How to Interpret NSS AEP test results?

At RSA 2018, NSS Labs announced the results of their Advanced Endpoint Protection Group Test. The testing showed that the SentinelOne Endpoint Protection Platform (EPP) excelled with 97.7 percent security effectiveness, a total cost of ownership less than half the average of the evaluated vendors, and high performance detection scores. SentinelOne ranked as the top next-gen endpoint vendor for the second year in a row in the Security Value Map for security effectiveness and total cost of ownership.

In this post, we try to answer some frequently asked questions about this test and our placement.

Why not 100% effectiveness?

There are two categories where our score was not at the top, blended and unknown threats. These test categories had very few samples (fewer than 15 each).

SentinelOne leverages several AI engines to detect, prevent and convict threats at runtime. These engines rely on the static features or behavioral activities of the threat. Several of the tests conducted within these two categories did not involve execution of the threat at all, or the threat would only execute under a very particular scenario (such as after a certain number of left mouse clicks) that was not realized during the actual testing. As a result, there was no malicious execution activity for the SentinelOne behavioral engines to convict.

Our ability to distinguish innocuous, benign behaviors from truly malicious ones is what enables us to be deployed across thousands of organizations around the globe while minimizing the undesirable impact of false positives.

Is this result valid for macOS and Linux?

The NSS Labs AEP test only covered Windows systems. SentinelOne has one of the most advanced protection capabilities for macOS and Linux. In January 2018, AV-Test proclaimed that “SentinelOne was able to fend off all attackers 100 percent, resulting only in an additional system load of one second.”

SentinelOne is also partnering with Microsoft to support macOS and Linux feeds into Windows Defender Advanced Threat Protection. This is another validation of our superior technology on these platforms.

What about EDR?

Security effectiveness is one of the most important considerations for many customers, but not the sole one. While it shows the ability of the product to protect organizations against different types of threats, no product will ever be 100% effective.

Customers should use layered approaches for best results. SentinelOne also offers a unified, built-in EDR in the same agent that provides endpoint protection (EPP). This enables customers to perform threat hunting and to search for known IOCs or campaigns that may have evaded our protection layer.

SentinelOne also offers a unique and compelling rollback capability that lets customers recover files and clean systems with a single click.

How do you deal with False Positives (FPs)?

One way to achieve high security effectiveness is to lock the system down so that no new applications (good or bad) are allowed to run. But this is impractical for most organizations. SentinelOne has one of the lowest FP rates, and this is one of the reasons why the TCO of the SentinelOne product is much lower than that of other next-gen competitors like Cylance and CrowdStrike.

How do I get a Demo of SentinelOne?

You can request a demo of SentinelOne by filling out the form here. We offer free 30-day evaluations for qualified opportunities to test our product in their environment.

How do I get a Copy of the NSS Advanced Endpoint Protection Group Test?

You can receive the full Advanced Endpoint Protection NSS Labs report here.