Managing privileged access across a sprawling IT environment remains one of cybersecurity’s toughest balancing acts. Admin privileges are often granted too broadly and retained for too long, opening dangerous pathways for lateral movement and ransomware.
In this episode, Rob Allen, chief product officer at ThreatLocker, introduces their Elevation Control tool — a solution designed to help security teams remove unnecessary privileges, apply just-in-time elevation for specific apps, and restrict lateral movement, even within elevated sessions. Joining him are Mike Woods, VP of cybersecurity at GE Vernova, and Steve Zalewski, co-host of Defense in Depth.
Huge thanks to our sponsor, ThreatLocker

Full Transcript
[Voiceover] Connecting security solutions with security leaders. Security You Should Know starts now.
[Rich Stroffolino] Welcome to Security You Should Know. Today we’re going to be talking about ThreatLocker and what they’re doing in privileged access management. The problem that they’re addressing is unnecessary elevated privileges. It’s a big one in the industry. I need to hear how they’re solving it. And helping us get some answers to the questions and how they’re solving this problem are going to be Mike Woods, VP of cybersecurity at GE Vernova, and Steve Zalewski, Defense in Depth.
Mike, I’m going to start with you. Why are elevated privileges still a problem?
[Mike Woods] Yeah, I think it’s just the differentiation of our landscape from an IT perspective. We’ve got cloud, where PAM solutions can work really well. Privileged access management solutions, that is. But we still have a lot of differentiation on prem, endpoint, databases, applications. I don’t need to go on with this audience probably.
But it’s just the estate is wide and deep, and it’s hard to find a solution that will work for all of those.
[Rich Stroffolino] All right. Steve, I’m going to come to you. Why are we still struggling with elevated privileges?
[Steve Zalewski] Well, because the definition of privilege doesn’t mean that it is a high value account. It means we have lots of things now that are talking to each other, and we’re just looking at daily privileges and trying to be able to manage them appropriately.
[Rich Stroffolino] All right. Well, today we’re going to be talking to Rob Allen, chief product officer over at ThreatLocker, about their storage control and elevation control solutions. So, to start out, Rob, we’re answering three essential questions. How do I explain the value of your solution to my CEO? What does your solution do, and what does it not do?
And what is the pricing model? Can you help us out and give us the answers to these starting questions?
[Rob Allen] So, it’s two different questions really. One is to do with elevation control, which is, as you said, privileged access management. One is to do with storage control, which is also about privilege but a slightly different angle on it. Elevation control is basically allowing you to remove unnecessary admin privileges from users across your entire estate.
You can do it by exceptions. Or you can say, “Look, I want to remove every local administrator except these ones.” Or you can do it specifically for individual ones as well. That gives you visibility as well of what admin accounts are out there, because a lot of organizations don’t know that. It also allows you to give it back selectively for individual programs, and that’s the key.
It’s not giving a user administrative rights even for a period. It’s about saying, “Well, this program can run with local admin privileges.” So, it negates the need for backup accounts, or admin accounts, or any of that kind of stuff. I just say, “Look, Rob is going to be able to run this program as a local administrator.” Policy set up, done, dusted, don’t need to worry about that again.
[Rich Stroffolino] And then what are we talking about with pricing, Rob?
[Rob Allen] Surprisingly reasonable I think is the answer to that question. Fundamentally these are two parts of our overall endpoint protection platform, so we’ve got everything [Inaudible 00:02:55] ring fencing, network control. Storage control or elevation are just two parts of it. But surprisingly reasonable is the answer to that question.
[Rich Stroffolino] All right, well, panelists, you’ve gotten a taste for the solution, but I’m sure you’ve got a lot of questions. A lot of details to dig into. Steve, I’m going to start with you. What other questions do you have for ThreatLocker about storage control and elevation control?
[Steve Zalewski] So, I’m familiar with blacklisting and whitelisting. Those are two ways that we describe least privilege. I blacklist, can’t do it. I allow with whitelisting. Yet you’ve introduced allow listing as a concept. Can you help me…what the definition of allow listing is?
[Rob Allen] PC whitelisting.
[Rich Stroffolino] [Laughs]
[Rob Allen] That is literally the answer to the question. Yes, it’s a more modern term and a more socially acceptable term for what used to be, back in the dark days, referred to as whitelisting. So, it’s about fundamentally allowing companies to run and blocking everything else. It’s not a new concept.
It’s not a new idea. I suppose the differentiator with us is we make it easy, manageable, attainable for organizations. Anyone who has ever done it knows it’s a bit of an…or can be a heavy lift depending on what you use to do it with. But as I said, we make it attainable. But fundamentally, it’s about default deny: deny by default, permit by exception.
[Rich Stroffolino] And, Mike, let’s get started with you. What questions do you have for ThreatLocker?
[Mike Woods] Yeah, just one off the top around just in time access. It sounds like the product helps with that, and it’s an area that I’m very interested in to push out within my organization just simply because it’s such a usable…from a least functionality standpoint, right? You want to have these privileges be used only for what they need to be used for but only be available for the time they’re being used.
So, can you give us a little bit of a flavor there for what the product does for just in time access?
[Rob Allen] Absolutely. No, it’s a really good question. And, again, the timeframe aspect of it is really important, but there is another aspect that people don’t often consider. Which is, first of all, you don’t want to make Rob an administrator for a period of time because that means Rob can do whatever the hell he wants for that period of time.
So, we narrow it down. So, we say, “Look, this program that Rob is running is going to be able to run as a local administrator.” The other thing that people very often don’t consider is once something is at that level… So, once a program is running with administrative privileges, you can move sideways or laterally into other programs also with administrator privileges.
Basically that lateral movement is kind of baked in. So, if I run Notepad++ as a local administrator, and I can get into a browse window, I can then open PowerShell also as a local administrator. Now, we can solve that problem as well by combining elevation control, by letting that run as an administrator, with ring fencing.
So, it can run as that level, but it’s not able to move sideways or laterally into other programs as well.
[Rich Stroffolino] Got it. So, it’s more limiting to…the granularity is there, if you will, on how to deploy this.
[Rob Allen] Very much so. It’s also…it’s multiple levels of control. It’s not just one level of control. It’s not just giving elevated privileges. It’s giving elevated privileges for a time period for a program with controls around that.
[Steve Zalewski] So, I want to push a little bit on when you made the very simple statement to me that…when we said it’s the laptop. Around what’s the service edge that you’re manifesting. So, unified endpoint management. Laptop is my service edge. A lot of what we’re talking about now is moving the service edge from the laptop to the browser itself, because the laptop no longer really has a direct role because everything is SaaS.
So, how do you position that conversation around “it’s about the browser, stupid,” as opposed to “it’s about the laptop”?
[Rob Allen] Absolutely. And, again, it’s a conversation for a different day. But it comes back to this concept of ring fencing. So, restricting what applications can do. So, in this case we can restrict what browsers can do. So, I want my browser to be able to access these files in this location but no others.
Or this kind of file but no others. Or I only want browsers…or I want to stop browsers from accessing certain locations and allow it to access others. So, you can put controls in place around what browsers can do, where they can go, what data they can access.
[Rich Stroffolino] Yeah. Do you have any view for how this access works? Has it got capabilities beyond just the typical username, password? Has it got other types of credentials like keys? Can you give us a thought on how it works from that standpoint for things outside of maybe the edge and laptops but in cloud environments let’s say?
[Rob Allen] Not in cloud environments so much. Again, most of our focus… We do have some cloud products, but most of our focus is on the end point. It’s an endpoint protection platform. In terms of extra accounts or anything like that, none of that is needed. We run [Inaudible 00:07:37]
[Rich Stroffolino] Got it.
[Rob Allen] So, we can basically intercept calls to consent. We can allow things to run with certain privileges. So, you don’t need to have an additional user. And additional users are often part of the problem. Because you’re adding another account that can get compromised. With this, you don’t need an additional user.
You just need a user, basic privileges on a machine that can then get elevated, specific programs elevated if needs be.
[Steve Zalewski] All right. So, normally we talk just about products and about what your product does, but you make a clear statement to talk about your cyber heroes and the fact that you have all these people that are available. Why is that important when really what I’m trying to do is buy a product that should just do its job?
[Rob Allen] It is super important. At the risk of stealing a quote from a movie, with great power comes great responsibility. What we do, denying by default, basically is extremely powerful. It’s a very powerful solution. But with great power comes great responsibility. We don’t want customers of ours sitting around, trying to figure something out, not able to do it if they’ve got something important being blocked, or restricted, or whatever the case may be, and they can’t figure that out.
So, it’s super important to us to have people available to help. We’ve got 24/7 365 support. It’s human beings. It’s not bots. You’re not talking to AI. Anybody who’s tried to get through to any sort of support knows the frustration of getting a bot trying to answer your question. We don’t want that.
We want a human being on the other end of a chat who’s able to help you with your problem immediately.
[Mike Woods] How about virtual desktops? Does it deploy there and any benefits there?
[Rob Allen] The benefits are everywhere. But, yeah, absolutely. There’s no issues with deploying [Inaudible 00:09:16] virtual environments. Again, every endpoint is important. Every endpoint is critical really. A chain is only as strong as its weakest link. There’s no point in me protecting my laptop if I’m running stuff in a VDI and the cloud, and it gets compromised as well.
So, every endpoint is equally important from our perspective.
[Steve Zalewski] So, when I look at my security organization and what it traditionally is responsible for with regards to blacklisting, whitelisting, allow listing, they own it. With your ability to have your cyber heroes, are you actually giving me the opportunity to transition the ownership of a security organization and actually have the IT team itself be able to implement those policies, so I don’t have to invest my security resources into doing the job, and I can have them do something else?
[Rob Allen] So, first of all, we basically do a lot of the heavy lifting anyway. So, we do a lot of the learning automatically. There’s no need for you as a customer to figure out all the software that’s needed in your environment. We’ll learn them. We’ll see them. We’ll create policies for them automatically.
What we call cyber hero approvals or cyber hero management is basically whereby you don’t want to deal with a user at three o’clock in the morning trying to run a Chrome extension, and it getting blocked, and then requesting it. We’ll effectively take on that responsibility. And we say, “Look, you give us the instructions.
You tell us what you want to do, the kind of stuff you want us to approve, the kind of stuff you don’t want us to approve.” And our cyber hero team who, again, are working 24/7, 365 will deal with those requests on your behalf. So, again, it’s all about taking the heavy lifting out of this process. It means you don’t have to run a 24/7, 365 support department or support shop.
If somebody tries to run something weird in the middle of the night, we’ll permit it or deny it according to your specific instructions.
[Steve Zalewski] So, where does AI fit? And the reason why I ask this is the human element that you’ve put in, which is, “No, pick up the phone, and there’s a human there within 15 seconds, and we’ll get it right for you,” for me has a lot of value. Right? But AI is supposed to be able to bring more efficiency into processes.
And yet here you are simply saying, “We have no interest.” Because it is all about the human interaction. So, how are you positioning that natural friction of having to bring AI in because that’s what everybody expects you should be doing?
[Rob Allen] Just because everybody expects it doesn’t mean it’s the right thing to do. There is value in it. Just because a buzzword comes along doesn’t mean that we’re going to go jump and try and implement our solution around that. AI can add value. AI can be used to defend. But it can also be used by attackers as well.
One of the things that people don’t really consider is the fact that AI has basically lowered the barrier of entry for anyone who wants to get into ransomware. You used to need skills. You need to know how to program. There’s probably a limited number of people worldwide, a couple hundred thousand people, who had the necessary skills to produce a piece of ransomware.
Now all you need is bad intentions and access to an LLM. It will give you the code. It’s just an issue of asking the question in the right way. So, as I said, AI does have value, but realistically we’re very much of the opinion that a well-educated human being can make a much better decision than an LLM saying, “Oh, well, this is [Inaudible 00:12:33] I’m going to allow it to run.” Not necessarily.
[Steve Zalewski] Mike, do you want…? I’ll keep going. I just…
[Mike Woods] Yeah. No. I think we’ve covered a lot from my perspective on this one. But I just had a question around… Maybe it’s leading to what Steve was saying around the human piece involved. What can you tell me around your successes and what you think are failures around how this product has been deployed in certain organizations?
This, for me, is something really important. Because when it comes to acquiring a product, one of the things we’ve got to do is be able to show and prove out monetarily but from a metrics standpoint. Like how do we KPI this out? What would you say is a good KPI for this product?
[Rob Allen] That’s a really good question. We had a [Inaudible 00:13:22] report that was just recently updated and released, and it put a dollar figure amount saved per organization on attacks, and that’s not something I’m particularly comfortable with, but it’s… They put a number on it. They said on average people are saving 1.3 million dollars because they’re not getting attacked by ransomware.
But it is difficult. It’s one of the challenges we face is that people even once they’ve deployed it… They’ve seen how easy it is to push it out there. They’ve seen they’ve had no ransomware attacks. People are going, “Well, nothing is happening, so why do we need this awesome service? Can we not get by without this awesome service?” So, it is a constant challenge.
One thing that organizations do find, particularly with elevation control, is if you take away local admin rights, your calls will immediately go up because users need to install software. They need to do things as the local administrator. And that’s something that’s very easily measurable. So, how many calls do you get right now for users that need local admin rights?
It’s this amount. Put in elevation controls, set up your policies correctly, you won’t get all of those calls. And that’s a really easy way to measure it.
[Steve Zalewski] So, Rob, I want to talk about human identity and nonhuman identity for a minute. Because you protect the laptop. And what I kind of consider this with privileged access management is I normally think about that as service accounts or admin accounts. But what you’re really doing is human augmented role based access control, and you’re giving me finer granularity for what you’re trying to do in your job, not the IT definition of privileged access management.
And so now if I think about that… I do it on the human side. But a lot of the other assets, to your point, the laptop, or the browser, or the applications… So, how are you addressing the “nonhuman identity asset mix” into your product?
[Rob Allen] So, fundamentally we don’t care who’s running something. We don’t care what’s running something. It can be a user. It can be an administrator. It can be running a system. Fundamentally it makes no difference to us because, again, we run at a level below most of these things we can control these things.
So, it doesn’t matter if it’s a system that runs PowerShell, or a user that runs PowerShell, or an administrator, we’re still going to control it equally in either of those or any of those different circumstances. So, as I said, the who isn’t as important to us as the what and the what it can do.
[Rich Stroffolino] All right, Rob, what’s one thing we didn’t ask about that we need to know?
[Rob Allen] So, amazingly we’ve got all the way through this conversation without mentioning the word zero trust once. Now, there’s probably a reason for that, which is realistically elevation control from our perspective, it’s not that much of a security product. It’s more of a convenience product. And realistically it’s actually taking away security, doing so in a limited way.
But if you just go back to what zero trust is, it’s about giving users what they need and no more. So, giving them the access they need, letting them run the things they need, storage control, giving them access to the data they need but no more. You want them to be able to fulfill their purpose, do their jobs, and no more.
And as I said, that is one of the central principles or tenets of zero trust, and that is very much what we work towards and adhere to.
[Rich Stroffolino] Well, that’s just about it for this episode of Security You Should Know. To learn more, head on over to threatlocker.com. Thanks to Mike Woods and Steve Zalewski for helping us learn more from ThreatLocker. And thanks to Rob Allen for your time and being game to answer all of these questions.
And thank you for listening to Security You Should Know.
[Voiceover] That wraps up another episode of Security You Should Know. If you like this program, please subscribe. Tell your friends and leave us a review. All companies showcased on this program are sponsors of CISO Series. If your company would like to be spotlighted and interviewed by our security leaders, go to our contact page on CISOseries.com or just email us at info@CISOseries.com.
Thank you for listening to Security You Should Know, connecting security solutions with security leaders.