“Having five layers of protection in your environment, without any controls, is like putting five burglar alarms in your house and not locking the front door,” says Danny Jenkins.
On Monday, ThreatLocker’s Danny Jenkins urged blockchain players to focus on the “control” side of cybersecurity if they are serious about providing adequate protections to their customers.
Speaking at The Channel Company’s August 2022 XChange conference in Denver, Jenkins, CEO of Maitland, Fla.-based security company ThreatLocker, said there are ultimately three ways to stop a cyberattack. – through human training, detection and response, and “controls,” or who can access and use parts of a system.
All three are ultimately needed to combat escalating cyberattacks that can devastate organizations, Jenkins said, appearing before a room full of chain actors from across the country.
[RELATED STORY: THREATLOCKER ALERT WARNS OF INCREASED RANSOMWARE ATTACKS USING MSP RMM TOOLS]
But he said there will always be humans who fall for email phishing schemes, detection programs that don’t always detect, and response actions that don’t always block threats.
As a result, he said “the most important area of security is this idea of control”, or essentially limiting access to entire areas of a system that different people can access.
Jenkins has refrained from using the phrase “zero trust”, which is now the popular way of describing a framework requiring all users to be continuously authenticated, authorized, and validated in order to access certain areas of a system.
But it certainly sounded like “zero trust”, even though Jenkins stuck to the word “controls” instead during his XChange session titled “Zero Trust for Applications”.
Jenkins insisted that more controls over IT systems are needed if true security is to be achieved.
“You should have (layers of) protections, but having five layers of protection in your environment, without any controls, is like putting five burglar alarms in your house and not locking the front door,” he said. he told members of the XChange audience. “It’s going to make a lot of noise, but it won’t stop someone from taking TV.”
Among the “controls” that Jenkins believes are necessary are so-called “ringfencing”, or the establishment of strict barriers within computer systems so that users, including intruders, do not cannot move from one zone of one system to another.
Another necessary control is “allowed list” or application control, which is a security feature that only allows trusted files, applications, and processes to run on a system.
And another necessary control, according to Jenkins, is elevation. As Jenkins said on Monday, “If you have local (administrator) accounts, remove them. And only allow software that needs to run as local administrator to run as local administrator,” he told XChange attendees.
Jenkins also said similar storage and network controls are also essential to protect systems and their data.
“These are all tangible things you can do as a computer scientist,” Jenkins said. “If you start your safety journey with checks, you’ll be in a much stronger position.”
After the XChange session, Jenkins told CRN that he deliberately avoided using the phrase “zero trust” in his presentation.
“It’s an overworked phrase,” he said, adding that some people just don’t understand what zero confidence means or ignore people who use the phrase too often.
Thomas Vaughan, founder of Central Technology Solutions, a Lynchburg, Va.-based MSP, told CRN he agrees with Jenkins that zero trust is an often misdefined and overused term to describe an approach. general safety.
“It’s always better to describe what you’re actually doing,” rather than using a catchy phrase, he said.
Still, when it comes to the access control principle behind zero trust, Vaughn said, “Anyone who isn’t using it is missing the boat.”
Shayan Khan, director and senior systems engineer at Preeminent Technology, a Dallas-based MSP, agreed that zero trust is the future.
“He’s telling the truth,” Khan told Jenkin’s warnings and recommendations on Monday.