Security teams today are expected to manage two fronts—building and maintaining proactive defenses, and staying ready to respond at any moment to threats that slip through. But unless someone actively watches those alerts 24/7, your detection tools are expensive noise generators.
In this episode, Rob Allen, chief product officer at ThreatLocker, lays out why their Cyber Hero® MDR offering is built not as a standalone security strategy, but as a complement to a deny-by-default, proactively hardened environment. With real-time visibility, flexible communication, one-click remediation, and human-backed support—not just automation—ThreatLocker’s MDR offering is positioned to deliver value even when the alerts are quiet. Joining him are TC Niedzialkowski, head of IT and security at Opendoor, and Sasha Pereira, CISO at WASH.
Huge thanks to our sponsor, ThreatLocker

Full Transcript
[Voiceover] Connecting security solutions with security leaders. Security You Should Know starts now.
[Host] Welcome to Security You Should Know. Today we’re going to be talking about ThreatLocker and what they’re doing in detection and response. And the problem they’re addressing in that category is just how do you detect and respond to threats in a timely manner. It’s a constant problem in the industry. Helping us get answers to these questions are TC Niedzialkowski, former CISO over at NextDoor and Thumbtack, and Sasha Pereira, CISO over at WASH. So, TC, I’m going to start with you. Why are we still having a problem quickly responding to threats?
[TC Niedzialkowski] Yeah, I think the challenge is security teams, they have to balance between essentially project work, so the preventative work in terms of hardening the infrastructure, putting the key systems in place. If it is an EDR solution, you need to roll it out and maintain it with your fleet. And then the ongoing operations work in terms of monitoring all the different stuff, all the different endpoints, applications, and infrastructure where you can have these threats operating, in response to a dynamic adversary that you need to protect against.
And so I think that challenge is being able to staff up that accountability for potentially 24/7/365 monitoring and response is really expensive. And it is its own science in terms of what are the latest attacks, how do they work, how do you tell what’s a true positive versus a false positive in this environment. So, that’s really challenging, and that’s why a lot of organizations opt for a managed detection or response service.
[Host] Sasha, I’m going to turn the question to you. Why are we still struggling with response?
[Sasha Pereira] I would like to add to that, I think, a little bit based on the previous firm that I was with as well. Getting a tool to do what traditionally was called EDR is really easy to do. But what’s hard is having someone monitor it and investigate what happens with it. And I’ve had to build teams of five to six people specifically just monitoring tools. And when things don’t happen, it’s very hard to keep those staff engaged.
So, it’s one of those things that’s extremely hard. And I started with one of the early MDR firms I want to say like four to five years ago, and it’s worked really well. Because for a fraction of the price, I was able to get a team of individuals who were also much more skilled in a way because they’re dealing with a much larger, let’s say, number of cases and clients that they would see. I think some firms are still struggling with it, to be honest, because they’re trying to do the traditional approach of trying to build their own teams to manage detection and response, and I feel like buying a service just makes so much more sense in terms of security operations.
[Host] Well, today we’re going to be talking to Rob Allen, chief product officer at ThreatLocker, about their ThreatLocker Detect and MDR, as well as Cloud Detect solutions. There’s a lot out there. So, Rob, we need to start out with some preliminaries. How do I explain the value of your solution to a CEO? What does your solution do? What does it not do? And what’s the pricing model? Can you help us out with these preliminaries?
[Rob Allen] Sure. Well, I suppose if you’re talking to your CEO, what Sasha just said is a really important point, which is you don’t need to build out a team to watch alerts to respond to things happening. Fundamentally let somebody else do that, and it’s going to save you a hell of a lot of money versus hiring a bunch of people. As TC said, one of the big problems is false positives. I know organizations who have deployed detection products.
It’s like the boy who cried wolf basically. The false positives popping up left, and right, and everywhere. Knowing what’s real and what’s a false positive, it’s fundamentally a skill, and it’s something that needs to be managed. And so, yeah, you can save yourself a bunch of money by getting somebody else to manage it for you. Also, we’ll talk a little bit more about this, but you can have all of the detection you want, if you’re not monitoring it 24/7, 365, it’s as good as useless. Because realistically, the bad guys are not working nine to five, your time zone. The bad guys are working in the middle of the night.
They’re working long weekends. They’re working on holidays. Even fake as holidays, as we were discussing a moment ago. And so, yeah, they’re not working nine to five, and so you need somebody to be managing and watching these alerts, and if necessary taking responsive actions, as I said, 24/7, 365. Oh, and surprisingly reasonable was the last.
[Host] [Laughs] The stock answer for the pricing model, yes.
[Rob Allen] What’s the cost, yes.
[Host] All right. Well, CISOs, you’ve gotten a taste of what ThreatLocker is doing here, but I’m sure you have a lot of questions. So, let’s start with you, Sasha. What other questions do you have for ThreatLocker?
[Sasha Pereira] So, mine are going to be a little bit, since I’ve been using MDR quite a bit and am familiar with a lot of the players… I do know that ThreatLocker is sort of new in terms of MDR. In the MDR space. What tools can I replace or eliminate with ThreatLocker?
[Rob Allen] Oh, that’s a really interesting question. Probably many is the short answer. Obviously in this particular instance, we’re talking about your EDR and MDR service. I suppose the approach that we take and the way we look at detection is somewhat different to a lot of tools. So, for a lot of companies, a lot of organizations, detection is their first and last line of defense. So, if something is not detected then basically it’s game over.
It’s got past, something has happened, and there’s a cleanup operation. We see detection and response as an additional layer on top of all the other controls that we offer. So, allow listing, ring fencing, blocking all, that kind of stuff. So, fundamentally what we’re probably alerting you about is things that haven’t happened, whereas some of those other solutions are probably going to be alerting you about things that are happening or have already happened. And you’re far better off being proactive about things than being purely reactive.
[Sasha Pereira] Okay.
[Host] TC, what about you?
[TC Niedzialkowski] Yeah, so I’ve also worked with some MDR providers in the past. One of the challenges I’ve had is articulating the value that the MDR provider is providing the organization if you’re not having urgent security incidents on a regular basis. Because you’ve got the 365 monitoring. You have to do all the instrumentation. Your relationship management, providing the context. But if you’re not having urgent security alerts as a result of this monitoring, why am I paying for this service? So, how do you help your customers articulate that if they’re not having critical alerts all the time?
[Rob Allen] To be perfectly honest, that’s actually one of the reasons why we developed this product. I mean it’s kind of a logical extension of what we do. But fundamentally, we had lots of customers who were running ThreatLocker, the control platform, the proactive platform, alongside something like an EDR, or MDR, or XDR, or anything that ends with DR. And long story short, they very quickly realized with ThreatLocker blocking proactively and stopping these attacks basically before they’ve even happened, there’s nothing really happening to be responded to or detected.
So, they’re basically paying X number of dollars a year for this thing that basically never gets used, apart from, as I said, the occasional false positive. So, that’s one of the reasons that we brought this product to market. Because people had been saying to us, “Well, look, why am I paying all of this money for this detection and response when fundamentally it’s not needed? Or as far as we can see, it’s not needed.” Now, obviously it’s a box that most organizations need to tick. So, they have to have something. So, again, it makes sense for us to add to the control stuff with a layer of detection.
[Host] Floor is open for questions.
[Sasha Pereira] Mine is going to be a little tricky one. [Laughs] So, if I do implement ThreatLocker, is it going to impact my cyber insurance rate?
[Rob Allen] That is probably a question for your cyber insurance company. I’d love to be able to answer it with confidence, but the short answer is I don’t know. What I can tell you is I have actually spoken to insurers from time to time at various events, some of the very large insurance players, and they gave me a really good example about France a couple of years ago. So, the amount that they paid out for one breach was more than all of the money they took in for cyber insurance in that year. So, one breach out spent or out cost rather all the money they took in.
So, they’re being very selective about who they will give cyber insurance to. So, there’s two parts. I did quite simply ask them, “Look, if you do what we do, if you do all of this proactive blocking, is your cyber insurance going to be less expensive?” And he said realistically it probably is, because obviously they weigh it based on a number of factors. But the other thing is it may be the difference between getting cyber insurance and not getting cyber insurance, because that’s a big challenge for a lot of organizations now is just insurers aren’t going to touch them. If you don’t have everything completely squeaky clean and all the protections that you need in place then they’re probably not even going to give you insurance, let alone how much they’re going to charge you for it.
[Sasha Pereira] Okay.
[TC Niedzialkowski] Yeah, I got a follow up. So, how is it that you’re communicating with internal security teams or internal IT infrastructure business system teams as needed? Because when there’s an incident, when you’re monitoring it, is it real? Is it not real? During the escalation process a lot of times there’s a back and forth needed between the organization and the MDR provider. How are you doing that communication today, and do you support tools like Slack and Teams?
[Rob Allen] So, the short answer to your question, TC, is however you want us to communicate with you. So, again, whatever is the method that you choose. Whether it be via the alerts that have been generated or whatever communication mechanism. It could be pick up the phone, ring me, whatever that happens to be. We have put quite a lot of work recently into what we call our Detect dashboard, which is basically a place where you can see all of the things that have been going on, who’s dealt with them, what the communications have been about that. The other thing that we can do is we can make recommendations, because, as I said, of the other parts of the product that we offer. So, things like network control. So, our team and your team can make recommendations for things that the customer can implement to avoid this happening again.
So, we often joke that the MDR team is basically like the configuration police because it’s very often something wrong or silly that a customer has done that they’re alerting them about. So, a 3389 connection from the internet, that kind of thing. So, what they can do as well as obviously logging it and making you aware of it, they can make a recommendation. So, “Why don’t you implement this network control policy which will basically stop this from happening again?” So, it’s kind of a multistage process, but it is something that we’ve worked quite a lot on.
[TC Niedzialkowski] So, do you support…? Would I be able to…if you made a recommendation, would I be able to have the engineer who would take that in a Slack channel or in a Teams channel with you to discuss?
[Rob Allen] Well, we can actually do it on the alert itself. So, we can say, “Look, the recommendation from our MDR team is that you should close 3389 on this machine.” We literally have a policy there. It’s a one click. You don’t have to do anything more than that. It’s, “Okay, this is going to block 3389 on this server.” So, it’s literally a one-click remediation or a one-click solution.
[Sasha Pereira] In terms of integrating… Again, I’m going to not have to go specifically and ask each and every integration. I’m sure you integrate with a lot of products to get feeds in from different sources. And that’s one of the things that I’m having a little bit of challenge of. Go back ten years, and you have a whole ton of products that you would need someone to manage. Now you have an MSSP or someone who’s doing MDR work who will manage it for you.
But what I’m noticing is to get best of breed products, I’m going to have all these different tools including… So, we’re on Microsoft, right? So, we use [Inaudible 00:11:02] So, we have a lot of tools directly from Microsoft. We have a lot of data that they’re able to collect and show in their security tools. For example, I use their CASB. Or there’s email tools coming in. We have Abnormal Security. There’s a lot of other tools that we do have, and we’re getting a lot of feeds from there. How is ThreatLocker able to use that to better augment MDR? Because as you said, the number of tools with the ending DR, there’s so many. But what brings value is the ability to take all that data and make a good, informed, intelligent, calculated decision if it’s important or not.
[Rob Allen] Yeah, absolutely I’d agree. But I would counter to some extent. And I just want to go back to what I said at the beginning, which is we don’t see detection and response as being the entire game. We don’t see detection and response as being the only layer of protection. So, fundamentally if detection response… And this applies to anything. But if detection response… If something is not detected, it cannot be responded to. So, you’re depending on something to make decisions constantly. Now, you’re hoping those decisions are educated decisions. You’re hoping those decisions are informed decisions. But fundamentally, it doesn’t matter how well educated or informed the decisions are.
They’re not going to get every single decision right because there could be tens of thousands, hundreds of thousands, millions of decisions a day – is this thing good, or is this thing bad. So, if your only layer of defense is something that’s deciding about what’s good or bad then realistically it’s a recipe for failure. So, that’s why with all the proactive stuff we do, basically blocking by default rather than permitting by default and trying to figure out what’s good or bad, we block by default. And then the MDR, as I said, is more as a response mechanism, or alerting you to tell that, “Well, this thing tried to happen, but it was blocked.” But we do take information in from… Take the event logs in the machine, for example, for the likes of Windows Defender.
So, your defender is doing its stuff, but we’re saying, “Hey, well, an alert came through from Defender. Do you want to do something about it?”
[TC Niedzialkowski] Okay. What is the relationship that your customers have with you when it comes to Right of Boom? So, essentially you’ve got the 24 by 7 by 365 managed detection and response service. You alert an incident. It’s a Sev 1. It’s a P0. It turns out this is a data breach. There’s been a compromise. We need to go through the containment.
That whole process. And then potentially bring in the lawyers. What was the scope of what was accessed, potential reporting to customers. What is the relationship with ThreatLocker when you’ve handed me something that’s legitimate? It is a real breach. As an example, do you have an incident response retainer service? Do you work with the lawyers and legal teams in terms of forensics? What’s the services you provide there?
[Rob Allen] So, thankfully… And I’m going to touch all the wood available here. But thankfully the incident response tends not to be something that we need to do very often because of the nature of what we do. Again, coming back to denying by default. Basically the fact of the matter is in most circumstances, in most environments that are ThreatLocker protected, the reality is that, again, touch all the wood, breaches tend to happen a lot less often. Let me just put it that way. So, incident response doesn’t tend to be something we have to do. There are some exceptions to that.
So, we have customers…say they’re in the process of deployment, for example, so they haven’t secured their environments. ThreatLocker isn’t up and running. “Something has happened. Can you help us out?” We do also have customers using ThreatLocker for incident response, so they will deploy ThreatLocker, basically secure it, lock it down immediately, just allow core Windows and a few other needed applications to run, blocking everything else by default. So, effectively allowing organizations to get back up and running again. But in terms of the incident response part itself, we have all the logs. The customers themselves have all the logs. Everything ThreatLocker has logged, so you can see every process, everything that ran, process [Inaudible 00:14:55], reads, writes, copies, moves, information…internet access, what goes where on the internet.
It’s all there by default in the portal. So, in most cases, that can be used directly by the customer themselves. They don’t need us to say, “Hey, look, this is what happened in your environment.” Very often they can see themselves, “Oh, this is what happens in our environment,” because they have all that information. They have all that data accessible to them.
[TC Niedzialkowski] Okay. Would we need to engage a different forensics provider or do that ourselves, or is that something that ThreatLocker would be able to perform?
[Rob Allen] Look, we will always assist customers to the absolute best of our abilities. We have had situations, as I said, like I mentioned with environments that weren’t secured or that were partially secured, or this organization was partially deployed, or that had ThreatLocker on 80% of their machines, but they didn’t have 20% of them deployed, and those 20% were the ones that got hit. That kind of situation, we will always help out to the best of our abilities. But I mean fundamentally, it’s not a core part of what we do because it’s not something that we have to do very often, if that makes sense.
[TC Niedzialkowski] Yeah, thank you.
[Host] Rob, what’s one thing we didn’t ask about that we need to know?
[Rob Allen] I suppose just, again, to highlight again, you may have all the shiny tools in the world. You might have all the detection things. You may have alerts popping off, whatever the case may be. But unless you’re monitoring that, unless you have somebody watching your back basically 24/7, 365, they are as good as useless. You might as well throw them all in the bin because attacks are not happening nine to five. Attacks are not happening on a schedule or a cadence that suits you.
They are probably happening in the middle of the night. And unless you have somebody watching those alerts, monitoring those things, as I said, they’re as good as useless. So, just make sure whatever tools you have that they are monitored by somebody who you trust and somebody who’s going to respond in a timely manner. Because with detection and response, time is everything. You don’t want somebody who’s going to ring you 20 minutes later and say, “Hey, by the way, that machine just got popped.” You need somebody to ring you immediately when that happens or if that happens. Or ideally stop it from happening in the first place, but that’s a whole different conversation.
[Host] Well, that’s just about it for this episode of Security You Should Know. To learn more, head to threatlocker.com. Thanks to TC Niedzialkowski and Sasha Pereira for helping us learn more about ThreatLocker, and a big thanks to Rob Allen from ThreatLocker for your time and being game to answer all of these questions. And thank you for listening to Security You Should Know.
[Voiceover] That wraps up another episode of Security You Should Know. If you like this program, please subscribe, tell your friends, and leave us a review. All companies showcased on this program are sponsors of CISO Series. If your company would like to be spotlighted and interviewed by our security leaders, go to our contact page on CISOseries.com or just email us at info@CISOseries.com. Thank you for listening to Security You Should Know, connecting security solutions with security leaders.