SentinelOne is a pioneer in delivering autonomous security for endpoints, data centers, and cloud environments to help organizations secure their assets with speed and simplicity. In this fascinating interview, marketing director Yotam Gutman explains why antivirus belongs in the past, and how AI can help tighten endpoint security now and in the future.
How did SentinelOne come together? What sparked the idea and how has it evolved so far?
SentinelOne is a cybersecurity company established in Israel 6 years ago by Tomer Weingarten and Almog Cohen. They have been friends since childhood, and they were both working in the industry when they realized traditional security solutions were insufficient with regard to endpoint security, meaning the security of laptops, desktops and servers within organizations.
Up until then, most endpoint security solutions relied on traditional antivirus technology, which is a known tool developed in the ’80s. The technology is simple: it aims to scan all the files on the machine and identify matches to known viruses. That’s how it’s been working for the past 30 years, but today some estimates say we are witnessing hundreds of thousands of malware variants per day, altered by machines rather than human attackers. The fact that so many new viruses are released every day makes it hard for traditional AV to fight this losing battle.
Of course, there are also more aggressive attacks like ransomware, which installs itself on your machine and locks parts of the system, demanding a ransom in exchange for unlocking files and data. The reactive nature of AV is insufficient in this case.
So the founders of SentinelOne developed an AI engine to secure endpoints and actively scan all files on the Machine. It searches for indications in the way the file appears, its source and attributes, and how it behaves. Then, it defines whether files are malicious and notifies the user. That is how active AI creates a security layer that can defend you against malicious activities.
SentinelOne raised over 230M USD. We have over 300 employees, half of whom are in our large R&D support center in Israel, 100 in the USA, and the rest in the EU and Asia Pacific.
An interesting thing that happened recently is that the entire endpoint security market has shifted. Previously, it was based on large legacy players like McAfee, Symantec and other names we all know that provide antivirus, and they are quickly being replaced by fairly new, dedicated endpoint security players. But some of these companies are being evaporated. Cylance was bought by Blackberry and Carbon Black was bought by VMware, so they are being governed by huge players and are not as agile anymore, which pretty much left the market open for SentinelOne to gain a strong foothold in the market and capitalize on it.
We currently have over 2,500 clients, mostly in North America, and I’m talking about respected Fortune 1000 clients, including three of the top ten Fortune companies in the world. Our revenue is also very impressive and is nearing $100M in 2019. With such impressive growth, SentinelOne is not just another Israeli cybersecurity startup, but a mature global cybersecurity company, and one of the top endpoint security solutions in the world.
Here’s a sneak preview of the SentinelOne dashboard:
How do you leverage AI and ML to protect business information?
As mentioned, signature-based security, which is also a form of pattern-matching AI, is off the table and not relevant anymore. You need a strong AI engine capable of detecting anomalies and comparing them with other endpoints within the global deployment. Such an engine will need to react quickly to the actions of the malware.
For instance, if unknown malware installs itself on the machine and starts to access parts of the memory, change files, or gain access rights, an AI engine should be able to learn this activity and try to stop it. If you do it quickly enough, as we do, it can even reverse some of their actions. In the case of ransomware, one of our strongest features at SentinelOne is what we call Rollback, which enables the system to reset itself to the previous state automatically, saving a lot of hassle for the user.
Another form of AI is the way that we allow more proficient users that have in-house analysts to understand the course of the attack. Given that SentinelOne is deployed on all endpoints of the organization, and a particular file is starting to behave differently, we can trace back the attack right from the source, and tell what its origin was; how did it move laterally within the organization, meaning, from one endpoint to another; how did it try to access the outside world; which types of data did it try to access, and what did it try to do with it. So with just one click, we can show you the entire storyline of the infection or attack, making the remediation process a lot quicker.
A lot of the time you’ll have simple AI that will show you that something has gone wrong and it’s just one of many alerts. So one of the analysts will need to investigate it and try to retrieve the data by writing queries to the database, but SentinelOne does that automatically, so it saves a lot of what we call Time to Resolution. Time to Detection is easy nowadays, but you get a lot of false positives, so in order to have real mitigation, you need to be able to understand the context of these alerts and act quickly.
Although AI is powerful, we don’t think it can solve all the problems. Our security solutions are obviously geared at providing analysts with the best tools. Customers who don’t have the manpower to handle that can still benefit from our Managed Detection and Response (MDR) service – Vigilance. We have access to these endpoints, so we can actively investigate them by doing what we call “threat hunting”, so even if there’s no alert we can look for specific indicators of known attacks so that our customers can decide what they want to do about it. It’s a combination of powerful AI and the work that analysts are doing.
Another thing is that many companies provide endpoint security solutions, but we are the only ones who do it (with a single, unified agent) for Windows (which is obviously the majority of endpoints), Mac and Linux, which brings us into the cloud. We realize that nowadays, just protecting endpoints is not enough, as a lot of the data sits in the public and hybrid cloud, so we need to be able to defend that as well. We have seen cases where clients have been able to encrypt the entire cloud drive, so that’s our next frontier.
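The “storyline” described in the answer above, traced from the flagged process back to its origin across a lateral move, can be illustrated with a small reconstruction over endpoint telemetry. This is an added example, not SentinelOne’s code or its event format: the event schema, hostnames, process ids and file paths are constructed for the illustration.

```python
"""Reconstruct an attack 'storyline' from endpoint telemetry.

Added illustration (not SentinelOne's implementation): given process,
file, network and lateral-movement events reported by agents on several
hosts, walk parent links back from a flagged process to the root process,
hopping across hosts where a lateral move created the remote process, and
list what each link in the chain touched. Schema and data are constructed.
"""
from collections import defaultdict

# Constructed telemetry. Each process has a (host, pid) identity and a ppid;
# a 'lateral' event ties a source process to the process it spawned remotely.
EVENTS = [
    {"host": "ws-01", "type": "process", "pid": 100, "ppid": 0, "image": "outlook.exe"},
    {"host": "ws-01", "type": "process", "pid": 101, "ppid": 100, "image": "winword.exe"},
    {"host": "ws-01", "type": "process", "pid": 102, "ppid": 101, "image": "powershell.exe"},
    {"host": "ws-01", "type": "file", "pid": 102, "path": r"C:\Users\a\Documents\q3.xlsx", "action": "read"},
    {"host": "ws-01", "type": "network", "pid": 102, "dst": "203.0.113.7:443"},
    {"host": "ws-01", "type": "process", "pid": 103, "ppid": 102, "image": "psexec.exe"},
    {"host": "ws-01", "type": "lateral", "pid": 103, "dst_host": "srv-02", "dst_pid": 200},
    {"host": "srv-02", "type": "process", "pid": 200, "ppid": 0, "image": "cmd.exe"},
    {"host": "srv-02", "type": "process", "pid": 201, "ppid": 200, "image": "encryptor.exe"},
    {"host": "srv-02", "type": "file", "pid": 201, "path": r"D:\share\contracts.docx", "action": "write"},
]


def build_index(events):
    """Index processes by (host, pid), collect per-process activity, and map
    remotely created processes back to the process that created them."""
    procs, activity, lateral_in = {}, defaultdict(list), {}
    for e in events:
        key = (e["host"], e["pid"])
        if e["type"] == "process":
            procs[key] = e
        elif e["type"] == "lateral":
            lateral_in[(e["dst_host"], e["dst_pid"])] = key
            activity[key].append(f"moved laterally to {e['dst_host']}")
        elif e["type"] == "file":
            activity[key].append(f"{e['action']} {e['path']}")
        elif e["type"] == "network":
            activity[key].append(f"connected to {e['dst']}")
    return procs, activity, lateral_in


def ancestry(key, procs, lateral_in):
    """Chain of processes from the origin down to `key`: follow ppid links on
    the same host and, when a root process was created by a lateral move,
    continue on the source host. A `seen` set guards against cycles."""
    chain, seen = [key], {key}
    while True:
        host, pid = chain[-1]
        proc = procs.get((host, pid))
        parent = (host, proc["ppid"]) if proc else None
        if parent is None or parent not in procs:
            parent = lateral_in.get((host, pid))
        if parent is None or parent in seen:
            break
        chain.append(parent)
        seen.add(parent)
    chain.reverse()
    return chain


def storyline(flagged, events):
    """Return (chain, lines): the origin-to-flagged process chain and a
    human-readable storyline listing each process and what it did."""
    procs, activity, lateral_in = build_index(events)
    chain = ancestry(flagged, procs, lateral_in)
    lines = []
    for host, pid in chain:
        lines.append(f"{host}: {procs[(host, pid)]['image']} (pid {pid})")
        for act in activity[(host, pid)]:
            lines.append(f"    -> {act}")
    return chain, lines


if __name__ == "__main__":
    # Analyst flags the encryptor on srv-02; the storyline starts at outlook.exe on ws-01.
    _, story = storyline(("srv-02", 201), EVENTS)
    print("\n".join(story))
```

The chain answers the four questions the answer lists (origin, lateral movement, outside access, data touched) from one query instead of an analyst hand-writing database queries per hop.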
What are some of the security challenges that users can expect to encounter in the next few years?
I would say the biggest challenge that we are facing is in the form of non-standard IT (also known as “Shadow IT”). Part of it is mobile security but it’s not a huge problem because it’s only on the device level.
On the other hand, IoT devices (or “connected devices”) that find their way into the organization can be a major threat because they are often unsupervised.
Let’s say we have networks, servers, services and endpoints which are well documented under the supervision of the IT security department. Then, we have devices that people bring, buy or install in the office, such as Alexa’s helpers or IP cameras.
Unlike endpoints, it’s not very practical to install security software on each of these devices, but they are the source of many security breaches, including a very famous one where some employee at NASA brought a Raspberry Pi, a tiny computer that has a modem in it, and basically opened the entire facility at NASA to the outside world, bypassing all security mechanisms. Nobody knows exactly how long it had been there, but it could have been months before they found out about it. If this can happen to NASA, it can happen to any organization.
There are dedicated security solutions that can monitor this kind of activity, but they call for deploying physical appliances (“Boxes”) within the network. At SentinelOne we came up with a more clever approach. Using our existing endpoint agents, we learn the behavior of the network through AI, so we know all the devices within the organization, and if we see new activity, we can fingerprint it and compare it to known devices.
Each new activity is shown to the IT security team, which is then asked to respond with the kind of policy they want to enforce, whether it’s to limit or block the device. We give visibility, which later allows enforcement on such devices. This new offering is called SentinelOne Ranger, and it’s being rolled out as we speak.
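The approach in the last two answers (agents already on the endpoints observe their neighbours, a baseline of known devices is learned, and anything new is fingerprinted, compared against the inventory, and queued for the security team to set a policy) can be sketched as follows. This is an added example, not SentinelOne Ranger’s implementation: the fingerprint (MAC vendor prefix plus observed service ports), the vendor table, the observation format and the sample devices are all constructed assumptions.

```python
"""Rogue-device discovery from neighbour observations reported by endpoint agents.

Added illustration (not SentinelOne Ranger's code). Each agent reports the
devices it sees on its subnet: MAC address and the service ports they answer
on. A baseline inventory is learned, later observations are fingerprinted and
compared, and anything that is not a known device goes into a review queue
for the security team. Vendor table and observations are constructed.
"""

# Constructed OUI (first three bytes of the MAC) -> vendor table.
OUI_VENDORS = {
    "3c:5a:b4": "ExampleLaptop",
    "00:1a:2b": "ExampleCam",
    "dc:a6:32": "Raspberry Pi Foundation",
}

# Constructed observations from a baseline learning period.
BASELINE_OBS = [
    {"reporter": "ws-01", "mac": "3C:5A:B4:00:00:01", "ports": [445, 3389]},
    {"reporter": "ws-01", "mac": "00:1A:2B:00:00:10", "ports": [80, 554]},
]

# Constructed observations from a later scan: one known laptop, a second
# camera of the same model, and a single-board computer nobody registered.
LATER_OBS = [
    {"reporter": "ws-01", "mac": "3C:5A:B4:00:00:01", "ports": [445, 3389]},
    {"reporter": "ws-02", "mac": "00:1A:2B:00:00:11", "ports": [80, 554]},
    {"reporter": "ws-02", "mac": "DC:A6:32:11:22:33", "ports": [22]},
]


def vendor_of(mac):
    """Vendor from the MAC's OUI prefix; unknown prefixes are still reported."""
    return OUI_VENDORS.get(mac.lower()[:8], "unknown-vendor")


def fingerprint(obs):
    """Fingerprint = vendor + set of service ports. A device that changes its IP
    keeps its fingerprint; a second unit of a known model shares it."""
    return (vendor_of(obs["mac"]), frozenset(obs["ports"]))


def learn_baseline(observations):
    """Inventory of known devices keyed by MAC, first observation wins."""
    inventory = {}
    for obs in observations:
        inventory.setdefault(obs["mac"].lower(), fingerprint(obs))
    return inventory


def classify(obs, inventory):
    """known / known-device-changed / new-device-of-known-type / unknown-device."""
    mac, fp = obs["mac"].lower(), fingerprint(obs)
    if mac in inventory:
        return "known" if inventory[mac] == fp else "known-device-changed"
    if fp in inventory.values():
        return "new-device-of-known-type"
    return "unknown-device"


def review_queue(observations, inventory):
    """One entry per non-known MAC, with the context the team needs to decide
    whether to limit or block it. Policy enforcement itself is out of scope."""
    queue = {}
    for obs in observations:
        verdict = classify(obs, inventory)
        if verdict == "known":
            continue
        queue[obs["mac"].lower()] = {
            "verdict": verdict,
            "vendor": vendor_of(obs["mac"]),
            "ports": sorted(obs["ports"]),
            "seen_by": obs["reporter"],
        }
    return queue


if __name__ == "__main__":
    inv = learn_baseline(BASELINE_OBS)
    for mac, entry in review_queue(LATER_OBS, inv).items():
        print(mac, entry)
```

Separating “new device of a known type” from “unknown device” matters for the policy step: a second camera of an approved model is a very different review item from a device whose vendor and services match nothing in the baseline.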
Is there anything else that you would like to share with our readers?
I think we are in a unique position. We are rooted in Israel but we are a global company, and very few companies have managed to achieve that. As we are recruiting, I’d like to invite more brilliant minds to come and join us.