What is our primary use case?
We are a relatively smaller organization of roughly 250 people. We utilize SentinelOne for patch management, vulnerability assessments, and remediation. So whenever one of our users has an issue on their machine, we get an immediate notification to let us know what that intrusion, infection, malware, whatever it might be, where it is, what file may have caused it, and then we can immediately take action.
There are also default settings for ensuring the software that SentinelOne installs on all our client machines. The latest agent is up to date everywhere. They have a couple more insights, however, that's our main use case.
The big thing for us was just having optics on vulnerabilities, being able to ensure that we have a secure way to get month-over-month assessments of our security stats, and ensuring that there's something in place that can make sure that we're secure. We also wanted something that could keep up with current demands without having any sort of interference or impact on the user's end.
How has it helped my organization?
The biggest thing for us is the level of minimal intrusion on our user's experience. The previous EDR we were using, Sophos, was not ideal. Whenever an update came out, there would be different things that were affected. At one point, an update from Sophos had completely disabled public Wi-Fi for our users. And when dealing through their message boards, dealing with their support, they, unfortunately, did not have a resolution other than disabling security elements of their software. With SentinelOne, we have not seen a single instance of that. You can get down to the user level of tweaking different elements of their security system. You can even quickly add exclusions based on rules. Being able to tailor to our users and making sure that our users don't feel like something is running on their machine is the biggest advantage.
What is most valuable?
The remote shell and the remediation are the two that really stand out as valuable features. The remote shell function that it offers is something that I use almost daily. It allows us to quietly and discreetly sign in on a user's computer, but only as admin. It prevents any sort of security issues or security risks to a user, which would be probably our favorite.
The remediation is really nice as it gives a very clear understanding of where a file came from. For example, in our use of it, there are a couple of files that we had that we didn't even know that we had. There was software that no one was aware was installed on these machines more than three years ago; we actually learned about that software once SentinelOne was installed. The level of optics it gives you is just incredible.
With that software, as soon as we installed SentinelOne, there were a couple of different applications and software that were immediately flagged as tracking user information and things like that. We found out that there was actually some sort of remote surveillance software that the past iteration of the IT team had installed and tested that just never got removed. We ended up tracking down the vendor for that and getting their assurance that that was no longer being used.
The real-time detection and response capabilities overall are great. I've never used anything that was as fast as this. The software that we used to use, Sophos, was comparable, however, it had a noticeable impact on the user. The bigger thing for me is that there isn't an impact on my end users. When we are actually running a scan, let's say, if we find that there's an impact, it's very quick. We've tested it by throwing malicious software onto our test machines just to see how quickly SentinelOne actually picks it up. And it's literally within seconds. When you actually do a scan, you can scan your higher fleet, and it's done relatively quickly as long as those machines are powered on. And it will act the second that those machines power on and connect to the Internet again to get that signal. I've never used anything as quick, personally.
The forensic visibility into the Linux terminal is not something we use as we actually don't use any Linux machines ourselves, so I couldn't speak to that. As far as visibility goes, we're primarily a Mac organization, and we have ten percent of our users on PC. As far as Mac goes, the visibility is fantastic. Same with the PC side of things.
The historical data record, from what they had shown us in the demo, looks pretty incredible. We thankfully have not suffered an attack that required historical data.
In terms of our mean time to detect, I don't think we ever had it. Since we're a small organization, we haven't had any real issues with genuine malware attacks. I can't speak to a scenario where while we were on Sophos, we experienced one. When we've had security audits that have tried to pen test for us, we have not had any issues with SentinelOne whatsoever. Every time that we've attempted to see how accurate and how quickly it can detect an infection or intrusion, it's being caught immediately.
The same is true for mean time to remediate. Any remediation that we do, for example, as soon as we block off a file, the automatic remediations are nice. In the event that we want to have something behave differently on another machine, we can quickly change that once we see it in any incident log. Setting those permanent rules is very helpful since, if you know something's malicious, chances are you don't want it showing up anywhere else.
The product has helped free up your SOC staff to work on other projects or tasks. The work that we used to have to do with our previous provider in going through our vulnerability assessments on a monthly basis and in trying to track down the install path of different applications was a headache and a half. With SentinelOne, the application management, and vulnerability assessments, are easy. You can see directly to the file path. It cuts a significant enough time out of our day.
It's had a positive impact on our overall productivity. Being able to dig through and find applications faster has drastically cut down our vulnerability position. When we first started using Singularity, we were somewhere in the thousands. Within the first month of having used it for our vulnerability assessments, we were down to just 1600, and now we're sitting well under the 500 mark when it comes to critical vulnerabilities. It's been very drastic and exponential at that. Now, any time a vulnerability does pop up, it's very quick and easy for us to track down where it is and take immediate action.
The interoperability with third-party solutions is fine. We don't currently use Kubernetes in our organization, however, we do utilize a VPN and it has no issues with adapting to that VPN. We also utilize different storage, including cloud storage accounts. There are no issues there either.
They've been fantastic at supporting innovation. We've had their support; they're always very responsive and very quick to give us the right advice on how we can execute what we're looking to do. Making sure that you have access to the necessary system without interrupting your user and without your user feeling at risk of their privacy being invaded is huge.
What needs improvement?
Currently, we would have to export our vulnerability report to an .xlsx file, and review it in an Excel spreadsheet, and then we sort of compile a list from there. It would be cool if there was a way to actually toggle multiple applications for review and then see those file paths on multiple users rather than only one user at a time or only one application at a time.
For how long have I used the solution?
I've been using the solution for nine to ten months.
What do I think about the stability of the solution?
I've had no stability issues at all. We have not experienced any performance decreases.
What do I think about the scalability of the solution?
As far as deploying to more devices, there's not a problem with scaling at all. We've automated in our MDM so any device that we start in our MDM automatically installs SentinelOne, and those devices immediately show up. If we spin up a new device on Mac OS, it shows within the set the SentinelOne console within seconds.
How are customer service and support?
Their support has been fantastic. They are quick to respond.
I've never had an issue with their support. What little time I did have one scenario where it was not something that they could help with, they'd been able to provide us with all the articles and information necessary to act on it on our own, which is really all you can ask for.
How would you rate customer service and support?
Which solution did I use previously and why did I switch?
We were previously using Sophos. The biggest issue that we had with them was the fact that we were a fully remote company, so a lot of our users would be traveling for client meetings or even traveling abroad for client meetings. Reliance on a secure public WiFi solution is a very big deal for us. When it comes to users on a VPN, Sophos with MacOS's more recent updates would completely cut off Wi-Fi - which was very difficult for us to work around as a remote company. Thankfully, with multiple different tests in multiple different scenarios, we've never had that issue with SentinelOne.
The other big thing is the capability to remove a device from the network. In the event that a significant intrusion or malware, malware, ransomware, whatever it might be, is detected the ability to just isolate that one user from internet access is huge. You would hope that that's how an EDR would behave instead of completely removing all internet no matter what.
How was the initial setup?
The initial setup was pretty straightforward. Our organization uses Kagi MDM. And in using that MDM solution, it was very easy for us to just quickly put together an automated installer and deploy it.
We have multiple different groups of users, including PC and Mac. With the smaller percentage of PC users, we were able to just change the group ID in the installer, and that ensured that they were placed into the proper place for their groups. Being able to tweak and ensure that from the back end within the SentinelOne console, we could ensure that everything is set up the way we want it to be once that user gets that package installed, makes life a lot easier. You don't need to worry about signing on with a user and changing any of those settings. The installer package that they get is going to be everything that they need. Once that installs, that's it. It was very seamless. If anything, removing Sophos was the hardest part of the installation process.
We were able to deploy using a team of three people. Hypothetically, one person could do it alone as long as they are well versed in MDM.
As far as the application itself is concerned, there was no need for maintenance. You can control everything from the console. When there is a new agent to install you receive a notification when you log in to the management console. You can control when that update gets deployed to your organization. You can break it up into different groups within your organization. For ourselves, we always test on a smaller number of users. And then once we see stability, we deploy to the rest. That's what little maintenance is involved. It's a drastic improvement versus other solutions that I've used.
What about the implementation team?
We were able to do the initial setup completely in-house. We were able to do that on our own. We were able to very, very quickly deploy SentinelOne to pretty much our entire fleet.
What was our ROI?
Our ability to get in and review our vulnerability stance, whether daily, monthly, weekly, or whatever it might be, has drastically improved over our prior provider. Our users have less of a performance drain when attempting to use it. That's always huge when it comes to EDR. It pretty much checks every single box for us. It's the one software in our stack that we are happiest with.
What's my experience with pricing, setup cost, and licensing?
For us, the pricing is very fair. They were willing to meet our price point. With very little negotiation involved, we just let them know what we could pay and they were willing to meet us at slightly above what we paid with Sophos, which was still very fair for what we were looking at.
Which other solutions did I evaluate?
We reviewed quite a few solutions. The big selling point for this product was that they were willing to work with us on a price point as a smaller organization. That was a huge reason for us actually going with them. The fact that they were willing to work with us as far as the pricing goes was the main reason that we ended up going with them. It was nice to see that they work with the little teams.
What other advice do I have?
We're a customer and end-user.
We thought something as good as SentinelOne would be out of the question for an organization of our size. We assumed it would be something that's suited to larger organizations - money, obviously, being the main concern. However, the fact that they were willing to work with us changed that. Seeing that they're willing to work with smaller organizations is cool. I like that they actually give back to the tech sector that way.
I'd rate the stability ten out of ten.
I'd advise new users that they're going to need to invest a little bit of time upfront in order to make sure that their organization is set up for proper deployment. We probably spent about a week or two configuring everything and getting it to work the way we wanted. However, after that initial investment of time, the maintenance that you have to do is pretty minimal.
Which deployment model are you using for this solution?
Public Cloud
Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.