What is our primary use case?
We are mainly using it to replace a product we used before for antivirus. My specific use case for SentinelOne is threat hunting. I'm a security professional in our organization, doing offensive security. I do pen tests and analysis, and I'm hunting for intruders in our network. That's the context in which I'm using SentinelOne.
How has it helped my organization?
We're using two parts of SentinelOne right now. The first one is the antivirus and that has improved our company in that we have been able to find about 25 percent more malware on our machines than the old solution did, and that's remarkable because we are a bigger company and we used a big solution from a big player in the market. Finding 25 percent more is a really big increase.
In addition, previously we were not able to collect all the actions from our clients in the field, and search, systematically, through what they are doing and see if there is an intruder. It's the first time that is possible for us, with SentinelOne.
In terms of incident response time, it's too early to provide real numbers because we haven't finished the rollout around the world in our company. But from the trend I have seen, I would estimate we are saving about 20 percent in response time, compared to our old antivirus solution.
When talking about mean time to repair, our old solution had some problems on several clients, which resulted in having to completely restore the client. That is something we haven't had with SentinelOne, up until now. It's also difficult to estimate because we don't have it on every machine. The old product was on about 5,000 machines and I now have SentinelOne on 2,500 machines, so it's not a completely fair comparison. But if you need a number, it has also been reduced by 20 percent.
In addition, it has increased analyst productivity in our company. My main job is to analyze many of the malware threats and, again, penetration testing. But the connection to virus total is a very helpful thing and I am using it heavily. That reduces the payload I have to analyze manually and the amount of malware I have to execute in sandboxes. It has probably reduced my workload by about 50 percent. That's really great.
What is most valuable?
For me, the most valuable feature is the Deep Visibility. It gives you the ability to search all actions that were taken on a specific machine, like writing register keys, executing software, opening, reading, and writing files. All that stuff is available from the SentinelOne console. I'm able to see which software is permanent on a machine, and how that happened, whether by registry keys or writing it to a special folder on the machine. That's threat-handy. Deep Visibility has found threats we did not know were lingering on endpoints, but I am not allowed to speak further about this issue.
Because we are a bigger company, we are doing a step-by-step rollout. We don't have all countries fully in production, where "fully in production" means that SentinelOne is the only antivirus product on the machine. So in some countries we just have it reporting and not quarantining. For example, in China we have SentinelOne completely up and running, and there the Behavioral AI analysis is one of the reasons the antivirus is so effective. To be honest, we have to white-list some stuff which behaves weird but is really needed and not harmful to us.
The Behavioral AI recognizes novel and fileless attacks and responds in real-time and it does so really well. That is one of the things that has really brought us forward. It completely changes how we work with our antivirus solution. The previous product just gave us the information that the software had blocked something, while in SentinelOne we really see what was going on. We see the complete path of execution for a given malware: how it got on the machine and how it got executed. And then, SentinelOne stops it. It gets executed but then gets stopped, and that's something completely different from a pattern-based antivirus.
Another great benefit comes from the fact that SentinelOne doesn't rely on pattern updates. For some machines we have at customer sites, which are not reachable by internet or VPN, we have better protection than before because you don't need to update the SentinelOne agent every day to get the actual pattern from it. The Behavioral AI gives you protection even if you don't update the client. That's a great benefit for us at customer sites.
When it comes to the Storyline feature, as a penetration tester, I'm doing threat hunting. Every time malware gets executed on a machine, it's something I have to investigate. Normally we block it very early, on our proxy servers, for example, for all our users. Seeing how the malware got executed shows me the kinds of security holes we have are on our proxy servers. That's very important for strengthening some portions of our defense in other places.
What needs improvement?
The solution’s distributed intelligence at the endpoint is pretty effective, but from time to time I see that the agent is not getting the full execution history or command-line parameters. I would estimate the visibility into an endpoint is around 80 percent. There is 20 percent you don't see because, for some reason, the agents don't get all of the information.
Another area that could be improved is their handling of the updating of the agent. It is far from optimal. The agent changes often and about 5 percent of our machines can't be automatically updated to the newest agent. That means you have to manually uninstall the agent and install the new agent. That needs to be improved.
For how long have I used the solution?
I have been using SentinelOne for about a year. Because we have been using it for a long time, we have several versions in production but we tend to use the most recent. The version we are using mainly is 184.108.40.206.
What do I think about the stability of the solution?
We literally haven't hit a minute of downtime. It's pretty stable and I haven't even given its stability a thought.
What do I think about the scalability of the solution?
In the beginning, I saw that Deep Visibility was really fast. Then, with more and more agents reporting their daily work to the console at SentinelOne, I noticed a decrease of response time with the console. But what's really great is that they updated the console rapidly and the response time got better and better. Now I like the response time. There are ups and downs in the console response times, and in how fast the agents are reporting, but I have the feeling that SentinelOne monitors that and reacts if it gets too slow. Of course it's a trade off for SentinelOne between response times and costs. But right, it's more than we need.
In terms of expanding our usage, there's another very interesting product called Ranger. Right now we feel it's too expensive, but it might be interesting in the next two or three years. For now, we just want to finish our rollout.
How are customer service and technical support?
My overall experience with their technical support has been positive.
Which solution did I use previously and why did I switch?
SentinelOne does not provide equal protection across Windows, Linux, and Mac OS, but it's the first antivirus solution we have had in our company which provides any antivirus protection for all these very relevant operating systems. None of our previous antivirus solutions were on Linux and on Mac. That is really helpful for us because we have it all under one hood.
How was the initial setup?
This is the first time we have used an antivirus software as a service and it was the easiest set up I have ever had in my life, and I have been doing this stuff for many years. The console was set up by SentinelOne, literally in 20 minutes. The deployment of the agent took me five minutes for the first machines and they reported within those five minutes. That was the fastest ramp-up I've ever seen.
There are three IT security guys who are concerned with information security in our company. Normally I don't do antivirus stuff. My colleagues are information security officers as well and don't care about antivirus. But I got this project to roll it out it all over the world because I'm one of the technical guys who is capable of doing it. So strictly speaking, I'm doing it alone—one person for 5,500 computers. But at least we have people in every time zone who are capable of using the SentinelOne console, more or less. Altogether, there are six people in our company who actually access the solution, including me.
We had an implementation strategy. Because we had a major pain point in China, we started rolling it out there. Because it's in a completely different time zone and the people are completely different in their mindset, this was one of the critical areas for us. It worked like a charm. I installed 230 machines within five days, and then I recognized that SentinelOne was finding so much more than our old antivirus solution that I started to really do a rollout plan.
As part of that plan, we always install SentinelOne side-by-side with our old solution, and that works great. They say, "Don't ever have two antivirus solutions on one computer," but that's not true for SentinelOne. You can configure both and they work together. In the first step, SentinelOne is on the machine, just reporting to the console. That way, I see which software gets executed, software that SentinelOne might find problematic, and I do whitelisting or blacklisting, depending on the software. Once I don't get much software that I have to whitelist, I put the client into a kill and quarantine mode and every software gets removed automatically. Once the agent is in kill and Quarantine mode, the old antivirus solution is uninstalled. That's how we do it, country-by-country.
The time it took was affected by the Coronavirus. As a result of that, many of the machines were not onsite and many of the people weren't online, or were only on VPN. I don't distribute SentinelOne by VPN because people at home normally don't have a big bandwidth and I didn't want to stress it even more. I kept in mind that they were covered by our old solution, so there was no big need to really push it forward. But the 2,500 machines we have installed took six months.
SentinelOne gives their customers access to the SentinelOne API and that made it possible for me to write software for the deployment of SentinelOne. I'm speaking to the company to get permission to publish this software as open source. That might help many other companies that are facing the same problems I have in rolling it out all over the world.
What was our ROI?
It would be easier to calculate ROI if we had already rolled it out to every machine, because the number I have to compare it with is for the complete installation on all machines. My feelings say "Yes, we have seen ROI," but I don't really have good numbers that I could give you.
What's my experience with pricing, setup cost, and licensing?
There are no fees other than their standard licensing fees.
Which other solutions did I evaluate?
We compared five products. We had a matrix with weights and the requirements we needed from a new antivirus solution. We did three proofs of concept and SentinelOne won it easily.
It was difficult to compare them because we had one other product that worked with artificial intelligence as well, but with a completely different mechanism. We also had three traditional antivirus products based on patterns, and it was really difficult to compare the features of SentinelOne with the competitors. That was the reason we decided to do a POC.
What other advice do I have?
The biggest lesson I have learned is that SentinelOne is an antivirus product which gives you, on the one hand, all information you could dream of if you need to analyze software or malware, especially, on the machine. On the other hand, it's simple and fast and easy to use, and that's something I really appreciate.
We have been playing around with the solution's ActiveEDR technology, to get an idea of what is possible. We have not gotten so far that we use it for building KPIs and the like. But we have noticed it and it seems it could be a big game-changer for us, but I can't really provide much information on that topic.
While I really use Storyline right now, I'm the only one who does so in our company. I'm not sure if we will use it in our company on a large scale. That's the other side of this product. We don't have many people who are able to work with the information you get out of the module from SentinelOne.
We don't use the rollback feature, we just use quarantine right now. We haven't had any outbreak of cryptoware encrypting files. So as of now, we haven't needed it. That might change in the future.
I would rate SentinelOne a 10 out of 10, and I don't give 10s easily. I really love how simple and effective the product is. I really love the visibility it gives me into the endpoint. I really love that they open their product to the customer to enhance it with custom-made software, giving you the APIs to program it. Those are all things competitors don't have.
I really feel like the software has made my life easier. As I said before, my workload for malware analysis dropped by 50 percent. That's why I'm really thankful and really appreciate the product. I would say to everyone, at least give it a try. For our company, it really fits.
Which version of this solution are you currently using?