The Same Person Keeps Showing Up. Here’s What He Keeps Saying.

Sponsored article

Eight episodes. Eight ThreatLocker products. One chief product officer who doesn’t sugarcoat anything.

Rob Allen, chief product officer for ThreatLocker, has been on Security You Should Know more times than almost anyone. And across eight episodes covering everything from application control to patch management to MDR, he keeps making the same argument: the industry is stacking detection tools on top of detection tools while ignoring the more fundamental question of what’s allowed to run in the first place.

What follows are our favorite moments from those conversations. If you’ve got feedback, you can join the conversation on LinkedIn.


The detection stack problem

The through-line across every ThreatLocker episode is a critique of how most organizations approach endpoint security. Rob Allen put it plainly in the DAC episode:

“You’d be amazed at how often we see this. We’ve got people with layers of antivirus, EDR, MDR, XDR, everything that ends with D and R — thinking that makes them safer, not realizing that all of those Ds and Rs are trying to detect the same known threats and very often falling over each other when they find them.” — Rob Allen, chief product officer, ThreatLocker

Shaun Marion, VP and CSO at Xcel Energy, named the tension first: “I think there’s a thin line between defense in depth and expense in depth.” Rob’s response was that true layered defense means combining different types of strategies, not stacking identical ones: control and detection together, rather than more detection on top of detection.

Listen to the full episode -> Understanding Application Control with ThreatLocker


What “default deny” actually reveals

Most organizations don’t know what’s running in their environments. That’s the finding Rob keeps coming back to, and it hits differently coming from someone whose job is to enumerate it:

“One big eye opener that pretty much every customer has is there are things there that they did not know about and would not have otherwise wanted. A lot of environments have five, six, or seven different remote access tools running on their machines. And they don’t know that.” — Rob Allen, chief product officer, ThreatLocker

The CrowdStrike moment (when a bug caused a failure in air travel) from the Application Control episode is worth including here because it is the best illustration of what this kind of visibility enables in a crisis. When Shaun Marion asked what safeguards prevent a ThreatLocker update from causing the same kind of damage that brought down millions of machines in 2024, Rob answered with process controls (smaller rollout batches) and then added:

“We were actually able to help quite a number of mutual customers. We created a storage control policy that blocked CrowdStrike’s access to the problematic .sys files. We got loaded before CrowdStrike and blocked it from accessing what caused the problem.” — Rob Allen, chief product officer, ThreatLocker

Listen to the full episode -> Understanding Application Control with ThreatLocker


Remote encryption, fish tanks, and why network segmentation isn’t enough

A statistic Rob dropped in the Network Control episode deserves more attention than it typically gets:

“Microsoft, in the Digital Defense Report last year, mentioned that 70% of successful ransomware attacks involved remote encryption. Something unprotected on a network encrypting data on something that is protected.” — Rob Allen, chief product officer, ThreatLocker

He followed that with the fish tank story. A casino in Las Vegas was attacked through a smart heater in an aquarium that was connected to the network. It reached a server. That server became encrypted. “Why does a smart heater in a fish tank need to connect to your server? Short answer, it does not.” The point is that perimeter segmentation doesn’t help when the attacker is already inside, and that dynamic policy enforced at the endpoint is a different kind of solution from anything the perimeter offers.

Listen to the full episode -> ThreatLocker’s New Solution to Network Control


On misconfigurations, monitoring, and zero trust

Andy Ellis, principal at Duha, described the misconfiguration problem in the DAC episode as precisely as it gets:

“Every configuration change away from the maximalist ‘permit everything’ default requires qualifying that it will work in the environment. The amount of energy we put into making every single configuration change basically is a Pigouvian tax on making any configuration changes at all.” — Andy Ellis, principal, Duha

The result is that temporary configurations become permanent. DAC runs 150 automated checks across every endpoint daily and maps findings against compliance frameworks before anyone has to ask.

On the monitoring side, Rob’s closing statement in the MDR episode was the bluntest thing he said across all eight conversations:

“You may have all the shiny tools in the world. Unless you have somebody watching your back 24/7, 365, they are as good as useless. You might as well throw them all in the bin. Attacks are not happening on a schedule or a cadence that suits you.” — Rob Allen, chief product officer, ThreatLocker

And in the Elevation Control episode, Rob connected all of it back to a principle he noted had gone unmentioned the entire conversation: “If you just go back to what zero trust is, it’s about giving users what they need and no more. That is very much what we work towards.”

Listen to the full episode -> Tackling Misconfigurations | MDR | Elevation Control


What eight episodes add up to

Application control, network control, storage control, web control, elevation control, patch management, DAC, MDR. Eight products, one argument: you can’t detect your way to safety, and the question “what are we allowing to run, and why?” is one that most organizations have never seriously answered.

The practitioners across from Rob in these conversations (CISOs and CSOs from GE Vernova, NextDoor, RSM, ChenMed, Xcel Energy) pushed back, challenged specifics, and mostly arrived at the same place. The default-deny approach isn’t a new idea. It’s just one that most organizations have treated as too hard to operationalize. ThreatLocker’s argument, across all eight of these conversations, is that it doesn’t have to be.

Explore the full library of ThreatLocker episodes on Security You Should Know at ciso-dev.davidspark.dcgws.com or visit threatlocker.com.

Thanks to our sponsor, ThreatLocker

ThreatLocker makes Zero Trust practical. With Default Deny, Ringfencing, and Elevation Control, CISOs get real control that’s easy to manage and built to scale. Stop threats before they execute and reduce operational noise without adding complexity. See how simple prevention can be at ThreatLocker.com/CISO.