of it. I mean, the fact of the matter is there's a lot of endpoints out there, so it's a very big attack surface. There is a lot of software that people use, a lot of times that software is vulnerable, whether users know it or not. So, the endpoint has historically and continues to be the biggest attack vector in terms of ransomware attacks, in terms of breaches.

There's just so many different variables in most organizations. And the problem is the, I suppose, cybersecurity in general, but the problem of endpoint security is not a solved problem. Despite the fact that we've been fighting the fight for, you know, probably 20 years now at this point, through various different methods, whether it be antiviruses, you know, once upon a time, to EDRs and MDRs and XDRs and TDRs and anything you want to mention that ends with the letters D and R, they fundamentally all take the same approach to the problem of cybersecurity, which is to detect bad things and respond to them.

Now, the problem is, nobody knows everything that's bad. If it was a solved problem, it wouldn't be a problem anymore. Nobody knows everything that's bad, nobody knows every piece of malware. So, obviously, as I said, it started with antivirus. With antivirus, the idea was that you'd have signatures, you'd have definitions, you'd be able to recognize things as being bad, but the fact is, there's 160,000 new pieces of malware released every single day.

So how do you keep up with that? I mean, you just can't. But then, as I said, the approach changed over time, so instead of looking at signatures and definitions, let's look at behaviors. Let's look at heuristics. Let's, again, try and figure out what is bad. But the problem is, as I said, you can't always do that, or it's not always successful, is the best way to describe it.

So, given that is the situation, and continues to be the situation, what we at ThreatLocker do is we take a different approach, which is rather than trying to figure out everything that's bad, and depend on decisions being right 100% of the time, which they never are.

What we do is we changed the paradigm. We changed the approach from what is fundamentally a permit-by-default approach. So that's what your computer does right now, is it allows everything by default, unless it knows it to be bad. Now, as I said, that's been proved not to work, so what we do instead is we deny by default, so we block by default, so we don't allow scripts to run, we don't allow PowerShell to reach out to the internet, we take that deny-by-default approach. With a very important caveat, which is to allow what's needed.

So, you know, I'm a pretty advanced user, but realistically, I use Office, I use Teams, I use Zoom, I use browsers, I use, you know, 4 or 5 other applications. But that's it, that's all I need. So, our approach is to allow those things but to block everything else. So, including malware, including ransomware, including malicious scripts, basically everything that isn't essential isn't allowed to happen. And by taking that approach, and it's a bit of a mind shift change, because people are used to being able to do whatever the hell they want on their computers. Yeah. So it is a bit of a mind shift change, but once you actually get your head around it, well, it's really simple. I mean, the example I use, and it's probably not a great example, but it works. Think about your phone. So, your phone that you have in your pocket right now, there are some exceptions to this these days, but generally speaking, I use an iPhone, okay? Now, you can't just download anything you want onto that iPhone and run it.

There's effectively a gatekeeper there. Now, in the case of the iPhone, the gatekeeper is Apple, so you have to submit things through the App Store, they have to be reviewed, checked, approved, all that kind of stuff. I mean, effectively, ThreatLocker is just introducing the same concept, but for Windows. Which is, you can't just run anything you want on your machine, there has to be a gatekeeper, there has to be something that says, no, it's going to be checked out. And that's fundamentally the approach that ThreatLocker takes.

Sharon Florentine: Okay. It's really a variation of sorts on the trust but verify, zero trust approach…

Rob Allen: Well, it's actually the exact opposite of trust but verify. So, trust but verify is fundamentally what antivirus does. It's what EDR does. It says, I'm going to allow this thing to run on your computer, but I'm going to verify if it's okay or not. I'm going to check it out. Okay. Correct. So, zero trust is the opposite of that. Zero trust is, look, only allow what is essential. Only allow what is required. So, it's more zero trust than trust by… but verify, if that makes sense.

Sharon Florentine: 100%. Thank you for clarifying that.

Sharon Florentine: And so, I would assume that with this approach, configurations and misconfigurations would be a huge stumbling block for this, and so I know ThreatLocker has a product that deals with this. Can you talk about that a little bit?

Rob Allen: Sure. It's actually our most recently added product, which is called Defense Against Configurations. Now, we can talk about the other stuff that we do, the Zero Trust, the control stuff, in a little bit more detail, but we added Defense Against Configurations recently.

And the genesis of the idea, or why it started, was we wanted a way of automatically checking our customers' ThreatLocker configuration. So, obviously, ThreatLocker's a very powerful tool. You set it up well, you set it up right, and it's going to basically keep you safe. If you set it up badly, that's a problem. So, if I create a policy that allows anything to run from any user's users folder, that's a problem, because ransomware can run, or malware can run, or remote access tools can run, or all the things that the bad guys will use can run, as long as they're in those locations.

So, Defense Against Configurations began with a way of checking customers' ThreatLocker configurations automatically for them. So, did you set up a dumb application? Did you set up a dumb policy? We're going to tell you about it, rather than it being exploited and you finding out about it when it's too late.

Now, what we realized then was there were a lot more than just ThreatLocker things that we could check. I mean, we fundamentally have an agent that's running on everybody's machine, so there's a lot of other things that would be considered best practice from a security perspective that we can also check on the machine. So, you know, is my computer set to lock after X minutes of time, or is my password, or when did I last change my password, or is there a strong password policy in place? Currently, we run about 200 checks a day on every machine.

They report back to a central location, so you can see very easily what the problem is, explain why it's a problem, and give you solutions to it. Now, often, the solutions are going to be ThreatLocker solutions, so it's going to be something that you can just click on a button, it'll download a policy, and you've solved that problem. Sometimes it will be outside of the scope of ThreatLocker, so it'll be like a Windows configuration, or a group policy configuration, or something that we don't necessarily control.

But the point is, we're making these misconfigurations visible to people, there's a constant check going on, because you know, organizations might say, look, we adhere to the NIST framework, and we don't have any users that are local administrators, there shouldn't be. This is checking that constantly on every machine in an environment every single day, so you don't have to just hope that your configuration is right. Because, as I said, the problem with these misconfigurations is that very often people only find out about them when it's too late. When a breach has already occurred, when something bad has happened, you discover that, oh, you know, this was misconfigured.

The point about this is it brings it front and center, it makes it visible, it makes it available, everybody knows about it. It's the first page that you're brought into when you log into ThreatLocker: our Defense Against Configurations page, because we want people to know about these things. We don't want them to be swept under the rug, we don't want them to be forgotten about. So, yeah, as I said, it's a recent addition to our suite of products, which is quite extensive, but it is something that our customers have been extremely positive about.

Sharon Florentine: Yeah, it really seems like that would take a lot of the uncertainty out. Like you said, it removes the hoping for the best part of it. You know, it almost automates the process of making sure that things are secure.

Rob Allen: That's exactly the point. It is about automating it. It's about doing it constantly, you know what I mean? It's no good if you do an audit of yourself once every 3 months or 6 months, and something changes after day 1 that makes you less secure, that you're not going to find out about, either for 3 months or 6 months, or when a breach happens.

That's why it's so important that these checks take place constantly, daily, every single machine is checked, and the results are reported back, and again, presented in what is effectively an executive format, where you can see, well, this is how secure our environment is from a configuration perspective.

Sharon Florentine: Okay. Speaking of automation, and obviously closely related to AI… How are you folks leveraging AI in your solutions, and how's that adding value?

Rob Allen: I'm gonna surprise you now, Sharon. The answer is, we're not.

Sharon Florentine: Okay. I'm intrigued.

Rob Allen: It is one of the… really best things about the approach that we take is that we're not depending on something making decisions. Again, if you think about your AV or your EDRs, I mean, it's one of my frustrations with the cybersecurity industry as a whole, is this obsession with AI. We're powered by AI, we're infused with AI, but fundamentally, what that means is AI is making decisions on what's good and what's bad. And the one thing I've become aware of from using these tools for quite some time is that AI will make decisions, and quite often those decisions will be wrong.

Even if it gets one decision wrong, it might make a million decisions a day about what's good and what's bad. If it gets one decision wrong, then that's one too many, because that could be the difference between breach and not breach, or ransomware and not ransomware. So the beauty about the approach that we take, because we deny by default, we're not depending on decisions. Our decisions are binary. Is this on the list that says it's allowed to happen? Yes. If it's not, it won't.

So, as I said, it's very liberating, it's very freeing to not be depending on those decisions. It means that we don't need to infuse everything with AI to make those decisions better, because fundamentally, the decision is, is it on the list? Yes. Is it not? No.

Sharon Florentine: Right. So AI can introduce additional complexity and additional potential security flaws when you don't have to.

Rob Allen: Right. I'll give you a really good example. So, yeah, the additional complexity is actually a very good point. So, I mean… cybersecurity is a complex problem, whatever way you look at it. So whether it be, you know, Doris in accounts clicking on the link, or whether it be a vulnerability exploited in a piece of software, or, you know, a bad actor, a threat actor buys access to your environment. I mean, that's more and more common these days.

Rob Allen: So it's a complex problem, but sometimes complex problems have very simple solutions. So, I'll give you an example, which is we actually did a, we did a webinar once upon a time with David Bombal and a guy called Jakoby. Now, Jakoby is an absolute genius. The guy can do anything with PowerShell. I mean, it is terrifying, some of the things he can do. He's got a really cool website. Check him out, look him up, he's on YouTube and everything. The guy's a genius. And he basically uses PowerShell for hacking, in a lot of cases. Now, he came up with a method whereby he was able to create custom PowerShell that functioned as a remote shell.

So for those who don't know, remote shell is basically… it's the opposite of what you might think an attacker getting onto your machine might be. It's not somebody connecting from here to here, it's your machine reaching out to the attacker and basically saying, come on in.

Okay, it's very often a stager, it can often be the first stage of a lot of ransomware attacks as some sort of reverse shell manages to run. Now, you can do it with PowerShell, ordinary PowerShell. It'll get picked up pretty much immediately, even by Windows Defender, even the dumbest of antivirus will see that this is happening and will stop it. So what he did that was so special and clever was he basically made it polymorphic.

He made it so that every time it ran, it was different, so it wasn't detected, it wasn't known, recognized as being bad.

Now, he tested this against every major EDR, every tool that is out there that he could get his hands on, he tested this against, and it sailed through every single one of them, because it wasn't recognized as bad, it wasn't known as bad. Now, we actually set Jakoby up with a test environment in ThreatLocker. We said, look, you know, go play with that, see what happens.

So, when he tried to do it in ThreatLocker, it wasn't able to happen, because PowerShell wasn't able to reach out to the internet to do the thing that he was trying to do. We actually did a, as I said, a webinar with him about it, and we… he was like, you know, ThreatLocker are doing this amazing behavioral analysis that they were able to recognize what I was doing was bad and shut it down.

And I had to say to him, Jakoby, that's not what's happening. What's happening is we're blocking PowerShell from accessing the internet. We're not… we don't need to recognize that you're doing something bad. We just take the approach that PowerShell does not need to access the internet in the vast majority of cases, so therefore we're not allowing PowerShell to access the internet. It's a function of ThreatLocker called ring fencing.

But the point is, and I know it's a really long way, long-winded way of explaining it, but the point is, sometimes complex problems have very simple solutions. That is a complex problem, trying to recognize this behavior, this, this, you know, this thing as being malicious, whereas we don't have to recognize that behavior as being malicious. We just have to say, look, PowerShell doesn't need to access the internet, we're not going to let it access the internet, so therefore PowerShell isn't going to be able to be used in this malicious fashion.

Sharon Florentine: Right. If it can't do it in the first place, you've stopped it before it's even gone.

Rob Allen: No problem there. I mean, it's a really interesting one. So one… and Microsoft come out with what they call a digital defense report every year. Last year's one was really interesting, because they spoke a lot about remote encryption. And remote encryption is basically where something unprotected is encrypting data on something that is protected, and they said that a huge percentage, like 70% of ransomware attacks involve remote encryption.

And we do have a solution to that as well, it's a thing called network control.

But this year's one was quite interesting, because they said there's been a massive increase year-on-year in what are called click-fix attacks. Now, a click-fix attack is basically… an example would be, you go to a website, the website basically goes full screen and looks like a Windows blue screen of death, for argument's sake. But what they'll do is they'll put a series of commands. They'll say, look, if you want to fix this problem, do this. And generally speaking, the "do this" is you click here to copy, you press the Windows key and R to run, you click paste, and then you press Enter.

And from a user's perspective, your average… I'm not going to say uneducated user, but your average non-computer-savvy user, they will see that, and they go, oh, there's a problem here, Microsoft are telling me how to fix it. So I'm going to do the click here, I'm going to do the Windows key, I'm going to press paste, and I'm going to press run.

Now, going back to the Jakoby example, very often what is happening at that point is either malware is being downloaded straight away, or a reverse shell is being set up to give an attacker remote access to their machine.

Now, that's, as I said, Microsoft themselves have said this is an enormous problem now. These click-fix attacks are spreading wildly, because you're… tricking people into doing something that is against their interests. They think they're solving a problem, but in fact, what they're doing is they're giving an attacker access to their machines.

Now, again, that problem is solved by ring fencing. So, one, again, of the things that ThreatLocker does, I mean, the core of our product is about application control, so it's what can run and what can't run, which is what stops ransomware and all that kind of stuff from running, but it's also what things can do when they're running. So, should PowerShell be able to reach out to the entire internet? Should it be able to access my files? Should it be able to, you know, do all of the things that the attackers use it to do? And the reality is, in most instances, it doesn't.

So, as I said, really complex problem, very simple solution. So it's not about detecting all the things that are bad, it's about controls that stop those things from happening.

Sharon Florentine: Amazing.

Sharon Florentine: Well, thank you so much for coming on today and walking me through all this. I really appreciate it. And, any last, final thoughts you want to impart to the audience about ThreatLocker or EDR endpoints?

Rob Allen: So, it's… What I will say is, since I've joined ThreatLocker, ThreatLocker has become a fully-fledged endpoint protection platform, so it used to be just about listing and ring fencing. We added things like storage control, or elevation, which is our privileged access management. We added network control a few years ago, which is, as I said, the solution to that remote encryption problem. Since then, we've added web control, which is web filtering. We've added patch management. It has grown to be a fully-fledged endpoint protection platform.

It may have sounded that I was dismissive about EDRs and all the things that end with D and R. We do have our own EDR as well, which is what's called ThreatLocker Detect. Now, the slight difference from our perspective is we don't see EDRs being the entire ballgame, which fundamentally is what most EDRs are. They are… if you get by the EDR, you're home free, there's no problem.

So we see EDR as something that is complementary to those other things that I mentioned, so the allow listing, the ring fencing, all that other stuff. Because in an ideal scenario, your EDR is going to alert you about things that are trying to happen, but not able to happen.

Rather than things that are actually happening, which is what happens with most EDRs. So yeah, we do have our own EDR, we've got an MDR, so basically we've got a team of people who are watching alerts for millions of endpoints now, at this point, so… It is a fully-fledged endpoint protection platform. What that means is, for most organizations, and one of the biggest problems with cybersecurity is agent fatigue, vendor fatigue, bill fatigue, alert fatigue, basically all of those things come from having too many products in play. I mean, most organizations probably have somewhere in excess of 10 different security solutions that they're using at any given time. So whether it be web filtering, or email filtering, or antivirus, or EDR, or MDR, or something like ThreatLocker, basically, you've got 10 different places that you're looking for information, you know, 10 different bills, 10 different products your team needs to understand, 10 different portals you need to log into on a daily basis.

The one thing that ThreatLocker offers with all of these different products and solutions is a single place, a single portal, it's one bill, it's one agent that's running on machines. Again, so many people have said to me, look, we've got six different agents running on our computers, and they're slow as hell.

Sharon Florentine: Yeah.

Rob Allen: All of that goes away when you have everything in one, in one agent and one product. So, yeah, there is a lot to it, and basically anybody can check us out on, obviously, the website, ThreatLocker.com.

We do a lot of this kind of thing, so check out our YouTubes, our socials, at the risk of sounding like every YouTuber my kids ever watch: smash that subscribe button. We do webinars ourselves as well, which are, generally speaking, very well received. People enjoy them, they are both educational and entertaining sometimes, so we did ones where we shot Wi-Fi pineapples onto the roof of the building, it involved helicopters, it almost involved lawsuits from our landlords.

And last but not least, just to mention, we do have an event, so we run an event every year here in Orlando in March. This year it's March 6th to 8th, I believe, which is called Zero Trust World. It's the fifth year we've done it now. It's basically doubled in size every year we've done it. It is both educational and entertaining. We've got some really good speakers, sessions.

We do things like how to hack with rubber duckies, or how to use a Wi-Fi pineapple, all that kind of stuff that's useful for defenders to know what attackers might be doing. So yeah, Zero Trust World, I think it's ZTW.com, if people want to check it out, and come. I'm sure we can organize some sort of special code or discount or something, but maybe it's too late for that, but I'm sure we can probably arrange it for people if they're interested.

Sharon Florentine: Amazing. Thank you so much again. Thank you to the audience for tuning in. I am Sharon Florentine. Hope to see you next time.