March 7, 2023
Product

Allowlisting for MSPs


ThreatLocker has a few features intended to help make the life of an MSP easier.  

Global Groups and Applications 

  1. The primary idea here is that you can take your MSP tools and add them to the Global Groups. If an application is meant only for servers, you would add it to the Global-Servers group. If an application is meant for all devices that you interact with as an MSP, you would add it to the Global group.  
  2. An example of an application that would be allowed via the Global group would be your EDR or RMM Agent.  
  3. If your MSP caters to a particular vertical, and you find that you need to make similar rules for the same application profile constantly, you can move that application to your parent organization. From there, you can associate a policy at the Global group level so that any changes that you make can then be pushed out through a single rule and update, as opposed to going to each client to make the change.  
  4. If your MSP caters to multiple verticals, you can still have an application at the parent level, then have organization-level policies as needed. Updating the parent-level application will still push it out to the client organizations that need it.

Auditing Per Client

  1. If you recently deployed a client, focus on that client and monitor its deny count. As the count becomes more manageable, you can begin auditing all of your clients together to streamline your process.

Utilizing AND logic 

  1. When you are creating rules based on new file interactions, you are able to enhance the application profile with rules. If you manually choose the options for the rules, pick two or more items from the list of 3-4 items. This creates AND logic: unless every selected item matches, the rule will not allow the file to run. This logic also makes the rule more secure in areas where you need to be broader than you would like or than is recommended.  
  2. It is worth noting that this also “future-proofs” the application. By basing the rules on File Path or Signatures, you allow room for the files to update. In a fair number of cases, vendors keep their file certificates valid for years. In the long run, this means even some of those third-party applications that you are concerned about can be kept up to date with minimal input from you, the MSP.  
  3. You can see Learning Mode utilizing AND logic as well. You are simply taking the same principles and applying them to applications as you encounter them.
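
The AND logic and update behaviour described above, as an added example (not ThreatLocker's code or rule format): a hypothetical `Rule` model whose selected conditions must all match, compared against single-condition rules. The class names, condition fields, paths, signer name and events are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from fnmatch import fnmatchcase
from typing import Optional

@dataclass(frozen=True)
class FileEvent:              # one execution attempt (constructed model)
    path: str
    signer: Optional[str]     # certificate subject, None when unsigned
    sha256: str

@dataclass(frozen=True)
class Rule:                   # hypothetical rule: every selected condition is ANDed
    path_glob: Optional[str] = None
    signer: Optional[str] = None
    sha256: Optional[str] = None

    def matches(self, ev: FileEvent) -> bool:
        checks = []
        if self.path_glob is not None:
            checks.append(fnmatchcase(ev.path.lower(), self.path_glob.lower()))
        if self.signer is not None:
            checks.append(ev.signer == self.signer)
        if self.sha256 is not None:
            checks.append(ev.sha256 == self.sha256)
        return bool(checks) and all(checks)   # no conditions selected: fail closed

VENDOR = "Example RMM Vendor, Inc."           # constructed signer name
AGENT_DIR = r"C:\Program Files\ExampleRMM"    # constructed install path

EVENTS = {                                    # constructed sample events
    "installed_v1": FileEvent(AGENT_DIR + r"\agent.exe", VENDOR, "a" * 64),
    "vendor_update": FileEvent(AGENT_DIR + r"\agent.exe", VENDOR, "b" * 64),
    "unsigned_in_dir": FileEvent(AGENT_DIR + r"\helper.exe", None, "c" * 64),
    "signed_elsewhere": FileEvent(r"C:\Users\Public\agent.exe", VENDOR, "d" * 64),
}
RULES = {
    "path AND signer": Rule(path_glob=AGENT_DIR + r"\*.exe", signer=VENDOR),
    "path only": Rule(path_glob=AGENT_DIR + r"\*.exe"),
    "hash only": Rule(sha256="a" * 64),
}

def decision_table():
    """Return {rule name: {event name: allowed?}} for every rule/event pair."""
    return {rn: {en: r.matches(ev) for en, ev in EVENTS.items()}
            for rn, r in RULES.items()}

if __name__ == "__main__":
    for rule_name, row in decision_table().items():
        print(f"{rule_name:16}", row)
```

The combined rule keeps allowing the vendor's update while the hash-only rule stops matching it, and it rejects the two events that satisfy only one of its conditions.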

Understanding the Unified Audit

  1. Quite often, the audit is viewed as a checklist that, once addressed, clears an entry. That is not how the unified audit works. It simply reports on what items executed on the endpoints. As you review the audit and write rules, the next time you review the audit, you should no longer see those entries. Auditing on a regular basis means that you are working through items as they are encountered.

Understanding and utilizing the AI Learning mode

  1. Learning Mode is a key tool to help you ensure that client applications are picked up and allowed. It is important to understand that during the initial learning phase, ThreatLocker is generating both Application Definitions and Control Policies that allow the found programs to run. Pairing Learning with ThreatLocker’s Built-In applications covers a majority of use cases and scenarios.
  2. After securing a device, you can still set a device to a time-limited learning mode at any point in the future to accommodate your client's needs. Because the change is temporary, the device will revert to secure on its own, which ultimately means less time your technicians spend reviewing this information.

Initial Onboarding

  1. While you are onboarding your first few clients, your Solutions Engineer will be available to help guide you through the necessary steps to get these machines into a Secured state.
  2. Once Secured, your focus shifts from reviewing the audit often to managing and processing requests as needed.

Cyber Hero Management

  1. While onboarding a new client, their devices are learning and can be quite noisy. Once you have started securing devices, you can enlist the help of ThreatLocker’s Cyber Hero Team. You can write rules as to what can be allowed, and then that’s what the Cyber Hero Team will take action on. This eases the load and can be turned on or adjusted as needed.

Handling and Processing Requests

  1. Be it through the Cyber Hero Team Management or your own technicians, it is important to note that you can be notified of requests in a variety of ways:
     1. Integrated PSA Ticketing System
        1. Utilize your ticketing system to receive notice. Please note that you will still need to log in to ThreatLocker to action a request.
     2. General Email Alert
        1. Just as the name implies, receive your alerts via email.
        2. Sometimes, this methodology is utilized where PSAs are not officially supported by a ThreatLocker Integration. Simply set up an admin to receive the email alerts, and have your PSA scrape the email to generate the tickets.
     3. Mobile Phone Application
        1. Supported on both Android and iOS
        2. Receive push notifications on your mobile when Requests are generated within the system
        3. Allows you to process requests on the go.

Organizations

  1. ThreatLocker’s use of organizations means that you can be multi-tenant, and manage each of your clients' needs separately. Assuming that you are utilizing your deployment method through your RMM, this hierarchy is generated automatically for you.
  2. You can also view all of your child organizations from the parent level. So, you are still able to centrally manage all clients as needed, while retaining the ability to just review an individual client as needed.

Additional Controls

  1. ThreatLocker’s other components lend themselves to Allowlisting:
     1. Elevation Controls
        1. Cuts down on time spent dealing with Admin requests
        2. Reduces account footprints by restricting their access and only granting admin rights where needed.
        3. Skips UAC prompts
        4. Removes the need for techs to enter complex passwords constantly
        5. Removes the need for making users Admins at all, even in a temporary capacity
     2. Storage Controls
        1. Restrict access on any drive location, be it internal, external, or mapped network shares.
        2. Tighten access on External drives, including being able to block, have the users request access, and even control what applications can interact with those drives
     3. Network Access Control
        1. Allows for Network segmentation, even for clients that cannot afford a physical firewall
        2. Controls Network access to resources
     4. Third Wall
        1. Lock down areas of the Windows OS to restrict user access even further
        2. Allows for the devices to be isolated or remotely wiped in case of emergency

Overall, ThreatLocker is geared towards MSPs, providing a toolset that makes handling Application Allowlisting a breeze. Additionally, ThreatLocker really takes the white glove service to the next level.  

  1. Your Sales Representative is available to answer any non-technical questions that you may have. Need some marketing materials? Or need to adjust your license limit? Your representative is available to assist you.  
  2. Have a technical question that you want to explore or expand your understanding on? Your Solutions Engineer is available for an hour-long consultation to train or educate you on the topic at hand.  
  3. Have an immediate need? The Cyber Hero Team is available via chat right from the ThreatLocker Dashboard. Most chats can quickly turn into a Zoom call where you are speaking and screen sharing with our technical assets within a few minutes.  
  4. ThreatLocker also accommodates user-based learning. ThreatLocker University is an on-demand training center with articles and bite-sized videos to remind you how to perform daily functions within the platform.  
  5. The Cyber Hero Team also hosts a regular Boot Camp, where you can receive live remote training and ask questions directly.  

With ThreatLocker’s Allowlisting, MSPs are taking proactive steps to prevent major malware and ransomware attacks. Rest easier at night knowing that the only things that have changed in a given environment are just the items that you would expect. Do not be met with surprises. Allow applications to update as needed, as well as allowing the creation of new software while maintaining security. ThreatLocker allows you to be more proactive, as opposed to being reactive or having a plan in place for the nightmare scenarios. ThreatLocker just makes the approach to security easier.  
