    Zero Trust Security Models for the AI Cyber Threat Era

    Danny Jenkins, ThreatLocker, Inc. — Co-founder and CEO

    Cyber threats are evolving at an unprecedented pace, and bad actors are even weaponizing AI. Traditional security approaches are no longer sufficient. This podcast dives deep into the critical need for a Zero Trust Security model, focusing on blocking first and permitting later to build truly resilient enterprise security defenses. It also covers why understanding the methods of modern cybercriminals, including those operating on the dark web, is essential for implementing proactive and effective protection strategies. Sugata Sanyal, Founder & CEO of ZINFI, explores these themes in an insightful discussion with Danny Jenkins, Co-founder and CEO of ThreatLocker. With over 20 years in cybersecurity, Danny founded ThreatLocker on the principle of denying by default, offering an endpoint cloud protection platform that hardens digital environments. This conversation explores the shift from reactive detection to proactive protection, the changing landscape of attack vectors, the organized nature of cybercrime, and AI's critical role in both offense and defense for enterprise security. Listen to the full episode to gain actionable insights into fortifying your enterprise security posture against advanced cyber threats!

    TL;DR

    Cybersecurity veteran Danny Jenkins discusses why traditional detection-based security is failing and how a zero-trust approach—blocking by default and permitting only what is necessary—is the only way to effectively secure modern, mobile endpoints and cloud-based applications against sophisticated threats like ransomware and unauthorized remote access tools.

    "We have been failing at finding every piece of malware for thirty years; instead of trying to detect what is bad, we should focus on only allowing the specific software your business actually needs."

    — Danny Jenkins

    What We Discussed

    The Evolution of Zero Trust Security

    The cybersecurity industry has spent decades attempting to build lists of every malicious file in existence, a strategy that Danny Jenkins argues has inherently failed. Instead of reactive detection, ThreatLocker advocates for a zero trust philosophy that begins with a total block of all executions. This proactive approach ensures that only pre-approved software can run on a company's network. By starting with a clean slate, organizations can effectively eliminate the risk of unknown malware and zero-day exploits.

    • Security should focus on blocking first and permitting later to create a secure environment.
    • Traditional antivirus tools have struggled for 30 years to keep up with the volume of new malware.
    • ThreatLocker identifies what software a business actually needs before denying everything else.
    • The platform provides visibility into the country of origin for all running applications.
    • Allow-listing simplifies security by removing the need to identify if a file is 'good' or 'bad'.
    • This model addresses the core issue of ransomware by preventing unauthorized tools from ever starting.
    • The strategy makes security viable and simple for businesses that lack huge IT teams.

    Hardening the Endpoint as the New Perimeter

    In the past, businesses relied on a strong network perimeter to keep threats out while maintaining a soft interior. Today, the endpoint—whether a laptop or a server—is the primary target because it travels outside the office and accesses encrypted data directly. Danny highlights that hardening these devices is crucial because gaining access to an endpoint gives an attacker the same permissions as the user. This makes endpoint protection the most critical layer of a modern defense strategy.

    • Endpoints are the point of entry for almost every modern cyberattack on a business.
    • Modern traffic is often encrypted (HTTPS), making it invisible to traditional network firewalls.
    • Hardening the endpoint prevents attackers from using remote access tools to bypass security.
    • The 'soft middle' of internal networks must be protected by individual device security.
    • ThreatLocker treats every computer as its own secured island within the larger network.
    • Protecting endpoints ensures security remains intact even when employees work remotely.
    • Stopping unauthorized software at the device level is more effective than filtering at the gate.

    Control Beyond Application Execution

    Simply allowing a program to run is not enough; businesses must also control what those programs can do once they are active. ThreatLocker extends its protection to storage controls and elevation management to limit the damage a compromised application can cause. By restricting an app's access to only the files it requires, companies can stop data exfiltration and lateral movement. This granular control is essential for preventing privilege escalation attacks that often lead to full network compromise.

    • Control includes more than just execution; it dictates what software can access on the drive.
    • Elevation controls prevent standard users from running processes with administrative rights.
    • The platform manages PAM (Privileged Access Management) to reduce the risk of stolen credentials.
    • Storage controls prevent authorized apps from being used to encrypt or steal sensitive data.
    • Web filtering and network traffic controls are integrated into the same endpoint agent, so one policy covers execution, storage and network access.
    • Limiting software capabilities reduces the overall attack surface available to hackers.
    • These controls help satisfy compliance requirements for data privacy and internal security.
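The deny-by-default model described in the two sections above (execution allow-listing, elevation control and per-application storage control) as a small policy evaluator. This is an added illustration, not ThreatLocker's code; the application names, hashes and paths are constructed placeholders.

```python
from dataclasses import dataclass
from fnmatch import fnmatch
from typing import Optional

@dataclass(frozen=True)
class AppPolicy:
    """One approved application: trusted hashes, the storage it may touch, whether it may elevate."""
    hashes: frozenset          # SHA-256 of the approved binaries (constructed placeholders below)
    storage: tuple = ()        # storage control: path globs the app may read or write
    may_elevate: bool = False  # elevation control: may run with administrative rights

@dataclass(frozen=True)
class Event:
    """A constructed endpoint event: a process start, optionally touching a path or asking for admin."""
    exe: str
    sha256: str
    path: Optional[str] = None
    wants_admin: bool = False

# Constructed allow-list. Hashes are placeholders, not real file digests.
POLICY = {
    "winword.exe": AppPolicy(frozenset({"a1" * 32}), ("C:/Users/*/Documents/*",)),
    "setup.exe":   AppPolicy(frozenset({"b2" * 32}), ("C:/Program Files/*",), may_elevate=True),
}

def evaluate(policy, ev):
    """Deny by default: every control must pass, and the first failing control names itself."""
    app = policy.get(ev.exe)
    if app is None or ev.sha256 not in app.hashes:
        # Unknown binary, or a known name whose contents changed: it never starts.
        return ("DENY", "execution: not on the allow-list")
    if ev.wants_admin and not app.may_elevate:
        return ("DENY", "elevation: no administrative rights for this application")
    if ev.path is not None and not any(fnmatch(ev.path, g) for g in app.storage):
        # An approved app being used as a conduit to data it was never given.
        return ("DENY", "storage: path outside this application's ring-fence")
    return ("ALLOW", "execution, elevation and storage policies satisfied")

SAMPLE_EVENTS = [  # constructed events, one per control
    Event("winword.exe", "a1" * 32, "C:/Users/alice/Documents/q3.docx"),  # normal work: allowed
    Event("winword.exe", "ff" * 32),                                       # same name, altered binary
    Event("remote-tool.exe", "c3" * 32),                                   # never approved: blocked
    Event("winword.exe", "a1" * 32, "//fileserver/finance/payroll.xlsx"),  # data outside its fence
    Event("winword.exe", "a1" * 32, wants_admin=True),                     # elevation attempt
    Event("setup.exe", "b2" * 32, "C:/Program Files/App/app.exe", True),   # approved installer
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        verdict, reason = evaluate(POLICY, ev)
        print(f"{verdict:5} {ev.exe:16} {reason}")
```

Note that the altered-binary and never-approved cases are both refused without any judgement about whether the file is "good" or "bad"; absence from the list is the only fact the evaluator needs.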

    Securing the Cloud and Mobile Workforce

    As business operations move to the cloud, the definition of an endpoint has expanded to include mobile devices and cloud-hosted servers. Danny notes that most current attacks focus either on the endpoint or the cloud application itself. While mobile OS limitations exist, having an agent on these devices is a key part of identity protection. By securing the link between the user and their cloud data, organizations can ensure that unauthorized access is blocked regardless of the user's physical location.

    • A large portion of business is conducted via mobile devices and cloud infrastructure.
    • ThreatLocker agents provide a layer of security even on limited mobile platforms.
    • Cloud applications are a top target for modern hackers looking for quick data wins.
    • The focus remains on stopping the attack vectors that lead directly to the cloud.
    • Authenticated network connections are verified before access to cloud resources is granted.
    • Protecting the cloud requires a mix of identity management and device posture checks.
    • The goal is to maintain a consistent security posture across all device types and locations.

    Frequently Asked Questions

    The core philosophy is based on a zero-trust model of blocking all untrusted software by default and only permitting what is necessary. This shift moves away from the traditional, failing method of trying to detect every piece of malware in existence.

    Endpoints travel outside the office and access encrypted traffic that traditional firewalls cannot easily inspect or filter. Once an attacker gains access to an endpoint, they inherit all the user's permissions, making the device the most vulnerable entry point.

    Traditional antivirus looks for known signatures of bad files, which can be easily changed by attackers. Allow-listing identifies only the specific applications allowed to run, automatically stopping anything else regardless of its reputation or intent.

    Elevation controls prevent users from having administrative rights that could be exploited by malware to install deep-seated threats. By managing permissions at the application level, businesses can reduce the impact of compromised credentials.

    ThreatLocker focuses on the cloud and the endpoint as the two primary attack vectors where modern threats manifest. By hardening these areas, the platform ensures that even if credentials are lost, the underlying systems remain inaccessible to unauthorized tools.

    Mobile device operating systems are more restrictive, which limits the depth of agent-level control compared to desktop or server environments. Currently, mobile security focuses heavily on protecting access to cloud-based corporate data and tracking device posture.

    Yes, allow-listing is highly effective against ransomware because it stops the unauthorized encryption tools from executing in the first place. Since the ransomware isn't on the 'allowed' list, it cannot run or access the file system.

    Storage control manages how applications interact with sensitive data on local drives and network shares. This prevents authorized applications from being used as a conduit for data exfiltration or unauthorized file encryption by malicious actors.

    Denying by default removes the element of surprise and the need for perfect threat intelligence. By assuming everything is a threat until proven otherwise, organizations create a much smaller attack surface that is significantly easier to monitor.

    Danny Jenkins has over 20 years of experience in the field, dating back to before the industry was even commonly referred to as 'cybersecurity.' He co-founded ThreatLocker in 2017 to address persistent gaps in traditional security models.

    Key Takeaways

    Security Posture: Block unknown software first, then permit trusted applications.
    Endpoint Hardening: Strengthen endpoints as the main defense point, not just firewalls.
    Software Visibility: Use allow-listing to see all running software and its source.
    Application Control: Limit what data and resources applications can access.
    Network Policies: Implement deny-by-default network rules to stop unauthorized movement.
    Remote Workforce: Focus on endpoint security for all remote and mobile workers.
    Trust Model: Trust only known-good business applications rather than merely blocking known-bad malware.
    Market