ThreatLocker’s Danny Jenkins on Monday urged channel players to focus on the “control” side of cybersecurity if they’re serious about providing adequate protections for their customers.
Speaking at The Channel Company’s XChange August 2022 conference in Denver, Jenkins, the CEO of the Maitland, Florida-based security firm ThreatLocker, said there are ultimately three ways to stop a cyberattack – via human training, detection and response, and “controls,” or who gets to access and use portions of a system.
All three are ultimately required to combat escalating cyberattacks that can devastate organizations, said Jenkins, appearing before a roomful of channel players from across the country.
But he said there will always be humans who fall for email phishing ploys, detection programs that don’t always detect, and response actions that don’t always block threats.
As a result, he said the “most important area of security is this idea of control,” or basically limiting which areas of a system various people can access.
Jenkins stopped short of using the phrase “zero trust,” which is now the popular way to describe a framework requiring all users be continuously authenticated, authorized and validated in order to access certain areas of a system.
But it sure sounded like “zero trust,” though Jenkins stuck to the word “controls” instead during his XChange session entitled “Zero Trust for Applications.”
Jenkins hammered home the point that more controls over IT systems are needed if true security is ever going to be achieved.
“You should have (layers of) protections, but having five layers of protection in your environment, without any controls is like putting five burglar alarms in your house and not locking the front door,” he told audience members at XChange. “It’s going to make a lot of noise, but it’s not going to stop someone taking the TV.”
Among the “controls” that Jenkins said are needed is so-called “ringfencing,” or putting up strict barriers within computer systems so that users, including intruders, can’t move from one area of a system to the next.
Another control that’s needed is “allowlisting,” or application control, which is a security capability that allows only trusted files, applications, and processes to run on a system.
And another necessary control, according to Jenkins, is elevation. “If you have local (administrator) accounts, take them away. And only allow the software that needs to run as a local admin to run as a local admin,” he told XChange attendees on Monday.
Jenkins said that similar storage and network controls are also critical to protect systems and their data.
“These are all tangible things you can do as an IT person,” Jenkins said. “If you start your security journey off with controls, you’re going to be in a much stronger position.”
After the XChange session, Jenkins told CRN that he deliberately avoided using the phrase “zero trust” in his presentation.
“It’s an overworked phrase,” he said, adding that some people simply don’t understand what zero trust means or they tune out people who use the phrase too often.
Thomas Vaughan, founder of Central Technology Solutions, a Lynchburg, Va.-based MSP, told CRN that he agreed with Jenkins that zero trust has been an often ill-defined and overused term to describe a general approach toward security.
“It’s always better to describe what you’re actually doing,” as opposed to using a catchy phrase, he said.
Still, as for the access-control principle behind zero trust, Vaughan said: “Anyone not using it is missing the boat.”
Shayan Khan, a manager and senior systems engineer at Preeminent Technology, a Dallas-based MSP, agreed zero trust is the future.
“He’s talking the truth,” Khan said of Jenkins’ warnings and recommendations on Monday.