ThreatLocker Specialist


Date: Jun 18, 2026

Location: Toronto, ON, CA

Company: Celestica International LP

08 - Specialist, Information Security
Req ID: 137488
Remote Position: Hybrid 
Region: Americas 
Country: Canada 
State/Province: Ontario
City:  Toronto 

Summary

This role is critical for ensuring endpoint application control remains secure and usable for engineering teams, particularly by acting as a dedicated support function during the stabilization phase of a "Default-Deny" rollout.

In this role, you will be responsible for designing, implementing, auditing, and maintaining ThreatLocker policies across our organization (and/or client environments). You will play a critical role in preventing ransomware, malware, and unauthorized software execution by managing Application Whitelisting (Allowlisting), Ringfencing, Storage Control, and Elevation Control.

The ideal candidate has a strong background in system administration or cybersecurity, possesses a deep understanding of Windows operating systems, and is passionate about achieving a true Zero Trust security posture.

Key Responsibilities

ThreatLocker Administration & Management

  • Policy Creation & Tuning: Design, implement, and maintain ThreatLocker Application Allowlisting policies to ensure only authorized software can execute.
  • Ringfencing: Configure and manage Ringfencing policies to restrict what authorized applications can do (e.g., stopping PowerShell from talking to the internet or blocking Word from launching cmd.exe).
  • Elevation Control: Implement and manage least-privilege access, creating rules for users to run specific applications as administrators without granting full local admin rights.
  • Storage Control: Define and enforce policies for securing USB drives, network shares, and local files against unauthorized access or data exfiltration.
  • Manage allowlisting, Learning Mode, and temporary exceptions.


Monitoring, Auditing & Incident Response

  • Approval Queue Management: Monitor and process daily ThreatLocker approval requests from users efficiently, balancing security with operational productivity.
  • Learning Mode Audits: Review, analyze, and baseline new endpoints during the "Learning Mode" phase to ensure seamless transitions to "Secured Mode."
  • Log Analysis & Reporting: Investigate blocked files, denied executions, and policy violations. Use ThreatLocker audit logs to identify potential security incidents or shadow IT.
  • Integration: Collaborate with the SOC/SIEM team to forward ThreatLocker logs and integrate them into the broader security monitoring ecosystem.
  • Triage blocked applications, scripts, DLLs, and installers.
  • Track service metrics to ensure business productivity.


Maintenance & Strategy

  • Environment Maintenance: Keep ThreatLocker agents updated across all endpoints and servers.
  • Testing & Validation: Test software updates and patch deployments in a sandbox environment to ensure they comply with existing ThreatLocker rules before company-wide rollout.
  • Documentation: Maintain clear, up-to-date documentation of standard operating procedures (SOPs), policy exceptions, and approval workflows.
  • Maintain Ringfencing and policy standards.

Required Experience

  • ThreatLocker Expertise: Minimum of 3 years of hands-on experience specifically managing, configuring, and troubleshooting ThreatLocker in a production environment.
  • IT/Cybersecurity Background: 3+ years of experience in System Administration, Helpdesk Tier 3, Network Engineering, or a Cybersecurity operations role.
  • OS Proficiency: Deep, foundational knowledge of Windows OS (Registry, File Systems, Services, Active Directory, and Group Policy).
  • Experience with macOS or Linux is a strong plus.
  • Scripting: Basic familiarity with PowerShell or Command Prompt for troubleshooting and automation.

Knowledge/Skills/Competencies

Soft Skills

  • Analytical Thinking: Ability to dissect complex application dependencies (e.g., figuring out why a niche accounting application was blocked by a specific DLL file).
  • Customer-Centric Communication: Ability to explain security restrictions to non-technical staff diplomatically and find ways to enable business operations safely.
  • Attention to Detail: Zero Trust requires precision; a misplaced rule can either cause a security gap or halt business operations.

 

Preferred Certifications (A Plus, Not Required)

  • ThreatLocker Professional or ThreatLocker Expert certifications.
  • CompTIA Security+, CySA+, or Network+.
  • Microsoft Certified: Windows Server or Azure Administrator.

Physical Demands

  • Duties of this position are performed in a normal office environment.
  • Duties may require extended periods of sitting and sustained visual concentration on a computer monitor or on numbers and other detailed data. Repetitive manual movements (e.g., data entry, using a computer mouse, using a calculator, etc.) are frequently required.

Notes

This job description is not intended to be an exhaustive list of all duties and responsibilities of the position. Employees are held accountable for all duties of the job. Job duties and the % of time identified for any function are subject to change at any time.

Celestica is an Equal Opportunity Employer. All qualified applicants will receive consideration for employment without regard to race, color, religion, sex, sexual orientation, gender identity, national origin, age, pregnancy, genetic information, disability, status as a protected veteran, or any other protected category under applicable federal, state, and local laws. 
At Celestica we are committed to fostering an inclusive, accessible environment, where all employees and customers feel valued, respected and supported. Special arrangements can be made for candidates who need them throughout the hiring process. Please indicate your needs and we will work with you to meet them.

