SentinelOne Certified for HIPAA and PCI DSS Compliance
SentinelOne retained Tevora, a security and risk management consulting firm, and a reputable PCI Qualified Security Assessor (QSA) and HITRUST Assessor, to conduct an independent, in-depth evaluation of SentinelOne’s anti-malware Endpoint Protection, Detection, and Response Platform (SentinelOne Platform) and software against PCI DSS version 3.2.1 Requirement 5, and HIPAA Security Rule requirements 164.308(a)(1), 164.308(a)(5)(ii)(B), and 164.308(a)(6)(ii). This paper describes the functionality of the SentinelOne Platform, and how the solution dynamically prevents, detects, and responds to cyberattacks. SentinelOne performs automated SOC functions such as blocking malware, providing root-cause investigation, correlation and remediation of suspected threats, and performing automated mitigation of cyberattacks. Furthermore, this report outlines the specific ways in which the SentinelOne Platform can bring organizations in line with PCI DSS Requirement 5 and HIPAA’s malware protection, and security event response and reporting requirements.

The Current Endpoint Security Marketplace
EPP vs EDR
Over the last decade, the evolution of traditional, signature-based anti-virus (AV) has been slow and incapable of responding to the rapid pace of the threat landscape. In recent years, the rate of innovation has been accelerating, with next-generation endpoint protection products utilizing new techniques. Typically, these solutions are capable of malware prevention using machine learning and are now starting to converge with response capabilities, known as Endpoint Detection and Response (EDR). Next-generation solutions can help satisfy HIPAA and/or PCI DSS requirements and reduce operational overhead.
EPP solutions rely on two primary features:
1. Background scanning
2. Full system scanning

Background scanning consists of anti-malware software scanning downloaded files, plugged-in hard drives, mounted drives, and other non-volatile storage, searching for malware traces and comparing files and hashes to known virus signatures. This process is known for slowing system speeds due to the intensive processing it requires, especially for hard disk drives. Full system scans are similar in nature, except they iterate over every file on the endpoint in the hunt for known viruses. All traditional EPP solutions work in the same way: perform a background or full system scan and compare all files against known virus signatures. Frequent updates to the signature databases are required and create user friction during updates and a constant risk of missed detections. Traditional EPP solutions neglect to protect against unknown or emerging malware.
EDR solutions provide an alternative approach to endpoint protection. Leading EDR solutions track system events, identify trends in behaviors, and, if anomalies are detected, provide the tools to create alerts for further investigation and remediation, typically performed by an expert analyst in a SOC. Sophisticated EDR solutions can often assume many of the manual remediation responsibilities normally performed by dedicated security operations center (SOC) personnel. A SOC requires significant overhead, often outside of the budget for many enterprises. The SentinelOne Platform eliminates much of the pain with its unified EPP and EDR functionalities, designed to perform prevention, detection, and automated remediation in addition to forensic investigation and threat hunting. Further, while EDR does not adhere to the traditional scheduled scanning standards set out in PCI and HIPAA, it does operate in a state of constant scanning. Real-time visibility and response, coupled with prevention, aligns organizations with compliance standards and a proactive posture towards addressing threats.
SentinelOne Platform: A Compliance Champion
SentinelOne’s Platform takes a hybrid approach to achieve the ultimate in endpoint protection and fulfill an organization’s compliance requirements. SentinelOne employs four key features:
III. Suite features like device control, firewall control, and vulnerability management
IV. Advanced threat hunting tools and techniques

SentinelOne applies a methodical approach to threat detection and response, calling each feature at precisely the right moment.
EPP features are launched during pre-execution of processes to prevent attacks, and ActiveEDR (powered by patented TrueContext technology) is triggered on execution to track, identify, correlate, contain, and remediate the potential malicious activity. The SentinelOne Platform also enables full remediation and even a rollback to the pre-infected system state. SentinelOne’s advanced EDR then provides deep visibility into all system behavior for in-depth investigation and hunting. This SOC-like functionality determines if the investigated system may be the victim of zero-day attacks, regardless of network connectivity.
How Does SentinelOne Help Customers Meet Compliance Requirements?
Overview

Threat prevention, detection, and response (containment, remediation, investigation, analysis) are integrated through static and behavioral AI engines which 1) constantly monitor all activities on the endpoint to detect malicious activities, and 2) automatically remediate malicious activity, with both processes happening in real time. Today’s SentinelOne Platform gives businesses the tools they need to secure their data and systems, using minimal effort to achieve compliance. Tevora performed an in-depth evaluation of the SentinelOne Platform core features: sophisticated multi-layered protection, detection, visibility, investigation, remediation, and automation.
The SentinelOne Platform uses autonomous multi-layered prevention to cover diverse threat vectors — known and unknown — even when a system is offline. When a suspected threat is detected, the Platform is capable of automatically responding to eliminate the risk, including rollback of all malicious activity — all viewable as a detailed narrative, and also providing orchestration and investigation data to a supervising SOC. SentinelOne has a robust protection directive which can even disconnect endpoints from the network upon detection of attacks to prevent the spread of malicious activity to the rest of the environment.
The SentinelOne Platform has visibility into all activities tracked by the agent, like applications and running processes on configured systems, and even encrypted network traffic. Real-time alerting is available at the endpoint level and the management console level, to allow end-user and administrator clarity and management capability.
The Platform provides a robust blend of the following features in one autonomous agent with minimal endpoint resource utilization:
- EPP (known and unknown malware intrusion prevention and detection)
- Vulnerability and risk monitoring and management
- Suspected threat detection, monitoring and containment
- Remediation of threat-related operations
- Versatile options for cloud, on-premise or hybrid-hosted management console to fit any business infrastructure.
A central part of the platform is utilizing intelligent automation to reduce risk and save time. Full endpoint-level automation of responses to suspected threats minimizes response time, reduces the negative effect of suspected threats, reduces the need for manual SOC intervention, and minimizes disruption to end-user productivity. Automation is also facilitated by the over 300 APIs developed by SentinelOne, which allow for the integration of its Platform with various SIEM products. With this compatibility framework, logging and monitoring are not only readily available, but may be configured with ease for businesses with nearly any technical architecture.
To meet their compliance obligations as organizations processing PCI and/or HIPAA-protected data, it is incumbent on covered businesses to configure SentinelOne to help meet their PCI or HIPAA compliance needs. SentinelOne’s obligation is to provide a comprehensive feature set that when configured adequately can support covered organizations to achieve their compliance obligations.
To read how the SentinelOne Platform addresses each applicable PCI DSS and HIPAA requirement and the full report, click here
Technical Analysis Methodology
Tevora analyzed SentinelOne’s Platform to observe the Platform’s effectiveness for the following compliance areas:
- PCI DSS Requirement 5
- HIPAA requirements 164.308(a)(5)(ii)(B) and 164.308(a)(6)(ii)
Tevora’s primary objective was to assess the efficacy of the SentinelOne Platform in satisfying PCI DSS and HIPAA requirements. To begin, Tevora evaluated how SentinelOne’s Platform protects against, detects, contains and removes all known and unknown types of malware. Next, Tevora tested how effective SentinelOne’s Platform is against evolving malware threats for systems not commonly considered affected by malware. Finally, the focus shifted toward testing how the Platform remains current, performs system scans, and generates audit logs. The last test by Tevora was to ensure that end-users could not disable or uninstall the SentinelOne Platform client.
- Samples of malware were downloaded to a test environment. Upon download to the system, the Platform immediately triggered an alert signaling malware detection, and the payload was quarantined. Activity reports were generated to highlight the complete narrative, including the source and how the malware was introduced to the system, which services it attempted to call upon, what files were launched and targeted and more. After being quarantined, the malware was encrypted with an administrator-defined password, if that file was required to be maintained.
- While the definition of “systems not considered commonly affected by malware” is at the discretion of each business, this was where the SentinelOne ActiveEDR feature had its time in the spotlight. With its capability of identifying anomalous behavior through its automatic SOC functionality, zero-day and uncommonly known vulnerabilities were detected without needing to rely on virus signatures or definitions. The ActiveEDR functionality also provides automated investigation, orchestration, containment and remediation capabilities with respect to previously unknown and uncommonly known threats.
- Endpoints report to the Platform’s management console every 10 seconds to keep virus hashes as current as possible. Also, background system scans run continuously and may be configured to run at any time interval or even during file downloads or transfers. Numerous auditing options allow owners to specify the granularity of logs and, with over 300 application APIs, virtually every SIEM solution integrates with SentinelOne’s Platform. Logs are available to administrators on the Platform’s management console and are encrypted with AES-256 to maintain log integrity.
- The management console provides anti-tamper functionality that prohibits deactivation and tampering by default. Tevora verified that this feature prevented the end-user from seeing anything besides the active status of the Platform.
Tevora attests that SentinelOne’s Platform meets the intents of the prevention, detection, remediation, and reporting requirements covered by the HIPAA Security Rule and HITECH when properly configured. Further, it aligns with HIPAA Security Rule requirements §164.308(a)(1), §164.308(a)(5)(ii)(B) and §164.308(a)(6)(ii) for security violations and incidents, and more specifically malware protection. Tevora further attests that SentinelOne’s Platform meets the intents of the controls set out in PCI DSS 3.2.1 Requirement 5. The Platform provides the ability to protect against, detect, contain, and remove all known and previously unknown types of malware. Additionally, the Platform regularly updates and patches itself to ensure it is frequently maintained for optimal performance. With verbose log capabilities, configurable system scans, an anti-tamper mechanism, and hundreds of integrations with SIEM and other information security solutions, the SentinelOne Platform checks all PCI boxes. Overall, Tevora found that SentinelOne’s Endpoint Protection Platform provides a robust endpoint protection solution that is capable of satisfying PCI DSS and HIPAA compliance requirements.