1 00:00:01,280 --> 00:00:04,609 S1: Welcome to Unsupervised Learning, a security, AI and meaning focused 2 00:00:04,610 --> 00:00:07,490 S1: podcast that looks at how best to thrive as humans 3 00:00:07,490 --> 00:00:11,719 S1: in a post AI world. It combines original ideas, analysis, 4 00:00:11,720 --> 00:00:14,930 S1: and mental models to bring not just the news, but 5 00:00:14,930 --> 00:00:18,440 S1: why it matters and how to respond. All right, Rob, 6 00:00:18,440 --> 00:00:20,150 S1: welcome to Unsupervised Learning. 7 00:00:21,020 --> 00:00:22,430 S2: Hi, Daniel. Thank you for having me. 8 00:00:23,600 --> 00:00:26,210 S1: Excellent. So can we get you to give a brief 9 00:00:26,210 --> 00:00:29,990 S1: intro into yourself and talk about Threatlocker and what you 10 00:00:29,990 --> 00:00:30,980 S1: guys do over there? 11 00:00:31,400 --> 00:00:35,510 S2: Sure. So I'm Rob Allen. I am chief product officer 12 00:00:35,510 --> 00:00:38,720 S2: here at Threatlocker. As you can probably tell from my 13 00:00:39,530 --> 00:00:43,580 S2: Midwest accent, I'm. No, I'm not from the Midwest. I'm 14 00:00:43,580 --> 00:00:47,059 S2: from Ireland. And I've worked at Lockhart for about almost 15 00:00:47,060 --> 00:00:51,620 S2: four years now. And Threatlocker are a zero. Zero trust 16 00:00:51,620 --> 00:00:57,350 S2: cybersecurity solution. So a endpoint protection platform effectively. And we 17 00:00:57,350 --> 00:01:01,830 S2: take a slightly different approach to cybersecurity, to most other tools, 18 00:01:01,980 --> 00:01:08,399 S2: and fundamentally, where other things allow everything except what's known 19 00:01:08,400 --> 00:01:12,179 S2: to be bad. We take the approach of block everything 20 00:01:12,209 --> 00:01:15,870 S2: unless it's explicitly allowed, and a few different ways we 21 00:01:15,870 --> 00:01:18,300 S2: do that, a few different aspects to it. 
But fundamentally 22 00:01:18,300 --> 00:01:21,149 S2: it's a design by default, permit by exception approach, which 23 00:01:21,150 --> 00:01:23,850 S2: is pretty much a cornerstone of zero trust. 24 00:01:25,140 --> 00:01:28,230 S1: Mhm. Interesting. Yeah. That's one of my next questions is 25 00:01:28,230 --> 00:01:31,650 S1: basically what is what is it that you're doing different. 26 00:01:31,650 --> 00:01:35,610 S1: So that that's fascinating. Um and the reason most people 27 00:01:35,610 --> 00:01:39,030 S1: can't do that, especially back in the firewall days or whatever, 28 00:01:39,060 --> 00:01:42,030 S1: there was just too many things to have to poke 29 00:01:42,030 --> 00:01:45,600 S1: holes through. So I imagine you've found some pretty interesting 30 00:01:45,600 --> 00:01:48,900 S1: ways to, uh, to allow benign behavior. So how are 31 00:01:48,900 --> 00:01:49,710 S1: you doing that? 32 00:01:49,830 --> 00:01:52,350 S2: So there's a few parts of what we do. So 33 00:01:52,350 --> 00:01:53,790 S2: first of all, the core of what we do is 34 00:01:53,790 --> 00:01:57,960 S2: allow listing. So it's basically allowing what needs to run 35 00:01:57,960 --> 00:02:02,410 S2: to run. I'm blocking everything else now. Anybody who's ever 36 00:02:02,410 --> 00:02:06,160 S2: tried to do that probably knows that historically, that has 37 00:02:06,160 --> 00:02:08,050 S2: been somewhat, even though it is kind of the gold 38 00:02:08,050 --> 00:02:11,470 S2: standard in terms of cybersecurity. It is kind of a 39 00:02:11,470 --> 00:02:13,660 S2: heavy lift with some of the tools that are out there. 40 00:02:13,660 --> 00:02:16,330 S2: It's a lot of hard work, basically, and we do 41 00:02:16,330 --> 00:02:20,140 S2: a few things differently that make it manageable. We make 42 00:02:20,139 --> 00:02:23,679 S2: it attainable for even, you know, small and medium organizations. 
43 00:02:23,919 --> 00:02:26,950 S2: And first thing that we do differently is we basically 44 00:02:26,950 --> 00:02:30,490 S2: learn everything automatically. So you deploy an agent onto your machines. 45 00:02:30,490 --> 00:02:33,339 S2: It does all the hard work effectively. So it figures 46 00:02:33,340 --> 00:02:35,829 S2: out everything that's required on the machine and creates policies 47 00:02:35,830 --> 00:02:38,860 S2: to allow those things to continue to run once the 48 00:02:38,860 --> 00:02:41,470 S2: threat has been turned on. So that's kind of the 49 00:02:41,470 --> 00:02:45,070 S2: first way that we make this process much easier. The 50 00:02:45,070 --> 00:02:48,639 S2: second way. And again, anybody who's ever tried to implement 51 00:02:48,669 --> 00:02:51,190 S2: a listing will know that one of the biggest problems 52 00:02:51,220 --> 00:02:55,900 S2: is the question of what happens when software updates. And 53 00:02:55,900 --> 00:02:59,760 S2: generally speaking, What happens when software updates? Is it breaks 54 00:02:59,760 --> 00:03:03,090 S2: because whatever licensing solution you're using will say, well, look, 55 00:03:03,120 --> 00:03:05,820 S2: I know that file is called acrobatics, but it doesn't 56 00:03:05,820 --> 00:03:09,839 S2: match my acrobatics, so I'm not going to let it run. Um, 57 00:03:09,870 --> 00:03:13,919 S2: and that has always been one of the biggest hurdles 58 00:03:13,919 --> 00:03:17,400 S2: with implementing this approach. So what we do to solve 59 00:03:17,400 --> 00:03:19,440 S2: that problem is we have this concept of what we 60 00:03:19,440 --> 00:03:23,820 S2: call built in applications, which are effectively application definitions that 61 00:03:23,820 --> 00:03:28,560 S2: we maintain, we manage. We've got over 4000 common applications, 62 00:03:28,560 --> 00:03:33,419 S2: everything from Acrobat to teams to zoom to office. 
I mean, technically, 63 00:03:33,419 --> 00:03:36,000 S2: windows is kind of a built in application as well, 64 00:03:36,030 --> 00:03:39,600 S2: but every time there's an update for any of those things, 65 00:03:39,630 --> 00:03:42,690 S2: our applications team who are based here in Orlando working 66 00:03:42,720 --> 00:03:46,830 S2: 24 over seven, 365 will run. It will capture any 67 00:03:46,830 --> 00:03:49,890 S2: new files that are included in that application, and it 68 00:03:49,890 --> 00:03:52,950 S2: gets pushed down to people's machines automatically. So anybody who 69 00:03:52,950 --> 00:03:56,470 S2: has a definition for or a policy for teams, for example, 70 00:03:56,500 --> 00:03:59,770 S2: new update comes out, they capture it. It gets pushed 71 00:03:59,770 --> 00:04:03,580 S2: down to every machine that's running teams automatically. So effectively 72 00:04:03,580 --> 00:04:05,350 S2: it takes a lot of the heavy lifting. It takes 73 00:04:05,350 --> 00:04:07,840 S2: a lot of the hard work out of what used 74 00:04:07,840 --> 00:04:10,420 S2: to be quite an involved process. 75 00:04:11,440 --> 00:04:18,040 S1: Oh very interesting. So, so, um, so essentially you're watching 76 00:04:18,040 --> 00:04:22,089 S1: all these core applications. It sounds like roughly 4000 or so. 77 00:04:22,089 --> 00:04:24,789 S1: And then, um, any new update that comes out that 78 00:04:24,790 --> 00:04:28,419 S1: immediately comes to you, you're instrument it and re push 79 00:04:28,420 --> 00:04:30,280 S1: it down as part of the allow list. 80 00:04:30,310 --> 00:04:32,169 S2: So we don't push it down per se. What we 81 00:04:32,170 --> 00:04:34,660 S2: do is we push down hashes. We push down new 82 00:04:34,660 --> 00:04:37,179 S2: files that are allowed. So when our customer tries to 83 00:04:37,180 --> 00:04:40,030 S2: run those new files, they will be allowed to do so. 
84 00:04:40,029 --> 00:04:43,989 S2: So yeah we update the application definitions constantly like every 85 00:04:43,990 --> 00:04:45,640 S2: one of those applications, as far as I know, is 86 00:04:45,640 --> 00:04:49,120 S2: checked pretty much once a day. Um, some things far 87 00:04:49,120 --> 00:04:53,140 S2: more often than that. I mean, Chrome updates often and sporadically. 88 00:04:53,140 --> 00:04:56,000 S2: So we might check that for argument's sake, 12 times 89 00:04:56,000 --> 00:04:58,190 S2: a day. And just to make sure that we capture 90 00:04:58,220 --> 00:05:01,159 S2: all those hashes as soon as possible. So by the 91 00:05:01,160 --> 00:05:04,250 S2: time customers come to install them, they don't have any 92 00:05:04,250 --> 00:05:07,850 S2: problems with their software being blocked. We would like this. 93 00:05:08,300 --> 00:05:11,240 S2: Patch Tuesday is our busiest or our OP team's busiest 94 00:05:11,240 --> 00:05:14,659 S2: day of the month. And you know, there could be five, ten, 95 00:05:14,660 --> 00:05:18,920 S2: 15,000 new hashes pushed out by Microsoft as part of 96 00:05:18,950 --> 00:05:21,170 S2: Patch Tuesday. So they all need to be accounted for. 97 00:05:21,200 --> 00:05:24,140 S2: They all need to be allowed when our customers try 98 00:05:24,140 --> 00:05:26,330 S2: and run them. So as I said, our app team 99 00:05:26,360 --> 00:05:30,260 S2: our the it's kind of the secret sauce, the special 100 00:05:30,260 --> 00:05:32,870 S2: sauce as to why Threadlocker is as easy to manage 101 00:05:32,870 --> 00:05:34,730 S2: as it is, because we're taking a lot of that 102 00:05:34,730 --> 00:05:37,760 S2: heavy lifting, a lot of that responsibility. We're taking it 103 00:05:37,760 --> 00:05:39,830 S2: off customers and taking it on ourselves. 104 00:05:40,820 --> 00:05:41,180 S3: Yeah. 105 00:05:41,210 --> 00:05:46,370 S1: Very interesting. Um, you mentioned the vendor putting out hashes. 
106 00:05:47,150 --> 00:05:50,090 S1: Is that one option for you to, um, I mean, 107 00:05:50,120 --> 00:05:53,610 S1: could Microsoft actually put out a of thing. I guess 108 00:05:53,610 --> 00:05:56,400 S1: it wouldn't be hashed in your particular way. 109 00:05:56,520 --> 00:05:58,919 S2: Um, no. Well, if most of what we do is 110 00:05:58,920 --> 00:06:03,000 S2: based on Sha 256, so technically it could. But we 111 00:06:03,000 --> 00:06:07,080 S2: have relationships with lots of vendors. So they give us, 112 00:06:07,110 --> 00:06:10,860 S2: you know. Access to their software before it actually gets 113 00:06:10,860 --> 00:06:14,100 S2: pushed out in many cases. And I mean, in some cases, 114 00:06:14,130 --> 00:06:16,560 S2: vendors don't cooperate. And we have to. Literally go out 115 00:06:16,560 --> 00:06:18,870 S2: and buy their software and able to get out in 116 00:06:18,870 --> 00:06:20,910 S2: order to. Get access to it as early as possible. 117 00:06:20,970 --> 00:06:24,570 S2: But a lot of vendors do cooperate. I have to say, 118 00:06:24,600 --> 00:06:28,950 S2: particularly cyber security solutions and cyber security. Security tools. And 119 00:06:28,980 --> 00:06:32,490 S2: they're very good in giving us either access or. Early 120 00:06:32,490 --> 00:06:35,340 S2: access to their software so we can make sure it 121 00:06:35,339 --> 00:06:37,530 S2: doesn't get blocked. On our customer's machines. 122 00:06:38,550 --> 00:06:41,340 S1: Okay. That makes sense. So you don't have too many 123 00:06:41,339 --> 00:06:49,020 S1: situations where um. Somebody just randomly luckily immediately got the 124 00:06:49,020 --> 00:06:52,300 S1: update and they're installing it within, like whatever 30s of 125 00:06:52,300 --> 00:06:53,170 S1: it coming out. 126 00:06:53,320 --> 00:06:53,979 S3: I've been that. 127 00:06:53,980 --> 00:06:57,760 S2: Guy. I've been that guy. 
So Patch Tuesday some time 128 00:06:57,760 --> 00:07:01,180 S2: ago and my machine prompted me for for an update. 129 00:07:01,180 --> 00:07:03,580 S2: I didn't realize it was Tuesday. I didn't realize it 130 00:07:03,580 --> 00:07:05,620 S2: was Patch Tuesday. It was like, I'll just run the 131 00:07:05,620 --> 00:07:08,830 S2: update now. A few files got blocked, caused a bit 132 00:07:08,830 --> 00:07:12,070 S2: of embarrassment, and I'm basically the guy that they all 133 00:07:12,070 --> 00:07:14,530 S2: tag now when they say, hey, it's Patch Tuesday, don't 134 00:07:14,560 --> 00:07:19,030 S2: update your machines immediately. And but it very, very, very 135 00:07:19,030 --> 00:07:22,600 S2: rarely happens. I mean, people don't normally get updates that 136 00:07:22,600 --> 00:07:26,590 S2: quickly or install them that immediately. And you know, a 137 00:07:26,620 --> 00:07:29,380 S2: lot of obviously bigger enterprises, they'll have, you know, slower 138 00:07:29,380 --> 00:07:32,560 S2: rollout for things like patching or, you know, automated patching even, 139 00:07:32,590 --> 00:07:35,680 S2: you know, MSPs will have something similar and they'll have 140 00:07:35,680 --> 00:07:38,140 S2: patching programs that might update things once a day or 141 00:07:38,140 --> 00:07:40,270 S2: whatever the case may be. So it doesn't tend to 142 00:07:40,270 --> 00:07:42,700 S2: be an issue that somebody gets to something before we do. 143 00:07:42,700 --> 00:07:45,880 S2: But again, one of the other benefits to what we 144 00:07:45,880 --> 00:07:49,120 S2: do is if something gets blocked, it's really easy and 145 00:07:49,120 --> 00:07:52,250 S2: really fast to get it allowed. It's like a 32nd 146 00:07:52,250 --> 00:07:54,860 S2: process where a user goes, hey, I need to run 147 00:07:54,860 --> 00:07:58,100 S2: this thing. And an administrator goes, yeah, okay, you can 148 00:07:58,100 --> 00:08:00,200 S2: run it. 
So even if something does get blocked, it's 149 00:08:00,200 --> 00:08:03,770 S2: a really smooth, easy, fast approval process. 150 00:08:04,310 --> 00:08:04,580 S3: Yeah. 151 00:08:04,610 --> 00:08:06,800 S1: And like you said, usually we have the opposite problem, right. 152 00:08:06,830 --> 00:08:10,010 S1: People not applying patches, not applying them too quickly. 153 00:08:10,040 --> 00:08:13,760 S2: Well it's actually it's a really interesting point because the 154 00:08:13,760 --> 00:08:16,940 S2: problem I mean, it's obviously a huge problem from a 155 00:08:16,940 --> 00:08:22,070 S2: cybersecurity perspective and vulnerable software and or vulnerabilities in software. 156 00:08:22,100 --> 00:08:24,680 S2: I mean, there's so many different examples. There's a Veeam 157 00:08:24,680 --> 00:08:28,460 S2: one at the moment that allows remote remote code execution. 158 00:08:28,490 --> 00:08:31,070 S2: There's I mean, what I tend to say to people is, look, 159 00:08:31,100 --> 00:08:34,220 S2: just assume the software, even if you patch your stuff 160 00:08:34,280 --> 00:08:37,760 S2: absolutely on the button every time, I'd say assume the 161 00:08:37,760 --> 00:08:40,370 S2: software that you're using, even though patched, is still full 162 00:08:40,370 --> 00:08:42,890 S2: of holes, because it probably is. I mean, again, look 163 00:08:42,920 --> 00:08:46,490 S2: at an average Patch Tuesday. Look at the serious issues 164 00:08:46,490 --> 00:08:49,720 S2: that Microsoft fix every time they release an update for windows, 165 00:08:49,720 --> 00:08:52,330 S2: so assume that those things are there even if your 166 00:08:52,330 --> 00:08:56,350 S2: system is patched. And act accordingly. And it's effectively it's 167 00:08:56,380 --> 00:09:00,340 S2: one of the tenets of zero trust is assume breach, 168 00:09:00,370 --> 00:09:05,950 S2: assume issues, assume vulnerabilities. 
Assume you know the bad guys 169 00:09:05,950 --> 00:09:09,100 S2: are already in for all intents and purposes. But if 170 00:09:09,100 --> 00:09:12,580 S2: you take that approach, then everything that we do makes sense, 171 00:09:12,580 --> 00:09:14,530 S2: which is okay, they're in now, what can they do? 172 00:09:14,559 --> 00:09:18,160 S2: Can they run things? No. Can they exfiltrate data? No. 173 00:09:18,160 --> 00:09:22,210 S2: Can they run ransomware? No. So again, everything we do 174 00:09:22,240 --> 00:09:23,740 S2: and there is a lot more to it than just 175 00:09:23,830 --> 00:09:26,800 S2: the listing. But everything else that we do just makes 176 00:09:26,800 --> 00:09:29,950 S2: sense when you operate from that assumed breach perspective. 177 00:09:30,580 --> 00:09:33,280 S1: Yeah, I like that a lot. So what are some 178 00:09:33,280 --> 00:09:37,150 S1: other ways that you're you're implementing this zero trust philosophy? 179 00:09:37,179 --> 00:09:40,089 S1: I looked at the site before getting on. I saw 180 00:09:40,090 --> 00:09:44,500 S1: something called ring fencing. Um, is that the same or. 181 00:09:44,500 --> 00:09:45,310 S3: Um, the. 182 00:09:45,610 --> 00:09:48,530 S2: Ring fencing is awesome, if I may say so myself. Yeah. 183 00:09:48,559 --> 00:09:49,189 S1: Go ahead. 184 00:09:49,940 --> 00:09:52,670 S2: So basically what it is, is it takes the principle 185 00:09:52,670 --> 00:09:56,270 S2: of deny by default, permit by exception, and it expands 186 00:09:56,270 --> 00:09:58,790 S2: on it. So it's not so much about it's the 187 00:09:58,790 --> 00:10:00,920 S2: other part of what we call application control, or what 188 00:10:00,920 --> 00:10:03,349 S2: we consider to be application control as to what can 189 00:10:03,350 --> 00:10:06,320 S2: run and what can't run. And then there's what things 190 00:10:06,320 --> 00:10:10,849 S2: can do when they're running. So it's things like application interaction. 
191 00:10:10,850 --> 00:10:14,030 S2: So what applications can call what other applications. So like 192 00:10:14,059 --> 00:10:16,520 S2: you may need to run office on your machines. You 193 00:10:16,520 --> 00:10:19,430 S2: may need to run PowerShell on your machines. Does office 194 00:10:19,429 --> 00:10:20,990 S2: need to call PowerShell. 195 00:10:21,290 --> 00:10:22,160 S1: Oh okay. 196 00:10:22,190 --> 00:10:25,580 S2: Absolutely not. So we can control those application interactions to 197 00:10:25,610 --> 00:10:29,390 S2: stop things. You know that lateral movement between applications. But 198 00:10:29,390 --> 00:10:32,630 S2: we can also control for example, what data an application 199 00:10:32,630 --> 00:10:35,240 S2: has access to it. So again PowerShell is a great example. 200 00:10:35,270 --> 00:10:38,990 S2: Does PowerShell need to access all my files, my documents, 201 00:10:38,990 --> 00:10:42,679 S2: my spreadsheets, my network shares my UNC paths? Answer in 202 00:10:42,679 --> 00:10:45,680 S2: most cases is no, but obviously out of the box 203 00:10:45,679 --> 00:10:49,860 S2: it can, which is why it's so often misused. And 204 00:10:49,860 --> 00:10:52,890 S2: so if you can limit what data things like PowerShell 205 00:10:52,920 --> 00:10:55,770 S2: have access to, you're going to minimize the potential for 206 00:10:55,770 --> 00:10:59,490 S2: data exfiltration, you know, and realistically the potential for damage 207 00:10:59,520 --> 00:11:01,860 S2: if something bad does get into an environment. But we 208 00:11:01,860 --> 00:11:06,689 S2: can also control where applications can connect to on the internet. 209 00:11:06,690 --> 00:11:11,040 S2: So again PowerShell, brilliant example. Does PowerShell need to talk 210 00:11:11,040 --> 00:11:17,729 S2: to the entire internet? Absolutely not. By default. Absolutely. Which 211 00:11:17,730 --> 00:11:21,660 S2: is why it's used for data exfiltration or running remote code. 
212 00:11:21,780 --> 00:11:23,730 S2: And I mean I'll give you an example. We did 213 00:11:23,760 --> 00:11:28,410 S2: a webinar recently with a guy called Jacobi. And guy 214 00:11:28,410 --> 00:11:32,489 S2: is an absolute genius. I mean, he knows he he's. 215 00:11:32,490 --> 00:11:33,270 S1: A friend of mine, I. 216 00:11:33,270 --> 00:11:34,500 S3: Know him. Oh really? Yeah. 217 00:11:34,530 --> 00:11:37,199 S2: So Jacobi does this really cool thing and you've probably 218 00:11:37,200 --> 00:11:40,530 S2: seen this and he's got this, um, an API that 219 00:11:40,530 --> 00:11:45,580 S2: he set up that basically delivers polymorphic and PowerShell reverse 220 00:11:45,580 --> 00:11:48,550 S2: shell code. So every time it goes out to the API, 221 00:11:48,580 --> 00:11:50,380 S2: it gets a different piece of code back, and it's 222 00:11:50,380 --> 00:11:53,410 S2: not picked up or stopped or blocked by any traditional 223 00:11:53,440 --> 00:11:56,800 S2: tool because again, it's different every time. It's not known bad. 224 00:11:56,830 --> 00:12:00,160 S2: So how does that depends on knowing what's good or bad. 225 00:12:00,160 --> 00:12:04,060 S2: Ever stop it. And but he has done he's done 226 00:12:04,059 --> 00:12:05,620 S2: a couple of webinars now. The first one he kind 227 00:12:05,650 --> 00:12:07,449 S2: of mentioned was he said I've come across this thing 228 00:12:07,480 --> 00:12:09,760 S2: threatlocker and it's awesome. It blocks me every time from 229 00:12:09,760 --> 00:12:14,260 S2: doing this. You know, they're using some amazing behavioral analysis or, 230 00:12:14,290 --> 00:12:17,530 S2: you know, it's it I don't know, somehow knows what 231 00:12:17,530 --> 00:12:20,200 S2: we're doing. And but we did another call with him 232 00:12:20,200 --> 00:12:22,210 S2: last week. 
I don't think it's been released yet, but 233 00:12:22,210 --> 00:12:24,910 S2: I was able to say to him, look, just to explain, Jacoby, 234 00:12:24,940 --> 00:12:28,090 S2: we're not detecting what you're doing as being bad. We're 235 00:12:28,090 --> 00:12:31,780 S2: not recognizing it as malicious. What we're doing instead is 236 00:12:31,809 --> 00:12:37,689 S2: we're just saying, look, PowerShell can't access the internet. Stopped everything. 237 00:12:37,690 --> 00:12:40,929 S2: He was in his tracks because he was dependent, or 238 00:12:40,929 --> 00:12:42,820 S2: that the hacks that he was doing was dependent on 239 00:12:42,820 --> 00:12:46,260 S2: PowerShell being able to access, in this case his API 240 00:12:46,290 --> 00:12:48,870 S2: to get that polymorphic code, which then reached out to 241 00:12:48,990 --> 00:12:53,010 S2: another reverse shell server. So by, as I said, controlling 242 00:12:53,010 --> 00:12:56,939 S2: what applications can do is almost as important as what 243 00:12:56,940 --> 00:12:58,410 S2: can run and what can't run. 244 00:12:59,100 --> 00:13:02,699 S1: Okay I really love this. Okay. So so the overall 245 00:13:02,700 --> 00:13:05,729 S1: theme is zero trust. But now we've got what can run, 246 00:13:05,730 --> 00:13:10,800 S1: what can't run, what can invoke. Next to it. What 247 00:13:10,800 --> 00:13:13,770 S1: can reach the internet. What are some other sort of, 248 00:13:13,770 --> 00:13:17,310 S1: um zero trust concepts that you're applying. 249 00:13:17,340 --> 00:13:21,480 S2: So we have a we've got a storage control component 250 00:13:21,480 --> 00:13:24,000 S2: as well. Um, and I can I can give you 251 00:13:24,000 --> 00:13:27,090 S2: an example of where storage control is very relevant, but 252 00:13:27,090 --> 00:13:30,390 S2: storage control basically allows you to control which programs have 253 00:13:30,390 --> 00:13:33,900 S2: access to what data. 
So now what users have access 254 00:13:33,900 --> 00:13:37,109 S2: to what data, but which programs, which individual application can 255 00:13:37,110 --> 00:13:40,920 S2: access what data. So there's a million different examples. I mean, 256 00:13:40,920 --> 00:13:43,089 S2: if you think about it logically, like why would anything 257 00:13:43,120 --> 00:13:47,440 S2: other than Hyper-V need to access a FD or VHDL file? 258 00:13:47,740 --> 00:13:51,040 S2: Why would anything other than SQL server X need to 259 00:13:51,070 --> 00:13:54,820 S2: access a SQL server's database? But again, out of the box. 260 00:13:54,850 --> 00:13:57,520 S2: And it's one of the reasons why ransomware and data 261 00:13:57,520 --> 00:14:00,490 S2: exfiltration are as prevalent as they are. It's because everything 262 00:14:00,490 --> 00:14:02,860 S2: that can run on a system, or everything that you 263 00:14:02,860 --> 00:14:06,130 S2: run on a system has access to everything that you 264 00:14:06,130 --> 00:14:08,530 S2: have access to. So if you've got access to a 265 00:14:08,530 --> 00:14:13,240 S2: management chair, everything you run, whether it be good bad, malware, ransomware, 266 00:14:13,270 --> 00:14:16,420 S2: Angry Birds, they all have access to that data as 267 00:14:16,420 --> 00:14:20,290 S2: well because they're running as you. So what we we 268 00:14:20,470 --> 00:14:26,350 S2: augment or combine your traditional user based controls and add 269 00:14:26,350 --> 00:14:30,160 S2: to that program based controls. So if you have a 270 00:14:30,160 --> 00:14:32,830 S2: folder on the server, if that folder only needs to 271 00:14:32,830 --> 00:14:36,430 S2: be accessed by Office and Acrobat and Teams and Zoom, 272 00:14:36,430 --> 00:14:39,970 S2: why would you let any of the other 500 applications 273 00:14:39,970 --> 00:14:42,560 S2: that are running in your computer, access that location. 
So again, 274 00:14:42,560 --> 00:14:46,190 S2: it's denied by default permit by exception. But for programs 275 00:14:46,190 --> 00:14:51,590 S2: and data we also have and again same principle with 276 00:14:51,590 --> 00:14:54,440 S2: the same principle for networking. So we've got a firewall 277 00:14:54,470 --> 00:14:57,440 S2: built into the same agent. So it's effectively a default 278 00:14:57,440 --> 00:15:01,370 S2: denies permit by exception. And it's kind of smarter than 279 00:15:01,370 --> 00:15:04,880 S2: your average firewall though. And I mean it's a huge problem. 280 00:15:04,910 --> 00:15:08,210 S2: I mean people are taking, you know, work computers home. 281 00:15:08,210 --> 00:15:10,850 S2: They're taking them to, you know, Starbucks or at events 282 00:15:10,850 --> 00:15:14,690 S2: or in hotels or everywhere. So the time when we 283 00:15:14,690 --> 00:15:17,480 S2: could all kind of hide behind the perimeter firewall and 284 00:15:17,480 --> 00:15:21,440 S2: feel safe is very much gone. But because our firewall 285 00:15:21,440 --> 00:15:23,690 S2: is centrally managed, you can see everything that's happening on 286 00:15:23,690 --> 00:15:25,760 S2: all of your machines from one place, but you can 287 00:15:25,760 --> 00:15:29,060 S2: also control everything. And but when I say it's smarter 288 00:15:29,060 --> 00:15:31,700 S2: than your average firewall, we can use what we call 289 00:15:31,700 --> 00:15:35,390 S2: dynamic ACLs. So I can create a policy that says, look, 290 00:15:35,420 --> 00:15:40,320 S2: only allow machines in my IT group connect to an 291 00:15:40,320 --> 00:15:43,620 S2: RDP port on a server or only allow machines in 292 00:15:43,620 --> 00:15:47,550 S2: my workstations. Group connect to, you know, SQL 1433 on 293 00:15:47,550 --> 00:15:51,120 S2: this server. But what that means is whether a port 294 00:15:51,120 --> 00:15:54,510 S2: is open or not depends on what's connecting to it. 
295 00:15:54,510 --> 00:15:58,260 S2: If it's a device that you've explicitly said can access 296 00:15:58,290 --> 00:16:00,120 S2: this resource on the server, it's going to be allowed 297 00:16:00,120 --> 00:16:04,530 S2: to connect. If it's not, it won't. So it's effectively 298 00:16:04,560 --> 00:16:07,350 S2: it's akin to network segmentation, but it's done at the 299 00:16:07,350 --> 00:16:11,010 S2: endpoint level. It's not done with expensive or expensive switches 300 00:16:11,010 --> 00:16:13,710 S2: and hardware and everything else. You're basically saying, look, only 301 00:16:13,710 --> 00:16:17,610 S2: these devices can connect to this port. Now that stops 302 00:16:17,610 --> 00:16:22,020 S2: so many ransomware attacks in their tracks just by blocking 303 00:16:22,020 --> 00:16:25,590 S2: by default network connections. Because again, most of these ransomware 304 00:16:25,590 --> 00:16:29,880 S2: attacks will need some sort of connection to take place. 305 00:16:29,880 --> 00:16:32,130 S2: And in a lot of cases, I mean, the whole 306 00:16:32,130 --> 00:16:35,370 S2: issue with RDP still being open, I mean, we've I've 307 00:16:35,370 --> 00:16:37,560 S2: seen so many instances of RDP being open to the 308 00:16:37,560 --> 00:16:41,620 S2: internet I mean, I'm going to put in or insert 309 00:16:41,620 --> 00:16:47,290 S2: my usual RDP standing for Ransomware delivery protocol joke, but 310 00:16:47,290 --> 00:16:49,930 S2: it's called that for a reason. I mean, it's close 311 00:16:49,930 --> 00:16:54,400 S2: to 20%. Ransomware attacks still include RDP, and it's basically 312 00:16:54,400 --> 00:16:58,600 S2: just servers hanging out with that port available on the internet. 313 00:16:58,630 --> 00:16:59,440 S3: I mean, you're talking about three. 314 00:16:59,470 --> 00:17:01,090 S1: Three, eight, nine like actual. 315 00:17:01,180 --> 00:17:01,510 S3: Yeah. 316 00:17:02,260 --> 00:17:07,120 S2: Um, and so if anybody's bored, um, do try this on. 
317 00:17:07,119 --> 00:17:09,790 S2: So go to shodan. So obviously, I'm sure you know 318 00:17:09,790 --> 00:17:11,770 S2: what shodan is. It's effectively a search engine for the 319 00:17:11,770 --> 00:17:14,770 S2: internet of things. Go to Shodan and you can search 320 00:17:14,770 --> 00:17:18,850 S2: in Shodan for a specific port in an area. So 321 00:17:18,850 --> 00:17:22,810 S2: you can look for port colon 3389 city colon Orlando 322 00:17:22,810 --> 00:17:25,720 S2: for example. I did that some time ago for Orlando 323 00:17:25,720 --> 00:17:32,169 S2: and it showed over 900 devices, over 900 servers, machines, 324 00:17:32,170 --> 00:17:35,920 S2: you name it. With that port open to the internet 325 00:17:35,950 --> 00:17:39,470 S2: and those machines, those organizations, those environments are literally a 326 00:17:39,470 --> 00:17:42,859 S2: brute force password away from being the next victims of 327 00:17:42,859 --> 00:17:44,570 S2: a ransomware attack and. 328 00:17:44,930 --> 00:17:45,230 S3: Or. 329 00:17:45,230 --> 00:17:47,060 S1: Being unpatched like RDP. 330 00:17:47,420 --> 00:17:51,199 S2: Yeah, absolutely. Absolutely. And but it really is scary. And 331 00:17:51,200 --> 00:17:52,669 S2: in some cases, I mean, you can literally see the 332 00:17:52,670 --> 00:17:55,040 S2: name of the organization because they've got like the, you know, 333 00:17:55,070 --> 00:17:56,120 S2: domain name header. 334 00:17:56,150 --> 00:17:56,480 S3: Yeah. 335 00:17:56,930 --> 00:17:59,360 S2: They show the user who's logged in. So it's not 336 00:17:59,359 --> 00:18:02,119 S2: as if they have to even guess what the username is. 337 00:18:02,150 --> 00:18:04,820 S2: They can say, oh this machine, the username is Rob. 338 00:18:04,820 --> 00:18:07,580 S2: So I just need to run my, you know, password 339 00:18:07,580 --> 00:18:10,229 S2: attack against the user Rob rather than to try a 340 00:18:10,230 --> 00:18:13,910 S2: million different users. 
It's terrifying. But again, the point about 341 00:18:13,940 --> 00:18:18,440 S2: network control is you could theoretically and hypothetically you could 342 00:18:18,680 --> 00:18:21,440 S2: open port three, three, eight, nine to the internet. But 343 00:18:21,440 --> 00:18:25,130 S2: you can say you can. Only these machines can connect. 344 00:18:25,130 --> 00:18:28,220 S2: So when the internet tries to connect it, it can't 345 00:18:28,220 --> 00:18:31,070 S2: because that port is closed. But if you're just the devices, 346 00:18:31,070 --> 00:18:32,780 S2: the ones that you want to connect want to connect, 347 00:18:32,869 --> 00:18:35,730 S2: they can't. So again, it's just it's taking that same 348 00:18:35,730 --> 00:18:38,879 S2: principle of deny by default, permit by exception, but applying 349 00:18:38,880 --> 00:18:40,470 S2: it to networking? 350 00:18:41,400 --> 00:18:42,330 S3: Yeah. 351 00:18:43,530 --> 00:18:47,370 S1: Really interesting. So I got a question for you. Have 352 00:18:47,400 --> 00:18:51,840 S1: have you thought about or are you already doing um, 353 00:18:52,560 --> 00:18:56,699 S1: gathering of context from an organization? So what if you 354 00:18:56,700 --> 00:19:00,210 S1: could take an organization and just be like, okay, based 355 00:19:00,210 --> 00:19:04,800 S1: on slack conversations based on internal wikis or whatever? This 356 00:19:04,800 --> 00:19:08,790 S1: is the general flow of how things normally work, right? 
357 00:19:08,790 --> 00:19:11,580 S1: And then you could basically build a bunch of allow 358 00:19:11,609 --> 00:19:15,510 S1: list rules across all the different facets, not just like 359 00:19:15,540 --> 00:19:20,880 S1: can an application run, but these, these, uh, applications normally 360 00:19:20,880 --> 00:19:24,270 S1: talk to these, uh, these servers over here should be 361 00:19:24,270 --> 00:19:28,290 S1: accessed by these finance servers or whatever, and then intelligently 362 00:19:28,290 --> 00:19:34,200 S1: build like this profile of different allows and disallows. 363 00:19:35,390 --> 00:19:39,560 S2: We kind of do that already. So the learning mode 364 00:19:39,560 --> 00:19:42,410 S2: in allow listing is effectively doing that. We learn quite 365 00:19:42,410 --> 00:19:44,750 S2: a bit of ring fencing as well. So if applications 366 00:19:44,780 --> 00:19:49,220 S2: need to go into particular locations or access particular internet locations, 367 00:19:49,220 --> 00:19:52,639 S2: we learn that stuff already. I mean, your 368 00:19:52,640 --> 00:19:55,879 S2: allow list is effectively that. We also, and I should 369 00:19:55,910 --> 00:19:57,590 S2: have mentioned this, but we do also have what we 370 00:19:57,590 --> 00:20:01,850 S2: call the Unified Audit, which is visibility over everything 371 00:20:01,850 --> 00:20:04,580 S2: that's happening on machines. So everything that runs, everything that 372 00:20:04,580 --> 00:20:07,940 S2: can't run, everything that's allowed, everything that's denied, network traffic 373 00:20:07,940 --> 00:20:11,870 S2: in and out. So we have complete visibility over what 374 00:20:11,869 --> 00:20:15,980 S2: is happening and also what's not happening in the environments 375 00:20:15,980 --> 00:20:20,030 S2: that are managed with Threatlocker. 
And one thing I 376 00:20:20,030 --> 00:20:23,300 S2: should mention, and a lot of what we've spoken about 377 00:20:23,330 --> 00:20:27,830 S2: thus far has been effectively control. So we take 378 00:20:27,830 --> 00:20:31,280 S2: a different approach, we're not about detecting, we're not, well, sorry, 379 00:20:31,310 --> 00:20:35,490 S2: we're not primarily about detecting. We are primarily about controls, 380 00:20:35,490 --> 00:20:39,780 S2: about making the environment effectively as unfriendly as possible to an 381 00:20:39,780 --> 00:20:44,250 S2: attacker while allowing users to do what they need to do. 382 00:20:44,460 --> 00:20:46,949 S2: So users, and you know, you have to think, or 383 00:20:46,950 --> 00:20:50,490 S2: you have to consider, that probably 98% of users do 384 00:20:50,490 --> 00:20:55,200 S2: the same things with the same software every single day. Yep. 385 00:20:55,260 --> 00:20:57,690 S2: I mean, they use Office. They use Acrobat. They use 386 00:20:57,690 --> 00:21:02,820 S2: video conferencing, Teams, Zoom, browsers. Obviously, you know, the Windows operating system, etc., 387 00:21:02,850 --> 00:21:06,600 S2: maybe a line of business application or two. But fundamentally 388 00:21:06,600 --> 00:21:09,030 S2: what we're doing is we're just setting guardrails around that. 389 00:21:09,060 --> 00:21:11,970 S2: We're saying, look, operate within these guardrails and you're not 390 00:21:11,970 --> 00:21:14,400 S2: even going to know we're here. Okay. So it's not 391 00:21:14,400 --> 00:21:16,800 S2: going to affect or get in the way of the vast, 392 00:21:16,800 --> 00:21:20,790 S2: vast majority of users. But back to what you mentioned 393 00:21:20,850 --> 00:21:23,520 S2: a second ago. The other thing that we do as 394 00:21:23,520 --> 00:21:28,260 S2: well as control. So for many years a lot 395 00:21:28,290 --> 00:21:32,379 S2: of organizations would run us beside some sort of detection. Okay. 
396 00:21:32,410 --> 00:21:35,650 S2: So they might run Threatlocker alongside an EDR, for example. 397 00:21:35,680 --> 00:21:40,210 S2: Basically Threatlocker offering the control and the EDR effectively 398 00:21:40,210 --> 00:21:43,600 S2: as a fallback, as a, okay, you know, somebody allowed 399 00:21:43,600 --> 00:21:46,150 S2: something wrong they shouldn't have done. Now the EDR steps 400 00:21:46,150 --> 00:21:48,040 S2: in and goes, okay, I'm going to detect that and 401 00:21:48,040 --> 00:21:52,030 S2: hopefully clean it up. So what we've added more recently 402 00:21:52,030 --> 00:21:55,690 S2: is what we call Threatlocker Detect, which is an EDR 403 00:21:55,720 --> 00:21:59,109 S2: that is attached to Threatlocker. I mean, it's effectively it's 404 00:21:59,109 --> 00:22:01,960 S2: the same agent, it's the same portal, it's the same 405 00:22:02,080 --> 00:22:05,859 S2: everything that you're using. But the beauty about Threatlocker's 406 00:22:05,859 --> 00:22:08,890 S2: detection platform, which is, as I said, Detect, and we 407 00:22:08,890 --> 00:22:13,600 S2: also have MDR, is we see not only everything that 408 00:22:13,600 --> 00:22:17,620 S2: we have allowed, but we also see everything that we've denied. 409 00:22:17,619 --> 00:22:20,740 S2: Because the problem is, if you're running Threatlocker alongside another 410 00:22:20,740 --> 00:22:24,520 S2: tool like an EDR, we're blocking most of it at source. 411 00:22:24,520 --> 00:22:27,820 S2: We're stopping, you know, remote access tools from running. We're 412 00:22:27,820 --> 00:22:31,370 S2: stopping everything from running at source, and very often the 413 00:22:31,369 --> 00:22:34,369 S2: EDR that's running alongside us won't even know that happened. 414 00:22:34,460 --> 00:22:37,340 S2: You know what I mean? So yes. Yeah, but AnyDesk 415 00:22:37,340 --> 00:22:39,560 S2: has been blocked from running, so it has nothing to detect. 
416 00:22:39,560 --> 00:22:42,050 S2: It has nothing to respond to. So the beauty about 417 00:22:42,050 --> 00:22:44,900 S2: us is we see both sides. We see everything that's 418 00:22:44,900 --> 00:22:47,990 S2: been allowed. We also see everything that's been denied. And 419 00:22:47,990 --> 00:22:52,550 S2: we can alert, detect and respond accordingly. Because the thing 420 00:22:52,550 --> 00:22:55,670 S2: is, what the layers of control we mentioned are going 421 00:22:55,670 --> 00:22:58,130 S2: to do is they're going to buy you time, okay. 422 00:22:58,160 --> 00:23:01,370 S2: In the event of a cyber attack, having time where, 423 00:23:01,400 --> 00:23:03,770 S2: you know, they're in, but they can't do anything because 424 00:23:03,770 --> 00:23:06,140 S2: they keep on banging their heads against the wall. That 425 00:23:06,140 --> 00:23:09,350 S2: is Threatlocker. That's going to buy you time, but you 426 00:23:09,350 --> 00:23:11,660 S2: still want to know if something's going on. 427 00:23:11,660 --> 00:23:14,570 S1: Yeah, because they might switch tactics to something else that 428 00:23:14,600 --> 00:23:17,090 S1: that you can't block. And you get all that time 429 00:23:17,090 --> 00:23:18,500 S1: if you're seeing it beforehand. 430 00:23:18,590 --> 00:23:21,440 S2: This is exactly the point. So basically if you know 431 00:23:21,470 --> 00:23:23,900 S2: there's a deep connection coming in, or if an event 432 00:23:23,930 --> 00:23:26,660 S2: log gets cleared on a server, if there's any other of, 433 00:23:26,690 --> 00:23:30,600 S2: you know, hundreds of indicators of compromise. 
We see them 434 00:23:30,600 --> 00:23:33,479 S2: and with our detection platform and our EDR, sorry, 435 00:23:33,480 --> 00:23:36,810 S2: our MDR basically, which is human beings sitting outside 436 00:23:36,810 --> 00:23:39,510 S2: the office here basically looking at these alerts for customers, 437 00:23:39,510 --> 00:23:42,630 S2: but basically they will say, or it will tell you, 438 00:23:42,630 --> 00:23:46,920 S2: something is happening, whether or not some other EDR might 439 00:23:46,920 --> 00:23:49,830 S2: even know it's going on, which very often they won't. 440 00:23:49,830 --> 00:23:53,970 S2: But look, the point is we see detection as being 441 00:23:53,970 --> 00:23:58,199 S2: complementary to those other layers of protection I mentioned. We 442 00:23:58,200 --> 00:24:00,719 S2: don't see it like, for us, detection is not the 443 00:24:00,720 --> 00:24:02,669 S2: entire game. 444 00:24:02,700 --> 00:24:06,240 S1: Yeah, I've always said, I mean probably maybe it's NIST 445 00:24:06,240 --> 00:24:09,510 S1: or something, but I've always said, um, prevent, detect, respond, 446 00:24:09,510 --> 00:24:13,230 S1: in that order. Right. So if you're zero trust, prevent 447 00:24:13,260 --> 00:24:16,350 S1: is the number one. But you also want to have 448 00:24:16,350 --> 00:24:19,619 S1: that visibility. So it's nice you have that function. 449 00:24:20,190 --> 00:24:22,800 S1: What about respond? Is there anything you have there 450 00:24:22,800 --> 00:24:25,560 S1: about, I guess firing off an alert would be one. 451 00:24:25,590 --> 00:24:27,480 S2: Well, absolutely. We can do a lot of different things. 452 00:24:27,500 --> 00:24:30,500 S2: So we make people aware, I suppose, is 453 00:24:30,500 --> 00:24:32,359 S2: the first thing. 
So, you know, log a ticket, send 454 00:24:32,359 --> 00:24:34,429 S2: an email, pick up the phone, which is what our 455 00:24:34,430 --> 00:24:38,090 S2: entire team will do depending on a customer's defined playbook 456 00:24:38,119 --> 00:24:41,810 S2: or runbook. And we can take automatic remediating actions. So 457 00:24:41,840 --> 00:24:44,750 S2: like if we see something happening on a machine, we 458 00:24:44,750 --> 00:24:47,360 S2: can not only. And I know a lot of solutions 459 00:24:47,359 --> 00:24:50,750 S2: allow you to isolate machines from the network. And isolation is 460 00:24:50,750 --> 00:24:53,480 S2: all very well and good, and we offer isolation as well. 461 00:24:53,480 --> 00:24:55,610 S2: But the problem is, if you isolate a server that's 462 00:24:55,609 --> 00:24:58,370 S2: running ransomware, you're going to do nothing other than allow 463 00:24:58,369 --> 00:25:01,460 S2: that ransomware to continue to run and also have the server 464 00:25:01,460 --> 00:25:03,800 S2: isolated from anything it needs to talk to. So we 465 00:25:03,800 --> 00:25:06,410 S2: have what we call lockdown mode. And lockdown mode is 466 00:25:06,410 --> 00:25:11,600 S2: like isolation on steroids, basically. So it both blocks everything 467 00:25:11,600 --> 00:25:14,060 S2: from running, and when I say everything, I mean everything, 468 00:25:14,090 --> 00:25:17,540 S2: large parts of Windows as well. It blocks even, you know, 469 00:25:17,570 --> 00:25:20,480 S2: otherwise good applications, things like Chrome, Internet Explorer, they're all 470 00:25:20,510 --> 00:25:22,310 S2: going to get blocked from running. You can't run Office, 471 00:25:22,340 --> 00:25:25,010 S2: you can't run PowerShell, you can't run command prompt. Effectively 472 00:25:25,010 --> 00:25:28,139 S2: you can't run anything on the machine. But it also 473 00:25:28,170 --> 00:25:31,290 S2: locks down, blocks, access to storage. 
So any protected 474 00:25:31,290 --> 00:25:33,750 S2: storage location, we say, okay, block all reads and writes 475 00:25:33,750 --> 00:25:36,689 S2: to that. So your ransomware may be running, but 476 00:25:36,690 --> 00:25:38,670 S2: it's not going to be able to encrypt my data. 477 00:25:38,670 --> 00:25:40,950 S2: But it also, and the third thing we do on 478 00:25:40,950 --> 00:25:42,990 S2: top of that, is we also isolate from the network. 479 00:25:42,990 --> 00:25:45,240 S2: So if there's incoming, outgoing connections, we're going to kill 480 00:25:45,240 --> 00:25:48,420 S2: those connections. That machine is going to stay isolated. So 481 00:25:48,450 --> 00:25:51,629 S2: as I said, lockdown mode is like a much more 482 00:25:51,630 --> 00:25:55,439 S2: extreme version of isolation, but it's one that will actually 483 00:25:55,440 --> 00:25:58,770 S2: stop ransomware in its tracks, whereas isolation is just going 484 00:25:58,800 --> 00:26:01,020 S2: to allow it to continue on its own. But 485 00:26:01,020 --> 00:26:04,920 S2: we do also have remediation facilities. So basically, 486 00:26:05,310 --> 00:26:09,389 S2: if a customer wants, we have a separate service called Remediator, 487 00:26:09,390 --> 00:26:12,390 S2: which effectively is PowerShell access to the machine, with which 488 00:26:12,390 --> 00:26:14,970 S2: we can get in and stop things, delete things, do 489 00:26:14,970 --> 00:26:18,060 S2: whatever the customer wants. Again, it's all very much based 490 00:26:18,060 --> 00:26:19,470 S2: on the customer's requirements. 491 00:26:19,800 --> 00:26:20,310 S3: Okay, so. 492 00:26:20,310 --> 00:26:23,550 S1: You mentioned the people out there watching. Um, so is 493 00:26:23,550 --> 00:26:28,960 S1: the MSP service, is that part of the endpoint product, 494 00:26:28,960 --> 00:26:31,930 S1: or is like, is that an add-on, like that 495 00:26:31,930 --> 00:26:36,159 S1: monitoring piece? How tied into the product is that? 
496 00:26:36,250 --> 00:26:38,770 S2: Oh, it's completely integrated. But we've got, we've effectively on 497 00:26:38,770 --> 00:26:42,940 S2: top of the products, as in the software as 498 00:26:42,940 --> 00:26:45,399 S2: a service that you pay for, we do have a 499 00:26:45,400 --> 00:26:48,100 S2: couple of additional services. One is what we call Cyber 500 00:26:48,130 --> 00:26:51,670 S2: Hero approvals, which is, if you don't want the hassle 501 00:26:51,670 --> 00:26:56,169 S2: of dealing with your users sending requests through and saying 502 00:26:56,170 --> 00:26:57,639 S2: they want to run this thing and they want to 503 00:26:57,640 --> 00:27:00,490 S2: run that thing, you can effectively outsource that to us, 504 00:27:00,490 --> 00:27:05,379 S2: where we'll basically approve or deny application requests according to 505 00:27:05,410 --> 00:27:09,820 S2: your specific instructions. So you might say, look, remote 506 00:27:09,820 --> 00:27:14,920 S2: access tools, bad, don't allow them. Video conferencing tools, yes. 507 00:27:14,950 --> 00:27:17,980 S2: And, you know, that's a set of instructions effectively 508 00:27:17,980 --> 00:27:19,570 S2: for us to follow. And we will follow them to 509 00:27:19,600 --> 00:27:21,580 S2: the letter. So somebody tries to run a remote access tool, 510 00:27:21,609 --> 00:27:22,899 S2: we're going to block it. If somebody tries to run 511 00:27:22,900 --> 00:27:26,300 S2: a video conferencing tool, we'll permit it for you or 512 00:27:26,300 --> 00:27:29,330 S2: on your behalf. So that's the Cyber Hero approvals. 
We 513 00:27:29,330 --> 00:27:33,290 S2: also have MDR, which is again tied to the EDR, 514 00:27:33,320 --> 00:27:36,890 S2: tied to the detection, which is human beings sitting outside 515 00:27:36,890 --> 00:27:40,700 S2: here watching alerts, investigating when something is going on and, 516 00:27:40,700 --> 00:27:43,910 S2: if needs be, alerting customers or, as I said, taking 517 00:27:43,910 --> 00:27:45,290 S2: remediating action. 518 00:27:46,609 --> 00:27:47,060 S3: Yeah. 519 00:27:47,090 --> 00:27:51,109 S1: Fantastic. Well, this is super interesting. I actually 520 00:27:51,109 --> 00:27:53,570 S1: have an idea I want to ask you about, but 521 00:27:53,570 --> 00:27:56,690 S1: I think it might, uh, take us into a whole 522 00:27:56,690 --> 00:28:01,639 S1: separate episode. I'm actually curious about, if we were to 523 00:28:01,670 --> 00:28:08,090 S1: break down the different portions of a ransomware attack, like, so, 524 00:28:08,090 --> 00:28:10,369 S1: it's got to get in. It's got to do the following. 525 00:28:10,400 --> 00:28:13,430 S1: It wants to spread. I would like to match that 526 00:28:13,430 --> 00:28:18,200 S1: with the different blocking functionality and the detection functionality of 527 00:28:18,200 --> 00:28:21,500 S1: the tool. So it's like, this particular portion gets blocked 528 00:28:21,500 --> 00:28:24,790 S1: by this portion. If it gets through there, which it wouldn't, 529 00:28:24,790 --> 00:28:27,940 S1: but if it somehow did, it would get stopped here 530 00:28:27,940 --> 00:28:30,639 S1: and then stopped at the internet. So it's like, here's 531 00:28:30,640 --> 00:28:32,860 S1: three different ways, or here's five different ways, it would 532 00:28:32,859 --> 00:28:33,670 S1: be stopped. 533 00:28:33,700 --> 00:28:34,150 S3: Yeah. 534 00:28:34,600 --> 00:28:38,500 S2: Absolutely. And look, there's so many different examples of that. 
535 00:28:38,530 --> 00:28:43,120 S2: I mean, you know, we stop very often the initial 536 00:28:43,120 --> 00:28:45,610 S2: access because we're going to stop the network connection coming in. 537 00:28:45,640 --> 00:28:48,190 S2: Even if a network connection comes in, we're going to 538 00:28:48,220 --> 00:28:51,460 S2: probably detect a brute force happening because we can, you know, 539 00:28:51,490 --> 00:28:55,030 S2: detect failed logons. So even if they do get 540 00:28:55,030 --> 00:28:57,070 S2: that far in, then they're probably going to try and 541 00:28:57,070 --> 00:28:59,440 S2: give themselves persistent access. So they're going to run something 542 00:28:59,440 --> 00:29:01,360 S2: like AnyDesk. Well, we're going to block that by default 543 00:29:01,360 --> 00:29:03,730 S2: because blocking things is what we do. Or they might 544 00:29:03,760 --> 00:29:07,360 S2: try and run a reverse shell in PowerShell. Again, we're 545 00:29:07,390 --> 00:29:10,840 S2: going to block that because we're blocking PowerShell from accessing the 546 00:29:10,840 --> 00:29:15,010 S2: internet. In your average ransomware attack, there's 547 00:29:15,010 --> 00:29:17,980 S2: probably about ten different stages where we would basically step 548 00:29:17,980 --> 00:29:22,300 S2: in and block things. Um, it would be 549 00:29:22,300 --> 00:29:27,400 S2: an interesting exercise to undertake, but I would suggest 550 00:29:27,400 --> 00:29:30,280 S2: in most attacks there's a lot of different ways that 551 00:29:30,280 --> 00:29:33,010 S2: we would get in their way. 552 00:29:34,000 --> 00:29:34,300 S3: Yeah. 553 00:29:34,330 --> 00:29:37,479 S1: Interesting. Any new stuff coming out you should let us 554 00:29:37,480 --> 00:29:38,230 S1: know about? 555 00:29:38,890 --> 00:29:42,520 S2: Um, so the detection, MDR, was released this year. We 556 00:29:42,520 --> 00:29:46,959 S2: have recently added Cloud Detect as well. 
So effectively the 557 00:29:46,960 --> 00:29:51,490 S2: same or similar capabilities as Threatlocker Detect, but for cloud environments. 558 00:29:51,490 --> 00:29:54,550 S2: So the first one we've done is Office 365, with the 559 00:29:54,550 --> 00:29:57,190 S2: likes of G Suite and others coming soon as well. 560 00:29:57,190 --> 00:30:01,930 S2: So same principle, looking for anomalous behavior. I mean, a 561 00:30:01,960 --> 00:30:06,580 S2: lot of the problems are, whether you're managing one Office 562 00:30:06,580 --> 00:30:12,490 S2: 365 environment or 100 Office 365 environments, actually finding somewhere 563 00:30:12,490 --> 00:30:14,680 S2: with all of the information you need and all the 564 00:30:14,680 --> 00:30:17,920 S2: alerts that you want to look at is not always easy. Um, 565 00:30:17,950 --> 00:30:22,890 S2: less Microsoft, but again, allow people to alert themselves on, 566 00:30:22,920 --> 00:30:27,570 S2: you know, suspicious travel and anomalous behavior, forwarding rules being 567 00:30:27,570 --> 00:30:30,930 S2: set up, all those kind of things. Again, in one place, 568 00:30:30,930 --> 00:30:33,900 S2: rather than having to go into 50 different Office 365 569 00:30:33,930 --> 00:30:36,780 S2: tenancies to see what's going on. So Cloud Detect is 570 00:30:36,780 --> 00:30:39,479 S2: probably the newest thing that we've added recently, and 571 00:30:39,480 --> 00:30:41,790 S2: it's something that's gaining a lot of interest and a 572 00:30:41,790 --> 00:30:42,720 S2: lot of traction. 573 00:30:43,530 --> 00:30:46,350 S1: Awesome. And where can people learn more about you? 574 00:30:47,760 --> 00:30:51,450 S2: Threatlocker.com is a good place to start. We are 575 00:30:51,450 --> 00:30:56,280 S2: on all the things. We're on, um, Facebook. We're on Twitter, 576 00:30:56,310 --> 00:31:00,030 S2: I refuse to call it X, and we're on YouTube. 
577 00:31:00,030 --> 00:31:04,560 S2: And if anybody is interested, we do webinars on YouTube 578 00:31:04,560 --> 00:31:08,670 S2: quite often, maybe once or twice a month, and often 579 00:31:08,670 --> 00:31:12,510 S2: entertaining and somewhat, or sometimes, educational. So have a look 580 00:31:12,540 --> 00:31:15,060 S2: at them as well. We sort of take deep dives into, 581 00:31:15,090 --> 00:31:18,400 S2: you know, different attack vectors. We did, you know, things 582 00:31:18,400 --> 00:31:22,930 S2: about drones and Wi-Fi Pineapples at one stage that may 583 00:31:22,930 --> 00:31:25,870 S2: have been, may or may not have crashed a drone 584 00:31:25,870 --> 00:31:28,870 S2: into a building here. But yes, at the risk 585 00:31:28,870 --> 00:31:31,990 S2: of sounding like every YouTuber my children watch, smash 586 00:31:31,990 --> 00:31:33,820 S2: that subscribe button and check us out. 587 00:31:34,840 --> 00:31:35,560 S3: Awesome. 588 00:31:35,590 --> 00:31:37,600 S1: Well, thanks for your time today. I enjoyed it. 589 00:31:37,630 --> 00:31:39,550 S2: You're very welcome. Daniel, thank you very much. 590 00:31:39,580 --> 00:31:39,910 S3: All right. 591 00:31:39,940 --> 00:31:40,540 S1: Take care. 592 00:31:40,900 --> 00:31:41,410 S3: Bye bye. 593 00:31:44,350 --> 00:31:47,530 S1: Unsupervised Learning is produced and edited by Daniel Miessler on 594 00:31:47,530 --> 00:31:52,120 S1: a Neumann U 87 Ai microphone using Hindenburg. Intro and outro 595 00:31:52,150 --> 00:31:55,480 S1: music is by Zombie with a Y. And to get 596 00:31:55,480 --> 00:31:57,550 S1: the text and links from this episode, sign up for 597 00:31:57,550 --> 00:32:03,190 S1: the newsletter version of the show at danielmiessler.com/newsletter. We'll 598 00:32:03,190 --> 00:32:04,060 S1: see you next time.