Dave Buettner (13:58)

Well, security fatigue is one way of describing it. I think alert fatigue is probably more appropriate. I think the, the old analogy of the boy who cried wolf is very much relevant in this scenario, which is if you have something that's popping off alerts left, right and center saying there's something happening here and there's something happening there and there's something happening over there and you check them all out and there's nothing happening, you're going to believe it less and less over time. And unfortunately, when something is actually happening, you're probably going to be either too busy chasing other things or as I said, just fatigued and thinking it's not actually going to be what I think it is. I mean, we have a Or I had a really interesting example of this when I was dealing with a, a prospect who was using, let me be diplomatic and say, one of the major ed or tools that are out there. And I asked him how it was, you know, how was this his experience been with it, is it good, is it bad, you know, was it easy to manage, etc. And he said, look, it's really good, but the false positives break my heart. I spent all day, every day chasing false positives. But the interesting thing was we have a, we have a powershell script that we use for demonstrations, which is basically just data exfiltration via PowerShell. So it goes through the user's documents folder and uploads everything it finds to our blob. And when I showed that to him, I said, look, do you mind if I try that on my machine? I said, no, absolutely not. So we tried it in his machine, exfiltrated the data, no problem, and not a peep out of the tool that he was using. So from alerts for everything that was nothing to not alerting on something actually bad happening, I thought that was very instructive.

Rob Allen (15:52)

Yeah, I can't help thinking that that has to take a toll on people and affect their decision making.

Dave Buettner (16:00)

Oh, undoubtedly, undoubtedly. As I said, it's basically soul destroying to keep on chasing things that aren't happening or things that aren't serious, or things that you don't need to worry about. The problem is, when there is something you do need to worry about, it is eminently possible it will fall through the cracks.

Rob Allen (16:22)

Well, I know you and your colleagues promote this notion of default deny. Can you unpack that for us? What does it mean in practical terms?

Dave Buettner (16:33)

In practical terms, I mean it's incredibly simple if you think about pretty much all cybersecurity. The approach is fundamentally to allow everything except what we know to be bad. And by we, I mean the cybersecurity tool that's in place. So allow everything to run unless it's known malware. Allow everything to happen unless it's known to be malicious. The problem with that fundamentally is that nobody knows everything that's bad. Nobody knows every piece of malware, nobody knows every technique, every tactic, everything that's being used. So what we do and what we espouse is to effectively turn that, allow everything except what's not to be bad in its head and say, deny everything unless it's explicitly allowed. So it's pretty much a full 180 from that traditional approach and it's a really, really effective way of approaching cybersecurity. And it's got so many other knock on benefits in terms of we're working on a little project at the moment, our special projects team, and it's a variation on that Data Exfiltration that I mentioned earlier. So we became aware that one of the EDR vendors now detects data exfiltration via PowerShell as malicious. We did a little tweak to our previous script. So instead of just using PowerShell to upload a load of files, what we're doing now is we download 7zip, use 7zip to encrypt the files, delete the files, and then upload them to our location. Now, that's fundamentally ransomware. That's ransomware attack in one PowerShell script for all intents and purposes. Now, the problem with it is in most environments, PowerShell is pretty much allowed to do whatever the hell it wants. So it can download 7 zip, it can run, can copy data. The really interesting thing about this instance is because it's only uploading one file. That EDR tool that used to work in terms of detecting data exfiltration now does not. Because it obviously has some sort of a limit built into it where it says if it's less than, you know, X number of files, it's not data exfiltration if it's more than X number of files than it is. But it comes back to the idea of making decisions. So that tool is making a decision as to whether or not that behavior is malicious. And obviously in the case of multiple files being exfiltrated, it's deciding that this is malicious. If it's only one file that's being exfiltrated, it's deciding it's not. And it shows the weakness of decisions, whether it be, you know, a human being that's making decisions, or whether it be AI that's making decisions, or whether it be, you know, whatever the case may be. Decisions are dangerous because it only takes one wrong decision for it to be effectively game over.

Rob Allen (19:23)

Help me understand how Default Deny changes the way that security teams handle unknown or unexpected activity.

Dave Buettner (19:33)

So the likelihood is in most cases there won't be as much unknown or unexpected activity, because again, fundamentally, everything that shouldn't be allowed or everything that isn't required is going to be blocked. Now, there's a couple of sides to it. There is the what can run and what can't run side. So that, that's very simple. I mean, blocking everything that isn't explicitly allowed from running is going to solve the problem of unknown malware. Zero days things have Never been seen before. I mean, fundamentally we don't need to decide if you're blocking everything by default. You don't need to decide that something could be bad or is bad. You just block everything and work backwards from there.

Rob Allen (20:08)

What about for the users? I could imagine in a worst case scenario, I'm picturing, you know, users frustrated that they can't do anything, everything's being blocked, or so how do you balance that out?

Dave Buettner (20:21)

So there's a really important caveat to deny by default or there's a really important addition to deny by default, which is permit by exception. So deny by default is what's going to keep you safe. Permit by exception is what's going to allow you to continue to do business. And in reality, the vast majority of users do the same things in the same way with the same software every single day. You know, most use Office, most use a couple of browsers. They might use a, you know, line of business application or two, maybe you know, a teams or a zoom or whatever the case may be. And the reality is we're not going to get in their way if they're doing those things. Because fundamentally what we're doing and what we espouse is to put guardrails around that and say, look, if you operate within these guardrails, which 99% of users are going to do on any given day, we're not going to get in your way, we're going to allow you to do the things you need to do with the software you need to run. But if you step outside or try to step outside those boundaries and try and run a remote access tool or, you know, Cooper, the coupon clipper from China. Absolutely, we're going to step in and block that. But again, it's not stopping users from doing the jobs you have to allow users to do their jobs. The point is, but no more. And that's what, as I said, deny by default, permit by exception allows.

Rob Allen (21:41)

So how do default deny policies help reduce the alert fatigue?

Dave Buettner (21:46)

So again, the fact of the matter is if something can't run, it can't do anything bad. And it's not only alert fatigue that I reduce. This is a really important consideration. So shadow it is a huge problem and it's one that I'm acutely aware of because I spent the best part of 20 years of my life working for an IT company and I am very familiar with the frustrations of I would give somebody a computer today and it will be all singing, all dancing, do everything they need super fast, powerful, they Think this is fantastic, all my problems are solved. And then I'd get a call in six months from the same person going, hey, my computer's running slowly, can you look at it? And I'd log in and I'd find that they'd somehow installed 15 Chrome extensions and five different toolbars and somehow managed to install three different antiviruses. And then we're wondering why their computer was running slowly. So if you take users ability to install all of those stupid Chrome extensions and toolbars and antiviruses and random other software away, it's going to make the administrator's life so much easier. But I suppose to directly answer your question, we have, first of all, we've got a detection tool ourselves which is Threat Locker Detect. But we would very often see customers of ours running Threat Locker alongside something like an EDR, for example. And the overwhelming response from people who did that was that very quickly, when they have Threat Locker running and secured, their EDR suddenly has very little to do because nothing is being allowed to run that shouldn't be allowed to run, nothing's being allowed to happen that shouldn't be allowed to happen. So very quickly the EDR is kind of sitting there going, it's very quiet around here today. And that, to be perfectly honest, is one of the reasons why we created our own EVR, as I said, ThreatLocker Detect, because most customers were saying, well, why am I paying X number of dollars a month for this tool when realistically it's got nothing to do? Because Threat Locker is blocking all of these attacks at source.

Rob Allen (23:47)

You know, your description makes me think that not all user friction is bad. You know, if you can make your user think twice before installing that sketchy browser plugin, that's, that's not a bad thing.

Dave Buettner (24:03)

Absolutely not. It. And it's one of the things we've actually tried to do. There's a couple of things and we've introduced a, we've an entire department who are basically product research. So their jobs fundamentally is to, and I know it's a very thankless one, is to research every piece of software that's out there. So whether it be, as I said, Cupert being made in China or 7zip being Russian, and their function is to find out as much as possible about these various pieces of software. And one of the things that happen when something gets blocked with Threat Locker is they have the option to request approval because again, from time to time people will need to run software they've never run before. But when we pop up the approval request, we tell them a little bit about the software. So we say, look, this is a remote access tool, it's made in the following countries. So we're giving the user information to help them decide whether or not they actually, actually want to run it, if that makes sense. So when I try and run seven zip, if it pops up and says seven zip is, you know, it's compression software, it's made in Russia, it can be used to encrypt data. Do you want to request this? The reality is I'm probably going to go, no, no, maybe I shouldn't actually request that. So, yeah, you will often find that users, I mean, first of all, they'll know that they can't run random crap pretty quickly.

Rob Allen (25:20)

Right.

Dave Buettner (25:20)

And they will probably not try to as often. But even when they do, as I said, if you can educate them and if you can inform them as to the dangers of a particular piece of software, maybe they'll self, you know, self restrict or self choose themselves not to actually try and run the thing.

Rob Allen (25:39)

Yeah. Now, even when you have a robust default deny policy in place, detection still plays a part, right?

Dave Buettner (25:47)

Absolutely. We see detection as an important layer of a well balanced security stack. The point is though, it shouldn't be the only layer and that is unfortunately where a lot of organizations find themselves is that they have, and they may have multiple detection tools in place, they might have a threat hunter, they might have an antivirus, they might have an edr. But, but the problem with those layers is they're very similar. They're effectively looking for the same known threats, the same known bad things, and very often falling over each other when they do actually find one. But as I mentioned earlier, a well balanced security stack should combine proactive protection, which is the controls we spoke about earlier, and also reactive detection. The idea being that, and your ideal scenario is that you're not told about a cyber attack when it is in progress and you're trying try to respond to it. Ideally you want to know about a potential cyber attack that is trying to get underway and is failing to do so because of the controls I mentioned earlier.

Rob Allen (26:57)

Well, for organizations who are interested in this, what, what's a good place for them to begin?

Dave Buettner (27:03)

Our website would be a great place to start. So threatlocker.com I mean, look, we see, I suppose, education as a very large part of what we do. I mean, as an example, we're currently about halfway through a webinar series we're doing which is 100 days to secure your environment. So we're doing weekly webinars. They are, I think. I'm pretty sure they're on YouTube, but you certainly find them on our website. But it's not Threat Locker specific. It's not only things that you can do using Threat Locker. It's good best practice. You know, here's how you can make your environment unfriendly and difficult for an attacker to operate in. So, yeah, as I said, education is a very large part of what we do. Sort of explaining to people that there is a different way to what you have been doing up to now. I mean, it's a, it's a sad reality that very often when organizations do turn to solutions like ours, it's because they have had an event or a breach or have been hit in some way or way, shape or form. It's something that's frustrating from my perspective because I, I'd be much happier if every customer came to us before they got hit rather than after they got hit. But as I said, it's. It does sometimes take an event or something serious for people to realize that there are other ways to approach the problem that they've been trying to solve with these detection tools for so many years. But as I said, website's a great place to start. YouTube. I mean, we're on all the socials, but the YouTube stuff, the webinars we do, I mean, they're always educational and sometimes entertaining as well. So that's a really good place to start.

Rob Allen (28:34)

That's Rob Allen, Chief product officer at ThreatLocker. And now a word from our sponsor. ThreatLocker, the powerful zero Trust enterprise solution that stops ransomware in its tracks. Allowlisting is a deny by default software that makes applications control simple and fast. Ring Fencing is an application containment strategy, ensuring apps can only access the files, registry keys, network resources and other applications they truly need to function. Shut out cybercriminals with world class endpoint protection from Threat Locker.

Dave Buettner (29:28)

This episode is brought to you by polestar. There's only one true way to experience the all electric luxury SUV Polestar 3. And that's to take a test drive. It can go from 0 to 60 in as little as 4.8 seconds with the dynamic handling of a sports car. But to truly understand how it commands.

Rob Allen (29:43)

The road, you need to be behind the wheel.

Dave Buettner (29:45)

Up to 350 miles of range. The 3D surround sound system by Bowers and Wilkins. It's all something you have to experience to believe. So book your Test drive for Polestar 3 today@Polestar.com.

Rob Allen (30:00)

And finally, in Maine, the Westbrook Police Department tried to jazz up its drug bust photo by adding its badge using ChatGPT. Unfortunately, the officers didn't realize AI image editing works. Like an over enthusiastic intern, it changed the entire photo. Facebook followers quickly noticed the garbled text and eerie gloss, prompting the department to delete the image and issue an apology. Their statement blamed a Photoshop app, but local station WGME revealed It was actually ChatGPT's image generator, which treated the uploaded photo as a prompt to create a brand new masterpiece. The AI even removed some drugs from the evidence photo. Locals wondered how no one spotted the glaring differences, so lesson learned. Next time, just set a badge on the table and that's the Cyberwire for links to all of today's stories, check out our daily briefing@thecyberwire.com we'd love to hear from you. We're conducting our annual audience survey to learn more about our listeners. We're collecting your insights through the end of this summer. There is a link in the show notes. Please do check it out. N2K's senior producer is Alice Carruth. Our Cyberwire producer is Liz Stokes. We're mixed by Elliott Peltzman and Trey Hester with original music by Elliot Peltzman. Our executive producer is Jennifer Ibin. Peter Kilby is our publisher and I'm Dave Buettner. Thanks for listening. We'll see you back here tomorrow. Krogle is AI built for the Enterprise soc, fully private schema free and capable of running in sensitive air gapped environments. Krogle autonomously investigates thousands of alerts weekly, correlating insights across your tools without data leaving your perimeter. Designed for high availability across geographies, it delivers context aware, auditable decisions aligned to your workflows. Krogle empowers analysts to act faster and focus on critical threats, replacing repetitive triage with intelligent automation to help your SOC operate at scale with precision and control. Learn more@krogle.com that's C R O G L com.