ThreatLocker and the CISA Zero Trust Maturity Model Version 2.0

8 min. read | Last update: 04.20.2023


Introduction 

CISA’s newly released Zero Trust Maturity Model (ZTMM) is composed of 5 pillars. Each pillar has 4 maturity levels, and maturity in each pillar can progress independently of the other pillars. To support functions across all 5 pillars, the ZTMM outlines 3 cross-cutting capabilities: Visibility and Analytics, Automation and Orchestration, and Governance. These cross-cutting capabilities can be matured with respect to a specific pillar or independently of the pillars.

For more information on the CISA ZTMM, please visit: Zero Trust Maturity Model | CISA  

When configured correctly, the ThreatLocker Endpoint Security Platform can assist an organization in its journey toward a zero-trust architecture, using the ZTMM as guidance. We have done our best to outline the functions in each pillar that are supported by the ThreatLocker modules. Where a function is not listed, ThreatLocker does not currently support it.

Identity Pillar 

Access Management 

ThreatLocker can assist in meeting the Access Management function. Using ThreatLocker Elevation Control, you can eliminate the need for local administrator accounts. Elevation can be as granular as a single file within an application, if only that file requires elevated privileges. Elevation provides just-in-time access and just enough access: any elevation of privileges applies only to the specified application and does not carry over to other applications. Application Allowlisting enables you to limit access to any application to specified users only. Policies can be set to permit on a schedule or to expire as needed to suit your organization’s needs. Storage Control can restrict access to data to the specific user or application that requires it. Any policy can be edited from the central ThreatLocker portal when an organization’s needs change.

Visibility and Analytics Capability 

ThreatLocker can assist in meeting the Visibility and Analytics Capability function for the Identity Pillar. The ThreatLocker Unified Audit is a transactional history of activity on machines with ThreatLocker installed. It shows all application activity, including the logged-in user and whether the activity was performed with elevated privileges. Combined with Storage Control, it shows all file activity (e.g., reads, writes, deletes), including the logged-in user. Used with Network Control, the Unified Audit also provides a log of all network activity within the environment. All logs are on a single, central Unified Audit page, where they can be manually analyzed.

Devices Pillar 

Policy Enforcement & Compliance Monitoring 

ThreatLocker can assist in meeting the Policy Enforcement & Compliance Monitoring function. ThreatLocker Allowlisting blocks all software by default: on every device with ThreatLocker installed, new software must be approved before it can run. All software installed on ThreatLocker-protected devices is visible from the ThreatLocker Portal. The Unified Audit provides near-real-time visibility of all software that is running or attempting to run, including the hostname of the device on which it is running.

Asset & Supply Chain Risk Management 

ThreatLocker can assist in meeting this function for asset management. ThreatLocker can be installed on physical and virtual assets, and the Unified Audit provides a near-real-time view of the application activity occurring on every asset with ThreatLocker installed.

Resource Access 

ThreatLocker Network Control can assist in meeting this function. Create a Network Control policy that blocks all inbound network traffic by default, then set Network Control policies that permit approved devices to access protected resources via approved ports only. Using Objects, access is possible only for permitted devices, regardless of the IP address the connection originates from.

Device Threat Protection 

ThreatLocker can assist in meeting this function. ThreatLocker Allowlisting automatically blocks all executions unless they are explicitly permitted, protecting against unauthorized scripts, libraries, and executable files. ThreatLocker Ringfencing can be configured to prevent applications from interacting with other applications, the internet, the registry, or your protected files, further mitigating the risk of threats. The ThreatLocker agent itself can be configured to update automatically on the cadence preferred by your organization.

Visibility and Analytics Capability 

ThreatLocker can assist with meeting this function for the Devices Pillar. The Unified Audit provides a central log of all application activity on endpoints with the ThreatLocker agent installed. Only explicitly permitted executions succeed, and both successful and unsuccessful executions are logged. Network Control adds visibility of all network activity to the Unified Audit. Set a Network Control policy to block all inbound traffic, then permit connections only from authorized devices. Unauthorized devices will be unable to connect to your network locations, and each attempt will be visible in the Unified Audit.

Networks Pillar 

Network Segmentation 

ThreatLocker can assist in meeting this function. Using ThreatLocker Network Control, set policies to block all inbound traffic, then permit inbound connections with just-in-time access using dynamic ACLs. Ports are opened automatically for permitted devices and closed once they are no longer in use. Using ThreatLocker Ringfencing, control each application’s ability to access files, permitting only what is necessary.

Network Traffic Management 

ThreatLocker Network Control can assist in meeting the Network Traffic Management function. ThreatLocker Network Control can be set to deny all inbound network connections by default. Policies can then be created to permit access dynamically using Objects, so no unauthorized connections are permitted. To assist with monitoring, all network activity is visible in the central Unified Audit. Using Ringfencing, lock down applications’ access to the internet, the registry, and other applications. With Storage Control, specify which files each application can access. The Unified Audit provides a comprehensive log of all application and storage activity.

Visibility and Analytics Capability 

ThreatLocker Network Control can assist with the Visibility and Analytics Capability function for the Networks pillar. The Unified Audit provides near-real-time visibility of network activity throughout your environment. Set policies to permit approved network connections and block everything else. Once configured, only approved connections are permitted and all unauthorized connections are automatically blocked. Even when a connection is blocked, a record of the attempt is visible in the Unified Audit.

Governance Capability 

ThreatLocker assists with the Governance Capability within the Networks pillar. With Network Control, enterprise-wide policies can be set to block all inbound connections. Create policies to permit connections, per port, per device, across the entire enterprise, from the central ThreatLocker portal.

Applications and Workloads Pillar 

Application Access 

ThreatLocker can assist in meeting this function. Allowlisting blocks all unapproved applications from running. Once approved, an application can be permitted only for specific users or computers.

Application Threat Protections 

ThreatLocker can assist in meeting this function. Allowlisting blocks all unapproved applications, and unauthorized changes to approved applications, by default. Apply Ringfencing to approved applications to control their access to other applications, the internet, files, and the registry, helping to protect against application-specific attacks.

Application Security Testing 

ThreatLocker can assist in meeting this function. Using the ThreatLocker Testing Environment, all new or unapproved applications can be tested in the ThreatLocker sandbox before they are ever permitted into your environment. The sandbox performs dynamic analysis of what the application does while running, such as creating new files, making system changes, contacting the internet, or spawning new processes.

Visibility and Analytics Capability 

ThreatLocker assists with meeting this function for the Applications and Workloads pillar. The Unified Audit provides near-real-time visibility of all application activity on every device with ThreatLocker installed, so this activity can be monitored for the entire enterprise from the central Unified Audit. ThreatLocker Ops policies can be configured to alert on and/or respond to specific actions, based on thresholds you set.

Data Pillar 

Data Inventory Management 

ThreatLocker can assist in meeting this function. ThreatLocker Storage Control provides the ability to control access to data at a very granular level. Set policies to permit access to data locations only to the specific users or applications that need it, and specify whether that access is read-only or read-and-write. No unauthorized access is permitted. All activity is recorded in the Unified Audit, providing a near-real-time record of reads, writes, moves, and deletes of data, including the logged-in user. ThreatLocker Ops can be configured to alert on and respond to data access based on thresholds you set.

Data Access 

ThreatLocker can assist in meeting this function. As with Data Inventory Management, the Data Access function is supported by ThreatLocker Storage Control, which controls access to data at a very granular level. Set policies to permit access to data locations only to the specific users or applications that need it, and specify whether that access is read-only or read-and-write. No unauthorized access is permitted. All activity is recorded in the Unified Audit, providing a near-real-time record of reads, writes, moves, and deletes of data, including the logged-in user, even when the action was unsuccessful.

Data Encryption 

ThreatLocker Storage Control can assist with this function for removable storage devices. Storage Control can be set to permit access to data only from encrypted devices, so any unencrypted device is unable to reach your data. All attempts are logged in the Unified Audit.

Cross-Cutting Capabilities 

Visibility and Analytics Capability 

ThreatLocker can assist with this cross-cutting capability. The Unified Audit automatically logs all file activity on every device with ThreatLocker installed, and the logs from all of those devices are combined and visible from the central Unified Audit page. Adding Storage Control adds visibility of file access across the environment, and adding Network Control provides visibility of network activity across the entire enterprise environment. The Unified Audit has filtering and exporting capabilities to assist with analysis.
