
Published on July 1st, 2019


SentinelOne 3.0 Product Review



Summary

SentinelOne combines endpoint protection, detection and response in a single, autonomous agent for the three major operating systems. It was structured around an API-first approach to maximize integrations, which has yielded an impressive 300+ APIs, including Windows Defender ATP, SonicWall, Phantom, Netscope and others. This expansive integration makes adding SentinelOne to an existing toolset a seamless process and maximizes the value of the tools already in place.

Prevention uses pre-existing Static AI technologies to replace signatures, leveraging them to detect file-based malware in PE, PDF and Microsoft Office files. Through on-execution Behavioral AI technologies, detection recognizes real-time anomalies on endpoints without relying on the cloud. SentinelOne serves up a response to detections in milliseconds to shut down attacks almost immediately. Response actions include alert, kill, quarantine and remediation of unwanted changes.

The Windows installation was straightforward, but the Linux installation was a bit troublesome and required us to manually install dependencies a few times before it would run. We tapped the knowledge base for assistance, and once we got the dashboard up and running, we were impressed with how clean and modern it was. After testing, it immediately showed us the files that were killed and quarantined. Of note: the system claimed everything had been killed and blocked, but our testing tools maintained that some areas of the system were still susceptible to different attacks.

The behavioral AI in this product has re-linking functionality, meaning it traces detections back to their root causes to give visibility into the steps an attack took. These attack steps are then automatically stitched back together into a single story. SentinelOne sees this as the key to giving true context to an attack and leverages this start-to-finish tracking for its automated response and rollback functionality. When the steps involved in an attack are known, organizations can undo the damage it created. The product performs rollback by leveraging Microsoft's Volume Shadow Copy service, a service that SentinelOne is also designed to protect against breaches. This product takes storyboarding to the next level by assigning each story an ID that gets uploaded to the cloud and indexed, making it easier to search.

Additional features announced for this product are set to arrive in September, including a new tool called Lone Ranger. As features are added, agents become passive scanning devices that offer visibility into the story behind an event. That information can be leveraged for search functionality to obtain a real-time map of what is happening. The contextual information here can even be utilized to create a software-defined firewall rule that sits on every managed endpoint.

Tested by Tom Weil




