ThreatLocker & NIST 800-171 Rev. 2

25 min. read | Last update: 06.21.2023

 NIST SP 800-171 Rev. 2 addresses the protection of Controlled Unclassified Information (CUI) in nonfederal systems and organizations. For more information on NIST 800-171 R2, please see: https://csrc.nist.gov/publications/detail/sp/800-171/rev-2/final 

When configured correctly, ThreatLocker can assist your organization when you are working towards becoming NIST 800-171 Rev. 2 compliant. ThreatLocker can be used to meet certain security requirements and can assist in meeting other requirements. 

3.1 Access Control 

Basic Security Requirements

  • 3.1.1 - "Limit system access to authorized users, processes acting on behalf of authorized users, or devices (including other systems)."
    • ThreatLocker can help enforce mechanisms at the application and service level to provide increased information security. 
    • Application Allowlisting can restrict what applications can run in your environment, who can use them, and when. 
    • Ringfencing lets you specify what an application can interact with (e.g., other applications, your files, the internet, the registry).
    • Storage Control allows you to customize whether a user can access different types of storage, such as USB drives, network shares, and local folders. Additionally, you can configure Storage Control to only allow specific interfaces to access particular file paths.
    • Using ThreatLocker Elevation Control you can eliminate the need for local administrator accounts. You can get as granular as limiting the elevation for a single file within an application if that is all that is needed.   
    • Network Control gives you total control of inbound traffic to your protected devices, based on IP addresses, specific keywords, agent authentication, or dynamic ACLs, using a simple server-client connection.
  • 3.1.2 - "Limit system access to the types of transactions and functions that authorized users are permitted to execute."
    • ThreatLocker can help define access privileges by account and/or type of account and restrict other attributes required for authorizing access, such as time-of-day and/or point-of-origin. 
    • Application Allowlisting can restrict what applications can run in your environment, who can use them, and when. 
    • Storage Control allows you to customize whether a user can access different types of storage such as USB drives, network shares, and local folders. Additionally, you can configure Storage Control to only allow specific interfaces to access particular file paths.  
    • Using ThreatLocker Elevation Control you can eliminate the need for local administrator accounts. You can get as granular as limiting the elevation for a single file within an application if that is all that is needed.   
    • Network Control gives you total control of inbound traffic to your protected devices, based on IP addresses, specific keywords, agent authentication, or dynamic ACLs, using a simple server-client connection.

Derived Security Requirements

  • 3.1.3 - "Control the flow of CUI in accordance with approved authorizations."
    • ThreatLocker can be an enforcement mechanism to control the flow of information. 
    • Storage Control allows you to customize whether a user can access different types of storage such as USB drives, network shares, and local folders. Additionally, you can configure Storage Control to only allow specific interfaces to access particular file paths.    
    • Network Control gives you total control of inbound traffic to your protected devices, based on IP addresses, specific keywords, agent authentication, or dynamic ACLs, using a simple server-client connection.
  • 3.1.4 - "Separate the duties of individuals to reduce the risk of malevolent activity without collusion."
    • ThreatLocker can help reduce the risk of malevolent activity among different individuals or roles.
    • Application Allowlisting can limit the use of applications by users to allow the use of only what is needed for their role. 
    • Storage Control can limit each user's access to different types of storage devices, allowing only what is strictly required for the user's role.
  • 3.1.5 - "Employ the principle of least privilege, including for specific security functions and privileged accounts."
    • ThreatLocker can help create the least privileged environment. 
    • Application Allowlisting can restrict what applications can run in your environment, who can use them, and when. 
    • Ringfencing lets you specify what an application can interact with (e.g., other applications, your files, the internet, the registry).
    • Storage Control allows you to customize whether a user can access different types of storage such as USB drives, network shares, and local folders. Additionally, you can configure Storage Control to only allow specific interfaces to access particular file paths.
    • Using ThreatLocker Elevation Control you can eliminate the need for local administrator accounts. You can get as granular as limiting the elevation for a single file within an application if that is all that is needed.
    • Network Control gives you total control of inbound traffic to your protected devices, based on IP addresses, specific keywords, agent authentication, or dynamic ACLs, using a simple server-client connection.
    • The Unified Audit is a transactional history of everything that ThreatLocker is securing, including simulated denies if the machine is not secured. 
    • ThreatLocker Ops is a comprehensive threat detection and behavior monitoring tool which can be used to set intrusion detection parameters.
  • 3.1.6 - "Use non-privileged accounts or roles when accessing nonsecurity functions."
    • ThreatLocker can help implement access control policies and manage access authorizations for users. 
    • Application Allowlisting can restrict what applications can run in your environment, who can use them, and when. 
    • Elevation Control can specify which applications are permitted to run with elevated privileges, and which users can run those applications within a designated timeframe.
  • 3.1.7 - "Prevent non-privileged users from executing privileged functions and audit the execution of such functions." 
    • ThreatLocker can help protect privileged functions from non-privileged users. 
    • Application Allowlisting can restrict what applications can run in your environment, who can use them, and when. 
    • Ringfencing lets you specify what an application can interact with (e.g., other applications, your files, the internet, the registry).
    • The Unified Audit is a transactional history of everything that ThreatLocker is securing, including simulated denies if the machine is not secured. 
  • 3.1.8 - "Limit unsuccessful logon attempts."
    • ThreatLocker can help limit unsuccessful logon attempts. ThreatLocker Configuration Manager policies can be created to alert on excessive failed logon events. ThreatLocker Ops can be used to detect excessive failed logons and take action based on thresholds set by you.
  • 3.1.11 - "Terminate (automatically) a user session after a defined condition."
    • ThreatLocker helps meet this requirement for the ThreatLocker Platform itself by requiring users to set an inactivity time limit for the ThreatLocker Portal; once a session has been inactive for that long, it is terminated.
  • 3.1.12 - "Monitor and control remote access sessions." 
    • ThreatLocker can help monitor and control remote access sessions.
    • Network Control gives you total control of inbound traffic to your protected devices, based on IP addresses, specific keywords, agent authentication, or dynamic ACLs, using a simple server-client connection.
    • The Unified Audit is a transactional history of everything that ThreatLocker is securing, including simulated denies if the machine is not secured. 
    • ThreatLocker Ops is a comprehensive threat detection and behavior monitoring tool which can be used to set intrusion detection parameters, and take action based on thresholds specified by you.
  • 3.1.14 - "Route remote access through managed access control points."
    • ThreatLocker can help route remote access. 
    • Application Allowlisting can restrict what applications can run in your environment, who can use them, and when. It will block any remote access tools/applications that are not explicitly approved.   
    • Network Control gives you total control of inbound traffic to your protected devices, based on IP addresses, specific keywords, agent authentication, or dynamic ACLs, using a simple server-client connection.
  • 3.1.15 - "Authorize remote execution of privileged commands and remote access to security-relevant information."
    • ThreatLocker can help control access and privileges. 
    • Application Allowlisting can restrict what applications can run in your environment, who can use them, and when. It will block any remote access tools/applications that are not explicitly approved. 
    • Elevation Control can specify which applications are permitted to run with elevated privileges, and which users can run those applications within a designated timeframe.
    • Network Control gives you total control of inbound traffic to your protected devices, based on IP addresses, specific keywords, agent authentication, or dynamic ACLs, using a simple server-client connection.
    • Ringfencing lets you specify what an application can interact with (e.g., other applications, your files, the internet, the registry).
    • Storage Control allows you to customize whether a user can access different types of storage such as USB drives, network shares, and local folders. Additionally, you can configure Storage Control to only allow specific interfaces to access particular file paths. 
  • 3.1.17 - "Protect wireless access using authentication and encryption."
    • ThreatLocker can help authenticate users and devices to protect wireless access to organizational systems. 
    • Application Allowlisting can restrict what applications can run in your environment, who can use them, and when. It will block any remote access tools/applications that are not explicitly approved.
    • Elevation Control can specify which applications are permitted to run with elevated privileges, and which users can run those applications within a designated timeframe.
    • Network Control gives you total control of inbound traffic to your protected devices, based on IP addresses, specific keywords, agent authentication, or dynamic ACLs, using a simple server-client connection.
    • Ringfencing lets you specify what an application can interact with (e.g., other applications, your files, the internet, the registry).
    • Storage Control allows you to customize whether a user can access different types of storage such as USB drives, network shares, and local folders. Additionally, you can configure Storage Control to only allow specific interfaces to access particular file paths.
  • 3.1.19 - "Encrypt CUI on mobile devices and mobile computing platforms."
    • ThreatLocker can assist with enforcing encryption on mobile computing platforms.
    • Storage Control can be used to enforce encryption on external storage.
    • Configuration Manager can be set to alert if full disk encryption is not enabled.
  • 3.1.20 - "Verify and control/limit connections to and use of external systems."
    • ThreatLocker can help control the use of external systems. 
    • Configuration Manager can block access to social media, cloud storage and common webmail platforms.
  • 3.1.21 - "Limit use of portable storage devices on external systems."
    • ThreatLocker can help control the use of portable storage devices. 
    • Storage Control allows you to customize whether a user can access different types of storage such as USB drives, network shares, and local folders. Additionally, you can configure Storage Control to only allow specific interfaces to access particular file paths.   
    • Configuration Manager can be used to block the use of optical drives.

3.3 Audit and Accountability 

Basic Security Requirements  

  • 3.3.1 - "Create and retain system audit logs and records to the extent needed to enable the monitoring, analysis, investigation, and reporting of unlawful or unauthorized system activity."
    • ThreatLocker can help by providing an audit log of events. 
    • The Unified Audit is a transactional history of everything that ThreatLocker is securing, including simulated denies if the machine is not secured. These logs are retained for 30 days by default, but organizations can extend the retention period according to compliance needs. 
  • 3.3.2 - "Ensure that the actions of individual system users can be uniquely traced to those users, so they can be held accountable for their actions."
    • ThreatLocker can help by linking audit events to individual users. 
    • The Unified Audit is a transactional history of everything that ThreatLocker is securing, including simulated denies if the machine is not secured. It will ensure that the actions of all individual users can be traced to those users for accountability. 
    • Storage Control allows you to customize whether a user can access different types of storage such as USB drives, network shares, and local folders. It will ensure file access of specified storage will be displayed in the Unified Audit. 
    • Application Allowlisting can restrict what applications can run in your environment, who can use them, and when. It will ensure the auditing of application usage. 

Derived Security Requirements

  • 3.3.3 - "Review and update audited events."
    • ThreatLocker can assist by providing a list of logged events for the organization to examine for re-evaluation. 
    • The Unified Audit is a transactional history of everything that ThreatLocker is securing, including simulated denies if the machine is not secured. These logs are retained for 30 days by default, but organizations can extend the retention period according to compliance needs. 
  • 3.3.5 - "Correlate audit review, analysis, and reporting processes for investigation and response to indications of inappropriate, suspicious, or unusual activity." 
    • ThreatLocker can assist by providing a list of logged events. 
    • The Unified Audit is a transactional history of everything that ThreatLocker is securing, including simulated denies if the machine is not secured. These logs are retained for 30 days by default, but organizations can extend the retention period according to compliance needs. 
  • 3.3.6 - "Provide audit record reduction and report generation to support on-demand analysis and reporting."
    • ThreatLocker can support audit log analysis. 
    • The Unified Audit is a transactional history of everything that ThreatLocker is securing, including simulated denies if the machine is not secured. Using ThreatLocker's various filtering options in the Unified Audit, you can search for specific information. ThreatLocker also provides the ability to generate various reports. 
  • 3.3.7 - "Provide a system capability that compares and synchronizes internal system clocks with an authoritative source to generate timestamps for audit records." 
    • ThreatLocker can assist by providing time stamps for audit records.
    • The Unified Audit is a transactional history of everything that ThreatLocker is securing, including simulated denies if the machine is not secured. All audit logs will include a date/time stamp down to the second and will be set to the time zone of the organization. 
  • 3.3.8 - "Protect audit information and audit tools from unauthorized access, modification, and deletion." 
    • ThreatLocker can help by restricting user access. 
    • The Unified Audit is a transactional history of everything that ThreatLocker is securing, including simulated denies if the machine is not secured. ThreatLocker protects the audit information from unauthorized access, modification, or deletion. Only administrators on your ThreatLocker account can access the audit. You have the ability to lock out ThreatLocker staff. Anything logged in the audit cannot be deleted by anyone unless those logs go past the specified retention time period. 
  • 3.3.9 - "Limit management of audit logging functionality to a subset of privileged users."
    • ThreatLocker can help by inhibiting the ability to modify logged events within a specified period. 
    • The Unified Audit is a transactional history of everything that ThreatLocker is securing, including simulated denies if the machine is not secured. Only administrators on your ThreatLocker account can view any of the audit logs in ThreatLocker. You can limit the privileges of administrators on your ThreatLocker account to prevent them from viewing the audit if desired. You can lock ThreatLocker staff out of your account as well. Anything logged in the audit cannot be deleted by anyone unless those logs go past the specified retention time period.  

3.4 Configuration Management 

Basic Security Requirements

  • 3.4.1 - "Establish and maintain baseline configurations and inventories of organizational systems (including hardware, software, firmware, and documentation) throughout the respective system development life cycles."
    • ThreatLocker can assist by taking inventory of and baselining organizational systems.
    • Every machine running ThreatLocker will be baselined. During the baselining process, ThreatLocker will catalog each application found on the machine(s), including the OS version and build.
    • Utilizing the Application Control policy and application lists, you can view all software installed and control what can run in your environment. 
  • 3.4.2 - "Establish and enforce security configuration settings for information technology products employed in organizational systems."
    • ThreatLocker can help create and execute security configuration settings. 
    • Application Allowlisting can restrict what applications can run in your environment, who can use them, and when.
    • Ringfencing lets you specify what an application can interact with (e.g., other applications, your files, the internet, the registry).
    • Storage Control allows you to customize whether a user can access different types of storage such as USB drives, network shares, and local folders. Additionally, you can configure Storage Control to only allow specific interfaces to access particular file paths.
    • Using ThreatLocker Elevation Control you can eliminate the need for local administrator accounts. You can get as granular as limiting the elevation for a single file within an application if that is all that is needed.
    • Network Control gives you total control of inbound traffic to your protected devices, based on IP addresses, specific keywords, agent authentication, or dynamic ACLs, using a simple server-client connection.

Derived Security Requirements

  • 3.4.3 - "Track, review, approve or disapprove, and log changes to organizational systems."
    • ThreatLocker can assist with tracking, logging, and approving changes to organizational systems. 
    • Application Allowlisting operates using a default deny, so any software changes have to be approved or they will be blocked. A current list of all software in the environment is logged, including the first time and last time it was seen. 
  • 3.4.5 - "Define, document, approve, and enforce physical and logical access restrictions associated with changes to organizational systems."
    • ThreatLocker can help manage privileged access rights. 
    • Application Allowlisting can restrict what applications can run in your environment, who can use them, and when. 
    • Ringfencing lets you specify what an application can interact with (e.g., other applications, your files, the internet, the registry).
    • Storage Control allows you to customize whether a user can access different types of storage such as USB drives, network shares, and local folders. Additionally, you can configure Storage Control to only allow specific interfaces to access particular file paths. 
    • Using ThreatLocker Elevation Control you can eliminate the need for local administrator accounts. You can get as granular as limiting the elevation for a single file within an application if that is all that is needed. 
  • 3.4.6 - "Employ the principle of least functionality by configuring organizational systems to provide only essential capabilities."
    • ThreatLocker can help limit component functionality. 
    • Application Allowlisting can restrict what applications can run in your environment, who can use them, and when. 
    • Ringfencing lets you specify what an application can interact with (e.g., other applications, your files, the internet, the registry).
    • Storage Control allows you to customize whether a user can access different types of storage such as USB drives, network shares, and local folders. Additionally, you can configure Storage Control to only allow specific interfaces to access particular file paths. 
    • Using ThreatLocker Elevation Control you can eliminate the need for local administrator accounts. You can get as granular as limiting the elevation for a single file within an application if that is all that is needed. 
    • Network Control gives you total control of inbound traffic to your protected devices, based on IP addresses, specific keywords, agent authentication, or dynamic ACLs, using a simple server-client connection.
  • 3.4.7 - "Restrict, disable, and prevent the use of nonessential programs, functions, ports, protocols, and services."
    • ThreatLocker can assist in restricting the use of nonessential software.
    • Application Allowlisting can restrict what applications can run in your environment, who can use them, and when.
    • Ringfencing lets you specify what an application can interact with (e.g., other applications, your files, the internet, the registry).
    • Storage Control allows you to customize whether a user can access different types of storage such as USB drives, network shares, and local folders. Additionally, you can configure Storage Control to only allow specific interfaces to access particular file paths. 
    • Using ThreatLocker Elevation Control you can eliminate the need for local administrator accounts. You can get as granular as limiting the elevation for a single file within an application if that is all that is needed. 
    • Network Control gives you total control of inbound traffic to your protected devices, based on IP addresses, specific keywords, agent authentication, or dynamic ACLs, using a simple server-client connection. Create a policy to deny all inbound traffic, closing all ports; needed ports then open on demand for permitted connections.
    • Configuration Manager provides the ability to disable autorun. 
  • 3.4.8 - "Apply deny-by-exception (blacklisting) policy to prevent the use of unauthorized software or deny-all, permit-by-exception (whitelisting) policy to allow the execution of authorized software."
    • ThreatLocker can assist with Application Allowlisting.
    • Application Allowlisting operates using a default deny, restricting what applications can run in your environment, who can use them, and when. It gives you the ability to deny all and permit by exception, creating a true whitelist.
  • 3.4.9 - "Control and monitor user-installed software."
    • ThreatLocker can control user-installed software.
    • Application Control can restrict what applications can run in your environment, who can use them, and when. It provides the ability to control and monitor all software installed in your environment. No user can install or make changes to software unless you have permitted it.
    • The Unified Audit is a transactional history of everything that ThreatLocker is securing, including simulated denies if the machine is not secured. It will provide a log of all software that is installed or attempted to be installed. 
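The deny-all, permit-by-exception behaviour described under 3.4.8 and 3.4.9, together with the "simulated deny" audit entries the Unified Audit records on a machine that is not yet secured, can be modelled in a few lines. The following is an added example and not ThreatLocker's code; the rule fields (binary hash, permitted users, permitted hours), the "secured" flag and the sample hashes are my own assumptions and constructed values.

```python
"""Added example (not ThreatLocker's code): a minimal model of a
deny-all, permit-by-exception application policy with an audit trail.

Assumptions (mine, not from the article): an allow rule identifies a
binary by its SHA-256, may restrict which users can run it and during
which hours, and a device that is not yet "secured" records a simulated
deny instead of blocking. Hashes below are constructed placeholders.
"""
from dataclasses import dataclass, field
from datetime import datetime
from typing import Optional


@dataclass(frozen=True)
class AllowRule:
    name: str
    sha256: str                                  # identity of the permitted binary
    users: frozenset = frozenset()               # empty = any user
    hours: Optional[tuple] = None                # (start_hour, end_hour), None = any time


@dataclass
class AuditEntry:
    timestamp: datetime
    user: str
    path: str
    sha256: str
    action: str                                  # "permit", "deny" or "simulated deny"
    rule: Optional[str]                          # name of the matching rule, if any


@dataclass
class AllowlistPolicy:
    rules: list
    secured: bool = True                         # False = monitor/learning mode
    audit: list = field(default_factory=list)

    def _match(self, user: str, sha256: str, when: datetime) -> Optional[AllowRule]:
        # Match on the hash, never on the file name or path: a renamed or
        # relocated binary still has the same identity.
        for rule in self.rules:
            if rule.sha256 != sha256:
                continue
            if rule.users and user not in rule.users:
                continue
            if rule.hours is not None:
                start, end = rule.hours
                if not (start <= when.hour < end):
                    continue
            return rule
        return None

    def evaluate(self, user: str, path: str, sha256: str, when: datetime) -> str:
        """Default deny: only an explicit matching rule permits execution.
        Every decision, including simulated denies, lands in the audit."""
        rule = self._match(user, sha256, when)
        if rule is not None:
            action = "permit"
        elif self.secured:
            action = "deny"
        else:
            action = "simulated deny"            # monitor-only: logged, not blocked
        self.audit.append(AuditEntry(when, user, path, sha256, action,
                                     rule.name if rule else None))
        return action


# Constructed sample hashes (placeholders, not real file hashes).
H_APP = "a" * 64
H_BACKUP = "b" * 64
H_UNKNOWN = "c" * 64


def build_sample_policy(secured: bool) -> AllowlistPolicy:
    return AllowlistPolicy(rules=[
        AllowRule("line-of-business app", H_APP),
        # Backup tool: only the service account, only during the 01:00-05:00 window.
        AllowRule("backup tool", H_BACKUP, users=frozenset({"svc_backup"}), hours=(1, 5)),
    ], secured=secured)


def run_sample(secured: bool) -> list:
    """Replay five constructed execution attempts and return the decisions."""
    policy = build_sample_policy(secured)
    d = datetime(2023, 6, 21)
    attempts = [
        ("alice", r"C:\Program Files\App\app.exe", H_APP, d.replace(hour=10)),
        ("bob", r"C:\Tools\backup.exe", H_BACKUP, d.replace(hour=10)),        # wrong user
        ("svc_backup", r"C:\Tools\backup.exe", H_BACKUP, d.replace(hour=3)),  # in window
        ("svc_backup", r"C:\Tools\backup.exe", H_BACKUP, d.replace(hour=14)), # out of window
        ("alice", r"C:\Users\alice\Downloads\app.exe", H_UNKNOWN, d.replace(hour=10)),  # not listed
    ]
    return [policy.evaluate(*attempt) for attempt in attempts]


def simulated_denies(secured: bool) -> int:
    """Count the audit entries a not-yet-secured device would have blocked."""
    policy = build_sample_policy(secured)
    run = run_sample(secured)
    return run.count("simulated deny")


if __name__ == "__main__":
    for mode in (True, False):
        print("secured" if mode else "monitor", run_sample(mode))
```

Reviewing the simulated-deny entries before switching a device to secured mode is what lets you find the rules still missing from the allowlist without breaking users.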

3.5 Identification and Authentication 

Basic Security Requirements

  • 3.5.1 - "Identify system users, processes acting on behalf of users, and devices."
    • ThreatLocker can assist in identifying which user or device performed an action.
    • The Unified Audit is a transactional history of everything that ThreatLocker is securing, including simulated denies if the machine is not secured. Through the Unified Audit, you can track what actions are run, by which user or system account, and maintain visibility of what processes are run and on which device they occurred. 
  • 3.5.2 - "Authenticate the identities of users, processes, or devices, as a prerequisite to allowing access to organizational systems."
    • ThreatLocker can assist with authenticating users.
    • ThreatLocker Configuration Manager policies can be set to enforce local password complexity requirements, including length and age.
  • 3.5.7 - "Enforce a minimum password complexity and change of characters when new passwords are created."
    • ThreatLocker can assist with enforcing password complexity. 
    • ThreatLocker Configuration Manager policies can be set to enforce local password complexity requirements, including length and age. 

3.7 Maintenance 

Basic Security Requirements

  • 3.7.2 - "Provide controls on the tools, techniques, mechanisms, and personnel used to conduct system maintenance."  
    • ThreatLocker can assist in meeting the control for this practice.
    • Application Allowlisting can restrict what applications can run in your environment, who can use them, and when.
    • Ringfencing lets you specify what an application can interact with (e.g., other applications, your files, the internet, the registry).
    • Storage Control allows you to customize whether a user can access different types of storage such as USB drives, network shares, and local folders. Additionally, you can configure Storage Control to only allow specific interfaces to access particular file paths.  

Derived Security Requirements  

  • 3.7.6 - "Supervise the maintenance activities of personnel without required access authorization."
    • Using ThreatLocker Elevation Control you can eliminate the need for local administrator accounts. You can get as granular as limiting the elevation for a single file within an application if that is all that is needed. This way, administrators can offer restricted elevated permissions on a case-by-case basis.

 3.8 Media Protection 

Derived Security Requirements

  • 3.8.6 - "Implement cryptographic mechanisms to protect the confidentiality of CUI stored on digital media during transport unless otherwise protected by alternative physical safeguards."
    • ThreatLocker can assist with implementing cryptographic mechanisms on stored media.
    • Storage Control can be used to enforce encryption on removable media by setting policies to only permit access to data locations by encrypted devices.
  • 3.8.7 - "Control the use of removable media on system components." 
    • ThreatLocker can help employ technical controls to limit the use of portable storage devices. 
    • Storage Control allows you to customize whether a user or device can access different types of storage such as USB drives, network shares, and local folders. Additionally, you can configure Storage Control to only allow specific interfaces to access particular file paths. 
  • 3.8.8 - "Prohibit the use of portable storage devices when such devices have no identifiable owner."
    • ThreatLocker can help restrict the use of portable storage devices. 
    • Storage Control allows you to customize whether a user or device can access different types of storage such as USB drives, network shares, and local folders. Devices can be permitted by serial number and granted either read-only or read-and-write access. Additionally, you can configure Storage Control to only allow specific interfaces to access particular file paths.

3.11 Risk Assessment 

Derived Security Requirements

  • 3.11.3 - "Remediate vulnerabilities in accordance with risk assessments."
    • While ThreatLocker cannot remediate vulnerabilities, it can be used to minimize the risk associated with vulnerabilities until they can be addressed. 
    • Application Control can restrict what applications can run in your environment, who can use them, and when.
    • Ringfencing lets you specify what an application can interact with (e.g., other applications, your files, the internet, the registry).
    • Storage Control allows you to customize whether a user can access different types of storage such as USB drives, network shares, and local folders. Additionally, you can configure Storage Control to only allow specific interfaces to access particular file paths. 
    • Using ThreatLocker Elevation Control you can eliminate the need for local administrator accounts. You can get as granular as limiting the elevation for a single file within an application if that is all that is needed.   
    • Network Control gives you total control of inbound traffic to your protected devices, based on IP addresses, specific keywords, agent authentication, or dynamic ACLs, using a simple server-client connection.
    • ThreatLocker Ops policies can be set to monitor for IOCs and alert and respond according to thresholds set by you.  

3.13 System and Communications Protection 

Derived Security Requirements

  • 3.13.6 - "Deny network communications traffic by default and allow network communications traffic by exception (i.e., deny all, permit by exception)."
    • ThreatLocker can assist by controlling inbound network traffic.
    • Network Control gives you total control of inbound traffic to your protected devices, based on IP addresses, specific keywords, agent authentication, or dynamic ACLs, using a simple server-client connection.
  • 3.13.9 - "Terminate network connections associated with communications sessions at the end of the sessions or after a defined period of inactivity." 
    • ThreatLocker can help control inbound traffic and terminate inactive network connections.
    • Network Control gives you total control of inbound traffic to your protected devices, based on IP addresses, specific keywords, agent authentication, or dynamic ACLs, using a simple server-client connection. Once a connection is authenticated, it remains open for 5 minutes. The authentication is re-checked every minute, and once it can no longer be authenticated, the connection is automatically terminated 5 minutes later.
  • 3.13.16 - "Protect the confidentiality of CUI at rest." 
    • ThreatLocker can assist in restricting access to information.
    • Storage Control allows you to customize whether a user or device can access different types of storage such as USB drives, network shares, and local folders. Storage Control can also be configured to enforce encryption by only permitting access to data by encrypted devices. 
    • The Unified Audit will log only the file names and directory where they are located; there is no visibility of the file contents, protecting the confidentiality of the data within the ThreatLocker Portal.
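The connection lifetime rule given for Network Control under 3.13.9 (a 5-minute lease, re-authentication checked every minute, termination 5 minutes after authentication first fails) can be simulated to see how long a connection stays open after a client loses authorization. This is an added example, not ThreatLocker's code; it assumes my reading of the article that each successful check renews the lease, that the first failed check fixes the termination time, and that a later successful check cannot rescue a closing connection (the article does not say).

```python
"""Added example (not ThreatLocker's code): a model of the dynamic-ACL
connection lifetime described for Network Control under 3.13.9.

Assumptions (mine): checks run once per minute; each successful check
renews a 5-minute lease; the first failed check schedules termination
5 minutes after that check, and later checks cannot reopen the lease.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

LEASE_MINUTES = 5
CHECK_INTERVAL_MINUTES = 1


@dataclass
class SessionEvent:
    minute: int
    event: str


def simulate_session(authorized_until: int,
                     max_minutes: int = 60) -> Tuple[Optional[int], List[SessionEvent]]:
    """Simulate one inbound connection authenticated at minute 0.

    The client is treated as still authorized at every check up to and
    including minute `authorized_until`, and as unauthorized afterwards.
    Returns (termination_minute, events); termination_minute is None if
    the connection is still open when `max_minutes` is reached.
    """
    events = [SessionEvent(0, f"authenticated; lease expires at minute {LEASE_MINUTES}")]
    lease_expires = LEASE_MINUTES
    close_at = None                     # set once a check fails
    minute = 0
    while minute < max_minutes:
        minute += CHECK_INTERVAL_MINUTES
        if close_at is not None:
            # Already closing: no further re-authentication is attempted.
            if minute >= close_at:
                events.append(SessionEvent(minute, "connection terminated"))
                return minute, events
            continue
        if minute <= authorized_until:
            lease_expires = minute + LEASE_MINUTES
            events.append(SessionEvent(
                minute, f"re-authenticated; lease renewed until minute {lease_expires}"))
        else:
            close_at = minute + LEASE_MINUTES
            events.append(SessionEvent(
                minute, f"authentication failed; terminating at minute {close_at}"))
    return None, events


def exposure_after_loss(authorized_until: int) -> int:
    """Minutes the connection stays open after the client was last authorized.

    Worst case is the check interval (time to notice) plus the 5-minute
    grace period, which is the window a defender should plan around.
    """
    terminated, _ = simulate_session(authorized_until)
    return terminated - authorized_until


if __name__ == "__main__":
    for e in simulate_session(3)[1]:
        print(f"t+{e.minute:>2} min: {e.event}")
```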

 3.14 System and Information Integrity 

Basic Security Requirements  

  • 3.14.1 - "Identify, report, and correct system flaws in a timely manner."
    • ThreatLocker can help identify and log vulnerabilities. 
    • ThreatLocker Ops uses the telemetry data collected across all the ThreatLocker modules to identify and respond to potential indicators of compromise or weakness in the environment (e.g., a vulnerable version of MS Exchange). Once a parameter is set, users can configure action steps to take (e.g., automated notifications or blocking access) if the parameter is met.
  • 3.14.2 - "Provide protection from malicious code at designated locations within organizational systems."
    • ThreatLocker can help ensure that software does not perform functions other than intended. 
    • Application Allowlisting can restrict what executables can run in your environment, including scripts and libraries. 
    • Ringfencing lets you specify what an application can interact with (e.g., other applications, your files, the internet, the registry).
    • Storage Control allows you to customize whether a user can access different types of storage such as USB drives, network shares, and local folders. Additionally, you can configure Storage Control to only allow specific interfaces to access particular file paths.
    • Network Control gives you total control of inbound traffic to your protected devices, based on IP addresses, specific keywords, agent authentication, or dynamic ACLs, using a simple server-client connection.
    • Configuration Manager provides the ability to disable downloaded Office macros.

Derived Security Requirements

  • 3.14.5 - "Perform periodic scans of organizational systems and real-time scans of files from external sources as files are downloaded, opened, or executed."
    • ThreatLocker can assist with performing real-time scans of files. 
    • The Unified Audit is a transactional history of everything that ThreatLocker is securing, including simulated denies if the machine is not secured. The Unified Audit provides a near-real-time log of all files that execute or attempt to execute.
  • 3.14.6 - "Monitor organizational systems, including inbound and outbound communications traffic, to detect attacks and indicators of potential attacks."
    • ThreatLocker can help provide audit records to use while monitoring. 
    • Network Control gives you total control of inbound traffic to your protected devices, based on IP addresses, specific keywords, agent authentication, or dynamic ACLs, using a simple server-client connection.
    • The Unified Audit is a transactional history of everything that ThreatLocker is securing, including network activity. 
  • 3.14.7 - "Identify unauthorized use of organizational systems." 
    • ThreatLocker can help prevent unauthorized use of organizational systems and provide a log of access or attempted access to files and systems secured by ThreatLocker. 
    • Application Allowlisting can restrict what applications can run in your environment, who can use them, and when.
    • Ringfencing lets you specify what an application can interact with (e.g., other applications, your files, the internet, the registry).
    • Storage Control allows you to customize whether a user can access different types of storage such as USB drives, network shares, and local folders. Additionally, you can configure Storage Control to only allow specific interfaces to access particular file paths.
    • The Unified Audit is a transactional history of everything that ThreatLocker is securing, including simulated denies if the machine is not secured.
    • ThreatLocker Ops uses the telemetry data collected across all the ThreatLocker modules to identify and respond to potential indicators of compromise or weakness in the environment (e.g., a vulnerable version of MS Exchange). Once a parameter is set, users can configure action steps to take (e.g., automated notifications or blocking access) if the parameter is met.
