What is our primary use case?
There are four use cases:
- Endpoint visibility.
- Endpoint protection, which includes detection, protection, and error response. We use this for protecting endpoints as well.
- Provides historical logs of any events or changes in files that may have happened in the last 90 days.
- Threat hunting, which we use to troubleshoot applications.
There are different versions. The SaaS portal has a different version. The agents for each operating system have a different version. For the SaaS platform, we are on the current release. For the agents, we are one behind the current GA release.
How has it helped my organization?
We have another tool for network analysis. Last night, it detected some suspicious network activity for a machine that was making an outbound connection to a suspicious external entity. So, it raised an alert. Other than being a network tool, it couldn't provide any information as to why it suddenly started doing this. As far as response and running through our playbook, the first steps were for the SOC to go and reach out to our engineering teams to see if any users caused what happened. That took them almost until the end of the day. Finally, they came back and said, "There is nothing that we can see." Then, I went into SentinelOne, spent about 15 minutes, and was able to determine exactly:
- What process caused the activity.
- The reason for it.
- The user.
- The command line running that caused it.
- What addresses it tried to communicate out, since the network tool wasn't able to capture all the IP addresses.
We were able to determine it was a process that one of our engineers had set up and forgot about. It took us almost an entire day for the SOC to get a response from a person on that. Whereas, we were able to get that information directly from SentinelOne in less than 15 minutes.
SentinelOne's automation has increased analyst productivity. It can automate actions on a threat, such as kill/quarantine, remediate, and then roll back. All those automation processes have significantly helped us in making our SOC more effective.
What is most valuable?
All the features are valuable. Their core product, EDR, is pretty good. We utilize the entire functionality of the feature set that they have to offer with their core product. For EDR, we are using all their agents: the Static AI and Behavioral AI technologies as well as their container visibility engine.
We use SentinelOne’s Storyline feature to observe all OS processes quite routinely. When we want to know a bit more details about any threats or want to investigate any suspicious event types, that is when we use the Storyline quite a bit. Its ability to automatically connect the dots when it comes to incident detection is useful. It significantly simplifies the investigation and research related to threats.
Today, we automatically use Storyline’s distributed, autonomous intelligence for providing instantaneous protection against advanced attacks for threat detection. The AI components help tremendously. You can see how the exploits, if any, match to the MITRE ATT&CK framework, then what actions were taken by the AI engine during the detection process or even post detection actions. This is good information that helps us understand a little about the threat and its suspicious activities.
We use the solution’s one-click remediation for reversing unauthorized changes. In most of the groups, we have it automatically doing remediation. We seldom do manual remediation.
What needs improvement?
One area of improvement is agent health monitoring, which would give us the ability to cap and manage resources used by the SentinelOne agent. We had issues with this in our environment. We reached out to SentinelOne about it, and they were very prompt in adding it to their roadmap. A couple of months ago, they came back to us and got our feedback on what we thought their plan for implementing the agent health monitoring system would look like, and it looks pretty good. So, they are planning to release that functionality sometime during the summer. I have been amazed by their turnaround time for getting concepts turned into reality.
For how long have I used the solution?
We have been using SentinelOne since early 2020.
What do I think about the stability of the solution?
It has been very stable. There have been no issues so far.
One person is needed for maintenance (me).
What do I think about the scalability of the solution?
It is scalable with the caveat that we have had some challenges within our infrastructure for 20 agents across Linux servers. Beyond that, scalability is not an issue.
8,000 to 9,000 people are using the solution across our entire organization.
We are using SentinelOne as our de facto endpoint protection software. As a result, it is a requirement for every machine in our infrastructure, except for the devices that do not support their agents. So, as our infrastructure continues to grow or shrink, the users of SentinelOne will either increase or decrease, depending on the state of our infrastructure at that specific point in time.
How are customer service and technical support?
The technical support is good and very responsive. 99.99 percent of the time, they have been able to provide satisfactory responses. Whenever we have asked them to join a call that requires their assistance on a priority basis, they have been able to join the call and provide assistance. Whenever they felt that they did not have enough information, they were upfront about it, but they realistically cannot do anything about it because there is a limitation on either the SentinelOne agent software or the deeper logs that would need to be captured in order to provide more information. There has been no situation where support provided an unsatisfactory response.
Which solution did I use previously and why did I switch?
We were previously using Sophos. The primary reason that we switched was that Sophos did not provide us with the extended capabilities we needed to support our infrastructure, both on-prem and in the cloud. Sophos did not support any of the Kubernetes cluster environments or container systems in the cloud. It did not have the advanced AI engines that SentinelOne does. Overall, Sophos was very bulky, needing a lot of resources and a number of processes. In contrast, SentinelOne was thinner, very lightweight, and more effective.
How was the initial setup?
The deployment and rollout of SentinelOne are pretty simple. In our environment, we deployed the agents, then we had to remove them from some of the machines because the agent was impacting the performance of those machines. At that time, we found out it wasn't the SentinelOne agent but rather an underlying issue on our own system or even the environment that it was in. We had to take SentinelOne out to troubleshoot the root cause, which delayed us a bit in rolling it out to our other infrastructure. That was completely fine. Looking at it from a global and world perspective, the rollout was very simple.
About 6,000 to 7,000 endpoints took us six to seven months to deploy. Linux took a bit longer to deploy because the tools are not as good for deployment as what is available for Windows and Mac. Using a script, we were able to take care of that. However, we could only do that during maintenance windows; otherwise, we couldn't deploy the agents without a change approval.
What about the implementation team?
We did the implementation ourselves. We have several teams responsible for each area:
- Two to four people for workstations.
- Two people for a retail environment.
- Two people for the server infrastructure.
This provided resource continuity. In case one resource would be unavailable for any reason, then the other resource would be able to continue. Essentially, the deployment needed three people, but we had six for continuity.
What was our ROI?
We saw a return on investment during the first year. We far exceeded our ROI expectations, meeting our ROI expectations within the first year.
The Storyline feature has significantly affected our incident response time. Originally, what would take us hours, now it takes us several minutes.
From an overall perspective, it has reduced our mean time to repair in some cases to less than seconds to a maximum of an hour. Before, it would take days.
What's my experience with pricing, setup cost, and licensing?
The licensing is comparable to other solutions in the market. The pricing is competitive.
We subscribe to the Managed Detection and Response (MDR) service called Vigilance, which is like an extension of our SOC. Vigilance's services help us with mitigating and responding to any suspicious, malicious threats that SentinelOne detects. Vigilance takes care of those.
We also pay for the support. The endpoint license and support are part of the base package, but we bought the extended package of Vigilance Managed Detection and Response (MDR) services.
Which other solutions did I evaluate?
Sophos was eliminated very early on in the PoC process. Then, we looked at:
Out of these solutions, we selected SentinelOne. Their ability to respond quickly in terms of feature functionality was the biggest pro as well as their fee for agents in the cloud. The other solutions' interpretation of a cloud solution did not match with our expectations. From an overall perspective, we found SentinelOne's methodology, its effectiveness, its lightweight agents and their capabilities far exceeded other solutions that we evaluated.
SentinelOne had the highest detection rates and the ability to roll back certain ransomware, where other solutions were not even close to doing that.
What other advice do I have?
It is a very good tool that is easy to deploy and manage. The administration over it is little to none. However, depending on the environment and whoever is trying to deploy the agents, they should test it with the vendor environment before they go and deploy it to production. The reason why is because SentinelOne has the ability to be tuned for optimization. So, it is better to understand what these optimizations would be before deploying them to production. That way, they will be more effective, and it will be easier to get buy-in from the DevOps team and the infrastructure team managing the servers, thus simplifying the process all around. Making the agents and configurations optimized for specific environments is key.
The Storyline feature has affected our SOC productivity. Though, we have yet to fully use the Storyline feature in a SOC. We are using it on a case-by-case basis. However, as we continue to deploy agents throughout our infrastructure and train our SOC to use the tool more effectively, that is when we will start using the Storyline feature a bit more. Currently, this is on our roadmap.
I am very familiar with the Ranger functionality, but we haven't implemented it yet for our environment. Ranger does not require any new agents nor hardware. That is a good feature and functionality, which is helpful. It can also create live, global asset inventories, which will be helpful for us. Unfortunately, we have not yet had an opportunity to roll that out and capture enough information from our infrastructure to be able to maximize the effectiveness of that functionality. We are still trying to get SentinelOne core services fully deployed in our environment.
Now that we have SentinelOne, we cannot go without it.
Compared to other solutions in the market, I would rate it as 10 out of 10.