ThreatLocker CEO: ‘Zero Trust Doesn’t Have To Be A Heavy Lift’
‘The people trying to exploit these vulnerabilities aren’t schoolyard bullies anymore. They are big, organized organizations, and they don’t care if you’ve only got 10 employees,’ says CEO Danny Jenkins at XChange 2022.
Organizations should adopt zero-trust architectures that provide applications, users and services with the absolute minimum level of access needed to carry out job functions.
ThreatLocker CEO Danny Jenkins said taking trust away from users, applications and networks is the only way businesses can prevent or minimize damage in the event of a cyberattack. Maitland, Fla.-based ThreatLocker can onboard MSPs looking to provide core zero-trust functions like application whitelisting, ringfencing and least-privilege access in just five hours, according to Jenkins.
“Zero trust doesn’t have to be a heavy lift,” Jenkins said Monday during CRN parent The Channel Company’s XChange 2022 event. “It is very effective. And it’s recommended by pretty much every agency in the world right now as the only way we can fight against organized cybercrime and nation-states.”
Applications and programs running on a device typically have access to every piece of data the user has access to even if the user isn’t a local administrator, according to Jenkins. ThreatLocker tested about 90 pieces of ransomware and found that none of them needed local admin privileges to run and all were able to see the data and network shares that users could view, Jenkins said.
“The people trying to exploit these vulnerabilities aren’t schoolyard bullies anymore,” Jenkins said. “They are big, organized organizations, and they don’t care if you’ve only got 10 employees … They will go after you for your money because as long as you have money in your bank account, or your customers have money, they will attack your systems, and they do that every day.”
Zero trust needs to be applied comprehensively across an organization from entry-level employees to the CEO if it’s going to be effective, Jenkins said. For instance, if an organization’s CEO never runs payroll, then he or she shouldn’t have access to payroll data, according to Jenkins. Implementing least privilege policies minimizes the amount of damage that can be inflicted during a cyberattack, he said.
At an application level, Jenkins said this means that organizations should block everything by default and only allow what the company needs to run. Businesses can roll out an agent to block applications, learn what’s in their systems and put a set of policies in place that determines how specific applications are treated. Given that there are thousands of vulnerable applications out there, it’s best to block by default.
“If you block everything and allow only what you need, you’re in a far better position than those who are looking at everything to determine if it’s bad,” Jenkins said. “Blocking everything doesn’t have to be difficult.”
Organizations can reduce trust even further by embracing ringfencing, which limits the ability of applications to communicate with one another if there’s no legitimate business purpose for them to do so. For instance, Jenkins said a user might need to run both Microsoft Office and PowerShell on their computer, but there’s no legitimate reason Microsoft Office would ever need to talk with PowerShell.
Ringfencing is very effective in stopping Office vulnerabilities from calling PowerShell and also stopped SolarWinds Orion from reaching out to malicious sites after the Russian foreign intelligence service (SVR) exploited a flaw in the network monitoring tool. The SolarWinds vulnerability needed to get instructions from an Amazon Web Services server to execute, but ringfencing stopped Orion from contacting the AWS server, he said.
“If or when an application gets compromised, the amount of damage caused is massively limited and potentially completely foiled,” Jenkins said. “Taking away applications’ abilities to do things can stop cyber breaches even if you don’t think about how.”
Organizations often allow every application to access a user’s files or network share even though only a very small number of applications actually need this level of access, he said. For instance, PowerShell rarely needs to see network shares, and in the select cases it does, it’s usually a single share for a single purpose. It’s therefore best to take away the ability of applications to access data when it’s not needed.
“It’s not, ‘Do I trust QuickBooks or not?’” Jenkins said. “It’s, ‘Does QuickBooks need to see anything but the QuickBooks database?’ Then when it does get compromised, your damage is limited.”
Even though malware and ransomware don’t need local admin rights to run, Jenkins said unnecessary admin permissions should still be taken away to minimize the damage users can cause. A user with admin privileges can break the operating system, mess around with the kernel and change things at the operating system level, according to Jenkins.
A user might need admin permissions to update their QuickBooks once a month, but that can also be accomplished by implementing elevation that allows only QuickBooks to run as an admin while being ringfenced so that it can’t talk to other applications. This approach ensures a user has admin-level access only to QuickBooks and not other applications like Office and PowerShell where the stakes are higher.
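The four controls described above (default-deny application allowlisting, ringfencing between applications and toward the network, restricting which files and shares an application may touch, and elevation granted to a single application while its ringfence still applies) can be modelled as one policy evaluator. The following Python is an added illustration written for this page, not ThreatLocker's product or its policy format; the application names, file paths, hostnames and events are constructed to mirror the scenarios Jenkins describes (Office spawning PowerShell, a monitoring tool contacting an unknown host, PowerShell reaching a share it was never granted, and QuickBooks being the only application allowed to elevate).

```python
from dataclasses import dataclass, field
from fnmatch import fnmatch


@dataclass
class AppPolicy:
    """Allowlist entry for one application plus its ringfence (constructed format)."""
    name: str
    allowed_children: set[str] = field(default_factory=set)  # processes it may launch
    allowed_hosts: set[str] = field(default_factory=set)     # network destinations it may reach
    allowed_paths: list[str] = field(default_factory=list)   # file/share globs it may touch
    may_elevate: bool = False                                # may run with admin rights


@dataclass
class Event:
    kind: str          # "launch", "network", "file" or "elevate"
    app: str           # process performing the action
    target: str = ""   # child process, host or path, depending on kind


class ZeroTrustPolicy:
    """Default-deny evaluator: anything not explicitly permitted is refused."""

    def __init__(self, apps: list[AppPolicy]):
        self.apps = {a.name: a for a in apps}

    def evaluate(self, ev: Event) -> tuple[str, str]:
        policy = self.apps.get(ev.app)
        if policy is None:
            return "deny", f"{ev.app} is not on the allowlist"
        if ev.kind == "launch":
            # The child must be allowlisted itself AND the parent must be permitted to spawn it.
            if ev.target not in self.apps:
                return "deny", f"{ev.target} is not on the allowlist"
            if ev.target not in policy.allowed_children:
                return "deny", f"{ev.app} is ringfenced from launching {ev.target}"
            return "allow", f"{ev.app} may launch {ev.target}"
        if ev.kind == "network":
            if ev.target not in policy.allowed_hosts:
                return "deny", f"{ev.app} is ringfenced from reaching {ev.target}"
            return "allow", f"{ev.app} may reach {ev.target}"
        if ev.kind == "file":
            if not any(fnmatch(ev.target, pat) for pat in policy.allowed_paths):
                return "deny", f"{ev.app} may not access {ev.target}"
            return "allow", f"{ev.app} may access {ev.target}"
        if ev.kind == "elevate":
            # Elevation is granted per application; the ringfence above still applies while elevated.
            if not policy.may_elevate:
                return "deny", f"{ev.app} may not run as administrator"
            return "allow", f"{ev.app} may run as administrator (still ringfenced)"
        return "deny", f"unknown event kind {ev.kind!r}"


def audit(policy: ZeroTrustPolicy, events: list[Event]) -> list[tuple[str, str, str]]:
    """Return (kind, decision, reason) for each event, in order."""
    return [(ev.kind,) + policy.evaluate(ev) for ev in events]


# Constructed policy mirroring the article's examples (paths and hostnames are hypothetical).
POLICY = ZeroTrustPolicy([
    AppPolicy("winword.exe",
              allowed_paths=[r"C:\Users\*\Documents\*"]),
    AppPolicy("powershell.exe",
              allowed_paths=[r"\\fileserver\scripts\*"]),        # one share, one purpose
    AppPolicy("quickbooks.exe",
              allowed_paths=[r"C:\QuickBooks\company.qbw"],       # its own database only
              allowed_hosts={"updates.example-quickbooks.invalid"},
              may_elevate=True),                                  # admin only for its own update
    AppPolicy("orion.exe",
              allowed_hosts={"monitoring.corp.example"}),         # its legitimate management host only
])

# Constructed events; the first four resemble the scenarios described in the article.
EVENTS = [
    Event("launch", "winword.exe", "powershell.exe"),                      # Office spawning PowerShell
    Event("network", "orion.exe", "c2.example.invalid"),                    # monitoring tool reaching an unknown host
    Event("file", "powershell.exe", r"\\fileserver\finance\payroll.xlsx"),  # share it was never granted
    Event("elevate", "winword.exe"),                                       # admin rights for Office
    Event("file", "quickbooks.exe", r"C:\QuickBooks\company.qbw"),
    Event("elevate", "quickbooks.exe"),
    Event("launch", "explorer.exe", "notepad.exe"),                        # neither is allowlisted
]

if __name__ == "__main__":
    for kind, decision, reason in audit(POLICY, EVENTS):
        print(f"{decision:5} {kind:8} {reason}")
```

The evaluator never has a "known bad" branch: every decision is a lookup against what was explicitly granted, which is the practical meaning of "block everything and allow only what you need". Note that elevation is a property of the application entry rather than the user, and that the launch, network and file checks run regardless of whether the application is elevated, so an elevated QuickBooks still cannot spawn PowerShell or read the payroll share.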
“Taking away these privileges is going to harden your environment,” Jenkins said.
New York-based EisnerAmper has been doing an asset inventory with a number of its customers to determine which accounts have privileged access and why, according to Director of Digital Jason Juliano. Business owners should also examine what dependencies their applications and systems have, particularly in Exchange and Active Directory where integrations are pervasive, he said.
“The biggest challenge is getting clients to do a deeper dive into their assets because what they don’t know could actually hurt them,” Juliano said. “It’s important to really go in there and figure out what are the dependencies across their entire environment.”