Introducing ThreatLocker


COVID has forced virtually all firms to have their staff work from home. As a result, and as we continue to rethink our business practices, security has become more of an issue.

Triella continuously looks to improve the security posture of our clients by looking at the threat landscape and comparing it against the tools that we have for identifying and eliminating those threats. The threat landscape keeps changing, and what worked before will not necessarily offer the protection needed tomorrow.

In the past 6 months we introduced URL Protection, a system that scans a link clicked in an email to be sure it is safe before allowing the user to go to that link. We also introduced Dark Web Monitoring, wherein we look for compromised accounts offered for sale on the Dark Web as a result of recent breaches on platforms such as LinkedIn, the Chartered Professional Accountants of Canada, Nintendo and others. When your credentials show up for sale on the Dark Web, subscribers are notified of the threat and have the opportunity to change their password so that the breached information no longer has relevance.

On the hacker side, these changes cause us concern:

  1. North Korea (and others) are now focusing on Data Exfiltration instead of direct ransomware. This method entails establishing access to the firm’s data and copying that data off site. Then, once a significant cache of data has been acquired, the firm is asked to pay a ransom so that the data is not released on the Internet for more public exposure. You will recall this happened to Mossack Fonseca with the Panama Papers, which eventually resulted in the closure of that prominent Panama law firm.
  2. In another incident, a carefully crafted attachment had an embedded PowerShell script which allowed the hackers to gain silent access to the internal network and begin exfiltration of data.

Over the past 3 months we have been evaluating tools to protect our clients against this new generation of hacking protocols and, given the ever-changing environment, against future problems that we don’t yet know about. Essentially, we feel that the greatest threats stem from a lack of control over what users can do on their computers. Hackers exploit this weak point: someone who is tired, busy or otherwise distracted can be taken advantage of at a weak moment when they ordinarily would not be susceptible.

What is ThreatLocker?

ThreatLocker essentially locks down all computers in your environment so that software that has not been verified cannot run on the machine. Thus, if an attachment contains a PowerShell script, it will be blocked when it attempts to make contact with the Internet. Furthermore, programs cannot secretly run in the background once the lockdown is turned on. ThreatLocker essentially protects our clients’ servers and desktops against these threats.

ThreatLocker is first installed in learning mode, where it learns the normal behaviours at your firm. Once these behaviours are known and verified to be proper, the firm’s systems are locked down. If someone then attempts to run a program which is not authorized, they will receive the following prompt:

They can then choose Request Permission if there is a genuine business need, and Triella will review and allow the application if it is not harmful to the business. Once approved, the application is valid for all users at the firm.
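As an added illustration (not ThreatLocker’s own code, nor Triella’s), the learn-then-lock-down-then-request flow described above, simulated as a small default-deny policy engine in Python. The SHA-256 hash as the way a program is “verified”, the program names, the sample byte strings and the users are all constructed assumptions for this example; a real product also verifies by publisher certificate and path, which is omitted here.

```python
import hashlib

# Constructed sample "binaries": the bytes stand in for executable content.
WORD = b"winword.exe image (constructed)"
PAYLOAD = b"powershell dropper from attachment (constructed)"
NEWTOOL = b"line-of-business tool (constructed)"


class AppControl:
    """Default-deny execution policy keyed on the SHA-256 of the program image."""

    def __init__(self):
        self.mode = "learning"   # learning: record everything; enforce: block unknown
        self.allowed = set()     # digests approved firm-wide (not per user)
        self.pending = {}        # digest -> (program name, requesting user)
        self.log = []            # (decision, program, user) tuples

    @staticmethod
    def digest(image: bytes) -> str:
        return hashlib.sha256(image).hexdigest()

    def lock_down(self) -> None:
        """Switch from learning mode to enforcement once the baseline is verified."""
        self.mode = "enforce"

    def execute(self, name: str, image: bytes, user: str) -> bool:
        """Return True if the program may run; in enforce mode unknown code is blocked."""
        d = self.digest(image)
        if self.mode == "learning":
            self.allowed.add(d)
            self.log.append(("learned", name, user))
            return True
        decision = "allowed" if d in self.allowed else "blocked"
        self.log.append((decision, name, user))
        return decision == "allowed"

    def request_permission(self, name: str, image: bytes, user: str) -> None:
        """User-side 'Request Permission': queue the digest for administrator review."""
        self.pending[self.digest(image)] = (name, user)

    def approve(self, name: str) -> bool:
        """Administrator approves a pending request; the program then runs for all users."""
        for d, (pname, _) in list(self.pending.items()):
            if pname == name:
                self.allowed.add(d)
                del self.pending[d]
                return True
        return False
```

Because the policy is keyed on the image hash rather than the file name, a tampered copy of an approved program is treated as unknown and blocked, while an approval made for one user applies to everyone at the firm.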

We will begin rolling out ThreatLocker to all clients based on the following later this month:

The software will be free to all clients on our plans above for the machines covered by the plan until October 1, 2020. After that, the software will be charged at $5.00/computer/month. This will provide all of our clients with the ability to trial the software before approving it for general use.

Please note: ThreatLocker is not available for Mac computers at this time.

How does ThreatLocker Differ from Antivirus?

ThreatLocker and Antivirus programs complement each other. The Antivirus program knows about the kinds of viruses and malware that have already been detected, catalogued in the vendor’s threat center and reported to the software running on your computer.

ThreatLocker takes that a step further. It can protect against threats that the antivirus vendors have not yet seen or been exposed to. It can also protect against embedded macro-style viruses in Office programs, something antivirus programs have difficulty with. Some malware does not use files at all and resides only in memory; ThreatLocker protects against that kind of malware as well.

ThreatLocker goes further in helping to prevent data exfiltration. You can track changes to security, you can control copying of data to USB devices, you can monitor which files are being accessed by which user and you can restrict access to sensitive applications to only those that need it.

Together, the two systems go a long way toward preventing infections of any kind.

For a more visual representation of how ThreatLocker protects your environment, please watch this YouTube video.

Charles Bennett is a Principal Consultant at Triella. We are a technology consulting company specializing in providing technology audits, planning advice, project management and other CIO-related services to small and medium-sized firms. Charles can be reached at 647.426.1004. For additional articles, go to our blog page. Triella is a VMware Professional Partner, Microsoft Certified Partner, Citrix Solution Advisor – Silver, Dell Preferred Partner, Authorized Worldox Reseller and a Webroot Reseller.

© 2020 by Triella Corp. All rights reserved. Reproduction with credit is permitted.
