Why Detection Should Never Be Plan A: ThreatLocker CEO

Zero trust security controls ‘give you time’ to react, with detection merely serving as a backup, according to ThreatLocker co-founder and CEO Danny Jenkins.

If a detection tool spots malicious activity on an endpoint that does not block malware by default, the damage may have already been done by the time you’re alerted that there’s an issue, according to ThreatLocker co-founder and CEO Danny Jenkins.

A better approach: Block malware automatically and use detection in a secondary capacity, Jenkins said Monday during the XChange March 2024 conference.

“When you have these controls in place, you have detection as a backup,” he said. “And you know what this gives you? The controls give you time.”

By taking this deny-by-default approach, ThreatLocker’s recently unveiled managed detection and response (MDR) offering is poised to stand out from others that have come to market, according to Mike Shook, CEO of Cary, N.C.-based 5S Technologies.

The difference is clear from the experience at 5S, a major ThreatLocker partner, in using the vendor’s tool to protect customers, Shook said. For instance, during a recent incident that impacted a customer due to a firewall vulnerability, the attacker was blocked from executing any malware after gaining initial access, he said.

For many organizations, without using a tool such as ThreatLocker, “zero trust is something they don’t have on the endpoint,” Shook said. “That’s been pretty special for us.”

During the session at XChange, which is hosted by CRN parent The Channel Company and being held this week in Orlando, Fla., Jenkins said that blocking malware deployment by default puts attackers at a “disadvantage.”

Ultimately, “using zero trust and detection as the backup, we [give] you time and we also [tell] you that bad things are happening on your machine,” he said.