Tackling Misconfigurations with ThreatLocker

Misconfigurations represent one of cybersecurity’s most persistent and damaging vulnerabilities. Organizations often fall into the trap of deploying tools with overly permissive “permit everything” default settings, only to struggle with the operational overhead required to lock them down properly. Every configuration change away from these permissive defaults requires extensive testing and validation, creating what amounts to a prohibitive tax on implementing proper security controls. Is it any surprise that teams leave dangerous temporary configurations in place indefinitely?

In this episode, Rob Allen, chief product officer at ThreatLocker, explains how their Defense Against Configuration (DAC) solution addresses these challenges through automated daily security checks across Windows endpoints that identify common misconfigurations before they lead to breaches. Joining him are Andy Ellis, principal at Duha, and Montez Fitzpatrick, CISO at Navvis. The conversation explores how DAC’s automated checks map misconfigurations against compliance frameworks, while ThreatLocker’s broader platform consolidates multiple security functions into a single low-impact agent that can replace multiple endpoint tools.

Got feedback? Join the conversation on LinkedIn.

Huge thanks to our sponsor, ThreatLocker

Human error remains one of the top cybersecurity threats. Just one wrong click can open the door to ransomware or data loss. With ThreatLocker, unauthorized apps, scripts, and devices are blocked before they can ever run. See how ThreatLocker can help you gain more control over your environment. 
Threatlocker.com/CISO

Full Transcript

[Voiceover] Connecting security solutions with security leaders, Security You Should Know starts now. 

[Rich Stroffolino] Welcome to Security You Should Know. Today, we’re going to be talking with ThreatLocker and what they’re doing with their Defense Against Configuration or DAC solution. Now, the problem that they’re addressing is that misconfigurations continue to be an unsolved Gordian knot within cybersecurity.

Helping us try to get answers to this problem are Andy Ellis, the principal at Duha, and Montez Fitzpatrick, CISO at Navvis. Montez, I’m going to start with you. Why are we still struggling with misconfigurations? 

[Montez Fitzpatrick] Thank you, Rich. That is the second great question, just after the purpose of life. 

[Rich Stroffolino] [Laughter] 

[Montez Fitzpatrick] Why we struggle with misconfigurations, I believe, in large part is because we often take the default configuration, and that is our permanent configuration. Temporary permanent is what I like to call it. It’s a problem. We get sold on all this tooling.

We sometimes forget about the professional services or the installation of that tooling, and we just sort of turn it on and leave it go. 

[Rich Stroffolino] All right, Andy, I’m going to come to you with the same question. Why are we struggling with misconfigurations? 

[Andy Ellis] Well, Montez mostly just stole mine, right? We start with maximalist configurations, then we deploy things on top of it, and every single configuration we want to change away from that maximalist permit everything, we have to qualify that it will actually work in that environment.

And if something goes wrong, configuration’s fault or not, everything comes to a halt. So, the amount of energy we have to put into making every single configuration change to make sure that it is safe basically is a Pigouvian tax on making any configuration changes at all.

[Rich Stroffolino] All right. Well, today we’re going to be talking with Rob Allen, one of our favorite people to have on Security You Should Know, the chief product officer also at ThreatLocker. To start out, we’re going to be answering three essential questions.

Rob, you are well versed in these. So, how do I explain the value of your solution to my CEO? What does your solution do and what does it not do? And what is the pricing model? Can you help us out? 

[Rob Allen] The value proposition, again, can you put a value on not getting hit by ransomware and not being data breached? Probably we cost a lot less than that. That answers the third question. What do we do? We basically apply controls for the most part to the conversation we’re about to have.

We don’t try and find everything that’s bad. We instead work on the principle of default deny. So, basically block everything that isn’t explicitly allowed. It’s a slightly different approach to cybersecurity, but an extremely effective one. And I think I’ve answered the third question already if I’m not much mistaken.

[Rich Stroffolino] You are not mistaken at all. Do you want to just give a quick overview of what Defense Against Configuration is just for the benefit of the panelists? 

[Rob Allen] Yeah, certainly. It basically comes from the fact, I mean, I was actually at a Gartner event recently in Brazil, and one of the slides they had up was extremely relevant to this conversation, and it said 61% of security leaders have suffered a breach because of misconfigured controls in the last 12 months.

And that’s pretty much what we’re aiming at with Defense Against Configurations. It’s about identifying these things, these problems, these misconfigurations before they turn into a breach. 

[Rich Stroffolino] All right. Well, esteemed security leaders, you’ve gotten a taste for this solution, but I’m sure you have lots of questions. Andy, I’m going to start with you. What other questions do you have for ThreatLocker about DAC? 

[Andy Ellis] So, here’s my first question. What environment do you operate in? Is this my endpoints? Is this my cloud? Is this hybrid? What’s covered? What’s not covered? 

[Rob Allen] Endpoint is a short answer to that question. Now, right now, DAC is Windows only, but basically endpoint and Windows. So, we have an agent that is installed on pretty much every endpoint, whether it be workstations, servers, laptops, everything, and each of those agents is obviously doing other things.

As I said, we primarily focus on control. So, it’s allowlisting and ringfencing and network controls and all those kinds of things, but we’ve also now built into that these DAC checks. So, it’s 150 checks basically performed pretty much every day in every machine looking for common misconfigurations.

So, things like firewall rules or overly permissive firewall rules or misconfigurations or USB drive access is permitted. As I said, there’s 150 different checks that are performed every day, and then they’re mapped against various frameworks. So, you’re interested in ISO 27001, or you’re interested in SOC 2 Type 2 or HIPAA or whatever the case may be.

We’ll basically map any of the misconfigurations against those different frameworks so you can get yourself into a better position. 

[Rich Stroffolino] All right, Montez, I’m going to come to you. What questions do you have for ThreatLocker and for Rob? 

[Montez Fitzpatrick] So, I’ve got two. I won’t say the first one yet because I want Rob to still like me. 

[Laughter] 

[Montez Fitzpatrick] And so, now the second question, which is now the first. How about our friends over that are doing operational security? Do you have a very large contingent with that? So, I’ve had a lot of discussions lately about reliability engineering and just some of the endpoint, the solutions out there can really put a very heavy tax on that.

So much so that a lot of my compadres tend to run without endpoint protection. 

[Rob Allen] Really? Well, there’s a really short answer to that question, which is because most of the decisions that we’re making are binary, they’re yes or no, they’re should this hash of a file be allowed to run or should it not? It’s actually extremely low impact.

It’s minimal. You’re talking about zero to 1% CPU and a couple hundred megs of RAM. So, we’re not using AI or black magic to make decisions about what’s good or bad. We’re not scanning a system constantly looking for, again, trying to identify all the bad things.

We’re literally just waiting there for something to happen, something to try and execute, and we say yes or no based on a set of rules. So, it’s really, really low impact. 

The other thing is we do also offer as part of the solution – so obviously, I mentioned allowlisting, ringfencing, network control. So, there are three different parts of the system. We also have web control. We’ve got patch management now built into it as well.

So, fundamentally, we’ve got a detection platform too, which is our EDR. So, fundamentally, we could probably replace three, four, in some cases maybe five different agents that people have installed on their machines with one agent, one portal to manage it, one bill to pay.

So, the idea or the hope is that you could get rid of a lot of those other things that you’re already running to reduce that footprint. 

[Andy Ellis] Just going to actually ask you that question, which is what do I get to get rid of? So, I’m going to flip it and say, what do I still need to keep? Obviously, you’re not solving every single endpoint problem I’ve got. What are the sort of core players?

If I’ve got DAC, what else do I still need to make sure I’m focused on? 

[Rob Allen] So, what I would say is we’re not an antivirus. Now we do integrate quite heavily with Windows Defender. I mean, it’s something that we’ve commonly said for years that ThreatLocker basically uses ThreatLocker and Windows Defender. That is our stack for all intents and purposes.

So, realistically, an antivirus of some description, again, they’re not great, but you do generally have to tick a box to say, “We’ve got an AV.” But we can pretty much, as I said, replace everything from web filtering agents to EDRs to you name it pretty much.

But what I’d say is realistically, an AV is probably all you need if you’re using all of ThreatLocker’s components. 

[Montez Fitzpatrick] This really touches on the first question I was going to ask, really. And so, maybe it’s sort of…

[Rob Allen] Is this the one that we’re going to fall out about? 

[Montez Fitzpatrick] Yeah, maybe, maybe. 

[Rob Allen] I don’t want to fall out with you.

[Montez Fitzpatrick] I promise not to talk about breakfast, but…

[Rob Allen] Okay, yeah, that’s fine. Then we’re not going to fall out. We’ll be cool, we’ll be cool. 

[Montez Fitzpatrick] [Laughter] Absolutely, I’m cool with everybody. And so, I was actually going to talk about like co-location of the stack. So, if I were to layer upon some defenses, right? And we all know that maybe it may not be a good thing to have multiple antivirus on a singular work computer, right, unless you’re doing like some sort of bastion host or something.

But how nicely do you play with other vendors who are, basically, have small overlaps, right? So, like, what if I really want to use ThreatLocker, but I’m deeply embedded with another vendor there, are you going to play nicely with what I have? 

[Rob Allen] Absolutely. I mean, fundamentally, for the most part, they do different things to what we do. So, as I said, we’re a yes or no there, hmm, is this good or is this bad? Now, you could argue that layering different types of strategies or different types of approaches is very much a good thing.

I mean, that’s what layered defense looks like. It’s okay, I’m going to apply controls, but I’m also going to have detection on top. So, if a control is, for example, to the point of DAC misconfigured, at least I have another layer of protection. Very often the issue we see though, and you mentioned people with three antiviruses, I mean, you’d be amazed at how often we see that.

We’ve got people with layers of, they’ve got an antivirus, they’ve got an EDR, they’ve got an MDR, they’ve got an XDR, they’ve got everything that ends with D and R thinking that makes them safer, not realizing that all of those Ds and Rs are trying to D the same thing.

They’re trying to detect the same known threats and very often falling over each other when they find them. 

[Montez Fitzpatrick] I had the same problem in college. 

[Rob Allen] [Laughter] 

[Andy Ellis] I now have this vision of like the Keystone cops of DRs running around and like running into each other. 

[Rob Allen] Yeah, look, the fact of the matter is detection is important, detection is valuable, but the problem is when detection is your only layer, if something is not detected, it’s game over. And detecting and knowing everything that’s bad has been proved, I think, to be pretty much impossible.

[Andy Ellis] Right, so you’re aiming to be preemptive both first by having configurations that just don’t even allow certain things. 

[Rob Allen] Correct. 

[Andy Ellis] But also by being able to preempt an adversary like sort of in flight, “Oh, they did get something on the box, but let’s not let it run.” 

[Rob Allen] Absolutely. I mean, ideally you want to be detecting and responding to things that are attempted and unsuccessful rather than detecting and responding to something that is in progress and is successful. 

[Andy Ellis] So, question. Assume I’ve got a big SIEM already, got an MSSP it’s managing, I assume you plug into other SIEM products. So, if I don’t want to use your pane of glass, I can still work with that? 

[Rob Allen] Absolutely. You can send information out wherever you want. Interestingly, we have one of our recently added capabilities is we now have what we call a Syslog ingestor. So, I would describe it as a step on the road to us becoming a SIEM. It is not making us a SIEM immediately, but it is a step on that road.

So, we obviously have an incredible amount of information, of metadata coming from everybody’s machine, any of the agents that we’ve installed. One of the holes in that visibility has always been things like firewalls and switches and access points, etc.

So, we do actually have a method now of ingesting all of those logs along with all of the endpoint logs into one place, which is our portal. But as I said, if customers want to send information elsewhere, they’re absolutely more than welcome to. 

[Montez Fitzpatrick] So, what would you say to an intrepid and handsome young security professional such as myself and Andy, and Andy?

[Rob Allen] [Laughter] I like the “and Andy” at the end. 

[Montez Fitzpatrick] At the end, qualify it. Without qualifying the whole thing. 

[Andy Ellis] I appreciate that.

[Rob Allen] [Laughter] 

[Montez Fitzpatrick] Yeah, you’re very welcome. And so, many a good product has gone the way of the Dodo by getting in the way of the non-tech business executive. So, how do we ensure that we install ThreatLocker and ThreatLocker stays ascribing to workflow?

I won’t mention any names of any to speak ill of the dead, but out there this has been tried several times and it’s always a great idea, but sometimes it crosses the wrong person and gets gone. 

[Rob Allen] You’re saying when the rubber hits the road, basically.

[Montez Fitzpatrick] Yeah, exactly.

[Rob Allen] Yeah, no, and look, first of all, you’re not necessarily applying the same restrictions to everyone if you’re not tarring everybody with the same brush. So, basically, you’ve obviously got techs who’ve got specific requirements in terms of what they can do.

You don’t apply the same rules to your finance department as you would to your techs, for example, because your finance department don’t need to be opening PowerShell and navigating to Microsoft 365 to run PowerShell scripts, and it just isn’t a thing in finance.

So, the same would apply to C-suite, the same would apply to whoever else you’ve got concerns about. You don’t need to apply the same restrictions and controls to everybody. 

So, I mean, for example, I suppose the core of what we do with application control is deny by default. So, block everything that isn’t explicitly allowed. I don’t want to say it too loud, but technically you don’t have to do that. So, you could, instead of doing default deny, you could say, “Okay, I’m going to do a default permit, but I’m going to ringfence everything that hits that default permit.

So, I’m going to stop it from accessing my files. I’m going to stop it from reaching out to the internet.” So, even if our executive who didn’t want to be controlled in any way is allowed to run everything he wanted, even if he runs ransomware, it’s not going to be able to get access to my files or to reach out to the internet.

So, there are ways to solve that particular problem. As I said, it fundamentally comes down to not tarring every user with the same brush. 

[Rich Stroffolino] All right, we’ve got time for about one more question. 

[Andy Ellis] Here’s the easy one. Let’s say I wanted to buy it today, which would be weird because I don’t have any Windows boxes in my environment, but hypothetically. 

[Rob Allen] Well, we got Linux as well. We’ve got Macs too, so. 

[Andy Ellis] Ooh, Mac could be good. 

[Rob Allen] Yes. 

[Andy Ellis] What does the installation process look like? How long until I’m seeing value? What am I going to have to go through to roll this out into my environment? Like is this a quick agent talking to a cloud? Am I rolling out building something myself?

What does that look like? 

[Rob Allen] Oh, it’s cloud management agent based. You basically just roll out your agent using whatever you use to roll out software with. In terms of when are you going to see value? Pretty much immediately. So, what you’re going to get fundamentally is a list of everything that’s running in your environment.

You’re going to see every single piece of software. We’ve got product research, so where that software’s made, what country it was encoded in, what it is. So, you get that pretty much immediately as soon as you deploy the agent. The DAC controls, the Defense Against Configuration information will come through within 24 hours.

So, basically within 24 hours, you’ll get a pretty good picture of what your environment looks like from a software perspective and from a configuration perspective. 

Now, obviously, it’ll take a little bit more than that to create policies to get that default deny operational. You’re probably talking maybe two, three weeks typically, depending on the size of the environment. But no, it’s a really easy process. And again, I’d always encourage people to try it out.

Just deploy an agent, see what you see. There will be some surprises there, I can pretty much guarantee it, whether it be a random remote access tool running on somebody’s computer, or as I said, inbound RDP connections. There are going to be surprises there and it doesn’t cost anything to try it out.

[Rich Stroffolino] All right, Rob, what’s one thing we didn’t ask about that we need to know? 

[Rob Allen] What’s my other favorite term for DAC? Dumbass Configurations. 

[Laughter] 

[Andy Ellis] I thought it was going to be a joke about the Cowboys quarterback. 

[Montez Fitzpatrick] That’s not where I thought we were going, but I like it. 

[Laughter] 

[Rob Allen] Yeah, no, that was my affectionate term for DAC was Dumbass Configurations, but I was overruled, I was outvoted, and it ended up being called Defense Against Configurations. 

[Rich Stroffolino] Well, that’s just about it for this episode of Security You Should Know. To learn more, head on over to threatlocker.com. And if you have any feedback for this show, send it over to us at feedback@CISOseries.com. A huge thank you to Andy Ellis and Montez Fitzpatrick for helping us learn more about ThreatLocker, and a huge thank you to Rob Allen for your time and being game to answer all of these questions.

And thank you for listening to Security You Should Know. 

[Voiceover] That wraps up another episode of Security You Should Know. If you like this program, please subscribe, tell your friends, and leave us a review. All companies showcased on this program are sponsors of CISO Series. If your company would like to be spotlighted and interviewed by our security leaders, go to our contact page on CISOseries.com or just email us at info@CISOseries.com.

Thank you for listening to Security You Should Know, connecting security solutions with security leaders.

Rich Stroffolino
Rich Stroffolino is a podcaster, editor, and writer based out of Cleveland, Ohio. Since 2015, he's worked in technology news podcasting and media. He dreams of someday writing the oral history of Transmeta.