Professional Documents
Culture Documents
S1_BuyersGuide_EN
S1_BuyersGuide_EN
Endpoint Protection
Buyer’s Guide
Introduction 3
Today’s Security Landscape
Why Traditional Security is Not Working
Is Antivirus Dead?
Sandboxing as a Defense?
Why SentinelOne? 8
A Brief History
SentinelOne Endpoint Protection Platform
AV-Test Certification
Testimonials
Next Steps
Introduction Techniques
The code that runs on
the victim’s machine
In the past two decades of tech booms, busts, and bubbles, two things have not
changed - hackers are still finding ways to breach security measures in place,
and the endpoint remains the primary target. And now, with cloud and mobile
computing, endpoint devices have become the new enterprise security perimeter,
so there is even more pressure to lock them down.
sophisticated attack.
Attackers quickly realized while their current packing techniques could not be used
to bypass the sandbox environment, they just needed to detect the environment,
which could easily be done by noticing limited emulation time, lack of user
Fileless Browser Credentials
interaction, and only a specific image of the OS. Once the environment is identified,
Memory-only malware Drive by downloads, Credentials scraping,
they ensure their malicious code will not run in the emulated environment, will be
No disc-based Flash, Java, Javascript, Mimikatz, Tokens
flagged as benign, and will continue its route to the end device and only run there
indicators vbs, iframe/html5,
(where the endpoint antivirus can do little to stop it). plug-ins
With the new threat landscape, a new model that uses a different approach is
needed.
1 2 3 4 5 6
Known Attack Dynamic Exploit Advanced Malware Mitigation. Remediation. Forensics.
Prevention. Detection. Detection. Detecting threats is During execution, malware Since no security technology
We explored above how only Hackers often use exploits to Your NGEP must be able to necessary, but with often creates, modifies, claims to be 100% effective,
looking for known threats won’t target code-level vulnerabilities detect and block unknown detection only, many or deletes system file and the ability to provide real-time
protect against variants or so they can breach systems malware and targeted attacks attacks go unresolved for registry settings and changes endpoint forensics and visibility
unknown attacks, but coupling and execute malware. - even those that do not days, weeks, or months. configuration settings. These is a must. Clear and timely
it with additional security Drive-by downloads are a exhibit any static indicators Automated and timely changes, or remnants that are visibility into malicious activity
layers can pre-emptively stop common vector for carrying of compromise. This involves mitigation must be an left behind, can cause system throughout an organization
known threats before they can out exploit attacks. NGEP dynamic behavior analysis - integral part of NGEP. malfunction or instability. NGEP allows you to quickly assess
execute on endpoints. However, should provide anti-exploit the real-time monitoring and Mitigation options should must be able to restore an the scope of an attack and
instead of relying on a single capabilities to protect against analysis of application and be policy-based and endpoint to its pre-malware, take appropriate responses.
vendor’s intelligence, make both application and memory- process behavior based on flexible enough to cover a trusted state, while logging This requires a clear, real-time
sure your NGEP uses a vast based attacks. This should low-level instrumentation of wide range of use cases, what changed and what was audit trail of what happened on
collection of reputation services be achieved by detecting the OS activities and operations, such as quarantining a file, successfully remediated. an endpoint during an attack
to proactively block threats actual techniques used by including memory, disk, killing a specific process, and the ability to search for
and bad sources. Be sure the exploit attacks - for example: registry, network and more. disconnecting the infected indicators of compromise.
NGEP vendor uses data from heap spraying, stack pivots, Since many attacks hook into machine from the network,
the cloud, indexing files for ROP attacks and memory system processes and benign or even completely shutting
passive scanning or selective permission modifications - not applications to mask their it down. Quick mitigation
scanning to keep it lightweight, by using methods that are activity, the ability to inspect during inception stages
instead of performing resource- dependent on static measures, execution and assemble its true of the attack lifecycle will
intensive system scans. like shellcode scanning. This execution context is key. This is minimize damage and
approach is much more most effective when performed speed remediation.
reliable in detecting unknown on the device regardless of
attacks, since the exploitation whether it is on or offline (i.e. to
techniques themselves are not protect even against USB stick
as easy to change or modify as attacks.)
the shellcode, encoder, dropper
and payload components used
in malware.
Evaluation Questions 9. Are there prevention policies to protect against threats in real-time?
Now that you know what to look for in a next-generation endpoint protection
10. What levels of contracted support does the endpoint protection vendor
solution, you’ll need to start evaluating vendors on your shortlist. Request an
provide? Are software updates and upgrades part of the licensing fee?
evaluation from the vendor, and make sure it’s full production software so that you
can see how it will actually perform in your environment and against the security
Licensing and PRICING
test you’ve outlined. For your evaluation, take the following considerations into
account: Typically, endpoint protection products are purchased as licenses per user or
per endpoint, often in 1-year, 2-year or 3-year increments. Vendors typically offer
1. For endpoints (including mobile devices, if supported), which operating systems volume discounts for larger environments. License costs vary, but are usually $30
and major operating system versions are supported? For each of these, what to $70 for each endpoint license per year, depending on the vendor and number
are the performance requirements (CPU, memory, storage)? of licenses purchased. The cost can be deceptive, as some endpoint protection
products may provide narrow functionality that requires additional products to
2. How, in technical methods, does the product detect attacks from each vector -
be installed. Weigh the cost in terms of functionality and how many products you
including malware, exploits, and live/insider threats?
have to install for total endpoint security. For example, do you have to purchase
separate products for any of the below, or is all of it included in the next-generation
3. How frequently are updates made available? Are updates pushed or pulled to
endpoint protection platform? Evaluate the true cost before making a decision.
the endpoint? Do the updates require any user intervention (i.e. reboot?)
AntiVirus $25
4. Can the product prevent threats if the endpoint is offline from the network? Host-Based IPS (HIPS) $29
Endpoint Forensics/EDR $30
5. How scalable is the product? How many clients can be supported by each
Application Whitelisting $55
management console?
Anti-Exploit / ATP $24
6. Is the management server cloud-based or on-premise? Endpoint Search $30
Total $193
7. What is done to prevent false positives and learn benign system behavior? What Next-Generation Endpoint Protection $65
is the current false positive rate?
A Brief History Forensics – A 360-degree view of the attack including file information, path,
SentinelOne was formed by an elite team of cyber security engineers and defense machine name, IP, domain, and more (available within SentinelOne or through your
experts who joined forces to reinvent endpoint protection. With decades of SIEM)
collective experience, SentinelOne founders honed their expertise while working In addition, SentinelOne EPP is a single, lightweight solution that uses an average of
for Intel, McAfee, Checkpoint, IBM, and elite units in the Israel Defense Forces. They 1-2% CPU, so endpoints are able to do what they’re supposed to do - be a laptop,
came together in 2013 to build a new security architecture that could defeat today’s desktop, mobile device, or server. As it focuses on what’s right for each system, no
advanced threats that come from organized crime and nation state malware. signature updates/active scans are needed, and endpoints are always protected,
SentinelOne Endpoint Protection Platform whether you’re on or off the network. SentinelOne EPP is supported on major
mobile, desktop/laptop, and server operating systems.
SentinelOne’s Endpoint Protection Platform is an all-in-one endpoint security
solution that provides protection against known and unknown attacks by
identifying and mitigating malicious behaviors at machine speed. It closely monitors
every process and thread on the system, down to the kernel level. A view of
system-wide operations - system calls, network functions, I/O, registry, and more
- as well as historical information, provides a full context view that distinguishes
benign from malicious behavior. Once a malicious pattern is identified and scored,
it triggers an immediate set of responses ending the attack before it begins.
Responses include:
AV-Test Certification
www.sentinelone.com.