Vanta Representative (12:28)

Compliance regulations, third party risk and customer security demands are all growing and changing fast. Is your manual GRC program actually slowing you down? If you've ever found yourself drowning in spreadsheets, chasing down screenshots or wrangling manual processes just to keep your GRC program on track, you're not alone. But let's be clear. There is a better way. Vanta's trust management platform takes the headache out of governance, risk and compliance. It automates the essentials from internal and third party risk to consumer trust, making your security posture stronger. Yes, even helping to drive revenue. And this isn't just nice to have. According to a recent analysis from IDC, teams using Vanta saw a 129% boost in productivity. That's not a typo, that's real impact.

Dave Bittner (13:23)

So if you're ready to trade in.

Vanta Representative (13:24)

Chaos for clarity, check out Vanta and bring some serious efficiency to your GRC game. Vanta GRC how much easier trust can be? Get started@vanta.com Cyber.

Dave Bittner (13:46)

Worried about cyber attacks? Cyber Care from Storm Guidance is a comprehensive cyber incident response and resilience service that helps you stay prepared and protected. A unique onboarding process integrates your team with industry leading experts so if an incident occurs, your response is optimal. Get priority access to deeply experienced responders, digital investigators, legal and crisis PR experts, ransom negotiators, trauma counselors, and much more. The best part? 100% of unused response time can be repurposed for a range of proactive resilience activities. Find out more at Cyber Care Cyberwire Rob Allen is Chief product officer at ThreatLocker. I recently caught up with him at the RSAC conference for a sponsored Industry Voices segment discussing deliberate simplicity of fundamental controls around zero Trust.

Interviewer (14:57)

We are continuing with our conversations here at RSAC 2025 and I am pleased.

Dave Bittner (15:03)

To be joined by Rob Allen.

Interviewer (15:05)

He is Chief Product Officer at Threatlocker Rob, welcome.

Rob Allen (15:08)

Thank you. It's good to be here.

Interviewer (15:09)

For folks who may not be familiar with the company, give us the brief description of what ThreatLocker is.

Rob Allen (15:15)

Threat locker is awesome. Is that brief enough?

Interviewer (15:18)

Thanks for joining us here today.

Rob Allen (15:19)

Thank you. Thank you.

Dave Bittner (15:20)

Thank you.

Rob Allen (15:21)

No, so Threat Locker is an endpoint protection platform, zero trust focus. So denied by default, basically. So it's a slightly different approach to most cybersecurity, which is typically reactive. Just waiting for something bad to happen, basically, or some indication of bad things happening. We are more proactive, so we're more about stopping it happening than responding to it happening. There's a lot of different ways we do that. So we start with allow listing. So just allowing what needs to run to run. And we've got ring fencing and lots of really cool stuff. But it's all based around that principle of deny by default, permit by exception. So rather than letting everything happen except what we know to be bad, we only allow what's required.

Interviewer (16:03)

Can we talk about the challenge with endpoint protection of lateral movement and protecting against that?

Rob Allen (16:09)

Sure. Well, I mean, there's a couple of different types of lateral movement. There's lateral movement between programs on an endpoint because very often a lot of these breaches start with, for example, something like Outlook calling something like PowerShell. Now, in reality, in most environments, there's no reason for outlook to call PowerShell. But someone in their infinite knowledge and wisdom in Microsoft decided one day, hey, it'd be really cool if we'd make this possible. Now it's being exploited so we can control that lateral movement between applications, but we can also control lateral movement across the network because that's another huge problem. So once one machine gets compromised, typically it doesn't take them very long to move to another machine or to another machine or to another machine, and eventually they get to something that's really important. So controlling network access, same principle, denied by default, permit by exception, but only allowing trusted devices connect to other trusted devices and basically just limiting access to the network will stop. As I said, that lateral movement as well.

Interviewer (17:09)

Help me understand how much of this is, say, signature based. How much of it is behavioral? Is there a blend?

Rob Allen (17:16)

None and none.

Interviewer (17:17)

Okay.

Rob Allen (17:18)

Generally speaking, so what we're talking about, I actually have a really interesting example to give you about this. But basically what we're talking about is fundamentally controlled controls. So it's about applying controls to your environment. So the control over what can run and what can't run, the control over what things can do, controls around the network so it's not about detecting or recognizing bad behavior per se, it's about saying, well look, we're going to control the environment in such a way that that bad behavior can't take place. I'll give you an example, if you don't mind. So we did a podcast some time ago with a guy called Jacoby, David Bombal. And Jacoby and Jackby is an absolute genius. He was Hak5's hacker of the year number of years. He came up with something that is unbelievably cool, which is basically API based polymorphic PowerShell reverse shell. So basically he reaches out to an API using PowerShell, it gives him code, PowerShell code, basically. But it's polymorphic, so it changes every time. So signature base detections just don't find it.

Dave Bittner (18:20)

Right.

Rob Allen (18:21)

So he tested that against every major Ed or every tool that he could find. He tested that against and none of them recognized it as what it was. He tried it against ThreatLocker and Threat Locker, immediately blocked it. Now he was convinced that we were doing some behavioral based recognition of what he was up to. And what we were actually doing was just blocking PowerShell from Access on the Internet. So it was a really simple basic control that solved a very advanced, complex, quite frankly brilliant exploit. So that might explain somewhat better. So we're not about behavior. We don't care what the behavior is. We care about applying controls to the environment in such a way that it can't be.

Interviewer (19:07)

So is it fair to say a deliberate simplicity to the approach?

Rob Allen (19:14)

Absolutely. The beauty about that simple approach is that you don't need to, you don't need to know everything that's bad because if you block everything, then you're going to block all the bad stuff. You're also going to block good stuff that could be misused. And that's something else that people need to consider is things like WinRAR, for example. I mean, WinRAR has all of the characteristics of ransomware. You can encrypt data, you can transfer data and you can delete data, all with one convenient program that is not in itself malicious. Things like putty, We've seen putty being used for data exfiltration. Now again, putty is not a bad program, it's not a bad application. But can it be used for bad purposes? Absolutely, it can. So the beauty about the deny by default approach is you don't need to know all of the bad things, you don't need to know all of the exploitable things. You just need to allow what's required and Block everything else. It's so simple. But once you actually get your head around it, it's like, why isn't everybody doing this?

Interviewer (20:09)

Well, so how do you do the things you need to do and at the same time not introduce undue friction?

Rob Allen (20:18)

Because in reality, the vast majority of users do the same things in the same way with the same software every single day. And fundamentally all we're doing is setting guardrails around that. I'm saying, look, you operate within these guardrails, you're not going to even know we're here. Now, if you step outside of those guardrails and try and download that coupon clipper from China or run a remote access tool, absolutely, we're going to step in and stop that. But that's what organizations need, that's what they need to keep them safe.

Interviewer (20:46)

What about things like token theft, you know, that sort of thing? How do you come at that?

Rob Allen (20:51)

So token theft is an interesting one. So we've recently started expanding. We were typically endpoint based or exclusively endpoint based for many years now. The reason for that was basically most of the action was taking place in the endpoints. Most breaches started at the endpoint. But we realized that customers also have challenges with the cloud, specifically controlling access to cloud resources. So what we did for that is we have, and it comes back to this idea of deny by default, permit by exception. So Microsoft actually have some quite advanced conditional access functionality in Office 365, for example. So you can have what are called named locations. You can have a bunch of IP addresses in a named location and say, look, allow these IP addresses to connect to my office365 and block everything else. That's fine until somebody has had an event like this. My IP address has probably changed five times today, right? So it's not, it's, it's fine. Static but dynamic presented a challenge. So what we did is we've got obviously Threat Locker Agent installing people's machines. It's checking in, reporting its IP address. We have an app on our phone which basically is checking and reporting my phone's IP address. We take all those IP addresses, we upload them to a named location in Office 365 and those IP addresses are allowed to connect while the entire rest of the Internet is not. So the way a lot of people have approached this is fundamentally a lot of people will do countries. So they're going to say, look, allow the United States and block the rest of the world, which is fine until your CEO goes on holidays to the Bahamas and all of a sudden he can't access his resources.

Dave Bittner (22:21)

Right.

Rob Allen (22:22)

So this is why the dynamic nature of what we do is so effective. Because it doesn't matter if I go to the Bahamas or Timbuktu, quite frankly, I'll have an IP address, it's gonna check in, register, upload and be added to named location. So it doesn't matter if somebody steals my credentials, it doesn't matter if somebody even gets my token. The fact is they won't be allowed to connect because of those conditional access policies.

Interviewer (22:44)

When someone decides that they want to take this approach that, you know, they're all in on going at the problem this way. What does the onboarding look like?

Rob Allen (22:56)

Surprisingly smooth, is the answer to that question. Because basically when we deploy threat locker, when a customer deploys threat locker, it's not blocking anything, it's not stopping anything, it's not getting in their way. Fundamentally, all it's doing is it's logging data. It's basically building a set of policies based on what's present in the environment. So it takes a lot of the heavy lift out of this process.

Interviewer (23:14)

So there's an analysis, correct, A learning period sequence.

Rob Allen (23:18)

Okay, absolutely. So the learning period, basically what it's doing is it's logging all of the software that's on your machine and it's saying, look, all of this software is required. We're going to fundamentally allow this, this, or create our policies to allow this to run. After which point, you know, a couple of weeks in the future, we can say, okay, well you've got policies for all you need, all the things you need, and we're going to lock it down and then all of those things are going to be allowed and then nothing new is going to be allowed to run on your machine.

Interviewer (23:43)

Are there company wide policies, but then individual policies as well.

Rob Allen (23:50)

You can do it at various different levels. You can do a company wide, you can do it global teams. Exactly.

Interviewer (23:56)

Again, my salespeople travel, they need.

Rob Allen (23:57)

Correct, exactly. And your IT team probably needed a little bit more leeway in terms of the tools they're going to run. So they might need to run a tool like putty. Whereas your finance department probably aren't. Your marketing people. Definitely aren't. Your marketing people might need creative cloud, but your IT team don't. So it's not a question of applying the same rules to everybody. You can pick and choose, you can adjust and tweak as necessary. Again, the idea being to allow people to do what they need to do.

Interviewer (24:25)

But no more as a Provider of the type of tool that you provide. As you're looking toward the horizon and you're seeing the evolution of the threats, how do you stay nimble? How do you anticipate and know that your own roadmap is going to be able to respond to those things?

Rob Allen (24:48)

Well, to some extent. I mean, obviously we're constantly striving to improve what we do. We're trying to make it as seamless as possible, both for the administrators and also for the users. That's something that's really important to us. I mean, one of the beauties of the approach that we take because it's denied by default, we're not constantly responding to new threats, to new techniques, new tactics. I mean, obviously we tweak and adjust our policies from time to time. We make them more secure. We can absolutely always improve things. But generally speaking, the deny by default approach means that it doesn't matter if a new piece of malware appears tomorrow, a zero day appears tomorrow, or even a particular piece of software is vulnerable. You know what I mean? Application vulnerabilities are a major, major issue. But you have to consider with the likes of application vulnerabilities is, well, what's the next thing that will typically happen if a vulnerable application is exploited? Well, generally speaking, something's going to run or something's going to reach out to the Internet. You know, somebody's going to call PowerShell to try and download a payload. Well, if you can stop all of those interactions, then you basically stop that vulnerability from being exploitable. So as I said, it's the beauty of default and I is you're not constantly trying to play catch up. And again, that's one of the problems with cybersecurity as a whole, is the industry is constantly playing catch up. The bad guys are nimble, the bad guys are really, really clever, and they're constantly one step ahead. And if your approach requires you to keep up with them, then you're never going to win. I mean, the sad reality, the sad fact is nobody knows all of the bad things. I mean, if somebody knew all of the bad things, there would be no need for solutions like ours. There would be no need for any other solution. The fact is, nobody does. I mean, there's 160,000 new pieces of malware come out every single day. How do you possibly keep up with that? I mean, the sad reality is you can't. So that's why a different approach, one like the default deny, one that we expose, is so important.

Interviewer (26:48)

There's been a lot of Talk I think particularly this year about consolidation. And we hear from CISOs all the time that how do I keep track of all these different tools? What I really want is, you know, to bring me a platform that'll. One platform that'll do everything. From your point of view as a.

Dave Bittner (27:06)

Provider.

Interviewer (27:08)

How do you approach playing well with others?

Rob Allen (27:13)

Well, one of the ways that we try and solve that problem for people is we try and solve as many of the problems as we can within one portal, one agent, one product, one thing to understand, one bill to pay. Fundamentally. So as well as the allow listing, ring fencing, network control stuff I mentioned, we do have detection capabilities. This is another product we do. We've also gotten. We've recently introduced web control. So basically web filtering, we've introduced patch management, a very unique, take a unique approach to patch management. So these are all boxes that we can tick for organizations without them having to go out and buy third party tools or have another portal to manage or another agent to install in the machine. Because it is one thing that we hear loud and clear is I've got too many agents on my machine. I've got my antivirus, I've got my edr, I've got my, this thing, I've got my patch management, I've got that thing. I've got web control, I've got different agents running my computer. The fan is always, the pan is almost filling. So there's a huge amount of value in just giving them one agent, one portal to manage, one product to understand, one thing to get trained up on and you don't need to manage all of these other tools. So that is something we're acutely aware of and trying to solve in that fashion by building solutions ourselves.

Vanta Representative (28:28)

Yeah.

Interviewer (28:29)

As you're walking around here at RSAC 2025, what are some of the things that have, that have caught your eye? Are there things that, that, that lift your spirits, that give you hope? You know, that what clever people we are, you know, those sorts of things.

Rob Allen (28:45)

A lot of very impressive boots, that's for sure. There are some very, very shiny boots and very big and fancy and there.

Interviewer (28:53)

Are puppies and baby goats and.

Rob Allen (28:55)

Is there puppies?

Interviewer (28:56)

There are puppies.

Rob Allen (28:57)

I saw a picture of the baby goat. I did not. Where are the puppies?

Interviewer (29:00)

There is over there.

Rob Allen (29:01)

There's a puppy. Okay, I'm going to have to go and find the puppies. I mean, I actually chastised our marketing department yesterday because when we saw there was goats, I was like, how come we haven't thought about bringing Farm riot animals to these things. Yeah, Missed opportunity. So, yeah, I didn't realize somebody had brought puppies. That's kind of one upping. But, no, I mean, the beauty about events like this, from our perspective is twofold. I mean, first of all, it's an opportunity to meet existing customers. The great thing that I've seen, even over the last couple of years of coming here, is that, you know, a few years ago we would have had, I'm not going to say a handful of customers. There wouldn't be a huge amount of customers. Every year there's more and more and more. They come up, they say hello, you know, tell us about their experience. And it's phenomenal feedback. I mean, face to face like that. It's just. It's a brilliant opportunity to connect with existing customers, but obviously it's also an opportunity to tell people about what we do, tell people about why we do it. Explain.

Dave Bittner (29:53)

Explained.

Rob Allen (29:54)

I mean, I had somebody come up to me yesterday and they were talking about. Talking about allow listing and they're saying, we're looking at this other allow listing solution. Tell me why you're better. And we have. And I actually don't have it here. I'd love to show you, but we've got rubber duckies that do data exfiltration, we've got rubber duckies that do screen captures and upload them to a C2 server. We've got a whole pile of different stuff. So I was able to show them in person. Three different attacks, all perpetrated using PowerShell, none of which were detected as being bad, all of which were extremely scary. And that's a fantastic opportunity. I mean, you just don't get that talking to somebody over Zoom, for example. You can explain it to somebody, but you can't show them.

Dave Bittner (30:31)

Right.

Rob Allen (30:32)

And there's a huge amount of value in that for us.

Vanta Representative (30:35)

Yeah.

Interviewer (30:35)

All right, well, Rob Allen is chief Product Officer with Threat Locker. Rob, thanks so much for joining us.

Rob Allen (30:41)

No worries. Pleasure. Thank you very much.

Dave Bittner (30:43)

That's Rob Allen, chief Product Officer at Threat Locker. And finally, security researcher and O2 customer Daniel Williams uncovered a glaring privacy leak in O2 UK's 4G calling system. For context, O2 is one of the UK's largest mobile carriers, part of the Virgin Media O2 group, serving millions of customers across the country. And apparently it's been serving up more than just phone service. While poking around voiceover LTE call data, using a rooted Pixel 8 and some digital elbow grease, Williams found that O2's IP multimedia subsystem implementation was a little too chatty. Calls were accompanied by SIP messages containing not just debug logs but also both parties, imsis imies and cell tower IDs. In short, every call was a potential geolocation treasure map. Williams concluded that O2's IMS implementation poses a significant privacy risk as it exposes sensitive metadata during every 4G or Wi Fi call. This data can be exploited to geo locate call recipients with surprising accuracy even when they're abroad or not currently connected to the network. The researcher emphasized that this Vulnerability affects all O2 customers using IMS based calling and cannot be mitigated by users themselves, as disabling 4G calling does not stop the data from being shared. He called on O2 to remove these unnecessary SIP headers and and debug messages from call signaling and criticized the company for lacking a clear path to responsibly disclose such findings. Since then, O2 says they have resolved the issue and that's the Cyber Wire. For links to all of today's stories, check out our daily briefing@thecyberwire.com N2K's senior producer is Alice Carruth. Our CyberWire producer is Liz Stokes. We're mixed by Trey Hester with original music and sound design by Elliot Peltzman. Our executive producer is Jennifer Ibin. Peter Kilpe is our publisher and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow. Foreign hey everybody, Dave here. I've talked about Delete Me before and I'm still using it because it still works. It's been a few months now and I'm just as impressed today as I was when I signed up. Delete Me keeps finding and removing my personal information from data broker sites, and they keep me updated with detailed reports so I know exactly what's been taken down. I'm genuinely relieved. Knowing my privacy isn't something I have to worry about every day. The Deleteme team handles everything. It's the set it and forget it piece of mind. And it's not just for individuals. Deleteme also offers solutions for businesses, helping companies protect their employees personal information and reduce exposure to social engineering and phishing threats. And right now, our listeners get a special deal 20% off your DeleteMe plan. Just go to JoinDeleteMe.com N2K and use promo code N2K at checkout. That's JoinDeleteMe.com N2k code N2K.