
SentinelOne promotes Purple AI from security assistant to autonomous SOC analyst

New functionality in SentinelOne’s Singularity Platform should ensure that a SOC is no longer something only large companies with large security teams can run. Thanks to this new functionality, and in combination with SentinelOne’s Singularity Data Lake, Purple AI is no longer just an AI assistant but an analyst that proactively and autonomously gets to work for organizations. The implications of this new functionality in the SentinelOne platform are potentially enormous.

The battle against attackers has always been an unfair one. We all know the perennial saying: an attacker only has to be successful once and may fail many times; the defending party must always be successful and may not fail once.

To always be successful, organizations have to invest quite a lot: in security tooling, but especially in people. These two components come together in a Security Operations Center (SOC). However, a SOC is reserved for larger organizations that can afford it. For smaller organizations, a SOC of their own is out of reach, so they turn to managed service providers for help.

Just having a SOC, however, does not get an organization there. It is also important to deploy it optimally, and that is often done reactively. A report comes in, an analyst goes to see what’s going on and, if all goes well, solves the problem. In this respect, AI can be a good assistant for quickly getting to the heart of a problem. Especially given the number of reports and the volume of telemetry coming at analysts (which increases every day), some degree of AI and AI-driven automation has become more or less indispensable.

If you deploy AI for cybersecurity in this way, however, you are still being reactive. In other words, organizations are still lagging behind. SentinelOne wants to change this. It wants to do that with the combination of Purple AI and the Singularity Data Lake it has built as part of its own Singularity platform. We spoke briefly with Ric Smith, CPO and CTO of SentinelOne, shortly before the RSA Conference.

Purple AI and Singularity Data Lake

Neither Purple AI nor the Singularity Data Lake is new. We wrote an extensive story about SentinelOne’s vision around these two components late last December. The data in the data lake, combined with the (Gen)AI capabilities of Purple AI, should make it possible to get the most out of that data. About a month ago, Purple AI actually became generally available.

So far, nothing new, then. This week, however, SentinelOne is adding new capabilities to the Singularity platform: features made possible by the combination of Purple AI and the Security Data Lake. Less than a month after general availability, Purple AI gets a completely new dimension. Smith puts it as follows: “Purple AI doesn’t just do what you ask it to, it does what you need it to.”

The above quote indicates that Purple AI is an autonomously operating SOC analyst rather than “just” a security assistant. It can still be the latter, of course. You can still ask Purple AI if it can provide an overview of assets that are vulnerable to a specific threat, for example. That’s functionality that many other security parties also offer. “However, chatbots and the whole chat interaction is the way of the past,” Smith points out. We need to move beyond the security assistant, he says, toward an autonomous SOC. That’s today’s news. SentinelOne has taken the first steps in that direction.

Autonomous SOC analyst

With the new functionality in the Singularity platform, SentinelOne is “unleashing Purple AI on the data” in and connected to the Security Data Lake. These can be proprietary data sources, but it also links to EDR, Okta and AWS, among others. Purple AI autonomously sends queries to all these sources simultaneously and continuously. In doing so, it detects things that are wrong or suspicious and presents these findings to someone within the organization, who can then approve a proposed solution to the problem.

Of course, this new functionality is not intended to simply create more cybersecurity work for organizations, although you do run that risk: Purple AI is inevitably going to find more than you would see without this autonomy. That’s why SentinelOne allows you to create hyperautomation rules. These let you solve problems in a fully automated way, not just once but every time the same problem comes up again. The model behind this learns continuously and will get better the more it is used, Smith says.

The situation above sounds pretty futuristic, and we can imagine that not every organization is up for it yet. SentinelOne also realizes that very few people want to go full “Skynet” with this; putting everything in the hands of Purple AI without any explainability is not what organizations want. Hence, the new functionality includes something called Global Alert Similarity. This is a score that clarifies whether something Purple AI has found is actually bad news. It does this by comparing the results of other customers worldwide against each other. If the score is high enough, other customers also see it as a hazard and you can take action.

Screenshot of a user interface dashboard with various business statistics, such as user engagement, financial data, system status and recent activities, with a navigation menu on the left.
A screenshot of the new functionality of the SentinelOne Singularity platform

Toward a SOC for everyone

Putting significant responsibility in the hands of an AI analyst like Purple AI will undoubtedly not come naturally. Even with confirmation from the broader customer base that something is malicious and needs to be fixed, there will certainly continue to be suspicion toward this new functionality for some time. The key for SentinelOne will be to be as transparent as possible about how it arrives at its decisions. That is how it wins the trust of customers to go further and further with it. Global Alert Similarity is a good start, but customers will likely want to see more, also in terms of hyperautomation rules.

Eventually, however, organizations will really have to get on board with this trend towards autonomous security; that is our belief. It is slowly but surely becoming almost impossible to protect organizations well enough without tools such as Purple AI. A well-trained algorithm that proactively and continuously looks for vulnerabilities and suspicious behavior will always be more effective than one or more people who start investigating only after alerts come in.

Finally, Purple AI’s new functionality combined with SentinelOne’s Singularity Data Lake also sends an encouraging signal to smaller organizations. In theory, they now also have access to a potentially full-fledged SOC without having to hire expensive people to run it. The providers of managed security services to these companies will be somewhat less pleased with this development, at least by our assessment, although smaller companies in particular are not really the target group of those players anyway. So it is precisely these smaller companies that can give their security efforts a huge boost.

Of course, the success of a democratized autonomous AI analyst for everyone depends on what it all costs. SentinelOne will have to think about that carefully. After all, that’s what it all comes down to in the end. Good tooling is nice, but it has to be affordable. It’s going to be interesting to see what the adoption of these new features will be like going forward.