This document highlights each of the NIST Cybersecurity Framework 2.0 (CSF) subcategories that ThreatLocker can assist in achieving. If a subcategory is not listed, ThreatLocker does not sufficiently assist in achieving it as of the time of publication. The text from the official NIST CSF 2.0 documentation has been modified to include periods at the end.
GOVERN (GV): The organization's cybersecurity risk management strategy, expectations, and policy are established, communicated, and monitored.
Risk Management Strategy (GV.RM): The organization's priorities, constraints, risk tolerance and appetite statements, and assumptions are established, communicated, and used to support operational risk decisions.
GV.RM-02: Risk appetite and risk tolerance statements are established, communicated, and maintained.
The ThreatLocker Software Health Report and the Response Center Threats tab can be used to display current risks and can be reviewed with administration regularly.
GV.RM-05: Lines of communication across the organization are established for cybersecurity risks, including risks from suppliers and other third parties.
Solutions Engineers are available to assess current security risks at any interval desired for any and all departments based on current configuration or emerging threats.
GV.RM-06: A standardized method for calculating, documenting, categorizing, and prioritizing cybersecurity risks is established and communicated.
The ThreatLocker Detect Dashboard, Software Health Report, and the Response Center Threats tab display current threats and risks.
GV.RM-07: Strategic opportunities (i.e., positive risks) are characterized and are included in organizational cybersecurity risk discussions.
Implementing ThreatLocker can lead to many opportunities to identify risk; for example, the Software Health Report displays potential Shadow IT, Remote Access, exfiltration tools, etc.
Roles, Responsibilities, and Authorities (GV.RR): Cybersecurity roles, responsibilities, and authorities to foster accountability, performance assessment, and continuous improvement are established and communicated.
GV.RR-01: Organizational leadership is responsible and accountable for cybersecurity risk and fosters a culture that is risk-aware, ethical, and continually improving.
ThreatLocker training can assist leaders in being aware of the status of their organization's cybersecurity strategy and how to improve it.
GV.RR-02: Roles, responsibilities, and authorities related to cybersecurity risk management are established, communicated, understood, and enforced.
Solutions Engineers can inform people of their role in managing the ThreatLocker Platform and what each of the modules does to reduce risk.
GV.RR-03: Adequate resources are allocated commensurate with the cybersecurity risk strategy, roles, responsibilities, and policies.
Adoption of ThreatLocker can drastically reduce the manpower needed to manage cybersecurity risk. We can also allocate more resources in response to any events that occur via our MDR (Managed Detection and Response) and Threat Intelligence/IR (Incident Response) teams.
GV.RR-04: Cybersecurity is included in human resources practices.
ThreatLocker can enforce HR processes and offers cybersecurity training through ThreatLocker University.
Policy (GV.PO): Organizational cybersecurity policy is established, communicated, and enforced.
GV.PO-01: Policy for managing cybersecurity risks is established based on organizational context, cybersecurity strategy, and priorities and is communicated and enforced.
ThreatLocker can be the mechanism used to enforce cybersecurity policy. In addition, its policies are regularly audited to ensure our customers are as secure as possible.
GV.PO-02: Policy for managing cybersecurity risks is reviewed, updated, communicated, and enforced to reflect changes in requirements, threats, technology, and organizational mission.
ThreatLocker controls can easily be adjusted to account for any change in requirements, threats, technology, etc.
Oversight (GV.OV): Results of organization-wide cybersecurity risk management activities and performance are used to inform, improve, and adjust the risk management strategy.
GV.OV-01: Cybersecurity risk management strategy outcomes are reviewed to inform and adjust strategy and direction.
Calls with Solutions Engineers are available on a weekly basis to assess the impact of implementing Zero Trust security controls.
GV.OV-02: The cybersecurity risk management strategy is reviewed and adjusted to ensure coverage of organizational requirements and risks.
The strategy and its implementation can be reviewed and adjusted during the weekly audits with Solutions Engineers.
GV.OV-03: Organizational cybersecurity risk management performance is evaluated and reviewed for adjustments needed.
The ThreatLocker Health Center can be used to quickly provide a snapshot of the cybersecurity health of an environment with the Solutions Engineer.
Cybersecurity Supply Chain Risk Management (GV.SC): Cyber supply chain risk management processes are identified, established, managed, monitored, and improved by organizational stakeholders.
GV.SC-06: Planning and due diligence are performed to reduce risks before entering into formal supplier or other third-party relationships.
ThreatLocker built-in apps can provide a plethora of information to assist in determining the cybersecurity risk of using another vendor's software.
GV.SC-10: Cybersecurity supply chain risk management plans include provisions for activities that occur after the conclusion of a partnership or service agreement.
ThreatLocker can be used to ensure access to company resources is completely removed or blocked once it is no longer needed by a partner or service.
IDENTIFY (ID): The organization's current cybersecurity risks are understood.
Asset Management (ID.AM): Assets (e.g., data, hardware, software, systems, facilities, services, people) that enable the organization to achieve business purposes are identified and managed consistent with their relative importance to organizational objectives and the organization's risk strategy.
ID.AM-01: Inventories of hardware managed by the organization are maintained.
ThreatLocker maintains a list of all machines the ThreatLocker agent is installed on. Policies can be implemented to discover unprotected endpoints on the network.
ID.AM-02: Inventories of software, services, and systems managed by the organization are maintained.
During Application Control Learning Mode, a list of all applications on the machine is created. Changes to the list are logged in the System Audit. Changes to the contents of the applications are logged and/or managed by our Application Team.
ID.AM-03: Representations of the organization's authorized network communication and internal and external network data flows are maintained.
ThreatLocker Network Control logs all inbound and outbound traffic, down to the process. It can be used to control this traffic and only allow what is needed.
ID.AM-05: Assets are prioritized based on classification, criticality, resources, and impact on the mission.
ThreatLocker protected endpoints can be assigned to different groups, each with its own priorities and controls.
ID.AM-07: Inventories of data and corresponding metadata for designated data types are maintained.
ThreatLocker Storage Control can be used to log all activity related to data that moves through and is stored in an environment. It cannot access all metadata.
ID.AM-08: Systems, hardware, software, services, and data are managed throughout their life cycles.
ThreatLocker uses controls to prevent change in an environment. The applications on the permit list are the only ones that can run until they are removed from the list. Network Control ensures new devices on the network cannot access protected resources until those devices are protected themselves or exceptions are made. Storage Control ensures access to data is only allowed to those who need access until it is no longer necessary.
Risk Assessment (ID.RA): The cybersecurity risk to the organization, assets, and individuals is understood by the organization.
ID.RA-01: Vulnerabilities in assets are identified, validated, and recorded.
ThreatLocker Patch Management can help to identify applications that need to be updated. When vulnerabilities in applications are discovered, we offer Ringfenced policies that mitigate the threat while still allowing utilization of the software.
ID.RA-02: Cyber threat intelligence is received from information sharing forums and sources.
File hashes can be run through VirusTotal. The ThreatLocker Research team also investigates applications, their vulnerabilities, and their history of exploitation to provide insights for applications in an administrator's environment. ThreatLocker Insights also provides data on a file or program's interactions with other software, files, and the network, as well as permit and deny history among other ThreatLocker users.
ID.RA-03: Internal and external threats to the organization are identified and recorded.
ThreatLocker Detect logs Indicators of Compromise. The Unified Audit logs all application, network, and file access information for up to 7 years and can be used to identify and investigate threats.
ID.RA-04: Potential impacts and likelihoods of threats exploiting vulnerabilities are identified and recorded.
ThreatLocker Research and Insights both provide information regarding the "Threat Level" or likelihood of exploitation of permitted software in the environment.
ID.RA-05: Threats, vulnerabilities, likelihoods, and impacts are used to understand inherent risk and inform risk response prioritization.
A ThreatLocker Solutions Engineer can help to identify which risks ThreatLocker can assist with mitigating.
ID.RA-06: Risk responses are chosen, prioritized, planned, tracked, and communicated.
ThreatLocker Detect can be part of the risk response, detecting cybersecurity events and automatically responding to them.
ID.RA-07: Changes and exceptions are managed, assessed for risk impact, recorded, and tracked.
If there is a need for new software in the environment, a user can easily request it. An administrator will be notified and can review and approve it. All of this is recorded.
ID.RA-09: The authenticity and integrity of hardware and software are assessed prior to acquisition and use.
ThreatLocker Application Control can tell you if an application is known or if it differs from other installs of the same application. This can alert you if the software is not authentic.
ID.RA-10: Critical suppliers are assessed prior to acquisition.
For suppliers of software, ThreatLocker can tell you about the software, where it is made, and who makes it, and gives it a risk score.
Improvement (ID.IM): Improvements to organizational cybersecurity risk management processes, procedures and activities are identified across all CSF Functions.
ID.IM-02: Improvements are identified from security tests and exercises, including those done in coordination with suppliers and relevant third parties.
The ThreatLocker Detect Dashboard constantly assesses the environment for misconfigurations and presents solutions to improve the security posture of the environment.
ID.IM-03: Improvements are identified from execution of operational processes, procedures, and activities.
QBRs (Quarterly Business Reviews) can be conducted to review and improve processes based on past activity in the environment.
ID.IM-04: Incident response plans and other cybersecurity plans that affect operations are established, communicated, maintained, and improved.
The ThreatLocker Detect runbook, which outlines the IR plans, is configured during onboarding with the key stakeholders. This configuration can be changed by ThreatLocker Admins for flexibility. If our IR team is involved, everything is recorded and documented. RCAs (Root Cause Analyses) are also available to help improve the IR process in the future.
PROTECT (PR): Safeguards to manage the organization's cybersecurity risks are used.
Identity Management, Authentication, and Access Control (PR.AA): Access to physical and logical assets is limited to authorized users, services, and hardware and managed commensurate with the assessed risk of unauthorized access.
PR.AA-01: Identities and credentials for authorized users, services, and hardware are managed by the organization.
Hostnames and common names are kept in the Devices page for any ThreatLocker protected asset. Usernames are also listed and correlated to the machines they have accessed. Elevation Control is able to revoke privileged access (Admin Rights) from user accounts without managing passwords. ThreatLocker APS can be used to rotate the Local Administrator password, and the current password is stored securely in the Devices page for each endpoint.
PR.AA-03: Users, services, and hardware are authenticated.
ThreatLocker Config Manager can enforce user password requirements: length, age, and complexity. In addition, ThreatLocker Cloud Detect can alert if M365 MFA is disabled, interrupted, or denied by a user via community policies.
PR.AA-05: Access permissions, entitlements, and authorizations are defined in a policy, managed, enforced, and reviewed, and incorporate the principles of least privilege and separation of duties.
ThreatLocker Elevation Control can help to ensure users have the minimum level of access needed to perform their function. ThreatLocker Config Manager can help to disable local administrator accounts. Hostname, current IP, username, etc. can be viewed before granting administrator rights.
Awareness and Training (PR.AT): The organization's personnel are provided with cybersecurity awareness and training so that they can perform their cybersecurity-related tasks.
PR.AT-02: Individuals in specialized roles are provided with awareness and training so that they possess the knowledge and skills to perform relevant tasks with cybersecurity risks in mind.
ThreatLocker University has Cyber Hero training, which can help cybersecurity professionals learn to use ThreatLocker to perform their functions.
Data Security (PR.DS): Data are managed consistent with the organization's risk strategy to protect the confidentiality, integrity, and availability of information.
PR.DS-01: The confidentiality, integrity, and availability of data-at-rest are protected.
ThreatLocker Application Control can validate the hashes of software. ThreatLocker Storage Control can restrict the use of removable media or any other storage mediums that are not explicitly allowed. For permitted storage, Storage Control can block all but necessary applications from accessing the data.
PR.DS-02: The confidentiality, integrity, and availability of data-in-transit are protected.
Access to data-at-rest can be controlled so that applications with the ability to exfiltrate data are not allowed to access it. Network Control can be used to restrict access to cloud storage domains.
PR.DS-10: The confidentiality, integrity, and availability of data-in-use are protected.
ThreatLocker Ringfencing can restrict applications from accessing things that they should not, such as particular files, other applications, or the internet.
PR.DS-11: Backups of data are created, protected, maintained, and tested.
ThreatLocker Storage Control can help to protect backups by ensuring that only specific approved applications can access them. For example, the backup software in use can access the backup location, but PowerShell, which is often used maliciously to encrypt data, cannot.
Platform Security (PR.PS): The hardware, software (e.g., firmware, operating systems, applications), and services of physical and virtual platforms are managed consistent with the organization's risk strategy to protect their confidentiality, integrity, and availability.
PR.PS-01: Configuration management practices are established and applied.
All ThreatLocker policies are established and managed in the portal, and any changes to the policies are logged in the System Audit. Any and all policies can be listed in reports.
PR.PS-02: Software is maintained, replaced, and removed commensurate with risk.
ThreatLocker Patch Management can apply patches based on policies and/or manually if updates are present. Software can also be blocked, and associated running processes killed. Policies can be timed/scheduled to prevent them from running after a set (EoL) date.
PR.PS-04: Log records are generated and made available for continuous monitoring.
ThreatLocker Application Control will only allow approved software to run; all other software is denied by default.
PR.PS-06: Secure software development practices are integrated, and their performance is monitored throughout the software development life cycle.
Application Control can ensure that authorized developers are the only ones allowed to use the approved development tools and interact with software in approved directories. Access to the internet can be limited/revoked to help control access to the development environment.
Technology Infrastructure Resilience (PR.IR): Security architectures are managed with the organization's risk strategy to protect asset confidentiality, integrity, and availability, and organizational resilience.
PR.IR-01: Networks and environments are protected from unauthorized logical access and usage.
ThreatLocker Network Control can allow you to control which devices have access to your protected endpoints. This ensures that only protected endpoints and/or explicit IP addresses have access to your protected resources.
DETECT (DE): Possible cybersecurity attacks and compromises are found and analyzed.
Continuous Monitoring (DE.CM): Assets are monitored to find anomalies, indicators of compromise, and other potentially adverse events.
DE.CM-01: Networks and network services are monitored to find potentially adverse events.
ThreatLocker Network Control monitors all traffic in and out of protected endpoints. ThreatLocker Detect can monitor this traffic for IoCs (Indicators of Compromise).
DE.CM-03: Personnel activity and technology usage are monitored to find potentially adverse events.
The ThreatLocker Unified Audit will show a record of all application, storage, and network activity. ThreatLocker Detect can correlate the records to frameworks to detect IoCs.
DE.CM-06: External service provider activities and services are monitored to find potentially adverse events.
Logs from external sources, such as Microsoft 365, can be ingested to alert on specific IoCs.
DE.CM-09: Computing hardware and software, runtime environments, and their data are monitored to find potentially adverse events.
The ThreatLocker Unified Audit will show any attempts at running unauthorized software, accessing unauthorized data, or accessing network resources. Elevation requests are also logged to see if privilege escalation was attempted.
Adverse Event Analysis (DE.AE): Anomalies, indicators of compromise, and other potentially adverse events are analyzed to characterize the events and detect cybersecurity incidents.
DE.AE-02: Potentially adverse events are analyzed to better understand associated activities.
The ThreatLocker Unified Audit contains a wealth of information that will be useful for cybersecurity analysis.
DE.AE-03: Information is correlated from multiple sources.
ThreatLocker Detect can be used to send log data to other SIEM (Security Information and Event Management) log services via API calls.
DE.AE-04: The estimated impact and scope of adverse events are understood.
The ThreatLocker Unified Audit can show what actions have occurred. This can be used to refine estimates.
DE.AE-06: Information on adverse events is provided to authorized staff and tools.
ThreatLocker Detect will alert on events and export those alerts to SIEMs/SOCs (Security Operations Centers) as well as log them in the portal for review by a ThreatLocker administrator.
DE.AE-07: Cyber threat intelligence and other contextual information are integrated into the analysis.
ThreatLocker Application Control will show the risk score for a known piece of software. ThreatLocker Patch Management will show software that is out of date.
DE.AE-08: Incidents are declared when adverse events meet the defined incident criteria.
Incident criteria can be used to create relevant alerts in ThreatLocker Detect so that the right personnel can be made aware as soon as a cybersecurity event occurs.
RESPOND (RS): Actions regarding a detected cybersecurity incident are taken.
Incident Management (RS.MA): Responses to detected cybersecurity incidents are managed.
RS.MA-01: The incident response plan is executed in coordination with relevant third parties once an incident is declared.
ThreatLocker Detect can alert the relevant personnel to a cybersecurity incident.
RS.MA-02: Incident reports are triaged and validated.
ThreatLocker Detect can provide an abundance of information that will help with triage assessment of a cybersecurity incident.
RS.MA-03: Incidents are categorized and prioritized.
ThreatLocker Detect can take actions based on different aspects of a cybersecurity incident, automatically helping to categorize incident responses.
Incident Analysis (RS.AN): Investigations are conducted to ensure effective response and support forensics and recovery activities.
RS.AN-03: Analysis is performed to establish what has taken place during an incident and the root cause of the incident.
The ThreatLocker Unified Audit keeps a record of events that occur, which can prove to be quite useful in incident analysis. The ThreatLocker IR Team can provide an RCA after assisting with remediation.
RS.AN-07: Incident data and metadata are collected, and their integrity and provenance are preserved.
The ThreatLocker Unified Audit will collect data before, during, and after a cybersecurity incident. It will be retained by us for up to 7 years and can be exported by a ThreatLocker Administrator.
RS.AN-08: An incident's magnitude is estimated and validated.
ThreatLocker Detect will alert on all specified events, so the exact magnitude of an incident can be determined.
Incident Mitigation (RS.MI): Activities are performed to prevent expansion of an event and mitigate its effects.
RS.MI-01: Incidents are contained.
ThreatLocker Application Control can prevent cybersecurity incidents from propagating. This is done not only by preventing unwanted software from running, but also by preventing allowed software from behaving in ways it should not. ThreatLocker Network Control can prevent lateral movement of a cybersecurity incident across a network. ThreatLocker Detect can take automatic actions in the event of a specified cybersecurity incident. Endpoints can also be isolated or locked down to stop existing network connections and processes.
RECOVER (RC): Assets and operations affected by a cybersecurity incident are restored.
Incident Recovery Plan Execution (RC.RP): Restoration activities are performed to ensure operational availability of systems and services affected by cybersecurity incidents.
RC.RP-03: The integrity of backups and other restoration assets is verified before using them for restoration.
The ThreatLocker Unified Audit can show exactly what accessed backups and when.
RC.RP-04: Critical mission functions and cybersecurity risk management are considered to establish post-incident operational norms.
The ThreatLocker Unified Audit can log each system's interactions to compare them to activity before an incident.
RC.RP-05: The integrity of restored assets is verified, systems and services are restored, and normal operating status is confirmed.
ThreatLocker Application Control can list all applications on a resource, so you can ensure nothing unauthorized can run.
RC.RP-06: The end of incident recovery is declared based on criteria, and incident-related documentation is completed.
The ThreatLocker Unified Audit can show some of the actions and responses taken. These can be used in an after-action review.
Works Cited
NIST. "The NIST Cybersecurity Framework (CSF) 2.0." NIST CSWP 29, 26 Feb. 2024, nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.29.pdf, https://doi.org/10.6028/nist.cswp.29.