Critical Features of Next-Gen Endpoint Protection, Part One: Cloud Intelligence

Cloud Intelligence
Relying on just a single solution to protect the corporate perimeter is foolish—everyone knows that, and that’s why information security must rely on defense in depth. Next Generation Endpoint Protection platforms must also rely on defense in depth. While each Next Generation Endpoint Protection product—such as our very own SentinelOne—uses various advanced methods to detect malware, a truly secure system will also use adjunct methods in order to make absolutely certain that it targets malicious files. Collectively, these methods are known as Cloud Intelligence.

The premise of cloud intelligence is that most malware out in the wild tends to target relatively unsophisticated users—thus, malware authors generally don’t use heroic methods, such as “crypting,” in order to disguise their hashes. These known and emerging threats are constantly catalogued by over 40 reputation services, operating in the cloud. SentinelOne relies on seven of these vendors—plus dozens of other sources, including our own research—in order to add a critical cloud intelligence feature to our Next Generation Endpoint Protection platform.

Cloud Intelligence Supplements Behavioral Detection

Once collected, the intelligence on these legacy threats forms a valuable supplement to SentinelOne’s Dynamic Behavioral Tracking (DBT) engine. To be clear, SentinelOne doesn’t solely make use of cloud intelligence in order to detect and prevent malware. However, since SentinelOne does rely on behavioral detection, in order for our solution to detect threats, there must be some behavior—in short, we can only detect malware once it begins to execute.

There’s no problem with allowing malware to execute on a system that’s protected by SentinelOne—the DBT will automatically recognize malicious activities once they begin to occur. The solution can either stop them automatically, or allow administrators to let the program run, determine its point of entry, and then roll back any changes. This is especially useful for when enterprises encounter malware that hasn’t been seen in the wild before.

Maximum Detection, Minimal Footprint

When malware has been seen in the wild before, there’s really no benefit in letting it execute. Although the DBT would block known malware handily, letting it get to that stage would tie up system resources that are better reserved for the really dangerous threats. That’s why SentinelOne, a Next Generation Endpoint Protection solution, has known attack prevention built in as a means to identify known hashes and bad sources. This mechanism dramatically speeds up our platform.

SentinelOne builds its cloud intelligence feature from dozens of sources: malware signatures collected from our clients who opt in, as well as security intelligence services, and data collected by our in-house security researchers. This adds a pre-emptive layer of attack prevention, and allows SentinelOne to squash threats before spending valuable system resources on detecting unusual behavior.

Built-in Redundancy

Should internet connections be offline, or if there is a problem connecting to the cloud, SentinelOne will still defend your system with the exact same effectiveness. Cloud intelligence simply helps us defend a little more efficiently. Should cloud intelligence be disabled, SentinelOne will still be able to detect known and unknown threats, kill viral processes, isolate infected machines, restore corrupted files, and provide real-time forensics to security administrators.
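The three ideas above (a hash lookup against several reputation feeds before execution, a behavioral engine as the fallback for anything unknown, and unchanged coverage when the cloud is unreachable) can be sketched in a few dozen lines. The following is an added illustration written for this article, not SentinelOne’s code or its actual feed integrations; the feed classes, sample bytes and verdict tables are constructed, and the aggregation rule (any known-bad answer wins, known-good only when no feed disagrees) is an assumption chosen for the example.

```python
import hashlib
from enum import Enum
from typing import Dict, List, Optional, Tuple


class Verdict(Enum):
    KNOWN_BAD = "known_bad"    # hash seen as malicious: block before it runs
    KNOWN_GOOD = "known_good"  # hash seen as benign: allow without further work
    UNKNOWN = "unknown"        # never seen: hand off to behavioral monitoring


class CloudUnavailable(Exception):
    """Raised when a reputation feed cannot be reached."""


class StaticFeed:
    """Hypothetical reputation feed backed by an in-memory table (constructed)."""

    def __init__(self, name: str, table: Dict[str, Verdict]) -> None:
        self.name = name
        self.table = table

    def lookup(self, sha256: str) -> Optional[Verdict]:
        # A feed with no opinion returns None rather than UNKNOWN.
        return self.table.get(sha256)


class OfflineFeed:
    """Hypothetical feed that simulates a lost internet connection."""

    def __init__(self, name: str) -> None:
        self.name = name

    def lookup(self, sha256: str) -> Optional[Verdict]:
        raise CloudUnavailable(self.name)


def sha256_of(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def consult_feeds(sha256: str, feeds: List[object]) -> Verdict:
    """Aggregate several feeds: any KNOWN_BAD wins, KNOWN_GOOD only if no feed
    disagrees, otherwise UNKNOWN. Raises CloudUnavailable only when every feed
    failed, so one unreachable vendor does not blind the whole check."""
    answers: List[Verdict] = []
    failures = 0
    for feed in feeds:
        try:
            answer = feed.lookup(sha256)
        except CloudUnavailable:
            failures += 1
            continue
        if answer is not None:
            answers.append(answer)
    if feeds and failures == len(feeds):
        raise CloudUnavailable("all feeds unreachable")
    if Verdict.KNOWN_BAD in answers:
        return Verdict.KNOWN_BAD
    if Verdict.KNOWN_GOOD in answers:
        return Verdict.KNOWN_GOOD
    return Verdict.UNKNOWN


def pre_execution_check(data: bytes, feeds: List[object],
                        cache: Dict[str, Verdict]) -> Tuple[Verdict, str]:
    """Return (verdict, source); source is 'cache', 'cloud' or 'offline'."""
    digest = sha256_of(data)
    if digest in cache:
        return cache[digest], "cache"
    try:
        verdict = consult_feeds(digest, feeds)
    except CloudUnavailable:
        # Cloud is down: do not guess, let the behavioral engine watch it run.
        return Verdict.UNKNOWN, "offline"
    if verdict is not Verdict.UNKNOWN:
        cache[digest] = verdict  # only cache definite answers
    return verdict, "cloud"


def decide_action(verdict: Verdict) -> str:
    return {
        Verdict.KNOWN_BAD: "block",    # known attack prevention, no execution
        Verdict.KNOWN_GOOD: "allow",
        Verdict.UNKNOWN: "monitor",    # execute under behavioral tracking
    }[verdict]


# Constructed sample files and feed tables (not real malware or real hashes).
SAMPLE_BAD = b"constructed sample A: known-bad"
SAMPLE_GOOD = b"constructed sample B: known-good"
SAMPLE_NEW = b"constructed sample C: never seen"

FEED_ONE = StaticFeed("feed-one", {sha256_of(SAMPLE_BAD): Verdict.KNOWN_BAD})
FEED_TWO = StaticFeed("feed-two", {sha256_of(SAMPLE_GOOD): Verdict.KNOWN_GOOD})
ONLINE_FEEDS = [FEED_ONE, FEED_TWO, OfflineFeed("feed-three")]  # one vendor down
OFFLINE_FEEDS = [OfflineFeed("feed-one"), OfflineFeed("feed-two")]


if __name__ == "__main__":
    cache: Dict[str, Verdict] = {}
    for sample in (SAMPLE_BAD, SAMPLE_GOOD, SAMPLE_NEW):
        verdict, source = pre_execution_check(sample, ONLINE_FEEDS, cache)
        print(f"{sha256_of(sample)[:12]}... {verdict.value:10} via {source:7} "
              f"-> {decide_action(verdict)}")
    verdict, source = pre_execution_check(SAMPLE_BAD, OFFLINE_FEEDS, {})
    print(f"offline: {verdict.value} via {source} -> {decide_action(verdict)}")
```

The design choice worth noticing is that an unreachable cloud never produces an "allow": it produces "monitor", which is exactly the path every never-seen file takes anyway, so losing connectivity costs a little efficiency (the known-bad file is allowed to start and is then caught by behavior) but no coverage. Only definite verdicts are cached, so a file that was unknown yesterday is re-checked rather than being pinned to a stale answer.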

Over the next few weeks, we’ll be covering other crucial aspects of next-generation endpoint protection. If you want to learn more right now, however, download the SentinelOne Technical Brief and learn about all the features that comprise SentinelOne’s ironclad protection.