Securing endpoints is a persistent challenge, especially in a hybrid working environment. The human factor is an unavoidable element of endpoint security, which means you have to be ready for a lot of unexpected behavior. Centrally managed policies for endpoints can only enhance security if they don’t compromise the flexibility the business needs.
In this episode, Rob Allen, chief product officer at ThreatLocker, discusses how their Network Control solution offers an endpoint-based firewall to protect these devices. Rob is joined by our panelists, Janet Heins, CISO at ChenMed, and Shaun Marion, VP and CSO at Xcel Energy.
Got feedback? Join the conversation on LinkedIn.
Huge thanks to our sponsor, ThreatLocker

Full Transcript
[Voiceover] Connecting security solutions with security leaders, Security You Should Know starts now.
[Rich Stroffolino] Welcome to Security You Should Know. Today, we’re talking about ThreatLocker and what they’re doing in Network Access Control. The problem they’re addressing is securing endpoints in a hybrid world, always a timely conversation, and something everybody is still trying to figure out.
Helping us get answers to these questions are Janet Heins, CISO at ChenMed, and Shaun Marion, VP and CSO over at Xcel Energy. Janet, I’m going to start with you. Why is securing these endpoints still a problem?
[Janet Heins] Sure. So we still have people on the other end of them, right? As long as that’s happening, we are going to find some challenges with securing them.
[Rich Stroffolino] All right, Shaun, is it just that simple? The human factor is always going to be the common denominator here.
[Shaun Marion] Yeah, my notes I wrote down here, I was like, “The human element.” I mean, we’ve been racing to the bare bottom for years, you know, to try to get as close as we can to the processor. But whenever you have the human involved, I mean, it’s going to challenge things.
[Rich Stroffolino] All right. Well, helping us get some answers to these and maybe taking some humans out of the equation here is Rob Allen, Chief Product Officer at ThreatLocker. We’re going to be talking about their Network Control solution. So Rob, to start out, we need to answer three essential questions.
How do I explain the value of this to my CEO? What does it do, what does it not do, and what is the pricing model? Can you help us out with these preliminaries?
[Rob Allen] I sure can. You want to sell it to your CEO? Tell your CEO that, “You ain’t going to get your data remotely encrypted,” is probably a good place to start, and we can get into that why and how in a couple of minutes. What does it do? So Network Control, it’s an endpoint-based firewall. So it allows you to do effectively network segmentation, but at the endpoint level, allows you to protect devices in the office, and that’s really important.
I know we’re talking about hybrid, but you have to consider lateral movement within an environment as well as being external as well. But also most of the people here are working from home, a lot of people work from Starbucks, from hotels, or road warriors, they’re basically everywhere, both behind traditional perimeter firewall.
So all of those devices need to be protected as well, and that’s what Network Control does.
[Rich Stroffolino] Excellent. All right. We’ve gotten some initial answers here, but we still got, I’m sure, a lot of questions. Shaun, what other questions do you have for ThreatLocker?
[Shaun Marion] Yeah. So if I take the description, or the short description you gave of like a Windows Firewall, I mean, you’ve got Windows Defender, you’ve got all the endpoint, EDRs, CrowdStrikes, all of that, which sound a lot like a Windows Firewall, and I’m sure that’s not the case. So what differentiates you from the solutions that are already out there?
[Rob Allen] So a couple of things. First of all, it’s centrally managed. So you set up your policies, your rule sets centrally rather than on individual devices, centrally logging, so you got visibility over what is happening from a network perspective, basically from one pane of glass. The other big differentiator is that it’s dynamic.
The policies that we can create are dynamic. So I can set something up that says, “Look, allow SQL, allow port 1433 on this firewall, only to these specific devices, these known protected devices.” So you’re not just opening a port to everything, or even to subnets or specific IPs, you’re opening dynamically.
Whether a port is open or not basically depends on what’s connecting to it. Trusted device, I said it’s okay, it’s going to be allowed to connect. Untrusted device, it isn’t.
[Rich Stroffolino] Janet, what questions do you have for ThreatLocker?
[Janet Heins] So going back to your statement of value to the CEO, how would you characterize the risks mitigated in business terms?
[Rob Allen] So the remote encryption problem is a huge issue. So, for example, Microsoft, in the Digital Defense Report last year, mentioned that 70% of successful ransomware attacks involved remote encryption. So something unprotected on a network encrypting data on something that is protected. There’s so many different examples.
There was a case last week where a video camera was used. So basically, they got into a video camera and encrypted data on a server from that. Going back to what I said about only trusted devices being allowed to connect, you can create policies that, “File shares, I want trusted devices to be able to connect to this file share.
Everything else cannot.” There’s so many different examples like that. I mean, one of my favorite…favorite’s a terrible use, but one of my favorite cyber-attacks over the last number of years was one on a casino in Vegas. Not the big one. Another one. But it took place from a smart heater in a fish tank.
Why does a smart heater in a fish tank need to connect to your server? Short answer, it does not.
[Janet Heins] So most of what you’re talking about, or the examples you gave, are the operational technology, the camera, the heater in the fish tank. It sounds like this works across all those endpoints. Is there anything where it doesn’t yet cover?
[Rob Allen] So it’s more about protecting your important network resources from those things, as opposed to protecting those things. As I said, it’s akin to network segmentation. We all know networks like flat networks are a big problem. Network segmentation is a good idea, but it can be a challenge or a struggle to implement it.
It can also be very expensive in terms of hardware and everything else and labor and resources and setting it up. This allows you to do, fundamentally, the same thing, but from the endpoint level. So you’re basically saying, “Look, these devices can connect, these things cannot,” but it’s very specifically done from the endpoint level.
[Shaun Marion] So maybe a use case example here if I could, Rob. I’m sure you’ve got an answer for this, so I hope it’s not a softball.
[Rob Allen] I hope so.
[Shaun Marion] The way you describe this, you know, seems like this would be fairly easy to implement in a small environment. But if we’re talking hundreds of thousands of devices and trying to manage who can talk to who, I mean, I think that was one of the biggest failures of NAC back in the day. I’m not saying you’re a NAC-type solution, but it’s just very, very hard to manage at scale.
So what is your answer to that? How do you guys overcome that to make it easier for the administrators to manage?
[Rob Allen] So we have customers exactly, as you described, hundreds of thousands of endpoints. I mean, look, it’s always going to be that level of size. It’s always going to be somewhat more complex than a typical SME or even medium-sized environment. But again, just because something is hard doesn’t mean something isn’t worth doing.
Just because it is challenging doesn’t mean it can’t keep you safe. As I said, those problems I mentioned them, Microsoft themselves are saying this is a huge issue. I mean, one other thing they mentioned in that report was that 90% of attacks involved unmanaged devices. So unmanaged devices of some description are used in 90% of ransomware somewhere attacks.
So again, just because something is difficult, challenging doesn’t mean it’s not worth doing. This is incredibly valuable.
[Shaun Marion] I hear that. The only challenge I would have for you is, that’s a lot of the reason why a lot of us, security leaders, moved away from things like DLP and others because they were the right things to do. They were just so challenging to implement. They eventually failed and then we pulled the investment and put it elsewhere.
Now, I will say that’s changing now as we see like ML and AI stepping and maybe doing some of those things for us, it’s simplifying. So I wonder, as you guys look further out, how does that apply to your stack? Are you guys integrating some of those capabilities? Do you see that in the future?
[Rob Allen] Possibly. It’s a very loaded question. I mean, fundamentally, we do use a little bit of AI in what we do, but not a huge amount. I mean, fundamentally, one of my frustrations with the cybersecurity industry as a whole has been this race to be, whose AI is better than who else’s AI, neglecting to remember and neglecting to mention that AI is just as likely to be used against you as it is with you.
One of the things that we try to avoid, particularly when it comes to Network Control, is building policies automatically based on what’s there or what’s happening because, again, you don’t know how much of what’s happening is good or bad or should be allowed or not. But again, when you are doing it centrally like this, just having that overall visibility of what network traffic looks like, what ordinary network traffic looks like…
I mean, you know what a file server is. You know the ports that a file server needs. You know what a DC looks like, what an ADDC looks like, you know the ports it needs. So it’s actually not that difficult to build out policies to allow the traffic that’s needed.
[Janet Heins] So one of my questions has to do… Well, I guess it’s a two-part question. From an implementation standpoint, how much time does it take to get up and running? Then what are the support resources required? So I have a small, pretty lean security team. So I have to think about who could take this on and what the requirement of that resource is.
[Rob Allen] Generally speaking, the way our implementations work is we ask customers for an hour a week. So just give us an hour a week, sit on a call, go through it with our solutions engineers who are the best in the business, and they will guide you through setting these policies up. Basically, they’ll show you how everything should work, they’ll show you, “This is old traffic now.
This is what we need to do and allow it,” basically get you up and running. After that, support and, again, best in the business, and it is pretty commonly known. 24/7/365, no AI. Sorry about that John, but no AI. Human being at the end of a chat, somebody who’s ready to help you, as I said, 24/7/365.
It’s super, super important. I mean, what we do is powerful, but with great power comes great responsibility. You need somebody available to help you whenever you need to help. So it’s really important to us.
[Shaun Marion] Maybe you answered it and I don’t remember, but it would have come from Rich, which is the pricing model for the platform. How is that structured, and what is the model?
[Rob Allen] Surprising and reasonable is the answer to the question. I mean, this is obviously part of an overall endpoint protection platform. So it’s not just a Network Control solution. It’s an allow-listing solution. It’s got ring-fencing, it’s got Network Control, it’s got storage control, we’ve got a privileged access management elevation aspect to it as well, we’ve got EDR and MDR as part of it as well.
So it’s all part of a platform. Obviously, you can get everything if you want. If not, if you’re just interested in one part or a couple of parts of it, you can get those, one or a couple of parts as well. Obviously, pricing depends on scale. If it’s 50 endpoints, it’s going to be a certain price. If it’s 50,000 endpoints, it’s obviously going to be a much lower price.
So there’s no one answer to the question you just asked, but reach out to our guys, talk to the team, and they’ll be happy to give people ideas.
[Shaun Marion] I will say just as a kudos. I ask a lot of vendors, “How does AI/ML slide into your long-term strategy?” They either have an answer or they don’t, and when they don’t but they try to have an answer, if that makes sense, that you can kind of pick through it. So I would rather you say, “It’s not on the radar, it’s not what we’re looking at,” like that is…
Because it’s not for every solution. It doesn’t fit every situation, so I totally get that.
[Rob Allen] No. As I said, there are certainly aspects to it, there are things… I mean one of the more recent additions to our product portfolio is web control. So basically, web filtering fundamentally. We’re actually using some AI in categorizing websites. So it’s an additional check like, “We have this website categorized as a dual content.
Is it a dual content?” So we’re using little bits of it like that but, fundamentally, we don’t believe that the decisions that should be made, if there are decisions, should be made by an AI because, realistically, they get things wrong, probably just as often, if not more often than human beings do.
But certainly, we believe in educating or helping people make educated decisions, and if we augment that information that we’re giving to the people with AI, that’s fine.
[Janet Heins] So can you tell us what you replace, because I think I heard you say EDR, MDR. Yeah, whenever we’re looking at new things, it’s nice to know, “Oh, we can maybe eliminate something already in our portfolio.”
[Rob Allen] Probably quite a lot is the short answer to that question. I mean, we’ve got customers that we… Look, in many cases, people are using allow listing. So we can certainly replace anything that does allow listing. I mean, that’s pretty much a no-brainer. Similarly, privileged access management, we can do that much better, much safer.
As I said, EDR and MDR, I mean, the difference between us and some of the other EDR-MDR vendors is that we see EDR and MDR as complementary to those other things that I mentioned. So the controls that we offer, the allow listing, ring-fencing, et cetera, they’re the primary level of protection. They’re what’s going to keep you safe.
The EDR and MDR are basically going to tell you if something’s going on, hopefully, while it’s not actually able to get on, or to go on, if that makes sense. So you’re far better off knowing about an attack that’s been blocked from happening than you are to know about an attack that is active and underway.
So, yeah, we can pretty much tick all of those boxes for people. Plus, as I said, things like web control and patch management, which we’ve recently added.
[Shaun Marion] So going back to… It’s a flip on, “How do we sell this to the CFO?” but maybe a question to you. So a lot of times, I’m having conversations with my engineers and analysts. So aside from the obvious, ideally, I can shrink my tool stacks, they’ve got less to manage, but how does this make their lives easier?
What’s in it for them, and what would make them want to reach out to you guys?
[Rob Allen] So if you want, so our general way of looking at things is deny by default. So that applies to Network Control as well. So what we want to get to, ideally, is a position where we’re blocking all network traffic except that which we want. Now sometimes people can get scared by that, worried by that, they think, “That sounds like a hell of a lot of work.” But you can actually be really specific and really, really targeted with this as well.
So for example, you can target an individual port. So you can have a permit and a deny for a particular port. So SMB being a great example. File shares. So I can say, “Look, block all access to file shares on these servers or this set of servers,” and then I can have another policy, which says, “Permit the same ports for only these devices.” So we’re not blocking all network traffic, we’re not interested in everything else, and the same would apply to like RDP for example.
So block RDP across everything, only allowed on this specific set of devices. So you can be really, really targeted with this. You can get a lot of, as I said, value. You can get a lot of security from not a lot of work.
[Janet Heins] You talked about one pane of glass. How does that work with integration with other existing tools I have? So for example, a SIEM.
[Rob Allen] I actually hate myself for using that expression, one single pane of glass. It’s terrible but, yeah, I mean, fundamentally, we can export logs directly from our agent to any number of different SIEMs, send them out via API calls, or whatever the case may be. So if you want to get… I mean, you do have all of the information within the ThreatLocker portal, but if you want to get that information from the ThreatLocker portal to somewhere else, you can just send them out directly from the devices themselves.
A lot of customers do that already.
[Shaun Marion] Maybe to turn it back on you, so what questions should we have asked that you’re just shocked we didn’t ask that we should have?
[Rob Allen] The thing about Network Control from our perspective is it’s not just outside the network. A lot of people think about it as, it’s people at home, it’s remote workers, it’s all those kinds of things. As far as we’re concerned…and it comes back to this principle or this idea of assume breach.
So assume they’re already in, they’re on your network right now, what can they do? They’ve got access to Shaun’s computer. Where can they go from there? If you basically apply the principle of deny by default, the network internally, as well as outside the network, you’re going to be far, far better off.
You’re going to, at very worst, slow these attacks down, but in a lot of cases, you’re going to stop them at that point because if I get onto Shane’s machine and I can’t get any…Shaun’s machine, I can’t get any further than that, then realistically, that’s attack stopped at that point. So again, don’t just think about when people are outside the firewall, also think about when people are inside as well, because realistically, that’s where most of these attacks, if not start, it’s certainly where they’re going to proliferate.
[Rich Stroffolino] Well, that’s about it for this episode of Security You Should Know. Like Rob said, to learn more, head on over to threatlocker.com. A huge thank you to Janet Heins and Shaun Marion for helping us learn more about Network Control, and thanks to Rob Allen from ThreatLocker for your time and being game to answer all of these questions.
Thank you for listening to Security You Should Know.
[Voiceover] That wraps up another episode of Security You Should Know. If you like this program, please subscribe, tell your friends, and leave us a review. All companies showcased on this program are sponsors of CISO series. If your company would like to be spotlighted and interviewed by our security leaders, go to our contact page on CISOseries.com or just email us at info@ciso-dev.davidspark.dcgws.com.
Thank you for listening to Security You Should Know, connecting security solutions with security leaders.