ThreatLocker and The Center for Internet Security's (CIS) Critical Security Controls

21 min. read. Last update: 07.05.2023

Version 8

Use Case: The purpose of the information below is to help the reader understand how ThreatLocker can support CIS-CSC compliance. For each of Controls 1-18, we have outlined whether and how we can support that control. We have made our best effort to define which products support each sub-section. Where a sub-section is not listed, we do not support that sub-section.
Disclaimer: We make no claim on the end-user. If ThreatLocker policies are not configured correctly, they will not support controls.  

Control 1: Inventory and Control of Enterprise Assets  

"Actively manage (inventory, track, and correct) all enterprise assets (end-user devices, including portable and mobile; network devices; non-computing/Internet of Things (IoT) devices; and servers) connected to the infrastructure physically, virtually, remotely, and those within cloud environments, to accurately know the totality of assets that need to be monitored and protected within the enterprise. This will also support identifying unauthorized and unmanaged assets to remove or remediate."

  • ThreatLocker does not currently support this control. 

Control 2: Inventory and Control of Software Assets 

"Actively manage (inventory, track, and correct) all software (operating systems and applications) on the network so that only authorized software is installed and can execute, and that unauthorized and unmanaged software is found and prevented from installation or execution."

  • 2.1 Establish and Maintain a Software Inventory 
    • ThreatLocker can help establish and maintain a detailed inventory of all licensed software installed on enterprise assets.  
    • When a device is in Learning Mode, nothing is blocked or interrupted. The agent logs what is running in the environment, including all executables, libraries, and scripts. 
    • Application Allowlisting can restrict what applications can run in your environment, who can use them, and when.  
  • 2.2 Ensure Authorized Software is Currently Supported 
    • ThreatLocker can help ensure that only currently supported software is designated as authorized in the software inventory for enterprise assets. 
    • ThreatLocker provides Built-In Application Definitions for many popular business applications. These are predefined Application Definitions that are created and maintained by ThreatLocker. They contain all the files required to run an application.  
  • 2.3 Address Unauthorized Software 
    • ThreatLocker can help ensure that unauthorized software is either removed from use on enterprise assets or receives a documented exception. 
    • Using the ThreatLocker solution, you can default deny any application from running on your machine that is not a part of the allow list. 
    • Application Allowlisting can restrict what applications can run in your environment, who can use them, and when.  
  • 2.4 Utilize Automated Software Inventory Tools 
    • Although ThreatLocker is not itself a software inventory tool that automates the discovery and documentation of installed software throughout the enterprise, it can help with this control.
    • Application Allowlisting can restrict what applications can run in your environment, who can use them, and when.  
    • Using the ThreatLocker solution, you can default deny any application from running on your machine that is not a part of the allow list. 
    • ThreatLocker Ops uses the telemetry data collected across all the ThreatLocker modules to identify and respond to potential indicators of compromise or weakness in the environment (e.g., a vulnerable version of MS Exchange). Once a parameter is set, users can configure action steps to take (e.g., automated notifications or blocking access) if the parameter is met.
  • 2.5 Allowlist Authorized Software 
    • ThreatLocker uses technical controls, such as application allowlisting, to ensure that only authorized software can execute or be accessed.  
    • Application Allowlisting can restrict what applications can run in your environment, who can use them, and when.  
  • 2.6 Allowlist Authorized Libraries 
    • ThreatLocker uses technical controls, such as application allowlisting, to ensure that only authorized software can execute or be accessed. 
    • Application Allowlisting can restrict what libraries can run in your environment, who can use them, and when.
  • 2.7 Allowlist Authorized Scripts 
    • ThreatLocker uses technical controls, such as application allowlisting, to ensure that only authorized software can execute or be accessed.  
    • Application Allowlisting can restrict what scripts can run in your environment, who can use them, and when.   
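The bullets for 2.1 through 2.7 describe one mechanism from several angles: a default deny for executables, libraries and scripts; policies scoped to who may run a file and when; a learning mode that blocks nothing but records what would have been denied; and an audit trail from which the software inventory is built. The following is an added example that models that behaviour; it is not ThreatLocker's code, and the policy fields, event fields, hashes and paths are constructed assumptions.

```python
"""Model of a default-deny application allowlist with a learning mode.

Added illustration, not ThreatLocker's code. Executables, libraries and
scripts are denied unless a policy permits them; a policy can be scoped to
who may run the file and when; in learning mode nothing is blocked, but what
would have been denied is recorded as a simulated deny. Field names and the
sample data are assumptions.
"""
from dataclasses import dataclass
from datetime import datetime, time
from typing import Optional


@dataclass(frozen=True)
class Policy:
    name: str
    kind: str                       # "executable", "library" or "script"
    path_prefix: str                # the file must live under this path
    sha256: Optional[str] = None    # pin to one file hash; None = any file under the path
    users: frozenset = frozenset()  # who may run it; empty = any user
    start: Optional[time] = None    # allowed time window (both bounds or neither)
    end: Optional[time] = None


@dataclass(frozen=True)
class Execution:
    kind: str
    path: str
    sha256: str
    user: str
    at: datetime


@dataclass(frozen=True)
class AuditRecord:
    action: str                     # "permit", "deny" or "simulated-deny"
    policy: Optional[str]           # name of the matching policy, if any
    event: Execution


class Allowlist:
    """Default deny: an execution is permitted only when some policy matches it."""

    def __init__(self, policies, learning_mode=False):
        self.policies = list(policies)
        self.learning_mode = learning_mode
        self.audit = []             # transactional history of every decision

    @staticmethod
    def _matches(p, ev):
        if p.kind != ev.kind or not ev.path.startswith(p.path_prefix):
            return False
        if p.sha256 is not None and p.sha256 != ev.sha256:
            return False            # a modified file no longer matches a hash-pinned policy
        if p.users and ev.user not in p.users:
            return False
        if p.start is not None and p.end is not None:
            if not (p.start <= ev.at.time() <= p.end):
                return False
        return True

    def evaluate(self, ev):
        for p in self.policies:
            if self._matches(p, ev):
                self.audit.append(AuditRecord("permit", p.name, ev))
                return "permit"
        # Nothing matched: block when secured, only record when learning.
        action = "simulated-deny" if self.learning_mode else "deny"
        self.audit.append(AuditRecord(action, None, ev))
        return action


def run(events, policies, learning_mode):
    """Evaluate every event and return (decisions, audit trail)."""
    al = Allowlist(policies, learning_mode)
    return [al.evaluate(e) for e in events], al.audit


def inventory_from_audit(audit):
    """Distinct (kind, path, hash) triples observed: the raw material for a software inventory."""
    return sorted({(r.event.kind, r.event.path, r.event.sha256) for r in audit})


# Constructed sample policies and events (not real hashes or paths from any deployment).
OFFICE = "C:\\Program Files\\Microsoft Office\\"
POLICIES = [
    Policy("Office Excel", "executable", OFFICE, sha256="a1" * 32),
    Policy("Ops scripts", "script", "C:\\Ops\\Scripts\\",
           users=frozenset({"bob"}), start=time(8, 0), end=time(18, 0)),
]
SAMPLE_EVENTS = [
    Execution("executable", OFFICE + "EXCEL.EXE", "a1" * 32, "alice", datetime(2023, 5, 7, 10, 0)),
    Execution("executable", OFFICE + "EXCEL.EXE", "b2" * 32, "alice", datetime(2023, 5, 7, 10, 5)),  # hash changed
    Execution("script", "C:\\Ops\\Scripts\\rotate-logs.ps1", "c3" * 32, "bob", datetime(2023, 5, 7, 9, 0)),
    Execution("script", "C:\\Ops\\Scripts\\rotate-logs.ps1", "c3" * 32, "bob", datetime(2023, 5, 7, 2, 0)),  # outside window
    Execution("library", "C:\\Users\\alice\\Downloads\\helper.dll", "d4" * 32, "alice", datetime(2023, 5, 7, 10, 7)),
]

if __name__ == "__main__":
    for mode in (False, True):
        decisions, audit = run(SAMPLE_EVENTS, POLICIES, learning_mode=mode)
        print("learning" if mode else "secured", decisions)
    print("inventory:", inventory_from_audit(audit))
```

The same five events produce permit/deny in secured mode and permit/simulated-deny in learning mode, so the learning-mode audit trail is a complete record of what the enforced policy would block, and the distinct (kind, path, hash) triples in that trail are exactly what an inventory needs before policies are written.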

Control 3: Data Protection 

"Develop processes and technical controls to identify, classify, securely handle, retain, and dispose of data."

  • 3.2 Configure Data Access Control Lists 
    • ThreatLocker can help configure data access control lists based on a user’s need to know. 
    • Application Allowlisting can restrict what applications can run in your environment, who can use them, and when. 
    • Storage Control allows you to customize whether a user can access different types of storage such as USB drives, network shares, and local folders. Additionally, you can configure Storage Control to only allow specific interfaces to access particular file paths. 
  • 3.5 Encrypt Data on End-User Devices 
    • ThreatLocker can help enforce encryption of data on end-user devices containing sensitive data. 
    • ThreatLocker’s Configuration Manager can help by alerting if Windows BitLocker is not enabled.
    • Storage Control allows you to customize whether a user can access different types of storage such as USB drives, network shares, and local folders. Additionally, you can configure Storage Control to only allow specific interfaces to access particular file paths. Storage Control can be used to enforce encryption on removable media by only permitting data access to encrypted devices.  
  • 3.8 Encrypt Data on Removable Media 
    • ThreatLocker can help enforce encryption of data on end-user devices containing sensitive data. 
    • ThreatLocker’s Configuration Manager can help by alerting if Windows BitLocker is not enabled. 
    • Storage Control allows you to customize whether a user can access different types of storage such as USB drives, network shares, and local folders. Additionally, you can configure Storage Control to only allow specific interfaces to access particular file paths. Storage Control can be used to enforce encryption on removable storage devices by only permitting data access to encrypted devices.
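The Storage Control bullets under 3.2, 3.5 and 3.8 describe a per-user, per-storage-type policy that can be narrowed to specific interfaces (applications) and file paths, and that can require removable media to be encrypted before any data access is permitted. The following added example models that decision; it is not ThreatLocker's code, and the field names, user names, share paths and sample accesses are constructed.

```python
"""Model of a storage access control policy: storage type, user, interface and path.

Added illustration, not ThreatLocker's code. A user's access to USB drives,
network shares and local folders is denied by default; a policy may restrict a
path to specific interfaces (applications); and a removable-media policy may
require the device to report encryption. Field names and sample data are
assumptions.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class StoragePolicy:
    name: str
    storage_type: str                     # "usb", "network_share" or "local"
    path_prefix: str                      # "" matches every path of that storage type
    users: frozenset = frozenset()        # empty = any user
    interfaces: frozenset = frozenset()   # applications allowed to touch the path; empty = any
    require_encrypted: bool = False       # removable media must report encryption


@dataclass(frozen=True)
class StorageAccess:
    user: str
    storage_type: str
    interface: str                        # application performing the access
    path: str
    device_encrypted: bool = False


def decide(policies, access):
    """Default deny: permit only if a policy matches every attribute of the access."""
    for p in policies:
        if p.storage_type != access.storage_type:
            continue
        if not access.path.startswith(p.path_prefix):
            continue
        if p.users and access.user not in p.users:
            continue
        if p.interfaces and access.interface not in p.interfaces:
            continue
        if p.require_encrypted and not access.device_encrypted:
            continue                      # an unencrypted removable device never matches
        return "permit", p.name
    return "deny", None


def decide_all(policies, accesses):
    return [decide(policies, a)[0] for a in accesses]


# Constructed sample policies and accesses.
POLICIES = [
    StoragePolicy("Finance share via backup tool", "network_share", "\\\\fs01\\finance\\",
                  users=frozenset({"alice"}), interfaces=frozenset({"backup.exe"})),
    StoragePolicy("Encrypted USB for field staff", "usb", "",
                  users=frozenset({"bob"}), require_encrypted=True),
    StoragePolicy("Local documents", "local", "C:\\Users\\"),
]
SAMPLE_ACCESSES = [
    StorageAccess("alice", "network_share", "backup.exe", "\\\\fs01\\finance\\ledger.xlsx"),
    StorageAccess("alice", "network_share", "chrome.exe", "\\\\fs01\\finance\\ledger.xlsx"),   # wrong interface
    StorageAccess("bob", "usb", "explorer.exe", "E:\\report.docx", device_encrypted=True),
    StorageAccess("bob", "usb", "explorer.exe", "E:\\report.docx", device_encrypted=False),   # unencrypted stick
    StorageAccess("carol", "usb", "explorer.exe", "E:\\report.docx", device_encrypted=True),  # no USB policy for carol
    StorageAccess("carol", "local", "winword.exe", "C:\\Users\\carol\\Documents\\notes.docx"),
]

if __name__ == "__main__":
    for a, d in zip(SAMPLE_ACCESSES, decide_all(POLICIES, SAMPLE_ACCESSES)):
        print(d, a.user, a.storage_type, a.interface, a.path)
```

The interface check is what makes the share policy a need-to-know control rather than a plain share permission: the same user reaching the same path through a browser is denied, and the encryption flag turns the removable-media policy into an enforcement of encryption rather than a reminder.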

Control 4: Secure Configuration of Enterprise Assets and Software 

"Establish and maintain the secure configuration of enterprise assets (end-user devices, including portable and mobile; network devices; non-computing/IoT devices; and servers) and software (operating systems and applications)."

  • 4.4 Implement and Manage a Firewall on Servers
    • ThreatLocker can help implement and manage a firewall on servers. 
    • Network Control is an endpoint firewall that allows total control of inbound traffic to your protected devices based on IP addresses, specific keywords, agent authentication, or dynamic ACLs, using a simple server-client connection.
  • 4.5 Implement and Manage a Firewall on End-User Devices 
    • ThreatLocker can help implement and manage a firewall on end-user devices.  
    • Network Control is an endpoint firewall that allows total control of inbound traffic to your protected devices based on IP addresses, specific keywords, agent authentication, or dynamic ACLs, using a simple server-client connection.
  • 4.8 Uninstall or Disable Unnecessary Services on Enterprise Assets and Software 
    • ThreatLocker will not uninstall or disable services on Enterprise Assets or Software, but it can help with implementing this control. 
    • Application Control can restrict which applications can run in your environment, who can use them, and when.   
    • Using the ThreatLocker solution, you can default deny any application from running on your machine that is not a part of the allow list.  

Control 5: Account Management 

"Use processes and tools to assign and manage authorization to credentials for user accounts, including administrator accounts, as well as service accounts, to enterprise assets and software."

  • ThreatLocker does not currently support these controls.  

Control 6: Access Control Management 

"Use processes and tools to create, assign, manage, and revoke access credentials and privileges for user, administrator, and service accounts for enterprise assets and software."

  • 6.1 Establish an Access Granting Process 
    • ThreatLocker can help establish and maintain an access granting process.  
    • Application Allowlisting can restrict which applications can run in your environment, who can use them, and when.  
    • Storage Control allows you to customize whether a user can access different types of storage such as USB drives, network shares, and local folders. Additionally, you can configure Storage Control to only allow specific interfaces to access particular file paths. 
  • 6.2 Establish an Access Revoking Process 
    • ThreatLocker can help establish and maintain an access revoking process.  
    • Application Allowlisting can restrict which applications can run in your environment, who can use them, and when.  
    • Storage Control allows you to customize whether a user can access different types of storage such as USB drives, network shares, and local folders. Additionally, you can configure Storage Control to only allow specific interfaces to access specific file paths. 
  • 6.8 Define and Maintain Role-Based Access Control 
    • ThreatLocker can help define and maintain role-based access control. 
    • Using ThreatLocker Elevation Control you can eliminate the need for local administrator accounts. You can get as granular as limiting the elevation for a single file within an application if that is all that is needed.    

Control 7: Continuous Vulnerability Management 

"Develop a plan to continuously assess and track vulnerabilities on all enterprise assets within the enterprise’s infrastructure, in order to remediate, and minimize, the window of opportunity for attackers. Monitor public and private industry sources for new threat and vulnerability information."

  • 7.1 Establish and Maintain a Vulnerability Management Process 
    • ThreatLocker can help establish and maintain a vulnerability management process. 
    • ThreatLocker Ops is a comprehensive threat detection and behavior monitoring tool which can be used to set intrusion detection parameters.  
    • ThreatLocker’s Health Center can identify vulnerable machines and link to the offending policies for immediate revision. 
  • 7.5 Perform Automated Vulnerability Scans of Internal Enterprise Assets 
    • ThreatLocker can help with automated vulnerability scans of internal enterprise assets. 
    • The ThreatLocker Agent is the overarching program that allows devices to interact with other devices over a network. All users, all devices, and their interactions are logged within the uneditable Unified Audit.
    • ThreatLocker’s Health Center can identify vulnerable machines and link to the offending policies for immediate revision. 
    • ThreatLocker Ops uses the telemetry data collected across all the ThreatLocker modules to identify and respond to potential indicators of compromise or weakness in the environment (e.g., a vulnerable version of MS Exchange). Once a parameter is set, users can configure action steps to take (e.g., automated notifications or blocking access) if the parameter is met.
  • 7.6 Perform Automated Vulnerability Scans of Externally-Exposed Enterprise Assets 
    • ThreatLocker can help with automated vulnerability scans of externally-exposed enterprise assets.
    • The ThreatLocker Agent is the overarching program that allows devices to interact with other devices over a network. All users, all devices, and their interactions are logged within the uneditable Unified Audit.
    • ThreatLocker’s Health Center can identify vulnerable machines and link to the offending policies for immediate revision. 
    • ThreatLocker Ops uses the telemetry data collected across all the ThreatLocker modules to identify and respond to potential indicators of compromise or weakness in the environment (e.g., a vulnerable version of MS Exchange). Once a parameter is set, users can configure action steps to take (e.g., automated notifications or blocking access) if the parameter is met.
  • 7.7 Remediate Detected Vulnerabilities 
    • ThreatLocker can help with remediation of detected vulnerabilities. 
    • ThreatLocker’s Health Center can identify vulnerable machines and link to the offending policies for immediate revision. 
    • ThreatLocker Ops uses the telemetry data collected across all the ThreatLocker modules to identify and respond to potential indicators of compromise or weakness in the environment (e.g., a vulnerable version of MS Exchange). Once a parameter is set, users can configure action steps to take (e.g., automated notifications or blocking access) if the parameter is met.

Control 8: Audit Log Management 

"Collect, alert, review, and retain audit logs of events that could help detect, understand, or recover from an attack."

  • 8.1 Establish and Maintain an Audit Log Management Process 
    • ThreatLocker can help with the establishment and maintenance of an audit log management process. 
    • The Unified Audit is a transactional history of everything that ThreatLocker is securing, including simulated denies if the machine is not secured.  
  • 8.2 Collect Audit Logs 
    • ThreatLocker can help with collection of audit logs. 
    • The Unified Audit is a transactional history of everything that ThreatLocker is securing, including simulated denies if the machine is not secured.  
  • 8.3 Ensure Adequate Audit Log Storage 
    • ThreatLocker can help with ensuring adequate audit log storage. 
    • The Unified Audit is a transactional history of everything that ThreatLocker is securing, including simulated denies if the machine is not secured. The Unified Audit collects and stores uneditable records for a minimum of 30 days, and that retention period can be extended indefinitely.
  • 8.5 Collect Detailed Audit Logs 
    • ThreatLocker can help with the collection of detailed audit logs. 
    • The Unified Audit is a transactional history of everything that ThreatLocker is securing, including simulated denies if the machine is not secured. The Unified Audit collects data on the device name, location, interactions with servers, programs, storage locations, networks, certificates, URLs, etc., along with any interactive devices on the receiving end of the transaction. 
  • 8.9 Centralize Audit Logs 
    • ThreatLocker can help with creating centralized audit logs. 
    • The Unified Audit is a transactional history of everything that ThreatLocker is securing, including simulated denies if the machine is not secured. The Unified Audit collects and stores uneditable records for a minimum of 30 days and is only available to those with access to the ThreatLocker portal. 
  • 8.10 Retain Audit Logs 
    • ThreatLocker can help with retaining audit logs. 
    • The Unified Audit is a transactional history of everything that ThreatLocker is securing, including simulated denies if the machine is not secured. The Unified Audit collects and stores uneditable records for a minimum of 30 days, and that retention period can be extended indefinitely.
  • 8.11 Conduct Audit Log Reviews 
    • While ThreatLocker cannot conduct audit reviews itself, it can help with this control.
    • The Unified Audit is a transactional history of everything that ThreatLocker is securing, including simulated denies if the machine is not secured. The Unified Audit collects and stores uneditable records for a minimum of 30 days. Records can be exported, if desired, for offline parsing. 
    • ThreatLocker’s Health Center can identify vulnerable machines and link to the offending policies for immediate revision.   

Control 9: Email and Web Browser Protections 

"Improve protections and detections of threats from email and web vectors, as these are opportunities for attackers to manipulate human behavior through direct engagement."

  • 9.3 Maintain and Enforce Network-Based URL Filters 
    • ThreatLocker can help maintain and enforce network-based URL filters. 
    • Ringfencing™ lets you specify what an application can interact with (e.g., other applications, your files, the internet, or the registry). Admins can create a Tag of known malicious domains and apply that Tag to any application, such as the permitted web browsers in their organization.
  • 9.4 Restrict Unnecessary or Unauthorized Browser and Email Client Extensions 
    • ThreatLocker can help restrict unnecessary or unauthorized browser and email client extensions.
    • Allowlisting operates using a default deny. Any unapproved browser extensions will be blocked until they are approved and permitted.
    • Ringfencing™ lets you specify what an application can interact with (e.g., other applications, your files, the internet, or the registry).
  • 9.6 Block Unnecessary File Types 
    • While ThreatLocker can't block unnecessary file types attempting to enter the email gateway, ThreatLocker can help prevent unnecessary file types from executing. 
    • Using the ThreatLocker Platform, you can default deny any application or file type from running on any machine that is not a part of the allowed policy list. 
    • Application Allowlisting can restrict which applications can run in your environment, who can use them, and when.  
    • Ringfencing™ lets you specify what an application can interact with (e.g., other applications, your files, the internet, or the registry).
    • Configuration Manager policies can be set to disable Office macros, and disable OLE in Office documents.

Control 10: Malware Defenses 

"Prevent or control the installation, spread, and execution of malicious applications, code, or scripts on enterprise assets."  

  • 10.1 Deploy and Maintain Anti-Malware Software
    • ThreatLocker can assist in deploying anti-malware software on all enterprise assets.
    • ThreatLocker Allowlisting restricts which applications, scripts, and libraries can run in your environment, using a default deny, so any unapproved software, script, or library will be blocked.
    • Ringfencing™ lets you specify what an application can interact with (e.g., other applications, your files, the internet, or the registry), so if malware does attempt to abuse a permitted application, the impact is reduced.
  • 10.2 Configure Automatic Anti-Malware Signature Updates 
    • ThreatLocker can help with the configuration of automatic anti-malware signature updates.
    • Using the ThreatLocker Platform, you can default-deny all applications or file types which are not a part of the allowed policy list from running on any machine.  
    • Application Allowlisting can restrict which applications can run in your environment, who can use them, and when. Everything else is blocked.
    • Ringfencing™ lets you specify what an application can interact with (e.g., other applications, your files, the internet, or the registry).
    • ThreatLocker can be set to automatically update its version so that as changes are made to ThreatLocker, it will be updated in your environment according to the Update Channel specified by you.
  • 10.6 Centrally Manage Anti-Malware Software 
    • ThreatLocker can help with centrally managing anti-malware software.
    • The ThreatLocker Agent is the overarching program that allows devices to interact with other devices over a network. All users, all devices, and their interactions are logged within the uneditable Unified Audit.
    • ThreatLocker’s Health Center is a bird’s eye view of the entire organization and can identify vulnerable machines and link to the offending policies for immediate revision. 
    • ThreatLocker Ops uses the telemetry data collected across all the ThreatLocker modules to identify and respond to potential indicators of compromise or weakness in the environment (e.g., a vulnerable version of MS Exchange). Once a parameter is set, users can configure action steps to take (e.g., automated notifications or blocking access) if the parameter is met.
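Controls 9 (9.3, 9.4, 9.6) and 10 (10.1, 10.2) all lean on the same Ringfencing idea: an application that is allowed to run is still limited in which other applications it may launch, which files it may touch, whether it may use the registry or the internet, and, through a named Tag of domains, which hosts it must not reach. The following added example models those decisions for a browser and a word processor; it is not ThreatLocker's code, and the field names, Tag contents, application names and sample interactions are constructed.

```python
"""Model of Ringfencing-style limits on what a permitted application may touch.

Added illustration, not ThreatLocker's code. Even an allowed application can
be limited in which other applications it may launch, which file paths it may
use, whether it may use the registry and the internet, and, via a named Tag of
domains, which hosts it must not reach. Field names, the Tag contents and the
sample interactions are constructed.
"""
from dataclasses import dataclass

# Constructed Tag: a named set of domains, like the admin-maintained Tag described in 9.3.
TAGS = {"known-malicious": frozenset({"bad.example", "evil.example"})}


@dataclass(frozen=True)
class Ringfence:
    application: str
    may_launch: frozenset = frozenset()      # other applications it may start
    file_prefixes: frozenset = frozenset()   # paths it may read or write
    registry: bool = False                   # may it touch the registry
    internet: bool = False                   # may it reach the internet at all
    denied_tags: frozenset = frozenset()     # Tags of domains denied even when internet is allowed


@dataclass(frozen=True)
class Interaction:
    application: str
    kind: str       # "launch", "file", "registry" or "network"
    target: str     # child application, path, registry key or host name


def host_in_tag(host, tag):
    """True if host equals, or is a subdomain of, any domain in the Tag."""
    return any(host == d or host.endswith("." + d) for d in TAGS[tag])


def decide(fences, ix):
    fence = fences.get(ix.application)
    if fence is None:
        return "permit"   # assumption: an application with no Ringfence policy is unrestricted here
    if ix.kind == "launch":
        return "permit" if ix.target in fence.may_launch else "deny"
    if ix.kind == "file":
        return "permit" if any(ix.target.startswith(p) for p in fence.file_prefixes) else "deny"
    if ix.kind == "registry":
        return "permit" if fence.registry else "deny"
    if ix.kind == "network":
        if not fence.internet or any(host_in_tag(ix.target, t) for t in fence.denied_tags):
            return "deny"
        return "permit"
    raise ValueError(f"unknown interaction kind {ix.kind!r}")


def decide_all(fences, interactions):
    return [decide(fences, ix) for ix in interactions]


# Constructed policies: the browser may reach the internet except tagged domains and may
# write only to Downloads; the word processor gets its Documents folder and nothing else.
FENCES = {
    "browser.exe": Ringfence("browser.exe",
                             file_prefixes=frozenset({"C:\\Users\\alice\\Downloads\\"}),
                             internet=True, denied_tags=frozenset({"known-malicious"})),
    "winword.exe": Ringfence("winword.exe",
                             file_prefixes=frozenset({"C:\\Users\\alice\\Documents\\"})),
}
SAMPLE_INTERACTIONS = [
    Interaction("browser.exe", "network", "www.example.com"),
    Interaction("browser.exe", "network", "cdn.bad.example"),         # subdomain of a tagged domain
    Interaction("browser.exe", "launch", "powershell.exe"),           # browser has no launch rights
    Interaction("browser.exe", "file", "C:\\Users\\alice\\Downloads\\report.pdf"),
    Interaction("winword.exe", "network", "updates.example"),         # word processor has no internet
    Interaction("winword.exe", "file", "C:\\Users\\alice\\Documents\\memo.docx"),
    Interaction("winword.exe", "registry", "HKCU\\Software\\Example"),
    Interaction("calc.exe", "registry", "HKCU\\Software\\Example"),   # not ringfenced
]

if __name__ == "__main__":
    for ix, d in zip(SAMPLE_INTERACTIONS, decide_all(FENCES, SAMPLE_INTERACTIONS)):
        print(d, ix.application, ix.kind, ix.target)
```

The subdomain match in host_in_tag is the detail worth noting: a Tag of bare domains would be easy to sidestep if only exact host names were compared, so the check treats any host under a tagged domain as tagged.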

Control 11: Data Recovery 

"Establish and maintain data recovery practices sufficient to restore in-scope enterprise assets to a pre-incident and trusted state."

  • ThreatLocker does not currently support this control.    

Control 12: Network Infrastructure Management 

"Establish, implement, and actively manage (track, report, correct) network devices, in order to prevent attackers from exploiting vulnerable network services and access points."

  • 12.2 Establish and Maintain a Secure Network Architecture
    • Network Control allows total control of inbound traffic to your ThreatLocker-protected devices based on IP addresses, specific keywords, and/or objects, using a simple server-client connection. Create a default deny, and ports will open automatically on demand for permitted connections. Unapproved devices will not have visibility of the ports in use.

Control 13: Network Monitoring and Defense 

"Operate processes and tooling to establish and maintain comprehensive network monitoring and defense against security threats across the enterprise’s network infrastructure and user base."

  • 13.2 Deploy a Host-Based Intrusion Detection Solution 
    • ThreatLocker can help as a host-based intrusion detection solution. 
    • Using the ThreatLocker Platform, you can default-deny all applications or file types which are not a part of the allowed policy list from running on any machine.  
    • ThreatLocker Ops is a comprehensive threat detection and behavior monitoring tool which can be used to set intrusion detection parameters, alerts, and responses.  
  • 13.3 Deploy a Network Intrusion Detection Solution 
    • ThreatLocker can help as a network intrusion detection solution. 
    • Using the ThreatLocker Platform, you can default-deny all applications or file types which are not a part of the allowed policy list from running on any machine.  
    • Network Control allows total control of inbound traffic to your ThreatLocker-protected devices based on IP addresses, specific keywords, and/or objects, using a simple server-client connection. Create a default deny, and ports will open automatically on demand for permitted connections. Unapproved devices will not have visibility of the ports in use.
    • ThreatLocker Ops uses the telemetry data collected across all the ThreatLocker modules to identify and respond to potential indicators of compromise or weakness in the environment (e.g., a vulnerable version of MS Exchange). Once a parameter is set, users can configure action steps to take (e.g., automated notifications or blocking access) if the parameter is met.
  • 13.4 Perform Traffic Filtering Between Network Segments 
    • ThreatLocker can help perform traffic filtering between network segments. 
    • Network Control allows total control of inbound traffic to your ThreatLocker-protected devices based on IP addresses, specific keywords, and/or objects, using a simple server-client connection. Create a default deny, and ports will open automatically on demand for permitted connections. Unapproved devices will not have visibility of the ports in use.
  • 13.5 Manage Access Control for Remote Assets 
    • ThreatLocker can help manage access control for remote assets. 
    • Network Control allows total control of inbound traffic to your ThreatLocker-protected devices based on IP addresses, specific keywords, and/or objects, using a simple server-client connection. Create a default deny, and ports will open automatically on demand for permitted connections. Unapproved devices will not have visibility of the ports in use.
  • 13.6 Collect Network Traffic Flow Logs 
    • ThreatLocker can help collect network traffic flow logs. 
    • The Unified Audit is a transactional history of everything that ThreatLocker is securing, including network activity. The Unified Audit collects and stores uneditable records for a minimum of 30 days.
  • 13.7 Deploy a Host-Based Intrusion Prevention Solution 
    • ThreatLocker can help as a host-based intrusion prevention solution. 
    • Application Allowlisting can restrict which applications can run in your environment, who can use them, and when.  
    • Ringfencing™ lets you specify what an application can interact with (e.g., other applications, your files, the internet, or the registry).
    • Storage Control allows you to customize whether a user can access different types of storage such as USB drives, network shares, and local folders. Additionally, you can configure Storage Control to only allow specific interfaces to access specific file paths.  
    • Network Control allows total control of inbound traffic to your ThreatLocker-protected devices based on IP addresses, specific keywords, and/or objects, using a simple server-client connection. Create a default deny, and ports will open automatically on demand for permitted connections. Unapproved devices will not have visibility of the ports in use.
    • ThreatLocker Ops uses the telemetry data collected across all the ThreatLocker modules to identify and respond to potential indicators of compromise or weakness in the environment (e.g., a vulnerable version of MS Exchange). Once a parameter is set, users can configure action steps to take (e.g., automated notifications or blocking access) if the parameter is met.
  • 13.8 Deploy a Network Intrusion Prevention Solution 
    • ThreatLocker can help as a network intrusion prevention solution. 
    • Network Control allows total control of inbound traffic to your ThreatLocker-protected devices based on IP addresses, specific keywords, and/or objects, using a simple server-client connection. Create a default deny, and ports will open automatically on demand for permitted connections. Unapproved devices will not have visibility of the ports in use.
    • ThreatLocker Ops uses the telemetry data collected across all the ThreatLocker modules to identify and respond to potential indicators of compromise or weakness in the environment (e.g., a vulnerable version of MS Exchange). Once a parameter is set, users can configure action steps to take (e.g., automated notifications or blocking access) if the parameter is met.
  • 13.9 Deploy Port-Level Access Control 
    • ThreatLocker can help to deploy port-level access control. 
    • Network Control allows total control of inbound traffic to your protected devices based on IP addresses, specific keywords, and/or objects, using a simple server-client connection. Using dynamic ACLs, ports remain closed and open on demand for approved connections.
  • 13.10 Perform Application Layer Filtering 
    • ThreatLocker can help perform application layer filtering.
    • Ringfencing™ lets you specify what an application can interact with (e.g., other applications, your files, the internet, or the registry).
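The Network Control bullets under 12.2 and 13.3 through 13.9 describe a default-deny inbound firewall where a port answers only for sources approved by address or by membership in a named object of authenticated devices (the dynamic ACL), so that an unapproved peer sees no open ports at all. The following added example models that decision; it is not ThreatLocker's code, and the rule shape, object names, agent identities and addresses (documentation ranges) are constructed.

```python
"""Model of a default-deny inbound endpoint firewall with on-demand port opening.

Added illustration, not ThreatLocker's code. Inbound traffic to a protected
device is denied by default; a port answers only for sources approved by
address or by membership in a named object of authenticated devices (a
dynamic ACL); an unapproved peer sees no open ports. Rule shape, object names
and addresses are constructed.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class InboundRule:
    port: int
    sources: tuple = ()    # CIDR strings approved by address
    objects: tuple = ()    # names of device objects approved by authenticated agent identity


class NetworkControl:
    def __init__(self, rules, objects):
        self.rules = list(rules)
        self.objects = dict(objects)   # object name -> set of authenticated agent ids

    def decide(self, port, peer_ip, agent_id=None):
        """Return "permit" if the port opens for this peer, otherwise "deny"."""
        addr = ip_address(peer_ip)
        for r in self.rules:
            if r.port != port:
                continue
            if any(addr in ip_network(cidr) for cidr in r.sources):
                return "permit"
            # Dynamic ACL: the peer's authenticated agent identity, not its address, decides.
            if agent_id is not None and any(agent_id in self.objects.get(o, ()) for o in r.objects):
                return "permit"
        return "deny"      # default deny: no rule opened the port

    def visible_ports(self, peer_ip, agent_id=None):
        """Ports this peer would find open; an unapproved peer sees none."""
        return sorted({r.port for r in self.rules
                       if self.decide(r.port, peer_ip, agent_id) == "permit"})


# Constructed objects, rules and peers (203.0.113.0/24 and 198.51.100.0/24 are documentation ranges).
OBJECTS = {"finance-laptops": {"fin-lt-01", "fin-lt-02"}}
RULES = [
    InboundRule(3389, objects=("finance-laptops",)),   # remote desktop only for authenticated finance laptops
    InboundRule(445, sources=("10.0.5.0/24",)),        # file sharing only from one internal subnet
    InboundRule(22, sources=("10.0.0.10/32",), objects=("finance-laptops",)),
]
FIREWALL = NetworkControl(RULES, OBJECTS)


def demo():
    """Decisions for a handful of constructed peers, keyed by scenario."""
    return {
        "rdp_from_internet": FIREWALL.decide(3389, "203.0.113.7"),
        "rdp_from_finance_laptop": FIREWALL.decide(3389, "203.0.113.7", agent_id="fin-lt-01"),
        "rdp_from_other_agent": FIREWALL.decide(3389, "203.0.113.7", agent_id="eng-lt-09"),
        "smb_from_subnet": FIREWALL.decide(445, "10.0.5.20"),
        "smb_from_elsewhere": FIREWALL.decide(445, "10.0.6.20"),
        "ports_seen_by_stranger": FIREWALL.visible_ports("198.51.100.1"),
        "ports_seen_by_finance_laptop": FIREWALL.visible_ports("10.0.0.10", agent_id="fin-lt-02"),
    }


if __name__ == "__main__":
    for scenario, result in demo().items():
        print(f"{scenario}: {result}")
```

The point of the object-based rule is that the same address is denied or permitted depending on whether the peer has authenticated as a member of the object, which is what lets a roaming laptop reach a port without the server keeping a list of addresses, and why a peer that is not approved for anything gets an empty port list rather than a set of closed-but-visible ports.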

Control 14: Security Awareness and Skills Training 

"Establish and maintain a security awareness program to influence behavior among the workforce to be security conscious and properly skilled to reduce cybersecurity risks to the enterprise."

  • ThreatLocker does not currently support this control.    

Control 15: Service Provider Management 

"Develop a process to evaluate service providers who hold sensitive data, or are responsible for an enterprise’s critical IT platforms or processes, to ensure these providers are protecting those platforms and data appropriately."

  • ThreatLocker does not currently support this control.    

Control 16: Application Software Security 

"Manage the security life cycle of in-house developed, hosted, or acquired software to prevent, detect, and remediate security weaknesses before they can impact the enterprise."

  • ThreatLocker does not currently support this control.    

Control 17: Incident Response Management 

"Establish a program to develop and maintain an incident response capability (e.g., policies, plans, procedures, defined roles, training, and communications) to prepare, detect, and quickly respond to an attack."

  • ThreatLocker does not currently support this control.    

Control 18: Penetration Testing 

"Test the effectiveness and resiliency of enterprise assets through identifying and exploiting weaknesses in controls (people, processes, and technology), and simulating the objectives and actions of an attacker."

  • ThreatLocker does not currently support this control. 

References   

The Center for Internet Security. (n.d.). Center for Internet Security. Retrieved February 16, 2023, from http://www.cisecurity.org/

Updated 4/25/2023
