CISOs have known for years that stopping the barbarians at the gate — the endpoint — isn’t enough to defeat the determined and imaginative attackers of today.
That doesn’t mean that endpoint defenses have been ignored. In 2013 a California company called SentinelOne Inc. released SentinelOne EDR (endpoint detection and response), an agent-based solution which works with existing enterprise anti-virus platforms and includes behavior-based malware detection and mitigation for all devices including tablets and smart phones.
Today the company announced its next version, called EPP, which it says can replace AV solutions by adding remediation to its capabilities.
“It adds a whole new preventive layer that deflects malware before it even runs,” CEO Tomer Weingarten said in an interview.
“We’ve also added what we call dynamic remediation, which is even if something has executed, you can go back (to the system) and revert everything that happened,” he said.
It will help security pros determine when an endpoint was infected, what machines it talked to, the databases that were accessed, “so you can piece together a good picture of what might have happened.”
“We can completely replace (existing) anti-virus both for compliance and in terms of efficacy,” he said.
He noted that in its most recent report AV-Test said SentinelOne EPP was one of 11 solutions for Windows 8.1 that passed its corporate endpoint protection test.
London, Ont.,-based Gartner analyst Peter Firstbrook said in an interview that the AV-Test indicated that — like a number of others tested — SentinelOne EPP couldn’t stop everything that was thrown at it. “It doesn’t change the state of the art,” he said.
What appealed to him was the ability to record any changes made to endpoints so if suspicious behavior is detected infosec pros can pour through data to find when and where the system was altered to help detect suspect applications.
But he admitted that means SentinelOne EPP can’t merely be set on automatic: “You’re going to need someone in IT who has knowledge of how packed applications are put together and how to understand one that’s bad.”
Weingarten said EPP uses the same engine as the EDR platform, but with an enhanced agent. It can “basically and inspect and predict execution on an endpoint, seeing everything that running on that endpoint and every process and application is doing. By inspecting behaviors understanding what is malicious, what is benign. Because we’re on the endpoint we also have the ability to mitigate the attack once we detect something has gone wrong, and then eventually remediate it, and later on give full detailed forensic reports in real time.”
EPP is linked to SentinelOne’s cloud intelligence platform, so it doesn’t use signatures. Nor do endpoints need to be scanned. The agent has a “very, very low” impact on performance, Weingarten said, taking up about 200 MB.
He wouldn’t detail EPP pricing, other than to say it is based on the number of endpoints protected. “We will in most cases try to match the price you’re paying today (for AV) and give you all of the added capabilities.”
Until the end of the year a subscription includes real-time forensics, white listing, anti-exploitation, dynamic malware protection, automatic remediation and endpoint search. Next year new capabilities — such as URL filtering — will cost extra.
SentinelOne products are largely sold direct to enterprise-sized companies, although it is in the process of building out a channel program. Weingarten said next year it will add a Web portal for medium-sized companies to buy subscriptions online.
