We changed our name from IT Central Station: Here's why
Get our free report covering CrowdStrike, Darktrace, Microsoft, and other competitors of FireEye Endpoint Security. Updated: January 2022.
564,997 professionals have used our research since 2012.

Read reviews of FireEye Endpoint Security alternatives and competitors

RS Mukherjee
Senior Information Security Engineer at a retailer with 5,001-10,000 employees
Real User
Top 20
The Storyline feature significantly simplifies the investigation and research related to threats
Pros and Cons
  • "The Storyline feature has significantly affected our incident response time. Originally, what would take us hours, now it takes us several minutes."
  • "There is an area of improvement is agent health monitoring, which would give us the ability to cap and manage resources used by the SentinelOne agent. We had issues with this in our environment. We reached out to SentinelOne about it, and they were very prompt in adding it into their roadmap."

What is our primary use case?

There are four use cases:

  1. Endpoint visibility.
  2. Endpoint protection, which includes detection, protection, and error response. We use this for protection endpoints as well.
  3. Provides historical loss of any events or changes in files that may have happened in the last 90 days.
  4. Threat hunting, which we use to troubleshoot applications.

There are different versions. The SaaS portal has a different version. The agents for each operating system have a different version. For the SaaS platform, we are on the current release. For the agents, we are one behind the current GA release.

How has it helped my organization?

We have another tool for network analysis. Last night, it detected some suspicious network activity for a machine that was making an outbound action to a spacious external entity. So, it raised an alert. Other than being a network tool, it couldn't provide any information as to why it suddenly started doing this. As far as response and running through our playbook, the first steps were for the SOC to go and reach out to our engineering teams to see if any users caused what happened. That took them almost until the end of the day. Finally, they came back, and said, "There is nothing that we can see." Then, I went into SentinelOne, spending about 15 minutes, and was able to determine exactly:

  • What process caused the activity.
  • The reason for it. 
  • The user.
  • The command line running that caused it.
  • What addresses it tried to communicate out, since the network tool wasn't able to capture all the IP addresses. 

We were able to determine it was a process that one of our engineers had set up and forgot about. It took us almost an entire day for the SOC to get a response from a person on that. Whereas, we were able to get that information directly from SentinelOne in less than 15 minutes.

SentinelOne's automation has increased analyst productivity. It can automate actions on a threat, such as, kill/quarantine, remediate, and then roll back. All those automation processes have significantly helped us in making our SOC more effective.

What is most valuable?

All the features are valuable. Their core product, EDR, is pretty good. We utilize the entire functionality of the feature set that they have to offer with their core product. For EDR, we are using all their agents: the Static AI and Behavioral AI technologies as well as their container visibility engine.

We use SentinelOne’s Storyline feature to observe all OS processes quite routinely. When we want to know a bit more details about any threats or want to investigate any suspicious event types, that is when we use the Storyline quite a bit. Its ability to automatically connect the dots when it comes to incident detection is useful. It significantly simplifies the investigation and research related to threats.

Today, we automatically use Storyline’s distributed, autonomous intelligence for providing instantaneous protection against advanced attacks for threat detection. The AI components help tremendously. You can see how the exploits, if any, match to the MITRE ATT&CK framework, then what actions were taken by the AI engine during the detection process or even post detection actions. This is good information that helps us understand a little about the threat and its suspicious activities.

We use the solution’s one-click remediation for reversing unauthorized changes. In most of the groups, we have it automatically doing remediation. We seldom do manual remediation.

What needs improvement?

There is an area of improvement is agent health monitoring, which would give us the ability to cap and manage resources used by the SentinelOne agent. We had issues with this in our environment. We reached out to SentinelOne about it, and they were very prompt in adding it into their roadmap. A couple of months ago, they came back to us and got our feedback on what we thought about their plan of implementing the agent health monitoring system would look like, and it looks pretty good. So, they are planning to release that functionality sometime during the Summer. I have been amazed with their turnaround time for getting concepts turned into reality. 

For how long have I used the solution?

We have been using SentinelOne since early 2020.

What do I think about the stability of the solution?

It has been very stable. There have been no issues so far.

One person is needed for maintenance (me).

What do I think about the scalability of the solution?

It is scalable with the caveat that we have had some challenges within our infrastructure for 20 agents across Linux servers. Beyond that, scalability is not an issue.

8,000 to 9,000 people are using the solution across our entire organization.

We are using SentinelOne as our de facto endpoint protection software. As a result, it is a requirement for every machine in our infrastructure, except for the devices that do not support their agents. So, as our infrastructure continues to grow or shrink, the users of SentinelOne will either increase or decrease, depending on the state of our infrastructure at that specific point in time.

How are customer service and technical support?

The technical support is good and very responsive. 99.99 percent of the time, they have been able to provide satisfactory responses. Whenever we have asked them to join a call that requires their assistance on a priority basis, they have been able to join the call and provide assistance. Whenever they felt that they do not have enough information, they were upfront about it, but they realistically cannot do anything about it because there is a limitation on either SentinelOne agent software or deeper logs would need to be captured in order to provide more information. There has been no situation where support provided an unsatisfactory response.

Which solution did I use previously and why did I switch?

We were previously using Sophos. The primary reason that we switched was Sophos did not provide us the extended capabilities we needed to support our infrastructure, both on-prem and on the cloud. Sophos did not support any of the Kubernetes cluster environmental containers systems on the cloud. It did not have the advanced AI engines that SentinelOne does. Overall, Sophos was very bulky, needing a lot of resources and a number of processes. In contrast, SentinelOne was thinner, very lightweight, and more effective.

How was the initial setup?

The deployment and rollout of SentinelOne are pretty simple. In our environment, we deployed the agents, then we had to remove them from some of the machines because the agent was impacting the performance of those machines. At that time, we found out it wasn't the SentinelOne agent rather an underlying issue on our own system or even the environment that it was in. We had to take SentinelOne out to troubleshoot the root cause, which delayed us a bit in rolling it out to our other infrastructure. That was completely fine. Looking at it from a global and world perspective, the rollout was very simple. 

About 6,000 to 7,000 endpoints took us six to seven months to deploy. Linux took a bit longer to deploy because the tools are not as good for deployment as what is available for Windows and Macs. Using a script, we were able to take care of that. However, we could only do that during maintenance windows, otherwise we couldn't deploy the agents without an approval change.

What about the implementation team?

We did the implementation ourselves. We have several teams responsible for each area:

  • Two to four people for workstations. 
  • Two people for a retail environment
  • Two people for the server infrastructure. 

This provided resource continuity. In case one resource would be unavailable for any reason, then the other resource would be able to continue. Essentially, the deployment needed three people, but we had six for continuity.

What was our ROI?

We saw a return of investment during the first year. We far exceeded our ROI expectations, meeting our ROI expectations within the first year.

The Storyline feature has significantly affected our incident response time. Originally, what would take us hours, now it takes us several minutes.

From an overall perspective, it has reduced our mean time to repair in some cases to less than seconds to a maximum of an hour. Before, it would take days.

What's my experience with pricing, setup cost, and licensing?

The licensing is comparable to other solutions in the market. The pricing is competitive.

We subscribe to the Managed Detection and Response (MDR) service called Vigilance, which is like an extension of our SOC. Vigilance's services help us with mitigating and responding to any suspicious, malicious threats that SentinelOne detects. Vigilance takes care of those. 

We also pay for the support. The endpoint license and support are part of the base package, but we bought the extended package of Vigilance Managed Detection and Response (MDR) services.

Which other solutions did I evaluate?

Sophos was eliminated very early on in the PoC process. Then, we looked at: 

  • SentinelOne
  • FireEye
  • CarbonBlack
  • CrowdStrike. 

Out of these solutions, we selected SentinelOne. Their ability to respond quickly in terms of feature functionality was the biggest pro as well as their fee for agents in the cloud. The other solutions' interpretation of a cloud solution did not match with our expectations. From an overall perspective, we found SentinelOne's methodology, its effectiveness, its lightweight agents and their capabilities far exceeded other solutions that we evaluated.

SentinelOne had the highest detection rates and the ability to roll back certain ransomware, where other solutions were not even close to doing that.

What other advice do I have?

It is a very good tool that is easy to deploy and manage. The administration over it is little to none. However, depending on the environment and whoever is trying to deploy the agents, they should test it with the vendor environment before they go and deploy it to production. The reason why is because SentinelOne has the ability to be tuned for optimization. So, it is better to understand what these optimizations would be before deploying them to production. That way, they will be more effective, and it will be easier to get buy-in from the DevOps team and the infrastructure team managing the servers, thus simplifying the process all around. Making the agents and configurations optimized for specific environments is key.

The Storyline feature has affected our SOC productivity. Though, we have yet to fully use the Storyline feature in a SOC. We are using it on a case-by-case basis. However, as we continue to deploy agents throughout our infrastructure and train our SOC to use the tool more effectively, that is when we will start using the Storyline feature a bit more. Currently, this is on our roadmap.

I am very familiar with the Ranger functionality, but we haven't implemented it yet for our environment. Ranger does not require any new agents nor hardware. That is a good feature and functionality, which is helpful. It can also create live, global asset inventories, which will be helpful for us. Unfortunately, we have not yet had an opportunity to roll that out and capture enough information from our infrastructure to be able to maximize the effectiveness of that functionality. We are still trying to get SentinelOne core services fully deployed in our environment.

Now that we have SentinelOne, we cannot go without it. 

Compared to other solutions in the market, I would rate it as 10 out of 10.

Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
Flag as inappropriate
Sr Manager - Information Security & Researcher at a tech services company with 1,001-5,000 employees
Real User
Top 5Leaderboard
Useful features, highly scalable, and reliable

What is our primary use case?

Tanium is used for network security. We can acquire files, detect malicious file-related activities, and process-related activities in our environment.

What is most valuable?

Threat hunting is a very good feature on Tanium. We have just started using it and have not used it extensively.

What needs improvement?

The performance could improve in future releases. We have had performance issues in specialized web environments, but overall I think the problems are less than 2% of the computer systems being used.

For how long have I used the solution?

I have been using Tanium for a few months.

What do I think about the stability of the solution?

The stability is good but it could still improve.

What do I think about the scalability of the

What is our primary use case?

Tanium is used for network security. We can acquire files, detect malicious file-related activities, and process-related activities in our environment.

What is most valuable?

Threat hunting is a very good feature on Tanium. We have just started using it and have not used it extensively.

What needs improvement?

The performance could improve in future releases. We have had performance issues in specialized web environments, but overall I think the problems are less than 2% of the computer systems being used.

For how long have I used the solution?

I have been using Tanium for a few months.

What do I think about the stability of the solution?

The stability is good but it could still improve.

What do I think about the scalability of the solution?

Tanium is highly scalable.

We have approximately 7,000 laptops and 40,000 regular systems that we have deployed Tanium on.

Which solution did I use previously and why did I switch?

I have used other security solutions, such as CrowdStrike Falcon and HX FireEye.

How was the initial setup?

The initial setup is straightforward.

What about the implementation team?

We have a security engineering team of four people that does the implementation and maintenance of the solution.

What's my experience with pricing, setup cost, and licensing?

There is an annual license required to use this solution.

What other advice do I have?

I rate Tanium a six out of ten.

Which deployment model are you using for this solution?

Public Cloud
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Flag as inappropriate
Vice President at a computer software company with 1,001-5,000 employees
Real User
Performs well, easy to maintain, and good support
Pros and Cons
  • "The most valuable feature of Microsoft Defender for Endpoint is that it is embedded into the Windows system. Additionally, the performance is good and simple to maintain."
  • "Microsoft Defender for Endpoint is secure but when it comes to security all solutions could improve security."

What is our primary use case?

Microsoft Defender for Endpoint can be used for system protection. For example, anti-virus, malware, and EDR.

What is most valuable?

The most valuable feature of Microsoft Defender for Endpoint is that it is embedded into the Windows system. Additionally, the performance is good and simple to maintain.

What needs improvement?

Microsoft Defender for Endpoint is secure but when it comes to security all solutions could improve security.

For how long have I used the solution?

I have been using Microsoft Defender for Endpoint for a couple of years.

What do I think about the stability of the solution?

Microsoft Defender for Endpoint has been stable in our usage.

What do I think about the scalability of the solution?

We have more than 5,000 users using this solution.

How are customer service and support?

We are quite satisfied with the support.

Which solution did I use previously and why did I switch?

We use many solutions in our company, such as Panda, Trend Micro, McAfee, Microsoft, and FireEye.

How was the initial setup?

There is no installation required.

What about the implementation team?

We have a five-person technical team that supports this solution.

What's my experience with pricing, setup cost, and licensing?

The solutions price could be cheaper.

What other advice do I have?

I recommend this solution to others.

I rate Microsoft Defender for Endpoint an eight out of ten.

Which deployment model are you using for this solution?

On-premises
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Flag as inappropriate
Get our free report covering CrowdStrike, Darktrace, Microsoft, and other competitors of FireEye Endpoint Security. Updated: January 2022.
564,997 professionals have used our research since 2012.