ThreatLocker launches Advanced Anomaly Detection

Danny Jenkins, ThreatLocker CEO

Orlando-based cybersecurity startup ThreatLocker, a large, late-stage venture capital-backed firm, has unveiled Advanced Anomaly Detection, a new feature within its Cloud Detect product. Advanced Anomaly Detection significantly enhances organizations’ ability to identify and neutralize sophisticated cyber threats such as impossible travel, cookie theft, and credential harvesting, and complements the company’s endpoint security and Zero Trust solutions. This functionality is particularly crucial for security analysts and CISOs grappling with the complexities of modern cloud-based environments. ThreatLocker has customers and operations in North America, EMEA, and APAC, in healthcare, banking, government, manufacturing, and many other sectors. The ThreatLocker platform has a library of more than 8,000 built-in application definitions, maintained and updated by the ThreatLocker applications team.

ThreatLocker has multiple features around visibility. It works independently of Microsoft licensing. It also makes better use of telemetry data by letting administrators define trusted IPs, which reduces false positives for traveling users. Finally, it gives customers deeper visibility into irregularities, beyond traditional analysis of individual logs.

ThreatLocker also features application whitelisting, a rule-based system that prevents applications that have not been specifically approved from executing on the network. This is a key part of the ThreatLocker solution. The solution also includes Storage Device Control, which protects external devices, and RingFencing, which is designed as anti-ransomware protection, stopped the EternalBlue exploit, and is about to get a lot more powerful.

The ThreatLocker Portal also contains a Software Health Report, which lists all applications in the environment, including whether each app is out of date and its risk factor. It also provides administrators with useful information about the condition of their ThreatLocker environment, including (but not limited to) incorrectly configured policies, missing network control policies, and unused policies.

The Advanced Anomaly Detection feature is designed to analyze log data from a customer’s cloud environment, running advanced analytics to determine if two login attempts from the same user constitute an “impossible travel” scenario. This means if a user logs in from Europe and an hour later a login is recorded for the same user in the United States, Cloud Detect can identify this as an impossible event, highlighting potential account compromise.
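The detection described above is straightforward to reason about with a small worked example. The following script is an added illustration, not ThreatLocker's code or anything from the article: it assumes a CSV-style sign-in log (timestamp, user, application, source IP, geolocated latitude/longitude), a speed ceiling of roughly airliner cruise speed, and a trusted-IP list of the kind the article mentions for reducing false positives on traveling users (for example a corporate VPN egress range). It correlates consecutive sign-ins per user across different applications, so a Florida login followed an hour later by a European login to another service is flagged, while a pair that passes through a trusted egress address is not. All log lines, IP ranges and coordinates are constructed.

```python
"""Impossible-travel check over sign-in records (added illustration, not ThreatLocker code)."""
from dataclasses import dataclass
from datetime import datetime, timezone
from ipaddress import ip_address, ip_network
from math import asin, cos, radians, sin, sqrt
from typing import List, Tuple

EARTH_RADIUS_KM = 6371.0
# Assumption: anything faster than roughly airliner cruise speed is "impossible".
MAX_PLAUSIBLE_SPEED_KMH = 900.0

# Assumption: trusted egress ranges (e.g. a corporate VPN concentrator) whose
# geolocation says nothing about where the user really is. Constructed values.
TRUSTED_NETWORKS = [ip_network("203.0.113.0/24")]


@dataclass(frozen=True)
class SignIn:
    ts: datetime
    user: str
    app: str
    src_ip: str
    lat: float
    lon: float


# Constructed sample log: timestamp,user,app,src_ip,lat,lon (approximate city centres:
# Orlando, Berlin, New York, London).
SAMPLE_LOG = """\
2024-05-01T08:00:00Z,alice,Microsoft365,198.51.100.7,28.54,-81.38
2024-05-01T09:00:00Z,alice,Salesforce,192.0.2.44,52.52,13.41
2024-05-01T10:00:00Z,bob,Microsoft365,198.51.100.9,40.71,-74.01
2024-05-01T11:30:00Z,bob,Microsoft365,203.0.113.5,51.51,-0.13
2024-05-01T12:00:00Z,carol,Microsoft365,198.51.100.20,28.54,-81.38
2024-05-01T20:00:00Z,carol,Salesforce,192.0.2.80,40.71,-74.01
"""


def parse_log(text: str) -> List[SignIn]:
    """Parse the CSV-style records above into SignIn objects with UTC timestamps."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, app, src_ip, lat, lon = line.split(",")
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append(SignIn(when, user, app, src_ip, float(lat), float(lon)))
    return events


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance between two points, in kilometres."""
    phi1, phi2 = radians(lat1), radians(lat2)
    dphi = radians(lat2 - lat1)
    dlmb = radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(phi1) * cos(phi2) * sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(a))


def is_trusted(ip: str, trusted=TRUSTED_NETWORKS) -> bool:
    """True if the source address falls inside a trusted egress range."""
    addr = ip_address(ip)
    return any(addr in net for net in trusted)


def detect_impossible_travel(events: List[SignIn],
                             max_speed_kmh: float = MAX_PLAUSIBLE_SPEED_KMH,
                             trusted=TRUSTED_NETWORKS) -> List[Tuple[SignIn, SignIn, float]]:
    """Return (earlier, later, implied_speed_kmh) for consecutive sign-ins of the
    same user, across all applications, whose implied speed is not achievable.
    Pairs touching a trusted network are skipped to avoid VPN false positives."""
    by_user = {}
    for ev in events:
        by_user.setdefault(ev.user, []).append(ev)
    alerts = []
    for user_events in by_user.values():
        user_events.sort(key=lambda e: e.ts)
        for prev, cur in zip(user_events, user_events[1:]):
            if is_trusted(prev.src_ip, trusted) or is_trusted(cur.src_ip, trusted):
                continue
            dist = haversine_km(prev.lat, prev.lon, cur.lat, cur.lon)
            hours = (cur.ts - prev.ts).total_seconds() / 3600.0
            # Two distant sign-ins at the same instant are impossible outright.
            speed = dist / hours if hours > 0 else (float("inf") if dist > 0 else 0.0)
            if speed > max_speed_kmh:
                alerts.append((prev, cur, speed))
    return alerts


if __name__ == "__main__":
    for prev, cur, speed in detect_impossible_travel(parse_log(SAMPLE_LOG)):
        print(f"{prev.user}: {prev.app} -> {cur.app} implies {speed:,.0f} km/h")
```

Run as-is, the script reports only alice (Orlando to Berlin in one hour, across two applications). bob's London sign-in comes from the trusted range and is ignored, and carol's Orlando-to-New York pair over eight hours implies a perfectly plausible speed. Passing `trusted=[]` shows the difference the trusted-IP list makes: bob is then flagged as well.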

‘Allowlisting’ has long been considered the gold standard in protecting businesses from known and unknown executables. Unlike antivirus, Allowlisting puts you in control over what software, scripts, executables, and libraries can run on your endpoints and servers. This approach not only stops malicious software, but it also stops other unpermitted applications from running. This approach greatly minimizes cyber threats by stopping rogue applications from running on your network.

“This new capability is critical for hardening attack surfaces and highlighting irregularities in distributed environments,” said Danny Jenkins, CEO and co-founder of ThreatLocker. “Without a unified source of truth for the location of its users, organizations often lose out on critical security measures. Cloud Control creates this source of truth for our Advanced Anomaly Detection, allowing us to identify suspicious activities, such as an authentication from Florida followed by a login from Europe in a different application, which strongly indicates account compromise. And it doesn’t have to end at just Microsoft 365.”

ThreatLocker gives IT teams the granular control they need to block ransomware, prevent zero-day exploits, and harden their environments from the inside out. Designed for simplicity, scalability, and speed, the ThreatLocker security stack reduces complexity, accelerates compliance, and empowers businesses to take control of their cybersecurity—before threats strike. Headquartered in the United States with a growing global presence, ThreatLocker protects 50,000-plus organizations across industries.

The KuppingerCole Executive View examines ThreatLocker Protect, a set of advanced tools in the broader Endpoint Protection Detection and Response (EPDR) market, which focuses on and has dedicated products for Allowlisting, Ringfencing, and Network Control. Endpoint security is and has been a key component of cybersecurity architectures for decades. All end-user computers should have Endpoint Protection Detection & Response (EPDR) clients installed with up-to-date subscriptions. Servers and virtual machines/desktops should also be protected. Windows platforms continue to be primary targets, though malware targeting Android is increasing. Apple’s iOS and macOS devices are not immune to malware, and as their market share grows, so does the volume of threats targeting them.

Ransomware attacks have become more frequent and now affect businesses of all sizes, as well as non-profits and government agencies. Traditional ransomware encrypts users’ data and demands payment for decryption keys. These attacks are often carried out by Advanced Persistent Threat (APT) campaigns, using phishing, social engineering, or stolen credentials to gain access before deploying ransomware across an organization and exfiltrating data. Some ransomware operations have evolved to function like businesses, providing victims with working decryption keys upon payment.

Another approach attackers use is exfiltrating data and threatening to release it unless a ransom is paid. This method sidesteps backups, because the risk lies in data exposure rather than data loss. Some attackers frame their activities as unauthorized penetration testing. Paying ransoms does not guarantee a positive outcome and can encourage further attacks.

Backups remain a fundamental part of cybersecurity planning. However, restoring data can be challenging if backups are outdated, the restoration process is not well-defined or tested, or if malware has compromised backup data. Cybercriminals often target and disrupt cloud-based backups to ensure victims have no easy recovery option. Even when backups are available, restoring systems takes time, making prevention the preferred approach. Since no security product is completely effective, organizations need a multi-layered defense strategy.

Advanced Anomaly Detection features also let you add firewall-like application policies, a policy engine that allows you to permit, deny, or restrict application access at a granular level. You can also add Time-Based Policies to permit access to applications for a specified amount of time and to automatically block the application after the policy has expired.

Application whitelisting has been around for many years, but Jenkins said that it is cumbersome for most customers to use, and has limitations to its effectiveness.

“There have been two approaches to application whitelisting, epitomized by Microsoft and McAfee,” Jenkins said. “The Microsoft approach is that whitelisting is needed to lock down systems, but they do it at a top level only, while the threats are mainly down at the level of the user. The other approach, pioneered by McAfee, and then by Bit9, takes a snapshot of the computer, and nothing is allowed to change. McAfee does very well in IoT devices because they never change, and it works well on servers that typically don’t change. But it doesn’t work on PCs and laptops.” If a snapshot has to be uninstalled and updated with this approach, it typically takes a couple of hours. Jenkins said that while this is simpler with Microsoft, it’s still a 50-minute job.

Jenkins said that ThreatLocker brings a different approach to the table.

“Our system is designed to run on every endpoint – not just static systems,” he stated. “We also focus on making it easy. One of the flaws with whitelisting has been that it has been very hard to deploy. Every computer has 60,000 executables. The result is that one bank took two years and six people to deploy it. A big bank could justify that, but most companies really can’t.

“We transfer the overhead to make whitelisting easy,” Jenkins added. “We have a team to update daily whitelists so that all the heavy lifting is done. We have 17 people on our app team. Their job is to download updates, and make the deployment easy with ThreatLocker catalogues that add them in real time.”

The ThreatLocker Cyber Hero Team takes pride in its role and ability to provide the best for the IT industry, whether by offering technical support, consulting services, and project management, helping customers with a cyber response time of approximately 60 seconds, or participating in cybersecurity-focused events.

In addition to keeping its Built-In Applications up to date, ThreatLocker automatically adds new hashes when application and system updates are released. The ThreatLocker Unified Audit is a centralized location displaying all audited data about what’s occurring within the environment.

ThreatLocker achieves compliance with NIST, HIPAA, CIS, PCI, Essential Eight, and other regulations. It blocks unwanted software from running, regardless of administrative privilege. It also stops known and unknown viruses, ransomware, and other malicious software.