Category Archives: Sentinel One

A Closer Look at SentinelOne

Category : Sentinel One

Date and time:
July 20th, 2017 at 10am PT | 1pm ET
Rajiv Raghunarayan, SentinelOne Vice President, Product Marketing
Our R&D teams have had a busy year thus far and we would like to invite you to learn more about recent releases and updates made to the SentinelOne platform.
Rajiv, our VP of Product Marketing, will walk you through the changing threat landscape and provide an overall platform update, including:
  • VDI – full memory protection, threat visibility on decommissioned devices, and more
  • Updates to On-Premise Appliance for Fed, Gov, and GDPR use cases
  • A brief demo of SentinelOne with AWS workspaces
  • Highlights about recent ransomware attacks and our new executive team

Register now!

Petya/NotPetya Ransomware: What you need to know

Our SentinelOne research team is actively monitoring the Petya/NotPetya ransomware outbreak and we will update this blog post as more technical information about this attack is discovered. SentinelOne is proactively protecting customers against this latest strain. All SentinelOne customers using SentinelOne Enterprise Protection Platform are proactively protected against this outbreak.* Customers should also ensure that all machines have installed the latest Windows updates.

As with all cyber attacks that spread as quickly as what we have seen today, there is always much speculation in the initial phases of the attack as researchers quickly come up to speed on the technical nuance of what the attack is and how it is spreading.

What we know right now:

  • We have found that the outbreak is using the EternalBlue exploit to spread laterally.
  • We have also confirmed that it spreads through SMB using the psexec tool.
  • This attack appears to use a method of collecting the Bitcoin ransom similar to WannaCry's, relying on only a small number of wallet addresses. The ransom demand is ~$300 USD.
  • The email address used in the ransom request has since been shut down. This means that anyone who chooses to pay the ransom may have difficulty retrieving their decryption key.
  • Unlike WannaCry, we have yet to see whether this outbreak has a kill switch, though we have found that once executed, it overwrites the Master Boot Record and is then allowed to spread for an hour before forcing the machine to reboot.
  • In addition, this outbreak has similar characteristics as Petya, such as infecting the MBR and encrypting files on the drive;** however, it is not clear yet that this is a Petya variant. Some reports are indicating that this is an entirely new form of ransomware, hence NotPetya.

Please stay tuned for more information as it becomes available.

*UPDATE: 6/28/17 – 07:05 PDT: Removed “version .8.2.2570 and later are protected” from an earlier draft; all customers are proactively protected.

**UPDATE: 6/27/17 – 15:20 PDT: An earlier draft indicated that Petya could infect the MBR and encrypt the entire drive; in fact, it encrypts files on the drive.

How Should We Think About Securing Critical Infrastructure?

In the first part of the afternoon panel discussion, General Michael V. Hayden, Former Director of the CIA and the NSA, Dr. Douglas Maughan, Division Director, Cybersecurity Division, DHS/S&T/HSARPA, Tim Conway, Technical Director – ICS & SCADA programs, SANS, Steve Orrin, Federal Chief Technologist, Intel Corp., and Jeremiah Grossman, Professional Hacker and Chief of Security Strategy, SentinelOne, explored solutions for making critical infrastructure more resilient.

Some of the questions addressed were:
– To what extent have we secured the grid infrastructure today?
– What options are available to secure the grid?
– What are the long-term solutions?
– Who is working on these solutions?
– How does the regulatory structure in the US facilitate or impair grid resilience?

Co-hosted by the Siebel Scholars program and the Siebel Energy Institute, the conference examined the frequency, nature, sources, and potential impact of cyber-attacks on U.S. critical infrastructure, with a concentration on the power grid. Learn more at

SentinelOne Joins Fortinet Fabric-Ready Program to Integrate Advanced Endpoint Protection with the Fortinet Security Fabric

SUNNYVALE, Calif., June 5, 2017

John Maddison, vice president of products and solutions at Fortinet

“A rapid and coordinated response is critical to defend against today’s threats. The Fortinet Security Fabric has the breadth to scale across the entire enterprise infrastructure and the Fortinet Fabric-Ready partner program enables customers to apply the benefits of the Security Fabric to their multi-vendor environments. Working with SentinelOne helps our joint customers seamlessly integrate next-generation endpoint protections with Fortinet’s broad, powerful and automated security fabric.”

Tomer Weingarten, CEO of SentinelOne

“This new partnership with Fortinet is another significant step in changing the face of endpoint protection and replacing the old guard of legacy antivirus software on a global scale. Traditional antivirus products can’t keep pace with the evolving threat landscape and companies have relied on outdated technologies for far too long. Through this partnership, our mutual customers can now seamlessly integrate SentinelOne’s next generation endpoint protection solution, which is designed to meet the realities of today’s threat landscape.”

News Summary

Fortinet® (NASDAQ: FTNT), the global leader in high-performance cybersecurity solutions, and SentinelOne, the company transforming endpoint protection, today announced a Fabric Ready partnership to deliver SentinelOne’s next-generation endpoint protection combined with the advanced defenses of the Fortinet Security Fabric. The Fortinet and SentinelOne integrated security solution delivers a comprehensive security architecture that spans networked, application, cloud and mobile environments to provide seamless protection against today’s advanced cyber threats.

Closing the Gap Between Detection and Response

As recent high-profile attacks have highlighted, the time between malware's initial network penetration and a full-blown outbreak can be measured in minutes. This means that effectively combating today's advanced and targeted cyberattacks requires tight integration between security solutions that can detect existing and new threats and automatically respond within seconds.

Joining Fortinet’s Fabric-Ready program, SentinelOne Endpoint Protection Platform is now validated within the Fortinet Security Fabric to deliver automated, next-generation defenses to endpoints and servers. This cooperative approach enables zero-touch mitigation, containment and remediation capabilities to rapidly eliminate threats. In addition, threat intelligence from the endpoint is automatically generated and shared to FortiGate enterprise firewalls using Fortinet’s FortiClient Fabric Agent, giving IT unified visibility and control over their entire security infrastructure using FortiOS.

SentinelOne’s next-generation total Endpoint Protection Platform unifies prevention, detection, and response in a single platform driven by sophisticated machine learning and intelligent automation, enabling IT to predict malicious behavior across major threat vectors, exploits, script-based, and file-less attacks in real-time and without waiting for updated threat signatures.

These capabilities, combined with Fortinet's high-performance FortiGate enterprise firewalls, mitigate exposure to network threats and enable resource-intensive content processing features like SSL inspection and secure VPN connectivity without degrading network or security performance. The Fortinet Security Fabric's integrated, collaborative and adaptive architecture, integrated with SentinelOne, delivers security without compromise that addresses the most critical security challenges from IoT to the Cloud.

Partnering to Solve Today’s IT Security Challenges

The Fabric-Ready Partner Program opens the functionality of the Fortinet Security Fabric to complementary solutions. As part of the program SentinelOne and Fortinet will work together to validate technology integration with the Security Fabric, are committed to sharing roadmaps for consistent interoperability, and will benefit from joint go-to-market initiatives.

The Fabric-Ready program enables customers and channel partners to have greater confidence in their existing technology investments and Security Fabric offerings knowing that security solutions are proactively validated and ready for deployment. This integration reduces deployment times and technical support demands while delivering enhanced interoperability for more effective and responsive end-to-end security.

Supporting Quotes

“Using DFI for prevention, and combining behavioral-based detection of threats and exploits, gives our mutual customers complete coverage from every vector of attack,” said Weingarten. “Coupled with real-time visibility and automated remediation, SentinelOne’s approach changes the way that customers can protect against advanced, targeted cyber threats, and the integration with Fortinet means our customers are getting two best-of-breed products that work together seamlessly.”

Evaluating Security Solutions Across the Cyber Kill Chain

The Cyber Kill Chain is an intelligence-led, trademarked framework developed by Lockheed Martin in 2011, following intrusion activity against their organization by threat actors of a persistent and sophisticated nature.

The kill chain measures the effectiveness of security assets across all types of threats, including Advanced Persistent Threats (APTs).

Not all threats are APTs, but advanced capabilities have begun to filter down to run-of-the-mill attackers.

Cyber Kill Chain

NSS Labs Webinar: Is your endpoint security worth it?

Date and time: June 8, 2017 at 11am GMT
Mike Spanbauer, NSS VP Research Strategy
Robert Zamani, SentinelOne Executive Director, WW Solutions Engineers
WannaCry Ransomware (WanaCrypt0r) is the biggest ransomware outbreak in history affecting over 200,000 systems in more than 150 countries. It is because of threats like WannaCry that SentinelOne was created. This recent threat proves that it is crucial that you partner with the right endpoint security vendor.
NSS Labs, a leading independent solution testing provider, recently pitted next-generation endpoint protection solutions against real-world threat scenarios to determine which fared best in performance and in TCO. SentinelOne led the pack in both categories, achieving the HIGHEST ROI score of all the vendors:
  • Highest ROI score (2967.8%)
  • 99.79% Security Effectiveness
  • Lowest TCO score
  • “NSS Labs Recommended Rating”

WanaCrypt0r aka WannaCry ransomware wreaks havoc worldwide

The WanaCrypt0r ransomware hit with a vengeance on Friday, with the outbreak beginning in Europe, striking hospitals and other organizations, then quickly spreading across the globe. As of 1:00pm Pacific Time, it is believed more than 57,000 systems in more than 74 countries had been affected.

Researchers at SentinelOne have determined that the Endpoint Protection Platform does successfully detect and block this ransomware strain. Customers are advised to make sure that they are running the latest version.

Additional reports indicate that this ransomware strain was distributed using the EternalBlue exploit that was released by the ShadowBrokers in April. This vulnerability was patched by Microsoft (MS17-010) before ShadowBrokers released the exploit. This shows that in the real world keeping up to date with patches and critical updates can be difficult, but it is a crucial step for all organizations.

Watch SentinelOne’s advanced machine learning engines at work against WannaCry:

Limitations of Artificial Intelligence

At SentinelOne, we often tout machine learning and behavioral detection as the epitome of malware prevention, mitigation, and remediation. This is true—but only because we do it the right way. Our systems are trained correctly and supported by a host of interlocking features such as cloud intelligence. This is the second of a two-part series about the pros and cons of AI in security—and what might happen if it goes wrong.

In our last article in this series, we looked at a couple of ways in which hackers have tried to fool AI. We saw how hackers could get around machine learning software using malware that the AI wasn't trained to recognize, such as fileless malware. We also took a look at ways in which hackers might try to weaponize AI in the future.

Today, we’re going to take a deeper look into the ways that AI can fail. Remember that artificial intelligence, as a science, is still in its infancy. There are different kinds of AI, with different strengths and weaknesses for each. As such, here are the limitations of artificial intelligence as they currently exist.

Limitations of Artificial Intelligence: Static Analysis

Static analysis is one of the earliest forms of machine learning, and the first to be implemented in the form of a security platform. This kind of analysis is well suited to security in this way—it’s able to read code and make predictions about what it will do without actually executing it. For obvious reasons, this works well for mitigating viruses.

On the other hand, this analysis relies on the same kind of pattern-matching that has made signatures obsolete. This is one of the limitations of artificial intelligence in terms of static analysis—once you know how it works, you can game it until it stops working. Similar to how criminals have used “crypting” services to make their malware unrecognizable to traditional AV, there are already projects in place to mutate malware until it defies static analysis.

Enhancing Static Analysis by Recognizing Behavior

How do you strengthen static analysis? In some ways, the answer is paradoxical—when you let a virus execute on an endpoint, you will almost certainly know what it’s trying to do. Once you know what it’s trying to do, you can stop it.

As a quick example, most ransomware works not just by encrypting a user’s files, but also by deleting that user’s shadow copies that would allow them to restore the devices from backup. If a behavioral engine sees a process trying to delete shadow copies, it doesn’t need to know what its code looks like—it just knows that it’s probably up to no good.
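To make the contrast concrete, here is an added example (not SentinelOne's code) that pairs a signature-style static check with a behavioral rule over constructed process-creation events; the samples, hash list, and event shape are all assumptions made up for the illustration:

```python
"""Static signature vs. behavioral rule: why a one-byte mutation defeats the
first but not the second. Added example; all data below is constructed."""
import hashlib
import re

# Constructed "malware" sample and a mutated copy that differs by one byte,
# which is all a crypting service needs to change the file's hash.
ORIGINAL = b"MZ\x90\x00 constructed sample body, not real malware"
MUTATED = ORIGINAL.replace(b"constructed", b"Constructed")

# Static check: a deny list of SHA-256 hashes of files already seen as bad.
KNOWN_BAD_HASHES = {hashlib.sha256(ORIGINAL).hexdigest()}


def static_verdict(sample: bytes) -> bool:
    """True if the file's hash is on the deny list (signature-style match)."""
    return hashlib.sha256(sample).hexdigest() in KNOWN_BAD_HASHES


# Behavioral rule: any process that tries to delete Volume Shadow Copies is
# flagged, no matter what the executable that launched it looks like on disk.
SHADOW_DELETE_PATTERNS = [
    re.compile(r"\bvssadmin(?:\.exe)?\s+delete\s+shadows\b", re.I),
    re.compile(r"\bwmic(?:\.exe)?\s+shadowcopy\s+delete\b", re.I),
]


def behavioral_verdict(event: dict) -> bool:
    """True if a process-creation event's command line is a shadow copy deletion."""
    cmd = event.get("command_line", "")
    return any(p.search(cmd) for p in SHADOW_DELETE_PATTERNS)


# Constructed process-creation events in the shape an endpoint sensor reports.
EVENTS = [
    {"pid": 4120, "image": r"C:\Users\alice\invoice.exe",
     "command_line": "invoice.exe"},
    {"pid": 4133, "image": r"C:\Windows\System32\vssadmin.exe",
     "command_line": "vssadmin.exe Delete Shadows /All /Quiet", "parent_pid": 4120},
    {"pid": 4140, "image": r"C:\Windows\System32\cmd.exe",
     "command_line": "cmd.exe /c dir"},
]


def flagged_pids(events) -> list:
    """PIDs of events the behavioral rule would block."""
    return [e["pid"] for e in events if behavioral_verdict(e)]


if __name__ == "__main__":
    print("static, original sample:", static_verdict(ORIGINAL))  # True
    print("static, mutated sample:", static_verdict(MUTATED))    # False
    print("behavioral, flagged PIDs:", flagged_pids(EVENTS))     # [4133]
```

The mutated sample slips past the hash check, but the behavioral rule still catches the shadow copy deletion it launches (pid 4133), which is the point the paragraph above makes.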

SentinelOne—the Best of Both Worlds

SentinelOne is in some ways based on the idea that no single solution is going to be 100% effective at mitigating attacks. The platform replaces defense in depth while partially replicating its philosophy—or in other words, SentinelOne relies on both static and behavioral analysis.

Static analysis does most of the heavy lifting in this scenario. Most users will never see malware get a chance to execute, as it will be instantly recognized and deleted. On the off chance that malware does get past, its actions will be recognized, mitigated, and remediated. During the NSS test in which SentinelOne won a recommended rating, one of the only samples to get by literally sat on a virtual machine and did nothing. Once it executed on bare metal, it was immediately caught.

There is no theoretical upper limit for the power of AI. At present, what we can do may feel very limited, but the results speak for themselves. For more information on how SentinelOne is advancing the power of AI in information security, contact us today.

SentinelOne Enterprise Risk Index

SentinelOne’s new Enterprise Risk Index (ERI) provides new evidence of the proportion of attacks that simply cannot be stopped by traditional, static, file inspection security solutions. It’s further proof that attack methods have rendered AV redundant. The ERI is intended as a resource on the commonly encountered threat vectors seen in production environments, as well as insight into the tools, tactics, and procedures of malicious attackers.

Organizations can use the ERI as a benchmark against the type and mix of threat activity appearing in any enterprise environment, and as an opportunity to step towards board-level metrics for cyber security investments.

Based on filtered data obtained from the second half of 2016 from more than one million SentinelOne agents deployed worldwide, the key findings are:

  • The growing menace of in-memory attacks: in this timeframe, we found that these attacks have doubled in comparison to the infection rates of file based vectors.
  • Endpoint protection technology that is agnostic to threat vectors will be increasingly important as new attack methods become mainstream, evidenced by the trend in in-memory attacks.
  • Even for file-based attacks we can’t rely on AV: the report highlights that only 20% of threats had corresponding signatures from existing AV engines.

Our hope is that organizations can use this to sharpen their understanding of the threats that succeed in reaching the final barrier in enterprise defences, the SentinelOne agent. It is a reality check and a catalyst to audit investments made in cyber security and their expected results.

Click here to download the full report.

Preventing Ransomware Attacks Becomes Vital in Healthcare

The deluge of ransomware attacks in 2016 on hospitals and other healthcare facilities plastered headlines. It even seemed that healthcare could be the most susceptible industry to face such attacks. Facilities providing critical care rely on access to up-to-date information from patient records or face delays that could cause malpractice or even death. With a high-pressure environment, healthcare facilities are more likely to pay for files so they aren’t facing costly consequences.

As a highly regulated industry, healthcare facilities often put HIPAA compliance at the top of the concerns list. While security is equally important, it often does not receive the same attention, which is a dangerous oversight considering the growing number of endpoints.

BYOD strategies that help strengthen communications and patient care are opening up entities to ransomware threats. As data moves out of the core there needs to be more proactive protections in place. It only takes one click or download by an unknowing employee to compromise the organization’s network.

In a report by Ponemon Institute, eighty percent of those surveyed said that their mobile endpoints were the target of malware in the past year. The same study reported “the majority of respondents felt that endpoint devices were the biggest threat to business cybersecurity. Forty-three percent of organizations said that laptops are the greatest endpoint threat, followed by smartphones at 30 percent, tablets at 19 percent, and USB sticks at 6 percent.”

To ensure that you’re preventing ransomware attacks, it’s vital to educate employees on how to safely use their endpoint devices, but there is also more that can be done to defend against ransomware.

Critical Steps to Preventing Ransomware

  • Back up data daily so that bad actors have less power to extort healthcare facilities. Backups should be stored securely in the cloud, and local backups should be kept on air-gapped devices. Once the backup has been performed, drives should be disconnected so the backup drives cannot be encrypted in the case of an attack.
  • Block email attachments that are generally not used by employees, including JavaScript (JS) and Visual Basic (VBS) files, executables (.exe), screensaver files (SCR), and Windows Shortcut File (.lnk).
  • Educate users on double extensions and configure computers to display the extensions. Then users will be able to identify malicious files if they see a name like PatientRecord.xlsx.scr.
  • Macros are a common hiding place for malware. Configure Microsoft Office to block macros or require manual permission to run them.
  • Consider disabling Windows PowerShell if not in use.
  • Use software management tools so that patches are completed in a timely manner.
  • Segment the network so that if a breach occurs, not all data is encrypted.
  • Block end users from visiting malicious sites through the company network.
  • Block all unused ports on computers.
  • After training employees on cybersecurity best practices, complete simulated attacks to test the staff’s knowledge.
  • Use a next generation endpoint security solution.
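The attachment-blocking and double-extension steps above can be combined into one gateway check. The following is an added example (not from the original post) that classifies constructed attachment names; the decoy-extension list and the handling of trailing spaces and dots are assumptions chosen for the illustration:

```python
"""Mail-gateway attachment filter for the extensions the post recommends
blocking, with double-extension detection. Added example; sample names are constructed."""
from dataclasses import dataclass

# Extensions the post recommends blocking at the mail gateway.
BLOCKED_EXTENSIONS = {"js", "vbs", "exe", "scr", "lnk"}
# Document-looking extensions used as the visible half of a double extension
# (assumed list; extend to match what your users actually exchange).
DECOY_EXTENSIONS = {"pdf", "doc", "docx", "xls", "xlsx", "txt", "jpg", "png"}


@dataclass
class Verdict:
    allowed: bool
    reason: str


def classify_attachment(filename: str) -> Verdict:
    """Decide whether an attachment should be delivered.

    Windows runs a file according to its *last* extension, so that is what is
    checked. Case is normalised and trailing spaces/dots are stripped, because
    some clients hide them and they would otherwise defeat a naive suffix test.
    """
    name = filename.strip().rstrip(". ").lower()
    parts = name.split(".")
    if len(parts) < 2:
        return Verdict(True, "no extension")
    final_ext = parts[-1]
    if final_ext in BLOCKED_EXTENSIONS:
        if len(parts) >= 3 and parts[-2] in DECOY_EXTENSIONS:
            return Verdict(False,
                           f"double extension: looks like .{parts[-2]}, runs as .{final_ext}")
        return Verdict(False, f"blocked type .{final_ext}")
    return Verdict(True, f"allowed type .{final_ext}")


# Constructed attachment names, including the post's PatientRecord.xlsx.scr.
SAMPLES = [
    "PatientRecord.xlsx.scr",
    "Invoice.PDF.exe",
    "schedule.xlsx",
    "README",
    "script.JS ",
    "notes.txt.",
]


def filter_attachments(names) -> list:
    """Return only the names that would be delivered."""
    return [n for n in names if classify_attachment(n).allowed]


if __name__ == "__main__":
    for n in SAMPLES:
        v = classify_attachment(n)
        print(f"{n!r:28} {'ALLOW' if v.allowed else 'BLOCK'}  {v.reason}")
```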

Your Healthcare Facility Doesn’t Have to Be a Statistic

We’re observing ransomware attacks evolve into cunning threats that even the most trained security professionals could miss. That’s why it’s vital for all healthcare facilities to take steps today to protect themselves, their data, and patients’ privacy.

Cybersecurity must be given as much attention as HIPAA compliance because they go hand-in-hand. If a ransomware attack occurred, HIPAA rules require the breach to be reported if the protected health information has been accessed or encrypted. The only exception to this is if the healthcare organization can demonstrate that there was a low probability that patient data was compromised.

Don’t become a statistic in 2017: contact SentinelOne today for a demonstration of our next generation endpoint security platform that can keep your data safe from ransomware.