The Gately Report: AI Increasing Need for Zero Trust, ThreatLocker
Plus, CryptoChameleon is targeting cryptocurrency platforms and the FCC.
![Zero trust and ThreatLocker Zero trust and ThreatLocker](https://eu-images.contentstack.com/v3/assets/blt10e444bce2d36aa8/bltf0341de5ea221800/6523eb464defcb5f392f8c24/4-Zero-Trust.jpg?width=700&auto=webp&quality=80&disable=upscale)
Olivier Le Moal/Shutterstock
Channel Futures: You told attendees you hope they left Zero Trust World smarter and able to take immediate action to stop threats. Is there any way to gauge their progress? Have you seen progress after previous Zero Trust Worlds?
Danny Jenkins: There are two ways to do that. So we see existing customer progress. And then we also get feedback. So when we look at existing customers, we immediately see an increase in people deploying and securing more seats, putting more sensible policies in place and doing things. But we also survey, we ask customers what they're doing, and what we found from the last Zero Trust World is so many people took many of the tips home and they executed on those tips immediately. It's nice. Sometimes I get on a call and I say, "Oh, you guys are doing that. What made you do that?" And they say, "You told us to last year." It's cool when you see those things, like some small tips that make a big difference to security.
CF: It sounded like attendees could take immediate actions that aren’t necessarily difficult or challenging.
DJ: You have to do things. The reality is if you want to make yourself the most secure organization in the world, that's not one thing. There's a series of culture and changes that take time. If I said to you, "Hey, your house needs painting," and you said, "Oh, I want to paint my house," and you've got a 3,000-square-foot house. If you don't paint every room, your house isn't done now. And you say, "Well, I can't paint the whole house this weekend, so I'm not going to paint it at all." That's not the answer either. You go in, you take one small step, you say, "I'm going to spend two hours; I'm going to paint this wall in this room. I'm going to paint this small room," and then you spend a bit of time in a few weeks' time, eventually progression happens.
And it's the same with security. You just take small steps and progression happens. The steps that I think you should take first, like Allowlisting, our first ever flagship product … is the most important thing you can be turning on in your environment. If you do those steps, you'll win. Eventually you get there. Eventually your house will be painted and it doesn't have to be a full-time job. "I'm going to take a bit of time here, I'm going to do this, I'm going to take a bit of time here, etc." And our job is to give you tools to make your life easier.
CF: What have you learned from attendees at Zero Trust World? And where are they on their zero-trust journey? Are you seeing progress there?
DJ: It ranges. Some companies here are at the very beginning and others are very advanced. They're monitoring everything. They've got good controls in place and they know what they're doing. The nice thing about this is everyone can go further. Some people have gone really far already, and some people are just at the beginning of their journey and they progress. That's the main thing.
CF: Is zero trust a more well-known, mainstream concept now? Are you seeing more acceptance and less resistance?
DJ: I think zero trust is a well-known phrase now. I think it's misquoted and misinterpreted in many cases. We're seeing less resistance. We're seeing more understanding, but there's still a lot of people that don't know what it is. They know that it's something to do with blocking stuff or something to do with hardening your environment. It is a mindset about restricting privileges.
Zero trust network access (ZTNA) is the ability to grant network access at the least privilege, only what you need. We offer zero-trust endpoint (ZTEP), and that's about stopping untrusted software, limiting and ringfencing applications. There's zero trust identity. There are all different types, but it means one thing: least privilege. It's hard in the IT world where marketing people often write billboards, and not IT people or security people, because when you go to RSA, you'll see the words zero trust thrown everywhere and it's not even a zero-trust product. So I think people are more familiar with the name and they understand that it's important. I think it's hard for IT professionals to actually break it down and understand, "What do I need to do to actually implement the zero trust framework?" Because every booth says zero trust on it at RSA, even if it's not.
CF: ThreatLocker recently announced it has expanded its endpoint security services and data infrastructure to Australia. How did that expand ThreatLocker’s footprint? Are you targeting other regions for expansion?
DJ: So Australia is ThreatLocker’s second-biggest market, and unlike Europe, Australia would have been more willing to deploy using American data centers. However, given the size of our customer base and Australia being our second-biggest market, we thought it was important to expand and put infrastructure there. So we got data centers there deployed, built, and everything's working very smoothly there. We also have infrastructure in Dublin for Ireland and for Europe. We have infrastructure in multiple places in the United States, and Canada is new as well; that hasn't been [formally] announced. We expect to keep expanding our footprint. We have plans to put data centers in Saudi Arabia. We have plans to put data centers in Turkey and various other places in Europe as well.
CF: What sort of growth is ThreatLocker experiencing and what role are MSPs playing in this growth?
DJ: The first thing is we're doubling year over year growth in customers and revenue, employment count and everything. But what's important about that, what's not doubling, is our response time. It's actually lowering. So our growth is huge. But our ability to deliver is continuously improving. MSPs are a vital part of that market. MSPs actually represent the majority of companies that use ThreatLocker. If we split revenue, it's slightly different. But if we think about the end companies that are using it, the majority are found through MSPs.
CF: You mentioned real zero trust versus not zero trust. Who is your competition in zero trust and how are you staying ahead of them?
DJ: When you think about ZTEP (zero trust endpoint protection), the competition is really very limited. In the MSP space, it doesn't exist. Where it exists in the enterprise space is normally Carbon Black and maybe Airlock Digital, but these aren't comparable products. The effort to deploy and manage, the product research that we do, the ringfencing we do, the understanding of how applications work, the tracked application updates, we're five years ahead, assuming you can work at the same sense of urgency as ThreatLocker does.
CF: What do you find most surprising and dangerous about the current threat landscape?
DJ: I think what's most dangerous about the current landscape are the vulnerabilities in existing applications. We're constantly seeing all of these vulnerabilities. And I don't know if surprising is the word, but definitely dangerous because more and more companies are putting more and more tools on their computers, more and more software, and more and more vulnerabilities. And it terrifies me. Every time I look at my phone, I go through and delete a load of apps because I'm scared. More apps, more data, more vulnerabilities, more holes in the system.
CF: Looking ahead, what can MSPs and others expect from ThreatLocker the rest of 2024?
DJ: I think enhancements to our product, continuous enhancements to always make it better, and continuation of our top-level support. And the other area where we're probably going to promote is dealing with more Office 365 and protections around there.
In other cybersecurity news …
Lookout has discovered an advanced phishing kit, CryptoChameleon, which targets users of cryptocurrency platforms, as well as the Federal Communications Commission (FCC), via mobile devices.
The intended targets, mostly users of cryptocurrency and single sign-on (SSO) services in the United States, also include Binance and Coinbase employees. Using the CryptoChameleon phishing kit, attackers combine text messages with voice calls in which a live operator personally contacts the victim to build trust and walk them through the steps of the attack. This has produced a high success rate and high-quality stolen data, including usernames, passwords, password reset URLs and even photo IDs.
This new phishing kit emulates techniques that have been used by the Scattered Spider cybercriminal group. Operators behind the kit have successfully duplicated pages for solutions like Okta, Outlook and Google. That means it could be used to target any organization that uses these solutions as their SSO provider.
Based on conversations that the Lookout security research team had with several victims, CryptoChameleon uses phone numbers and websites that appear legitimate and reflect a real company’s support team. While CryptoChameleon follows similar tactics, there are enough differences to show this likely isn’t Scattered Spider operating the kit; it could be a different criminal group or several individual actors.
“We’re seeing a trend of financially motivated threat actors – who typically target cryptocurrency and direct financial fraud – move into breaching enterprise and government organizations for ransom,” said David Richardson, Lookout’s vice president of endpoint and threat intelligence. “We urge cryptocurrency and SSO users and organizations to take steps to protect their devices, work and personal data.”
John Gallagher, vice president of Viakoo Labs at Viakoo, said as cryptocurrencies increase in value, so will threat actors' efforts in breaching accounts.
![Viakoo's John Gallagher Viakoo's John Gallagher](https://eu-images.contentstack.com/v3/assets/blt10e444bce2d36aa8/blt457c6977e738ed8f/6537d446fc31840e186d0efd/Gallagher-John_Viakoo.jpg?width=700&auto=webp&quality=80&disable=upscale)
Viakoo's John Gallagher
“What is novel about CryptoChameleon is the detailed focus on what steps a victim will take, and using manual (human) operators to assist in fooling the victim,” he said. “A key question is why the stealing of credentials from FCC users in addition to cryptocurrency users? It is potentially a form of advertising by the threat actor they can be hired to help breach federal agencies, and suggests that while this could be brushed off as just related to crypto, it may be the tip of an iceberg aimed at breaching organizations and not just financial accounts.”
After several years of deliberation, the National Institute of Standards and Technology (NIST) has released its Cybersecurity Framework (CSF) 2.0.
NIST released its first CSF in 2014, at the direction of a presidential executive order, to help organizations, specifically critical infrastructure, mitigate cybersecurity risk.
CSF 2.0 now explicitly aims to help all organizations, not just those in critical infrastructure, its original target audience, manage and reduce risk. It includes core guidance and a suite of resources to help all organizations achieve their cybersecurity goals, with added emphasis on governance as well as supply chains.
Richard Aviles, senior solution architect at DoControl, said the addition of govern as a basic function of the CSF addresses a “big piece that was previously missing.”
“This function connects both the business/organizational aspect to cybersecurity, for relevance and prioritization, as well as the people and policy dimensions,” he said. “The need for well-informed and correctly communicated policies is well understood, so its addition to the NIST 2.0 CSF helps create a more complete structure around which organizations can build.”
Another important component of the new govern function is the focus on supply chain risk management, Aviles said. On first read, the guidance related to supply chain “appears well thought out and comprehensive if not complete.”
Ken Dunham, cyber threat director at Qualys’ Threat Research Unit, said CSF is considered by many to be the “grandfather of frameworks” defining what must exist in a cybersecurity program. Significant technology changes have occurred since the inception of the framework, in addition to a need for improvements in clarity, alignment and implementation towards consistent use.
“Version 2.0 includes improvements including, but not limited to, removing language specific to infrastructure across the core, prevention of incidents, supply chain risk and governance, resiliency, and leveraging the combination of people, process and technology,” he said. “CSF is, and will continue to be, a strong foundation upon which any solid cybersecurity program may be built towards NIST 800-53 and other frameworks as organizations seek to become framework driven to iteratively reduce risk.”
Claude Mandy, chief evangelist of data security at Symmetry Systems, said it’s great to see the update to the CSF formally released.
![Symmetry Systems' Claude Mandy Symmetry Systems' Claude Mandy](https://eu-images.contentstack.com/v3/assets/blt10e444bce2d36aa8/bltd793406bf4f79ff8/65cd1a0345f7ed040a14216c/Mandy_Claude_Symmetry_Systems_2024.jpg?width=700&auto=webp&quality=80&disable=upscale)
Symmetry Systems' Claude Mandy
“It is important that standards and frameworks that are so widely adopted are continually and frequently updated to address the security needs of modern organizations,” he said. “The inclusion of the govern function is recognition that mature and defensible security is only possible with clear governance to make decisions on what is required. Although this was implicit in the broader NIST CSF, the explicit inclusion as a function elevates the importance of it.”
Cybercriminals using artificial intelligence (AI) are accelerating the need for zero-trust security, providing more opportunities for ThreatLocker and its partners.
That’s according to Danny Jenkins, co-founder and CEO of ThreatLocker. We caught up with him during last week’s Zero Trust World.
AI is a big buzzword right now because of ChatGPT, but AI itself, of course, isn't anything new, he said. ThreatLocker uses advanced algorithms to learn from data how to permit and understand software.
“We've done that forever, and that allows us to onboard more smoothly,” Jenkins said.
AI-Enabled Attacks Not An Issue with Zero Trust
Because ThreatLocker blocks by default, cybercriminals using AI in attacks aren’t an issue, Jenkins said: a default-deny control does not have to recognize malicious code in order to stop it.
![ThreatLocker's Danny Jenkins ThreatLocker's Danny Jenkins](https://eu-images.contentstack.com/v3/assets/blt10e444bce2d36aa8/bltc0e55c3cd0afe56d/6525d0903817f60df080131b/Jenkins-Danny_ThreatLocker.jpg?width=700&auto=webp&quality=80&disable=upscale)
ThreatLocker's Danny Jenkins
“Yes, we use AI sometimes to help understand a product better or what it does ... ” he said. “But the core principle of ThreatLocker Protect is to default-deny. And the nice thing about that is it doesn't matter if you recompile it 15 times with AI, we're going to block it every single time. ThreatLocker blocks all the time because we're using zero trust, which is basically rock, paper, scissors in one.”
ThreatLocker does respond to threats for Ops, its policy-based endpoint detection and response (EDR) solution that watches for unusual events or indicators of compromise (IoCs), sends alerts and takes automated actions if an anomaly is detected, Jenkins said.
“We don't need to respond to every threat because very rarely it's not being blocked,” he said. “We respond from a validation point of view because we validate and test everything, but when you block by default, the chances are the new threat is going to be blocked. So what we do is whenever there's a new threat, we have our Ops team respond to that. We check it, we validate, we send a notice out to our customers saying you're covered. And I think because we operate on a zero-trust basis, we don't have to block; we don't have to update a new definition every minute.”
While competitors worry about defending against AI-enabled attacks, it’s not an issue for ThreatLocker, Jenkins said.
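The default-deny argument above (an unknown binary stays blocked no matter how many times it is recompiled, while a signature-based blocklist has to recognize each new build) can be shown in a few lines. The following is an added illustration, not ThreatLocker's code: the sample "binaries", the learned baseline, and the ringfence actions are all constructed inline to mirror the allowlisting and ringfencing described in the interview.

```python
"""Default-deny allowlisting with ringfencing versus signature blocklisting.

Added example, not ThreatLocker code. Every "binary" below is a constructed
byte string standing in for an executable; nothing is read from disk.
"""
from __future__ import annotations

import hashlib
from dataclasses import dataclass, field


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed samples. The accounting tool is what the organisation actually
# runs; the dropper is unknown software, and the second build is the "same"
# dropper after a recompile (same purpose, different bytes, different hash).
ACCOUNTING_TOOL = b"MZ\x90\x00 accounting-tool v1.0 built 2024-01-01"
DROPPER_BUILD_1 = b"MZ\x90\x00 dropper c2=198.51.100.7 key=0xDEADBEEF"
DROPPER_BUILD_2 = b"MZ\x90\x00 \x00\x00dropper key=0xDEADBEEF c2=198.51.100.7\x00"


@dataclass
class AllowlistPolicy:
    """Default deny: a hash must be approved, and then only for listed actions."""

    approved: dict[str, set[str]] = field(default_factory=dict)

    def learn(self, baseline: dict[str, bytes], actions: set[str]) -> None:
        """Learning mode: approve everything observed during a trusted baseline
        window, with the ringfence (permitted actions) chosen for that window."""
        for binary in baseline.values():
            self.approved[sha256_hex(binary)] = set(actions)

    def decide(self, binary: bytes, action: str = "execute") -> tuple[str, str]:
        digest = sha256_hex(binary)
        if digest not in self.approved:
            return "deny", "hash not on allowlist (default deny)"
        if action not in self.approved[digest]:
            return "deny", f"ringfenced: '{action}' not permitted for this app"
        return "allow", "approved hash and permitted action"


@dataclass
class BlocklistPolicy:
    """Detection model: run anything unless its hash is already known bad."""

    known_bad: set[str] = field(default_factory=set)

    def decide(self, binary: bytes) -> tuple[str, str]:
        if sha256_hex(binary) in self.known_bad:
            return "deny", "matched known-bad signature"
        return "allow", "no signature matched"


def demo() -> dict[str, str]:
    """Run both policies over the constructed samples and return the verdicts."""
    allowlist = AllowlistPolicy()
    # Baseline observed only the accounting tool; it may run and spawn
    # child processes but is ringfenced away from the network.
    allowlist.learn({"accounting": ACCOUNTING_TOOL}, actions={"execute", "spawn"})

    # The blocklist was written after build 1 of the dropper was analysed.
    blocklist = BlocklistPolicy(known_bad={sha256_hex(DROPPER_BUILD_1)})

    return {
        "allowlist_tool_execute": allowlist.decide(ACCOUNTING_TOOL, "execute")[0],
        "allowlist_tool_network": allowlist.decide(ACCOUNTING_TOOL, "network")[0],
        "allowlist_dropper_build1": allowlist.decide(DROPPER_BUILD_1)[0],
        "allowlist_dropper_build2": allowlist.decide(DROPPER_BUILD_2)[0],
        "blocklist_dropper_build1": blocklist.decide(DROPPER_BUILD_1)[0],
        "blocklist_dropper_build2": blocklist.decide(DROPPER_BUILD_2)[0],
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:28s} {verdict}")
```

The recompiled dropper (build 2) slips past the blocklist because its hash was never seen, but is denied by the allowlist for the same reason it was denied the first time: it was never approved. The ringfence line shows the second half of the model, where even an approved application is stopped from doing something outside its declared policy. In practice a learning window must be kept short and reviewed, since anything already running during the baseline is approved along with the legitimate software.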