The importance of endpoint security in the context of emerging zero trust security is clearly recognized—and this is reflected in the growing number of choices enterprise teams have in the selection of a suitable endpoint protection solution. Commercial tools focused on prevention, on detection, or on the related functions of remediation and response are readily available and this can lead to confusion for enterprise teams.
A new goal has thus emerged to unify and introduce greater commonality for the required endpoint security functions in an enterprise. The goal of uniting prevention, detection, and response has therefore become an important priority—and this is not just for management simplification. It also increases the effectiveness of the endpoint controls and can help reduce operating and capital expense investments by the security group. Having a solution capable of distributing intelligence and coordination actions across the prevent, detect, and respond lifecycle—regardless of attack surface— is extremely powerful for a SOC.
The TAG Cyber team recently sat down with Migo Kedem of SentinelOne to learn more about how the company is working to unite and unify endpoint security into a next-generation cyber security platform that can address many of the goals mentioned above.
TAG Cyber: What’s promoted the increase in attention to endpoint security in our community?
Migo Kedem: Endpoints were always a lucrative target for cyber attacks, and the reasons are simple: It’s where we work, and humans are vulnerable from a cyber security perspective. For those who work in an enterprise, it’s also where we access, and in many cases store, the data we use and produce to do our jobs. These elements always drive cyber criminals to invest in compromising endpoints. Gaining access to a single endpoint is the key to breaching the enterprise.
TAG Cyber: Do you see unification of endpoint security functions as a requirement coming directly from practitioners?
Migo Kedem: Yes, 100%. Especially since COVID, we see a change in how enterprises allocate budgets, and the consolidation of tools is one of the easiest ways to reduce cost without compromising on security. Automation also helps cut down the inherent costs of responding and investing in manual work. More tools means more labor to manage them, which translates to cost. Solutions which consolidate and automate are getting moved to the top of CISO spending.
TAG Cyber: Tell us about your platform. How does it work?
Migo Kedem: The journey of the SentinelOne product is unique. Even at the beginning, the solution baked in EPP [endpoint protection platforms] and EDR [endpoint detection and response] in a single architecture. Aside from our prevention and detection capabilities, we were the first to introduce the concept of rolling back a ransomware infection, so users who may have seen traces of infection could keep working.
In 2015, we introduced cyber insurance—a term not previously used by a vendor to say, “We are confident enough to stand behind our technology and we will pay if we miss a breach.”
Over time, the platform evolved to answer the new needs of CISOs and security practitioners, like IoT discovery and cloud workload protection. We also introduced capabilities to support an easy switch from legacy AV suites commonly needed by enterprises, like device control (USB), Bluetooth control, and even endpoint firewall control.
The SentinelOne security platform’s most significant evolution was when we introduced Singularity. In short, the platform combines all the capabilities mentioned above into a holistic platform so that enterprises can choose the right solution for their needs. This approach allows enterprises to install one agent, to manage it from a single console, and replace traditional AV with a much better AI-based solution that is cross-platform. It includes an EDR and XDR that allow for automated response (which means that security and incident response teams aren’t fielding calls in the middle of the night); visibility into every asset on your physical and virtual networks; and vulnerability scanning, Bluetooth control, isolation of infected devices, and a long list of features to keep enterprises safe from cyber attacks while maintaining our original single agent and single management console architecture.
The hallmark of Singularity is that all this rich device and user data is stored in a data lake available to each of our customers. This takes SentinelOne beyond a unified EPP and EDR endpoint solution of choice—we also are an IoT security solution, a cloud security solution, and a security/data analytics company—all in one.
TAG Cyber: What trends do you see in the types of threats that endpoint tools are expected to mitigate?
Migo Kedem: Several new trends are affecting this market:
1. Ransomware is no longer a decryption play, but downright extortion. Highly organized crimeware groups (such as Dridex and Trickbot) once relied primarily on banking fraud and demonstrated success, utilizing ransomware as their primary attack vectors. Such operators are now using the same capabilities to compromise enterprises, not only to blindly encrypt devices (like the case of the City of Baltimore which cost $17 million in recovery), but to exfiltrate data, post demands on public websites, and to hand data back only after receiving the ransom. The economics of this trend should alert all security practitioners: Enterprises risk facing substantial financial damage by either collaborating with crimeware groups or by having their PII and customer data exposed to the public.
2. The scale of operation and the use of AI. There is no doubt that the capabilities of AI are allowing all kinds of technologies to be more effective. AI has become more accessible to different types of organizations, and at the same time, it has become available to organized crimeware groups. This means that defending using AI is not a luxury but a necessity. Attacks are more lethal and debilitating than ever before, given that the adversary uses AI just like defenders.
3. Ransomware-as-a-Service – Heaven’s gate to criminals. In the past, the bar of creating ransomware for profit was much higher than it is today. This changed in recent years. While Ransomware-as-a-Service does not change the way to defend, it exponentially increases the number of malicious attacks seen today by businesses of all sizes.
TAG Cyber: Is proper use of artificial intelligence an important factor in the success of an endpoint security solution?
Migo Kedem: Artificial intelligence is a critical element in the fight against malicious threat actors. It is definitely not a silver bullet, but it is a gateway to efficiency and automation. If you ask any AI experts, they will all say the same—the quality of AI-driven security protection is as good as the data you use to train AI. Knowledge accumulated over time helps companies incorporating AI to understand the blind spots of AI. In addition, as mentioned before, the democratization of AI—meaning, it’s being used effectively by both defenders and attackers—has created the reality that using AI is no longer a differentiator, but a baseline of a security stack.
TAG Cyber: Any final predictions about endpoint security and endpoint-related threats?
Migo Kedem: Yes—securing enterprises is an ever-changing battle to overcome threat actors. Today, standing still is effectively moving backwards. The economics of malware, and specifically ransomware, still fuels a vast criminal market that sometimes operates like startups that are capable of innovating and taking advantage of fragmented and vulnerable networks (remote work is one example).
To adequately protect against such challenges, one needs to find a security solution that is trusted and proven in the wild, without creating more burden on the existing cyber security workforce.
These inherent challenges are not going to lessen in the future; on the contrary—we keep adding more and more devices that access our networks and data. By doing so, we increase the attack surface, sometimes without realizing or considering the implications. You don’t find many enterprises capable of coping with this real-world challenge—this is where technology helps close the gaps.
In summary, the need to protect devices of all kinds grows; the challenge—and opportunity—is increasing protection and visibility without impacting overhead and human capacity to manage the evolving and complex enterprise architectures of today and tomorrow.