Imagine you are tasked with separating all software in existence into two lists:
- The first list being software that you want or need to run in your environment.
- The second list being all the software you do not want in your environment.
The first list may have:
- Email clients
- Web browsers
- Spreadsheet apps
- Other productivity applications necessary for your business operations
The second list would have:
- Malware
- Viruses
- Worms
- Keyloggers
- Rootkits
- Ransomware
- Video games
- Social media
So, how can you protect your environment from the ever-increasing amount of software on the second list?
Implementing Application Allowlisting
The second list would be immeasurably larger than the first, which is why it is more efficient to implement application allowlisting to allow only the software you need and block all other software by default. See below:
Your problem: You need to block every potential threat, which is not an easy task when cybercriminals are using AI to develop new malware and attack campaigns every day.
The solution: You need to adopt Zero Trust into your environment to allow only approved software, like your first list, and stop everything else from running.
How ThreatLocker® helps:
- ThreatLocker® learns what is needed in your environment and creates an allowlist of applications.
- ThreatLocker® then blocks all software not on your allowlist, including viruses, trojans, ransomware, and other malware.
- ThreatLocker® ensures proactive security against evolving threats, protecting you from unknown threats like new malware and zero-days.
Application allowlisting is a more efficient approach than building a predetermined blocklist, which any malware not yet documented on that list can bypass.
Learning Mode — where it all starts
Most IT professionals lack confidence in their application control tool’s ability to identify all the trusted software that should be allowed to run.
Your problem: You are looking for a product that you can trust to identify which applications are trusted for your allowlist.
How ThreatLocker® helps:
- Upon deployment, ThreatLocker enters a Learning Mode and baselines your machine(s).
- ThreatLocker categorizes all software in your environment, including over 7,000 built-in application definitions.
- Built-in application definitions are updated by ThreatLocker as new updates come out to ensure a seamless experience for the end user.
- Learning Mode figures out what applications are in your environment, including the custom applications, and adds them to the allowlist.
- After Learning Mode is complete, your complimentary Solutions Engineer will help you adjust your allowlist to fit your organization’s needs.
The Learning Mode timeframe defaults to a week but can be adjusted as needed. It is recommended that you run the first few machines for the full week.
Subsequent machines you add to your environment can be secured right away, as long as they require the same rules and policies.
How ThreatLocker® identifies applications
In ThreatLocker, an application is defined as a collection of files that ThreatLocker associates with that application.
ThreatLocker can identify the files by:
- Certificate
- Path
- Process
- Hash (the preferred method)
- Created by process
Applications in your environment can then have policies assigned to them. These policies determine whether the application is allowed to run. If it is allowed to run, policies can also limit the application’s behavior and automatically elevate it if requested.
Additionally, more application control policies can be implemented with ThreatLocker Ringfencing™ and Elevation Control.
Ringfencing™ controls what applications are allowed to do once they are granted permission to run in your environment, preventing threats like zero-days and living off the land (LotL) attacks.
Elevation Control removes the local admin rights from users and gives them to an application temporarily. This streamlines the implementation of software updates without compromising security.
Those policies can then be applied to specific computers, groups, or your entire organization.
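To make the identification methods above concrete, here is an added illustration of a default-deny file check that tries the file-based rules in a fixed order: hash first (the preferred method), then signing certificate, then path. It is example code written for this page, not ThreatLocker’s own implementation; the allowlist values, the publisher name and the ExampleApp folder are constructed placeholders, and the process-based methods are left out because they depend on the launching process rather than on the file alone.

```powershell
# Added example, not ThreatLocker code. Allowlist entries below are constructed placeholders.
$AllowedHashes  = @('0000000000000000000000000000000000000000000000000000000000000000')  # placeholder SHA-256
$AllowedSigners = @('CN=Example Software Publisher')                                     # placeholder subject
$AllowedPaths   = @("$env:ProgramFiles\ExampleApp\")                                      # placeholder folder

function Test-AllowlistedFile {
    param([Parameter(Mandatory)][string]$Path)

    if (-not (Test-Path -LiteralPath $Path)) {
        return [pscustomobject]@{ Path = $Path; Allowed = $false; Reason = 'file not found' }
    }

    # 1. Hash: preferred, because any change to the binary produces a different hash.
    $hash = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
    if ($AllowedHashes -contains $hash) {
        return [pscustomobject]@{ Path = $Path; Allowed = $true; Reason = "hash $hash" }
    }

    # 2. Certificate: trusts a publisher rather than one build, but only if the signature is valid.
    $sig = Get-AuthenticodeSignature -LiteralPath $Path
    if ($sig.Status -eq 'Valid' -and ($AllowedSigners -contains $sig.SignerCertificate.Subject)) {
        return [pscustomobject]@{ Path = $Path; Allowed = $true; Reason = "signer $($sig.SignerCertificate.Subject)" }
    }

    # 3. Path: weakest, since any file placed in an allowed folder would match.
    $full = (Resolve-Path -LiteralPath $Path).ProviderPath
    foreach ($allowed in $AllowedPaths) {
        if ($full.StartsWith($allowed, [System.StringComparison]::OrdinalIgnoreCase)) {
            return [pscustomobject]@{ Path = $Path; Allowed = $true; Reason = "path $allowed" }
        }
    }

    # Default deny: nothing matched, so the file would be blocked and the user could raise a request.
    return [pscustomobject]@{ Path = $Path; Allowed = $false; Reason = 'no matching rule (default deny)' }
}

# Usage: evaluate every executable under the placeholder folder and show which rule (if any) allowed it.
Get-ChildItem -LiteralPath "$env:ProgramFiles\ExampleApp" -Filter *.exe -Recurse -ErrorAction SilentlyContinue |
    ForEach-Object { Test-AllowlistedFile -Path $_.FullName } |
    Format-Table -AutoSize
```

Running the same check twice, before and after replacing a binary in an allowed folder, shows why the page calls hash the preferred method: the path rule still matches, while the hash rule no longer does.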
Ringfencing™ allowed applications from everything else
PowerShell can do countless useful things, but it can also be weaponized to harm your environment. A strong example of this is a reverse shell, where attackers gain control over a victim’s computer and can operate it from anywhere in the world.
Your problem: Although you have established certain applications as trusted, they can still be weaponized.
The solution: You need to adopt a strategy that prevents your trusted applications from being used for malicious activity.
How ThreatLocker® Ringfencing™ helps:
ThreatLocker Ringfencing™ gives you the ability to place controls over applications on your allowlist to permit them to only function and interact with the environment as you need them to.
With Ringfencing™ you can control how applications interact with (if at all):
- The internet
- Other applications
- The registry
- Local files
ThreatLocker Ringfencing™ is a second layer of defense over Application Allowlisting that solves the problem of weaponized trusted applications and software.
ThreatLocker built-in applications also often come with suggested Ringfencing™ policies.
Remove local admin privileges with Elevation Control
End users occasionally require local administrator privileges to install new applications.
Your problem:
- Granting users local admin privileges can have unintended consequences.
- Having IT individually manage admin privileges can be time-consuming and widens your attack surface.
The solution: You need a strategy to temporarily elevate the privileges of individual applications either for download or update, without granting these permissions to the end user.
How ThreatLocker® helps:
- ThreatLocker Elevation Control allows specified applications to run with administrative privileges without needing IT to enter their credentials.
- Elevation Control policies can also be set to expire after a predetermined time, ensuring successful installation but not continued administrative access. Administrative privileges can be granted to a user temporarily as well, such as just for installing the application.
How ThreatLocker® streamlines application requests and approvals
If a blocked application is needed for legitimate business use, a request can be submitted by the user and approved within minutes by your IT team:
- Once an application is blocked, the user attempting to run it will receive a message alerting them that it was blocked by ThreatLocker but can request access to it.
- Clicking on the pop-up will open a form that will send an alert to your team requesting access.
- Your IT admin can review the application, run it in the ThreatLocker Testing Environment (a feature included in Application Control), and check whether VirusTotal flags anything before deciding if it is trusted.
- If the application is approved, your team can then allow access to just one computer, a group of computers, or the entire organization.
ThreatLocker Application Control is an important component of a Zero Trust environment secured by ThreatLocker, but it alone is not enough. To create the most secure Zero Trust environment, you should explore all the options ThreatLocker offers, such as Network Control and Configuration Manager.
To learn more about how ThreatLocker can harden your security posture, book a demo today!