704 ThreatLocker and Zero Trust: A Conversation with CEO Danny Jenkins

Transcript

[Uncle Marv]
Hello friends, Uncle Marv here with another episode of the IT Business Podcast, the show for IT professionals, where we talk about products, stories, and tips, helping you to run your business better, smarter, and faster. Welcome to today's show. This is one of our audio podcasts, and this is, of course, powered by NetAlly.

This episode is actually sponsored by our friends over at Super Ops, the all-in-one ready-made platform to help power your business. Today, I am going to be talking with a first-time guest to the show, a product that I've talked to you about because I actually use them, but this is going to be a good little show here. We're going to be talking ThreatLocker, and I have with me the CEO and founder, Danny Jenkins.

Danny, how are you? Good. Thank you for inviting me today, Marvin.

Well, I should probably say it's about freaking time that I got you on the show. I've been talking about you for a while and started using the product, and it's been a fantastic addition to my stack, so thank you. I'm glad to hear that, and hopefully it wasn't all too bad.

Well, I mean, listen, it's a good product, but good products take a little time to get used to. It's not one of those set-it-and-forget-it type things, so.

[Danny Jenkins]
Yeah, and what you find when you start with ThreatLocker is it's very much about changing the mentality about how you do business, and then once you do that, it becomes very easy. Not only does it help you understand ThreatLocker and make ThreatLocker operations better, but it makes your IT operations better. And I remember actually one of our first customers, I say customers, was our kid's school.

We didn't charge them. And it was great because we were looking after their IT at the time, and this was 2014, and it was a nightmare managing that IT. It was like 20, 30 hours a week, and I started regretting offering to help with their computers.

And our kids have been out of school now for two years, maybe even three years, and my wife is still handing over the IT slowly, but she spends about an hour a month now looking after the hundred-and-something devices, whereas before it was 30 hours a week, and the reason being is because she's able to control their IT and actually manage their IT rather than fight fires. And it takes a while to get that washed through because you've got to get rid of all the old problems as well. You don't just have clean computers, but if you think about it, give someone a laptop, you put ThreatLocker on it, updates happen, five years later the laptop comes back, screen's broken, but everything else is fine.

[Uncle Marv]
So let's dig a little deeper. I didn't plan on this, but you brought up the zero-trust concept and the fact that we have to change our mindset. Now, zero-trust, the phrase, has been out for a few years now, but I still think a lot of us as MSPs don't fully do zero-trust the way that it was intended.

So knowing that, yes, we'll do zero-trust, but then we open up this access, or we open up that access, and we allow for users to do this. So no longer is it zero-trust by the time you get around to it. Let's start with that.

What, in a sense, is zero-trust in your eyes, and how much of those changes should we really be allowing?

[Danny Jenkins]
Okay, so I think the idea of zero-trust, and I hate to say this, but the best definition I ever found in one sentence was from the White House. Anything that comes from the White House, we got in the same sentence, just doesn't exist. And it said, it was an executive order, and it said, the government agency must implement a zero-trust framework.

And then it had a definition, because lawyers write definitions, and the definition of zero-trust was something along the lines of only grant access to any node, service, or user where access is required to perform the function or job of the asset, or whatever they were talking about. I can't remember the exact terminology, but it was something like that. And I think it was the clearest definition I've ever read, because it's not about stopping everything and blocking everything, but it's about only giving access where access is required.

And what ThreatLocker does is helps you with tools to do that. Because of course, we started off as this allow-listing solution where you only run software, and that's at principle the best zero-trust you can do, because it means no malware can run unless you allow it, or ThreatLocker is stopped, or it's added to the allow-list, or it's in monitor mode. But the core of that is, how do we make this easy?

So what ThreatLocker's goal is, is give you a toolset that allows you to implement the least amount of privilege required to do a job without being a headache. And most of the time, the least amount of privilege means you can only run the software that's been approved by the business. Only these network ports are open.

The software that is allowed can only do X, Y, and Z. And in some cases, it becomes, okay, you can run anything you want because your job is to test software, but we're going to limit what that software can do so it can't talk to our network. And the areas where we see the biggest failure in it, and you can never be fully zero-trust, but you strive to give the least amount of privilege.

But the areas that we see the least amount used that should be, is in the network. Because if you think about it, people say, well, I need to open up this port on my firewall. I need to allow my users to access their servers, so that's a functional job.

And technically, by saying, I opened up the port because I need port 443 open, or I need SMB ports open in my network, I am following a zero-trust framework, because that's what I have to do. But what ThreatLocker is doing is, well, we're going to actually change the boundaries here, because that's what you have to do in the old way. But we're going to say you open it up only to trusted devices, and we track the trusted devices for you, because before, you couldn't do that, because there was no way of knowing who got given that IP address on your network.

So zero-trust is really least privilege. What we are there to do is give you the tools to make it as easy as possible.

[Uncle Marv]
Very nice. Very nice. So let me tell you what I tell my clients when I try to explain that to them, is that when you allow people into your house, it used to be years ago that you could just leave your door open, and you would trust that only friends and family would go into your house.

But what that did was made it to where if anybody walking by noticed that your door was open, anybody can go in, whether it was a crook, a criminal, a neighbor down the street, somebody you don't know. And what zero-trust is doing is saying, look, we're going to have openings to the house, but it's only going to be to those trusted people. They're going to have a key.

They're going to have a code. We're going to be able to track who's going in and out. And that's how we should be devising our networks, is you need to know who's in your network and what they're doing.

[Danny Jenkins]
We call that an investor pitch. So that's how we explain it to investors. The only one slight difference we use is only the people that need to come into the house.

Not necessarily trusted people. And a great example is, you know, my wife's allowed in the house because she owns the house. So my kids are allowed in the house.

My parents allowed in the house. And you know, I trust those people, but they also need to come in because they live there. My kids do.

But my daughter's boyfriend's allowed in the house. So I don't necessarily trust him, but he needs to come in the house. But that's what then we extend it to say, oh, we're going to ring fence you.

So when you're in the house, you can only do what I want you to. So he's allowed everywhere but my daughter's bedroom.

[Uncle Marv]
That's great. That's great. So real quick, I don't want this to be all about the product here, but I'd like to have you guys back on sometime to talk about that.

But I know that you guys recently have put together this unified bundle. And I wanted you to describe that more because I don't think when I joined up that existed. And when I was prepping for the show here, I'm like, oh, I probably need to go back and check that out.

[Danny Jenkins]
Okay. So probably a little bit of history. So we started off our core principles in ThreatLocker is how do we allow you to implement least privilege controls?

Right. And we had net allow listing, ring fencing, network controls, elevation controls, and storage controls. And we bring in all these controls.

And then we deploy ThreatLocker to a whole load of businesses. I think 45, 46,000 companies ranging from small companies, right up to JetBlue, parts of the US Navy, airports, hot banks, hospitals. And they come back to us and say, we love this.

Our EDR doesn't give us any alerts anymore when they do their false positives, do I need to keep paying for my EDR? And we're sitting there going, well, technically, they block based on bad, we block based on everything, but your insurance is going to tell you a whole different story. So we went out and we built the best threat intelligence team we could.

And we started building our own EDR. So we said, well, what is an EDR? Now, an EDR, first of all, isn't that great at detecting threats, because it's looking at previous threat patterns. And also, there's very fine lines between good behavior and bad behavior.

Backup software takes your files, uploads them to the internet. Data exfil takes your files, uploads them to the internet. So the idea you can do it based on behavior, not accurate, but so we build an EDR and we run all of the indicators of compromise that are in the Milo attack framework.

Every time there's an attack, we look at that attack, we investigate, we help with the FBI, we get all this data and we build this EDR. And we release this a little bit every year and customers weren't really loving it. And the reason they weren't loving it, by the way, is because it wasn't a great tool to use. And it was good at detecting, but it wasn't good to use.

So the next thing we did is we went and built Cyber Hero MDR behind it. And suddenly, within two months of us releasing Cyber Hero MDR, we'd rewritten half of the EDR in terms of its usage, because we realized this is a shit tool to use. And we did the same, by the way, with our Allow Listing.

When we released Allow Listing, we sold it for years. And then in 2020, we gave away for when people were struggling with COVID, we said, we'll look after your approvals. And then we realized this is too hard.

So we rewrote the way that the approvals work. And so we started using our own tool and we created this MDR. And then customers are coming to say, okay, I want the EDR and MDR. How can I get a better price? Because I want to get rid of my EDR, my EDR, blue screen, my computer, how do I kill it?

And so we said, well, look, you can just turn it on. It's a lower cost than your existing EDR. We're going to bundle it all together in a unified. And in that, you get our Allow Listing, we get our Cyber Hero approvals, you get our storage or elevation, our network controls, you get all of the controls.

You also get our detect with our EDR and our managed detection response behind it. Now, if you haven't tested our managed detection response, it's unbelievable. Right here in Orlando, they pick up the tickets within about 25 seconds.

They look at everything on your machine, they'll call you based on your room, but they'll lock down your machines and they are faster than any... The best thing I can recommend is you've got an existing MDR, deploy Threat Locker, do some dodgy shit and see who calls you first.

[Uncle Marv]
Hmm. Okay. So all of this was brought together.

So it sounds like you're helping with, what is it, stack fatigue, you know, having to have different tools from different vendors. So being able to bring that all into a bundle, lower costs. So that all sounds good.

Let me ask you, I know of the Cyber Hero program. Is that technically your SOC?

[Danny Jenkins]
Yes. So we have a Cyber Hero approvals, we have a Cyber Hero SOC, which is an MDR. And then we have Cyber Hero Support. And the three different things, when you buy any Threat Locker product, you get Cyber Hero Support included.

And then, and it's the best support you can ever imagine. 23 seconds, 365 days a year. And these guys actually know what they're talking about.

They're not some outsourced call center, they're in-house here, they'll walk over to my office if they can't solve the problem. But then we built the Cyber Hero approvals and Cyber Hero MDR behind that as well.

[Uncle Marv]
All right. So I'm in Fort Lauderdale. And if I take a three hour drive up north to see you, can I get in and see all that stuff?

[Danny Jenkins]
You can get in, you will be hosted, they will take care of you, they will show you the SOC, they'll show you the MDR team. And we also have the coolest Cyber Hero swag store on the ground floor. And they'll even give you a voucher.

But I think we raised $100,000 in that store, because we give all the proceeds to everything we collect to Ronald McDonald. So at Zero Trust World, we gave away $100,000 or $98,000 or $96,000 to Ronald McDonald from that store here. So it's actually really popular with employees and customers.

We always give... If you come up here, we'll give you a voucher, someone will host you and you get to see how our support center runs.

[Uncle Marv]
We'll have to talk about that, because the only swag I have from you guys are all the different colors of your shirts.

[Danny Jenkins]
We got baseball caps, we've even got baby vests, we've got Yetis, laptop bags. The only thing we don't have is underpants, but we do have socks.

[Uncle Marv]
All right, that was TMI. All right, well, we'll definitely be chatting about that. So let's talk about Zero Trust.

Well, let me do this. You mentioned Zero Trust World. So let me go ahead and get that out of the way.

So you had Zero Trust World last year, around February, right? You're doing it again this year in February. Now, this is a cybersecurity three-day event hosted by you in Orlando, correct?

[Danny Jenkins]
Yes. So we've done it for three years running now, and every year we've over doubled our attendance from the year before, which is great. It's a three-day hands-on security event.

And our goal of the event is very simple, that you go away knowing more than you came in with. It's not about you coming in and sitting there and watching someone talk for four hours every day or eight hours or 10 hours. It's about you get smarter.

And we do it in three different ways. We do education sessions. So we'll teach you about, and not just Threat Locker education, we'll teach you how to use Threat Locker, best practices, recommendations.

But we'll teach you how to harden Office 365. We'll teach you how to harden your Mac, things you should be doing on your physical network. We'll teach you all of those things in sessions.

And we always try and give takeaways of things you should do in every session. The next thing we do is we want to teach you how to hack, not because we want you all to be hackers, but because it makes you actually realize the importance of doing these things. Because when you think, oh, no one can get into my machine, they don't know my password.

And you go, no, you just exploit this vulnerability. So we'll show you how to use Metasploit. We'll do a rubber ducky challenge.

We have a pineapple come in, we'll actually put it on a drone, take over the Wi-Fi. There's a whole bunch of new cool stuff. We'll teach you how to take over a Mac from the Air Pods.

All of these things we teach. Some of its hands-on labs, some of it's through sessions. And the third thing we do is we kind of bring a lot of industry experts and leaders to give you the high-level thought leadership and then some cool people.

Last year, we had Mark Rober, the NASA engineer on YouTube. So we'll bring some cool people in. And the best party ever, because it was a, I think it was an action movie party last year or a 90s movies party.

So great three days, great collaboration, great learning.

[Uncle Marv]
All right. And you had a Pwn2Own hack challenge. Was that last year or the year before where you guys gave away a custom computer?

[Danny Jenkins]
Yeah, it was like a $5,000 or $6,000 computer. They made it too easy. And basically, it didn't have ThreatLocker on it, so it made life a lot easier.

It was a bunch of machines. And basically, you had to figure out how to hack in, break into it. And I think the guy who actually did manage to hack it is now being offered a job at ThreatLocker too.

So he got a computer and a job.

[Uncle Marv]
Very nice. All right. So that sounds interesting.

So I'll have a link to that in the show notes that you can go sign up. And you know what? I didn't check.

I assume there's a cost to it.

[Danny Jenkins]
Yes? Yeah. So basically, the tickets are $500.

But there's something cool about that. There is a coupon code that we can probably get to put in the notes as well that will give you for $300. But when you're on site, we have the Cyber Hero certification.

So this is a certification about how to use ThreatLocker, how to deploy. If you pass a certification on site, you get a refund of your ticket. Oh.

Now, I will tell you, it's not that easy. If you study and you do ThreatLocker University before you come, you'll get it. So if you come and you think you can win the test because you've been using ThreatLocker for two years, you're not going to pass it.

Every year, we have a whole bunch of engineers who complain that it's not fair that they didn't pass and it was too hard. If you study, you'll pass the test. And you know how to use ThreatLocker.

But yeah, it's cool because you get the tickets refunded. And your boss will be very happy.

[Uncle Marv]
Okay. All right. So we'll have all the links to that.

And if we get the coupon code, that'll be there as well. Danny, let me go ahead and go back real quick and ask about any updates that have been significant. I know we talked about the Unified Bundle.

I know that, of course, you guys raised money back in April. And everybody's probably wondering, oh, what are you going to use the money for?

[Danny Jenkins]
We're not allowed to use it for parties, unfortunately. And look, we have one mission, and that is to change the paradigm of security from default allowed to default denied. So everything we do is about educating the market, making everybody aware of what's happening and getting people to roll forward.

Of course, that means selling products, which is always great. But that's our core mission as a business. And we did 840 events last year, and we're doing 800 events this year.

And they're expensive events. It's about building better threat intelligence team, building a better support team, building a bigger organization. Our goal is to create the most versatile platform to help us deliver our mission to our customers.

And that's really what we're going to use the money for. And at the moment, we have 45,000 plus companies that use that locker, and we expect that to continue to grow. And we expect to keep the same level of support and the same quality of product throughout.

[Uncle Marv]
All right. So sounds like there's going to be a lot of stuff in the works for us. Now, as MSPs, I mentioned earlier, one of the problems that I think a lot of us have when we, you know, just try to implement ThreatLocker, it's not a set it and forget it.

So we do have to kind of pay attention and work with it and stuff. As that applies to the entire landscape of cybersecurity, how do you see the roles of us as MSPs changing?

[Danny Jenkins]
So I think MSPs are in a particularly awkward situation because I worked corporate IT for many years. And the thing about being corporate IT is you go to your boss and you say, hey, we need to buy this new AV or we need to buy this new tool. And you give them a business reason why you need to buy.

As an MSP, one of the biggest challenges is when you go into your customer and you say you need to buy this new tool, they'll go, oh, who's selling me the tool? Oh, I am. So it's always a difficult thing.

But I think here's the thing. There's no such thing as set and forget security, period. Now, the security is easier to manage, the security that has less noise, but there's no such thing as set and forget.

Every piece of security should be managed, everything should be validated and tested. I feel like if I'm hiring the perfect MSP, what I am looking for is the MSP that's going to monitor my security, manage my security, do pen tests, tell me what's weak in my security and be able to come forward and say that. And I think as MSPs evolve from IT support, because that's what the history is here, is you fix my computer.

I'm not here just to fix your computer. I'm here to make sure your computer doesn't get owned by someone else. And I think that's where MSPs have got to continue to evolve in delivering messaging to their clients, showing importance, and we help our customers with that.

And also managing that security and giving the reports every month saying, this is what we've done for you. This is why it's important. If you didn't do this, this is what would have happened.

[Uncle Marv]
All right. So it's going to change for us. Do you see anything coming down the pike that we really need to pay attention to?

[Danny Jenkins]
I think I think there's probably two challenges here. First, the industry in general, not everybody, but the industry in general needs to catch up with the, I suppose, cybercrime industry, because right now, cybercrime is running about two years ahead of the rest of the world. The MSPs, IT people, security companies need to catch up with that.

So I think there's a lot of things to pay attention to the future. But first, we've got to catch up with the two years we're behind as an industry in defending against cybercrime. I think as we go and look to the future, we're going to see more tools, more response to AI risks.

AI threats are all over the place right now. They're increasing. You can now create the smartest phishing emails without even speaking English.

You can create the smartest malware without having to download it or pay for it from the dark web. So those threats are increasing. And I think what the industry is going to see is more focused on zero trust, but also they need to kind of catch up with where we are.

[Uncle Marv]
So I think one of the hardest things is to let users know that, yes, we've got to we've got to catch up. They're out there. And our users, for some reason, think, well, they're not after me.

And so the question always is, is how we balance, you know, robust zero trust security with, you know, user experience and productivity, because they're like, I just want to be able to work.

[Danny Jenkins]
Okay. So and by the way, I and I'll be very candid here. I think sometimes MSPs can't get out their own way, or people in general can't get out their own way.

They're so scared of the fear of asking someone to do something. It's irrational. Most small businesses, they hire you guys to hire MSPs because they trust them to look after their IT.

It's the guy who comes out and the credibility you get by crawling onto someone's desk and plugging in some cables. It's like, this guy's really smart with computers. It's unbelievable.

And when you go, you know, I'm a small business owner, when you go to a small business, say this is what you need. And this is why you need it. And this is what the federal government says.

And this is how many attacks happened this year. And this is not just big businesses. I think most sane business owners will actually say, okay, we're going to do that because I understand what you're saying, period.

And we've seen that over and over again. We have opted out emails, a lot of MSPs sent to their customers say, hey, we're going to put this on. This is what it's going to look like.

This is the new process. And they say, okay, I understand. I'm not going to opt out that you've put it very, very clear to me in black and white, in terms I can understand.

So I'm going to do it. So sometimes MSPs just need to go out, they need to send the email, but they shouldn't be giving the customer a choice. In many cases, this is what we're going to do, because this is what we have to do to protect you.

And my job is to protect you. When you go to the doctor and you say, hey, I've got a sore chest. The doctor doesn't say, oh, you know what I recommend you want to buy some of these pills.

They don't do that. And MSPs should be very much the same. This is what you need to take to fix your problem.

And this is what you're going to do. And then it's up to the customer to go, oh, I'm ignoring you. I want a second opinion.

So I think some of it is you've got to go out and do that. I think the other thing is, I just want to do my job. Part of that is poor service in the back end.

If someone needs a new piece of software, which doesn't happen very often, approve the software faster. Or if you can't, use ThreatLocker, Cyber Heroes Team, or use someone else. But make sure you're responding fast, because no one's mad that something got blocked, because they downloaded a new app.

What people are mad at is that it took 15 hours to get it approved. The approval process is minutes. So make sure that your service desk is delivering a fast, good service.

We have 23-second response time on ThreatLocker support for a reason. People aren't mad that there was a problem. We have bugs.

We have problems. People don't get mad because there's a bug. People get mad because you didn't respond and fix it fast enough.

And that's the same principle for MSPs. Deliver the response fast. If you can't, outsource it to us and we'll manage it on your behalf.

But make sure you respond to your customers and make them happy.

[Uncle Marv]
Yeah. And they're always more mad if something happens because you didn't protect them in the beginning, when they thought you were.

[Danny Jenkins]
Yes. And look, when a customer does say no, it's really, really important that you've got it in writing telling them you need to do this. And they said no in writing.

That's why it's always better to tell them, we're doing this. This is the costs. If you don't want to do it, tell me you don't want to do it.

Because then you've got an affirmative denial from the customer. So if in two years’ time, there was a big MSP in Ireland actually that got sued and I think lost the lawsuit because the customer got their Office 365 hacked because they didn't have dual factor. The MSP had told them over and over again, but there was no documentation to prove that.

[Uncle Marv]
Always get it in writing. Yeah. All right.

Well, Danny, you've been busy. I should let the listeners know that this is something we've been trying to do for a couple of months now. And I think the last time we were scheduled ended up being CrowdStrike Day.

Hopefully, we don't see too many of those in the future. And then even last week, you were in Vegas.

[Danny Jenkins]
How was Vegas? Vegas? Yeah.

It's exhausting every single time. So we were in Vegas. We had a massive event at Black App.

We were really, really successful. We had two parties. We hosted.

If you're ever at Black App, please make sure you come to our party. We always buy out the Irish bar. The two evenings.

We have a welcome reception, another one. And they're always great fun. We had two parties we hosted.

I think we probably spoke to a few hundred customers and probably booked probably three or four hundred other potential customers on demos. It was a great three days. It was exhausting.

And when I rolled back home at 2.30 in the morning and climbed to bed, I was very happy to be home.

[Uncle Marv]
Nice. Now, you were one of the main speakers there. And for listeners who did not get a chance to go, what were some of the key things that you talked about there that people should note?

[Danny Jenkins]
OK. So the first presentation I did was on the main stage or keynote speaker. And it was about supply chain attacks.

And it was about the three different areas about where the supply chain can be a big hole in your security. And the first one being the one that most people are scared about, but the least likely is a SolarWinds Orion type event. And the most probable being the vulnerability that no one's scared of enough.

And that was the Kaseya, the Eternal Blue, those type of events that happened. So when we were, you know, we talked very much about this, what you can do to solve this, how you know what software is running in your environment. So if you are a ThreatLocker partner and you didn't notice, you can actually see every piece of software, categorize it and even what country it was developed in in your environment just by going to the applications page and filtering.

So we talked a lot about making sure you know what's in your environment, making sure you mitigate and limit risks. And understanding what you can do to mitigate supply chain attacks. That was the first one.

And the second one was really about how to create successful malware. Again, we always want people to know how the bad guys are thinking. If you know how the bad guys are thinking, you know how to defend.

All right.

[Uncle Marv]
Nice. Well, I don't know if I'll make it out to Vegas next year, but I will be working on making it to Orlando for Zero Trust World. But I need to talk to you about a trip up there to check out that swag room.

[Danny Jenkins]
Yeah. So you're welcome anytime and any of the partners are welcome to speak to your account manager and we'll get you in here. And Zero Trust World, like I said, I'll get you guys a coupon code so you can post it with the coupon code.

But if you do pass your Cyber Hero test, you get a refund at a ticket. It's a really great three days. You learn a lot.

And we have something like 80 to 90 percent renewal return rate of everyone who's attended it before because they really did like it as an event.

[Uncle Marv]
All right. Sounds fantastic. So folks, Danny Jenkins, CEO and co-founder of ThreatLocker.

And yes, I use them and I like them. So it'll be good. Danny, thanks for coming out and hanging with me and look forward to seeing you again soon.

Thank you, Marvin. All right, folks, that's going to do it. Thank you for downloading and listening to the show.

Be sure to subscribe to your favorite pod catcher and get notified whenever we have these here. You can head over to itbusinesspodcast.com. Do everything you need to do there.

But for now, that's going to be it for this episode. Again, thank you and we'll see you soon. And until then, Holla!