Industry Innovators 2016: Data protection
At the risk of sounding like a stuck record, it’s all about the data. Job one of the security stack at any enterprise, whether hardware- or software-defined, is to protect the data. A big piece of that happens at the endpoint. This can take a couple of forms: traditional – or traditional-like – endpoint protection and anti-malware protection.
Traditional endpoint protection is a sort of superset of anti-malware. Not all attacks involve malware. There are varying estimates of what percentage of attacks are malware-based and which are not. However, regardless of the method of ingress, it is likely that malware will, at some point, play a role in a major data breach. And there are threats that are exclusively malware-based, such as ransomware, and threats that may or may not use malware as the delivery mechanism, such as denial of service.
So, the bottom line is that all endpoint protection products need to address malware in some form or other. We are of the opinion that signature-based anti-malware is nearly useless by itself. First, there are so many strains of malware – families – that building signatures for all of them is nearly impossible. Even if it were possible, it is a daunting job for such a product to scan an enterprise efficiently. So, that argues for some additional horsepower. Often, that comes in the form of heuristics. Heuristics generalize, so at some point the families become the focus rather than the million-plus individual kinds of malware.
In our view, in order to stay ahead of the adversary, even heuristics are not sufficient. Some form of advanced machine learning and advanced detection algorithms are the order of the day. Both of our Innovators in this space take advantage of next-generation techniques such as these.
One of our Innovators is focused on malware. However, recognizing the roles that other forms of attack play in the threatscape, these folks are beginning to apply their sophistication to identifying and interdicting those types of attacks. Our other Innovator is so sure of itself that it offers a form of insurance against certain kinds of malware infestations that it doesn't, for some reason, catch.
Flagship product: SentinelOne EPP (Endpoint Protection Platform)
Greatest strength: A creative go-to-market strategy that is complementary to and every bit as good as the technology.
SentinelOne unifies prevention, detection and response in a single platform driven by machine learning and intelligent automation. SentinelOne EPP (Endpoint Protection Platform) is intended to prevent attacks and detect malicious behavior across multiple vectors; rapidly eliminate threats with automated, policy-driven response capabilities; and adapt its defenses against cyberattacks.
This was SentinelOne's second appearance in our Innovators issue. Over the past year, the company showed its ingenuity by adding new endpoint-protection features on the management side, expanding the platforms supported, and adding Linux to its agents. The tool sits out of band on the server, so there is almost no performance impact. Also, over the past year, SentinelOne became HIPAA and PCI-DSS certified. Finally, the company added new features that allow administrators to group endpoints for applying policies, which improves scalability.
Often – usually, in fact – our Innovators don’t restrict their innovation to their technology. We also see creativity in go-to-market and business strategies. One of the things that this Innovator has done in that regard we found extremely creative: the company now offers a cybersecurity guarantee that largely targets ransomware. SentinelOne claims to be particularly good at protecting against ransomware.
The company believes nobody else offers financial backing for what they sell. "If your product is as good as you say," this Innovator points out, "guarantee it." In that spirit, the company offers up to $1,000 per endpoint, to $1,000,000 per organization, for the cost of remediation of a successful ransomware attack. We found this offer extraordinary, if, perhaps, a bit risky.
What makes this claim less risky? Clearly the company is comfortable with its technology. That comfort, they told us, comes from heavy use of machine learning and no reliance on signatures. To that end, they've made big advancements in their behavior-based engine. The system consists of two layers: static and then behavioral. Both layers are based on machine learning. The tool is very focused on preventing false positives. There are over 12,000 malware indicators in its knowledge base.
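To make the earlier reasoning about signatures versus family-level detection concrete, and to illustrate the "static, then behavioral" layering described here, the following is an added example and not SentinelOne's or Cylance's code. It places an exact-hash signature lookup beside a two-layer classifier: a static layer that scores weighted content features shared across a ransomware family, and a behavioral layer that scores run-time events for samples whose content gives nothing away. The samples, feature list, weights and thresholds are all constructed for illustration; a real engine would learn these rather than hard-code them.

```python
"""
Added example, not SentinelOne's or Cylance's code: an exact-hash signature
lookup beside a two-layer classifier (static content features, then
behavioral event scoring). Samples, feature lists, weights and thresholds
are constructed for illustration and are not a real product's model.
"""
import hashlib
import re

# Layer 0: exact signature. Catches only the byte-identical sample it was built from.
KNOWN_BAD_SHA256 = set()

def signature_match(sample: bytes) -> bool:
    return hashlib.sha256(sample).hexdigest() in KNOWN_BAD_SHA256

# Layer 1: static scoring. Weighted content features that members of a
# ransomware "family" tend to share even when the file hash differs.
STATIC_FEATURES = {
    re.compile(rb"\.encrypted\b"): 2,
    re.compile(rb"decrypt your files", re.I): 3,
    re.compile(rb"vssadmin delete shadows", re.I): 4,
}

def static_score(sample: bytes) -> int:
    return sum(w for pat, w in STATIC_FEATURES.items() if pat.search(sample))

# Layer 2: behavioral scoring over events observed at run time, for samples
# whose content reveals nothing (packed or obfuscated strings).
BEHAVIOR_WEIGHTS = {
    "shadow_copy_delete": 4,
    "mass_file_rename": 3,
    "ransom_note_write": 3,
    "network_beacon": 1,
}

def behavior_score(events) -> int:
    return sum(BEHAVIOR_WEIGHTS.get(e, 0) for e in events)

def classify(sample: bytes, events=(), static_threshold=5, behavior_threshold=6) -> str:
    """Cheapest check first; each layer only runs if the previous one passed the sample."""
    if signature_match(sample):
        return "blocked:signature"
    if static_score(sample) >= static_threshold:
        return "blocked:static"
    if behavior_score(events) >= behavior_threshold:
        return "blocked:behavioral"
    return "allowed"

# Constructed samples (plain bytes standing in for executables).
ORIGINAL = b"MZ...vssadmin delete shadows ... Decrypt your files: pay ... *.encrypted"
VARIANT = ORIGINAL + b"\x00"          # one appended byte: new hash, same family
PACKED = b"MZ" + bytes(range(64))      # strings hidden; only behavior gives it away
BENIGN = b"MZ... Setup will now install the application ..."

# The signature database knows only the original sample's hash.
KNOWN_BAD_SHA256.add(hashlib.sha256(ORIGINAL).hexdigest())

def demo() -> dict:
    """Run each constructed sample through the layered classifier."""
    return {
        "original": classify(ORIGINAL),
        "variant": classify(VARIANT),
        "packed": classify(PACKED, ["network_beacon", "shadow_copy_delete",
                                    "mass_file_rename", "ransom_note_write"]),
        "benign": classify(BENIGN, ["network_beacon"]),
    }

if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:9s} -> {verdict}")
```

The point the example makes is the one the article makes: the one-byte variant defeats the hash signature entirely but scores the same as the original on family features, and the packed sample defeats static inspection yet is still caught once its run-time behavior is scored. Ordering the layers from cheapest to most expensive is what keeps full-enterprise scanning tractable.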
Over the past couple of years, SentinelOne has focused on the management interface and supporting significant scalability.
Flagship product: CylancePROTECT
This is one of our perennial favorites and an SC Lab Approved tool. It also is the pure-play anti-malware product that isn't. Because most of what the product does is malware-centric on the endpoint, the appearance is that of an anti-malware product. Taking into account the direction the tool has been moving, that could not be further from the truth.
For example, Cylance was the first company to apply artificial intelligence, algorithmic science and machine learning to cybersecurity and improved the way companies, governments and end-users proactively solve the world’s most difficult security problems. Using a predictive analysis process, Cylance quickly and accurately identifies what is safe and what is a threat, not just what is in a blacklist or whitelist. By coupling sophisticated math and machine learning with a unique understanding of a hacker’s mentality, Cylance provides the technology and services to be truly predictive and preventive against advanced threats.
They now are able to include their data science in the tool in such a way as to allow detection and interdiction of non-malware-based threats, such as manual or machine hacking. In testing, we had inadvertently downloaded a new ransomware sample to a lab computer. Before we could click on it to get rid of it, we noticed that it was no longer on the desktop. One look in the CylancePROTECT quarantine showed us what had happened. It was in there. Cylance had identified and quarantined it. Not really a big deal, unless you take into account that the compile date on the ransomware was only two days prior.
Cylance has spent a significant portion of the last year thinking about what visibility means. Nobody stops all threats, so what options do they have? The first thrust is to make it so you don't have to investigate everything. The second is to answer the question: what do you need to know? That's not just malware. So, they are building a technology platform called Optics. This captures pre- and post-event information. It acts like a flight data recorder that collects interesting information. This helps you understand the scope of the threat and where your scope of control needs adjustment. It maintains a record of what actually happened, so you can go back, at forensically useful depth, to find out what happened.
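The flight-data-recorder idea is simple to show in code. What follows is an added example and not Cylance's Optics implementation: a bounded ring of recent endpoint events keeps the context that preceded an alert from being lost, and an alert opens a capture that also collects a fixed number of events afterwards, giving the pre- and post-event record the paragraph describes. The event stream, process ids, the trigger condition and the capacities are constructed for illustration.

```python
"""
Added example, not Cylance's Optics code: a toy endpoint "flight data
recorder". The ring holds the last `pre_capacity` events so the lead-up to
an alert survives; an alert opens a capture that also collects the next
`post_capacity` events. The event stream below is constructed.
"""
from collections import deque, namedtuple

Event = namedtuple("Event", "seq pid kind detail")

class FlightRecorder:
    def __init__(self, pre_capacity=4, post_capacity=3):
        self.ring = deque(maxlen=pre_capacity)   # bounded memory: oldest events fall off
        self.post_capacity = post_capacity
        self.captures = []                        # completed pre/trigger/post records
        self._active = None                       # capture still collecting post-event data

    def record(self, ev: Event, alert: bool = False) -> None:
        if self._active is None and alert:
            # Snapshot what led up to the alert before the ring rolls on.
            self._active = {"trigger": ev, "pre": list(self.ring), "post": []}
        elif self._active is not None:
            # A further alert during an open capture is folded in as post-event data.
            self._active["post"].append(ev)
        self.ring.append(ev)
        if self._active is not None and len(self._active["post"]) >= self.post_capacity:
            self.captures.append(self._active)
            self._active = None

def involved_pids(capture: dict) -> list:
    """Which processes appear anywhere in the capture: a first cut at the threat's scope."""
    evs = capture["pre"] + [capture["trigger"]] + capture["post"]
    return sorted({e.pid for e in evs})

# Constructed event stream: a document viewer (pid 400) spawns a child (pid 412)
# that deletes shadow copies and then starts renaming files. The address is a
# TEST-NET-3 documentation address, not a real endpoint.
STREAM = [
    Event(1, 400, "process_start", "viewer.exe"),
    Event(2, 400, "file_read", "invoice.pdf"),
    Event(3, 400, "process_start", "child pid 412"),
    Event(4, 412, "network_connect", "203.0.113.5:443"),
    Event(5, 412, "file_write", "C:\\Users\\x\\note.tmp"),
    Event(6, 412, "registry_write", "Run key"),
    Event(7, 412, "shadow_copy_delete", "vssadmin delete shadows"),
    Event(8, 412, "file_rename", "report.docx -> report.docx.locked"),
    Event(9, 412, "file_rename", "budget.xlsx -> budget.xlsx.locked"),
    Event(10, 412, "file_write", "README_DECRYPT.txt"),
    Event(11, 400, "process_exit", "viewer.exe"),
]

def demo() -> list:
    """Feed the stream through a recorder that alerts on shadow-copy deletion."""
    rec = FlightRecorder(pre_capacity=4, post_capacity=3)
    for ev in STREAM:
        rec.record(ev, alert=(ev.kind == "shadow_copy_delete"))
    return rec.captures

if __name__ == "__main__":
    for cap in demo():
        print("trigger:", cap["trigger"])
        print("pre:", [e.seq for e in cap["pre"]], "post:", [e.seq for e in cap["post"]])
        print("pids involved:", involved_pids(cap))
```

Two design points carry over to a real recorder. The ring is bounded, so events 1 and 2 are gone by the time the alert fires; pre-event depth is a deliberate trade of memory against forensic reach. And the pre-event snapshot is the only place the parent process (pid 400) shows up, which is exactly the lineage an investigator needs to judge the scope of control rather than just the process that tripped the alert.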