What is our primary use case?
SentinelOne performs primary functions for our endpoint antivirus and anti-malware solutions. It's a centralized managed version of an antivirus product that gives real-time information on any kind of threat we might receive. It's very broad. It not only protects through signature defense, which is like what most common antivirus products do, but it also does behavioral which has been absolutely lifesaving here a couple of times.
It has saved our bacon more than once by detecting threats. It even detects zero-day threats because it detects them through their behavior. It doesn't need a signature. It actually keeps me busy with this and the insight into the agents that are installed. Our level of protection around here has never been this high.
By comparison, we're also running Windows Defender, which comes with Windows 10 operating systems. We collect that data through our SCCM and SentinelOne finds threats that are at a rate of 25:1 to 30:1. It's not even close. SentinelOne has made a tremendous difference in our ability to protect our endpoints and servers.
How has it helped my organization?
SentinelOne gives us a lot more insight into the endpoint for the agents that are installed there. I can actually see applications. We can see precisely anything that needs to be patched, something that is dangerously out of date, or a security vulnerability. I can get insight into all of that.
It gathers the data for anything that is related to the security of an endpoint. It has very configurable policies. We can make the agent as locked down as possible. It can be very intolerant or you can actually make it to where it's relatively loose, in which it warns you about everything but doesn't lock everything down on everything, which is the way we run our environment.
At our university, there is a lot of end-user freedom that you cannot curtail like you could in a corporate environment because people doing research tend to go to a variety of websites that they really shouldn't go to. It keeps me very busy but SentinelOne has proven so far to allow us to stay ahead of the game as opposed to playing catch up.
The agent communicates through to the console incessantly. It has some intelligence on the agent, but most of the time it's literally getting its instructions from the console. That has been extremely effective and very useful. The effect on the end-user experience is practically non-existent which makes it head and shoulders above other antivirus and anti-malware platforms.
SentinelOne does not impede our ability to do our work. It doesn't start to show latency. It doesn't take up a lot of extra memory or a lot of extra cycles. How it's able to do what it does on the endpoint, as powerfully as it does, without affecting the end-user experience is beyond me. It's a stroke of brilliance in their programming. Very seldom in security products do you get the best of both worlds. Usually, you have to give up convenience for security. But in this case, they go hand-in-hand. It's very impressive.
We have used the one-click automatic remediation and rollback for restoring an endpoint quite a few times. Its ability to mitigate a threat, whether you're deciding just to kill it, quarantine it, rollback, or just remediate, which change files back, is absolutely very easy, very intuitive, and very fast to get the job done. It's top-notch.
SentinelOne has dramatically reduced our mean time to repair. In many cases, if I have to remediate a threat, I can see the threat, confirm it is a true positive, and then I can send it to remediation. It takes roughly two minutes. Whereas, in prior times, we'd have to dispatch a technician to go out there. A lot of times, they could not remediate the threat because we didn't have the capabilities that this thing has. They'd have to fully re-image the machine, which is a two-hour deal to re-image the machine, copy the data back, and configure for the end-user. We took that job and took it from a two-hour job down to about two to three minutes. It's been a dramatic effect.
The automation SentinelOne offers has increased analyst's productivity. We have fewer people due to budget cuts which means we are wearing more hats. The efficiency of this particular product has enabled me to do that relatively seamlessly. It is a phenomenally efficient and useful product.
What is most valuable?
There is a feature that allows for deep visibility, which is interesting. You can actually research files. It also does threat hunting. It goes out and finds vulnerabilities before you actually have to deal with the vulnerability. But that is at an additional cost. It's something you get if you buy additional structure.
The best thing SentinelOne has done for us is that it gives us insight into the endpoints. We never had insight into lateral movement threats before. Once a threat known as Qbot gets on the network, it actually spreads throughout sub-networks quickly. SentinelOne has detected that and saved our bacon. We were able to get in there and stop the threat, lock it down, and prevent it from actually spreading through. It would have been 50 or 60 computers. It had spread through in a few minutes. We have a lot of HIPAA data and FERPA data that we need to keep protected.
In a situation where we had a Qbot that was caught by SentinelOne, it literally saved the university millions of dollars worth of privacy protection we would have to pay for. SentinelOne has made a big difference.
We use the storyline technology's ability to auto-correlate attack events and map them to MITRE ATT&CK tactics and techniques. When we get a warning, it comes up as a very nice dashboard-type screen we can go to. It gives a lot of information on the threat right away, including going to the storyline. You can actually trace it back to the actual file. You can see where the compromise happened, the exact steps that happened, and what happened from thereon.
It's almost like a giant flow chart. It shows you where everything's going, what affected what, what was changed, what was modified, and it also gives you the opportunity at that time to actually do a rollback which allows you to roll back all of those things that were affected and changed at that particular point in time by the threat.
The storyline automatically assembles a PID tree. I use it more for my own purposes just to see where things came from and the damage they'd done. But we don't actually make a lot of use of a lot of higher functions like that. When there's a problem, we're able to rectify the issue and get the end-user up and running again. We don't have the personnel we had before, which gives us the additional cycles to actually research a lot of these things and go through them and focus on that. We don't make a lot of use of this particular functionality.
The way SentinelOne displays the threat has been the greatest effect on our incident response. It tells you exactly what the threat is, where the threat originated, allows you to look it up quickly in places like VirusTotal and Recorded Future which are malware information sites. You can link the hash of the file directly to the sync without having to do a lot of copy and pasting. It actually knocks some time off of the research of a problem when you do that. It allows me to quickly determine whether the threat is true, or if it's a false positive. It's a pretty strict engine.
If something is relatively programmed sloppy, a lot of times it assumes that that is a threat and it will flag it as suspicious. It can be a little overzealous when it comes to that. In this industry, you'd rather have that than something being too lax. You can configure it so that even if it does see something that it doesn't like, it doesn't stop it automatically. It just alerts you. It doesn't hamper the end-user if you don't want it to do that. But it puts the onus on the administrator, in this case, me, to verify the threat and deal with the threat quickly, or mark it as a false positive. Then, when you do mark something as a false positive or as a threat, it has a backend database.
The machine learning is very impressive. Once I actually start to configure the machine learning, my day-to-day administration of it, roughly four hours, shrinks down to three hours, then two hours and an hour and a half, because the amount of machine learning involved saves us all that time. That's been its biggest improvement for me. It allows me to be very efficient with my time. It learns our environment, actually stops threats before they get there, and ignores the false positives without having to come up and bother you every time, then ask for input for it.
SentinelOne has dramatically decreased my incident response time.
We've used the deep visibility feature a few times. We don't make a lot of use out of it. We were using the deep visibility feature to search through our entire environment. There was a particular piece of software that was being flagged as not being used in its appropriate manner. It was being used as an enterprise service and it really wasn't. We were able to use the agents on SentinelOne and use its deep visibility to find the particular program and obtain its hash from there. Then, we were able to use the SentinelOne agent to extract this particular program on there, so we were no longer operating something out of license. That's what we've used deep visibility for.
Deep visibility is very useful. If I had to simplify it, I would say if you know the threat you're looking for, it's fantastic.
Using the deep visibility, we did not find threats that were lingering on our endpoints, because the SentinelOne agent had dealt with them. We used it for a purpose that it probably was not intended for, which was actually finding specific software that was not supposed to be installed in our environment.
SentinelOne provides equal protection across Windows, Linux, and Mac OS. This particular product has worked so well that we mandated it across all workstations and all servers in our environment. It is our primary endpoint defense across all three of those operating system platforms. It has proven to be equally effective amongst all three. It did such a good job that it is our frontline.
I find their version naming conventions interesting in the fact that it's not just a number so it does help to recall some things when it comes to what version you are on. Anytime I open a support ticket, they always ask me what version of the console I'm on. I always have to look that up. I never remember that because this particular Liberty version has changed four or five times over the last month and a half.
What needs improvement?
They have tiers of support like most companies do. For the first three years, we had the top tier of their support and we would get a response from a technician quickly. We didn't have many things we had to ask of them. They would be very quick. We are now one tier down from that. The SLA for us is no longer within an hour or two. It's within half a day or something like that. As far as if I do ask a question of them, it is a little slower than what it used to be. I understand that we're at a lesser tier, but sometimes it feels like that could be a little better. I have to preface that by specifying that we're no longer paying for their top tier support.
They changed the UI a little bit which is to be expected but there are times where I actually preferred the older UI. The newer UI, once I got used to it, was fine. But before, when we would launch into the UI, it went straight to the bread and butter. In this case, it goes to a dashboard, which gives some statistics on the attack surface, endpoint connection status, and stuff, which looks nice. It's a lot of nice bar graphs. It's a lot of nice pie charts. But that's not what I really need. I had to configure it to get it somewhat back to what it was. I wanted to know immediately if there any threats that are incoming. I actually had to add that. I think the new dashboard has a lot of bells and whistles but I don't need it. We used to have to dig in to get this kind of stuff and that's exactly what I prefer it to be. The dashboard, in my particular case, has to tell me where the threat is, how severe the threat is, and let me remediate it as quickly as possible. I don't want to fish through pie charts to find that.
I think they put this new dashboard in two versions ago. In their defense, it's a fully customizable dashboard. I was able to put back what I wanted. It seemed like that should be a default, not something I have to add later.
For how long have I used the solution?
I have been working with SentinelOne since 2017.
My primary function is endpoint security and administration of SentinelOne and the other applications that go with that particular function.
What do I think about the stability of the solution?
The baseline, the agents, the console, and its primary functions are always steady. Those have never been compromised by any of their patching or updating. That has been really good. In our case, we still have some Windows 7 devices in our environment because they're older. They run a very specific piece of software that's not been upgraded, and by watching money, they don't want to upgrade certain pieces of software, specific labs, or things like that. They don't support their older clients past a certain date, which makes perfect sense. However, the agent doesn't just stop working. It still does its job. It loses some of its functionality, but it still does the primary job of protecting the endpoint. That's one thing I do like. Even if you do go out of date on something on an agent version because you're limited by the operating system, it doesn't just die. It still does its job.
What do I think about the scalability of the solution?
We have a 100% adoption rate. We've used all of our licenses. But we are trying to get more licenses so that we can cover our labs and other places like that. We did not have the budget at the time to cover everything we wanted to cover.
We do have plans to increase usage. It's done a fantastic job. And so every time we can, we do add more licenses to it with the end goal of actually covering not only our faculty, staff, and workstations, but also all of our labs.
There are 1,823 users online right now out of 2,750. In addition to myself, there are three other individuals who have administrative privileges and there are other members of the security department in the event I'm not here or I'm on vacation, they can fill in that role. Our IT assistant manager has read access to it so he can see in there, access the API, and can actually incorporate SentinelOne data into ServiceNow. SentinelOne has a very robust API, so if you're into programming or integrating it into other systems, you can do that.
It has phenomenal scalability. It can be used as just a small business or it can operate on hundreds of thousands of devices in a single enterprise.
We don't lose any functionality by its scaling at all.
How are customer service and technical support?
Support has been knowledgeable and well thought out. I don't feel like I'm getting a copy and paste. The technician interacts with me. The more data I can give them, the more they get back. I feel like someone's really putting time in to fix it, and they want to get the job done right the first time. I've never had to go back to them for the same problem.
Their sales rep and sales engineer usually assign two people to your case. One's your actual salesman and the other salesman is your technical salesman, the guy who answers the tech questions. They have been very involved. When it comes to deploying this, they help get the packages created and figure things out. They point you in the right direction. I can reach out to them directly. They have gotten back to me quickly and are very thorough. Their customer support from a salesperson to help desk individuals or whoever you're reaching out to remotely has been top-notch. They've always been professional. They have always been quick and they've always done the best job they possibly could for you. I can't say enough about them, they have been very impressive.
The previous tier is slower than what they are at now. With the service level agreement that we have, they need to get us an answer within around six hours but before they would answer within one hour. They've always been ahead of that curve, but it is a little noticeably slower than it was. That's because we're not paying them for that level of service. We can't really expect them to do anything more than that.
Which solution did I use previously and why did I switch?
The previous solution we used was the Windows System Center Endpoint Protection, which is a part of the Microsoft Active Directory. It's a solution that's packaged with all the Windows products. It has a centralized means of communicating back when it detects an error. However, it was woefully inadequate. We had no idea how bad that was until we tried SentinelOne. We had no idea how teetering our environment was on the threats of viruses until we actually had the insight that we did through SentinelOne.
We switched because we knew the product. We knew what we were using. We were getting to the point where we knew that our current solution was inadequate. We started looking around. We looked at Red Hat, Cylance, and a couple of other ones. We looked at these vendors of these products to gain greater insight. We knew we had to spend the money to get what we needed to get. SentinelOne was brand new at the time and we decided to give them a shot. The Chief Information Security Officer had gone to a conference and was interested. SentinelOne came in, made their pitch, we went through some examples and some tests, and they let us do a proof of concept.
I was around a day and a half into the proof of concept and I was sold. It was an unbelievably effective product so we decided to go with it. Within a month of that, we had another level of agents out there. We were covering the bulk of the machines we needed to cover and we have not looked back since. It's been one of the few things that we have done here that we have never second-guessed.
When we looked at the solutions, Cylance had similar capabilities as far as having a behavioral engine and a static engine, but the difference was the usability of the interface. SentinelOne's interface is phenomenally well laid out, easy to do, and very efficient. The other products we looked at were nowhere near as efficient on the user interface side.
We didn't test them thoroughly enough to find out if there was something that got through on SentinelOne that didn't get through on the other solutions. I don't know how it does it this quickly, but in addition to its own engine and its own ability to check through behavior, it actually references VirusTotal. VirusTotal is a website of centralized virus information. Even if their engine were somehow not detected, it checks the threat against VirusTotal and if any other engine out there has detected that threat, it flags it. It actually uses the intelligence of the other anti-malware products. It does it quickly. I have no idea how it does it that quickly, but it's impressive.
How was the initial setup?
We went with cloud-based instead of on-prem. Going cloud-based was pretty easy. The most difficult thing we had to do was deploy the agent. They don't have any means of deploying the agent. You have to use either your Shoe Leather Express, you have to go walk around and deploy it. And in our case, we use our active directory network, we used SCCM to push it out to departments in that manner.
One thing that would be nice is if they had a means of deploying their agent. For example, a long time ago, on a different network of a different company, they wanted some help, and I helped them install a Sophos antivirus solution. Sophos had a means of emailing. You can email people and they could click on a link, which would download and install the agent for them, which was nice. Now, we depend on the end-user to do their part of the job which is risky. But one thing about SentinelOne is that I can upgrade agents all day long, but I can't deploy an agent to a machine that doesn't have one on there. There's no means of doing that. I wouldn't expect them to have that in there necessarily, but I think it would be a fantastic ability if they could do that.
I actually like their agent. As a matter of fact, it's required. I don't see how they'd be able to pull it off otherwise to do what it does. My point is, if a computer did not have SentinelOne on it and they were to run into a problem, for example, if we had a device that's not on our active directory network and we wanted them to deploy SentinelOne on it, the only way for me to do that is literally to run the user down, find them, or find their device and install it manually. It would be really nice if there would be a means to deploy it to an endpoint.
We have 2,750 licenses, and I was able to deploy it to 2,750 devices quickly. If you have a deployment mechanism like using your domain or your network, you can actually just say, "Please put it on these devices." You can create an installer package and it talks back to the console and that's it. It's super easy.
Our deployment took close to six months, not because of SentinelOne but because of internal politics.
Because SentinelOne was a new product and anytime you install anything new here, it has to go through committees to install things, we targeted our most high valuable departments first, the ones with the protected data and also administrative offices, like the president of offices and HR. We tested it in our department first and once the rest of the university saw that our computers didn't go up in flames, they began to relax about it. Then, we went to our high priority departments, our Chief Information Security Officer got behind it 100% and pushed the issue, which allowed us to go full force on it after we got through the initial departments. We got it in there, we tested it in our environment, created the packages for it, and tested it in our department for a month. Over the next four months, I rolled it out to individual departments in groups.
What about the implementation team?
We did the deployment ourselves. We only needed one guy to do all those things centrally, which was nice. I was the primary person responsible for the deployment. I would occasionally enlist some help with my coworkers, specifically when we were initially deploying it to go over and test it on some machines. Once we got past the initial deployment, it was just me.
In terms of maintenance, it is no more than a mouse click away. I can upgrade agents in batches, which I normally do, and they are very aggressive about creating new agent versions. The agent versions actually contained more capability. Right now the agents are extremely powerful. I can update every agent here at once, all I have to do is select them and deploy the agent to them. It's very easy.
What was our ROI?
SentinelOne has paid for itself more than once because of the threats it stops. It allows central management, the end-user does not have to interact with the antivirus at all. They will get a warning that says, "Hey, you went somewhere risky," but it's all centrally managed. We don't have to dispatch a technician to go out and try to clean something. I can literally clean it right here from the console. It actually has full rollback capability. If you have ransomware that goes and encrypts an entire hard drive, the way the SentinelOne works on a Windows machine is so that I can hit a rollback command and I can roll the thing back before the thing got there and actually defeat ransomware for that.
It's been night and day for what my job was previous to having this solution.
What's my experience with pricing, setup cost, and licensing?
They were very good about finding a price that could work for us. I'm not the bean counter, so I don't know exactly what the end cost was, but I do know that we got them at a time of the most financial stress we had been under and they found a way to make it work for us. It was a three-year contract and everyone fully expected the price to take a significant jump because the capabilities of the solution had been significantly increased with no additional costs. We expected it to maybe even be priced out and they did not. It went up a slight bit, which you can expect, but they worked with us. We were one of the first companies to go with them here, in Ohio. They have a lot of respect for their loyal customers. They worked with us and allowed us to keep this high-level product and actually add more licenses to it without breaking our bank.
In terms of additional costs, they've added something called Ranger and another layer of deep visibility. The base console doesn't come with that. Ranger is threat hunting and we were able to use the Ranger and the visibility, which is the threat hunting and of course the deep visibility and more in-depth storyline. We were able to use that, but we hardly ever needed that for our environment and the way we use the product. Because of that, we did not opt to have those in our current console.
We do more threat response than hunting. We put the latest and greatest agent out there and it's backed by this particular product but we just simply don't have the personnel to do it like we used to. That's the one thing we're missing. If you were to add the deep visibility and the threat hunting capability onto it, it would be a little bit more. I don't think it's that much of a significant cost, but I don't know the end results of the prices. Because we didn't make use of those two functionalities, they just cut it out.
What other advice do I have?
I could not recommend SentinelOne highly enough. The one thing about this product is something I very seldom say when it comes to almost anything in life, sadly, is that I trust it. I trust this program to be well taken care of on the backend. I trust this program to do its job on the frontend. I trust the endpoint and network security of our university to this product. I have no doubt that we're in good hands. It has proven itself with ransomware, proven itself with Qbot infections, proven itself with a multitude of end-users.
We had a pen tester on campus that was actively trying to hack things, doing penetration testing, and SentinelOne stops him every time. Every time he got to the machine with SentinelOne on, it stopped him dead in his tracks. The pen tester said, "Your endpoint solution here is fantastic". This is a trained white-hat hacker trying to break through and he couldn't do it. We gave him a foothold, an account, and all kinds of stuff. We opened the door for him to see how far he could get. He was able to get in on machines that did not have this level of protection. He was able to get to devices, create administrative users, elevate privileges. You name it, he can do it. Once he got to a machine with SentinelOne on it, it stopped him.
They didn't tell me we were pen-testing. Suddenly I was seeing lateral movement and all kinds of things on the network and I ran this guy down just to find out we hired him to go do this. I thought we had a hacker on-premises.
I would recommend that anybody who uses this product also interacts with other people who have it. Another university was the first university that had it near us and then we got it. They were a big help to us, as far as answering questions about the deployment. They told us about a couple of little headaches to watch out for. It had nothing to do with SentinelOne, but how Microsoft servers operate. So we were able to save ourselves a lot of time by interfacing with the network of users of this particular program.
What I've learned with a product of this caliber is how efficient one person can be. I don't think you're going to find many places where you have primarily one person safeguarding the endpoint solution of an entire university. The good news is that because everything is the way it's set up, the way it's configured, and the machine intelligence that I've added over the last three years, if I'm not here and someone else steps in front of it, it can run itself in many ways. I've learned that if you find the right product, you can become incredibly efficient.
I'd give SentinelOne a ten out of ten. I'd give it higher than that if I could. I've actually done calls where they've called me and had me speak to the salesman, we had a really good working relationship. He had me call and speak to people who he's actually trying to sell the product to. I think I've sold half a dozen of these things for him, but I can't recommend it enough. I believe in SentinelOne wholeheartedly.
Which deployment model are you using for this solution?