SentinelOne’s Product Journey – A Year in Review
WOW! 2018 was a year of significant growth and achievements for SentinelOne.
In order to support and deliver such growth, our product grew and transformed. We set our sights on a crazy roadmap…and we achieved it! This is the story of our product’s journey in the last year.
Multi-Tenant / Multi-Site
A year ago, our popular management console was still designed for single-tenants. This meant that for every customer, we deployed a dedicated management server in the cloud. This model made sense for the company that needed to deliver a production grade solution as fast as possible at the early stages of the company. However, looking at the viral growth we were seeing (millions of endpoints coming on to the platform) as well as an even further skyrocketing sales pipeline, a single-tenant model didn’t scale.
Consider, for example, the need to maintain, update and monitor thousands of servers. Such a model requires a heap of DevOPS and CloudOPS engineers and is inefficient. Foreseeing this, our R&D team was already working on a multi-tenant management server version, which means that with a single albeit “richer” server (actually a cluster of servers), we can support many hundreds of customers! This is a scalable solution and one that delivers an even better customer experience: we transformed to support our customers with an order of magnitude lower number of servers.
The first introduction of our Multi-Tenant management server was Central Park, and since then we’ve deployed hundreds of customers on our clustered environment. At the same time, we worked diligently to transition our existing single-tenant deployment to the managed clusters.
What’s In It For Our Customers?
Service Quality. Our managed clusters offer higher availability and even better service, as they are always updated to the latest versions including all latest features and bugfixes.
But that’s not all… With Central Park we also added Multi-Site capability, so our customers could create and manage multiple segregated sites to support their deployment needs. We also added a view that allows multi-site oversight and management for efficiency. The Multi-site capability is crucial for the world’s largest enterprises and MSSP deployments – with that we were able to scale with SonicWall and Continuum.
User experience. Last but certainly not least, in the transition of the console code to support multi-tenancy, there was a general overhaul of the code and the UI design to have an even better UX for our users.
Deep Visibility – Threat Hunting Module
One of the most significant leaps our product has made this past year was revamping our Deep Visibility module for Threat Hunting. We heard the market feedback on the solution we had and jumped on the challenge to create a winning threat hunting platform – Deep Visibility 2.0. In addition to our proprietary capability of providing visibility into encrypted traffic, we delivered a fully-featured platform answering customers’ requests for multiple views (Tabular, Proces Tree), a language supporting both simple and complex queries (S1QL), more data attributes available for hunting, and more response capabilities such as File Fetch and Full Remote Shell.
We also identified one of our key technical differentiators early on: our ability to provide a full rich TrueContext for system events that our autonomous agent monitors and models. This enables our customers to save significant time as they don’t need to create the context themselves, an expensive task that requires both skilled personnel and large amounts of time.
Instead, a hunting mission starts with a single data point and with just a single pivot on TrueContext, the SOC analyst gets the full attack story correctly and quickly. With TrueContext in the Deep Visibility Threat Hunting Module, SentinelOne account admins can spend their precious time on decision making, hunting more and pivoting less.
Faster Release Cadence
Imagine the effect of transitioning from a shotgun to multi-barrel Vulcan cannon… This is what we’ve done with our management console release cadence. Before, we shipped a quarterly release. This means we met the market with a significant release once every three months – these releases required significant QA and regression cycles given the amount of content shipped. We changed and moved to a console release every 2 weeks! I mean production grade release that is deployed on all our cloud deployments every 2 weeks (imagine again what it would mean without a multi-tenant solution!).
We are now able to pump out features at a faster pace and provide higher quality (faster bug fix cycles) solutions to our customers. Our customers were surprised at first with the rate of their console upgrades, but it is fully appreciated as they see our response rate and a predictable cadence.
One of the ways legacy AV vendors coped with the changing threat environment is to add more features which are not directly related to malware detection or prevention, such as Device Control and Endpoint Firewall Control. These features became standard check-box items in customers’ RFPs, and in order to help our customers rip-and-replace existing legacy AV solutions, we also introduced suite features such as Firewall Control and Device Control. At the time these features were conceived, we already started thinking how to provide even better value to our customers beyond the check-box item, and have found several flows that improve security stance, such as responding to an identified C&C server by quickly blocking all communications to it from our managed endpoints with a Firewall Control rule.
Expanding Beyond the Endpoint
When engaging with customers, we often heard a request to address off-endpoint use cases. We responded with the introduction of the Nexus Embedded AI SDK. The SDK can be useful in various use-cases. One example is Cato Networks integration of our SDK in their newly announced MDR service in their Network-as-a-Service Cato Cloud solution. Another example is the integration of the SDK to protect storage solutions such as Cohesity.
All of the above is of course impressive, but wouldn’t mean much if our detection and protection capabilities were not continuing to evolve and lead the market. High efficacy, low false-positive rates, added detection behaviors, extending Static AI file types coverage, providing Behavioral Indicators mapped to the MITRE ATT&CK framework, Shadow SUID protection, and CryptoMiner detection are just a taste of what our Research team added to the product’s detection capabilities this past year.
All these product advancements across the board couldn’t have happened without the leadership of SentinelOne’s awesome PM team and the true collaboration we have with the tireless, talented and BEST R&D team in the world! – THANK YOU!
Glimpse into the Future
While we were doing all these amazing things, we didn’t stop there, and continued to research, develop and innovate. One exciting area we’re expanding into in 2019 is Enterprise IOT with SentinelOne Ranger. With Ranger our protected endpoints autonomously map and provide full visibility of all IOT devices connected to the enterprise network, then preventing high risk devices from connecting to the assets – protecting them. Contact us to find out more on what we’re up to in 2019!
As mentioned at the beginning, 2018 was quite a journey for SentinelOne, and I’m proud of all the achievements we’ve accomplished.
I might have saved you the time to read by just providing this video highlighting some of the features mentioned in this write-up.
To our customers, thank you for joining us on this journey – we listen and we act quickly with your needs and desires in our hearts and minds.
To our prospects, happy testing! We hope you make the “ONE” choice to take your endpoint security and overall enterprise security strategy to new places in 2019.
Read more about SentinelOne’s Product Innovation
The Secrets of Evaluating Security Products
Endpoint Protection Platform Free Demo