Review: SentinelOne blocks and dissects threats

SentinelOne Endpoint Protection Platform (EPP) is an antimalware solution that protects against targeted attacks, malware, and zero-day threats through behavioral analysis and process whitelisting and blacklisting. The client agent, which analyzes the behavior of processes on Windows, OS X, Linux, and Android endpoints, can replace or run alongside other signature-based antimalware solutions. SentinelOne EPP stands out not only for its protection capabilities but also for its excellent forensics and threat analysis.

SentinelOne evaluates process behavior based on "dynamic execution patterns." The agent scans endpoints, indexes application files and processes, and sends information about them to the cloud where they are assigned reputation scores. When scores surpass policy thresholds, processes can be killed, files quarantined, and endpoints rolled back to the last known-good state. Metadata about processes and files are pooled among SentinelOne's customers, building an anonymous threat intelligence network that benefits everyone.

I was impressed by the depth of SentinelOne's forensic analysis capabilities. The solution records all information related to applications and processes, then displays it in a straightforward, easy-to-understand historical view within the browser-based management interface.

Getting started

SentinelOne's management console can run in the cloud or on premises. I tested the cloud-based version. The management console has an elegant, responsive GUI, with a friendly look and feel across devices. I found that it was most user-friendly from my PC with a nice big monitor, yet it was still pleasant to access from my iPad and usable from my Android smartphone.

Installing agents on my Windows test machines took seconds and required no user intervention. After a reboot, the agent did a full scan of each machine, which took anywhere from 30 seconds to two minutes. The agent has negligible resource requirements, taking up a mere 25MB of disk space and 32MB of RAM and at most 1 percent of CPU when running. The agent interface provides basic information to the user, such as how many applications, processes, and services are running. I was unable to terminate the process or remove the agent from the endpoint itself.

When agents are first deployed, they are put into Learning Mode for the first 24 hours. During this time, they build a baseline of applications in order to minimize chances for false positives.

Intuitive management console

SentinelOne's management console opens into a dashboard view that shows summary information about endpoints, as well as the behaviors and applications discovered on them. Major functional areas -- labeled Dashboard, Activity, Analyze, Network, Black/White, and Settings -- are listed along the left side of the page. Threats -- broken out into active, mitigated, blocked, and suspicious -- are listed in the middle of the page. On the right side of the page is a quick color-coded graphic of network health. I found it very helpful to be able to click on a threat or an endpoint and dive deeper for more information.

Even on my small test bed, the running list of threats grew very quickly, particularly the "suspicious" category, which contained entries such as newly executed binaries, updated applications, documents that contained links (whether the links were accessed or not), unsigned files and documents, and malware. I could analyze each threat to see attack-related events and a risk severity rating, then mark it as a threat, benign, or resolved. The suspicious list can be sorted by time and mitigation status, but frankly, that isn't enough. It would save time and effort to display a sortable risk score next to each entry. This shouldn't be too hard for SentinelOne to do because those scores are already calculated under Analyze > Attack Overview.  

Below the threat list are a graph of the number of applications discovered over time, a map view of endpoints or threats displayed on a country level, a live feed of threat intelligence, and SentinelOne company news. The map isn't particularly helpful as it only zooms to a country level, nor is the weekly updated news feed (which is merely an RSS feed from the SentinelOne blog). These are a waste of space, but the dashboard isn't customizable, so you're stuck with them.

Policies and configuration

The settings page is broken out into five subpages: policies, configuration, updates, notifications, and users. My first stop was the users page. SentinelOne contains only two roles: admin and SOC/Helpdesk. Beyond those two roles, privileges can't be managed. The company says that deeper role-based management features are in development.

The policies page is where scanning and containment options are set. SentinelOne recently added the ability to configure policy groups. It's very easy to add and configure policies.

The most important features are the actions to be taken on detected threats (alert only; alert and kill the suspected malicious process; or alert, kill, and quarantine the suspicious process locally) and containment (of which the more important setting is to block all network connections to and from the potentially compromised endpoint). I found it easier to create groups through the Network page, then assign policies to those groups. Creating policies and assigning groups to those policies through the Policy Settings page was a little counterintuitive.

Malware identification, alerts, and effectiveness

In order to test SentinelOne's malware detection and remediation capabilities I copied two folders of malware to my test machines. The first folder contained 32 commonly found malware executables. SentinelOne correctly identified and blocked these files prior to execution. The second folder contained renamed versions of the same 32 malware executables. SentinelOne correctly identified and blocked five of these files prior to execution.

The other 27 were either detected as suspicious before execution, or they were blocked when executed -- meaning SentinelOne detected the malware upon execution, terminated the process, and prevented the file from executing again. SentinelOne alerted me within seconds via SMS and email as I had previously configured those notifications. I remediated these 27 threats successfully, although in the case of one downloader the active malware was removed, but the installer/downloader was left behind.

I also installed and executed 18 safe applications that exhibit some questionable behavior, like automatically modifying registry settings. None of these 18 was flagged as suspicious.

Fantastic forensics

SentinelOne contains powerful forensic capabilities that can be accessed from the Analyze tab. For each process, an attack summary is presented along with detailed information regarding network connections, attack overview, and attack story line.

The attack overview contains behavior categories like network activity, spying, and antidetection, as well as information about files accessed, network connections made, and processes executed, each color-coded by severity. The attack story line shows a graphical representation of processes, files, and activities linked together in the order in which they were executed or accessed. The attack story line is extremely helpful when trying to piece together the events that took place during a malware attack. Raw attack data can also be downloaded for additional analysis.

SentinelOne EPP is an endpoint detection and response solution with strong process whitelisting and blacklisting capabilities, very good remediation capabilities, and excellent forensics. These capabilities layer on top of existing endpoint protection solutions very well. The straightforward browser-based management console is easy to use. Larger organizations will probably be disappointed by a lack of deep role-based administration features. The informative and easy to understand forensic capabilities, in particular the graphical attack story line, set SentinelOne EPP apart from the competition.