Next-generation EDR solutions create a wealth of endpoint telemetry, operating autonomously to provide real-time endpoint protection, detection, and response, with or without a cloud connection. When a cloud connection is available, this telemetry is securely streamed up to the cloud data lake. For many enterprises, a cloud data lake is the preferred option. For some, however, and for any number of reasons, storing their EDR telemetry in their own enterprise data lake is required. To address this need, SentinelOne created Cloud Funnel.
Data Retention in the Cloud Data Lake
Let’s first consider the cloud data lake case. With SentinelOne Complete, an autonomous, lightweight SentinelOne agent is deployed to protect each of your Windows, macOS, and Linux endpoints. Even when offline (i.e., not connected to the cloud), the SentinelOne agent can detect and autonomously respond to security threats at the endpoint, using behavioral AI to identify processes gone wild, correlate related activity, and automatically assemble these events into a comprehensive event Storyline™ as shown in the figure below. When a cloud connection becomes available, each endpoint’s telemetry is uploaded to the SentinelOne Deep Visibility™ cloud, where aggregated analysis and threat hunting operations are managed from the SentinelOne management console.
A wide variety of data retention options are available. And while this EDR data retention in the cloud fits most customer use cases, some organizations prefer to maintain a copy of their telemetry data within their own on-prem data lake. This is where the optional SentinelOne Cloud Funnel capability comes into focus.
Create Your Own Data Lake with Cloud Funnel
Cloud Funnel is a data subscription that enables you to store your organization’s EDR data locally in your own data lake. From there, security teams may take any number of actions on their EDR data.
Typical use cases for this data include:
- Extended retention. SentinelOne currently offers various retention options, starting with 14 days, and extending up to a full year. However, you may want additional retention beyond a year, or you may want to be in direct control of your retention policy.
- Regulatory Compliance and Audit Considerations. The various procedures and regulations that govern your business may require you to have custody of your EDR event data, and direct access to retrieve specific event data.
- Correlation to other Data Sources. SentinelOne’s Deep Visibility cloud equips you to analyze the entire scope of EDR data. Even so, cross-correlating endpoint telemetry with other data sources from across your enterprise might reveal further insight into potential threats. For example, combining firewall logs or Active Directory logs with EDR data from the SentinelOne agents could reveal new findings. Cloud Funnel empowers you to achieve this in your own data lake.
- Integration with Security Tools. The SentinelOne console provides a rich set of capabilities for managing your endpoint fleet, analyzing threats, configuring firewall and device policies, and more. You may also have investments in other components of a security stack, such as a SIEM, and wish to consolidate all your security operations in a single infrastructure. Cloud Funnel affords you the option to do exactly that.
- SOAR Workflows. You may have an existing Security Orchestration, Automation and Response (SOAR) solution, with bespoke workflows that are aligned with your existing security processes. Cloud Funnel integrates SentinelOne EDR events directly with these workflows. For example, you may wish to automatically open a support tracking ticket whenever you encounter an EDR event that is associated with a specific set of conditions.
How Does Cloud Funnel Work?
Considering the sheer volume of EDR data generated by SentinelOne endpoints, we chose to build the solution based on Apache Kafka, an open-source distributed event streaming platform used by thousands of companies for high-performance data pipelines, streaming analytics, data integration, and mission-critical applications.
We chose Kafka for the following reasons:
- Proven. Kafka is a tried and tested open-source industry solution for messaging that is capable of supporting throughput of thousands of messages per second. It handles these messages with very low latency, in the range of milliseconds, as demanded by most EDR use cases. It is also very durable, fault tolerant, and scalable, allowing us to expand the solution gradually as we onboard more and more customers.
- Consumer-friendly. It is possible to integrate with a variety of consumers using Kafka, in different languages and based on different behaviours that match the consumption use-case. SentinelOne provides a code sample in Java via its Knowledge Base platform. Samples in additional languages can be provided upon request.
- Secure. Kafka supports Salted Challenge Response Authentication Mechanism (SCRAM), an authentication mechanism from the SASL (Simple Authentication and Security Layer) family that addresses the security concerns of traditional username/password authentication, in which the password itself is sent to the server. We create a separate topic per customer account, and all communication is encrypted over a TLS 1.2 or later connection.
We chose Protocol Buffers (Protobuf) as the serialization format for the DV (Deep Visibility) event schema because it is language-independent, interoperable, extensible, and backward compatible.
Once you subscribe to Cloud Funnel, you will receive, from our support agents, the export schema, the topic name, the Kafka Broker address and the consumer credentials (user and password). You will also get a link to our Knowledge Base article with instructions on how to connect.
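The connection described above, as an added example that is not SentinelOne's Knowledge Base sample (which is in Java) and does not use the real broker or schema: it builds a kafka-python consumer configuration that enforces SASL/SCRAM over TLS 1.2+, checks that configuration for the weak settings a reviewer would reject, and commits offsets only after each record has been written to the local data lake. The kafka-python library, the SCRAM-SHA-512 variant, the placeholder broker, topic and credentials, and the `decode`/`sink` callables are all assumptions.

```python
"""Cloud Funnel consumer skeleton (added example, not SentinelOne's code).
Assumes kafka-python (pip install kafka-python); broker, topic, user, password
and the compiled Protobuf schema come from SentinelOne support."""
import ssl
from typing import Any, Callable, Dict, List, Optional


def tls_context(ca_file: Optional[str] = None) -> ssl.SSLContext:
    """TLS context that refuses anything below TLS 1.2 and verifies the broker cert."""
    ctx = ssl.create_default_context(cafile=ca_file)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def consumer_config(broker: str, user: str, password: str, group_id: str,
                    ca_file: Optional[str] = None) -> Dict[str, Any]:
    """kafka-python settings for SASL/SCRAM over TLS (SCRAM-SHA-512 is an assumption;
    use the variant named in the Knowledge Base article)."""
    return {
        "bootstrap_servers": [broker],
        "security_protocol": "SASL_SSL",
        "sasl_mechanism": "SCRAM-SHA-512",
        "sasl_plain_username": user,
        "sasl_plain_password": password,
        "ssl_context": tls_context(ca_file),
        "group_id": group_id,
        "auto_offset_reset": "earliest",
        "enable_auto_commit": False,   # commit only after the record is persisted
    }


def config_problems(cfg: Dict[str, Any]) -> List[str]:
    """Return the weak settings found (empty list means the config is acceptable)."""
    problems = []
    if cfg.get("security_protocol") != "SASL_SSL":
        problems.append("security_protocol must be SASL_SSL (no plaintext transport)")
    if not str(cfg.get("sasl_mechanism", "")).startswith("SCRAM-SHA-"):
        problems.append("sasl_mechanism must be a SCRAM variant, not PLAIN")
    ctx = cfg.get("ssl_context")
    if not isinstance(ctx, ssl.SSLContext) or ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        problems.append("ssl_context must enforce TLS 1.2 or later")
    if cfg.get("enable_auto_commit", True):
        problems.append("enable_auto_commit must be False so offsets follow persistence")
    return problems


def run(topic: str, cfg: Dict[str, Any], decode: Callable[[bytes], Any],
        sink: Callable[[Any], None]) -> None:
    """Consume the per-customer topic; decode is the Protobuf parser, sink writes to the lake."""
    from kafka import KafkaConsumer  # imported here so the config can be built without it
    if config_problems(cfg):
        raise ValueError("; ".join(config_problems(cfg)))
    consumer = KafkaConsumer(topic, **cfg)
    for record in consumer:
        sink(decode(record.value))   # persist first ...
        consumer.commit()            # ... then advance the offset (at-least-once delivery)
```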
We believe Cloud Funnel is a powerful complement to the existing console-based Deep Visibility offering, and the perfect solution for customers interested in maintaining their own EDR data repository.