ThreatLocker CEO: Thwart Ransomware With Endpoint Controls
‘What we have [with detection] is three or four alarms in our house, and the front door is not locked ... The house alarms are going to make a lot of noise if somebody breaks in, but it’s not going to stop someone from walking in,’ says ThreatLocker CEO Danny Jenkins.
Businesses must move beyond detection technologies like antivirus and threat hunting and embrace endpoint security controls like application whitelisting and ringfencing to stop ransomware attacks.
ThreatLocker CEO Danny Jenkins said organizations can strengthen their security posture by adopting a least privilege architecture where users and applications have access to only the capabilities they need to function. Specifically, Jenkins urged XChange+ 2021 attendees to implement a zero-trust security posture by denying access to users and applications by default and allowing access only as an exception.
“What we have [with detection] is three or four alarms in our house, and the front door is not locked,” Jenkins said during a keynote address Monday. “There’s no bouncer at the door. The house alarms are going to make a lot of noise if somebody breaks in, but it’s not going to stop someone from walking in and taking the TV.”
Denying access to applications by default makes companies less dependent on the efficacy of their antivirus software or the ability of users to detect and avoid clicking on spear phishing emails, Jenkins said. In most organizations, Jenkins said applications and software running on a user’s computer have access to everything the user does.
In reality, Jenkins said PowerShell doesn’t need to see a company’s network shares, nor does Microsoft Office need to be allowed to run PowerShell commands, even though the software giant created such a feature. A Word document that’s in the hands of an adversary and able to call PowerShell can upload the company’s documents to the internet or turn on BitLocker encryption, according to Jenkins.
“If you could ringfence applications and stop them from calling out to other apps that they don’t need, you take away that risk of the app being weaponized against you, or at least reduce the impact,” Jenkins said.
Similarly, Jenkins said PsExec can be used for benevolent purposes such as providing developers with access deep into the company’s operating system as well as nefarious purposes like disabling most security tools. Adopting a ‘deny by default, allow by exception’ posture means not only that malware will be blocked, but also that greyware tools like PowerShell and PsExec will be subject to more scrutiny.
“By ringfencing an application and saying, ‘This is what you need to talk to,’ by ringfencing PowerShell and saying, ’You don’t need to go to Office 365,’ you avoid the possibility of something malicious being downloaded from that,” Jenkins said.
Application whitelisting is most effective when a company creates a list of what’s in their environment and begins locking down all unnecessary access to things that aren’t a known good, he said. Companies that permit access to an entire folder such as a K drive are going about whitelisting the wrong way, and Jenkins said ThreatLocker can ensure updates and patches from third parties don’t get blocked.
“You can have easy approval and full visibility of everything that’s happening in your environment, and you’re not going to spend hours in a month on thousands of endpoints,” Jenkins said.
Storage controls, meanwhile, provide more granular control over which applications can access a user’s data rather than tying application access to the level of permission a user has, Jenkins said. For instance, Jenkins said there’s no reason Office 365, Internet Explorer or PowerShell should ever need to access a user’s backup folder, but Veeam would need access to that folder.
Organizations that put storage policies in place that control who and what has access to folders will be more secure, according to Jenkins. As a result, Jenkins said even an application that is whitelisted but isn’t ringfenced still won’t be able to access a folder unless access is needed for the app to function properly.
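The three controls described above (deny-by-default application allowlisting, ringfencing an application so it cannot spawn other apps or reach the network, and storage policies that restrict which applications may touch a folder) each have a native Windows analogue. The script below is an added example written for this page; it is not ThreatLocker’s code or a reproduction of its product, and it uses AppLocker, Microsoft Defender attack surface reduction (ASR) rules, Windows Firewall and Defender controlled folder access instead. The backup folder path (`D:\Backups`) and the Veeam agent path are assumptions chosen for illustration; substitute your own. Run it in an elevated PowerShell on a test machine first: AppLocker and controlled folder access are applied in audit mode here so that the inventory can be reviewed before anything is blocked.

```powershell
#Requires -RunAsAdministrator
# Added example: native Windows analogues of allowlisting, ringfencing and storage
# control. Not ThreatLocker code. Paths marked "assumed" are placeholders.

# --- 1. Deny by default, allow by exception (application allowlisting) ---------
# Inventory what is actually installed and generate publisher/hash rules for it.
# Once an AppLocker rule collection is enforced, anything not matched by a rule
# in that collection is denied, which is the "deny by default" posture.
$inventoryDirs = @("$env:ProgramFiles", "${env:ProgramFiles(x86)}", "$env:SystemRoot") |
    Where-Object { $_ -and (Test-Path $_) }
$fileInfo = $inventoryDirs |
    ForEach-Object { Get-AppLockerFileInformation -Directory $_ -Recurse -FileType Exe, Script, Dll }

$policyPath = Join-Path $env:TEMP 'allowlist-policy.xml'
$fileInfo | New-AppLockerPolicy -RuleType Publisher, Hash -User Everyone -Optimize -Xml |
    Out-File -FilePath $policyPath -Encoding utf8

# Start every collection in AuditOnly so that blocked-would-be events land in the
# "Microsoft-Windows-AppLocker" event log without breaking users; flip to
# "Enabled" once the exceptions (updaters, line-of-business tools) are added.
[xml]$policy = Get-Content -Path $policyPath -Raw
foreach ($collection in $policy.AppLockerPolicy.RuleCollection) {
    $collection.SetAttribute('EnforcementMode', 'AuditOnly')
}
$policy.Save($policyPath)

# Dry-run the policy against a file before applying it: reports Allowed/Denied
# plus the matching rule, which is how a "greyware" tool like PowerShell gets
# the extra scrutiny the article describes.
$psPath = "$env:SystemRoot\System32\WindowsPowerShell\v1.0\powershell.exe"
Test-AppLockerPolicy -XmlPolicy $policyPath -Path $psPath -User Everyone

# AppLocker enforcement depends on the Application Identity service.
Start-Service -Name AppIDSvc -ErrorAction SilentlyContinue
Set-AppLockerPolicy -XmlPolicy $policyPath

# --- 2. Ringfencing: stop Office and PsExec/WMI from launching other apps ------
# Defender ASR rules, identified by GUID. Requires Microsoft Defender Antivirus
# to be the active AV; the PsExec/WMI rule is documented as incompatible with the
# Configuration Manager client, so test before rolling it out fleet-wide.
$asrRules = @{
    'D4F940AB-401B-4EFC-AADC-AD5F3C50688A' = 'Block all Office applications from creating child processes'
    'D1E49AAC-8F56-4280-B9BA-993A6D77406C' = 'Block process creations originating from PsExec and WMI commands'
}
foreach ($ruleId in $asrRules.Keys) {
    Write-Host "Enabling ASR rule $ruleId : $($asrRules[$ruleId])"
    Add-MpPreference -AttackSurfaceReductionRules_Ids $ruleId -AttackSurfaceReductionRules_Actions Enabled
}

# Network side of the ringfence: PowerShell has no business reaching the internet
# from a workstation, so block its outbound traffic. This is coarser than the
# per-destination rule quoted above ("you don't need to go to Office 365");
# narrow it with -RemoteAddress if PowerShell legitimately needs some endpoints.
$powershellBinaries = @(
    "$env:SystemRoot\System32\WindowsPowerShell\v1.0\powershell.exe",
    "$env:SystemRoot\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"
)
foreach ($bin in $powershellBinaries | Where-Object { Test-Path $_ }) {
    New-NetFirewallRule -DisplayName "Ringfence: no outbound for $bin" `
        -Direction Outbound -Program $bin -Action Block -Profile Any | Out-Null
}

# --- 3. Storage control: only the backup agent may write the backup folder -----
# Controlled folder access denies writes to protected folders from any app that
# is not explicitly allowed, regardless of the user's NTFS permissions. An
# allowlisted-but-not-ringfenced Office or browser process is therefore still
# kept out of the backups.
$backupFolder = 'D:\Backups'                                                   # assumed
$veeamAgent   = "$env:ProgramFiles\Veeam\Endpoint Backup\Veeam.EndPoint.Service.exe"  # assumed
Set-MpPreference -EnableControlledFolderAccess AuditMode   # change to Enabled after review
Add-MpPreference -ControlledFolderAccessProtectedFolders $backupFolder
if (Test-Path $veeamAgent) {
    Add-MpPreference -ControlledFolderAccessAllowedApplications $veeamAgent
}

# --- Verify what is now in effect ---------------------------------------------
Get-AppLockerPolicy -Effective -Xml | Out-File -FilePath (Join-Path $env:TEMP 'effective-applocker.xml')
Get-MpPreference | Select-Object AttackSurfaceReductionRules_Ids,
    AttackSurfaceReductionRules_Actions, EnableControlledFolderAccess,
    ControlledFolderAccessProtectedFolders, ControlledFolderAccessAllowedApplications
```

Two caveats a practitioner will hit immediately. First, the inventory step captures whatever is on the machine at that moment, including software that should not be there, so the generated rules must be reviewed rather than applied blindly; this is the "create a list of what's in their environment" step, not the end of it. Second, publisher rules tolerate vendor updates, but hash rules break on every patch, so a tool that updates often needs a publisher or path rule and a defined approval path, or the same ad-hoc "allow the whole K drive" shortcut the article warns against will creep back in.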
“You’re going to change the paradigm so you’re in control of your environment,” Jenkins said. “It really isn’t that complicated. It’s very, very simple, and it’s very effective.”
Ringfencing minimizes the potential for customer exposure and damage by limiting how much access applications have to the customer’s network and computer, according to David Cox, vice president of New Haven, Ind.-based solution provider G6 Communications. G6 has been impressed by ThreatLocker in its own evaluations and plans to deploy the tool itself to provide customers with more protection.
“It’s an inexpensive tool that does a lot of good,” Cox said.