
Purple AI, the new generative AI addition to the SentinelOne platform, is going to save security teams a lot of time and also give them much better insight into the weaknesses and vulnerabilities of the organizations they work for, according to the company. As of today, this new AI security solution is generally available.

Organizations have a major cybersecurity challenge. There is simply too much to do for the number of people they have dedicated to security. Ric Smith, SentinelOne’s Chief Product and Technology Officer, says the average enterprise has to investigate more than 1,000 alerts every single day. Security teams also have to proactively hunt for threats. In other words, the number of attacks and vulnerabilities is now so high that they have to work their asses off to analyze them and then take action.

Better prevention, intrinsically more secure software and more security awareness within organizations can only partially counter this trend. So security teams need additional help. Hiring more people is often not possible, nor does it really solve the problem, because it scales only to a limited extent: attacks scale far faster than extra headcount can absorb. So the security industry and the organizations that need help will have to look to AI for that much-needed help. That’s why SentinelOne has developed Purple AI.

Purple AI

Purple AI is not something SentinelOne is announcing today. In fact, we already described it in detail in an article we published several months ago. Today’s news is that as of now it is generally available. Any SentinelOne customer using the company’s Security Data Lake service can basically start using it.

A little recap here about Purple AI from our previous article. It’s a GenAI “analyst” that helps you with threat hunting, with suggestions for what questions to ask (in plain human language), and with report generation. With Purple AI, you can basically answer any security question, as we heard a few months ago in our conversation with Sjoerd de Jong, Solution Engineer at SentinelOne. Purple AI interprets the question, in whatever language you ask it. It answers with relevant data, interprets that data and extracts the highlights in normal language, suggests actions and suggests additional, deeper questions.

You can ask it to show all devices vulnerable to a specific attack, but also ask much more general questions. Purple AI is meant to act as a true security analyst. For example, you can ask what the organization’s security posture looks like. Thanks to its integration with the data lake, in which all data is normalized, Purple AI can also immediately indicate why something is not right and give recommendations. If it is still not quite clear, you can ask Purple AI to be more specific.

Interesting to highlight here, as far as we are concerned, are the Purple AI Threat Hunting Quick Starts. These are search terms created by SentinelOne around specific hidden risks that SentinelOne has identified in the market, but that may not yet be known to organizations. In addition, it is also good to see that Purple AI supports the Open Cybersecurity Schema Framework (OCSF). This standard aims to break down data silos within security. The idea is that a common standard means less overhead in normalizing data, and thus faster and better detection.
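To make that reasoning concrete, here is an added example (not SentinelOne’s code or the OCSF project’s): two constructed vendor log formats are normalized into OCSF-style Authentication events, and a single failed-logon rule then runs over both without caring which product produced the event. The field names and numeric codes are my reading of the OCSF Authentication class and should be treated as assumptions.

```python
import re
from collections import Counter

# Constructed sample data: one Windows-style record and two sshd lines.
# They are illustrative, not captured from a real system.
WINDOWS_EVENTS = [
    {"EventID": 4625, "TargetUserName": "alice", "IpAddress": "203.0.113.7",
     "TimeCreated": 1700000000},
]
SSHD_LINES = [
    "Nov 14 22:13:20 host sshd[812]: Failed password for alice from 203.0.113.7 port 51122 ssh2",
    "Nov 14 22:13:25 host sshd[812]: Accepted password for bob from 198.51.100.4 port 51123 ssh2",
]
SSHD_RE = re.compile(r"(Failed|Accepted) password for (\S+) from (\S+) port")

# OCSF field names below follow the Authentication class (class_uid 3002)
# as I read the published schema; treat the exact codes as assumptions.
def ocsf_auth(user, src_ip, success, time):
    return {
        "class_uid": 3002,                 # Authentication
        "activity_id": 1,                  # Logon
        "status_id": 1 if success else 2,  # 1 = Success, 2 = Failure
        "time": time,
        "actor": {"user": {"name": user}},
        "src_endpoint": {"ip": src_ip},
    }

def normalize_windows(rec):
    # Event 4624 is a successful logon; anything else here (4625) is a failure.
    return ocsf_auth(rec["TargetUserName"], rec["IpAddress"],
                     rec["EventID"] == 4624, rec["TimeCreated"])

def normalize_sshd(line, time=0):
    m = SSHD_RE.search(line)
    if not m:
        return None  # not an authentication line; skip it
    outcome, user, ip = m.groups()
    return ocsf_auth(user, ip, outcome == "Accepted", time)

def failed_logon_sources(events, threshold=2):
    """One rule over the normalized stream: source IPs with at least
    `threshold` failed logons, whichever product produced the event."""
    fails = Counter(e["src_endpoint"]["ip"] for e in events
                    if e["class_uid"] == 3002 and e["status_id"] == 2)
    return {ip: n for ip, n in fails.items() if n >= threshold}

def run():
    events = [normalize_windows(r) for r in WINDOWS_EVENTS]
    events += [e for e in (normalize_sshd(l) for l in SSHD_LINES) if e]
    return failed_logon_sources(events)  # {'203.0.113.7': 2}
```

The detection rule never touches a vendor field name; adding a third log source only means writing one more normalizer.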

First experiences

Purple AI, as mentioned, is not a new announcement. That has the advantage that SentinelOne already has some results to report from running it at a selection of customers. According to SentinelOne, the experiences of those customers are definitely encouraging. It talks about an eighty percent performance gain in the area of threat hunting. Without knowing exactly what the old situation was, it’s hard for us to estimate how much this gain is in absolute terms, of course. But in cybersecurity, every gain counts. So even if this is eighty percent of something that already worked very quickly, it’s still a big gain.

Further, SentinelOne customers report that Purple AI is very good at generating meaningful insights from SIEM data. SIEMs are known to generate a huge amount of logs. Those logs create a lot of work for analysts, and also a lot of noise that consumes their precious time. There’s still a lot of room for improvement in this area. With Purple AI, analysts can very quickly fire queries at the data. This means the all-important mean time to respond can be reduced by a significant amount.

Purple AI takes SentinelOne to the next level

As mentioned several times already, Purple AI is available starting today. It is part of SentinelOne’s Security Data Lake offering. This makes it a very interesting addition for existing SentinelOne customers. If the experiences continue to be as positive as with the early adopters (who were selected by SentinelOne, of course), it could also be an opportunity for SentinelOne to sign up quite a few new customers, although of course the competition is not sitting still either.

All in all, Purple AI takes SentinelOne’s overarching story to the next level, as far as we’re concerned. This is good news not only for SentinelOne itself, but also for organizations in general. They can use all the help they can get. Now, if the entire security industry gets behind open standards and initiatives like OCSF properly, they will get even more help. But that’s something for another time.