SentinelOne Platform
Introduction
©2020 SentinelOne, All Rights Reserved.
Platform architecture diagram. Components shown: Deep Visibility (Threat Hunting, Threat Intelligence); Ranger IoT (Discovery & Control); ActiveEDR (Endpoint, Automated); Kubernetes Containerized Workloads; Endpoint AI Prevention; Nexus Integrations; CloudFunnel (Data Lake Streaming); Endpoint Control; XDR Response.
Agenda
Thanks for joining us today @ Tucana Cloud Event
• About SentinelOne
• Storyline & ActiveEDR
• Core – Control – Complete
• Ranger IoT
• Cloud Workload Security
• Vigilance MDR
• Management Portal Demo
About SentinelOne
HEADQUARTERS: Mountain View, CA
GLOBAL ENGINEERING: Israel, California, Boston, France
GLOBAL DATA CENTERS: US, Frankfurt, Tokyo; AWS GovCloud
Highly Available, Global Ready Architecture
Global Service & Support
700+ employees
$1.1 billion market valuation
3,500+ customers
GLOBAL SUPPORT: 24/7 Follow the Sun
VIGILANCE: 24/7 MDR team
Clients; Awards & Testing
2019 Forbes AI 50: SentinelOne ranked #14 among America's Most Promising AI Companies
7th fastest growing company in North America, and the only cybersecurity company in the top 10.
Compliance: in progress
The Solution
Storyline & ActiveEDR
Every device tells a set of stories, and each story is unique. Most stories are benign. Some are not.
SentinelOne differentiates among thousands of stories in real time.
Storyline Process Tracking: each story is a rich set of branching, related processes with a context all their own. The contents and arrangement of every Storyline are weighed in real time by ActiveEDR (autonomous behavioral scoring) in order to identify when code execution has exceeded normal bounds.
Modern Attack Velocity: when malicious code remains unchecked the consequences are dire. This is especially true with high-velocity attacks.
ActiveEDR Root Cause Analysis: root cause is critical to controlling the source of the problem. SentinelOne tracks the Storyline and ActiveEDR makes the judgement.
Machine Speed Mitigation: the agent responds instantly to mitigate the threat. Reversal of unauthorized changes, Windows rollback, and Kubernetes container kill remediate attacks.
Machine Speed Remediation, The Stories Continue: surgical removal of out-of-bounds code keeps users working without delay.
The Real Storyline & ActiveEDR
S1 Core Endpoint Protection
Unifies Prevention, Detection & Response
✓ Autonomous decisions + automatic, instant responses
✓ Global Intel + Static AI + Behavioral AI
✓ Full forensics & indicators. Easy pivot to EDR.
Protection Differentiators
✓ Holds up to high velocity & stealthy attacks
✓ Clean, simple management UX provides context
✓ Feature parity across OSes
Tiers: Core, Control, Complete
S1 Core Endpoint Recovery
Painless, fast attack recovery keeps users working
Recovery Differentiators
✓ Easy reversal of unauthorized changes
✓ One-click remediation & Windows rollback
✓ Device isolation & triage
✓ Less re-imaging. Less operational work.
S1 Control
Adds security suite features to further support agent consolidation:
Firewall for all OSes
Bluetooth & BLE Control
Full Remote Shell for all OSes
USB Device Control
S1 Complete EDR
Adds Deep Visibility™ Endpoint Detect & Respond
Unpatched Apps
EDR Differentiators
✓ Combines enterprise features + ease-of-use
✓ Deeply coupled with Prevention enforcement
✓ MITRE ATT&CK™ technique searching
✓ ActiveEDR™ marks an entire story as a threat
✓ Built for massive data retention, scale, performance
How It Works - Underlying Technology Flow
REAL TIME PREVENTION (Timeframe = Seconds)
• ActiveEDR™ Code Analysis: AI dynamic behavioral models
• Real Time File Analysis: AI-ML static file models
REMEDIATION & RECOVERY: Automated Remediation
• Kill & Quarantine
• One-click Cleanup
• One-click Rollback
• Disconnect from Network
• Local firewall control
• Anti-tamper
DETECTION & RESPONSE (Timeframe = 30 - 365+ Days): Deep Visibility Response
• Threat hunting / Watchlists
• Fast queries. Highly scalable.
• Single pivot storyline built with Storyline™
• Mark entire story as threat
• MITRE ATT&CK™ TTP hunt
Autonomous Agent Operation / Not Cloud Reliant
High levels of feature parity for enterprise: Windows, Mac, Linux, Kubernetes clusters
Data context is maintained for ease of use
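The Storyline idea on this slide and on the earlier "Storyline & ActiveEDR" slide (group related processes into a story, judge the story as a whole, then mark the entire story as a threat so root cause and descendants are remediated together) is shown below as an added, simplified Python illustration. It is not SentinelOne's code or telemetry: the sample events, the story-boundary rule (a new story starts under the desktop shell or an unseen parent) and the three behavioural indicators are constructed assumptions for the example; the MITRE technique IDs in the reasons are the standard ATT&CK IDs for those behaviours.

```python
"""Added illustration (not SentinelOne code): building process "storylines"
from endpoint telemetry, scoring each story behaviourally, and marking the
whole story as a threat. All events, the story-boundary rule and the
indicator rules are constructed assumptions for the example."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str      # executable name as seen by the sensor
    cmdline: str


# Constructed sample telemetry from one endpoint (not real data).
SAMPLE_EVENTS = [
    ProcEvent(100, 4,   "explorer.exe",   "explorer.exe"),
    ProcEvent(200, 100, "winword.exe",    r"winword.exe C:\Users\a\invoice.docm"),
    ProcEvent(300, 200, "cmd.exe",        r"cmd.exe /c powershell -w hidden -f C:\Users\a\AppData\Local\Temp\u.ps1"),
    ProcEvent(400, 300, "powershell.exe", r"powershell -w hidden -f C:\Users\a\AppData\Local\Temp\u.ps1"),
    ProcEvent(500, 400, "rundll32.exe",   r"rundll32.exe C:\Users\a\AppData\Local\Temp\s.dll,Run"),
    ProcEvent(600, 100, "chrome.exe",     "chrome.exe"),
    ProcEvent(700, 600, "chrome.exe",     "chrome.exe --type=renderer"),
]

# Assumption: a new story starts at each process launched by the desktop shell
# or whose parent the sensor never saw. A real engine also splits on injection,
# services, scheduled tasks, etc.; only the tree-grouping idea is shown here.
STORY_BOUNDARIES = {"explorer.exe"}

OFFICE = {"winword.exe", "excel.exe", "powerpnt.exe"}
INTERPRETERS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe"}
PROXY_BINARIES = {"rundll32.exe", "regsvr32.exe", "mshta.exe"}


def build_storylines(events):
    """Return (story_of, stories): pid -> root pid, and root pid -> [events] in arrival order."""
    by_pid = {e.pid: e for e in events}

    def root_for(e):
        parent = by_pid.get(e.ppid)
        if parent is None or parent.image.lower() in STORY_BOUNDARIES:
            return e.pid
        return root_for(parent)

    story_of, stories = {}, defaultdict(list)
    for e in events:
        root = root_for(e)
        story_of[e.pid] = root
        stories[root].append(e)
    return story_of, dict(stories)


def score_story(story_events, by_pid):
    """Behavioural indicators judged over the whole tree, not per process."""
    reasons = []
    for e in story_events:
        parent = by_pid.get(e.ppid)
        img, cmd = e.image.lower(), e.cmdline.lower()
        if parent and parent.image.lower() in OFFICE and img in INTERPRETERS:
            reasons.append(f"{parent.image} spawned {e.image} (T1204.002)")
        if img == "powershell.exe" and "-w hidden" in cmd:
            reasons.append("hidden-window PowerShell (T1059.001)")
        if img in PROXY_BINARIES and "\\temp\\" in cmd:
            reasons.append(f"{e.image} loading code from a temp directory (T1218)")
    return len(reasons), reasons


def triage(events, threshold=2):
    """Verdict per story: root pid -> {malicious, score, reasons, pids}."""
    by_pid = {e.pid: e for e in events}
    _, stories = build_storylines(events)
    verdicts = {}
    for root, evs in stories.items():
        score, reasons = score_story(evs, by_pid)
        verdicts[root] = {"malicious": score >= threshold, "score": score,
                          "reasons": reasons, "pids": [e.pid for e in evs]}
    return verdicts


def mark_story_as_threat(pid, events):
    """The 'mark entire story as threat' action: every pid in pid's story, root first."""
    story_of, stories = build_storylines(events)
    return [e.pid for e in stories[story_of[pid]]]


if __name__ == "__main__":
    for root, v in triage(SAMPLE_EVENTS).items():
        print(root, "MALICIOUS" if v["malicious"] else "benign", v["reasons"])
    print("remediate:", mark_story_as_threat(500, SAMPLE_EVENTS))
```

The point of scoring the tree rather than each process is visible in the sample: no single event is conclusive (Word launching cmd, a hidden PowerShell, rundll32 from a temp directory each occur in benign environments), but together in one lineage they cross the threshold, and the remediation list then starts at the root process (the document that was opened) rather than at the last process that tripped a rule. The browser story under the same desktop shell stays separate and benign.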
Ranger IoT
IoT Discovery & Control
S1 Ranger IoT discovers & fingerprints every device on your network
✓ Instant Asset Inventory
✓ Eliminate IoT Blind Spots
✓ One-click Rogue Protection
✓ No network changes
Cloud Workload Security
Cloud Security Challenges
Complex. Manual. Reactive. Expensive.
Too Many Blind Spots: speed and scale of change render manual security methods moot
Too Many Bottlenecks: self-organizing scrum teams working outside of centralized governance
Too Few Experts: the skills, tools and methods for on-prem don't work well for cloud
Too Much Noise: raw, uncorrelated data streams don't help analysts control problems
Too Many Tools: overlapping functions create operational difficulties and expense
Securing Workloads - No Matter Their Location
Distributed. Autonomous. Automated. Endpoint, IoT, Cloud.
Complete Host OS Protection
▪ 10 major Linux distributions and 12 years of Windows Server
▪ Cloud-native Kubernetes managed containers / Docker
▪ AI-powered runtime protection and remediation
▪ Application Control
Enterprise-grade EDR
▪ Runtime detection and response at VM and container level
▪ Patented Storyline™ accelerates incident response
▪ Fully equipped remote shell
Enterprise Management & Deployment
▪ Automated deployment and scalability
▪ ONE multi-cloud, multi-tenant console
Cloud Security Posture Management (1H-2021)
▪ CIS Benchmarks for Workloads and Cloud Services
▪ Cloud Asset Inventory / Compliance Reporting
▪ Visual Investigation / File Integrity Monitoring Reports
Hybrid Cloud VMs and Containers
Autonomous, consolidated EPP
▪ One agent
▪ Max stability, agility / no kernel modules
EPP functions on-agent
▪ Static AI real-time prevention
▪ Behavioral AI detects fileless attacks
Accelerated Threat Resolution
▪ Storyline™ auto-correlates to MITRE ATT&CK
▪ ActiveEDR™ hunting
▪ Remote forensics via a fully capable remote shell
▪ Kill, quarantine, file fetch, network isolate
Automated Application Control
Runtime Security: Linux VMs
Supports 10 Major Linux Distros
▪ Ubuntu
▪ RHEL
▪ CentOS
▪ Amazon Linux 2
▪ Oracle
▪ SUSE Linux Enterprise Server
▪ Fedora
▪ Debian
▪ Virtuozzo
▪ Scientific Linux
Runtime Security: Windows Server VMs
Supports Years of Releases
▪ Windows Server 2019, 2016, 2012 R2, 2012, 2008 R2 SP1
▪ Windows Server Core 2019, 2016, 2012
▪ Windows Storage Server 2016, 2012 R2, 2012
2020 MITRE ATT&CK Evaluation coverage
▪ Fewest Misses
▪ Most Correlations
▪ Best Data Enrichment
Consolidated EPP functions on-agent
▪ One agent
▪ Static AI real-time prevention
▪ Behavioral AI detects fileless attacks
Accelerated Threat Resolution
▪ Storyline™ auto-correlates to MITRE ATT&CK
▪ ActiveEDR™ hunting
▪ Secure remote full PowerShell
▪ Patented 1-Click Remediation & Rollback
Container Security: Kubernetes Sentinel
Enterprise-grade EPP+EDR in one
▪ Real-time container protection w/o interference
▪ Runtime protection vs. malware, unknown, and fileless attacks
▪ ActiveEDR™ visibility & hunting inside containers
▪ Kill and quarantine threats, let k8s respawn affected containers
▪ Full remote shell into pods
Automated Application Control
▪ No allow lists or ML training required
Consolidated EPP functions on-agent
▪ 1 agent per worker node
▪ No pod instrumentation
▪ Auto-deploy via Helm; auto-scale as a DaemonSet
Storyline™
Connects the Dots Automatically
• Distributed intelligence drives high-velocity, instantaneous protection
• Patented, real-time, machine-built context across all major OSes & cloud workloads
• Long time horizon EDR data retention for proactive custom queries, MITRE technique hunting, IR, or any EDR activity
• 1-Click recovery & response reverses unauthorized changes across the fleet
Cloud Metadata within S1 Console
Ex: EC2 Instance deployed as an EKS worker node.
Review VM and K8s metadata tags
▪ IDs for machine image, VPC, and more
▪ K8s cluster name, worker node name, labels
Group instances according to tags...
▪ account ID
▪ AMI ID
▪ etc.
...and manage groups
▪ apply different policies
▪ monitor resource usage
Application Control
Immutable Cloud Workloads
▪ Any executable running in the app is in the image
▪ Runtime security depends upon immutability
Application Control Engine
▪ Detects any foreign processes which impair the immutable state of the workload
Workloads Protected at Onset
▪ NO pre-deployment scanning needed
▪ NO ML training period needed
▪ NO allow list maintenance needed
App Control for Containers
▪ AVAILABLE NOW
App Control for VMs
▪ COMING SOON: Linux VMs, Windows Servers
Available with Control and Complete
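The application-control idea above (the image itself is the allow list, so nothing has to be scanned, trained or maintained, and any process that is not part of the immutable image is foreign) is shown below as an added Python illustration. It is not SentinelOne's engine: the image contents, the interpreter list and the runtime exec events are constructed for the example, and a real engine would take the manifest from the image layers and the exec events from the kernel rather than from inline data.

```python
"""Added illustration (not SentinelOne code): image-derived application control
for an immutable container. The "allow list" is the set of executables baked
into the image, captured once at admission; every exec at runtime is checked
against it. All paths, file contents and events are constructed."""
import hashlib
from dataclasses import dataclass


def digest(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed image contents: every executable the image ships, with a stand-in
# for its bytes. A real engine would walk the image layers for executable files.
IMAGE_FILES = {
    "/usr/local/bin/app": b"\x7fELF app v1",
    "/bin/sh": b"\x7fELF sh",
    "/usr/bin/curl": b"\x7fELF curl",
}
IMAGE_MANIFEST = {path: digest(content) for path, content in IMAGE_FILES.items()}

# Interpreters are in the image, so the script they run must be checked too.
INTERPRETERS = {"/bin/sh", "/bin/bash", "/usr/bin/python3"}


@dataclass(frozen=True)
class ExecEvent:
    pid: int
    path: str        # executable path inside the container
    loaded: bytes    # bytes actually mapped for execution (constructed)
    argv: tuple = ()


@dataclass(frozen=True)
class Verdict:
    pid: int
    path: str
    allowed: bool
    reason: str


def check_exec(event: ExecEvent, manifest: dict) -> Verdict:
    """Allow only executables (and scripts) that are part of the immutable image."""
    expected = manifest.get(event.path)
    if expected is None:
        return Verdict(event.pid, event.path, False, "executable not in image: dropped at runtime")
    if digest(event.loaded) != expected:
        return Verdict(event.pid, event.path, False, "executable differs from image: modified in place")
    if event.path in INTERPRETERS:
        for arg in event.argv[1:]:
            if arg.startswith("/") and arg not in manifest:
                return Verdict(event.pid, event.path, False,
                               f"interpreter running script not in image: {arg}")
    return Verdict(event.pid, event.path, True, "matches immutable image")


# Constructed runtime exec events for a container started from that image.
RUNTIME_EVENTS = [
    ExecEvent(1, "/usr/local/bin/app", IMAGE_FILES["/usr/local/bin/app"], ("app",)),
    ExecEvent(2, "/bin/sh", IMAGE_FILES["/bin/sh"], ("sh", "-c", "exec /usr/local/bin/app")),
    ExecEvent(3, "/tmp/.x/dropper", b"\x7fELF dropper", ("dropper",)),        # foreign binary
    ExecEvent(4, "/usr/bin/curl", b"\x7fELF curl-trojaned",
              ("curl", "-s", "http://example.invalid")),                        # tampered binary
    ExecEvent(5, "/bin/sh", IMAGE_FILES["/bin/sh"], ("sh", "/tmp/run.sh")),   # dropped script
]


def enforce(events, manifest=IMAGE_MANIFEST):
    """Return one verdict per exec event."""
    return [check_exec(e, manifest) for e in events]


def blocked_pids(events, manifest=IMAGE_MANIFEST):
    """PIDs the engine would kill (the deck's 'kill and let k8s respawn')."""
    return [v.pid for v in enforce(events, manifest) if not v.allowed]


if __name__ == "__main__":
    for v in enforce(RUNTIME_EVENTS):
        print(v.pid, "ALLOW" if v.allowed else "BLOCK", v.path, "-", v.reason)
```

Two caveats follow directly from the slide's "runtime security depends upon immutability". First, the check only holds if the workload really is immutable: an application that writes plugins, JIT output or downloaded updates into a writable layer and then executes them will be flagged, so such workloads need the image fixed (or the behaviour excluded) before this control is turned on. Second, the manifest covers code that reaches exec(); a payload that runs only in memory (injected into an in-image process, or a script piped into an in-image interpreter via stdin rather than a path) is not caught here and is the job of the behavioural engine described on the earlier slides.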
CIS Benchmarks
Misconfigured IaaS services remain the #1 cause of cloud security failures
CIS Benchmarks represent the gold standard for configuration security
Customer Satisfaction
97% WOULD RECOMMEND S1
"Highest rated EDR vendor in Voice of the Customer report for EDR" (May 2020)
CUSTOMERS ARE OUR #1
Customer Satisfaction (CSAT) is ~97%
Net Promoter Score in the "great" to "excellent" range
Customer Case Studies
Securing Cloud Workloads at Scale
One Console (K8s Agent + Linux Agent)
▪ Thousands of user endpoints...
▪ ...Hundreds of Linux VMs
▪ Intuitive hybrid cloud mgmt, no additional headcount
Max Agility
▪ Accelerating k8s, 100's of Linux builds daily
▪ Auto-deploy, scale K8s Sentinel
▪ GO FAST and SECURE
Cloud Runtime
▪ Info Services Enterprise needed to secure cloud VMs and EKS
▪ Easy deploy: ~1k agents in a couple of hours
▪ No kernel modules, max stability
Summary
Distributed Intelligence: scales people with edge-to-cloud AI
Purpose-Built for Enterprises: offers deep capabilities for demanding teams
Simplified Experience: consolidates controls to reduce complexity
Fast Threat Resolution: accelerates recovery to real time
Vigilance MDR
SOC Augmentation Service
Vigilance extends your in-house SOC expertise and provides a second set of eyes.
24/7 Global Coverage
Human Element, Human Service
Peace of Mind
Fewer Alerts, More Context
Thank You