Listen Up! SentinelOne CRO on the RiskyBiz Podcast
By SentinelOne
Patrick Gray: Hi everyone and welcome to part two of our final Snake Oilers edition for 2018. My name’s Patrick Gray. Snake Oilers is the podcast we do here at risky dolphins where we get a bunch of vendors together to pitch their stuff. They all pay to participate, just so you know. And today we’re going to hear three pitches from tech companies: one is from 40 card, one is from exec team and one is from SentinelOne. That’s right. We talk to the vendors to get their best pitches so you don’t have to execute him we’ll be talking about how they’re doing more device analytics in this same platform. SentinelOne will be talking about how it differentiates itself in the highly competitive EDR space.
Patrick Gray: Okay, our final vendor today is SentinelOne, which makes an EDR platform, and let’s face it, the EDR space is very crowded, and it’s no surprise because it’s one of the sort of bigger markets that infosec vendors can get into. In order for players in the space to do well they need to offer something a little bit different. And for SentinelOne that difference is what they term active EDR. The focus being less on event logging and detection and more on direct intervention on the endpoints, you know, less reliant on cloud based decision making. Nick Warner is SentinelOne’s chief revenue officer and he joined me to explain why he thinks SentinelOne is different to other EDR platforms. Here’s what he had to say.
Nick Warner: So the way that we’re different from the competition is we really have a single purpose built product with a single code base that does three things in one. And that’s endpoint management, endpoint protection, as well as EDR, endpoint detect and respond or enterprise detect and respond, in one single product that was built from the ground up to accomplish those three different things. Because we built a product that was looking to do management, visibility and protection together. One of the unique things about SentinelOne is that we’ve incorporated behavioral A.I. into the product, which one way to think about it is taking EDR and automating it, making it active EDR that resides live on each and every endpoint. So rather than waiting for after the fact analysis around behavior in order to determine if something good or bad is happening behaviorally on a system, our product is empowered to make live real time decisions to step in, take action and prevent behavior based attacks on the employee.
Patrick Gray: So this is more like you know like an active host intrusion prevention system rather than you know host you know telemetry system that’s one way to think about it.
Nick Warner: We also do a lot more than just looking at execute behaviors. We can examine files before they run and make a determination if they’re good or bad using what we call static A.I. We can also take a look at scripts, macros and all sorts of non binary based elements on a system to determine if they’re good or bad while they’re running, and what’s very different around our technology is the time to detect and respond is in machine speed. And so what that means is a much more effective product that protects our end users in real time.
Patrick Gray: Now the macros issue is a pretty curly one how does SentinelOne go about trying to address that because that is as I say that’s a pretty curly problem in infosec.
Nick Warner: It is, and we’re seeing a lot of customers increasingly wrestle with this in their enterprise, and before there was a false choice and it’s, well, you can allow all macros to run or you can simply disallow all macros from running, which for most enterprises neither is a good option. With SentinelOne what you can actually do is allow macros to run but we’ll track and watch every single part of that macro as it tries to execute in the system. And the moment that we determine that it’s behaving badly or implementing a set or sets of bad behavior we can step in and take action and block any of that malicious behavior from occurring in a system. So what we allow our customers to do is have their business carry on as normal and allow legitimate and benign macros to run but step in and take action and prevent exploits that might be embedded in macro or malicious macros from doing damage on a customer system.
Patrick Gray: Now one thing that I find pretty interesting about your products is it’s like the least sexy feature of your products but it’s a it’s one of the ones that I certainly find the most interesting, which is the ability to actually auto-remediate after malware infections. Can you tell us a little bit a little about that, please.
Nick Warner: Sure. And the reason that we can do that, again going back to what I mentioned, this combination of management, visibility and protection, because we’re doing that all locally and autonomously on a system, what it means is that we’re watching every single file change, any change that’s made to a system we’re watching and recording. So if we step in and take action and block an attack what it also means is we know every single change that that attack made or tried to make in the system and we can automatically roll back and remediate any changes that were made. One of the most eye catching implementations of this capability are ransomware attacks, say if we’re running a monitor only mode, because we’re very effective at stopping and preventing ransomware attacks. But let’s say that your monitor only mode or one didn’t get caught by us. We can actually go back and roll back and put back all of the encrypted files as if the attack never happened. It’s really acting like a time machine of sorts but it also means the days of sort of wiping re imaging machines after even a blocked or prevented attack.
Nick Warner: Those are days past, because with our product you can automatically roll back changes that were made in the system and continue with minimal to no business interruption. You know, another key feature with SentinelOne that is really needed in the industry is having a purpose built API centric product, because increasingly what customers are wrestling with is just this notion of how do I incorporate this massive disparate stack of security solutions that I’ve acquired over the past so over many years. And what we did with SentinelOne is built an endpoint product that can be entirely controlled and managed through API. So anything you do in our cloud based console you could do over API. So we have API integrations with several dozen different security vendors. And what it means for customers is they can literally get endpoint management, protection and visibility and snap it in seamlessly to any number of security products that they’ve purchased in the past, whether or not that’s a SIEM product, an automation product or even firewall products as well.
Patrick Gray: Can you give us an example of where that comes in handy like a real world use case.
Nick Warner: So one, you know, one common implementation of this would be with your firewalls. So let’s say that you’re running SentinelOne on a set of systems within your network, you’re deployed out to 50 percent of your systems or deployed to a hundred percent but you also have a network for BYOB devices. SentinelOne detects and blocks successfully a set of attacks and those attacks are or are coming from a certain IP address. And we determine the unique hash of that file or files. We can automatically pass all that information over to any number of the top firewall vendors and they could automatically blacklist both that originating IP address as well as automatically blocking the downloading of that set of hashes from even non-SentinelOne protected devices.
Patrick Gray: Now I’m curious where you’re finding the most success because you know most infosec companies tend to find that they have a typical size or style of organization that tends to like its products.
Nick Warner: Although you know EDR is a little bit different cause it’s a pretty broad appeal type of thing but where are you having the most success.
Nick Warner: We’re really having the most success in enterprises. Global enterprises. You know, we are the fastest growing company in the next generation endpoint space. We have three of the Fortune 10 and we have several dozen Fortune 500 companies using us. That said, we also have been adopted by hundreds of small and mid-sized customers. Really what we’re looking to do is democratize EDR and next generation protection by making it an easy to use and easy to consume technology.
Patrick Gray: Now you’ve got to cross platform support looking at the Big Three Linux Mac and Windows. That’s right isn’t it.
Nick Warner: That’s right. And we also within each of those support, for example, the broadest number of Linux kernels and distros in the market. Additionally we have been adopted by many of Apple’s largest Mac OS implementations in the world because we have very very good feature parity between our Windows solutions, our Mac solutions and our Linux solutions. Like most next generation solutions we can either be deployed in the cloud, which makes it really fast and easy to use, but very unique in the space is that we also can be deployed using an on premise infrastructure. That’s because our endpoints themselves do so much of the automation so we’re not reliant on a cloud infrastructure necessarily. You can also choose to run us on premise for highly secure and firewall environments or you can run us in a hybrid motion with some being controlled from the cloud and some being controlled from an on-prem OVA or virtual server.
Patrick Gray: Now one thing I’m curious about here, you cite very large companies as using this product and, you know, the type of companies that have SOCs. But I would have thought something with, you know, that does auto blocking, that’s more of a prevention system than just a monitoring solution, would be popular, more popular among smaller enterprises that don’t have SOCs.
Nick Warner: I mean is that something you’re saying it is something that we’re seeing and I think you know another advantage to our approach is because we don’t rely on humans to do all the hunting and to make decisions. We can not only offer better prevention but we can be brought to value. Much more quickly within say medium and small organizations that might have resource strapped security teams. What we bring to market is something that in an automated way give you EDR and visibility and hunting capabilities
Nick Warner: And also in a very automated way give you next generation protection both against your commodity based attacks and your advanced attacks.
Patrick Gray: Okay. Nick Warner from SentinelOne, thank you very much for joining us to have a chat about your stuff on Snake Oilers. Thank you. That was Nick Warner there of SentinelOne. Big thanks to him for that and I have linked through to SentinelOne in the show notes for this episode of the Snake Oilers podcast and that is it for this edition of Snake Oilers. I do hope you’ve enjoyed it and found it useful. I’ll be back in a couple of days with the regular weekly news show. But until then I’ve been Patrick Gray. Thanks for Mr..
The above audio transcript of “riskybiz.m4a” was transcribed by the best audio transcription service called Sonix.