What is our primary use case?
We are a company with several types of PC users. Our office ranges from marketing to sales, and we also have people who are remote on laptops all over the world, as well as an R&D department. Those people use PCs in different ways.
We wanted a platform that has ways of dealing with various kinds of users, but we also wanted a central management so we could overview the state of all our endpoints with one view.
We use the central cloud interface to manage all our endpoints.
We only use it on Windows machines.
How has it helped my organization?
It delivers the type of security which we were hoping for, since we have a lot of different endpoint users utilizing different types of software. We have people who only use Office software, like email, Word, and PDFs. Then, we have people who use some applications that other people wrote. We also write applications in-house using people who develop software. Therefore, we have some machines using very high-end developer software for mechanical development, electronic development, and software development. Those users are used to managing their PC on their own. The centralize platform allows us to differentiate between those three groups of people. We have overall control and can oversee the security levels at all the endpoints. They have not yet been blocked in any way when performing the functions.
I have one instance where we had a trigger of an attack. Luckily, it appeared to be in an unregistered program created a lot of threats by renaming files. This was something that the employer developed by his own. This was an unknown program that generated a lot of threats to very quickly rename a thousand files. However, it was not an actual attack, but the behavior of that program was such that the AI protection of SentinelOne kicked in and alarmed us of a possible attack. One of our employees created a program just for his benefit. It had exactly the same behavior as a ransomware attack would have had, then it kicked in. This is why I'm confident that SentinelOne will also detect real ransomware actions. That is the only one instance where I encountered the Behavior AI software kicking in.
We haven't had any real attacks over the last year. We did have some intrusions mainly from suspicious files that people were getting via their browser and some attachments that I tried to open with double extensions. Luckily, in the last year, we haven't had any actual attacks.
The effectiveness of the solution’s distributed intelligence at the endpoint is 100 percent. We haven't had any incidents break through. We only see a very small reduction in PC performance.
What is most valuable?
The main reasons that we use SentinelOne are the antivirus and Behavioral AI protections. We have this solution centrally managed to see what endpoints are active, along with the latest software protection running. It also provides us external control, so we can block machines remotely, even if they are in another country, because we have account managers all over the world. All these features together protect us against strange behavioral programs.
SentinelOne's one-click, automatic remediation and rollback for restoring an endpoint is very handy. We had some issues with programs that were unknown by SentinelOne, then marked as suspicious and quarantined, because we also develop software ourselves and have software packages that were compiled in 1995 and don't conform to the normal rules. SentinelOne always marks those packages as suspicious because they do something different than they should when you compile them with current libraries of Windows, etc. Therefore, we had some interventions of SentinelOne where you can easily whitelist them and rollback the quarantine action so people who use those old-fashioned programs could easily continue with their work.
This was only an issue during the first month when we rolled out the software, then it starts doing scans mainly on the R&D PCs, which was our great concern. Normal office use is fairly straightforward, but when you develop software (and we also develop software to communicate with our embedded systems), then the demands are a bit different. However, until now, we have been very happy with it.
What needs improvement?
We have had one or two occasions when we had to roll back off our Windows machine. Then, we had an issue with SentinelOne where we couldn't let the client make contact with the cloud service anymore. Therefore, the integration with the Windows Service Recovery could be improved in the future.
For how long have I used the solution?
We have been using it for about a year now. We rolled it out in December 2019.
What do I think about the stability of the solution?
All the endpoints are running without problems. It is very stable. We have deployed several versions of agents. I haven't encountered any issues, apart from when that rollback occurred, and the SentinelOne agents were locked out of the cloud platform, and the only way to retrieve that was by installing it again by hand.
Up until now, SentinelOne's effectiveness has been 100 percent.
What do I think about the scalability of the solution?
We are a relatively small company with about 80 employees. Most things are offsite. We do not use automated things very much.
There are four users from the admin side.
Together with another colleague, we chose SentinelOne, then tested and deployed it. A few other colleagues have monitoring views in SentinelOne, e.g., if a site has to be whitelisted.
How are customer service and technical support?
I had one issue that I brought up with customer support. They delivered a solution in about two hours. It was related to the issue with the agent. I just issued an email, and in about an hour, the problem was solved. I was delivered a good solution: an uninstalling procedure and how to go about it. That's the only thing that we needed it, and the only time we needed the technical support.
Which solution did I use previously and why did I switch?
Before this solution, we used McAfee, which was not enough for our use. Then, SentinelOne came into the picture. It not only had static virus checking (antivirus), but it also had the Behavioral AI features, like triggers, that we could investigate.
The McAfee solution that we had was more demanding, more expensive, and had less functionality. Three to four years ago, we had an incident with ransomware, and it wasn't detected at the time by the McAfee on all the points. There were two points that were affected. Since it wasn't noticed by the McAfee. we were considering other software solutions from that point on.
SentinelOne offered a good solution, which is the main reason that we went with them. It was easy to manage, although we didn't use McAfee the way we use SentinelOne right now. McAfee was incorporated in our company about 20 years ago, so we probably didn't use all the facilities that McAfee can offer now.
SentinelOne made us a good offer, especially regarding the Behavioral AI aspect of the protection. Therefore, we just wanted to see what they could offer us. After a year, we are still very satisfied.
SentinelOne had a smaller footprint, both in resources and time-wise, as in load, than the McAfee solution that we had previously.
How was the initial setup?
The initial setup was fairly straightforward. It was very easy to start up. You didn't have to go into a lot of documentation to roll it out. We used the management from the central platform, not our own central platform on-premise, and did it on the cloud version. This way, it could be delivered and updated remotely.
The deployment took a week. We deployed it to about 90 endpoints.
What about the implementation team?
We just had a discussion with the SentinelOne service provider onsite. He gave a revision of how SentinelOne should be deployed along with some examples. Before we deployed it to the entire company, we had a testing time of about two months.
What was our ROI?
SentinelOne has reduced incident response time. The two main pillars that SentinelOne helps us with:
- Central management: I can ensure management that if there is a breach all the machines and endpoints are up-to-date and protected.
- SentinelOne allows us to switch off an endpoint remotely, which we could do previously. Most people are on-premises, but there are 15 to 20 people all over the world with laptops connected everywhere.
It saves a few hours a week for one person, because you can see the statuses of all the machines in one place.
What's my experience with pricing, setup cost, and licensing?
It was cheaper than McAfee, which was a way to convince management to go with the solution.
What other advice do I have?
At the moment, we are very pleased with the solution.
We saw the Storyline technology briefly. However, the Storyline is only when you have actual attacks, and they are not caught in the beginning. Most of our attacks were caught just by static recognition of the files, so there was no story because the file was not allowed to activate. In the beginning, we did some fake file checks in an enclosed surrounding and in a CM setup, which is how I saw the Storyline facilities, but we don't use it.
I would rate this solution as a nine (out of 10).
Which deployment model are you using for this solution?
If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?