Next-Gen PartnerOps Video Podcasts

Beyond the Dark Web: Zero Trust for Enterprise Security

Cyber threats are evolving at an unprecedented pace, and bad actors are now weaponizing AI. Traditional security approaches are no longer sufficient. This podcast dives deep into the critical need for a Zero Trust Security model, focusing on blocking first and permitting later to build truly resilient enterprise security defenses. Discover how understanding modern cybercriminals' methods, including those operating on the dark web, is essential for implementing proactive and effective protection strategies.

Sugata Sanyal, Founder & CEO of ZINFI, explores this topic in an insightful conversation with Danny Jenkins, founder and CEO of ThreatLocker. With over 20 years in cybersecurity, Danny founded ThreatLocker on the principle of denying by default, offering an endpoint cloud protection platform that hardens digital environments. This conversation explores the shift from reactive detection to proactive protection, the changing landscape of attack vectors, cybercrime's organized nature, and AI's critical role in offense and defense for enterprise security.

Listen to the full episode to gain actionable insights into fortifying your enterprise security posture against advanced cyber threats!

Video Podcast: Beyond the Dark Web: Zero Trust for Enterprise Security

Chapter 1: The Shifting Landscape of Cyber Threats and Endpoint Protection

The cybersecurity landscape has fundamentally evolved, moving beyond simple viruses to sophisticated and aggressive attacks like ransomware that steal data and hold businesses hostage. While signature-based intrusion prevention was once a primary defense, the constant evolution of malware, now even accelerated by AI generation, means that relying solely on detection is a losing battle. The focus for effective enterprise security must shift from trying to detect everything bad to simply blocking everything that isn't explicitly known and permitted. This proactive approach, known as "protect first, detect later," is a core principle for hardening endpoints and preventing initial compromises.

ThreatLocker's core strategy centers on endpoint and cloud protection, recognizing that the endpoint (computers and servers) is the primary point of entry for attackers. Unlike network traffic, which can be encrypted, a compromised endpoint grants access to everything the user can access. The challenge of a dissolving traditional network perimeter means endpoints travel outside the office, necessitating robust security directly on the device. By stopping unauthorized software, malware, and suspicious activities directly at the endpoint, ThreatLocker aims to limit the damage even if an attacker gains initial access, preventing lateral movement and further compromise.

This includes addressing behavioral indicators of compromise, not just known malware. Tools like Endpoint Detection and Response (EDR) identify suspicious activities (e.g., IP scanners, enumerating network shares) that, while not malware, indicate potential attacker presence. However, an EDR is only effective if its alerts are actively monitored and responded to 24/7, either by an in-house Security Operations Center (SOC) or a Managed Detection and Response (MDR) team. The ultimate goal is to enforce a deny-by-default posture, where any unapproved software or activity is blocked, rather than relying on the hope of detecting every new threat, which has proven to be a failing strategy for enterprise security.

Chapter 2: The Organized World of Cybercrime: Mimicking Go-to-Market Strategies

Cybercriminals, regardless of their motivation (individual, organized crime, or nation-state), employ surprisingly similar methods, mimicking the go-to-market strategies of legitimate businesses. At a fundamental level, most attacks involve gaining remote access (e.g., via open RDP ports or remote access tools), moving laterally within a network, and exploiting vulnerabilities. Social engineering remains the biggest single point of entry, where attackers trick users into running malicious software, knowing they only need one successful compromise to gain a foothold. Other prevalent attack vectors include configuration errors (e.g., vulnerable VPNs, exposed RDP ports) and exploiting software vulnerabilities or backdoors.

The level of effort and precision, however, varies significantly based on the target. For example, hackers targeting hundreds of small businesses for smaller ransoms (e.g., $20,000) will use mass-market approaches like widespread email blasts, aiming for a small success rate. Their investment is minimal, and they move quickly to extract value. In contrast, nation-state actors or highly organized groups targeting high-value entities like defense contractors or major corporations will invest substantial resources. This involves developing custom, never-before-seen malware and conducting extensive research to craft highly precise social engineering campaigns, ensuring a much higher success rate.

Cybercrime has evolved into a sophisticated, fragmented "supply chain." Individual "consultants" may specialize in one part of the attack chain, such as finding and exploiting vulnerable RDP servers to gain credentials, which they then sell on the dark web for thousands of dollars. Other, more coordinated groups then purchase this access to execute the full extortion or data exfiltration. This underground economy operates with its own "marketplaces" on the dark web, accessible via specialized browsers like Tor, constantly shifting URLs to evade authorities who cannot simply "shut down the internet." These bad actors effectively mimic legitimate business structures, complete with "marketing specialists, sales specialists, cold callers, and quotas," underscoring the organized nature of threats to enterprise security.

Chapter 3: Zero Trust Principles: Hardening Environments and Limiting Damage

ThreatLocker's roadmap and product development are driven by a core philosophy: making it easier to implement robust Zero Trust Security and "deny by default" principles. Historically, very few organizations adopted a block-first approach due to its perceived difficulty. The strategy centers on removing unnecessary privileges from computer systems without disrupting legitimate user functions or breaking essential software like Microsoft Office or Chrome. This is akin to modern car locking systems: easier to use means more likely to be used, thus improving security by default. By focusing on "how do I make it easier to do security right," organizations can avoid constantly chasing new attacks, a perpetually losing battle.

The "deny by default" or allow-listing approach means that unless software is explicitly approved by the business, it is blocked, regardless of whether it's known malware or not. This is a crucial distinction from traditional antivirus, which relies on detecting "bad" software. Beyond simply allowing or denying, ThreatLocker also implements granular controls: even approved software is constrained to only do what it needs to do and access only what it needs to access. For example, Microsoft Office is allowed, but it won't be permitted to talk to PowerShell, limiting potential damage even if Office is compromised.

This "constraining once it's in the environment" principle ensures that even if something malicious slips through by mistake, its potential to cause damage is massively limited. This is a layered approach, similar to how one might allow someone into their house but restrict their access to certain rooms. This focus on minimal privilege and constrained execution is paramount for enterprise security, especially with the proliferation of new, AI-generated malware that may bypass traditional signature-based detections. By enforcing strict controls on what is allowed to run and what those allowed applications can do, organizations can build a much more resilient defense against evolving cyber threats.
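To make the two ideas in this chapter concrete, the following is an added example (not ThreatLocker's code, and not a description of its product's policy format) of a minimal deny-by-default policy engine in Python. The first layer is the allow list: an executable that matches no approved application is blocked whether or not anyone has ever seen it before. The second layer is the "constrain once it's in" rule, modelled here as per-application limits on which other applications an approved app may launch and where it may write. The application names, path globs, and the sample events (a Word process trying to start PowerShell, an unknown binary in Downloads, and ordinary document saves) are all constructed for the illustration.

```python
# Deny-by-default allow-listing with per-application constraints.
# Added example, not ThreatLocker's code: the policy schema, application
# names, paths and events below are constructed for illustration.
from dataclasses import dataclass
from fnmatch import fnmatchcase


@dataclass(frozen=True)
class AppPolicy:
    name: str
    paths: tuple            # globs for executables covered by this policy
    children: tuple = ()    # policy names this app may launch (empty: none)
    writable: tuple = ()    # globs this app may write to (empty: nowhere)


@dataclass(frozen=True)
class Event:
    kind: str               # "execute" or "write"
    process: str            # full path of the process acting
    parent: str = ""        # launching process, for "execute"
    target: str = ""        # file path, for "write"


def _glob(path, patterns):
    # Case-insensitive glob match; '*' also crosses path separators.
    path = path.lower()
    return any(fnmatchcase(path, p.lower()) for p in patterns)


class Policy:
    def __init__(self, apps):
        self.apps = list(apps)

    def classify(self, path):
        """Return the AppPolicy covering an executable, or None if unapproved."""
        for app in self.apps:
            if _glob(path, app.paths):
                return app
        return None

    def check_execute(self, path, parent):
        app = self.classify(path)
        if app is None:                      # layer 1: not on the allow list
            return (False, "deny-by-default: not on the allow list")
        parent_app = self.classify(parent)
        if parent_app is None:
            return (False, "deny: launched by an unapproved parent")
        if app.name not in parent_app.children:   # layer 2: parent constraint
            return (False, f"ringfence: {parent_app.name} may not launch {app.name}")
        return (True, f"allow: {app.name} launched by {parent_app.name}")

    def check_write(self, path, target):
        app = self.classify(path)
        if app is None:
            return (False, "deny-by-default: not on the allow list")
        if not _glob(target, app.writable):        # layer 2: file constraint
            return (False, f"ringfence: {app.name} may not write to {target}")
        return (True, f"allow: {app.name} write to {target}")

    def evaluate(self, event):
        if event.kind == "execute":
            return self.check_execute(event.process, event.parent)
        if event.kind == "write":
            return self.check_write(event.process, event.target)
        return (False, f"deny: unknown event kind {event.kind!r}")


# Constructed policy: Office is approved but may launch nothing and may only
# write under the user's Documents and Temp folders.
EXAMPLE_POLICY = Policy([
    AppPolicy("Explorer", (r"C:\Windows\explorer.exe",),
              children=("Office", "Chrome", "PowerShell")),
    AppPolicy("Office", (r"C:\Program Files*\Microsoft Office\*\winword.exe",
                         r"C:\Program Files*\Microsoft Office\*\excel.exe"),
              writable=(r"C:\Users\*\Documents\*",
                        r"C:\Users\*\AppData\Local\Temp\*")),
    AppPolicy("Chrome", (r"C:\Program Files\Google\Chrome\Application\chrome.exe",),
              writable=(r"C:\Users\*\Downloads\*",)),
    AppPolicy("PowerShell", (r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",),
              writable=(r"C:\Users\*\*",)),
])

WINWORD = r"C:\Program Files\Microsoft Office\root\Office16\winword.exe"

# Constructed sample events, in order: normal Word launch, Word spawning
# PowerShell, an unknown download executing, a document save, and a write
# into the Startup folder.
SAMPLE_EVENTS = [
    Event("execute", WINWORD, parent=r"C:\Windows\explorer.exe"),
    Event("execute", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
          parent=WINWORD),
    Event("execute", r"C:\Users\bob\Downloads\invoice.exe",
          parent=r"C:\Windows\explorer.exe"),
    Event("write", WINWORD, target=r"C:\Users\bob\Documents\report.docx"),
    Event("write", WINWORD,
          target=r"C:\Users\bob\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\run.vbs"),
]


def evaluate_all(policy=EXAMPLE_POLICY, events=SAMPLE_EVENTS):
    """Return a list of (allowed, reason) tuples, one per event, in order."""
    return [policy.evaluate(e) for e in events]


if __name__ == "__main__":
    for event, (allowed, reason) in zip(SAMPLE_EVENTS, evaluate_all()):
        print("ALLOW" if allowed else "BLOCK", event.kind,
              event.process.rsplit("\\", 1)[-1], "-", reason)
```

Two points are worth noticing when running it. The unknown binary in Downloads is blocked without any notion of whether it is malicious, which is the whole argument of the chapter: the policy never has to recognise the threat. And Word is allowed to run and to save documents, yet both the PowerShell launch and the write into the Startup folder are refused by the second layer, so an approved-but-compromised application is contained rather than trusted. A production engine would identify executables by hash and signer rather than by path glob alone, since a path is trivially spoofable; the glob is used here only to keep the example short.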

Chapter 4: AI in Cybersecurity: Offense, Defense, and Productivity Impact

The advent of AI, particularly large language models (LLMs) like ChatGPT, has dramatically changed the cybersecurity landscape by democratizing malware generation. What once required specialized development skills to create custom malware can now be achieved with simple prompts. While major AI providers like Google and Microsoft attempt to build in ethical guardrails, preventing direct requests for malicious code, sophisticated attackers can bypass these restrictions by rephrasing requests as legitimate activities (e.g., "backup files to cloud" instead of "steal data," or "light RMM tool" instead of "reverse shell"). This capability allows for the on-the-fly generation of novel malware that traditional signature-based defenses may not recognize, emphasizing the critical importance of a Zero Trust Security model that blocks anything not explicitly permitted.

Despite these offensive capabilities, AI also plays a role in enhancing enterprise security defenses and improving productivity. Danny Jenkins views AI as a "glorified spell checker and document creator" that significantly accelerates tasks like research, helping analyze large documents (e.g., 10Ks) for risks and initiatives faster. ThreatLocker uses AI extensively in its web filtering component, where AI processes website content to provide an immediate 80% accuracy in classifying unknown sites (e.g., adult vs. business). While human review achieves higher accuracy (99.1-99.4%), combining AI with human oversight further boosts accuracy (e.g., to 99.95%), demonstrating AI's value in augmenting human capabilities, not replacing them.

The broader impact of AI on jobs is a frequent discussion point, with analogies drawn to the impact of robotics. While AI may replace certain jobs, it is also expected to create more higher-paid jobs, leading to a net positive societal outcome. In the context of social engineering, Danny Jenkins believes people generally prefer real human interaction or transparent AI tools over "fake bots." He anticipates increased self-service with AI for quick answers, allowing human support to focus on more complex issues, thereby enhancing overall productivity and customer experience without relying on deceptive AI personas. The continued adoption of core security practices like Zero Trust and multi-factor authentication, even if gradual, remains the most exciting prospect for improving enterprise security in the coming years.

Chapter 5: Educating the Market: ThreatLocker's Go-to-Market Strategy

ThreatLocker's go-to-market strategy is heavily focused on education, differentiating itself from companies selling established solutions like EDR. Since the company champions a "block by default" approach that was initially adopted by a tiny fraction of the market, their primary objective is to educate their target audience on why this security posture is important. This involves a massive educational push, exemplified by attending an astounding 850 trade shows last year globally. At these events, ThreatLocker conducts thought leadership sessions, demonstrates how hackers bypass traditional antivirus, and presents their solution, aiming to inform, rather than just sell.

Beyond trade shows, their education engine includes a webinar series on "How to Secure Your Environment," a YouTube channel with videos, and thought leadership whitepapers. The philosophy is that if they provide the best tool for the job and educate people on the right security practices, all roads will naturally lead back to ThreatLocker. This extensive outreach is supported by a large global team, with over 500 employees in Orlando, Florida, and smaller offices in Dublin, Abu Dhabi, and Australia, ensuring local language support and efficient coordination of events. The internal operations are so streamlined that they developed their own portal to manage event logistics, down to details like clothing and meeting schedules, demonstrating their commitment to high-volume, impactful engagement.

Partners play a crucial role in ThreatLocker's ecosystem-driven go-to-market. A significant portion of their business is conducted through Managed Service Providers (MSPs), who serve small businesses lacking in-house IT or security resources. ThreatLocker collaborates with these 5,000-6,000 MSPs to run campaigns that educate not just IT professionals, but also CEOs of small businesses, often through channels like Chambers of Commerce. Additionally, traditional channel partners like Value Added Resellers (VARs) and distributors are vital for extending reach, helping to coordinate meetings with CISOs at global events and fostering thought leadership. Alliances with PSA tool providers like Kaseya and Connectwise further expand their market presence through integrations and event sponsorships. This multi-pronged, education-first approach is key to driving the adoption of Zero Trust Security and strengthening enterprise security broadly.