• United States



Review: Protecting endpoints with SentinelOne’s all-powerful agents

Sep 14, 20187 mins
Endpoint ProtectionSecurity

Having powerful, protected, and independent agents sitting on endpoints gives SentinelOne a huge advantage against today's increasingly sophisticated attacks.

green army soldier on a laptop keyboard
Credit: Thinkstock

Endpoint protection began life as signature-based antivirus programs sitting on endpoints themselves. Over the years, the science of endpoint protection has advanced considerably to include behavior analysis and eventually machine learning and artificial intelligence to uncover threats, even as the brains of those operations tended to shift deeper into the network. Many endpoint protection programs today don’t actually sit on endpoints anymore, and perhaps only reach out to them if threats attempt lateral movement and trigger a response.

SentinelOne, by contrast, is able to deploy powerful agents with advanced detection and response capabilities onto endpoints where they can intercept threats on the frontlines. Every agent is fully independent, able to act even when the endpoint it’s protecting is disconnected from the core network, or has no connectivity at all. Beyond acting independently, each agent collects detailed forensic data about any attacks or attempted attacks.

Those same agents report back to a central management console, so that human defenders are made aware of similar threats and active campaigns levied against them. That information, and any actions taken by security personnel, is sent out to all other agents, along with instructions about how to handle similar threats that other agents might discover in the future.

SentinelOne menu John Breeden II/IDG

Setting up and controlling SentinelOne agents can be done from the management console, though every agent is fully independent, and even works when the device it’s protecting is disconnected from the network.

Agents deployed by SentinelOne work with multiple platforms, including Windows machines going back to Windows 7 or even Windows XP with a legacy agent. They also work with most versions of Windows Server, nearly every flavor of Linux, and the complete line of Mac systems going back to OS X El Capitan. Agents take up a few hundred megabytes of space on the client system, and less than one percent CPU utilization on average. They can also be deployed into VDI environments or cloud instances.

Pricing for SentinelOne is a yearly fee based on the number of endpoints being protected by the program. It can be installed and managed locally, even on an air-gapped network, or managed through the cloud. There is also a software as a service (SaaS) option where the company will either help out existing security teams as needed, or can completely monitor and manage SentinelOne as part of the service.

Testing SentinelOne

Once the agents are in place, administrators need to configure them based on the environment and security tolerances, all of which is done from the management console. Agent policy is based on a hierarchy to avoid conflicts.

SentinelOne Exclude John Breeden II/IDG

Setting up the agents is quite detailed, with rules enforced in a hierarchical fashion to avoid conflicts. Here, specific behaviors or program elements can be excluded from protection on certain machines.

For example, in our testing we created one set of rules for employees working out of a Chicago office and another, more stringent policy, for those working in software development. Placing the development policy above the Chicago one ensured that all developers working in Chicago were subject to the tighter controls, while the reverse would provide generally more lenient rules for developers working there. In any case, this prevented any shadow rules or internal conflicts from forming.

SentinelOne AI Explain John Breeden II/IDG

Unlike most programs that use AI and machine learning, SentinelOne makes every effort to explain in detail why various programs are marked as malware.

Working with a test system protected by a SentinelOne agent, we first disconnected it from the network and then attacked it with advanced malware. The SentinelOne agent blocked the file from executing, erased all instances of it from the system. As soon as the client was reconnected, its agent reported the detection to the central console, along with a complete forensic record about what the file tried to do, and what the agent did in response. Humans can then allow that plan to filter back out to every other agent in the network if they so choose.

In that case, the offending file was an Excel spreadsheet. SentinelOne alerted us that there were five other instances of that same spreadsheet sitting on network endpoints. They had not yet been opened, so their agents did not know about the malware, but were aware of its presence. From the central console, we commanded those agents to delete the file, and instructed all other agents to do the same should it ever reappear.

SentinelOne Apply to Al John Breeden II/IDG

Because SentinelOne is able to use machine learning to study how attacks are handled, users can ask all of the other independent agents to behave in the same way in the future.

We had to shift one agent from response to monitor mode for the next test, which involved allowing ransomware to completely infect and crypto-lock an endpoint. We watched that scary process, and saw all the files turn to gibberish with the ransomware note popping up on the desktop. Normally, this would mean that a system is completely destroyed and would need to be wiped out and restored from off-site backups if available. But it turned out to be a relatively minor problem for SentinelOne.

All of the SentinelOne agents are protected against tampering, so malicious programs can’t overwrite or modify them. SentinelOne also protects critical areas within an endpoint. Even though the malware tried to erase the Microsoft volume shadow copy data and service, it was prevented from doing so by SentinelOne. From the management console, we were able to respond to the ransomware alert, telling our agent there to restore the system and all its files to their pre-locked state. Other than the ransom note on the desktop, which required a reboot to eliminate, it was as if the attack never happened. And if SentinelOne were running in response mode instead of detect mode for this test, the attack would not have even gotten that far.

SentinelOne User Interface John Breeden II/IDG

Endpoint users can be alerted when SentinelOne takes action, like deleting malicious files, or it can all be done outside of their view, or any combination in between.

In addition to robust malware protection for endpoints and the ability to roll systems back to normal even if they do somehow become infected, SentinelOne also provides a detailed forensic record of attacks. This could be helpful for organizations with deep cybersecurity teams to examine and get a better handle on the tools, tactics, and targets of their adversaries.

SentinelOne Forensics John Breeden II/IDG

In addition to stopping attacks, and rolling systems back to pre-attack states as necessary, SentinelOne also provides detailed forensics about what malware did, who it contacted, and how to stop it in the future.

The bottom line

Having powerful, protected, and independent agents sitting on endpoints gives SentinelOne a huge advantage against the increasingly sophisticated attacks of today. And because those agents are capable of acting independently, they can respond instantly as attacks happen, later sharing that information with human security teams for analysis. At the cost of a couple hundred megabytes of storage space and one percent CPU utilization, SentinelOne’s agents can provide the kind of protection that is sorely needed for endpoints, stopping threats before they get anywhere close to the core network.