Use Case: The purpose of the information below is to help the reader understand how ThreatLocker can support the Essential Eight Maturity Model mitigation strategies. For each maturity level (1-3), we have outlined if and how we can help support each strategy, and we have made our best effort to identify which products support each sub-section. Where a sub-section is missing, we do not support it.
Disclaimer: We make no claim regarding the end-user's configuration. If ThreatLocker policies are not configured correctly, they will not support the mitigation strategies.
Level 1
Application control
- Description — 'Application control is implemented on workstations.'
- ThreatLocker Application Control is available on Windows, macOS, and Linux.
- Description — 'Application control is applied to user profiles and temporary folders used by operating systems, web browsers and email clients.'
- ThreatLocker runs at the kernel level, ensuring that Application Control applies across the device.
- Description — 'Application control restricts the execution of executables, software libraries, scripts, installers, compiled HTML, HTML applications and control panel applets to an organisation-approved set.'
- ThreatLocker Application Control can restrict all of the above.
Patch applications
- Description — 'Office productivity suites, web browsers and their extensions, email clients, PDF software, Adobe Flash Player, and security products that are no longer supported by vendors are removed.'
- ThreatLocker Software Health Report lets you know of discontinued software in your environment. Application Control can then block the execution of such software.
Restrict Microsoft Office macros
- Description — 'Microsoft Office macros in files originating from the internet are blocked.'
- ThreatLocker Configuration Manager allows you to block macros in files originating from the internet.
User application hardening
- Description — 'Internet Explorer 11 does not process content from the internet.'
- ThreatLocker Application Control can easily block Internet Explorer 11 from executing.
- Description — 'Web browsers do not process Java from the internet.'
- ThreatLocker Application Control can meet this requirement by blocking Internet Explorer 11, the only modern browser that natively processes Java from the Internet. ThreatLocker Ringfencing can also restrict applications from interacting with Java.
Restrict administrative privileges
- Description — 'Requests for privileged access to systems, applications, and data repositories are validated when first requested.'
- ThreatLocker Elevation Control can remove local administrators in your environment, leaving privileged access management to your ThreatLocker administrators.
- Description — 'Privileged accounts (excluding those explicitly authorised to access online services) are prevented from accessing the internet, email and web services.'
- ThreatLocker Elevation Control can remove local administrators from your environment, reducing the need for privileged accounts. ThreatLocker Network Control can also restrict devices from accessing the internet, email, and web services.
Regular backups
- Description — 'Unprivileged accounts cannot access backups belonging to other accounts.'
- ThreatLocker Storage Control can limit user access to storage locations while still allowing certain programs to have the necessary access.
- Description — 'Unprivileged accounts are prevented from modifying and deleting backups.'
- ThreatLocker Storage Control can limit user access to storage locations while still allowing certain programs to have the necessary access.
Patch operating systems
- Description — 'Operating systems that are no longer supported by vendors are replaced.'
- ThreatLocker Detect can alert you when a Windows-related update is available. The Computers tab will also show you what operating systems are in your environment.
Multi-factor authentication
- Description — 'Multi-factor authentication uses either something users have and something users know, or something users have that is unlocked by something users know or are.'
Level 2
Application control
- Description — 'Application control is implemented on internet-facing servers.'
- ThreatLocker Application Control is available on Windows and Linux servers.
- ThreatLocker is available on macOS; however, Apple does not currently support any macOS servers.
- Description — 'Application control is applied to all locations other than user profiles and temporary folders used by operating systems, web browsers, and email clients.'
- ThreatLocker runs at the kernel level, ensuring that Application Control applies across the device.
- Description — 'Microsoft's recommended application blocklist is implemented.'
- ThreatLocker Application Control uses a Zero Trust, deny-by-default allowlisting method to ensure that only approved applications can run.
- Description — 'Application control rulesets are validated on an annual or more frequent basis.'
- ThreatLocker Application Control gives you insight into which policies are being used and allows for easy removal of unnecessary policies.
- Description — 'Allowed and blocked application control events are centrally logged.'
- The ThreatLocker Unified Audit is a centralised location displaying all audited data about what's occurring within the environment. This powerful feature shows data from the different ThreatLocker modules utilised across the entire business environment in a single pane of glass.
- Description — 'Event logs are protected from unauthorised modification and deletion.'
- The ThreatLocker Unified Audit cannot be modified by anyone and is kept by default for 30 days.
- Description — 'Event logs from internet-facing servers are analysed in a timely manner to detect cybersecurity events.'
- ThreatLocker Cyber Hero MDR can monitor and respond to Indicators of Compromise in your environment within minutes.
- Description — 'Cybersecurity events are analysed in a timely manner to identify cybersecurity incidents.'
- ThreatLocker Cyber Hero MDR can monitor and respond to Indicators of Compromise in your environment within minutes.
- When ThreatLocker Detect identifies suspicious activity in your environment, the Cyber Hero Team will review the alert to determine whether it is a true IoC or a false positive. In the event of a cyber incident, the Cyber Hero Team will follow your runbook to isolate or lock down the device and notify you.
- Description — 'Cybersecurity incidents are reported to the Chief Information Security Officer, or one of their delegates, as soon as possible after they occur or are discovered.'
- Your runbook for MDR can include alerting the CISO or one of their delegates. ThreatLocker Detect can also be set up to notify them once a threat threshold has been detected.
User application hardening
- Description — 'Microsoft Office is blocked from creating child processes.'
- ThreatLocker Ringfencing can stop Microsoft Office from creating child processes.
- Description — 'Microsoft Office is blocked from creating executable content.'
- ThreatLocker Ringfencing can stop Microsoft Office from creating executable content.
- Description — 'Microsoft Office is blocked from injecting code into other processes.'
- ThreatLocker Ringfencing can stop Microsoft Office from injecting code into other processes.
- Description — 'PDF software is blocked from creating child processes.'
- ThreatLocker Ringfencing can block PDF software from creating child processes.
- Description — 'PowerShell module logging, script block logging and transcription events are centrally logged.'
- ThreatLocker 'Options' allows you to monitor PowerShell and log it in the Unified Audit.
- Description — 'Command line process creation events are centrally logged.'
- The ThreatLocker Unified Audit centrally logs command line process creation events by default.
- Description — 'Event logs are protected from unauthorised modification and deletion.'
- The ThreatLocker Unified Audit cannot be modified by anyone and is kept by default for 30 days.
- Description — 'Event logs from internet-facing servers are analysed in a timely manner to detect cybersecurity events.'
- ThreatLocker Cyber Hero MDR can monitor and respond to Indicators of Compromise in your environment within minutes.
- Description — 'Cybersecurity events are analysed in a timely manner to identify cybersecurity incidents.'
- ThreatLocker Cyber Hero MDR can monitor and respond to Indicators of Compromise in your environment within minutes.
- When ThreatLocker Detect identifies suspicious activity in your environment, the Cyber Hero Team will review the alert to determine whether it is a true IoC or a false positive. In the event of a cyber incident, the Cyber Hero Team will follow your runbook to isolate or lock down the device and notify you.
- Description — 'Cybersecurity incidents are reported to the Chief Information Security Officer, or one of their delegates, as soon as possible after they occur or are discovered.'
- Your runbook for MDR can include alerting the CISO or one of their delegates. ThreatLocker Detect can also be set up to notify them once a threat threshold has been detected.
Restrict administrative privileges
- Description — 'Privileged access to systems, applications, and data repositories is disabled after 12 months unless revalidated.'
- ThreatLocker policies can be set with an expiration date to ensure periodic revalidation.
- Description — 'Privileged access to systems and applications is disabled after 45 days of inactivity.'
- ThreatLocker Application Control allows for unused policies to be quickly and easily removed.
- Description — 'Privileged operating environments are not virtualised within unprivileged operating environments.'
- ThreatLocker blocks virtualisation software by default.
- Description — 'Administrative activities are conducted through jump servers.'
- ThreatLocker Network Control can ensure that administrative activities are conducted through specified jump servers.
- Description — 'Privileged access events are centrally logged.'
- The ThreatLocker Unified Audit is a centralised location displaying all audited data about what is occurring within the environment, including privileged access events. This powerful feature shows data from the different ThreatLocker modules utilised across the entire business environment in a single pane of glass.
- Description — 'Event logs are protected from unauthorised modification and deletion.'
- The ThreatLocker Unified Audit cannot be modified by anyone and is kept by default for 30 days.
- Description — 'Event logs from internet-facing servers are analysed in a timely manner to detect cybersecurity events.'
- ThreatLocker Cyber Hero MDR can monitor and respond to Indicators of Compromise in your environment within minutes.
- Description — 'Cybersecurity events are analysed in a timely manner to identify cybersecurity incidents.'
- ThreatLocker Cyber Hero MDR can monitor and respond to Indicators of Compromise in your environment within minutes.
- When ThreatLocker Detect identifies suspicious activity in your environment, the Cyber Hero Team will review the alert to determine whether it is a true IoC or a false positive. In the event of a cyber incident, the Cyber Hero Team will follow your runbook to isolate or lock down the device and notify you.
- Description — 'Cybersecurity incidents are reported to the Chief Information Security Officer, or one of their delegates, as soon as possible after they occur or are discovered.'
- Your runbook for MDR can include alerting the CISO or one of their delegates. ThreatLocker Detect can also be set up to notify them once a threat threshold has been detected.
Regular backups
- Description — 'Privileged accounts (excluding backup administrator accounts) cannot access backups belonging to other accounts.'
- ThreatLocker Storage Control can stop privileged accounts from accessing backups belonging to other accounts.
- Description — 'Privileged accounts (excluding backup administrator accounts) are prevented from modifying and deleting backups.'
- ThreatLocker Storage Control can stop privileged accounts from modifying and deleting backups.
Multi-factor authentication
- Description — 'Multi-factor authentication is used to authenticate privileged users of systems.'
- ThreatLocker Elevation Control can remove local administrators in your environment, allowing your ThreatLocker administrators to manage administrative privileges. ThreatLocker administrators can be configured to require MFA.
- Description — 'Successful and unsuccessful multi-factor authentication events are centrally logged.'
- Successful and unsuccessful MFA events are logged in the ThreatLocker Health Center.
- Description — 'Event logs are protected from unauthorised modification and deletion.'
- The ThreatLocker Unified Audit and MFA event logs cannot be modified by anyone and are kept by default for 30 days.
- Description — 'Event logs from internet-facing servers are analysed in a timely manner to detect cybersecurity events.'
- ThreatLocker Cyber Hero MDR can monitor and respond to Indicators of Compromise in your environment within minutes.
- Description — 'Cybersecurity events are analysed in a timely manner to identify cybersecurity incidents.'
- ThreatLocker Cyber Hero MDR can monitor and respond to Indicators of Compromise in your environment within minutes.
- When ThreatLocker Detect identifies suspicious activity in your environment, the Cyber Hero Team will review the alert to determine whether it is a true IoC or a false positive. In the event of a cyber incident, the Cyber Hero Team will follow your runbook to isolate or lock down the device and notify you.
- Description — 'Cybersecurity incidents are reported to the Chief Information Security Officer, or one of their delegates, as soon as possible after they occur or are discovered.'
- Your runbook for MDR can include alerting the CISO or one of their delegates. ThreatLocker Detect can also be set up to notify them once a threat threshold has been detected.
Level 3
Application control
- Description — 'Application control is implemented on non-internet-facing servers.'
- ThreatLocker Application Control is available on non-internet-facing servers through a relay server. A self-hosted solution is available on a case-by-case basis for air-gapped servers.
- Description — 'Application control restricts the execution of drivers to an organisation-approved set.'
- ThreatLocker Application Control restricts the execution of applications, drivers, executables, and more to an organisation-approved set.
- Description — 'Microsoft's vulnerable driver blocklist is implemented.'
- ThreatLocker Community has a suggested Application Control policy to implement Microsoft's vulnerable driver blocklist.
- Description — 'Event logs from non-internet-facing servers are analysed in a timely manner to detect cybersecurity events.'
- Non-internet-facing servers using a relay server can have their event logs monitored and responded to in minutes by ThreatLocker Cyber Hero MDR.
- Description — 'Event logs from workstations are analysed in a timely manner to detect cybersecurity events.'
- ThreatLocker Cyber Hero MDR can monitor and respond to Indicators of Compromise in your environment within minutes.
Patch applications
- Description — 'Applications other than office productivity suites, web browsers, and their extensions, email clients, PDF software, Adobe Flash Player, and security products that are no longer supported by vendors are removed.'
- ThreatLocker's deny-by-default philosophy ensures that only approved applications are allowed to run in your environment. The free ThreatLocker Software Health Report can quickly show you outdated software running in your environment, which you can easily block with Application Control.
User application hardening
- Description — '.NET Framework 3.5 (includes .NET 2.0 and 3.0) is disabled or removed.'
- ThreatLocker Application Control can disable .NET Framework 3.5 (including .NET 2.0 and 3.0).
- Description — 'Windows PowerShell 2.0 is disabled or removed.'
- ThreatLocker Application Control can disable PowerShell 2.0.
- Description — 'PowerShell is configured to use Constrained Language Mode.'
- ThreatLocker Configuration Manager can ensure that PowerShell is in Constrained Language Mode.
- Description — 'Event logs from non-internet-facing servers are analysed in a timely manner to detect cybersecurity events.'
- Non-internet-facing servers using a relay server can have their event logs monitored and responded to in minutes by ThreatLocker Cyber Hero MDR.
- Description — 'Event logs from workstations are analysed in a timely manner to detect cybersecurity events.'
- ThreatLocker Cyber Hero MDR can monitor and respond to Indicators of Compromise in your environment within minutes.
Restrict administrative privileges
- Description — 'Privileged access to systems, applications and data repositories is limited to only what is required for users and services to undertake their duties.'
- ThreatLocker Elevation Control can remove local administrators in your environment, leaving privileged access management to your ThreatLocker administrators.
- Description — 'Secure Admin Workstations are used in performing administrative activities.'
- ThreatLocker policies can allow only specific computers to have elevated access.
- Description — 'Just-in-time administration is used for administering systems and applications.'
- ThreatLocker Elevation Control can remove local administrators in your environment, leaving privileged access management to your ThreatLocker administrators. ThreatLocker policies only delegate elevated access when needed, ensuring just-in-time administration.
- Description — 'Local Security Authority protection functionality is enabled.'
- ThreatLocker enables Local Security Authority protection by default.
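Several of the requirements listed above name concrete Windows settings that can be verified directly on a host, regardless of which tool enforces them: macros blocked in files from the internet (Level 1), .NET Framework 3.5 and PowerShell 2.0 disabled and PowerShell in Constrained Language Mode (Level 3, user application hardening), and LSA protection (this section). The PowerShell script below is an added example written for this page; it is not ThreatLocker tooling and does not read ThreatLocker's own configuration. It queries the Windows optional-feature state and the documented Office and LSA registry values and reports each control as pass or fail. The feature names and registry paths are Microsoft's documented ones; treating an absent optional feature as "removed", checking only Word, Excel and PowerPoint for the macro policy, and accepting either RunAsPPL value as "enabled" are this example's own assumptions.

```powershell
# Essential Eight host posture check (added example; not ThreatLocker tooling).
# Run from an elevated PowerShell prompt: Get-WindowsOptionalFeature needs admin.

function Get-RegValue {
    param([string]$Path, [string]$Name)
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

function Test-OptionalFeatureDisabled {
    param([string]$FeatureName)
    $f = Get-WindowsOptionalFeature -Online -FeatureName $FeatureName -ErrorAction SilentlyContinue
    # Assumption: a feature absent from the image counts as removed.
    return ($null -eq $f) -or ($f.State -ne 'Enabled')
}

$results = @()

# Level 1: macros in internet-sourced files are blocked. Per-application policy value;
# only the three most common Office applications are checked here (assumption).
foreach ($app in 'Word', 'Excel', 'PowerPoint') {
    $path = "HKCU:\Software\Policies\Microsoft\Office\16.0\$app\Security"
    $v = Get-RegValue -Path $path -Name 'blockcontentexecutionfrominternet'
    $results += [pscustomobject]@{
        Control = "Office macros from internet blocked ($app)"
        Pass    = ($v -eq 1)
        Value   = $v
    }
}

# Level 3: legacy runtimes disabled or removed.
$results += [pscustomobject]@{
    Control = '.NET Framework 3.5 disabled'
    Pass    = (Test-OptionalFeatureDisabled 'NetFx3')
    Value   = ''
}
$results += [pscustomobject]@{
    Control = 'PowerShell 2.0 engine disabled'
    Pass    = (Test-OptionalFeatureDisabled 'MicrosoftWindowsPowerShellV2Root')
    Value   = ''
}

# Level 3: Constrained Language Mode. This reflects the session running the script,
# so run it the way ordinary users get their sessions, not from an exempted admin shell.
$mode = $ExecutionContext.SessionState.LanguageMode
$results += [pscustomobject]@{
    Control = 'PowerShell Constrained Language Mode'
    Pass    = ($mode -eq 'ConstrainedLanguage')
    Value   = "$mode"
}

# Level 3: LSA protection. RunAsPPL 1 (with UEFI lock) and 2 (without) both mean enabled;
# 0 or absent means off.
$ppl = Get-RegValue -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -Name 'RunAsPPL'
$results += [pscustomobject]@{
    Control = 'LSA protection (RunAsPPL)'
    Pass    = ($ppl -eq 1 -or $ppl -eq 2)
    Value   = $ppl
}

$results | Format-Table -AutoSize
# Non-zero exit code lets a scheduler or RMM flag hosts that drift from the baseline.
if ($results | Where-Object { -not $_.Pass }) { exit 1 } else { exit 0 }
```

Each check reads the effective state of the host rather than the intended policy, which is the distinction an assessor cares about: a policy that is deployed but not applied shows up here as a failure.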
- Description — 'Event logs from non-internet-facing servers are analysed in a timely manner to detect cybersecurity events.'
- Non-internet-facing servers using a relay server can have their event logs monitored and responded to in minutes by ThreatLocker Cyber Hero MDR.
- Description — 'Event logs from workstations are analysed in a timely manner to detect cybersecurity events.'
- ThreatLocker Cyber Hero MDR can monitor and respond to Indicators of Compromise in your environment within minutes.
Regular backups
- Description — 'Unprivileged accounts cannot access their own backups.'
- ThreatLocker Storage Control can limit unprivileged users from accessing their own backups while still allowing the necessary backup software to access what it requires.
- Description — 'Privileged accounts (excluding backup administrator accounts) cannot access their own backups.'
- ThreatLocker Storage Control can limit even privileged users from accessing their own backups while still allowing the necessary backup software to access what it requires.
- Description — 'Backup administrator accounts are prevented from modifying and deleting backups during their retention period.'
- ThreatLocker Storage Control policies can be set with an expiration date, restricting any and all accounts, including backup administrators, from accessing the backups.
Patch operating systems
- Description — 'The latest release, or the previous release, of operating systems are used.'
- ThreatLocker Detect can alert you when a Windows-related update is available. The Computers tab will also show you what operating systems are in your environment.
Multi-factor authentication
- Description — 'Multi-factor authentication is used to authenticate users of data repositories.'
- ThreatLocker Storage Control can limit user access to data repositories but still allow them to request access. Once the request has been received, the ThreatLocker administrator can contact the user to authenticate their request.
- Description — 'Event logs from non-internet-facing servers are analysed in a timely manner to detect cybersecurity events.'
- Non-internet-facing servers using a relay server can have their event logs monitored and responded to in minutes by ThreatLocker Cyber Hero MDR.
- Description — 'Event logs from workstations are analysed in a timely manner to detect cybersecurity events.'
- ThreatLocker Cyber Hero MDR can monitor and respond to Indicators of Compromise in your environment within minutes.
Resources:
- 'Essential Eight Maturity Model.' Cyber.gov.au, https://www.cyber.gov.au/acsc/view-all-content/publications/essential-eight-maturity-model.