Appalachia Technologies Blog


The Future Is Flying High - Zero Trust World Day 2

All flights, regardless of the airplane, encounter some form of turbulence. A wise person (my mother) once told me before my first flying experience that just because there is some shaking and bouncing on the flight, to not worry, because it is all part of the glory of flying. This of course came on the heels of overwhelming news coverage of a plane crash in Charlotte, North Carolina that was caused due to wind shear and turbulence. Needless to say, I was anything but calm until I got into the air and witnessed the majesty of the earth from 37,000 feet. Day two of ThreatLocker’s Zero Trust World conference had a very similar theme.

There is a motto in the security industry, one that was repeated here today by ThreatLocker CEO Danny Jenkins. That motto is essentially that it is impossible to stop every threat all the time. If any company tells you they can do that, they are lying.  That is why he and his brother Michael Jenkins (CTO of ThreatLocker), and their dedicated team of engineers spend their lives trying to build a better platform that can take their customers as close to that goal of “zero threats” as possible, and for when threats do occur, they can bounce back faster!

This morning the brilliant brotherly duo took the stage together to speak about where ThreatLocker has come from, where it is now, and where they are going in the future. 2022 was a good year for ThreatLocker as it saw the introduction of their network access control services (NAC) which is currently used by approximately 35% of all ThreatLocker customers. They discussed how their algorithms process over 2 billion lines of code an hour today due to the dramatic growth they have seen in the past few years. ThreatLocker also recently made advancements to its ringfencing technology. Ringfencing is the ability of ThreatLocker to allow a program to run, but with restrictions… think of it as a rock concert. Your ticket to the show allows you to access your seat and watch (maybe while dancing vociferously… no judgment here), but you are still restricted from jumping up on stage with the performers, going backstage, or even to their tour bus. Ringfencing has become more intuitive and allows for the administrator to determine specifically what actions a program can and cannot take. Do you want to stop Microsoft Office 365 from communicating with the internet or making changes to the registry? You can do that with ringfencing. The great success ringfencing has brought for ThreatLocker pales in comparison to the success they are about to achieve with their new features announced today. These features include a brand-new web portal that is driven by APIs. This provides a faster experience for the user. Even more exciting is the coming test environment that allows an administrator to actually test a program that a user has requested access to, in a safe environment before ever allowing it to run on the user’s system. This test environment will tell the administrator what actions the software takes, what it attempts to make contact with, and any other files it opens. The administrator can then use this vital information to make a more informed decision about whether to allow the program to run or not.

While the above-mentioned new features are exciting, I haven’t mentioned the big reveal of the day yet. That came at the very end of the Jenkins brothers’ presentation, and it is… drum roll, please… ThreatLocker Ops! ThreatLocker Ops is a new initiative to allow the administrator to make rules for their environment that will create alarms and send them when certain criteria are met. This will more or less act like a SIEM (security incident and event manager) in that it will identify potential problems and alert the administrator so they can investigate further. What causes alerts, and what actions are taken automatically, are all determined by the administrators themselves, giving them complete control. ThreatLocker Ops will also be a community project that any ThreatLocker administrator can participate in. If one believes that an alert policy they have created is particularly helpful, one can then choose to share that with the community. Community members can then review that rule (along with countless others created by ThreatLocker and peer administrators alike) and determine if it will help them in their current situation. This is big news because it essentially expands your workforce and expertise without much effort or expense at all! The ThreatLocker Ops platform is anticipated to be launched by the end of Q1 this year. I know I for one am greatly looking forward to giving it a try.

The second keynote speaker of the day was former hacker, software inventor, and futurist Pablos Holman. Pablos focused on the future of computing and the danger that lurks ahead. However, he had a similar approach to what I spoke of in my opening paragraph… turbulence will happen, things will get scary, but you know what? Everything WILL be ok. Specifically, he brought out examples of different malware attacks and hacks that were perpetrated on the world over the last 30 years. He talked about the Blast Virus, Stuxnet, and various botnets that have come and gone. The point he made was that even though most of the time these actions were bad, they led to skills creation and software inventions that eventually did great things for the world. He encouraged us not to be fearful of innovation but to instead embrace it and run with it.

Pablos outlined a few projects that he is working on that were born out of hacking methodology. The first is a program/device that will reduce malaria and disease proliferation throughout the world. The leading killer of people by an animal is the mosquito, which kills over 700,000 people a year. Pablos displayed a flow chart describing the flow of the SSL encryption scheme and described how hackers attacked every portion of that flow chart to be able to find a way to bring down the system. He took that idea and applied it to the malaria epidemic, designing a flow chart of how malaria is contracted by mosquitoes, then transmitted to human beings, then the course it takes through the body leading to death. Finally, he attacked every part of the process using technology to try to find a solution. The solution that he and his coworkers developed is a device that uses motion sensors to track the movement of insects, identifies the insect based on the wing gait and speed, and then shoots it with a laser to kill it. The software is so precise that it can even determine the gender of the mosquito. He did speak of a few hilarious “bugs” that existed in his system, such as how the first lasers they used were too powerful and literally incinerated the mosquitoes into thin air! Pablos’ current project is to find a way to successfully use the large stockpile of radioactive spent fuel from nuclear power as a means of energy production to solve our energy deficit. This is promising technology that could really impact the world in a positive way, and it was devised using hacker methodology.

There was one more main speaker before the day broke for lunch and then more hacking demonstrations in the afternoon. That speaker was Chase Cunningham, Chief Strategy Officer for Ericom. He spoke about the “Slow Gazelle”, describing how the world is full of cases where there is a predator and there is prey, and slow gazelles will always be prey. Chase used this view of nature to describe the cybersecurity threat landscape and how it is very similar. Picture a lion out in the Serengeti of Africa, lying around most of the day, yawning and sleeping. This is how the world’s attackers and hackers live. They have all the time in the world and spend their days relaxing and just waiting for a chance to attack their next victim. They are not hunting animals; they are hunting opportunities to attack you. Then there are the gazelles, impalas, and other smaller animals. These are you and me, the good people of the world who don’t involve ourselves in nefarious activities. They (and we) rely on their defense mechanisms, instincts, and tools (such as speed) to protect them from attackers when they happen to strike. The slowest gazelle is the one that loses. This ties into cybersecurity because if we do not use the tools available to us to protect ourselves then we should consider ourselves the slowest gazelle. We, as business owners and good stewards in our societies, have a duty to use all of our tools, whether it be zero trust, compliance audits, or security incident and events managers. While entertaining, Chase’s presentation was enlightening. I loved how he used nature to describe the security landscape today. If you have attended one of my in-person presentations, you know that I like to do the same thing when I describe a security operations center (SOC) as a pack of meerkats. Meerkats are nature's greatest example of a SOC because they always have sentries standing on guard, 24 hours a day, 7 days a week. They stand in a group and watch out in all directions. Once a threat is identified they call out an emergency signal to the rest of their crew and they take action to combat the threat. This is exactly what a SOC does!

As stated earlier, the afternoon was jam-packed with more hacking labs that showed the same tools as yesterday, just used in different ways to expand our knowledge further. I participated in these hacking labs as I have a hunger to learn anything new in the field of ethical hacking and penetration testing. So many breakout sessions, so little time! I wish I could attend them all, but unfortunately, I had to forego some of them to be able to attend the hacking demonstrations. Some of the topics spoken about in these sessions were how hackers benefit from their malicious activities, as well as information for MSPs and MSSPs about developing a newer and more robust security stack to protect their customers. This is something that Appalachia Technologies is always looking to do, as our clients’ security is our number one priority! There was also a panel discussion about how to succeed in a growing cybersecurity field by relying on peers and using “trusted advisors” to augment your organization's current staff and tools.

Today was yet another jam-packed day of fun and informative content at Zero Trust World 2023! The day is not yet over as tonight there is a “NAC to the Future” 80’s themed party to celebrate ThreatLocker’s network access control capabilities. I, however, will be attending ThreatLocker University training classes to further enhance my ThreatLocker administration skills. My motto is much like that of famed Pittsburgh Steelers safety Troy Polamalu in his wildly popular Head & Shoulders shampoo commercials: “Always working!”

Alas, tomorrow will soon be here as we bring this Zero Trust World rocket ship back to earth for a smooth landing with Captain Sully Sullenberger!

Until tomorrow,

Stay safe (and secure) out there!


Curtis McPherson is a Lead SOC Analyst who also spends time performing penetration testing and ethical hacking, making him a true purple team member. Curtis graduated cum laude from Penn State University with a bachelor’s degree in Security and Risk Analysis, concentrating on cybersecurity and digital forensics. In his time at Penn State, he participated in the Technology Club, which conducted open-source intelligence (OSINT) investigations into missing person cases, using social media and the internet to find clues to their disappearance. Curtis is married with two cats and a bouncy bearded collie named Laddie. In his spare time, Curtis is an avid fiction writer, Civil War historian, and a tried and true lover of all things related to airplanes and aviation.
