The SentinelOne Endpoint Protection Platform

Transcription

1 Enterprise Strategy Group Getting to the bigger truth. SOLUTION SHOWCASE The SentinelOne Endpoint Protection Platform Date: September 2015 Author: Jon Oltsik, Senior Principal Analyst; and Doug Cahill, Senior Analyst Abstract: The endpoint is a highly attractive entry point from which adversaries land and then move laterally across the network to the gain access to corporate data assets. The endpoint plays such a central role in the cyber kill chain (from delivery to exploitation and installation of malware) that organizations of all sizes have a strategic imperative to deploy effective security controls protecting against both known and unknown threats. To date, this has necessitated the use of multiple endpoint security solutions resulting in agent bloat impacting system performance and increasing operational cost. SentinelOne can help address emerging endpoint security requirements by eliminating the need for traditional antivirus and providing advanced detection and prevention in a single-agent solution. Overview There are a number of reasons why the endpoint is all too often the attack vector of choice, most notably human vulnerability (i.e., gullibility) that can be exploited by a variety of methods including spear phishing, drive-by downloads, malvertising, and more. The fact that today s endpoints are mobile, frequently outside of the corporate firewall, and connected to various public networks make them highly susceptible to attacks. To compound matters, by the nature of their usage, endpoints drift regularly from a standard (i.e., secure) configuration and often host outdated, vulnerable applications. Multiple Endpoint Security Agents Impact System Performance and Operational Cost The cat and mouse game that starts with the constant barrage of zero-day malware and exploits and ends with the need to repeatedly update antivirus (AV) signature files for the latest threats is a daily operational burden for IT. One-third of cybersecurity professionals surveyed by ESG indicated that signature-based AV can be ineffective against today s more sophisticated, dynamic attacks, so organizations typically need to deploy additional security controls at the endpoint, further increasing operational cost and complexity. 1 ESG s endpoint security research also found that 62% of the 340 respondents reported having two to three security agents already deployed on endpoints (see Figure 1). 1 Source: ESG Research Report, The Endpoint Security Paradox, January All ESG research references and charts in this solution showcase have been taken from this research report. This ESG Solution Showcase was commissioned by SentinelOne and is distributed under license from ESG.

2 Solution Showcase: The SentinelOne Endpoint Protection Platform 2 FIGURE 1. Approximate Number of Security Agents Deployed on a Typical Endpoint On average, approximately how many security agents (i.e., security software installed on an endpoint system that works autonomously and continuously to align endpoint activities with a particular security software function) are installed on a typical endpoint? (Percent of respondents, N=340) 35% 30% 31% 31% 25% 20% 20% 15% 10% 8% 7% 5% 0% More than 5 Don t know 0% 1% Absent a single-agent solution to protect against both known and unknown malware, organizations have also had to pay a performance penalty that is inherent in legacy AV. These first-generation antivirus solutions employ a heavy file system scanner to match bit patterns in executables to signature entries, consuming valuable CPU cycles and memory space, and creating occasional contention for file system reads and writes. Performance degradation is exacerbated in virtualized environments, such as virtual desktop infrastructure (VDI), where file system scanning results in AV storms saturating shared hardware resources. Indeed, according to the aforementioned research, nearly half (48%) of the respondent organizations report that antivirus products adversely impact system performance. Agent fatigue is not only a performance concern, but also one of system integrity because the need to trap I/O and shim the file system can lead to incompatibilities between endpoint agents that can destabilize systems. Additional complexity is incurred by having to swivel chair between multiple management consoles, which requires that IT develop and maintain a knowledge base for multiple endpoint security products. These factors, along with managing procurement and technical support relationships with multiple vendors, contribute to increasing operational complexity and degrading system performance. Cybersecurity Professionals Want a Single Endpoint Security Solution To date, organizations faced a Faustian compromise with endpoint security. To mitigate risk, security professionals were forced to install several endpoint security tools on each system and then live with higher cost and operational complexity. Ideally, CISOs would love to address endpoint security with a single comprehensive solution. In fact, the aforementioned ESG research found that 58% of the 340 respondents indicated they want a comprehensive endpoint security solution from a single vendor (see Figure 2).

3 Solution Showcase: The SentinelOne Endpoint Protection Platform 3 FIGURE 2. Type of Endpoint Security Technology Approaches Most Attractive to Organizations As new endpoint security requirements arise and your organization considers new endpoint security controls and analytics, which of the following choices do you think would be most attractive to your organization? (Percent of respondents, N=340) A portfolio of endpoint security products from various vendors that establish technical partnerships to integrate their products together into a heterogeneous endpoint security suite, 8% Don t know, 1% An assortment of endpoint security technologies from various vendors, enabling my organization to choose best-of-breed products in each category, 33% A comprehensive endpoint security software suite from a single vendor, 58% More specifically, the two most-cited desired features in a comprehensive endpoint security product suite were advanced malware detection functionality and endpoint forensics. To complete the threat lifecycle and expedite reverting to a known-good system state, a notable 76% of the organizations responded that remediation and recovery functionality is a very important feature of an endpoint security suite. There is a strong appetite in today s market for a solution that detects and prevents known as well as new and unknown threats while also providing endpoint forensics and employing remediation steps to lower overall cost of ownership. Solution: SentinelOne Endpoint Protection Platform The complexities of securing today s multi-device, mobile workforce against advanced threats requires a solution that is not only comprehensive in its feature set, but also operationally efficient to deploy and manage. These new requirements are opening the endpoint security market to new types of comprehensive solutions from vendors like SentinelOne. Unlike other add-on endpoint security tools, SentinelOne can be seen as a one-stop-shop because it can eliminate the need for signature-based AV. In fact, AV-TEST, a leading independent antivirus research institute, awarded SentinelOne EPP its Approved Corporate Endpoint Protection certificate, answering a long-standing question about whether a behavioralbased approach can be effective in detecting both known and unknown malware. This certification indicates that SentinelOne EPP can replace traditional, signature-based antivirus while also providing the advanced threat detection capabilities to address new and unknown dynamic malware and exploits without adding additional performance overhead. SentinelOne s Endpoint Protection Platform employs a prescriptive, multistep methodology as the basis for its definition of next generation endpoint protection, which maps well to the threat lifecycle (see Figure 3).

4 Solution Showcase: The SentinelOne Endpoint Protection Platform 4 FIGURE 3. SentinelOne EPP Next Generation Endpoint Security Methodology Prevention utilizes cloud reputation services to reduce the attack surface across a wide array of endpoint devices by detecting and blocking known threats Detection uses anti-exploitation and dynamic behavioral analysis to inspect execution context protecting vulnerable applications and users from being compromised. Mitigation quarantines infected files and systems to contain the threat. Remediation for the ability to restores machines back to the state prior to malware execution eliminating the need to re-image infected systems. Endpoint Forensics provides audit-trail markers from attacks for real-time and root-cause analysis and to fortify against future threats. Aside from defense-in-depth, SentinelOne also aligns with today s IT infrastructure as it provides: Effective Use of the Cloud. The cloud is well suited to serve as both the control plane for management functionality and a delivery vehicle for threat intelligence. SentinelOne EPP offers flexible deployment options including an onpremises management server and a cloud-hosted service providing anywhere, anytime management, eliminating the need for customers to deploy and manage their own management server. The cloud is also utilized to aggregate and disseminate threat intelligence, allowing all SentinelOne EPP customers to benefit from real-time updates across the SentinelOne user base. Broad Platform Support. With Macs becoming more common in the enterprise, support for OS X is becoming a requirement for many organizations. In addition to Windows, SentinelOne EPP supports OS X, as well as Android devices, providing device coverage across the endpoint attack surface area. EPP also supports a variety of virtual environments and has ios and Linux support in the queue, an increasingly relevant operating system due to the increase of Linux server deployments. Strength via Integrations. Today s threat landscape requires organizations to employ a defense-in-depth strategy from endpoint to data center and cloud. Disparate security technologies must be integrated via standard interfaces to coordinate and expedite detection and response across an organization s infrastructure. SentinelOne EPP meets this requirement by integrating with a number of devices for example, network security appliances and SIEM servers via industry standards such as STIX, OpenIOC, and CEF formats. The Bigger Truth Endpoint security used to simply mean antivirus, but the landscape fundamentally changed with the proliferation of malware and the advent of advanced persistent threats (APTs), which revealed an attack pattern of exploiting the endpoint to install stealthy dropper code undetected by AV. This foothold on the endpoint proved effective for hackers as a means

5 Solution Showcase: The SentinelOne Endpoint Protection Platform 5 to lay the groundwork for a broader attack. Companies with a forward-leaning security posture initially tended to favor placing advanced controls on the network to detect these sophisticated threats. The continuation of similar breaches highlighted the need for advanced controls at the point of infection: the endpoint. Out of necessity, companies responded by deploying advanced endpoint threat detection products in addition to their antivirus products, having no choice but to pay the associated performance and operational tax. As companies grapple with the overhead of managing multiple endpoint security tools, there is a clear requirement for a solution that is both effective and operationally efficient. Based on the validation provided by AV-TEST, its comprehensive features based on a prescriptive methodology, and its modern implementation, SentinelOne is designed to meet today s set of endpoint security requirements. CISOs looking for a onestop-shop, next generation endpoint security solution may want to research, evaluate, and test SentinelOne s offering. All trademark names are property of their respective companies. Information contained in this publication has been obtained by sources The Enterprise Strategy Group (ESG) considers to be reliable but is not warranted by ESG. This publication may contain opinions of ESG, which are subject to change. This publication is copyrighted by The Enterprise Strategy Group, Inc. Any reproduction or redistribution of this publication, in whole or in part, whether in hard-copy format, electronically, or otherwise to persons not authorized to receive it, without the express consent of The Enterprise Strategy Group, Inc., is in violation of U.S. copyright law and will be subject to an action for civil damages and, if applicable, criminal prosecution. Should you have any questions, please contact ESG Client Relations at Enterprise Strategy Group is an IT analyst, research, validation, and strategy firm that provides actionable insight and intelligence to the global IT community by The Enterprise contact@esg-global.com Strategy Group, Inc. All Rights Reserved. P