Episode Transcript
Available transcripts are automatically generated. Complete accuracy is not guaranteed.
S1 (00:00):
Unsupervised Learning is a podcast about trends and ideas in cybersecurity,
national security, AI, technology and society, and how best to
upgrade ourselves to be ready for what's coming. All right,
welcome to Unsupervised Learning. This is Daniel Miessler, and we
have with us today Slava Konstantinov from Threatlocker.
S2 (00:25):
Thanks for having me.
S1 (00:26):
Yeah. Great to have you here. So I wanted to just jump
right into it. Can you start off by telling us what's going
on with ThreatLocker overall? What does it address? What is
the main product and what does it do?
S2 (00:44):
Yeah. So ThreatLocker, we're a cybersecurity company and we're protecting endpoints.
And our main approach is zero trust. Zero trust
means that we don't trust anyone except what we trust.
I mean, we have a lot of policies. We can
talk about this, like, deep dive a little bit later.
(01:06):
But yeah, in general we're working with a zero trust approach.
S1 (01:14):
Yeah. So that means by default nothing is allowed
in general, right? And then you poke little holes
for what's allowed.
S2 (01:23):
Yes, we have multiple different products in ThreatLocker.
So basically we have one big ThreatLocker machine, if
I can say that, and also we have
different products. First of all, we have application control.
This basically is allow listing. Allow listing means we
(01:43):
only allow specific software to run that is basically in
our list. Everything else gets denied. So what
does it mean for the enterprise? It means that
every company has a set of software they use. Everything
(02:04):
else should not be allowed. And there are a lot
of examples out there on the internet and in real life, basically,
where people lost their jobs or a company got hacked
because someone installed something that was not supposed to be there.
S1 (02:21):
Yeah, that makes sense. And so what does the
process look like for that? I believe we
talked to someone else from your company as well, so
I heard about this before, and I remember being impressed
with the way that you handled it. But how do
you handle that allow list?
S2 (02:38):
So we have a set of rules. And a rule can
be, like, a path. But mostly we use hashes. So basically we
know every executable hash in your system. So we have a big
(02:59):
database of these hashes. We also know the hashes of
the apps, and how we do that: if there
is an unknown hash trying to execute on your computer, we
basically block it. So it's pretty straightforward and it's
pretty easy. Sometimes you need to maintain it, because
we have two sets of applications. We have built-in
(03:23):
applications, so basically we maintain them. We also check
for updates for those applications and we update the hashes. But there
are sometimes specific requests from the customers, so they need
to maintain those themselves. But it's not super hard. It's
just a small inconvenience for, as I would say,
better security.
S1 (03:44):
Sure. And then, like you were saying, for something like
a Windows environment, a very big software operating system,
lots of updates coming out, lots of application updates coming
out: when those updates come out, I assume they come
to you and you do hashes for those, and then
you give the hashes to the customers so that they
(04:04):
can ensure that they can install them, or...
S2 (04:06):
No, no. Basically what we do: we have a portal.
So it's a website and everything is managed from there.
The customers have admin pages and all
of this, so they can set it up. And when
an update comes out, we have a whole team basically
looking for those updates, running them, learning the new
(04:28):
hashes after the update. So they just basically update the
existing policies, and when the policy gets updated,
it's automatically updated for
every customer we have. And there's also a new
(04:49):
product coming out, that's patch management. So we're gonna
see if there's an old, unpatched
application installed on your computer, and
you can patch it on the fly, basically without even
asking the user to do that.
S1 (05:06):
Oh, very cool. Okay, so you have the
application one. You have this new one that's coming out,
which is patches.
S2 (05:13):
Patch management. Yep.
S1 (05:14):
Patch management. So what are the other products that you have?
You mentioned other ones.
S2 (05:19):
Yeah. So the one we talked about was application control.
We also have storage control. Storage control is a
product that basically can protect your file
system from unwanted access. What I mean by that: you
can stop some application from accessing your folders that
(05:43):
may have some information, like specific information
that needs to be secured. We also can
block USB devices. We also can block network shares. So
this product helps users protect their data from being
(06:04):
accessed by unknown apps, for example, or even USB drives.
So if your company's policy does not allow
USB drives, we can block USB drives from accessing
your computer at all.
S1 (06:20):
Hmm. Interesting. Okay, so it's controlling the media that
can come in. It can handle network shares as well. Yes.
You could basically block off things that are
super sensitive. You don't want it to look at it
at all.
S2 (06:36):
Yes, yes. So we have, for example, a specific
folder with super secret data, your company data, and
you have only 1 or 2 apps that are allowed to
access that, like, for example, Word or Excel or
something like that. So you will allow only these
apps to access that folder. If some other app, like a
(06:58):
malicious app, for example, lurking in your system,
tries to access that folder, we are going to
block it. So it means zero trust: we don't
trust anyone except the ones we trust.
S1 (07:12):
Gotcha. Okay. So that's application control and storage control. Any others?
S2 (07:17):
Yeah. So we have ring fencing. Ring fencing basically means
we allow an app to run, but what we
can do is put this
app into, if I can say that, a sandbox. So saying,
okay, you're not allowed to run
other applications, or you're allowed to run specific applications, or
(07:42):
you cannot access the network, or you can access
the network, but only some specific websites.
S1 (07:49):
Oh, that's right. Yeah. So this is, um, the same.
S2 (07:52):
For.
S1 (07:52):
The stores are round in application.
S2 (07:54):
Yes, around the specific application. So for example, you have,
I don't know, FileZilla or something like that. So you can
access FTP servers, but you have a specific set of FTP
servers that you allow it to connect to, or
(08:14):
any other app. I'm honestly, right now...
S1 (08:18):
Netcat or terminal or something like that.
S2 (08:21):
Oh yeah. Terminal, for example. So you can ring
fence terminal and say, oh, terminal can run this,
this and that, and it's not allowed to run curl,
for example. So if it can't run
curl, some specific attacks...
S1 (08:36):
Or something like, yeah, a way to download additional malware, or...
S2 (08:39):
Yes, yes.
S1 (08:41):
Or outbound SSH or something.
S2 (08:43):
Yeah. Or you downloaded some app and you
need this app, but you're not sure what it's doing.
And you can basically put it into that sandbox and
say, oh, you're not allowed to access the internet. So
even if it's malicious software, it will
try to download some payload from the internet, like an
obfuscated executable, and run it. First of all, even if
(09:08):
it's downloaded, we're not going to allow it to run
because of default deny application control. But at the
same time, even if it stole something from your computer,
it now doesn't have access to the internet to send
it over.
S1 (09:23):
Right.
S2 (09:24):
Yeah. Same for the... I'm sorry. Same for the storage.
Because we can ring fence storage access to specific apps. So
with storage control, we can control the whole system, the whole computer, different applications.
But with ring fencing, we can specifically say this application is allowed
to access that folder, that folder, that folder. Okay, so.
S1 (09:48):
And then can you define all these different policies in
one place, or are they defined in the separate products?
S2 (09:54):
Yeah. So it's a separate product. So application control is
one product, storage control is another, and it's all different products. But
it doesn't mean you're not allowed to reuse them between products.
S1 (10:07):
Okay. Yeah, that makes sense. So a lot of this
has been very Windows focused. Is that right?
S2 (10:14):
Yeah, yeah, Windows. But we also have a Mac agent now,
for a couple of years. And Linux, we have
version 1.4, I guess, of Linux right now. So it's pretty
early stage.
S1 (10:29):
Okay. So tell me about the Mac agent.
S2 (10:32):
Yeah. So I'm the Mac lead architect. So, yeah,
I've basically been there since day one of the Mac
agent, starting with the POC, and now we have version 4.2 coming
out soon. So it's been quite a journey. We don't
have all of the products Windows has for now, but
(10:55):
we're trying to keep up. So we don't have Detect.
I mean, we haven't talked about that yet,
but yeah.
S1 (11:04):
Tell me about Detect.
S2 (11:05):
Okay. So there are also a couple more products
that we haven't talked about.
S1 (11:11):
Yeah, yeah.
S2 (11:12):
Yeah. So one of the
products is elevation control. Basically, in some way
it's a little bit different from zero trust, because
what we can do is allow applications
or a user to elevate specific actions in the system
(11:39):
as an admin user, without asking for actual
admin permissions. So basically you have a standard user on
your computer that is not allowed to elevate anything, but
your admin wants you to install some update, and for
that update you need elevation, or to access some folder
(12:00):
that, if we're talking about Macs, is protected by root,
for example. And what we can do, we can set
up specific rules for that application. So if the application tries to
install an update for itself and it requires root, the
user does not enter any password.
(12:27):
It would just automatically elevate the user to admin privileges
for that specific request, not the whole system. Some specific requests
we can allow for the application, for user interaction with the
system. On Windows it's UAC; in the Mac world
or Linux world it's sudo, or it's
(12:50):
just privilege elevation.
S1 (12:53):
Interesting. Okay. So that's an interesting layer. So it's basically
a layer in between the actual sudo or admin capability.
It's like a shim in between.
S2 (13:06):
Yes, yes. So basically if you're not allowed to run
sudo on your computer, for example, on Mac, any standard user...
So we have an admin user and a standard user, and any
standard user doesn't have access to sudo at all.
But what we can do, we can give
(13:27):
this access to a standard user, but just for some
specific amount of time or a specific amount of actions.
Like if you want to run sudo, Linux apt-get
or something, to update your packages.
S1 (13:42):
Right. So it's like a policy based granular control,
which actually doesn't exist with sudo. If you have sudo,
you have everything.
S2 (13:50):
Yeah. Yeah.
S1 (13:51):
If you're taking that away. Yeah.
S2 (13:53):
Yeah. If you're an admin, it doesn't make sense. You can
just type in a password or click, like, elevate privileges
or something like that. It's not a problem. But if
the user doesn't have any privileges
on the computer, we allow the user to have some of
them if the user needs to.
S1 (14:12):
Sure. Okay. So that's elevation. What's the next one?
What about Detect?
S2 (14:19):
Yeah. So there's Detect. It's not on the Mac.
It's not on Linux yet. It's just a Windows product for now.
But we're working on getting it onto Mac at least. Okay, so
this is our MDR solution. So we have EDR that's automated,
automatically detects and blocks something or makes decisions. We
(14:43):
have MDR, we have a whole MDR team at ThreatLocker
headquarters, and they basically check for... So you can set up
rules and policies for your organization to see, like, oh,
someone is scanning my entire network or doing something. So
(15:03):
we have alerts for that. So our MDR team,
they have an alert, and they can lock your computer down.
If there's some suspicious activity, they can lock your network
down, or they can notify you, call
your admin, saying, oh, there's some suspicious activity, what
do you want to do with that?
(15:24):
Because it happens. There are some
false positives. But that team, they basically monitor all
of these events from all of our customers, and
they make decisions by that. Okay.
S1 (15:39):
Okay. Great. So essentially the agent is talking up
to a centralized location. You could see centralized alerts, like,
for example, someone scanning the entire network or something, and
they could choose to respond to that.
S2 (15:51):
Yeah. Also, the customer, or our team,
we can help customers with that, to set up specific
policies, because every organization may have different policies. So we
can set up their policies in the way they want.
So we can check something, we can skip something else.
S1 (16:14):
Makes sense. Is that all the products
you've got?
S2 (16:18):
Yeah. We have one more. Okay. One more old one.
We have three more new ones.
S1 (16:23):
Okay.
S2 (16:24):
So we have network control. Network control
is basically... we also have default
deny on the network, if you want this. So basically
the endpoint is not allowed to
access anything except what you allow it to. Or you
can allow everything but block specific websites,
(16:47):
like, even if we're talking about protection, default deny
is better, because you can say, oh, you can
access microsoft.com, you can access
some other Adobe updates or something like that, obviously
specific websites for your organization. But if we're talking
(17:08):
about even controlling what your user does, like blocking Facebook or
something, it's pretty simple. So we can
do all of that with network control. It's basically
protecting your environment and your network. We also have a
thing called objects and challenges. So multiple
(17:31):
computers can talk to each other with specific challenges and
objects, saying, oh, this computer, I know this computer,
it's allowed to access my network. Mhm. It doesn't matter where
you are. So it means, because for a firewall you
need to set up your IP, or a VPN, or you have to call
(17:54):
someone like your admin: can you allow this IP to
access our network? But if you're on the
go somewhere, basically traveling, your network control
will send specific objects to your network,
and they will respond. It's a
(18:15):
double check of whether it's legit or not. And
it will allow your computer from any location to access
that network in this way.
S1 (18:25):
Interesting. Okay. I have a question before you go
into the new products. Is anyone thinking about, I
have to assume the answer is yes, is anybody thinking
about a single policy editor where you go in as
an organization and you basically define the policy of, like,
here's what we care about for network overall, for this
(18:50):
particular host. It's like a more centralized single policy,
and that single policy, which you write in English,
gets translated down to the specific rules that apply to
the specific products. So it's still being implemented inside the
separate products, but really it's abstracted up.
S2 (19:12):
Um, yeah.
S1 (19:13):
So we need a policy editor.
S2 (19:15):
So we need to implement some AI stuff for
that, obviously.
S1 (19:21):
Yeah.
S2 (19:21):
Yeah. To translate from human language to that one. We
don't have it yet. It could be our next product.
We'll see.
S1 (19:28):
Yeah. Yeah, that makes sense. So what are the new products?
S2 (19:31):
Yeah. So there are at least three new products.
So, if we're talking about agents, because there's
one more product called Cloud Detect, it's a little bit
different kind of product. I'm working on the agent side,
so it's not an agent related product. It's basically a
product that can allow access to your cloud
(19:56):
services, like Microsoft or AWS or something like that,
with a specific app on your phone. And
wherever you go with this app,
it knows your IP address, and it basically can allow
you access from that location to your cloud services.
(20:18):
But the other three products: web control. So it's
similar in some way
to network control still, but it only works for browsers.
So if you want your organization to block, like, all
gambling websites or porn websites or something like that, you
(20:41):
just can choose a category that you can block or allow.
And we basically will do that. So this is one
of the newest products. It's for someone who doesn't
want to deal with network control. It's much simpler,
and it's
(21:02):
more restrictive, not protective, I would say.
S1 (21:06):
Gotcha. Okay. And is that all of them?
One more, right?
S2 (21:11):
No, no. Two more. Yeah. We have a
lot of products. So we also
have patch management. It's coming soon. So these three
products are coming soon. They're in beta now and
coming live, maybe months, maybe a couple of weeks. Okay. So
(21:33):
the patch management. So as we spoke about
this a little bit earlier, we can patch. We
can have a set of policies and we can check versions
of the apps that are on your computer. And if
the app is outdated, we can alert your
admin, saying, oh, there's a new
(21:57):
update for the app, and you can
basically press the button on the portal and it's going
to automatically patch your application. So it's
a much easier and simpler way of patching, especially
in some cases if you want to allow
(22:17):
some specific version to run on your computer.
S1 (22:21):
Okay.
S2 (22:23):
There's one more called Insights. Insights is basically: we have
a database that stores all of the applications and interactions
with applications from all of our clients. It's totally anonymous.
So it's a different set of data from
(22:46):
our customers' data. But what it can do, basically, is see
every app that was allowed or denied, or the
specific set of rules that apply to that app. And
we can show the user, oh, if some app got blocked
on your computer, you will see small statistics.
(23:06):
Like, the admin of your organization can look at the
statistics saying, oh, this app got denied or got allowed.
This is how many times
this domain was accessed, this is how many times it was
denied, a lot of times. So it's a
small insight into what others do. And you can
create interesting sets of policies, especially ring fence policies, on
(23:30):
some specific app. Oh, usually this app goes to that
folder or accesses that website, and you can automatically press,
like, create ring fence policies for this app. So
it makes the life of our customers a little bit easier.
S1 (23:45):
Yeah, that's smart. Because, like, a ring
fence policy could be 12 different rules to
12 different things, right?
S2 (23:53):
Yes.
S1 (23:54):
And that might take a little while to figure out.
And each time it's a manual add, versus somebody else,
or hundreds of other customers, already figured that out. So
now there's a template.
S2 (24:04):
Yes. Yeah. Exactly.
S1 (24:07):
Yeah. That makes sense. Well, can
you say more about the Mac agent?
How are things different, threat wise, right now
with Mac versus Windows? Are you seeing different threats?
Is the installation process different, the management of it? Is
(24:27):
it different?
S2 (24:28):
I mean, the threats, the attack vectors, are pretty
much the same everywhere. Like, it's the same thing:
Linux, Mac, Windows. Most of them are social engineering.
Some of them are zero day vulnerabilities. Some of
them are supply chain attacks. Right. But
it's still the same. How Apple and Microsoft
(24:52):
approach this is a little bit different, because
Windows, they have Windows Defender, they have UAC.
So they have their own protections. Apple goes a little
bit further with that, because there are a lot more
protections, like TCC. I forgot how it's...
(25:14):
consent and something. Consent and control. Honestly, I forgot,
but basically there's a specific set of rules for each app.
It's what we do, but from Apple's standpoint it's
a little bit simpler. So they can deny access for
(25:34):
any app to the file system, for example. So
it runs in its own small sandbox, or the user
has to approve if the app wants to access your Documents
folder, for example. Right.
S1 (25:49):
Yep.
S2 (25:50):
And Apple has XProtect. It's like Windows Defender. XProtect,
it's probably their built-in antivirus, but it also runs
only for known malware. So it can block only known malware.
It's not even reactive.
S1 (26:10):
It's not looking at behavior for all applications. Okay. So
you're hooking into the Mac functionality and doing your
own functionality, or...
S2 (26:19):
Yeah. So what we do: Apple restricted us from accessing the kernel.
It happened like five years ago, I guess, or something
around that time. And we have a lot of
complications because of that. So they have their own
driver running, and we basically see what this driver
sends us, events, and we can apply to those events
(26:41):
allow or deny. But what a driver can do: it
can access other processes' memory, it can access other
low level things that we could do to make protection
a little bit better, I would say, but we're not
allowed to do that. And there's also a lot of...
(27:02):
because they tried to make it for everyone, there
is a trade off between speed and some of the
things they send to us. So we need
to approach some things differently, especially hashes. So we need
to have our own cache for hashes and all of
(27:24):
these things, because what Apple sends us is a little
bit different. They call it CDHash. It's the code directory hash,
a signing hash. But we need to know the hash for a
specific executable, and it's a little bit different, and we
need to calculate it basically each time the application runs.
And there are some complications with that, I would say. But
(27:46):
we found workarounds for that. For network, it's the
same thing. We don't have access to the kernel, so we
don't have access to some low level packets. So we
only work with what Apple gives us, and we have complications
with that too. And also recently, I guess it
was 15.1, a recent update, they broke third party firewalls.
(28:10):
Not just us, everyone. Yeah. If you run the built-in
firewall, if it's on, we never got any
events from the system, so it's like...
S1 (28:20):
Little Snitch and all those.
S2 (28:22):
Yeah, yeah. Everything was broken. Like, for
one specific Apple update, they broke it. Yeah. So we
get events from macOS, everything, every time someone tries
to connect or send a
packet or something like that, and we never received them
(28:45):
if the built-in firewall was on. Right. So this
is a downside about that. So Apple broke something,
and we couldn't do anything about that.
S1 (28:57):
Now, did they fix that, or is it just broken from now on?
S2 (29:00):
No, no, no, it's fixed. But, as I was saying,
you see, everything is in Apple's hands, basically.
S1 (29:07):
Yeah. That's a good point. They do
hold all the cards there. Yes. Okay. So
the question I have for you is, it seems
like the product overall is the zero trust concept, and
you're simply applying it at all these different module stages
(29:27):
because they all need something slightly different. Yeah. So
that makes sense. Yeah, that's really interesting.
S2 (29:33):
Yeah. So, like, your system is not just simple applications.
It's more complicated than that. So we try
to apply this to every single level to make
better protection.
S1 (29:49):
Yeah, that makes sense. And how different is the Mac
side of it from the Windows side, other than the
permissions and stuff that we talked about? Is the installation
a pretty standard Mac installation? What about administration? Does it
all look the same inside of the portal and everything?
S2 (30:06):
Yeah. So basically, if we're talking about the business logic of things,
it's all the same. Obviously, paths are different, right?
Windows, Mac, Linux, if we're talking about the file
system or something like that. But from the user perspective, it's
(30:26):
the same thing. Application control, ring fencing, it's all the
same thing. You need to understand macOS
to make better policies in some cases. But in general,
we're trying to make this seamless for all of the users.
So they should not distinguish, oh, I have Windows, I
(30:48):
have Linux. If they have a specific app, like an Adobe app, right,
they want to install it. We have a built-in policy
for Windows, we have a built-in policy for Mac, and
there's nothing distinguishing that from the user perspective. So they just
can add this policy to their system and it's going
(31:10):
to work.
S1 (31:12):
Yeah. That makes sense. So when are these new
products coming out?
S2 (31:17):
Yeah. So the new products are coming out pretty soon,
I hope. I hope in a couple of weeks. But
we'll see. Okay. Yeah. It's not up to me.
There's a QA stage. But yeah,
honestly, I don't know. On
the Mac, web control is coming pretty soon. But we have
a couple of problems with Chrome, with browsers except Safari. Safari
(31:45):
on Mac works a little bit better, and it's
easier to handle some things from that standpoint. But other browsers,
we need to figure some things out.
S1 (31:56):
Yeah, browsers are tough because they're always changing their security stuff.
And it seems like it moves a lot, especially
with extensions and stuff. So, yeah, that makes sense.
S2 (32:06):
Yeah.
S1 (32:06):
And so um.
S2 (32:07):
But on the Mac, patch management and Insights will come
a little bit later, because the Mac
is not as huge as Windows, so we have a
little bit smaller team, but we're trying to keep up
as fast as we can. So it's gonna come out,
I hope, by the end of this month. Web control
(32:30):
and Insights and patch management, I really hope it's gonna come out
by the end of the month.
S1 (32:39):
Okay. Well, very cool. Anything else you wanted to share?
Where can we find more information about the products?
S2 (32:47):
Oh, we have YouTube, we have LinkedIn, we
have a website. So you can go anywhere. We're everywhere.
S1 (32:56):
Awesome. Well, it was great to chat with you, and I
enjoyed the conversation.
S2 (33:01):
Thank you.
S1 (33:02):
All right. Take care.
S2 (33:03):
Take care.
S1 (33:05):
Unsupervised Learning is produced on Hindenburg Pro using an
SM7B microphone. A video version of the podcast is
available on the Unsupervised Learning YouTube channel, and the text
version with full links and notes is available at
danielmiessler.com/newsletter. We'll see you next time.