Endpoint security solutions provider SentinelOne recently announced the launch of its Operations Centre in Bengaluru. The Centre will deliver innovation, product development, threat research, and engineering, recruiting top talent to modernise cyberdefense. As a key component of SentinelOne’s India investment and build-out, customer data will be stored in a local data centre. The firm has plans to invest USD 50 million in India as part of its ongoing global expansion.
“The Centre’s engineers and threat researchers will focus on cutting-edge cybersecurity innovations to address the exponentially growing threat landscape. Bengaluru was a natural choice because of the talent footprint and market opportunity that India presents,” Ric added.
SentinelOne is building an India-hosted data centre as well, demonstrating the commitment to helping India-based organisations comply with evolving local data hosting regulations and preferences.
“Since beginning our regional presence in 2021, SentinelOne is protecting some of India’s largest automobile, manufacturing, pharmaceutical, insurance, and food delivery companies as well as one of its largest airlines and busiest airports. The Indian market is ready to move beyond ineffective legacy antivirus, and there is a high demand for cutting edge cybersecurity technologies from Indian enterprises,” said Raj Rajamani, chief product officer, SentinelOne.
Currently, SentinelOne’s India office has a headcount of 100 and plans to increase the local presence by 500. “We are investing in our India-go-to-market strategy and local data residency to serve the region’s enterprises and government bodies. We’re excited to bring India’s enterprises to the era of XDR, autonomously preventing, detecting, and responding to threats across device, cloud, and identity,” he added.
In June 2021, SentinelOne was publicly listed on the New York Stock Exchange at an implied valuation of USD 8.9 billion, making it the highest-valued cybersecurity IPO in history. According to Deloitte, SentinelOne’s revenue grew 1,133% from 2017 to 2020.
The SentinelOne Singularity XDR unifies and extends detection and response capability across multiple security layers, providing security teams with centralised end-to-end enterprise visibility, powerful analytics, and automated response across the complete technology stack. It enables enterprises to seamlessly ingest structured, unstructured, and semi-structured data in real time from any technology product or platform, breaking down data silos and eliminating critical blind spots. In a single dashboard, users can view data collected by disparate security solutions from all platforms, including endpoints, cloud workloads, IoT devices, networks, and more.
“We look at behaviours rather than signatures. By doing that, we understand what process chains and anomalous process chains look like. And then we classify them and either mark them suspicious or quarantine them and take action on the endpoint without having to call back to the cloud and have a group channel this section, look at the alert and figure out what to do. So if you want an immediate response, we do that! If you’re dealing with one of our legacy competitors, then they have to deal with the signal in the cloud, have a SOC team look at it and then provide the response, which is late,” said Ric.
Singularity XDR aggregates event information from multiple different solutions into a single contextualised “incident”. It also provides customers with a central enforcement and analytics hub for complete enterprise visibility and autonomous prevention, detection, and response, helping organisations address cybersecurity challenges from a unified standpoint.
“Essentially what you see here is the commercialisation of some of the most advanced technologies that came out of Israel. We collect tens of millions of samples and extract vectors or signals out of them. We tinker and experiment and find the features that are more correlated with good and more correlated with bad over time. The training set also has a huge impact in terms of what type of attacks we can prevent. A lot of our effort goes into curating the set of samples. Our customers contribute samples, our partners contribute samples, and we subscribe to feeds that contribute samples. And there is a group of people that just figures out what is the right mix of samples to be used in the training. When we train a new model, we are also experimenting with different types of features. We run multiple model candidates against the remaining set. So the training set is a small set, and then we have a much larger set of samples to go test the candidate models against. So whenever we do that, what needs to happen is one of the candidate models needs to outperform the current model that we have in production,” said Raj.
SentinelOne’s patented Storyline technology provides real-time, automated machine-built context and correlation across the enterprise security stack to transform disconnected data into rich stories and lets security analysts understand the full story of what happened in their environment. Storyline automatically links all related events and activities together in a storyline with a unique identifier.
“Trust is a big issue in cyber security, especially when you consider machine learning solutions. No one in the world can explain how the model detected or why the model detected, because remember we are extracting lots of features from either the behavioural part or the static part. We cannot pinpoint and say these five features when combined tell my model that this is in the negative territory. So here’s how we deal with that problem. We have indicators within the product, which are readable and easily understandable,” said Raj.
Singularity XDR integrates threat intelligence for detection and enrichment from leading third-party feeds and proprietary sources that auto-enrich endpoint incidents with real-time threat intelligence. It empowers security teams to get additional contextual risk scores on indicators of compromise (IoCs) such as IPs, hashes, vulnerabilities, and domains.
“For file-based attacks, even as soon as the file gets written, we extract the features. Put it through the model and see if it says CA or NA. If it’s NA, we quarantine. The file’s not even allowed to run. So we are preventing it before it even executes. We still keep track of everything that it does if it were to be executed because you can never be conclusive. And we keep that manifest of all the changes that are being performed. So if what we thought was good, goes ahead and proves us wrong, we catch it before anything gets encrypted. And for worst-case scenarios, we have a rollback function that rolls back all the changes that were performed by the attacker with a single click of a button. And that’s invaluable,” said Raj.
Attivo Networks acquisition
“Our strategy from day one was to do cybersecurity differently. We aspired to make it autonomous. We wanted to build it in a way that we can integrate it with other products,” said Daniel Bernard, chief marketing officer at SentinelOne.
Earlier this year, SentinelOne announced the acquisition of Attivo Networks for USD 616.5 million, marking its entry into the Indian market. Attivo Networks is an identity security and lateral-movement protection company with a rapidly growing business serving hundreds of global enterprises, including Fortune 500 organisations. With this acquisition, SentinelOne extends Singularity XDR capabilities to identity-based threats across endpoints, cloud workloads, IoT devices, mobile, and data wherever it resides, setting the standard for XDR and accelerating enterprise zero trust adoption.
Together, SentinelOne and Attivo Networks deliver comprehensive identity security as part of Singularity XDR for autonomous protection including Singularity™ Identity, Singularity™ Ranger® Active Directory Assessor, and Singularity™ Hologram.
“More vendors want to work with us because they see our traction and growth and they want to be part of the workflows in cybersecurity that we’re changing. More customers want our technology because they’re dissatisfied with what they’ve been using. More resellers want to partner with us because they know they are going to win with our technology. So it’s like this flywheel that starts to spin and spins faster and faster and faster,” said Daniel.
Feud with CrowdStrike
CrowdStrike has been the major rival of SentinelOne since day one. As per Gartner Peer Insights 2022, CrowdStrike has a rating of 4.8 out of 5 stars with 289 verified reviews, and SentinelOne has a rating of 4.8 out of 5 stars with 404 verified reviews.
CrowdStrike, a global cybersecurity leader, has redefined modern security with one of the world’s most advanced cloud-native platforms for protecting critical areas of enterprise risk: endpoints and cloud workloads, identity and data. It went public in 2019 with a USD 6.7 billion valuation; SentinelOne broke the record two years later.
As per CrowdStrike, SentinelOne lacks the ability to scale to the needs of large enterprises. CrowdStrike believes SentinelOne is “REACTIVE” and that its rollback feature provides a false sense of security. The company also questions SentinelOne’s visibility into cloud configurations and its ability to offer native capabilities for identity protection. CrowdStrike also called out the insights SentinelOne provides, characterising them as “basic alerts that lack valuable context from threat intel or sandbox analysis.”
On the other hand, SentinelOne called CrowdStrike’s 1-10-60 detection, investigation, and response model obsolete. In SentinelOne’s telling, it leverages AI to act on malicious activity in real time, while CrowdStrike is slow to detect, slow to investigate, and even slower to recover from attacks. SentinelOne also says its Singularity Platform offers longer EDR data retention than CrowdStrike by default, and that its patented Storyline™ technology automatically correlates and contextualises alerts without the need for costly professional or managed services.
SentinelOne says it consistently outperforms CrowdStrike in the MITRE Engenuity ATT&CK Evaluations, which it calls the most trusted third-party test in the industry. In the 2022 MITRE Engenuity ATT&CK Evaluation, SentinelOne achieved record-breaking results, delivering 100% protection across operating systems with the fastest threat containment and the most analytic detections. The SentinelOne Singularity platform consolidated the 109-step campaign into just 9 console alerts out of the box, providing 99% visibility and automatically giving analysts the context and correlation they need without extensive setup.
CrowdStrike, on the other hand, deployed both its endpoint security solution and its identity protection product to tap the managed hunting market. Yet CrowdStrike missed the mark in speed and substance, with only 94 of 109 analytic detections and 11 delayed detections.
“Mammals started to walk the earth around the same time dinosaurs were going extinct! I think we’re seeing the same happen here. Nonetheless, our first goal is to at least achieve this success that CrowdStrike has achieved financially. Our second goal is to surpass them. There are shapes that we can take beyond that,” said Ric.