SentinelOne combines endpoint protection, detection and response in a single, autonomous agent for the three major operating systems. It was structured around an API-first approach to maximize integrations, which has yielded an impressive 300+ APIs, including Windows Defender ATP, SonicWall, Phantom, Netscope and others. This expansive integration makes adding SentinelOne to an existing toolset a seamless process and maximizes their value. .
Prevention uses pre-existing Static AI technologies to replace signatures, leveraging them to detect file-based malware in PE, PDF and Microsoft Office files. Through on-execution Behavioral AI technologies, detection recognizes real-time anomalies on endpoints, without relying on the cloud. SentinelOne serves up response to detections in milliseconds to shutdown attacks almost immediately. Response actions include alert, kill, quarantine and remediation of unwanted changes.
The Windows installation was straightforward but he Linux installation was a bit troublesome and required us to manually install dependences a few times before it would run. We tapped the knowledgebase for assistance and once we got the dashboard up and running, we were impressed with how clean and modern it was. After testing, it immediately showed us the files that were killed and quarantined. Of note: The system claimed everything had been killed and blocked, but our testing tools maintained there some areas in the system were still susceptible to different attacks.
The behavioral AI with this product has re-linking functionality, meaning it traces detections back to their root causes to give visibility into the steps they took. These attack steps are then automatically stitched back together into a single story. SentinelOne sees this as the key to giving true context to an attack and leverages this start to finish tracking for automated response and rollback functionality. When the steps involved in an attack are known, organizations can undo the damage it created. The product does rollback by leveraging Microsoft’s Volume Shadow Copy service, which SentinelOne also is designed to protect against breaches. This product takes storyboarding to the next level here by assigning a story ID that gets uploaded to the cloud and indexed, making it easier to search.
Additional features announced for this product are set to arrive in September, including a new tool called Ranger. As features are added, agents become passive scanning devices that offer visibility into the story behind an event. That information can be leveraged for search functionality to obtain a real-time map of what is happening. The contextual information here can even be utilized to create a software-defined firewall rule that sits on every managed endpoint.
Tested by Tom Weil
