Interview with SentinelOne Co-Founder and CEO

Nick Normille, Analyst at JMI Equity, conducted an interview with our very own SentinelOne co-founder/CEO Tomer Weingarten on the state of endpoint protection. This excerpt was published this week in Nick’s newsletter. Take a look…

There are a lot of interesting things happening in endpoint security nowadays and I’ve been fascinated with the progression of the space. Antivirus products were created 30 or so years ago, and up until a few years ago, there had been little innovation in endpoint security. In the past few years however, there’s been a flood of activity and money is following the innovation. Earlier this year, I analyzed the venture capital flowing into cybersecurity and found that in 2015 (as of mid-August), endpoint security companies had received significantly more funding than any other cybersecurity sub-sector, with nearly $300 million.

Naturally, I’ve been eager to talk to some of the leaders shaping the innovation in endpoint security (see past interviews with founders of CrowdStrikeBromium and Cylance) and that’s why I was very excited to talk to Tomer Weingarten, the CEO and Cofounder of SentinelOne. In the interview below, Tomer and I discuss the endpoint security market landscape, some of the differentiating features between providers, and the market penetration for next-gen endpoint security products.

Why is the EDR/next-gen endpoint space getting so much attention right now? AV technology has been the same for 20 years, what was the catalyst for innovation?

For that exact reason – there was zero innovation in the space, and clearly AV tech is not up to par with current attacks. Funnily enough, the resurgence of the endpoint space is also because a lot of the promising network based measures (think sandboxing) have failed to protect against even simple attacks, mostly because of their multiple deficiencies in dealing with evasion techniques and targeting techniques that are often used in attacks today. These methods ensure that the attack will run only on the end device that it wishes to compromise and no place else – causing it effectively to evade anything on the way to that target device (the endpoint). At that point it becomes clear – protection has to be on the endpoint if you want to stand a chance at detecting a stealthy attack.

You have some very well-funded competitors like CrowdStrike, Bit9 + Carbon Black, Cylance, Tanium, CounterTack and others. In the long term, can the market hold this many players?

The endpoint market is the biggest TAM in cyber security. A lot of these players are point solutions for different problems – CrowdStrike and Bit9CB will give you the visibility and response tools (aka EDR), but not really protection or prevention. Cylance will give you some prevention – but will be also very limited to file based attacks and not give you any visibility and response tools. Tanium’s focus is on manageability, patching and IOC searches.

Overall it’s a very fragmented market. Most of these guys are only complementary to AV, and cannot replace it. The only 2 companies that are actually flat out saying they can replace the traditional AV are us and Cylance, and out of these 2, only we have both EDR functionality AND the prevention piece required to replace the AV – and all of it is based on our own proprietary execution inspection engine for dynamic behavioral analysis.

We’re also the only next-gen vendor who actually got a third party certification and was tested for efficacy rates. I think the future will show that people will opt for more unified platforms for EPP rather than point solutions.

How do you differentiate yourself from all of this competition in the endpoint space?

I think you got a good idea from reading the stuff on the top – our ability to have one product that can cover both the EDR use case, but can also replace the AV and offer better prevention capabilities is unique. The other thing I’ll point out is, attacks today are much more than malware and files, and there multiple vectors of attack you ideally want to cover. We cover pretty much all vectors of attack, from the more traditional malware, to memory based exploitation, to script based attacks and live attackers. Our ability to be focused on code execution rather than on files, allows us to tackle attacks most other platforms cannot deal with. If you have a product that’s based on IOCs for detection – how do you detect attacks that leave no IOC? If you have a product that’s based on running ML on file scan for detection – how do you detect attacks that don’t use files or payloads? These are all attacks that are happening today, so you’d really want to opt for a better, more inclusive approach, and I think that’s one of the biggest strengths of our code execution inspection and behavior analysis – they cover all of it.

You sell both an EDR product and an EPP product. How are they different? How do they work together?

In our case the products are very similar. EDR is basically designed to be complementary to an AV, while EPP has everything that EDR has plus stand alone prevention capabilities that can replace an existing AV.

You’ve written about the benefit of next-gen endpoint solutions here, but do most of the corporations that you sell to understand the need for this? Are most of them still using traditional AV? What do you think the market penetration is like for EDR/next-gen EPP?

Its a good question. I would also say that to me – EDR is NOT next gen EPP. Next gen EPP must be able to replace a traditional EPP platform, must offer prevention, must tackle exploitation and must offer endpoint visibility. EDR vendors in most cases don’t even offer true detection capabilities, and are basically a visibility tool for an analyst to decide whether what he’s seeing is malicious or not, which obviously cannot replace a standalone, real time detection and mitigation engine.

I think most customers WANT to replace their AV. I don’t think they want to bolt EDR on top of it. They just want better protection–an AV that actually works–and that’s what we’re trying to give them. The way I think about it is, EDR is for the response team to react to a breach. Next-gen EPP is for the security team to have better defense mechanism to deflect advanced attacks and zero days. Both are required, but if next-gen EPP is doing its job correctly – you’ll have much less incidences to handle.