Client Overview
A financial services organization with approximately 15 employees sought to improve endpoint security across its Windows, Linux and macOS environment. The organization handled sensitive financial data, processed customer transactions daily, and was subject to regulatory and cybersecurity compliance requirements.
The client's leadership was concerned about unauthorized software installations, increasing ransomware activity targeting financial institutions, and a lack of visibility into what applications were running throughout the organization.
The Challenge
Prior to the engagement, employees had the ability to execute a wide range of applications on their workstations. While traditional antivirus and endpoint protection solutions were in place, the organization faced several risks:
- Employees installing unauthorized software.
- Potential execution of malicious files delivered through phishing attacks.
- Limited visibility into applications actively running in the environment.
- Difficulty enforcing least-privilege principles.
- Concerns about ransomware and living-off-the-land attack techniques.
- Compliance requirements demanding stronger endpoint controls.
The client needed a solution that would allow business-critical applications to function while preventing unauthorized or malicious software from executing.
Assessment and Planning
Intricate Security conducted an assessment of the environment to identify:
- Business-critical applications.
- User workflows and operational requirements.
- Existing endpoint security controls.
- High-risk applications and utilities.
- Administrative access requirements.
The objective was to create a Zero Trust application execution model that would minimize business disruption while significantly reducing the attack surface.
Solution: ThreatLocker Application Allowlisting
ThreatLocker was selected as the primary application control platform due to its ability to enforce default-deny application execution policies while maintaining operational flexibility.
Phase 1: Learning Mode
ThreatLocker agents were deployed across all workstations and placed into Learning Mode.
During this period:
- Existing applications were inventoried.
- Application usage patterns were analyzed.
- Necessary business software was identified.
- Baseline policies were automatically generated.
This allowed Intricate Security to gain visibility into the organization's software ecosystem without impacting users.
Phase 2: Application Allowlisting
After establishing a baseline, ThreatLocker was transitioned from Learning Mode to an enforcement model.
Policies were created to permit only approved applications, including:
- Microsoft 365
- Microsoft Edge
- Adobe Acrobat
- Financial management software
- Banking and transaction processing applications
- Approved line-of-business applications
Any application not explicitly approved was automatically denied.
Phase 3: Ringfencing Controls
To further strengthen security, Ringfencing policies were implemented.
Ringfencing limits what an application may do after it has been allowed to run. The controls prevented approved applications from:
- Launching PowerShell.
- Executing command-line utilities.
- Accessing sensitive system resources.
- Interacting with protected applications.
- Being used as a springboard for privilege escalation.
This blunts the living-off-the-land chains that ransomware operators rely on: a phishing document may still open in an approved copy of Word or Acrobat, but that application is blocked from spawning PowerShell or cmd.exe, so a macro or exploit inside the document has no second stage to hand off to.
Phase 4: Storage Control
ThreatLocker Storage Control policies were configured to restrict access to sensitive financial data locations.
Examples included:
- Limiting access to financial databases.
- Restricting access to accounting file repositories.
- Preventing unauthorized applications from reading or modifying financial records.
- Controlling access to network shares containing customer information.
Only approved applications and authorized users were permitted access.
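The layering of Phases 1 through 4 is easiest to reason about as an evaluation order. The following is an added example, not ThreatLocker's engine or policy format: a toy model in which an execution request must first pass the allowlist (path plus SHA-256), then the Ringfence of its parent, then Storage Control for any protected location it touches, with learning mode recording would-be denials instead of blocking them. The application paths, the "AcmeLedger" finance application, the share name and the hashes are constructed placeholders, not client data.

```python
import hashlib
from dataclasses import dataclass, field

LEARNING, ENFORCE = "learning", "enforce"

# Constructed placeholder paths (assumptions for the example, not client data).
WORD = r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"
LEDGER = r"C:\Program Files\AcmeLedger\ledger.exe"       # hypothetical finance app
POWERSHELL = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
LEDGER_SHARE = r"\\fs01\Finance\Ledger"                  # hypothetical protected share


def sha256_of(blob: bytes) -> str:
    """Stand-in for hashing the real binary on disk."""
    return hashlib.sha256(blob).hexdigest()


@dataclass
class Policy:
    allowed: dict = field(default_factory=dict)       # exe path -> approved SHA-256
    launch_fence: dict = field(default_factory=dict)  # parent exe -> {child exes it may spawn}
    storage_acl: dict = field(default_factory=dict)   # protected path prefix -> {exes allowed in}
    mode: str = LEARNING
    learned: list = field(default_factory=list)       # would-be denials seen in learning mode


def evaluate(policy, exe, exe_hash, child=None, path=None):
    """Verdict for a process `exe` (with on-disk hash `exe_hash`) asking to
    spawn `child` and/or touch `path`. Order: allowlist, Ringfence, Storage."""
    expected = policy.allowed.get(exe)
    if expected is None:
        return "DENY", "not on allowlist"
    if expected != exe_hash:
        # Same path, different bytes: an update, or a replaced binary.
        return "DENY", "hash mismatch: binary changed since approval"
    if child is not None:
        if child not in policy.launch_fence.get(exe, set()):
            return "DENY", f"ringfence: {exe} may not launch {child}"
        if child not in policy.allowed:
            return "DENY", f"child {child} is not on allowlist"
    if path is not None:
        for prefix, apps in policy.storage_acl.items():
            if path.lower().startswith(prefix.lower()):
                if exe not in apps:
                    return "DENY", f"storage control: {exe} may not access {prefix}"
                break  # protected location, access explicitly granted
    return "ALLOW", "ok"


def decide(policy, exe, exe_hash, child=None, path=None):
    """Learning mode lets everything run but records what enforce mode would
    have denied; that record is the baseline Phase 2 turns into policy."""
    verdict, reason = evaluate(policy, exe, exe_hash, child, path)
    if policy.mode == LEARNING:
        if verdict == "DENY":
            policy.learned.append((exe, exe_hash, child, path, reason))
        return "ALLOW", "learning mode: " + reason
    return verdict, reason


def build_policy(mode=ENFORCE):
    """Policy in the shape the case study describes: Office and the finance
    app are allowlisted, neither may spawn any child process, and only the
    finance app may touch the ledger share. Hashes are over placeholder bytes."""
    p = Policy(mode=mode)
    p.allowed = {WORD: sha256_of(b"winword"), LEDGER: sha256_of(b"ledger"),
                 POWERSHELL: sha256_of(b"powershell")}
    p.launch_fence = {WORD: set(), LEDGER: set()}  # fenced: no child processes at all
    p.storage_acl = {LEDGER_SHARE: {LEDGER}}
    return p


if __name__ == "__main__":
    p = build_policy()
    print(decide(p, WORD, sha256_of(b"winword"), child=POWERSHELL))
    print(decide(p, WORD, sha256_of(b"winword"), path=LEDGER_SHARE + r"\2024\GL.xlsx"))
```

Note the distinction the model makes explicit: PowerShell is on the allowlist (an administrator may run it directly), yet Word is still denied from launching it, because Ringfencing is evaluated on the parent, not on whether the child is approved. Likewise, Word is an approved application but is refused access to the ledger share, because Storage Control grants access per application, not per allowlist membership.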
Phase 5: Ongoing Monitoring and Policy Optimization
Following implementation, Intricate Security continuously reviewed:
- Application execution requests.
- Denied execution events.
- User access requests.
- ThreatLocker Unified Audit logs.
- Potential policy improvements.
Unused and duplicate policies were regularly removed to maintain a clean and manageable policy structure.
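Reviewing denied executions is far more useful with a triage order than as a raw list: a Ringfencing hit on a living-off-the-land binary and a business application that changed hash after an update both show up as denials, but one is an incident and the other is a policy change. The script below is an added example, not part of the original case study and not ThreatLocker's Unified Audit schema: it reads a constructed CSV export (the column layout, hosts, users, paths and hashes are assumptions) and sorts denials into those three buckets.

```python
import csv
import io
import re
from collections import defaultdict

# Living-off-the-land binaries: a denial of one of these is usually a Ringfencing hit.
LOLBINS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe",
           "mshta.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe",
           "bitsadmin.exe", "msiexec.exe", "bash", "sh", "osascript"}

# Path fragments meaning "a user could have dropped this file here" (Windows and Unix,
# compared after normalising "/" to "\").
USER_WRITABLE_MARKERS = ("\\users\\", "\\appdata\\", "\\temp\\", "\\tmp\\",
                         "\\downloads\\", "\\home\\")

PRIORITY = {"investigate-lolbin": 0, "investigate-unapproved-binary": 1,
            "policy-gap-candidate": 2, "review": 3}

# Constructed sample export. The column layout, hosts, users, paths and hashes
# are assumptions for this example, not the real Unified Audit schema.
SAMPLE_EXPORT = r"""
timestamp,host,user,action,process,parent,sha256
2024-03-04T09:12:01Z,WS-FIN01,alice,DENY,C:\Users\alice\Downloads\Invoice_0342.exe,C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE,aaaa
2024-03-04T09:12:05Z,WS-FIN01,alice,DENY,C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe,C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE,bbbb
2024-03-04T10:01:44Z,WS-FIN02,bob,DENY,C:\Program Files\AcmeLedger\ledger.exe,C:\Windows\explorer.exe,cccc
2024-03-04T10:03:10Z,WS-FIN03,carol,DENY,C:\Program Files\AcmeLedger\ledger.exe,C:\Windows\explorer.exe,cccc
2024-03-04T10:05:52Z,WS-FIN04,dave,DENY,C:\Program Files\AcmeLedger\ledger.exe,C:\Windows\explorer.exe,cccc
2024-03-04T10:06:13Z,WS-FIN04,dave,ALLOW,C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE,C:\Windows\explorer.exe,ffff
2024-03-04T11:20:00Z,WS-FIN02,bob,DENY,C:\Windows\System32\cmd.exe,C:\Program Files\AcmeLedger\ledger.exe,dddd
2024-03-04T11:41:37Z,MAC-FIN05,erin,DENY,/Users/erin/Downloads/UpdateHelper,/usr/bin/open,eeee
"""


def basename(path: str) -> str:
    """Last path component for either Windows or Unix separators."""
    return re.split(r"[\\/]", path)[-1]


def is_user_writable(path: str) -> bool:
    normalised = path.lower().replace("/", "\\")
    return any(marker in normalised for marker in USER_WRITABLE_MARKERS)


def triage(export_text: str, gap_threshold: int = 3) -> list:
    """Group DENY events by hash and assign each group a triage category."""
    groups = defaultdict(list)
    for row in csv.DictReader(io.StringIO(export_text.strip())):
        if row["action"] == "DENY":
            groups[row["sha256"]].append(row)

    findings = []
    for digest, rows in groups.items():
        proc = basename(rows[0]["process"]).lower()
        users = {r["user"] for r in rows}
        hosts = {r["host"] for r in rows}
        parents = sorted({basename(r["parent"]) for r in rows})
        if proc in LOLBINS:
            category = "investigate-lolbin"
            note = (f"{proc} spawned by {', '.join(parents)}: a Ringfencing hit; "
                    "check the parent for macro, exploit or updater activity")
        elif is_user_writable(rows[0]["process"]):
            category = "investigate-unapproved-binary"
            note = "executable in a user-writable location; treat as a phishing payload until shown otherwise"
        elif len(users) >= gap_threshold:
            category = "policy-gap-candidate"
            note = (f"same hash denied for {len(users)} users on {len(hosts)} hosts: "
                    "probably an updated business application; verify publisher and hash, then approve")
        else:
            category = "review"
            note = "isolated denial of an installed binary; confirm the need with the user before approving"
        findings.append({"sha256": digest, "process": rows[0]["process"], "category": category,
                         "count": len(rows), "users": len(users), "hosts": len(hosts), "note": note})

    # Incidents first, then likely policy work, largest groups first within a bucket.
    findings.sort(key=lambda f: (PRIORITY[f["category"]], -f["count"]))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_EXPORT):
        print(f"[{f['category']}] x{f['count']} {f['process']}\n    {f['note']}")
```

Grouping by hash rather than by path is deliberate: the three `ledger.exe` denials share one hash, which is what makes "updated application, approve once" the likely reading, whereas the same path with several different hashes across hosts would mean something is rewriting the binary and belongs in the investigate bucket.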
Results
Within the first 90 days, the organization achieved measurable improvements:
| Security Metric | Result |
|---|---|
| Unauthorized Application Executions | Reduced by 100% |
| Unapproved Software Installations | Eliminated |
| Application Visibility | Full visibility achieved |
| Ransomware Attack Surface | Significantly reduced |
| Compliance Readiness | Improved |
| Endpoint Control | Zero Trust enforcement implemented |
Additional benefits included:
- Improved security team visibility.
- Reduced risk of malware execution.
- Stronger protection against phishing-delivered payloads.
- Better enforcement of least-privilege principles.
- Increased confidence during compliance assessments and audits.
Business Impact
By implementing ThreatLocker across its environment, the financial services organization transformed its endpoint security posture from a reactive model to a proactive Zero Trust approach.
The organization now operates under a controlled application environment where only approved software can execute, significantly reducing opportunities for attackers to gain a foothold within the network.
This project demonstrated that application allowlisting, combined with Ringfencing and Storage Control, can provide financial institutions with a practical and highly effective method of reducing cyber risk while maintaining normal business operations.
About Intricate Security
Intricate Security helps organizations strengthen their cybersecurity posture through services including penetration testing, security assessments, managed security operations, compliance consulting, vCISO services, and endpoint security implementations. Our team assists organizations in deploying and managing solutions such as ThreatLocker to reduce attack surfaces, enforce Zero Trust principles, and improve overall cyber resilience.