hands using tablet on desk with floating padlock icon

How ThreatLocker Keeps Your Organisation’s Data Safe

More and more businesses are shifting to a full- or part-time home working. At the same time ransomware attacks, phishing attempts, data breaches, and dark web leaks are becoming more prevalent. That’s why it is more important than ever to have full visibility and control over what company data is being accessed, by who, and where from. 

ThreatLocker is a software solution that helps to prevent data breaches and unauthorised access to your data. It does this by operating a zero-trust environment.

What Is A Zero Trust Environment?

Traditionally, cybersecurity has taken the route of blocking known or suspected threats. This may involve having a blacklist (a regularly updated database of well-known ransomware and malware software) as well as detecting common early warning signs of potential malware. This is a good start, but it has the obvious downside that you can only protect against something that you know is a threat. If there is a new piece of ransomware, or a threat which does not act in a predictable way, your defences will not detect it or protect you from it.

Zero Trust environments invert this method of protection. Instead of having a blacklist of blocked applications, you have a whitelist of allowed applications. Everything is assumed to be a threat unless it is on a whitelist. This has the advantage of blocking all new pieces of ransomware by default. 

What Is An Application Whitelist?

Whitelisting can sound confusing or difficult, but in reality, it is very simple. The majority of office workers use the same software every day.

Let’s take someone in the accounts department, they probably use an accounting software like Sage, a web browser like Google Chrome, Office 365 applications like Outlook and Excel, VoIP telecoms programme like 3CX to speak to colleagues and clients, and perhaps they also have Spotify installed so they can listen to music while they work. Beyond these applications, it is unlikely that they will need to use any other applications except for on rare occasions (more on those later).

So, while the number of applications this employee uses is small (less than a dozen), the number they don’t use is theoretically infinite. Therefore, whitelisting trusted apps is a more logical solution than blacklisting suspicious apps. This is the ethos of a zero trust environment, namely “every app is a threat unless directly stated otherwise”.

Do I Have To Manually Whitelist Applications?
No, ThreatLocker has a learning mode specifically for this. When first installed on a machine, you can activate learning mode for a set period of time, perhaps a week, or even just a day (depending on how varied the user’s tasks are). At the end of the learning mode, you can see a list of all the applications accessed during that time frame and add them all to a whitelist (presuming you approve of each one as a legitimate use case).

This process accounts for the different applications used by different users and allows you to secure your data without enforcing a one-size-fits-all policy on all your employees. These whitelists can also be altered and updated as and when the user’s circumstances change, such as if they switched from using one piece of accounting software to another.

What Happens If A User Downloads Malicious Software?
All new pieces of software that are not already whitelisted are assumed to be threats and blocked automatically. When a new piece of software is blocked, the user will receive an alert letting them know. If the user intended to download the software and there is a legitimate use for it, they can request it to be unblocked. ThreatLocker will then alert your IT department or MSP of the request, where it can be reviewed. An application or extension can be unlocked permanently or for a set amount of time if it is only required for a single task.

Ringfence Applications So They Only Access What They Need
Another feature of ThreatLocker is the ability to ringfence an application. Without ringfencing, any application running on your machine potentially has access to all the data on that machine. While this can be useful in some situations, it also poses a risk for businesses as it means that one app becoming compromised can compromise the entire PC and all the data stored on it.

Ringfencing, as the name suggests, allows you fence off an application from accessing data that it doesn’t require. For example, your calendar app probably doesn’t need access to your video files. Ringfencing allows you to ensure that apps have access to everything they need, but not anything they want. This is similar to how permissions work on mobile devices. Something we suggest is to prevent any application from accessing the internet unless it is strictly required, as this make it harder for data on your device to be exfiltrated by an attacker.

This process of ringfencing also helps to prevent “Privilege Escalation Attacks” by preventing applications from accessing each other, except in predetermined and approved scenarios.

Protect Your Machines Today

Carden IT Services are experienced in configuring ThreatLocker for maximum security with minimum friction for your employees – making your environment safer without getting in the way of your work. If you’re interested in learning more, or are concerned about the security of your data, speak to our team today.

Author: Dave King

Dave King is the Co-Founder and Director of Carden IT Services and the wider Carden IT Group. Dave has over 18 years’ experience in business IT networks with a focus on IT consultation and disaster recovery planning/testing.