A “Best-of” compilation article, sponsored by ThreatLocker
Zero Trust has achieved near universal buy-in. Even the federal government is on board. So why does implementation keep lagging, and why are we so fearful of the phrase “deny by default”?
It sounds like we’re shutting down the business. We’re not. And you’re not.
The phrase sounds so ominous. Locking things down will break workflows, frustrate users, and generate more tickets than the security team can handle. But if handled well through properly vetted exceptions, it allows the business to run smoothly while also providing a strong initial security control that greatly reduces your attack surface.
Here’s what cybersecurity leaders actually think about what “default deny” means, why it works, and how to make it palatable to the business.
It starts with a state of mind
Default-deny isn’t a product you deploy. It’s a posture you adopt, and that distinction matters before anything else changes.
“Zero trust is a state of mind. If you’re fundamentally changing the state of mind, you’re going to have a lot of consequence.”
Steve Zalewski, co-host, Defense in Depth
Organizations that succeed with it go in with their eyes open, prepared for the cultural and process conversations that follow.
Assume the software is already compromised
Every security professional knows this to be true, but few state it this plainly.
“You have to assume that the software that you’re using right now is full of holes because the software that you use right now is full of holes.”
Rob Allen, chief product officer, ThreatLocker
If you accept that premise, a “default allow” posture means every piece of trusted software on your network is a potential attack vector. The question isn’t whether to restrict execution. It’s how.
Block execution, not just access
Rather than chasing every CVE, default-deny changes what an adversary can do even after they’ve found a hole.
“If you block that something from running by default, then you don’t really need to worry about the vulnerability as much.”
Rob Allen, chief product officer, ThreatLocker
Most breaches progress because something runs after entry: a payload, a script, a remote access tool. Default-deny stops that progression at the source.
Controls aren’t about distrust; they’re about reality
Security leaders sometimes worry that “deny by default” sends the wrong message to employees. That framing misses the point.
“Training is really important, but you have to work on the assumption that they will make mistakes. So, if they do, what controls can we put in place that will stop an attack from progressing?”
Rob Allen, chief product officer, ThreatLocker
Controls exist because humans are fallible, not because they’re malicious. “Default deny” is how you ensure that an inevitable mistake doesn’t become a breach.
Don’t let good tools do bad things
Necessary tools like PowerShell and browsers live in every environment. Allowing them doesn’t break the model.
“The point with something like PowerShell is not about stopping it from running because it’s a useful tool and it’s a valuable tool for most administrators. It’s about controlling what it can do. So, ‘deny by default’ what PowerShell is allowed to do.”
Rob Allen, chief product officer, ThreatLocker
PowerShell is confined to its defined set of permitted actions, and phoning home to a malicious server isn’t one of them.
Learn from the CEO who got egg on his face
The best argument for prevention-first security is sometimes a cautionary tale from someone who bet on detection and lost.
“The biggest mistake I ever made was assuming something did what it said on the tin. I fought like hell to get a new security product and I said it was going to stop all of our virus problems, and I got egg on my face.”
Danny Jenkins, CEO, ThreatLocker
If the tool you’re relying on needs to see an attack to stop it, you’re already a step behind. “Default deny” means the attack has to get past a locked door before detection even enters the picture.
The bottom line
The organizations that have successfully implemented “deny by default” stopped thinking about it as a restriction and started thinking about it as a foundation. They didn’t break the business. They protected it.
Big thanks to our sponsor, ThreatLocker

ThreatLocker is a global leader in Zero Trust endpoint security, offering cybersecurity controls to protect businesses from zero-day attacks and ransomware. ThreatLocker operates with a default-deny approach to reduce the attack surface and mitigate potential cyber vulnerabilities. Learn more at ThreatLocker.com.