
To become truly successful in the crowded and competitive security market, you have to have a unique story. SentinelOne has that, on multiple levels. At least that is what André Noordam, Director Sales Engineering EMEA-North at the vendor, tells us. This piqued our curiosity, of course. What follows is a conversation about agents, flight recorders, storylines and singularities, which clearly shows what distinguishes SentinelOne in the market.

SentinelOne has been a security provider focused on endpoints since its inception in 2013. That’s still true, although it’s good to get a clear understanding of what endpoints are these days. They are not just PCs, laptops and other devices. IoT endpoints are also included, as are cloud workloads in Kubernetes environments, for example.

For these environments, SentinelOne has developed a single agent that not only includes NGAV (Next-Gen Antivirus) and EDR (Endpoint Detection and Response), but also provides cleanup after the malware has been removed from the endpoint. You install this agent on every endpoint you want to protect. In the case of IoT, this is not always possible. In that case, you install it on the system/endpoint that is as close to it as possible.

When talking about SentinelOne’s single agent, Noordam particularly emphasizes the capabilities it offers for containers in Kubernetes environments. Other vendors that claim to offer protection for these environments often do a quick scan the moment the container is started, he indicates. SentinelOne tackles this differently. Their agent also monitors these environments continuously.

Integrated cleanup

The combination of NGAV and EDR that SentinelOne offers is already quite special, but certainly not unique in the market. The uniqueness lies especially in the combination with the cleanup. Nobody else can offer that, says Noordam without hesitation. By cleanup he means the removal of things like modified registry keys, software installed by malware and other modifications made by malware to systems and environments.

This integrated cleanup is a big reason for many customers to make the switch to SentinelOne, according to Noordam. This makes the claim that they are unique in this field a lot stronger. It is not only SentinelOne itself that says so, but the customers apparently think so too.

Further, it is also good to know that the three components (NGAV, EDR, cleanup) do not only operate from a single agent. Everything needed to do the job is also embedded in it. This means that SentinelOne is suitable for use in environments with little or no available bandwidth. Incidentally, this does not mean that the agent is particularly heavy. According to Noordam, its impact on the machine it runs on is limited: 1 percent CPU usage and 200 MB memory. The agent also does not get heavier or larger over time. Since it uses AI/ML, it does not download signatures and thus does not expand.

Flight recorder

During the conversation, Noordam uses the term flight recorder with some regularity when talking about the agent’s performance. That is actually the best way to look at SentinelOne. Because you install this flight recorder, you have continuous insight into the entire chain. After all, it keeps track of everything continuously. The idea is that this not only allows you to detect much faster that something is not right. You can also recover more quickly from an attack.

To illustrate the latter, Noordam cites a ransomware attack. That still remains a major challenge, especially in SMB and mid-market, he says. In order to deal with ransomware, SentinelOne has developed a roll-back technology. This allows you to roll back an attack even after it has been executed. Using this technology, you only restore the data that the attackers encrypted from a protected backup. Thanks to SentinelOne’s flight recorder, you also have immediate insight into which backup contains the data you need. The flight recorder keeps track of everything continuously, so you know exactly when the affected data was still healthy. The rest of your data does not need to be restored from a backup and therefore remains up-to-date.

The SentinelOne agent, by the way, doesn’t look so much at the data when tracking what’s happening in an environment. It’s much more about looking at behaviors, something that AI and ML are obviously very well suited for. This allows you to (partially) repel many attacks before they can become really dangerous. You could call this ‘protection 2.0’, where you don’t so much prevent those with malicious intent from getting into your environment, but you do prevent them from being able to do anything harmful there.


It is not enough to only have a flight recorder. You may be constantly monitoring everything, but this does not immediately provide useful insights. You only get insights when you can interpret this data. That requires context. That’s where Sentinel Storyline comes in. This also makes SentinelOne unique, he says.

By a storyline, Noordam means that it is possible to compare with a starting point. For example, in the ransomware example above, that starting point is when the hostage data was not yet encrypted. If you want to create that kind of context using other technologies, he says, you need all of the disconnected elements present in an environment. A SOC employee has to puzzle the storyline together himself based on the output of those separate elements. That’s quite a job, and it takes time. By the time the employee has written the “story,” the malware has already spread much deeper and wider.

The storyline approach of SentinelOne also works very well against dechains, Noordam indicates. With this he refers to attempts by hackers to pull the wool over the eyes of technology and analysts by temporarily disconnecting parts of the environment. This could be a reboot, or it could be putting a device to sleep for days or even months. The result is that a hacker can stay under the radar. This dechaining is extremely difficult to pull off against SentinelOne’s technology, according to Noordam. Even after a reboot or hibernation of days, weeks or months, SentinelOne’s technology can still provide insight into the full storyline.

One advantage of a flight recorder with a storyline is that you are much more effective in solving security problems. Not only that, Noordam points out, but it allows more people in organizations to deal with security. You no longer necessarily need the extremely high level of skills a traditional SOC employee needs to have in order to puzzle everything together. That’s certainly a big plus in a market where people of that level are scarce. Mind you, he adds, this simpler entry level does not mean you are limited in what you can protect with SentinelOne’s platform.

Modular SentinelOne Singularity platform

Now that we have the basics of SentinelOne’s approach in focus, we also want to take a look at what the company actually offers. For that we come to the last important term, which is Singularity. This is SentinelOne’s platform, on which it builds all its products and services. With this platform, SentinelOne broadens its scope, Noordam points out. It is no longer just focused on single endpoints, but can now also offer XDR. With this you merge things like EDR, NTA and SIEM in a layered approach. The recent acquisition of Scalyr obviously also plays an important role in building out this offering.

SentinelOne, by the way, is certainly not aiming to do everything itself with the Singularity platform. As such, the company is participating in the OpenAPI initiative. This allows organizations to connect the platform to other data lakes, for example from endpoint management solutions.

The Singularity platform itself is modular. According to Noordam, this makes it efficient and effective for both small and large companies. If you want everything, then choose Singularity Complete, if you are initially only looking for NGAV, then you can purchase Singularity Core. Furthermore, you also have Singularity Cloud, for when you want to protect workloads in containers in the cloud, and Ranger IoT, which gives you insight into your network. On a large network you will always find a lot of endpoints without security. Noordam has seen cases of larger customers where this amounted to 10 percent of the endpoints.

So the modularity is primarily there to provide added value to as many potential customers as possible. The choice of Singularity ‘flavor’ does not change the basic protection, Noordam emphasizes. The difference is mainly in the business case. Threat hunting, for example, is not particularly interesting for smaller companies, even if they have the resources for it. That’s not included in Singularity Core, but it is in the extended version.

‘The sky is the limit’

The idea is that all organizations from about 100 endpoints can be served with the Singularity platform. There is no upper limit, says Noordam. Thanks to the underlying architecture and the focus on SaaS, the platform can scale with organizations. Ultimately, you get the most out of the platform when you purchase it as a service, in terms of visibility and scalability. However, SentinelOne also offers the Singularity platform for on-premises environments, for organizations where SaaS simply can’t or isn’t allowed to be used. Finally, it’s worth noting that the platform supports multi-tenancy. This allows you to delegate the management of the environment in a shared platform. As a reseller you can deliver and resell services on it relatively easily.

All in all, as far as we are concerned, SentinelOne certainly has a unique story that makes it stand out in the market. The modular platform approach makes Singularity potentially interesting for organizations of all sizes and in all industries. The development of what is possible with it will certainly not stop either, as evidenced by the acquisition earlier this year of Scalyr. We can no doubt expect much more from SentinelOne in the future.