As cyberthreats continue to increase, it is critical for organisations to ensure greater protection and smoother experiences for their users. Rob Allen, VP of Operations for EMEA at ThreatLocker and a seasoned IT Professional with over two decades of experience, speaks to Intelligent CIO’s Arrey Bate about how organisations can ensure a seamless approach to cloud solution adoption and reduce their exposure to attacks.
What are some of the strategies and products used by organisations to protect their networks and endpoints today?
For a long period of time, people built their security entirely around antivirus. That means they assumed they were protected from threats if they had an antivirus working. But several cyberattacks have proven that security on antiviruses alone is limiting as they function on definitions and signatures.
So, people moved to use EDR, MDR and XDR, which are tools used for detection and response. These tools don’t depend on definitions and signatures; they are based on behaviours and heuristics, and are fundamentally more successful than antivirus because they are good at stopping and blocking known threats. But the limitation is that recent threats come from both known and unknown destinations. Zero days are a great example of threats like that, as hundreds of new pieces of malware are released every day.
So, while EDR is in many ways better than antiviruses, it still provides little security from unknown threats and this clearly demonstrates the evolution in strategies and products organisations have used to protect their networks and endpoints. Today, Zero Trust is the answer to safely securing all endpoints and protecting networks and data from both known and unknown attacks.
What are some of the challenges to endpoint security deployments?
The most common challenge is in configuring and setting tools properly. An EDR is only as good as its configuration and we have seen multiple examples of good tools that are misconfigured to offer little or no protection.
Another challenge is what I term ‘notification fatigue’. These tools are configured to alert when something is going wrong and will usually produce two to five alerts daily. In cases where more than one hundred alerts are produced per day – and these alerts must be checked for security reasons – this produces notification fatigue. Whether responses are automated or manual, these responses must be investigated. So, notification fatigue is a major challenge with the traditional approach.
What would you say is the best approach to implementing the right endpoint security strategy?
My experience serving multiple brands across the world has taught me that EDR and AV each have their place in providing different levels of security and that’s where a lot of organisations may get compromised.
My belief is that combining these approaches with their controls produces a sweet spot from a cybersecurity perspective. And this is where Zero Trust comes in, where detection and controls are based on binary decisions. So, it comes down to rules, controls and absolutes rather than decisions as to whether things are good or bad.
What is Zero Trust and how can the lack of proper implementation lead to security vulnerabilities for a company?
Probably the best definition I have read was in the US government’s comprehensive federal response to the cyberattack targeting the Colonial Pipeline. In May 2021, the US Colonial Pipeline fell victim to a cybersecurity attack that involved ransomware, forcing it to temporarily shut down all pipeline operations. Colonial transports nearly half of the East Coast’s fuel supply through a system that spans over 5,500 miles between Texas and New Jersey. This pipeline supplies the military and transports gasoline, diesel, home heating oil and jet fuel.
The US government, in a bid to fortify its security, released an executive order mandating Zero Trust for all organisations or groups already doing business or intending to deal with the federal government. As part of this mandate, the government defined what it meant by Zero Trust. A part of it said it’s about ‘removing implicit trust. Assume a breach is inevitable or has already likely occurred. So, constantly limit access to only what is needed.’
I think that’s a brilliant way of approaching Zero Trust and security, to assume the bad guy is already in your system. And if you’re removing implicit trust, this means you’re adding explicit trust. When organisations approach security by assuming the bad guy already has access to their servers and knows all their passwords, and make a conscious effort to limit access to only what is needed, that approach will change their security level.
What are some of the benefits an organisation will enjoy by implementing the right Zero Trust platform approach?
First, it gives administrators complete control over what runs on the machines and control is such a key factor. Working in this business for over 20 years, a handful of problems we encounter come from letting users run whatever they feel like running.
At ThreatLocker, we authorise administrators to stop people from running operations they shouldn’t be running. It’s called ‘denial by default’ rather than ‘permit by default’ and this is one step ahead of the traditional approach. So, one major benefit an organisation will enjoy by implementing the right Zero Trust platform approach is control – and this control is based on the concept which allows you to trust but verify.
How unique is ThreatLocker’s cybersecurity approach and how do you help clients to protect their networks and assets in an environment that is increasingly complex and digitally hostile?
At ThreatLocker, we start with the principle of default deny, which is: ‘If it doesn’t need to run, don’t let it run and if it needs to run, let it run.’ This removes implicit trust and adds explicit trust.
In terms of a solution, we make it easy and manageable for small and medium businesses to implement Zero Trust within a short period of time. We do a lot of work for organisations in terms of onboarding by learning their environments, understanding where they are security-wise and creating a list of policies and rules to secure their systems.
Basically, ThreatLocker builds a Zero Trust security solution that offers a unified approach to protecting users, devices and networks against the exploitation of zero-day vulnerabilities. We do this through an endpoint security platform that puts you in control with application allowlisting and ringfencing to stop the use of vulnerable software, controlling application elevation, storage and network traffic. So, when businesses under our security step outside their boundaries, ThreatLocker steps in to stop attacks and vulnerabilities.
But cybersecurity is not always about bad things, malware and ransomware being stopped, it’s also about preventing data leaks and stopping data from being stolen. Protecting data is probably the most important thing any IT department or administrator network can achieve. We have experienced ransomware attacks with attackers leaving notes that say ‘we have offloaded X and X amount of your data and will start releasing it on this day…’.
This recently happened with an Irish university where their data is being released on the Dark Web and that’s what causes organisations to pay a ransom. The reality is, most organisations generally have backups that can be restored at any time, so they’re not paying for the data that has been stolen, but for private data that’s about to be released on the Dark Web and other public places. A good example is the attack on the health service with wide-ranging implications affecting the system used to dispatch ambulances, book out-of-hours appointments and issue emergency prescriptions.
So, security is not just about bad things being stopped, but good things that can be misused and that’s where ThreatLocker comes in. We give you complete control to manage your applications and protect endpoints, enable you to block ransomware, gain control over storage devices and network shares and most importantly gain admin control and permissions without stopping productivity.
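The default-deny and ringfencing ideas in this answer can be shown as a small policy engine. The code below is an added illustration written for this page; it is not ThreatLocker’s product or code. The rule fields (hash, path prefix, allowed hosts and paths), the Windows-style paths, the hostnames and the process-launch events are all constructed assumptions. It evaluates the same three launches under ‘deny by default’ and ‘permit by default’ so the difference in outcome is visible, and then applies the ringfence to the one application that was explicitly trusted.

```python
"""Toy default-deny application control with ringfencing.

Added example only (not ThreatLocker code). Rules, paths, hostnames and
launch events are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Optional, Tuple
import hashlib


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


@dataclass(frozen=True)
class AllowRule:
    """Explicit trust for one application, plus the boundary it may act within."""
    name: str
    sha256: Optional[str] = None            # pin the exact binary (strongest)
    path_prefix: Optional[str] = None       # or trust a directory (weaker)
    allowed_hosts: frozenset = frozenset()  # network ringfence
    allowed_paths: frozenset = frozenset()  # storage ringfence (path prefixes)

    def matches(self, path: str, digest: str) -> bool:
        if self.sha256 is None and self.path_prefix is None:
            return False  # an empty rule trusts nothing
        if self.sha256 is not None and self.sha256 != digest:
            return False  # same path but different bytes: not the trusted binary
        if self.path_prefix is not None and not path.startswith(self.path_prefix):
            return False
        return True


class PolicyEngine:
    def __init__(self, rules, default_deny: bool = True):
        self.rules = list(rules)
        self.default_deny = default_deny

    def decide_exec(self, path: str, digest: str) -> Tuple[str, Optional[AllowRule]]:
        """A matching rule grants explicit trust; otherwise the default applies."""
        for rule in self.rules:
            if rule.matches(path, digest):
                return "ALLOW", rule
        return ("DENY" if self.default_deny else "ALLOW"), None

    def decide_ringfence(self, rule: Optional[AllowRule], kind: str, target: str) -> str:
        """Even a permitted app is confined to what its rule lists."""
        if rule is None:
            return "DENY" if self.default_deny else "ALLOW"
        if kind == "network":
            return "ALLOW" if target in rule.allowed_hosts else "DENY"
        if kind == "file":
            return "ALLOW" if any(target.startswith(p) for p in rule.allowed_paths) else "DENY"
        return "DENY"


# Constructed stand-ins for file contents and paths.
ACME_BINARY = b"constructed acme.exe build 1"
ACME_PATH = "C:\\Program Files\\Acme\\acme.exe"
RULES = [
    AllowRule(
        name="Acme client",
        sha256=sha256_hex(ACME_BINARY),
        path_prefix="C:\\Program Files\\Acme\\",
        allowed_hosts=frozenset({"updates.acme.example"}),
        allowed_paths=frozenset({"C:\\ProgramData\\Acme\\"}),
    ),
]

# Constructed process-launch events: (label, path, bytes of the binary).
EVENTS = [
    ("genuine", ACME_PATH, ACME_BINARY),
    ("tampered", ACME_PATH, b"constructed acme.exe with different bytes"),
    ("unknown", "C:\\Users\\bob\\Downloads\\invoice.exe", b"constructed unknown binary"),
]


def evaluate(default_deny: bool) -> dict:
    """Run every launch event through the engine and ringfence the trusted app."""
    engine = PolicyEngine(RULES, default_deny=default_deny)
    out = {}
    for label, path, data in EVENTS:
        verdict, rule = engine.decide_exec(path, sha256_hex(data))
        out[label] = verdict
        if label == "genuine":
            out["genuine->updates"] = engine.decide_ringfence(rule, "network", "updates.acme.example")
            out["genuine->unlisted"] = engine.decide_ringfence(rule, "network", "unlisted.example")
            out["genuine->userdocs"] = engine.decide_ringfence(rule, "file", "C:\\Users\\bob\\Documents\\")
    return out


if __name__ == "__main__":
    for mode in (True, False):
        print(f"default_deny={mode}")
        for key, verdict in evaluate(mode).items():
            print(f"  {key:20} {verdict}")
```

Under ‘deny by default’ the tampered and unknown binaries are blocked without anyone having classified them as bad; under ‘permit by default’ both run, which is the gap the answer describes. The ringfence shows the second half of the idea: the genuine application runs, but may only reach the hosts and paths its rule names.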
What is the future of network security and how do you foresee its evolution in the years ahead?
The concept of Zero Trust is the way forward in security. A lot of approaches call themselves Zero Trust as it’s a buzzword, but for any security strategy a real and structured Zero Trust approach is the future.
Security issues may only get worse with talks of recession, economic crisis and lack of money, but the main takeaway is for organisations to fortify themselves with stronger security and Zero Trust because the bad guy only needs to be lucky once to cause years of havoc.