ThreatLocker and the NCSC Cyber Assessment Framework

11 min. read | Last update: 10.17.2023

Overview

The UK’s National Cyber Security Centre (NCSC) introduced the Cyber Assessment Framework (CAF) to help organisations responsible for essential functions, including government bodies, assess and improve their cyber security. The framework is published at:

https://www.ncsc.gov.uk/collection/caf/cyber-assessment-framework

When properly configured, ThreatLocker can assist organizations in meeting these objectives and principles. We have done our best to outline the objectives and principles that ThreatLocker supports. Where a principle is not listed, ThreatLocker is not involved in that process or does not currently support it.

Disclaimer: The mappings below describe what ThreatLocker can support when it is configured as described; they are not a claim of CAF compliance on behalf of any end user. If ThreatLocker policies are not configured correctly, they will not support the listed principles.

Objective A: Managing Security Risk

Appropriate organisational structures, policies, and processes are in place to understand, assess and systematically manage security risks to the network and information systems supporting essential functions.

Principle: A2 Risk Management

The organisation takes appropriate steps to identify, assess and understand security risks to the network and information systems supporting the operation of essential functions. This includes an overall organisational approach to risk management.

A2.a Risk Management Process

Your organisation has effective internal processes for managing risks to the security of network and information systems related to the operation of essential functions and communicating associated activities.

ThreatLocker can assist with providing insights and data to help manage risks to the security of network and information systems.

  • The ThreatLocker Health Report summarises ongoing activity in an organisation’s environment and pairs it with actionable recommendations, giving the organisation a clearer view of where its controls stand and where they should be strengthened.
  • The Unified Audit is a transactional history of everything that ThreatLocker is securing, including simulated denies (actions that would have been blocked) on machines that are not yet secured. Organisations can use the Unified Audit logs to see attempted and ongoing activity in their environment and make informed risk decisions.

Principle: A4 Supply Chain

The organisation understands and manages security risks to networks and information systems supporting the operation of essential functions that arise as a result of dependencies on external suppliers. This includes ensuring that appropriate measures are employed where third party services are used.

A4.a Supply Chain

Where third parties connect to your systems or exchange data with them, ThreatLocker can constrain that access with Storage Control and Network Control.

  • Storage Control allows you to manage data sharing by customizing whether a user can access different types of storage, such as USB drives, network shares and local folders. Additionally, you can configure Storage Control to only allow specific interfaces to access particular file paths.
  • Network Control manages inbound connections to your protected devices, allowing or denying traffic by source IP address, specific keywords, agent authentication or dynamic ACLs, using a simple server-client model.

Objective B: Protecting Against Cyber Attack

Proportionate security measures are in place to protect the network and information systems supporting essential functions from cyber attack.

Principle: B1 Service Protection Policies and Processes

The organisation defines, implements, communicates and enforces appropriate policies and processes that direct its overall approach to securing systems and data that support operation of essential functions.

B1.a Policy and Process Development

You have developed and continue to improve a set of cyber security and resilience policies and processes that manage and mitigate the risk of adverse impact on the essential function.

ThreatLocker can help organisations mitigate the risk of adverse impact by keeping systems secure even when user security policies and processes are not followed.

With properly configured ThreatLocker policies, activity that a policy forbids is blocked at the endpoint, whether or not the user is aware of, or chooses to follow, the written policy.

  • Application Control can restrict what applications can run in your environment, who can use them and when.
  • Network Control manages inbound connections to your protected devices, allowing or denying traffic by source IP address, specific keywords, agent authentication or dynamic ACLs, using a simple server-client model.
  • Storage Control allows you to customize whether a user can access different types of storage, such as USB drives, network shares and local folders. Additionally, you can configure Storage Control to only allow specific interfaces to access particular file paths.
  • Configuration Manager provides a centralized, policy-driven portal where IT admins can set configuration policies per individual endpoint, computer group, organization or across multiple organizations.
  • ThreatLocker Ops uses the telemetry data collected across all the ThreatLocker modules to identify and automatically respond to potential indicators of compromise or weakness in the environment.

Principle: B2 Identity and Access Control

The organisation understands, documents and manages access to networks and information systems supporting the operation of essential functions. Users (or automated functions) that can access data or systems are appropriately verified, authenticated and authorised.

B2.a Identity Verification, Authentication, and Authorisation

You robustly verify, authenticate and authorise access to the networks and information systems supporting your essential function.

ThreatLocker policies can be configured to allow access to networks and information systems only for authorised users, devices, groups, or organisations. ThreatLocker does not replace your identity provider or authentication mechanism; it enforces what an already-authenticated user, device or group may run, connect to or access.

  • Application Control can restrict what applications can run in your environment, who can use them and when.
  • Network Control manages inbound connections to your protected devices, allowing or denying traffic by source IP address, specific keywords, agent authentication or dynamic ACLs, using a simple server-client model.
  • Storage Control allows you to customize whether a user can access different types of storage, such as USB drives, network shares and local folders. Additionally, you can configure Storage Control to only allow specific interfaces to access particular file paths.

B2.c Privileged User Management

You closely manage privileged user access to networks and information systems supporting the essential function.

ThreatLocker can help organisations manage privileged user actions. 

  • ThreatLocker Elevation Control can be configured to let a standard user run a specific application with local administrator privileges, for a specified period of time, without granting that user local administrator rights.

B2.d Identity and Access Management (IdAM)

You closely manage and maintain identity and access control for users, devices and systems accessing the networks and information systems supporting the essential function.

ThreatLocker can support organisations as they monitor all user, device and systems access.

  • The Unified Audit is a transactional history of everything that ThreatLocker is securing, including simulated denies if the machine is not secured. 
  • ThreatLocker Ops uses the telemetry data collected across all the ThreatLocker modules to identify and automatically respond to potential indicators of compromise or weakness in the environment. For example, a ThreatLocker Ops policy can be configured to alert administrators to unauthorised user connection attempts.

Principle: B3 Data Security

Data stored or transmitted electronically is protected from actions such as unauthorised access, modification, or deletion that may cause an adverse impact on essential functions. Such protection extends to the means by which authorised users, devices and systems access critical data necessary for the operation of essential functions. It also covers information that would assist an attacker, such as design details of networks and information systems.

B3.a Understanding Data

You have a good understanding of data important to the operation of the essential function, where it is stored, where it travels and how unavailability or unauthorised access, modification or deletion would adversely impact the essential function. This also applies to third parties storing or accessing data important to the operation of essential functions.

ThreatLocker can help manage who has access to data and how users can interact with the data.

  • Storage Control allows you to customize whether a user can access different types of storage, such as USB drives, network shares and local folders. Additionally, you can configure Storage Control to only allow specific interfaces to access particular file paths.

B3.c Stored Data

You have protected stored data important to the operation of the essential function.

ThreatLocker can help protect stored data.

  • Storage Control allows you to customize whether a user can access different types of storage, such as USB drives, network shares and local folders. Access can be limited to read-only access or read and write access. Additionally, you can configure Storage Control to only allow specific interfaces to access particular file paths.

Principle: B4 System Security

Network and information systems and technology critical for the operation of essential functions are protected from cyber attack. An organisational understanding of risk to essential functions informs the use of robust and reliable protective security measures to effectively limit opportunities for attackers to compromise networks and systems.

B4.a Secure by Design

You design security into the network and information systems that support the operation of essential functions. You minimise their attack surface and ensure that the operation of the essential function should not be impacted by the exploitation of any single vulnerability.

ThreatLocker can help to minimize your attack surface and mitigate cyber attacks.

  • Application Control and Ringfencing™ can be configured to work together to only allow permitted applications to run in the environment and to ensure these permitted applications do not interact with or call out to other applications or powerful tools, such as PowerShell. 
  • Network Control regulates traffic, keeping ports closed and opening them on demand for authorized connections.

B4.b Secure Configuration

You securely configure the network and information systems that support the operation of essential functions.

ThreatLocker can assist with the secure configuration of the network and information systems.

  • Application Control and Ringfencing™ can be configured to work together to only allow permitted applications to run in the environment and to ensure these permitted applications do not interact with or call out to other applications or powerful tools, such as PowerShell. 
  • Network Control regulates traffic, keeping ports closed and opening them on demand for authorized connections.
  • Storage Control allows you to customize whether a user can access different types of storage, such as USB drives, network shares and local folders. Additionally, you can configure Storage Control to only allow specific interfaces to access particular file paths.

Principle: B6 Staff Awareness and Training

Staff have appropriate awareness, knowledge and skills to carry out their organisational roles effectively in relation to the security of network and information systems supporting the operation of essential functions.

B6.b Cyber Security Training

The people who support the operation of your essential function are appropriately trained in cyber security. A range of approaches to cyber security training, awareness and communications are employed.

ThreatLocker supports ongoing education for cyber security professionals. 

  • ThreatLocker provides a variety of resources for training through designated calls, ThreatLocker University courses and Knowledge Base articles.
  • ThreatLocker partners with the International Information Security Certification Consortium (ISC2) to provide continuing professional education credit for individuals who attend specified coursework within our online learning platform, ThreatLocker University, or at our live event, Zero Trust World.

Objective C: Detecting Cyber Security Events

Capabilities exist to ensure security defenses remain effective and to detect cyber security events affecting, or with the potential to affect, essential functions.

Principle: C1 Security Monitoring

The organisation monitors the security status of the networks and systems supporting the operation of essential functions in order to detect potential security problems and to track the ongoing effectiveness of protective security measures.

C1.a Monitoring Coverage

The data sources that you include in your monitoring allow for timely identification of security events which might affect the operation of your essential function.

ThreatLocker can help provide data to assist organisations as they monitor their networks and information systems.

  • The Unified Audit is a transactional history of everything that ThreatLocker is securing, including simulated denies if the machine is not secured. 
  • ThreatLocker Ops uses the telemetry data collected across all the ThreatLocker modules to identify and automatically respond to potential indicators of compromise or weakness in the environment.

C1.b Securing Logs

You hold logging data securely and grant read access only to accounts with business need. No employee should ever need to modify or delete logging data within an agreed retention period, after which it should be deleted.

ThreatLocker can assist with maintaining the integrity of logging data.

  • Storage Control allows you to customize whether a user can access different types of storage, such as USB drives, network shares and local folders. Access can be limited to read-only access or read and write access. Additionally, you can configure Storage Control to only allow specific interfaces to access particular file paths.
  • The Unified Audit is a transactional history of everything that ThreatLocker is securing, including simulated denies on machines that are not yet secured. Only administrators on your ThreatLocker account can view the audit logs, and administrator privileges can be restricted so that specific administrators cannot view the audit. You can also lock ThreatLocker staff out of your account. Audit entries cannot be deleted by anyone; they are removed only once they age past the configured retention period.

C1.c Generating Alerts

Evidence of potential security incidents contained in your monitoring data is reliably identified and triggers alerts.

ThreatLocker can be configured to trigger alerts on suspicious activity.

  • ThreatLocker Ops uses the telemetry data collected across all the ThreatLocker modules to identify and automatically respond to potential indicators of compromise or weakness in the environment.