What Is Application Whitelisting (Allowlisting)?
Application Allowlisting, previously known as "Application Whitelisting," works by a simple rule: if it's not expressly permitted, it's not allowed. This robust form of access control prevents untrusted software, including all types of malware and ransomware, from running. It's a key part of endpoint security that ensures only specific, safe applications operate on your network.
How Does Application Whitelisting (Allowlisting) Work?
When the agent is first installed, it operates in Learning Mode. During this phase it catalogs every application and its dependencies currently on the system, and that catalog becomes the basis of your allowlist. After Learning Mode, the IT admin reviews the list and removes non-essential apps to tighten security. Once the policy is secured, any executable file, script, or library not on the allowlist is automatically blocked. The user can request new software from the IT administrator, and it can be approved in 60 seconds.
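The learn, review, secure, enforce, approve cycle described above, as an added example that is not ThreatLocker's code or agent logic. It assumes a hash-based allowlist (so a modified or renamed copy of a trusted binary is not trusted) and uses a constructed in-memory "disk" in place of a filesystem scan:

```python
import hashlib
from dataclasses import dataclass, field

# Constructed sample "disk" (path -> file bytes). A real agent would scan the
# filesystem; the content is inline so the example runs offline.
SAMPLE_DISK = {
    r"C:\Windows\System32\notepad.exe": b"MZ-notepad-sample",
    r"C:\Program Files\Acme\acme.exe": b"MZ-acme-sample",
    r"C:\Users\alice\Downloads\game.exe": b"MZ-game-sample",
}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


@dataclass
class Allowlist:
    """Default-deny execution policy keyed by file hash, not by path or name."""
    mode: str = "learning"                       # "learning" or "secured"
    allowed: dict = field(default_factory=dict)  # sha256 -> path it was learned from
    pending: dict = field(default_factory=dict)  # sha256 -> path awaiting admin review

    def learn(self, disk: dict) -> None:
        """Learning Mode: catalog everything present so the baseline is complete."""
        for path, content in disk.items():
            self.allowed[sha256_hex(content)] = path

    def remove(self, path: str) -> None:
        """Admin review: drop non-essential applications before securing."""
        self.allowed = {h: p for h, p in self.allowed.items() if p != path}

    def secure(self) -> None:
        self.mode = "secured"

    def evaluate(self, path: str, content: bytes) -> str:
        """Decide one execution attempt. Returns "allow" or "block"."""
        h = sha256_hex(content)
        if self.mode == "learning":
            self.allowed[h] = path       # still cataloging, nothing is blocked yet
            return "allow"
        if h in self.allowed:
            return "allow"
        self.pending[h] = path           # surfaces as a request the admin can approve
        return "block"

    def approve(self, path: str) -> None:
        """Admin approves a pending request; exactly that hash becomes trusted."""
        for h, p in list(self.pending.items()):
            if p == path:
                self.allowed[h] = self.pending.pop(h)


def run_demo() -> dict:
    """Walk through learn -> review -> secure -> enforce -> approve."""
    policy = Allowlist()
    policy.learn(SAMPLE_DISK)
    policy.remove(r"C:\Users\alice\Downloads\game.exe")   # admin judges it non-essential
    policy.secure()
    results = {
        # cataloged and kept during review: allowed
        "notepad": policy.evaluate(r"C:\Windows\System32\notepad.exe", b"MZ-notepad-sample"),
        # removed during review: blocked even though it was on disk in Learning Mode
        "game": policy.evaluate(r"C:\Users\alice\Downloads\game.exe", b"MZ-game-sample"),
        # trusted path but different bytes (tampered or swapped binary): blocked
        "fake_acme": policy.evaluate(r"C:\Program Files\Acme\acme.exe", b"MZ-something-else"),
        # brand-new download: blocked and queued as a request
        "new_tool": policy.evaluate(r"C:\Users\alice\Downloads\tool.exe", b"MZ-tool-sample"),
    }
    policy.approve(r"C:\Users\alice\Downloads\tool.exe")
    results["new_tool_after_approval"] = policy.evaluate(
        r"C:\Users\alice\Downloads\tool.exe", b"MZ-tool-sample")
    return results


if __name__ == "__main__":
    for name, verdict in run_demo().items():
        print(f"{name:>24}: {verdict}")
```

The `fake_acme` case is the reason to key the list on hashes rather than paths: a binary dropped over a trusted location, or a trusted name given to untrusted code, does not inherit the original's approval.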
What Is Application Containment (Ringfencing)?
Ringfencing™ controls what applications can do once they are running. Think of Ringfencing™ as a barrier and extra security measure that is actively containing software from stepping outside of its lane. By limiting what software can do, ThreatLocker® Ringfencing™ can reduce the likelihood of an exploit being successful or an attacker weaponizing legitimate tools such as PowerShell.
Ringfencing™ allows you to control how applications can interact with other applications. For example, while both Microsoft Word and PowerShell may be permitted, Ringfencing™ will stop Microsoft Word from being able to call PowerShell, thus preventing an attempted exploit of a vulnerability such as the Follina vulnerability from being successful.
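The application-to-application control described above, as an added example that is not ThreatLocker's code. It layers a ringfence check (may this parent launch this child?) on top of the allowlist check (is the child permitted at all?), so a permitted tool such as PowerShell stays usable from the desktop while being unreachable from Word. The application names, the `ALLOWED_APPS` set and the process-creation events are constructed for the example:

```python
from dataclasses import dataclass, field

# Constructed allowlist of applications permitted to run at all.
ALLOWED_APPS = {"winword.exe", "excel.exe", "powershell.exe", "explorer.exe"}


@dataclass
class Ringfence:
    """Restrictions that apply to an application only after it is allowed to run."""
    # application -> set of (already allowed) applications it may not launch
    blocked_children: dict = field(default_factory=dict)

    def decide(self, parent: str, child: str) -> tuple:
        """Return (verdict, reason) for a process-creation attempt."""
        parent, child = parent.lower(), child.lower()
        # Layer 1: the allowlist. An unknown child is blocked regardless of parent.
        if child not in ALLOWED_APPS:
            return "block", "allowlist: child application not permitted"
        # Layer 2: the ringfence. Both apps are allowed, but not this interaction.
        if child in self.blocked_children.get(parent, set()):
            return "block", f"ringfence: {parent} may not launch {child}"
        return "allow", "permitted"


# Constructed policy: Office applications have no business launching shells.
OFFICE_POLICY = Ringfence(blocked_children={
    "winword.exe": {"powershell.exe", "cmd.exe", "wscript.exe"},
    "excel.exe": {"powershell.exe", "cmd.exe", "wscript.exe"},
})

# Constructed process-creation events (parent image, child image).
SAMPLE_EVENTS = [
    ("explorer.exe", "powershell.exe"),   # admin opens a shell from the desktop
    ("winword.exe", "powershell.exe"),    # document tries to spawn a shell
    ("winword.exe", "unknown.exe"),       # document tries to run something not allowlisted
    ("excel.exe", "winword.exe"),         # one permitted Office app opening another
]


def evaluate_events(events, policy=OFFICE_POLICY) -> list:
    """Run every event through the two-layer decision and collect the verdicts."""
    return [(parent, child, *policy.decide(parent, child)) for parent, child in events]


if __name__ == "__main__":
    for parent, child, verdict, reason in evaluate_events(SAMPLE_EVENTS):
        print(f"{parent:>13} -> {child:<15} {verdict:<5} ({reason})")
```

Note the ordering of the two layers: the allowlist answers "can this run anywhere?", the ringfence answers "can it run from here?". Keeping them separate means a new ringfence rule never has to restate which applications are trusted.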
Why Ringfencing?
Under normal operations, all applications permitted on an endpoint or server can access all data that the operating user can access. This means if the application is compromised, the attacker can use the application to steal or encrypt files.
Attackers can also use fileless malware, which runs in the computer's memory, to evade antivirus or EDR products that focus on detecting changes to files or registry keys. These attacks, often called living-off-the-land attacks, leverage native tools and trusted applications to carry out malicious instructions in the background without ever touching the file system.
What Is Network Control (Network Access Control)?
ThreatLocker® Network Control is a firewall for endpoints and servers that can be managed centrally. It provides complete control over network traffic, which helps to protect your devices. Custom-built policies are used to grant access to the network based on IP address, specific keywords, agent authentication, or dynamic ACLs. This network access security tool allows granular control over access to the network.
Why Network Control?
The local network is no more. Neither is the corporate firewall. Users are not only working from the office but also remotely, meaning the network we utilize has quickly become the internet, leaving devices and data vulnerable to cyber threats. This dissolution of the business perimeter makes network access controls essential to protect your devices and, by extension, your data.
The ThreatLocker® network access control solution helps protect business assets whether employees are in the office or remote. ThreatLocker® Network Control provides a direct connection between the client and server, as opposed to a VPN that goes through a central point.
Why Is Configuration Manager Important?
Traditionally, companies have relied on Active Directory (AD) Group Policy to set Windows configurations, which requires users to be on the network or joined to an AD domain. Today's business network isn't always confined to a single AD domain, making it difficult to set and enforce configurations.
ThreatLocker® Configuration Manager allows IT admins to set standardized Windows configurations, such as automatic lock policies, disabling Universal Plug and Play, disabling autoplay, or blocking SMB v1, from one central location, whether or not the computers are connected to an AD domain.
How Does Configuration Manager Work?
ThreatLocker® Configuration Manager provides a centralized, policy-driven portal where IT admins can set configuration policies per individual endpoint, computer group, organization, or across multiple organizations. Admins can quickly manage important security configurations from a single pane of glass.
What Is Elevation Control?
Elevation Control is a policy-based PAM solution that helps organizations stay secure while remaining efficient in their operations. Instead of granting users access to administrator logins, policies can be created to automatically grant higher privileges to applications. This allows the applications to access the resources they need without giving users administrator credentials.
Elevation Control puts IT administrators in the driving seat, enabling them to control which applications can run as a local admin without giving users local admin rights.
How Does It Work?
When ThreatLocker® is first deployed, all existing applications are learned. Administrators can review the applications, select which applications need privileged access, and set policies to grant elevated access. Once Privileged Access Management (PAM) is enabled on an application, users can run that same application as a local administrator without entering credentials.
Elevation Control integrates with our application control modules. If an application is not currently allowed, the end user can request to run the software, and administrators can approve it, applying elevation simultaneously. For applications that require elevation only to install or update, create time-based policies that will remove elevated rights once the time expires, allowing the application to run with regular privileges.
What Is Storage Control?
Storage Control provides policy-driven control over storage devices, whether the storage device is a local folder, a network share, or external storage such as a USB drive. ThreatLocker® Storage Control allows granular policies to be set, which could be as simple as blocking USB drives, or as detailed as blocking access to your backup share, except when accessed by your backup application.
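The two policies named above (block USB drives; block the backup share except for the backup application) written out as an ordered, first-match rule set, together with the per-access record the Unified Audit would keep. This is an added example, not ThreatLocker's code: the rule format, the share name `\\backup01\backups`, the application name `backupagent.exe` and the device serial are all constructed.

```python
from dataclasses import dataclass, field
from fnmatch import fnmatchcase
from typing import Optional


@dataclass(frozen=True)
class StorageRule:
    action: str                    # "allow" or "deny"
    device_type: str               # "usb", "network", "local", or "*" for any
    path_glob: str                 # case-insensitive glob over the target path
    process: Optional[str] = None  # restrict the rule to one application, or None for any

    def matches(self, device_type: str, path: str, process: str) -> bool:
        if self.device_type != "*" and self.device_type != device_type:
            return False
        if not fnmatchcase(path.lower(), self.path_glob.lower()):
            return False
        if self.process is not None and self.process.lower() != process.lower():
            return False
        return True


# Constructed policy. Rules are evaluated top to bottom; the first match decides.
# Anything no rule matches (ordinary local and network storage) is allowed.
RULES = [
    StorageRule("deny", "usb", "*"),                                             # block USB drives outright
    StorageRule("allow", "network", r"\\backup01\backups\*", process="backupagent.exe"),  # backup app only
    StorageRule("deny", "network", r"\\backup01\backups\*"),                     # everyone else is blocked
]


@dataclass
class StorageControl:
    rules: list
    audit: list = field(default_factory=list)   # the "digital trail": one record per access

    def access(self, user: str, process: str, device_type: str, path: str, serial: str) -> str:
        action = "allow"
        matched = None
        for rule in self.rules:
            if rule.matches(device_type, path, process):
                action, matched = rule.action, rule
                break
        self.audit.append({
            "user": user, "process": process, "device_type": device_type,
            "path": path, "serial": serial, "action": action,
            "rule": matched.path_glob if matched else "(default allow)",
        })
        return action


def run_demo() -> dict:
    sc = StorageControl(RULES)
    return {
        "usb_copy": sc.access("alice", "explorer.exe", "usb", r"E:\quarterly.xlsx", "USB-SERIAL-0001"),
        "backup_by_agent": sc.access("svc_backup", "backupagent.exe", "network",
                                     r"\\backup01\backups\finance\2024.bak", "-"),
        "backup_by_user": sc.access("alice", "explorer.exe", "network",
                                    r"\\backup01\backups\finance\2024.bak", "-"),
        "ordinary_share": sc.access("alice", "excel.exe", "network", r"\\files01\finance\q1.xlsx", "-"),
        "audit_records": len(sc.audit),
    }


if __name__ == "__main__":
    for k, v in run_demo().items():
        print(f"{k:>16}: {v}")
```

Putting the allow-for-backup-app rule above the general deny is what makes the share usable at all; reversing the two lines would block the backup application as well, which is the kind of ordering mistake a first-match engine will not warn about.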
Digital Trail With Unified Audit
The Unified Audit provides a central log of all storage access by users on the network and those working remotely, down to the exact files that were copied and the device's serial number.
How Does ThreatLocker® Storage Control Work?
When a storage device is blocked, the user is presented with a pop-up where they can request access to the storage device. The administrator can then choose to permit the storage device in as little as 60 seconds.
What Is ThreatLocker® Detect?
ThreatLocker® Detect (formerly known as Ops) is a policy-based Endpoint Detection and Response (EDR) solution. This EDR addition to the ThreatLocker® Endpoint Protection Platform watches for unusual events or Indicators of Compromise (IoCs). ThreatLocker® Detect can send alerts and take automated actions if an anomaly is detected.
ThreatLocker® Detect leverages the vast telemetry data collected from other ThreatLocker® modules and Windows Event logs. This information gives essential insights into an organization's security, enabling it to identify and remediate possible cyber threats.
Why ThreatLocker® Detect?
ThreatLocker® Detect has an edge over other EDR tools in detecting and responding to potential threats. Its advanced technology identifies and addresses known malicious activities while providing extensive coverage of events beyond just known ones.
ThreatLocker® Detect automated responses can give information, enforce rules, disconnect machines from the network, or activate lockdown mode quickly. When Lockdown mode starts, it blocks all activities, including task execution, network access, and storage access, ensuring maximum security.
With the capability of detecting remote access tools or PowerShell elevation, ThreatLocker® Detect also identifies events such as abnormal RDP traffic or multiple failed login attempts. Furthermore, the platform can determine if an event log is erased or if Windows Defender finds malware on a device. This proactive approach enables organizations to swiftly identify and respond to potential threats before they can cause significant damage.
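Three of the detections listed above (multiple failed login attempts, an erased event log, and a Defender malware detection) as detection logic run over sample records, each mapped to one of the automated responses the page names (notify, disconnect from the network, lockdown). This is an added example, not ThreatLocker's detection engine or policy format. The Windows Event IDs used are the standard ones (4625 failed logon and 1102 audit log cleared in the Security log; 1116 malware detected in the Defender operational log); the threshold, window, hostnames, addresses and the event records themselves are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

FAILED_LOGON_THRESHOLD = 5               # constructed tuning values
FAILED_LOGON_WINDOW = timedelta(seconds=60)

# Constructed sample records shaped like Windows Event Log entries (not real telemetry).
SAMPLE_EVENTS = [
    {"time": "2024-05-01T09:00:00", "channel": "Security", "id": 4625, "host": "WS01", "src": "10.0.0.55", "user": "alice"},
    {"time": "2024-05-01T09:00:07", "channel": "Security", "id": 4625, "host": "WS01", "src": "10.0.0.55", "user": "alice"},
    {"time": "2024-05-01T09:00:15", "channel": "Security", "id": 4625, "host": "WS01", "src": "10.0.0.55", "user": "alice"},
    {"time": "2024-05-01T09:00:22", "channel": "Security", "id": 4625, "host": "WS01", "src": "10.0.0.55", "user": "alice"},
    {"time": "2024-05-01T09:00:30", "channel": "Security", "id": 4625, "host": "WS01", "src": "10.0.0.55", "user": "alice"},
    {"time": "2024-05-01T09:05:00", "channel": "Security", "id": 4625, "host": "WS02", "src": "10.0.0.9", "user": "carol"},  # one mistyped password
    {"time": "2024-05-01T09:10:00", "channel": "Security", "id": 1102, "host": "SRV02", "user": "bob"},
    {"time": "2024-05-01T09:12:00", "channel": "Microsoft-Windows-Windows Defender/Operational", "id": 1116,
     "host": "WS03", "threat": "EXAMPLE-THREAT-NAME"},
]

# (channel, event id) -> (alert name, severity, automated response) for single-event detections.
SINGLE_EVENT_RULES = {
    ("Security", 1102): ("security_log_cleared", "high", "isolate"),
    ("Microsoft-Windows-Windows Defender/Operational", 1116): ("defender_malware_detected", "high", "lockdown"),
}


def detect(events: list) -> list:
    """Evaluate events in time order and return the alerts they raise."""
    alerts = []
    recent = defaultdict(deque)   # (host, src) -> timestamps of recent failed logons
    already_alerted = set()       # alert once per burst rather than on every further failure
    for ev in sorted(events, key=lambda e: e["time"]):
        ts = datetime.fromisoformat(ev["time"])
        if (ev["channel"], ev["id"]) == ("Security", 4625):
            key = (ev["host"], ev["src"])
            window = recent[key]
            window.append(ts)
            while window and ts - window[0] > FAILED_LOGON_WINDOW:   # slide the window
                window.popleft()
            if len(window) >= FAILED_LOGON_THRESHOLD and key not in already_alerted:
                already_alerted.add(key)
                alerts.append({
                    "name": "repeated_failed_logons", "severity": "medium", "response": "notify",
                    "host": ev["host"],
                    "detail": f"{len(window)} failed logons from {ev['src']} within {FAILED_LOGON_WINDOW.seconds}s",
                })
        elif (ev["channel"], ev["id"]) in SINGLE_EVENT_RULES:
            name, severity, response = SINGLE_EVENT_RULES[(ev["channel"], ev["id"])]
            alerts.append({
                "name": name, "severity": severity, "response": response,
                "host": ev["host"], "detail": f"event {ev['id']} in {ev['channel']}",
            })
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(f"[{a['severity']:>6}] {a['host']:<6} {a['name']:<26} -> {a['response']}: {a['detail']}")
```

The single failed logon on WS02 raises nothing, which is the point of a threshold over a time window rather than a per-event rule; the log-cleared and malware-detected events are severe enough on their own to warrant the stronger responses.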
What Is ThreatLocker® Cyber Hero® Managed Detection and Response (Cyber Hero® MDR)?
Cyber Hero® MDR is an add-on to ThreatLocker® Detect (formerly known as Ops) that allows organizations to opt for the ThreatLocker® Cyber Hero® Team to monitor and respond to Indicators of Compromise (IoC). When ThreatLocker® Detect identifies suspicious activity in your environment, the Cyber Hero® Team will review the alert to determine if there is a true IoC or a false positive. In the event of a cyber incident, the Cyber Hero® Team will follow the customer's runbook to either isolate or lock down the device and notify the customer. They will be able to identify additional information for the customer, including:
What the threat was
How initial access was gained
Where the threat originated
What the threat attempted to do
How the threat was blocked and mitigated
Prompt Notifications 24/7/365
The 24/7/365 availability of the ThreatLocker® Cyber Hero® Team offers around-the-clock Managed Detection and Response (MDR) services to keep organizations secure and alert even outside of standard hours of operation.
The Cyber Hero® Team has an average response time of less than 60 seconds. This metric is unique to ThreatLocker® and provides a significant advantage when responding to threats. By augmenting the ThreatLocker® Zero Trust Endpoint Protection Platform with managed detection and response services, customers can reduce alert fatigue while hardening their environment to the highest standards, ensuring the mitigation and notification of attempted attacks.