Category Archives: Sentinel One

  • 0

How to Build Your Endpoint Security Blueprint

Category : Sentinel One

Date and time: August 23rd, 2017 at 10am PT | 1pm ET
Speakers: 
Chris Sherman, Forrester Senior Security Analyst
Rajiv Raghunarayan, SentinelOne Vice President, Product Marketing
Description:
We’ve all heard of traditional endpoint models failing. And there is an overwhelming number of next generation technologies. As a customer how do you identify the right technology, the right approach to invest in?
Hear Guest Speaker Chris Sherman, Forrester Senior Security Analyst, and Rajiv Raghunarayan, SentinelOne VP of Product Marketing, talk about the top trends and approaches to safe guard your endpoints, users, and organization against the continued evolution of threat and business landscapes.  
 
Join the webinar to:
  • Understand the different approaches to endpoint security 
  • Select the best architectures for your business needs
  • Role of automation in powering your security strategy
  • The SentinelOne approach

REGISTER


  • 0

SentinelOne Demo

Category : Sentinel One

Want Zero-Day protection? Watch this video & see how SentinelOne can help.


  • 0

Measuring the Usefulness of Multiple Models

Category : Sentinel One

The past several years have seen a massive increase in products, services, and features which are powered or enhanced by artificial intelligence — voice recognition, facial recognition, targeted advertisements, and so on. In the anti-virus industry, we’ve seen a similar trend with a push away from traditional, signature-based detection towards fancy machine learning models. Machine learning allows anti-virus companies to leverage large amounts of data and clever feature engineering to build models which can accurately detect malware and scales much better than manual reverse engineering. Using machine learning and training a model is simple enough that there are YouTube videos like “Build an Antivirus in 5 Minutes“. While these home brew approaches are interesting and educational, building and maintaining an effective, competitive model takes a lot longer than 5 minutes.

To stay competitive with machine learning one must constantly beef up the training data to include new and diverse samples, engineer better features, refine old features, tune model hyper parameters, research new models, and so on. To this end, I’ve been researching how to use multiple models to improve detection accuracy. The intuition is that different models may have different strengths and weaknesses and as the number of models which agree increases, you can be more certain. Using multiple model’s isn’t new. It’s a common technique generally agreed to improve accuracy, and we already use it in some places. However, I wanted to quantify how much can it improve accuracy and which combination of models would work best. In this post, I’m going to share my findings and give some ideas for future research.

Selecting the Algorithms

If you want to use multiple models, the first question is which learning algorithms to use. Intuitively, you want strong models which make different mistakes. For example, if one model is wrong about a particular file, you want your other models to not be wrong. In other words, you want to minimize the size of the intersection of the sets of misclassified files between models. In this way, three strong models which make the same mistakes may not perform as well as one strong model with two weaker models which make entirely different mistakes.

I picked three models which I hoped would perform differently: random forestmulti-layer perceptron, and extra trees. Random forests, which I’ve explained previously and extra trees are both ensemble algorithms which use decision trees as a base estimator, but I figured I could use very different parameters for each and get different results.

For evaluating the performance of multiple models, consider that when a model judges a file, there are four outcomes:

  1. true positive (TP) – file is bad and model says bad
  2. true negative (TN) – file is good and model says good
  3. false positive (FP) – file is good but model says bad
  4. false negative (FN) – file is bad but model says good

In the anti-virus industry, the most important metric for a model is the FP rate. If you detect 100% of malware but have an FP rate of only 0.1%, you’ll still be deleting 1 in 1,000 benign files which will probably break something important (like the operating system). The second most important metric is the TP rate, or the detection rate. This is how many malicious files you detect and these two rates are usually antagonistic. Improving the TP rate usually means increasing the FP rate, and vice versa.

Since FPs are so important to avoid, I decided to evaluate model combinations by measuring how much the FP sets overlap. The less they overlap, the better. This isn’t very rigorous, but it’s fast. I prefer to get quick results, build my intuition, and get more rigorous as I iterate. In a perfect world with unlimited time, CPU power, and memory, I would setup a grid search to find the ideal parameters for a dozen models and then build another grid search to find the ideal way to combine the models. Unfortunately, this could take weeks. By doing some quick experiments, I can find out if the idea is worth perusing, possibly come up with a better test, and save a lot of time by eliminating certain possibilities.

Building the Models

The training data consisted of features from a wide variety of about 1.7 million executables, about half of which were malicious. The data were vectorized and prepared by removing invariant features, normalizing, scaling, and agglomerating features. Decision trees don’t care much about scaling and normalizing, but MLP and other models do. By limiting the number of features to 1000, training time is reduced and previous experiments have shown that it doesn’t degrade model performance much. Below is the code for preparing the matrix:

import sklearn as skl
import sklearn.feature_selection
import gc

variance = skl.feature_selection.VarianceThreshold(threshold=0.001)
matrix = variance.fit_transform(matrix)

normalize = sklearn.preprocessing.Normalizer(copy=False)
matrix = normalize.fit_transform(matrix)

# Converts matrix from sparse to dense
scale = skl.preprocessing.RobustScaler(copy=False)
matrix = scale.fit_transform(matrix.toarray())

# Lots of garbage to collect after last step
# This may prevent some out of memory errors
gc.collect()

fa = sklearn.cluster.FeatureAgglomeration(n_clusters=1000)
matrix = fa.fit_transform(matrix)

The random forest (RF), extra trees (ET), and multi-layer perceptron (MLP) models were built using the SKLearn Python library from the prepared matrix.

Testing the Models

The strongest performing model was the random forest with extra trees coming in a close second. The lackluster MLP performance is likely due to bad tuning of hyper parameters but it could just be a bad algorithm for this type of problem.

Below is the table of results showing the number of FPs from each model and the number of FPs in the intersection between each model and every other model:

Model FPs ∩ RF ∩ MLP ∩ ET
RF 3928 3539 2784
MLP 104356 3539 3769
ET 4302 2784 3769

The FPs common between all models is 2558. This means that all three models mistakenly labeled 2558 of the files as malicious when they were actually benign. The best way to minimize FPs is to require that all three models agree a file is malicious. With these three models, this would decrease the false positive rate by 35%. For example, instead of using just a random forest and getting 3928 FPs, if all models had to agree, the FPs would be limited to just 2558.

Requiring all models agree is a highly conservative way to combine models and is the most likely to reduce the TP rate. To measure the TP rate reduction, I checked the size of the intersections of TPs between the models. The table below shows the figures:

Model TPs ∩ RF ∩ MLP ∩ ET
RF 769043 759321 767333
MLP 761807 759321 758488
ET 768090 767333 758488

As with FPs, the RF model performed the best with the ET model lagging slightly behind. The intersection of TPs between all models was 757880. If all models were required to agree a file was malicious, this means the TP rate would only decrease 1.5%.

Below is roughly the code I used to collect FPs and TPs:

# matrix contains vectorized data
# indicies contains array of sample sha256 hashes
# labels contains array of sample labels - True=malicious, False=benign
def get_tps(labels, predicted, indicies):
    tps = set()
    for idx, label in enumerate(labels):
        prediction = predicted[idx]
        if label and prediction:
            tps.add(indicies[idx])
    return tps


def get_fps(labels, predicted, indicies):
    fps = set()
    for idx, label in enumerate(labels):
        prediction = predicted[idx]
        if not label and prediction:
            fps.add(indicies[idx])
    return fps

# Fit the classifier
mlp = skl.neural_network.MLPClassifier()
mlp.fit(matrix, labels)

# Make predictions and collect FPs and TPs
mlp_predicted = skl.model_selection.cross_val_predict(mlp, matrix, labels, cv=10)
mlp_fps = get_fps(labels, predicted, indicies)
mlp_tps = get_fps(labels, predicted, indicies)

# rf_fps contains random forest FPs
print(rf_fps.intersection(mlp_fps))

Conclusion

This research suggests that by using multiple models one could easily reduce FPs by about a third with only a tiny hit to the detection rate. This seems promising, but the real world is often more complicated in practice. For example, we use many robust, non-AI systems to avoid FPs so the 35% reduction likely wouldn’t affect all file types equally and most of the FP reduction might be covered by such pre-existing systems. This research only establishes an upper bound for FP reductions. There’s also engineering considerations for model complexity and speed that need to be taken into account. I’m using Python and don’t care how slow models are, but implementing the code in C and making it performant might be quite tricky.

The extra trees worked better than expected. I did very little tuning yet it was strong and had fairly different false positives than the random forest model. The MLP model may, with enough tuning, eventually perform well, but maybe it’s a bad model for the number and type of features. I’m eager to try with an SVC model, but SVC training time grows quadratically so I’d need to use a bagging classifier with many smaller SVCs.

There are many different ways to combine models — voting, soft voting, blending, and stacking. What I’ve described here is a variant of voting. I’d like to experiment with stacking which works by training multiple models, then using the output of those models as features into a “second layer” model which figures out how to best combine the models. Since I’m most interested in minimizing false positives, I’ll have to compare stacking performance versus requiring all models agree. It may be possible to weight benign samples so models favor avoiding false positives while training without sacrificing detection rates.

The main bottleneck for this research is computing speed and memory. I may be able to just use a smaller training set. I can find out how small the training set can be by training on a subset of the data and testing the performance against the out-of-sample data. Another option is to switch from SKLearn to TensorFlow GPU which allows me to take advantage of my totally justified video card purchase.


  • 0

SentinelOne Expands Business Development Practice With Launch of S1 Nexus Technology Alliance and Integration Program

Category : Sentinel One

New Program Will Create Extended Ecosystem of Partners Able to Leverage SentinelOne’s Advanced Endpoint Protection Technologies

SentinelOne, the company transforming endpoint protection by delivering unified, multi-layer protection driven by machine learning and intelligent automation, today announced S1 Nexus, the company’s technology alliance and integration program. This formal business development program expands on an initial partnership with Fortinet and will create an extended ecosystem of partners who can integrate or enable interoperability with the SentinelOne Endpoint Protection Platform (EPP).

“The creation of S1 Nexus will further amplify the profound impact that our endpoint technologies have on keeping businesses secure,” said Tomer Weingarten, chief executive officer of SentinelOne. “Expanding our ecosystem via technology alliances and integrations will enable other best-of-breed security, networking and cloud companies to embed additional layers of security within their products, ultimately creating a more secure end-user environment.”

The S1 Nexus program will enable integration partners to incorporate SentinelOne technologies into their products and solutions by providing access to SentinelOne APIs. Integration partners will leverage the SentinelOne EPP engines to bolster the security functionality of their products. Alliance and platform partners will be provided interoperability with SentinelOne solutions for strengthened security posture. Partners will also receive co-marketing support and promotion of joint offerings.

SentinelOne has brought Daniel Bernard on board as vice president of business development to lead the S1 Nexus program. In his role, Bernard will source and manage global alliance and technology integration partners to complement the go-to-market team. Previously, Bernard was a founding member of Dropbox’s partnership team, creating and leading its partnership with one of the world’s largest PC manufacturers. He also helped lead the build-out of Cylance’s international field operations during its global expansion.

“SentinelOne has hit a number of significant milestones this year which strongly position the company as the ideal solution for threat prevention, automated response and remediation — all in a singular portable agent,” said Bernard. “Through our use of AI engines to power both static and behavioral analysis, SentinelOne’s technology is the most advanced and extensible technology in this space. Now that we are offering a robust set of APIs to develop a full ecosystem, there’s significant opportunity for partners to benefit from integrating our technology.”

Fortinet was SentinelOne’s first integration partner. Together, Fortinet and SentinelOne provide unparalleled visibility of threats by pairing Fortinet’s network security solutions with SentinelOne’s advanced endpoint capabilities. Threat intelligence from the endpoint is automatically generated and shared to FortiGate enterprise firewalls using Fortinet’s FortiClient Fabric Agent, giving IT unified visibility and control over their entire security infrastructure using FortiOS.


  • 0

SentinelOne Virtual Appliance, Cloud When You Want It, On-premises When You Need It

Category : Sentinel One

We are pleased to announce the immediate availability of the SentinelOne Virtual Appliance for customers who prefer to have their security consoles running in their own data centers.  SentinelOne has been serving the needs of these customers from our early days, but the new appliance cuts down the complexity in setting up the console on-premises.

Earlier, customers would set up the console on the right hardware (or on a VM with enough horsepower).  They had to make sure that all the dependent libraries and toolchain were available on the OS, run the console installer, install the certificate and start the console service.  This involved some pre-install prep and about an hour or two with a SentinelOne support engineer.  This complexity limited our velocity and only the largest and most motivated customers would go through this process.

With the Virtual Appliance, we are now the first (and only) next-generation endpoint solution to offer the same functionality on-premises and in the cloud.  The setup time is similar in both cases – within 15 minuteswe will be able to get you to log into the console and start deploying to your systems.

The virtual appliance is designed to run on all popular virtual infrastructure, scale with your deployment, hardened to protect against vulnerabilities and can be updated with the click of a button.  The appliance can be run on VMware, HyperV or even VirtualBox (for evals).  The default configuration can handle up to 1,000 devices and scaling to larger sizes involves adding more vCPUs, memory and disk.  The appliance also comes with monitoring scripts to help you maintain uptime and upgrade scripts for patching and installing server updates.

We welcome all defense contractors, federal agencies, FiServs, foreign governments, lab rats and anyone interested to try out our new Virtual Appliance.

Source: https://sentinelone.com/2017/07/21/sentinelone-virtual-appliance-cloud-when-you-want-it-on-premises-when-you-need-it/

Author: Raj Rajamani


  • 0

A Closer Look at SentinelOne

Category : Sentinel One

Date and time:
July 20th, 2017 at 10am PT | 1pm ET
Speakers: 
Rajiv Raghunarayan, SentinelOne Vice President, Product Marketing
Description:
Our R&D teams have had a busy year thus far and we would like to invite you to learn more about recent releases and updates made to the SentinelOne platform.
Rajiv, our VP of Product Marketing, will lead you through the changing threat landscape and provide an overall platform update.  Including:
  • VDI – full memory protection, threat visibility on decommissioned devices, and more
  • Updates to On-Premise Appliance for Fed, Gov, and GDPR use cases
  • A brief demo of SentinelOne with AWS workspaces
  • Highlights about recent ransomware attacks and our new executive team

Register now!


  • 0

Petya/NotPetya Ransomware: What you need to know

Category : Sentinel One

Our SentinelOne research team is actively monitoring the Petya/NotPetya ransomware outbreak and we will update this blog post as more technical information about this attack is discovered. SentinelOne is proactively protecting customers against this latest strain. All SentinelOne customers using SentinelOne Enterprise Protection Platform are proactively protected against this outbreak.* Customers should also ensure that all machines have installed the latest Windows updates.
 

As with all cyber attacks that spread as quickly as what we have seen today, there is always much speculation in the initial phases of the attack as researchers quickly come up to speed on the technical nuance of what the attack is and how it is spreading.

What we know right now:

  • We have found that the outbreak is using the EternalBlue exploit to spread laterally.
  • We have also confirmed that it spreads through SMB using the psexec tool.
  • This attack does appear to be using a similar method of collecting Bitcoin ransom that WannaCry had used, using only a small number of wallet address. The ransom demand is ~$300 USD.
  • The email address used in the ransom request has since been shut down. This means that anyone that chooses to pay the ransom, may have difficulty retrieving their decryption key.
  • Unlike WannaCry, we have yet to see if this outbreak has a kill switch, though we have found that once executed, it overwrites the Master Boot Record and is then allowed to spread for an hour before forcing the machine to reboot.
  • In addition, this outbreak has similar characteristics as Petya, such as infecting the MBR and encrypting files on the drive;** however, it is not clear yet that this is a Petya variant. Some reports are indicating that this is an entirely new form of ransomware, hence NotPetya.

Please stay tuned for more information as it becomes available.

*UPDATE: 6/28/17 – 07:05 PDT: Removed “version .8.2.2570 and later are protected” from an earlier draft; all customers are proactively protected.

**UPDATE: 6/27/17 – 15:20 PDT: An earlier draft indicated that Petya could infect the MBR and encrypt the entire drive; in fact, it encrypts files on the drive.

Source: https://sentinelone.com/blogs/petyanotpetya-ransomware-need-know/


  • 0

How Should We Think About Securing Critical Infrastructure?

Category : Sentinel One

In the first part of the afternoon panel discussion, General Michael V. Hayden, Former Director of the CIA and the NSA, Dr. Douglas Maughan, Division Director, Cybersecurity Division, DHS/S&T/HSARPA, Tim Conway, Technical Director – ICS & SCADA programs, SANS, Steve Orrin, Federal Chief Technologist, Intel Corp., and Jeremiah Grossman, Professional Hacker and Chief of Security Strategy, SentinelOne, explored solutions for making critical infrastructure more resilient.

Some of the questions addressed were:
– To what extent have we secured the grid infrastructure today?
– What options are available to secure the grid?
– What are the long-term solutions?
– Who is working on these solutions?
– How does the regulatory structure in the US facilitate or impair grid resilience?

Co-hosted by the Siebel Scholars program and the Siebel Energy Institute, the conference examined the frequency, nature, sources, and potential impact of cyber-attacks on U.S. critical infrastructure, with a concentration on the power grid. Learn more at http://gridcybersecurity.org/.


  • 0

SentinelOne Joins Fortinet Fabric-Ready Program to Integrate Advanced Endpoint Protection with the Fortinet Security Fabric

Category : Sentinel One

UNNYVALE, Calif., June 5, 2017

John Maddison, vice president of products and solutions at Fortinet

“A rapid and coordinated response is critical to defend against today’s threats. The Fortinet Security Fabric has the breadth to scale across the entire enterprise infrastructure and the Fortinet Fabric-Ready partner program enables customers to apply the benefits of the Security Fabric to their multi-vendor environments. Working with SentinelOne helps our joint customers seamlessly integrate next-generation endpoint protections with Fortinet’s broad, powerful and automated security fabric.”

Tomer Weingarten, CEO of SentinelOne

“This new partnership with Fortinet is another significant step in changing the face of endpoint protection and replacing the old guard of legacy antivirus software on a global scale. Traditional antivirus products can’t keep pace with the evolving threat landscape and companies have relied on outdated technologies for far too long. Through this partnership, our mutual customers can now seamlessly integrate SentinelOne’s next generation endpoint protection solution, which is designed to meet the realities of today’s threat landscape.”

News Summary

Fortinet® (NASDAQ: FTNT), the global leader in high-performance cybersecurity solutions, and SentinelOne, the company transforming endpoint protection, today announced a Fabric Ready partnership to deliver SentinelOne’s next-generation endpoint protection combined with the advanced defenses of the Fortinet Security Fabric. The Fortinet and SentinelOne integrated security solution delivers a comprehensive security architecture that spans networked, application, cloud and mobile environments to provide seamless protection against today’s advanced cyber threats.

Closing the Gap Between Detection and Response

As recent high-profile attacks have highlighted, the time between malware’s initial network penetration to a full-blown outbreak can be measured in minutes. This means that effectively combatting today’s advanced and targeted cyberattacks requires tight integration between security solutions that can detect existing and new threats and automatically respond within seconds.

Joining Fortinet’s Fabric-Ready program, SentinelOne Endpoint Protection Platform is now validated within the Fortinet Security Fabric to deliver automated, next-generation defenses to endpoints and servers. This cooperative approach enables zero-touch mitigation, containment and remediation capabilities to rapidly eliminate threats. In addition, threat intelligence from the endpoint is automatically generated and shared to FortiGate enterprise firewalls using Fortinet’s FortiClient Fabric Agent, giving IT unified visibility and control over their entire security infrastructure using FortiOS.

SentinelOne’s next-generation total Endpoint Protection Platform unifies prevention, detection, and response in a single platform driven by sophisticated machine learning and intelligent automation, enabling IT to predict malicious behavior across major threat vectors, exploits, script-based, and file-less attacks in real-time and without waiting for updated threat signatures.

These capabilities combined with Fortinet’s high-performance FortiGate enterprise firewalls mitigates exposure to network threats and enables resource intensive content processing features like SSL inspection and secure VPN connectivity without degrading network or security performance. The Fortinet Security Fabric’s integrated, collaborative and adaptive architecture integrated with SentinelOne delivers security without compromise that addresses the most critical security challenges from IoT to the Cloud.

Partnering to Solve Today’s IT Security Challenges

The Fabric-Ready Partner Program opens the functionality of the Fortinet Security Fabric to complementary solutions. As part of the program SentinelOne and Fortinet will work together to validate technology integration with the Security Fabric, are committed to sharing roadmaps for consistent interoperability, and will benefit from joint go-to-market initiatives.

The Fabric-Ready program enables customers and channel partners to have greater confidence in their existing technology investments and Security Fabric offerings knowing that security solutions are proactively validated and ready for deployment. This integration reduces deployment times and technical support demands while delivering enhanced interoperability for more effective and responsive end-to-end security.

 Supporting Quotes

“Using DFI for prevention, and combining behavioral-based detection of threats and exploits, gives our mutual customers complete coverage from every vector of attack,” said Weingarten. “Coupled with real-time visibility and automated remediation, SentinelOne’s approach changes the way that customers can protect against advanced, targeted cyber threats, and the integration with Fortinet means our customers are getting two best-of-breed products that work together seamlessly.”


  • 0

Evaluating Security Solutions Across the Kill Cyber Chain

Category : Sentinel One

The Cyber Kill Chain is an intelligence-led, trademarked framework developed by Lockheed Martin in 2011, following intrusion activity against their organization by threat actors of a
persistent and sophisticated nature.

The kill chain measures the effectiveness of security
assets across all types of threats, including Advanced Persistent Threats (APTs).

Not all threats are APTs, but advanced capabilities have begun to filter down to run-of-the-mill attackers.

Cyber Kill Chain

 


Support