CHANNEL PARTNERS CONFERENCE & EXPO/MSP SUMMIT, LAS VEGAS — The most effective cybersecurity strategy is zero trust, focusing on control as opposed to only on entry points and threat detection.

That’s according to Danny Jenkins, ThreatLocker‘s CEO. His MSP Summit keynote on Monday focused on zero-trust applications with ThreatLocker.

“Controls are absolutes,” he said. “They’re things you can control. Dual-factor authentication is an absolute. If your user clicks on that phishing link, and the email or the web filtering lets it through, dual-factor authentication saves your backside. Whitelisting, ringfencing, these are controls. If you block all software that you don’t trust, you have control over this. That’s what’s going to save you when everything else fails.”

Last year, attacks on SolarWinds, Kaseya and Microsoft Exchange proved the increasing sophistication of organized crime gangs’ tactics, Jenkins said.

“When you think about how you need to defend yourself from today’s cyber threats, what are they?” he said. “They are businesses with quotas and organization, and planning and support who are trying to get into your company to steal your data to encrypt your files. And they’re not just trying to get into large companies. They’re trying to get into small businesses, dental offices, MSPs and car dealerships. They’re going after everybody with the same intent. And they’re going after different departments and different layers.”

Last year, there were over 21,000 critical vulnerabilities and exposures (CVEs) created for vulnerable pieces of software, Jenkins said.

A Better Approach

What organizations are doing to protect themselves is essentially the same as what’s been done over the last 20 years, Jenkins said.

“A better approach is rather than trying to block everything that’s bad, allow only what’s good,” he said. “Here’s a definition of zero trust that was pulled from the White House executive order, it’s probably the clearest definition I could find. A zero-trust security model eliminates implicit trust in any one element, node or service, essentially only giving the bare minimum required to do their job. Now we’re not just talking about people. We’re talking about services, applications and networks. Take away access where it’s not required. It means least privilege. For us, what that means is block any software that isn’t trusted. So just allow what you need … and block everything else. If somebody manages to get into your file, it cannot run.”

Achieving zero trust control used to be archaic and difficult, Jenkins said.

“Now you just deploy an agent,” he said. “You can do it through your remote monitoring and management (RMM). It will map your clients for you. It will learn everything that’s running on their machine and after about a week of learning it creates a list of policies. We jump on a call with you and review that list of policies and we simulate what would happen if you were locked down, which is surprisingly very little because people don’t generally open things they don’t need. If the applications update, we track them for you so it’s very simple.”

Extending Controls

ThreatLocker has extended its zero-trust control technologies from application control to ringfencing, storage, elevation and network controls, Jenkins said.

“Someone says to me security is about layers,” he said. “It’s like an onion; it’s sour, but it’s not really layers in the way we think. People often say layers in that I’ve got web security, email security and endpoint security. Well, they’re entry points, and if you put an antivirus on all three, it’s going to do the same thing on all three. That’s doing the same thing three times. If you think about security as angles, you put yourself in a better position. If I send malware or phishing email to everyone in this room, if you don’t open it, the threat’s gone, the problem’s gone away. However, you can’t control what your users do. You can hope and train them, and you can reduce your risk, but it’s not a guarantee.”

The next way is detection, Jenkins said.

“I’m not saying in any way you shouldn’t use detection because absolutely you should use detection,” he said. “You’ve got an antivirus, you’ve got extended detection and response (EDR), you’ve got threat hunting and a security operations center (SOC). All of these are looking for potential bad behavior based on profiles or …. whatever buzzword you want to call it today. Again, you have no control over this. Go off and buy a good EDR and hope it does the best, but you don’t have any real control whether it allows today’s malware or not.”