In September 2017, we announced a new module – Deep Visibility – to search for Indicators of Compromise (IoCs) and hunt threats. The feedback from our early adopters has been very positive and we would like to share some thoughts on how Deep Visibility saves time.
EPP+EDR in a Single Agent
Deep Visibility (DV) is now a built-in component of agent version 2.5 and can be enabled using a policy configuration while not requiring the installation of another agent. DV collects information of various types and these can also be controlled using the policy –
The combination of EPP and EDR in a singular, purpose-built agent results in significant time savings from deployment, management, and capability standpoint.
Always On and On All Platforms
DV collects and streams the information for agents into the SentinelOne Management Console. The protocol uses compression and optimization to reduce bandwidth costs. More importantly, the information is available for threat hunting even when a compromised device is not. DV is also available on all platforms – Windows, Mac and Linux. Many customers who were previously using osquery for threat hunting on Linux are now switching to DV as it provides cross-platform support with better manageability and user interface. By offering a single pane view into IoCs and equivalent capabilities on all platforms, DV saves time for our customers – they do not have to deploy different tools for different platforms.
Encrypted Traffic Visibility Directly from the Endpoint
With 70%+ of traffic being encrypted, existing tools fall short only allowing unencrypted traffic to be visible and searchable. The DV module enables visibility of all network traffic – even encrypted traffic – without requiring any changes to network topology. This lets you track users compromised by a Phishing attack, lateral movement within the network, and data exfiltration attempts. In the example below, you can see the full URL that I visited after receiving an email with an account activation link –
You save time and money by not having to deploy additional third-party hardware or certificates.
The 2017 Trustwave Global Security report claims an average dwell time of 49 days. Deep Visibility data is kept indexed and available for search for 90 days to cover even such an extended time period. After 90 days, the data is retired from the indices, but stored for 12 months. It is also available for customers to export into their own security tools and data lakes. We’re proud to offer our customers such a lengthy repository to enable maximum forensic value of the module. With other tools that offer shorter retention periods, you would have to re-load older data from your repository (if you have one) or re-construct the data using forensics tools like EnCase or eCat.
File Integrity Monitoring
The data collected by Deep Visibility can also be used for meeting file integrity needs, as every file change is tracked. We will soon be introducing a watchlist that alerts you whenever a file is modified by an unauthorized user. We save you the hassle of deploying a File Integrity tool like Tripwire.
I close by inviting our customers and security professionals to try Deep Visibility. We look forward to working with you to make the world a safer place – and giving you industry-first real-time visibility of this commitment in the modules and features we constantly ship. We will be hosting a webinar on Deep Visibility on the 5th of April at 10am PT. This will feature Jim Jaeger, former Director of Operations at the NSA, as well as a demo on SentinelOne’s Deep Visibility capabilities. Register here.