Zero Trust, With Danny Jenkins of ThreatLocker
Powered Services Podcast | December 02, 2020 | 00:28:58 | 19.93 MB

Dan Tomaszewski interviews Danny Jenkins of ThreatLocker. The two discuss Danny's experience in the industry, what zero trust really is, and who needs ThreatLocker.

Speaker 1:

Hello, I'm Dan Tomaszewski, and this is the Connecting IT podcast. [inaudible] Welcome to the Connecting IT podcast. I'm your host, Dan Tomaszewski. And joining me today is Danny Jenkins, CEO of ThreatLocker. Danny, I want to welcome you and say thank you for being with me today, and also a big thanks to ThreatLocker for your sponsorship at our Connect IT Global. So, uh, we really appreciate it, but welcome to today's podcast.

Speaker 2:

Thank you for inviting me down.

Speaker 1:

No, we're really, really excited about this topic for me. I mean, I've been seeing a lot about ThreatLocker in the industry. Um, you guys are everywhere and I think this is a really big topic that MSPs are, are always learning to learn more about. So why don't you tell us a little bit about yourself and why you decided to co-found ThreatLocker?

Speaker 2:

So I've been in the cyber security industry for a long time, well before it was even called cybersecurity, and I've done everything from enterprise IT to white hat, a red team, blue team. And as the years have gone on, we've seen more and more challenges for, um, small businesses. And my initial starting point was enterprise. And in the enterprise world, we kind of do things a certain way. We don't implement antivirus or we do implement antivirus, but we don't rely on antivirus. We don't rely on detection. We implement a lot more controls and, uh, and you know, zero trust models, and zero trust is a big buzzword today, but we take that kind of default deny approach in the enterprise world. And I previously had an email security company I'd sold that. And I was working on a number of recoveries for ransomware. Ransomware was the big thing in 2014, and I got asked to help a lot of MSPs recover from ransomware attempts. And I was trying to convey that you guys are doing this wrong. You can't rely on this, this for security, you need to implement a default deny approach. You need to implement application whitelisting. And, and I was kind of banging my head against the wall. Everyone was looking at me like I had 10 heads or something. So I went off and said, look, let me help you with this, and realized that I can see why they're not doing it now. It's too hard. It's not practical for an MSP or any kind of midsize or small business to implement a zero trust approach because there's too much overhead. There's too much management. So, and that's kind of where the idea of ThreatLocker came from. We said, we've got to bring these tools that are being used by the Department of Defense, being used by Bank of America and big organizations. And we need to make them available and manageable for the MSP world and for the rest of the world that isn't Bank of America.

Speaker 1:

No, I absolutely. And I mean, it is intriguing. You said some key things in here. So, I mean, so let's go into that a little bit more. So from a ThreatLocker perspective, you know, what problems are you helping MSPs solve? You know, if I come on as an MSP with you today, what, what is it that you're solving with me as an MSP?

Speaker 2:

So, so the big thing is, I mean, ransomware, I mean, that's the biggest reason people sign up for ThreatLocker. There's more to it than that. But as an MSP right now, what a lot of MSPs are facing where there's, I, I went out and I got an antivirus in it, and then I got ransomware. So they go like different antivirus or an EDR or threat hunting. And I'm still getting ransomware. And I don't understand, I keep spending more and more money on these technologies and I keep getting ransomware or, and I keep getting breached. And so we, we want to stop that. And what we want to do is say, okay, stop beating up on your antivirus company, because you've got to, you've got to sit in their shoes for a moment, you gotta sit where they're sitting and say, what are they doing for me? Well, they're looking out and trying to identify bad guys. And th they're essentially, if you think about, you've got a room full of people and you've got to figure out who's good and bad. It's a difficult task. I mean, that guy's wearing a suit. He's probably okay, but maybe he's not, who knows, maybe he's a white-collar criminal, or maybe he's just a thief in a suit, and that's what antivirus is doing. And they're trying to detect that. So what we're coming in and really saying, look, we want to do two things. Well, the end goal is to stop cyber breaches, but the way you stop cyber breaches is by stopping bad things from running. And the way you stop bad things from running is not looking for bad things, but instead, deciding what do you need in your environment, uh, and blocking everything else from running and then stopping even good tools that aren't needed and money. Because if you can reduce your surface area of attack, then you're going to stop potential areas where a breach, every application you're running, you're adding an area of breach into your system. You're adding the vulnerability into your system. So if you don't need to run TeamViewer, don't allow that to run. 
It's not about do I like TeamViewer? Don't I like TeamViewer? No one cares if you do or don't, the point is, is there a business need Brett? So from an MSP perspective, but we all took, I suppose the two biggest problems are malicious software being installed, but also shadow IT, which leads to other breaches, people deciding I want to work from home. So I'm going to install TeamViewer on my machine, or I've got an idea. This application is a better PDF reader. So I'm going to install it and not realizing that this application is not patched by my MSP. And so by, by taking away shadow IT, we essentially take away the risk of ransomware because we're now not requiring the need to detect ransomware and by taking away. And we're also taking away computers that are running out of control and people doing whatever they want.

Speaker 1:

Well, that's, that's great. I mean, do you feel, I mean, listening to you, I mean, I'm thinking that that's, that's allowing the MSP to have good conversations with their customers about the day-to-day applications that should be in the environment, that should be turned on. I mean, like you were saying, should TeamViewer be a part of it or Zoom or other applications. I mean, it sounds like the MSP, then it's enabling them from a security, but it's also enabling the MSP to have the good conversations with their clients.

Speaker 2:

Yes, absolutely. And it also is enabling the MSP to show more value to their clients. So we have an interesting thing. I mean, the goal is here, nothing runs unless it's approved, nothing new runs that isn't approved by the MSP. So, and that sounds a little bit scary. And we get rid of all the problems with updates and things like that because we have so many partnerships in the industry where we can track updates, but the goal is don't let anything run that isn't approved by the MSP, which means malware is run. But it also means when a client tries to install new software, when they download TeamViewer and you say, Whoa, why are they trying to request CBO or even download a PDF reader or a new CRM system. You're getting to have that conversation and say, can I help you find a solution? I see you tried to download this. I can permit this for you, but maybe I've got a better solution for me. Maybe I partner, you've just downloaded an IP phone. Are you trying out new IP phone software? We actually have a partnership that we can sell to you. And it gives the MSP more value in the business. Because if you think about where all MSPs start, I mean, a lot of MSPs start from someone running internal IT and wanting to make that service available at a, at it using an economy of scale. Right? But the job of internal IT is, is not just to respond to a problem or to sell you an antivirus, it's to get involved in the business and solve the problems of the business. So it gives you the ability to do that job and put you in front of your client. And it's amazing. I mean, if you think that I sent out laptops five years later, they come back the same way or send them out. Just, just think about that. I mean, how often do you walk onto a client site and three years, two years after it's on their laptop and not have 50 different Chrome extensions and you have four different PDF readers and various different VPN software and all sorts of crap running that shouldn't be there. 
But when you are in control, when you're running the MSP, as you should be, which is a true IT department, you're saying, okay, this is a software we recommend the client. Of course you can, you can approve things on behalf of them and clients are going to have different needs, but you're getting involved in that conversation. And then you're not having to pick up the pieces because they installed CCleaner or any, some kind of cleanup software that you don't think was a good idea. And it's now slowing down that computer.

Speaker 1:

Oh, that's, that's great. And I love to hear that because, I mean, I think that's one of the big things that we're seeing, especially with the COVID times is that MSPs are having better conversations with their customers, but it sounds like your product also helps them in a differentiator in terms of going out and saying, this is how we take security. This is the policy, this is the procedure we're going to do. So I really loved that. And, and how you talk about

Speaker 2:

The other area where we're

Speaker 3:

Really helping is, we see, we often think of ransomware and in most cases, malware is software. I mean, it's not something magic, it's written in the same languages that software is written in. And if you think about Dropbox, it's a legitimate application. And the job of Dropbox is to take your files and synchronize them to the internet. And if you use that in your business, that's fine. If you don't, you probably don't want it running. But if you take a piece of malware, you can literally have the same code written. The only difference is where it's sending it. And the idea that every piece of malware can be detected is, is, is very, very, well, it's naive. If you believe that every piece of malware could be detected, because it could be the exact same code, but you also have this, this threat outside of malware, that software, you also have this threat of people weaponizing and using tools against you. And, uh, we, we do a lot of demonstrations on this and that could be literally someone taking a PowerShell command and uploading your files to the internet without any malware needed or turning on BitLocker or from an, a macro in a Word document. So what you need to, what we're trying to do as well is not just control what can run and stop malware from running, but also make sure things don't step out of their lane. And you mentioned, you know, COVID, 2020. You're seeing, uh, people working from home and it's been a great year for MSPs to interact with their clients. Uh, but what we're also seeing in 2020 is people downloading fake versions of Zoom or Zoom vulnerabilities. I mean, there is a perfect example is there's an application Zoom that has access to all of your data when you run it and you don't have to be an admin for an application to have access to your data. So what we're trying to do in ThreatLocker is say, not only do we control what can run. 
So Zoom is most likely going to be permitted in your environment, but what can Zoom access once it's running? Can it go off and call PowerShell? And in March it could be exploited and call PowerShell. But if you ring-fence applications and say, what can they do? You're going to stop applications that don't need access to your files from accessing your files. You're going to stop the applications that don't need access to PowerShell from being able to launch PowerShell and launch attacks without even running malware. So part of what we're doing is also making sure that applications and storage can't be accessed by applications that aren't trusted or trusted to access them. So even if they are trusted, limiting what they can do.

Speaker 1:

That's so important today. I mean, especially like you said, I mean, give the applications what they need. Don't let them have free rein. Don't let them, you know, be able to go out there and do everything. And I think that's a really important thing because I don't think the everyday business owner understands when they click install, what they're actually doing when they click accept and install. So, I mean, it's a powerful message.

Speaker 3:

Um, and it really, and this sounds a little bit scary, but it really isn't scary. I mean, you roll out an agent, you wait, and then you lock it down. It's, it's not brain surgery. We're not talking about some magic. It's just the things that you are going to worry about. Like app updates, we've taken care of that for you. And we literally have MSPs that have deployed thousands of seats at the end of a demo and locked down a week later. It really isn't that scary. It's quite simple. People shouldn't be running new software on their computer every day. Don't allow them to run new software. Then you don't have to deal with as many alerts on your SOC and your, in your EDR because things aren't changing when they shouldn't be. And now you're in a controlled environment and bad stuff doesn't happen.

Speaker 1:

Oh, that's, that's great advice. And it sounds like a great product, but I have a question for you now. Um, you know, I want to get to two things. I'm going to get to zero trust here in just a second, because I heard you talk about that. And I know that's a big word MSPs are using, but I also hear from MSPs a lot of time, Hey, I go out and, you know, I have clients that are refusing security. I know as the MSP that, you know, I'm liable if something happens, 'cause they're going to come back and point the finger at me. Um, you know, you have any advice that's out there for the MSP that, you know, having a little bit of a hard time selling security to their client and, you know, security is a hot topic, but what about those challenges? I mean, I'm sure you guys hear them in different things. What advice do you have for MSPs on that?

Speaker 3:

So, um, everything is, is these guys are business owners and business owners are always going to try and get the most for the least. I mean, that's their job as a CEO, that's their job as a CFO, to get the most for the least. But the other thing is most of the time they just want stuff to work and they just want to that they, they want to remove risk from their business and they want stuff to work. And it's important to know that. So sometimes it's not always the case. Sometimes an MSP, a client will push back and you might feel like you have to back off at that point, but that's the point you actually need to step forward. And I'm a CEO. And of course, every time I don't care if I'm paying a hundred dollars a month, $200 a month, $300 a month for someone to look after my clients and point, I genuinely don't care. I mean, of course I'm going to try and get the best price. But what I care about is that my employees that we pay a lot of money for are able to do their jobs, operating securely, and don't pose a risk to my business. And most of your clients actually feel that way, even though they don't say it, they feel that way. So it's your job to really convince them and build a trust in that with them. And there's a, there's a lot of steps to that. And we, we have a lot of presentations on this and we have a lot of support for our partners with that. And making sure that you can educate your clients, show them the risk. Don't go into your client and say, Oh, you know, Garmin was breached. And they had to pay $10 million ransom, because they don't consider themselves alongside Garmin. Go in and show them 400 dentist offices were breached. And they've paid this much in ransoms. And this kind of business went out of business. This company went out of business because of a cyber breach, show them stuff that's relevant to them and tell them stories, stories. 
I mean, you guys have a lot of stories in your arsenal from previous clients, clients you've tell them those stories, make them understand that real problem. And don't overwhelm them with technical. And if you can show them, show them some real possibilities of a breach. We help a lot of our clients with marketing. And one of the things coming from the enterprise side, I had to learn a lot moving into the MSP space too. But one of the things we learned is that not all MSPs are good at marketing. Not all MSPs are good at talking to their clients, but come on, talk to us, talk to our marketing department. We have collateral you can use. We have brochures, brochureware and demonstration videos and predefined scripts that you can use when talking to your clients. And at the end of the day, if they're really refusing security, there's two, you've got two choices here. One is you get them to sign a waiver. The other one is you, you have to say this isn't the right client to meet for me because it doesn't matter how much they refuse at the end of the day, when, when it, when it comes down to the wire and, and everything's broken and their files are encrypted and their data's on the dark web and someone keeps harvesting money from their bank account. They're going to blame you as the MSP. So you have to be very, very clear. We're doing this. This is what we recommend. And frankly, the most successful MSPs we talk to are the ones that say, we're dumping the client. If they're not willing to do it, I make tell them to sign a waiver. At the very least, the power of them signing a legal document saying I'm going against medical advice or IT advice. I mean, essentially if your doctor says, I need you to sign there saying that you're not gonna take this medicine. You start thinking, well, maybe I should take the medicine. 
And it's a powerful thing with a client to look, I understand that your business, you get the choice, you're accepting the risk, but I want you to sign this to say that I've made you aware of the risk and you're not taking the remediation steps that we recommend. Give that to them.

Speaker 1:

Absolutely. We're hearing that a lot. I mean, we've heard MSPs call it the decline of service, the waiver, uh, definitely. You know, or like you said, it's just not the right fit. And don't take that risk and liability for you as an MSP. They're just not the right customer. So I think that's really good advice. Um, you know, I, I want to ask you this because I've seen you, I've heard you speak, I've seen a lot of different things on your website and different things, and I know you, uh, you're really good at talking about the zero trust model. Um, but many organizations misuse that phrase, you know, how can you define it? And why is, why is this security model so important, of zero trust?

Speaker 3:

So, so the concept of zero trust was created by Forrester and essentially what it means is least privilege. Eh, but it's, it's a really cool buzz marketing term. Unfortunately, it's used by everyone and in the wrong area. What it truly means is that you start off and you, you, you don't trust by default, you deny by default, and it could be at a network level. So if you're thinking about securing your servers, you say my, my computer does not access anything on the internet. It could be at an application level where we say nothing can run unless it's trusted. It could be an application level that says when it's running, we're not gonna grant it access to other things, because we're going to assume that it's being compromised. And we're only going to grant it access where it absolutely needs that access. That is the true concept of zero trust. Unfortunately, we've seen it built into a lot of detection technologies and threat hunting technologies where they say we trust, uh, we zero, we have zero trust for viruses. That's not the idea here. The idea is that you have, you start off with a deny methodology, and then you start allowing based on what you need to run in your environment. And it applies at a user level too. I mean, when you hire people in your company, don't give them access to more than they need to do their job. And if you build from that level outwards, you end up with a much more secure and a much more, a much safer business. Unfortunately, it is one of those marketing buzzwords. I try and avoid using it, especially at the beginning of any kind of presentation because people think it means something else. Uh, what it actually means is deny by default, don't allow things that aren't needed in all areas of your business, in all areas of technology, not, Oh, we're going to have a zero trust AV model where we scan everything, or we're going to zero trust everything that's not known in the world. That's kind of a crazy way of looking at it. 
Zero trust is really about least privilege, the least amount of software you need to do your job. And if you actually look at that for most people, that is a pretty small list. I mean, we have about five applications allowed in our entire organization and our sales team can run Chrome, Edge. Um, well, they don't even use Salesforce anymore. Um, Chrome, Edge, um, Microsoft Office and do our, I think they're the only applications that were allowed. I may have missed the one on there, but if you think about it on that point of view, you stop worrying about is my antivirus going to detect today's virus and you stop counting your antivirus every time they make a mistake, because they're going to make mistakes. It doesn't matter how much you spend on it, whether it's a dollar or $10 a month, they're going to make mistakes. Uh, so if you, if you, if you focus on more about default deny zero true zero trust and start relying on bad things being found, you end up with a much more secure environment.

Speaker 1:

No, I think that's great advice on that security model and, you know, a great definition of how zero trust does get misused in terms of different ways. So I think that's really important. A couple other questions I have for you, and you know, that I want to, you know, and just kind of talking around in your experience, like what types of businesses benefit the most from your services? I know we're talking a lot of different things and everybody, is there a certain type of business that benefits the most?

Speaker 3:

So I think every business benefits from ThreatLocker, uh, services, I mean, obviously this is an MSP-focused product and you've got lots of different clients. There are certain companies, there are certain types of business that have legal requirements. So if you do business with the federal government, you have to implement some of these policies. You have to implement our storage policies, our file auditing policies, our application whitelisting policies, but you've got to understand the reason the federal government is mandating these requirements. When you do business with them, it's not because they want to mandate things for the hell of mandating them. They're mandating them because they need you to be more secure. So those type of businesses are more about checking boxes, although ultimately delivering security, they're doing it for the reason of checking boxes. Other businesses, I mean, I have a, I have a picture that I put on a slide sometimes, and there's a guy on a motorcycle and he's naked. Uh, you can't see anything too inappropriate, but he's wearing a helmet. And it says in the bottom of it, this guy is compliant. And they're the government guys that are checking boxes for the sake of checking boxes. Um, and the reality is just because he's got a helmet on, it doesn't mean he's safe. Uh, and checking boxes is good because they're setting those minimum standards for a reason, but it shouldn't be your target. Other companies are doing it because they just don't want ransomware and they don't want things to run on their environment. And it doesn't matter if you're a car dealer or if you're a dental office or you sell weapons to the federal government, today the attackers don't care if you're big or small, they can get a hundred grand from a small dental office. They can get a hundred grand from a car dealer or a local school. So they're going to go after, or even more than that. 
They're going to go after these small businesses because they have less defenses. So I think realistically, every business should be adopting a zero trust model. It's easier in some businesses. Development firms, it's a little bit more difficult because they tend to have a lot of change, but there's the thresholds and controls that can be put in place for even those they're going to harden their environments.

Speaker 1:

Oh, that, that thing that's really all. That's great advice. And I really want to hone in on one other aspect for MSPs, because I know this comes up for, for MSPs in a lot of conversations we have on coaching calls and different things like that is how are MSPs making more MRR? I mean, it sounds like, you know, potentially saving time, increasing their client's satisfaction. You know, you've hit on a few things, but using ThreatLocker, you know, how are you helping MSPs, you know, make more MRR and save time?

Speaker 3:

Well, so I think that's the two areas. There is how are MSPs saving. You'd almost think how can I save from a zero trust environment? Because now we have to do more. 'Cause they have to approve the new software, that's actually wrong. If you do it right, you should have a net saving because you shouldn't be picking up the pieces when bad things happen. Like I said, at the beginning of this call over 90% of requests that commented like I'm not approved.

Speaker 2:

I think I said that, um, the, uh, over 90% of requests that come into the MSPs are not approved by the MSPs, not because they're all malware, but because the MSP is going back to the client saying, why are you trying to install Cravey Coke, crazy Kobe coupon, clipper into your Chrome browser? What, what's the reason for that? And when you stop that, the game, what you end up doing is reducing your overall tickets. Because now you're not picking up the pieces because they complain that Newton's running slide. The other areas, obviously you're not dealing with cyber breaches, which is even if you've got the best backups in place, there's a lot of work when someone gets ransomed. Um, the other areas is, um, they're able to engage with their clients more. Uh, they're able to make MRR just in selling it. And there's quite a few use cases out there where people say they added $6,400 a month instantly with ThreatLocker, because they were able to add that product. They're able to show real value, but you're also able to get more engagement with clients so you can sell them more products. So when they do try and download and run a new IP phone system, you can tell them, Oh, we actually sell an IP phone system. Or when they do download, uh, some kind of, um, web security tool, you can say, uh, we sell web security. Why are you trying to install that? We can give you this solution. And things like that probably should be in to begin with when you start talking about security, but it gives you the ability to upsell your client, engage more with your client and have reasons to talk to your client. Because every time you talk to your client, it should be an opportunity to give them more services. And if they're, if they're trying to install your software, that's a great opportunity because at the end of it, you can be helping them with the deployment and upselling services or even selling them the software.

Speaker 1:

No, I think that's great. I think the way you're positioning this in, in this whole conversation has been, I think really insightful. I think a lot of our listeners today are, are getting a lot out of this is you can turn into a really good conversation. Like you said, you can upsell, you know, or have the conversation about volume for whatever product they're trying to install. Um, meanwhile it also is giving you the ability to have good security conversations with your customers. So I think you've been extremely insightful on all this today.

Speaker 2:

Uh, there's, there's one other area I'd like to add there. Uh, we have a rather large airline using ThreatLocker. And, um, we did an interview with our CSO recently, and he was, um, saying that the, the implementation of default deny, of controls like this, take resource off his security center, because security centers, which are pretty high paid employees, have to respond to changes on the system and they have, they get alerts. And if you take the changes away, it becomes a non-security issue. And the amount of alerts, if you do run a SOC, or you do run some kind of NDR system where you have to, the amount of responses is going to be massively reduced because you're now not making those changes. And those are the things that trigger alerts on your system, on your SOC.

Speaker 1:

No, that's great advice. When you're eliminating the noise, you're, you're doing what every MSP says that you're here, you're cutting down of the tickets that are coming in that are like false positives or things that your techs are having to spend more time looking at. So definitely can see how you're, you're saving time and making your company more efficient. So I would like to ask you this, you know, you've given us a lot of really good information today. You've told us about ThreatLocker, the amazing things it does, how it helps MSPs actually grow their MRR, um, secure their customers even more, have good conversations. Is there anything that you'd want to leave our MSPs that are listening today? Like a final thought, um, that, you know, they can take out with them.

Speaker 2:

I mean, whether you use ThreatLocker or not, I think if you're an MSP and you really truly care about your clients, make sure you're adopting a more controlled, driven security approach. Whether it's implementing application whitelisting, the default deny on your endpoints, or whether it's, it's locking down your servers so they can't go out to the internet, because attackers can't download malware on a server that can't talk to the internet, just try and adopt a more least privileged approach. You'll do better off, you'll have less breaches and you'll be far more successful. And you also make yourself more valuable for the client because they, they start saying, I need this guy. I need this MSP. I, I would die without them. Right. So it's very important that if you, if you do that, you implement proper practices. It's, it's going to help. If you do want to find out about ThreatLocker, just go to threatlocker.com and schedule a demo. It's a 45 minute demo, and I promise it's worth your time.

Speaker 1:

Don't Danny. And I just want to say, thank you again, you know, for being on today, I really appreciate you taking the time to meet with me and to talk to our listeners and, you know, thank you for your sponsorship. I mean, you guys, like I said, uh, sponsored our Connect IT Global. So I just want to say thank you again to you and, uh, appreciate you being on today. Thank you, Dan. And everyone, thanks for listening to the Connecting IT podcast. Make sure you subscribe and rate us five stars on the iTunes store. And, uh, until next time have a great day.