
Zero Trust and Application White Listing (podcast)

On this episode of Tech Tuesday, we talk about zero trust policies and application white listing. Look at the pros and cons, and learn how this policy can improve your business’s cyber security.

Portsmouth Computer Group · Zero Trust and Application White Listing

Dave Hodgdon: Welcome to PCG Tech Tuesday. This is your host, Dave Hodgdon. I’m here today with one of PCG’s security experts, Steve Ripper. How you doing, Steve?

Steve Ripper: I’m good, Dave. How are you?

Dave: Excellent. We have a great topic today and it’s why you should embrace a Zero Trust model. Now, that’s a big, big word to me, Steve. So, let’s first talk about what is Zero Trust model.

What Is a Zero Trust Model?

Steve: Yeah, so the Zero Trust model as a name gets people to be nervous. It got you nervous.

Dave: I’m not nervous.

Steve: You were like Zero Trust.

Dave: I’m shaking right now.

Steve: We don’t want to not trust the employees, but the Zero Trust model is basically it’s a service that will stop applications from being installed that are not approved. We’re basically trying to take away the ability for applications to be installed just by anyone, the user, but also the bad guys, and we’re going to try to have it be a whitelist.

So, that’s where the other title for this, the government calls it Zero Trust, but also application whitelisting or app whitelisting, where we’re whitelisting the applications and then we’re saying that these are the ones that we’re allowing. We’ve agreed that these are the applications our company uses, and then anything else we’re not allowing them to be installed.

Dave: I love what I heard there, Steve, when you mentioned about the bad guys, which these guys are out there. But a lot of times once they’re on a machine, they’re trying to actually put an application or download something. So, I assume that will help with that.

Steve: Oh, absolutely. It’s a great defense against it.


Benefits of a Zero Trust Model

Dave: Awesome. So, I know as we talk about the Zero Trust in application whitelisting, how can a Zero Trust model benefit your company and make it more secure?

Steve: Yeah. So simply put, if the service is blocking software to be run that has not been approved, malware or other unwanted software will also be unable to run. So, if the bad part of it is, is that we’re saying no, you can’t install software, the good part is we’re saying that the bad guys can’t either.

So, really what it’s doing is we’re changing the Windows dynamic. The Windows dynamic for years, for a good 20 plus years has been, here’s a device, do whatever you want on it. You want to listen to music, go listen to music. You want to go do this, you want to go do that. It’s been wide open, it’s been an open-

Dave: Do what you want.

Steve: Yeah, do what you want. It’s an open-

Dave: Wild West.

Steve: Open, exactly. It’s an open platform. We’re saying that we’re changing the dynamic to say, no, we’re not going to let you do it, but we’re also not going to let the bad guys do it. Now, can you get software installed? Of course, we’re going to talk about that in a minute, but you can get approvals and then you can install it.

Dave: Right. And I think that’s okay on your own computer to do what you want at your home, but you’re in a business environment. And with what’s been happening in the cybersecurity world, Steve, for the last 10 years, it’s one of those things you have to control what’s allowed on my computer because that one application could wreak havoc.

Steve: Yeah, absolutely.

Downsides of Zero Trust Models

Dave: So, what are some of the downsides to implementing a Zero Trust model?

Steve: Yeah, we kind of hit it. You can’t talk about the pluses without talking about the minuses, right? So, the biggest one is that if you need something to run right now, and the most common scenario is that I need to do this WebEx or I need to do this GoToMyPC or whatever because I’m talking to a vendor-

Dave: Every day Steve I feel that, every day.

Steve: I’m talking to a vendor and they want me to download this and install this. You may have a period of time, a short period of time where you’re waiting to get approved for that software. So, there are things that can be done if you use WebEx or GoTo Meeting, we can approve it ahead of time.

But yeah, the instantaneous, I need this satisfaction, this gratification of getting the software piece installed for myself, you’re giving that up and waiting for approval. The other part of it, the downside is that you’re going to need a support infrastructure.

Hopefully that’s coming from PCG, but you need a support infrastructure either from us or somebody inside your company that can quickly and responsibly say, “Yes, I’m going to approve that. I see the software, I get that that’s a normal piece of software, it’s for your daily use and I’m going to say yes to it.” Or say, “Why are you trying to install that? Or was that you?” You do need a support infrastructure to make this work.

Dave: I feel that’s a simple thing to solve. With most companies, you need to have a policy in place. So, if there’s something happening, you need to be proactive with PCG or your internal IT. You need to be planning for this, so it’s not chaotic.

Steve: Yeah. Yeah.

Implementing Zero Trust

Dave: So, how does it work and what needs to happen to implement it, Steve?

Steve: Yeah. So, there’s a couple of steps to it. Basically the first thing you’re going to want to do is, or at least consider, is taking away what are called local admin rights on all of the PCs. As I mentioned for years, the dynamic of the model has been that Windows has been wide open, you can do whatever you want. And what that really means is that in the Windows world, a lot of people are logging into their accounts and they have local administrative rights on their PC.

So, that’s a thing you kind of want to take away. They shouldn’t have that ability to just put whatever they want on. And then the second step will be whatever service you’ve chosen, we use a product called ThreatLocker, but there are several of them out there. But the service you’re choosing will have an agent that gets installed on your machine.

So, you’re going to install that agent or your IT professional is going to install the agent on it, and it’s going to be in what’s called learning mode. That learning mode will do it for about two to three weeks, right?

That learning mode is going to learn all of the software that’s on your machine at that time, right? The assumption is that what’s installed on your machine are the things that you need for your daily business, right? So, it’s going to whitelist those for you. It’s going to happen automatically. Then at the end of the two to three week period, the third step is we’re going to enable the agent.

What that means is that everything that is installed on that machine is going to be allowed. So, you’re not going to have any problem, but anything new is going to have to be approved, right? So, that you can’t install it without the approval of IT.

As you hear that you might think, well, that’s a downside. But the upside to it is that no bad guy can install anything either, it’s the ultimate protection from any kind of ransomware, malware, a breach, phishing attack that installs something on your machine. These are all things that are going to be stopped cold in their tracks, so that it can’t be installed.

What About Risks With Existing Software?

Dave: So Steve, I’m a big picture thinker, so you just kind of explained to me that it’s going to look at everything that’s there. I’m worried about some stuff that should be there probably shouldn’t be in there. So granted, your whitelisting is a way to evaluate, there’s some software that shouldn’t be on there that could cause trouble down the road.

Steve: Yeah. So, that’s sort of a blanket statement for me, Dave, that we’re going to just approve everything that’s on your machine. A good practice is to turn it on, let it learn, and then use its list because it is going to list in the service, everything that’s on everybody’s machine, on a PC-by-PC basis.

So, we can go through that list and go, Hey, what is this game that’s on your laptop? Why do you have gambling software? Why do you have that? So, why do you have a coupon? Do you really need a coupon generating software? So, we can go through it, and work the management team and say, “Look, we’re not looking to get anybody in trouble, but while we’re doing this, remove these things that are not company approved, but then go forward from there.”

Zero Trust Models and Cyber Insurance

Dave: So, from a cyber insurance standpoint, I’m assuming, are there scenarios where I would want to go to a Zero Trust model?

Steve: So the scenario, the first one that comes to mind is of course compliance. And compliance might make you, Dave not want to go, you have to go, you have to. So, if you want to be CMMC level three, if you want to work with the DOD in their frameworks, and there’s a lot of others out there, one of the controls that they’re going to ask you in that application is going to be, do you have an application whitelisting program?

And if you don’t, you’re going to get docked points that you need to accrue to get that certification. So, that’s why PCG understands this is, is why we’re talking about it today, is because we understood that we needed to have a solution for this.

Because to reach those levels of compliance where you want to do business with say someone like Grumman or anyone or the government or DOD, you’re going to have to meet that. And so, they’re not going to let you transfer files to them, and they’re not going to transfer files to you without them knowing that you are secure, that you have something that would stop something like this, right? But having said that, really this is something that’s worthwhile for any company to think about.

Zero Trust: A Good Idea for All Businesses

Dave: Yeah, especially the industry. So especially where applications could provide risks to them of doing that download.

Steve: We see Dave, you know this, right? We see companies all the time, not all the time, but it happens where they’re not doing compliance, they’re not trying to go with the DOD, but they do get ransomware. We’ve had to go and clean up ransomware because a phish got in, someone clicked on the link, they got into the network, and then they locked up a directory and they infected the whole network. So, this is a step towards stopping that cold.

Managed Detection and Response (MDR)

Dave: So, this particular service has been around, but it’s really gaining momentum over the last few years, and this is something that PCG is now offering in our managed services. Steve, speak a little bit more about our MDR.

Steve: So, the Managed Detection and Response is a higher tier level of service from our cyber security framework where our, what’s it called again, Dave? I’m losing it.

Dave: NIST.

Steve: No, not NIST. Our-

Dave: Cyber hygiene.

Steve: Cyber hygiene. I was tripping up on the hygiene.

Dave: That’s the basics.

Steve: Can you tell that we’re not editing this? You get us raw and unfiltered. The cyber hygiene model-

Dave: Tech Tuesday, baby.

Steve: So, exactly. So, the MDR is the step up from the cyber hygiene where we’re really going to target the things you need to do for compliance and the higher levels of what you need. So, it’s going to do things like send monitoring of all your logs.

It’s going to add the ThreatLocker, which is doing this app whitelisting or Zero Trust model. You’re going to get more management from us, where we’re going to review those logs and take a look at those. You’re going to get priority responses to issues that are security related, and so on.

Dave: Anything you try to protect your business or your home with various security, you’re adding some nice levels of security here, Steve, to protect my data, my reputation. But I think the big thing I’m hearing is from a compliance and checking that box on the cyber insurance.

Steve: Yeah, exactly.

Dave: So, great topic today. Thanks for joining us and I hope people learn a little bit about Zero Trust model and why application whitelisting is important for your business. Thanks again for joining us on Tech Tuesday and have a great day.
