SentinelOne Singularity Complete Reviews

We are using it for endpoint security. It acts as an antivirus as well as is useful for endpoint detection. We are using the same product for both use cases. 

SentinelOne is very lightweight. It doesn’t consume much memory of endpoints. Endpoints don't hang, and machine performance doesn’t get impacted. Their technical support is also very nice.

It has all the features that other leading products in the market provide. They should keep enhancing it based on the challenges in the market. I am fine with its detection capability, but they can work more on deep inspection.

I have been using this solution for around two years.

It is stable. I would rate it a four out of five in terms of stability.

It is scalable. I would rate it a four out of five in terms of scalability. We have more than 1,200 users who are using this solution.

Their technical support is very nice. I would rate them a five out of five.

Positive

It is very easy to implement or install. I would rate it a five out of five in terms of the ease of setup. It does require maintenance by someone.

Its cost is yearly. It is not much costlier than other leading products available in the market. I would rate it a four out of five in terms of pricing.

We were looking for an antivirus and EDR solution. We evaluated some of the products, and finally, we decided to go for SentinelOne EDR. CrowdStrike was one of the solutions we evaluated. SentinelOne was lightweight, but CrowdStrike had a more secure door.

I would rate it a nine out of ten.

We use it as an Enterprise EDR solution for threat detection, anti-malware, and security investigations.

SentinelOne Singularity Complete has greatly enhanced our security posture. We feel that our endpoints are more secure. We are in the know of what is happening within our company from a security perspective. We are confident in the ability to detect untrue positives. It has also helped us in achieving industry certifications such as SOC 2.

SentinelOne Singularity Complete has absolutely helped reduce our organization's mean time to detect. There has also been an impact on our mean time to respond. With the integrations that we have set up with Splunk and other products, we are able to respond to incidents as soon as they alert us.

We have a couple of integrations with it. They are alright. I am not blown away by its integration capability.

SentinelOne Singularity Complete has not helped reduce alerts. If anything, we create more alerts with it. We are able to fine-tune the product to reduce noise and alerts, but without it, we would not have any alerts. It is the piece of software that provides that alerting capability for us.

SentinelOne Singularity Complete has not helped free up staff. In a way, it creates work for us, but that is the purpose of the product.

The deep visibility and the ability to perform security investigations and assess our endpoint security posture are the most valuable features.

There should be Terraform support for console administration. Dynamic tagging would be also useful. 

The auto-upgrade capability should be improved.

I have been using SentinelOne Singularity Complete for two years at this company. My company has been using it longer than that.

Its stability is pretty good. I like the stability of their agent.

It is extremely scalable.

Their technical support is pretty good. I would rate them an eight out of ten.

Positive

I was not here when they bought this solution, but I know why we bought the tool. We replaced another EDR solution, and then we used it as our enterprise EDR solution for ransomware prevention, threat hunting, and security investigations. We were using CrowdStrike previously. SentinelOne Singularity Complete also saved us money. It is very competitive compared to CrowdStrike.

I have used a couple of EDR solutions. SentinelOne Singularity Complete is less mature than CrowdStrike, but it is definitely one of the top players in the industry.

SentinelOne Singularity Complete has not helped reduce our organizational risk. It is about the same as CrowdStrike in this aspect.

We have it on our laptops and the cloud, so our setup is hybrid. I am in charge of deployment, and it is as simple or complex as any other solution. 

It requires maintenance on our end.

We have a team, but I do most of the work. I am in charge of it.

It is hard to define the ROI. It does not save us money, but it prevents security breaches. In the grand scheme of things, it is definitely worth investing in. 

Its pricing is competitive. 

It has competitive pricing and great support. It is a complete solution.

As a strategic security partner, they collaborate with us quite a bit on our overall posture. They constantly have webinars and education sessions for us to deepen our security knowledge and how to use their product. They have assisted us on various PoCs for different offerings that they have and different services they offer. They help us to understand how each of those components integrates into our overall security posture. We did a PoC of the Ranger functionality.

I would rate SentinelOne Singularity Complete a seven out of ten.

We use SentinelOne to collect logs and data. We will connect it to other tools and places in the future.

It is easy to collect and retain logs with SentinelOne. When you need to compare information, the data is available. It also has the possibility to configure information. It integrates well with all the other solutions we use. 

The only concern we have is that there are a few features that were not readily available. We use a lot of application files that didn't have a connection.

We would also like to see integration with other tools that have to collect the logs.

Although Microsoft claims the use of building artificial intelligence to correlate events, we have actually had a couple of events that should have logs but did not. The solution is not at the same level in terms of building artificial intelligence.

SentinelOne can do a better job of not only creating corrective action based on the correlation. For example, someone was trying to repeatedly change their password. What they didn't realize was that they weren't connected correctly.

I have been using SentinelOne for six months.

SentinelOne is a stable product.

Scalability is based on the measure. There is no limitation regarding scalability if you pay for the upgrades.

Technical support is good. When you need help from Microsoft, there is a long list of resources to help understand the issues.

Positive

The initial setup is straightforward as we have contracts with Microsoft Office Supplies, commodities, defender, and Active Directory.

I would rate the ease of initial setup of SentinelOne a five out of five. It is easy.

Our company used a third party that provided the utility. 

This solution is less expensive than its competitors. You might need to buy additional space depending on how much they are willing to provide. I would rate the pricing a five out of five.

We selected SentinelOne because it was less expensive than the competitors. We also saw the speed of evolution with Microsoft, so it can be involved theoretically when compared to Splunk.

We also chose SentinelOne because of the balance between features. It is stable and has enough choices. Being with Microsoft, we felt confident that the solution would evolve.

If you are considering SentinelOne, you should consider the cost of storage. Otherwise, the product is easy to deploy. You either need to have your own security operating center or hire someone that will use Sentinel or the secondary service. For you to consume the data, you may have had an internal security center or Sentinel.

With SentinelOne you have to invest extra cost. You have to always think of how much it will cost you to delay a response by a couple of days. If the incident is going to cost two days of revenue for the organization, that is much more than the cost of the solution.

I would rate SentinelOne an eight out of ten because of the price point and the features you get. 

We use SentinelOne mainly for lateral movement, ransomware, anti-malware, AI engine, and forensics.

The most valuable features of SentinelOne are the lateral movement and the use of the Active Directory.

SentinelOne can improve by having better integration with Active Directory.

SentinelOne can be deployed on-premise and in the cloud.

I have been using SentinelOne for approximately two years.

SentinelOne is stable. However, the only issue I had was with legacy system, such as older kernels. The newer systems are more stable.

The scalability of SentinelOne is good, but my biggest concern is they need to find some way to automatically install their agents to specifically Microsoft Windows devices because not every IT infrastructure has SECM of others that automatically deploy it. It would be helpful during the migration of new customers.

We have approximately 4,000 systems using the solution and plan on adding another 400.

I haven't had the opportunity to interact with SentinelOne support.

I have previously used Microsoft Windows Defender.

The initial setup of SentinelOne is very easy. You only need to turn it on and it starts working with a couple of clicks. The ease of implementation is SentinelOne strongest feature.

We have three people deploying SentinelOne. As part of the team deploying the agent, there are multiple teams involved, and each one can deploy an agent when they have their own time.

SentinelOne can cost approximately $70 per device.

The advice I would give others that are thinking of implementing SentinelOne is if they have any other solutions, I would highly recommend them to start using it, especially if they have Active Directory. It's very good at picking up weird anomalies.

I  rate SentinelOne an eight out of ten.

We're a partner of SentinelOne, but we're also a partner of many other companies. We're not a vendor per se. We sell SOC as a service, and as a part of that service, we provide protection solutions. My area is around antivirus. So, we are not a reseller in that sense.

I am using its latest version. It can be deployed on-prem as well as on the cloud. I have customers with a requirement for both. SentinelOne provides their own cloud because that's where they do their artificial intelligence (AI).

SentinelOne is what they call extended detection and response (XDR). So, it is the next generation of endpoint detection. The main difference between Endpoint Detection and Response (EDR) and XDR is that in XDR you have visibility on how something is executing. An EDR solution detects a suspicious or malicious package based on its signature or its behavior and sends an alert, but the problem is that you only see the file that it alerts on. For example, if it is an attachment to an email, you'll see the trigger on the attachment when you try to open it, but what you don't always know is from where that came. With an XDR solution like SentinelOne, you can see the whole process execution. You can say that it was executed from inside Word, Outlook, or something else. For example, when you opened an attachment in Outlook, it triggered Word and got opened in Word. This whole process execution is visible with XDR. It also offers the possibility to suspend or respond intelligently. So, you can use it not only to detect that the package is suspicious, but you could also suspend it so that when the person comes to investigate, the suspended process is still there.

The process visualization, automated response, and snapshotting are valuable. The integration and automation possibilities are also valuable.

The update process can be better. It is very easy to deploy, but over a long period, the updating process can be a little messy. In some EDR solutions, you end up with a very good mechanism to push new versions. It could do with a little work in that area. It is not particularly difficult, but it could do with a little work.

I have been using it for about a year and a half.

It gives good stability. It can have an impact on the performance of the workstation, but that is usually a question of tuning. From a stability point of view, I've never had a machine with a blue screen.

It scales very well.

They're excellent. I would rate them a five out of five.

Positive

We are technology agnostic in the sense that if a customer doesn't have a solution, we'll make a recommendation. If they don't have a solution, then our recommendation goes along the lines of SentinelOne, Palo Alto Cortex, Microsoft Defender ATP, or ESET. These are the ones that I typically would recommend, but Microsoft Defender ATP is problematic because you have to have the Azure and Office licenses to get it. For the other ones, you can buy the licenses separately. We also take over other solutions. I have some customers on Kaspersky and other solutions.

It is straightforward. If we deploy it from a URL where it downloads, it can be done in 10 minutes. If it is coming from an internal deployment server, it can be a few minutes. It is essentially headless. There are no prompts.

I have six people, but they normally work with the customers. As an MSSP, we normally work with the customer IT teams to deploy the agents in large companies. In small companies, it could be our people who do it. 

The number of people required depends on the number of endpoints, but generally, the number is low because it is a very simple installation. In fact, we even have end users running this.

It has the best ROI that I've seen. If I compare it to Microsoft Defender ATP or Defender for Endpoint, which a lot of people compare it against because it's included with the E3 or E5 Office licenses, Defender is three to five years behind SentinelOne. You're also tied to Microsoft's licensing scheme, whereas SentinelOne is independent of all of them. The ROI is very good. For me, its closest direct competitor is either Cybereason or Palo Alto's Cortex.

Its price is per endpoint per year. One of the features of its licensing is that it is a multi-tenanted solution. From an MSSP point of view, if I want to have several different virtual clouds of customers, it is supported natively, which is not the case with, for example, Microsoft Defender.

Another nice thing about it is that you can buy one license if you want to. Some vendors insist that you buy 50 or 100, whereas here, you can just buy one.

The Singularity product has three versions: Singularity Core, Singularity Control, and Singularity Complete. The Singularity Complete one is really what I consider an enterprise rate solution. The middle one, Control, is more than adequate. In terms of price, it works out very similar to what you would pay for Kaspersky or for any other solution. The licensing per endpoint, per year, and per version is progressively more expensive for the Core, Control, and Complete versions. 

The interesting thing is that it is possible to upgrade across the versions without a major change. If a customer buys the most basic installation and would like some of the features out of the middle, it is possible.

You have a choice between an on-premise console and the cloud. My advice would be to use the cloud, but it is a consideration of whether your endpoints can connect to the cloud or not. One of my customers is in the military defense area, and they have no connection to the internet. So, we had to deploy on-prem. What you don't get with the on-prem is all the AI. So, if you're deploying on-prem, you get the core features of SentinelOne, but you don't get all of the bells and whistles that you get from the cloud environment. The same is true for Cisco AMP and other solutions that are deployed on-prem. So, you need to consider how you're going to consume it if you have a disconnected network. If you're in the financial world, a lot of the production networks are not connected to the internet. So, solutions like Microsoft Defender are not an option because they're cloud-based, whereas SentinelOne is an option in those environments.

I would rate it an eight out of ten. It is a very good solution, but you have to compare it to understand it better.

There are four use cases:

1. Endpoint visibility.
2. Endpoint protection, which includes detection, protection, and error response. We use this for protection endpoints as well.
3. Provides historical loss of any events or changes in files that may have happened in the last 90 days.
4. Threat hunting, which we use to troubleshoot applications.

There are different versions. The SaaS portal has a different version. The agents for each operating system have a different version. For the SaaS platform, we are on the current release. For the agents, we are one behind the current GA release.

We have another tool for network analysis. Last night, it detected some suspicious network activity for a machine that was making an outbound action to a spacious external entity. So, it raised an alert. Other than being a network tool, it couldn't provide any information as to why it suddenly started doing this. As far as response and running through our playbook, the first steps were for the SOC to go and reach out to our engineering teams to see if any users caused what happened. That took them almost until the end of the day. Finally, they came back, and said, "There is nothing that we can see." Then, I went into SentinelOne, spending about 15 minutes, and was able to determine exactly:

• What process caused the activity.
• The reason for it. 
• The user.
• The command line running that caused it.
• What addresses it tried to communicate out, since the network tool wasn't able to capture all the IP addresses. 

We were able to determine it was a process that one of our engineers had set up and forgot about. It took us almost an entire day for the SOC to get a response from a person on that. Whereas, we were able to get that information directly from SentinelOne in less than 15 minutes.

SentinelOne's automation has increased analyst productivity. It can automate actions on a threat, such as, kill/quarantine, remediate, and then roll back. All those automation processes have significantly helped us in making our SOC more effective.

All the features are valuable. Their core product, EDR, is pretty good. We utilize the entire functionality of the feature set that they have to offer with their core product. For EDR, we are using all their agents: the Static AI and Behavioral AI technologies as well as their container visibility engine.

We use SentinelOne’s Storyline feature to observe all OS processes quite routinely. When we want to know a bit more details about any threats or want to investigate any suspicious event types, that is when we use the Storyline quite a bit. Its ability to automatically connect the dots when it comes to incident detection is useful. It significantly simplifies the investigation and research related to threats.

Today, we automatically use Storyline’s distributed, autonomous intelligence for providing instantaneous protection against advanced attacks for threat detection. The AI components help tremendously. You can see how the exploits, if any, match to the MITRE ATT&CK framework, then what actions were taken by the AI engine during the detection process or even post detection actions. This is good information that helps us understand a little about the threat and its suspicious activities.

We use the solution’s one-click remediation for reversing unauthorized changes. In most of the groups, we have it automatically doing remediation. We seldom do manual remediation.

There is an area of improvement is agent health monitoring, which would give us the ability to cap and manage resources used by the SentinelOne agent. We had issues with this in our environment. We reached out to SentinelOne about it, and they were very prompt in adding it into their roadmap. A couple of months ago, they came back to us and got our feedback on what we thought about their plan of implementing the agent health monitoring system would look like, and it looks pretty good. So, they are planning to release that functionality sometime during the Summer. I have been amazed with their turnaround time for getting concepts turned into reality. 

We have been using SentinelOne since early 2020.

It has been very stable. There have been no issues so far.

One person is needed for maintenance (me).

It is scalable with the caveat that we have had some challenges within our infrastructure for 20 agents across Linux servers. Beyond that, scalability is not an issue.

8,000 to 9,000 people are using the solution across our entire organization.

We are using SentinelOne as our de facto endpoint protection software. As a result, it is a requirement for every machine in our infrastructure, except for the devices that do not support their agents. So, as our infrastructure continues to grow or shrink, the users of SentinelOne will either increase or decrease, depending on the state of our infrastructure at that specific point in time.

The technical support is good and very responsive. 99.99 percent of the time, they have been able to provide satisfactory responses. Whenever we have asked them to join a call that requires their assistance on a priority basis, they have been able to join the call and provide assistance. Whenever they felt that they do not have enough information, they were upfront about it, but they realistically cannot do anything about it because there is a limitation on either SentinelOne agent software or deeper logs would need to be captured in order to provide more information. There has been no situation where support provided an unsatisfactory response.

We were previously using Sophos. The primary reason that we switched was Sophos did not provide us the extended capabilities we needed to support our infrastructure, both on-prem and on the cloud. Sophos did not support any of the Kubernetes cluster environmental containers systems on the cloud. It did not have the advanced AI engines that SentinelOne does. Overall, Sophos was very bulky, needing a lot of resources and a number of processes. In contrast, SentinelOne was thinner, very lightweight, and more effective.

The deployment and rollout of SentinelOne are pretty simple. In our environment, we deployed the agents, then we had to remove them from some of the machines because the agent was impacting the performance of those machines. At that time, we found out it wasn't the SentinelOne agent rather an underlying issue on our own system or even the environment that it was in. We had to take SentinelOne out to troubleshoot the root cause, which delayed us a bit in rolling it out to our other infrastructure. That was completely fine. Looking at it from a global and world perspective, the rollout was very simple. 

About 6,000 to 7,000 endpoints took us six to seven months to deploy. Linux took a bit longer to deploy because the tools are not as good for deployment as what is available for Windows and Macs. Using a script, we were able to take care of that. However, we could only do that during maintenance windows, otherwise we couldn't deploy the agents without an approval change.

We did the implementation ourselves. We have several teams responsible for each area:

• Two to four people for workstations. 
• Two people for a retail environment
• Two people for the server infrastructure. 

This provided resource continuity. In case one resource would be unavailable for any reason, then the other resource would be able to continue. Essentially, the deployment needed three people, but we had six for continuity.

We saw a return of investment during the first year. We far exceeded our ROI expectations, meeting our ROI expectations within the first year.

The Storyline feature has significantly affected our incident response time. Originally, what would take us hours, now it takes us several minutes.

From an overall perspective, it has reduced our mean time to repair in some cases to less than seconds to a maximum of an hour. Before, it would take days.

The licensing is comparable to other solutions in the market. The pricing is competitive.

We subscribe to the Managed Detection and Response (MDR) service called Vigilance, which is like an extension of our SOC. Vigilance's services help us with mitigating and responding to any suspicious, malicious threats that SentinelOne detects. Vigilance takes care of those. 

We also pay for the support. The endpoint license and support are part of the base package, but we bought the extended package of Vigilance Managed Detection and Response (MDR) services.

Sophos was eliminated very early on in the PoC process. Then, we looked at: 

• SentinelOne
• FireEye
• CarbonBlack
• CrowdStrike. 

Out of these solutions, we selected SentinelOne. Their ability to respond quickly in terms of feature functionality was the biggest pro as well as their fee for agents in the cloud. The other solutions' interpretation of a cloud solution did not match with our expectations. From an overall perspective, we found SentinelOne's methodology, its effectiveness, its lightweight agents and their capabilities far exceeded other solutions that we evaluated.

SentinelOne had the highest detection rates and the ability to roll back certain ransomware, where other solutions were not even close to doing that.

It is a very good tool that is easy to deploy and manage. The administration over it is little to none. However, depending on the environment and whoever is trying to deploy the agents, they should test it with the vendor environment before they go and deploy it to production. The reason why is because SentinelOne has the ability to be tuned for optimization. So, it is better to understand what these optimizations would be before deploying them to production. That way, they will be more effective, and it will be easier to get buy-in from the DevOps team and the infrastructure team managing the servers, thus simplifying the process all around. Making the agents and configurations optimized for specific environments is key.

The Storyline feature has affected our SOC productivity. Though, we have yet to fully use the Storyline feature in a SOC. We are using it on a case-by-case basis. However, as we continue to deploy agents throughout our infrastructure and train our SOC to use the tool more effectively, that is when we will start using the Storyline feature a bit more. Currently, this is on our roadmap.

I am very familiar with the Ranger functionality, but we haven't implemented it yet for our environment. Ranger does not require any new agents nor hardware. That is a good feature and functionality, which is helpful. It can also create live, global asset inventories, which will be helpful for us. Unfortunately, we have not yet had an opportunity to roll that out and capture enough information from our infrastructure to be able to maximize the effectiveness of that functionality. We are still trying to get SentinelOne core services fully deployed in our environment.

Now that we have SentinelOne, we cannot go without it. 

Compared to other solutions in the market, I would rate it as 10 out of 10.

Our use cases are for client and server visibility in our enterprise and operational technology environments, as EPP and EDR solutions.

Traditionally, we have had an open policy on endpoints in terms of what has actually been installed. We don't really centrally manage the application. So, we have had a sort of dirty environment. Now that we have SentinelOne with its advanced capabilities, this has enabled us to detect and categorize unwanted applications. It has given us a good foothold into the area of inventory management on endpoints when it comes to our applications as well.

One of the main selling points of SentinelOne is its one-click, automatic remediation and rollback for restoring an endpoint. It is extremely effective. Everything is reduced, like cost and manpower, by having these capabilities available to us.

The Deep Visibility feature is the most useful part of the EDR platform. It gives us good insights into what is actually happening on the endpoints, e.g., when we have malicious or suspicious activity. We came from a legacy type AV previously, so we didn't have that level of visibility or understanding. For simplifying threat-hunting, it is extremely useful, where traditional techniques in threat hunting are quite laborious. We can put in indicators of compromise and it will sweep the environment for them, then they would give us a breakdown of what assets have been seen and where they have been seen, which is more of a forensics overview.

From a forensics point of view, we can see exactly what is going on with the endpoint when we have threats in progress. It also gives us the ability to react in real-time, if it has not been handled by the AI. We have set the policy to protect against unknown threats, but only alert on suspicious ones. 

The Behavioral AI feature is excellent. It is one of the reasons why we selected SentinelOne. We needed a solution that was quite autonomous in its approach to dealing with threats when presented, which it has handled very well. It has allowed us to put resources into other areas, so we don't need to have someone sitting in front of a bunch of screens looking at this information.

The Behavioral AI recognizes novel and fileless attacks, responding in real-time. We have been able to detect several attacks of this nature where our previous solution was completely blind to them. This has allowed us to close gaps in other areas of our environment that we weren't previously aware had some deficiencies.

The Storyline technology is part of our response matrix, where you can see when the threat was initially detected and what processes were touched, tempered, or modified during the course of the threat. The Storyline technology's ability to auto-correlate attack events and map them to MITRE ATT&CK tactics and technique is very effective. By getting that visibility on how the attack is progressing, we can get a good idea of the objective. When we have the reference back to the framework, that is good additional threat intelligence for us.

Storyline automatically assembles a PID tree for us. It gives us a good framing of the information from a visibility standpoint, so it is not all text-based. We can get a visualization of how the threat or suspicious activity manifested itself.

The abilities of Storyline have enabled our incident response to be a lot more agile. We are able to react with a lot greater speed because we have all the information front and center.

The solution’s distributed intelligence at the endpoint is extremely effective. We have a lot of guys who are road warriors. Having that intelligence on the network to make decisions autonomously is highly valuable for us.

The role-based access is in dire need of improvement. We actually discussed this on a roadmap call and were informed that it was coming, but then it was delayed. It limits the roles that you can have in the platform, and we require several custom roles. We work with a lot of third-parties whom we rely on for some of our IT services. Part of those are an external SOC function where they are over-provisioned in the solution because there isn't anything relevant for the level of work that they do.

We have used it for around 10 to 11 months.

In the 11 months that we have had it, we have only had one problem. That was related back to a bug on the endpoint agent. So. it is very stable when I compare it to other platforms that I have used, like McAfee, Symantec, and Cylance.

Being a SaaS service, they take care of all the maintenance on the back-end. The only thing that we have to do is lifecycle the agents when there is a new version or fixes. So, it is very minimal.

It is highly scalable. It is just a case of purchasing more licensing and deploying agents.

We have three global admins, myself included, with about 10 other administrators. Primarily, the way that we are structured is we have a client team and a server team. So, we have resources from each geographical region who have access to the solution to police their own environment on a geographical basis. So, we have three global admins, then everybody else just has a sort of SoC-based level functionality, which goes back to the custom role issue because this is too much access. 

The technical support is very good. My only criticism is they are not very transparent when they are giving you a resolution to a problem. We have had several cases where we have had a problem that we have been given the fix for it. However, when we asked for background information on the actual problem, just to get some more clarity, it is very difficult to get that. I don't know if it's relative to protecting the information regarding the platform or a liability thing where they don't want to give out too much information. But, in my experience, most vendors when you have a problem, they are quite open in explaining what the cause of the issue was. I find SentinelOne is a bit more standoffish. We have gotten the information in the end, but it is not an easy process. 

When responding to fixing a problem, they are excellent. It is any of the background information that we are after (around a particular problem) that we find it difficult to get the right information.

We were previously using Trend Micro Deep Security. The primary reason why we switched was that it is rubbish. It is a legacy-based AV. We had a lot of problems functionality-wise. It was missing a lot of things, e.g., no EDR, no NextGen capabilities, and it had interoperability problems with our Windows platform deployments. So, there was just this big, long list of historical problems.

We specifically selected SentinelOne for its rollback feature for ransomware. When we started looking into securing a new endpoint solution about 24 months ago, there was a big uptick in ransomware attacks in the territory where I am based. This was one of the leading criteria for selecting it.

The initial setup is extremely straightforward. The nature of the platform has been very simplistic when it comes to configuring the structure for our assets and policies. Several other platforms that I have worked with are quite complex in their nature, taking a lot of time. We were up and running within a day on the initial part of our rollout. For the whole organization, it took us about 30 days to roll out completely in five different countries across roughly 20,000 endpoints. 

Behavioral AI works both with or without a network connection. We tested it several times during procurement. It can work autonomously from the network. One of our selection criteria was that we needed it to be autonomous because we have air gapped environments. Therefore, we can connect, install, or disconnect, knowing that we have an adequate level of protection. This mitigates certain risks from our organization. It also gives us good assurance that we have protection.

We had a loose implementation strategy. It was based on geography and the size of the business premises in each country. We started with our administration office, but most of our environment is operational technology, e.g., factories and manufacturing plants.

We did the deployment ourselves, but we had representation from the vendor in the form of their security engineer (SE). We did the work, but he gave us input and advisories during the course of the deployment.

Three of us from the business and one person from Sentinel (their SE) were involved in the deployment of SentinelOne.

We saw a return of investment within the first month.

On several occasions, we found some persistent threats that we wouldn't have known were there by using the Deep Visibility feature.

The solution has reduced incident response time by easily 70 percent.

The solution has reduced mean time to repair by probably 40 to 50 percent. This has been a game changer for us.

Analyst productivity has increased by about 50 percent.

We are on a subscription model by choice. Therefore, we are paying a premium for the flexibility. We would have huge cost savings if we committed to a three-year buy-in. So, it's more expensive than the other solutions that we were looking at, but we have the flexibility of a subscription model. I think the pricing is fair. For example, if we had a three-year tie-in SentinelOne versus Cylance or one of the others, there is not that much difference in pricing. There might be a few euro or dollars here and there, but it's negligible.

We evaluated:

• Microsoft Defender for Endpoint
• Cisco AMP for Endpoints
• CylancePROTECT
  
• Apex One, which is Trend Micro's NextGen platform.

The main differentiator between SentinelOne has been ease of use, configuration, and performance. It outperformed every single one of the other solutions by a large margin in our testing. We had a standardized approach in tests, which was uniform across the platforms. Also, there is a lot of functionality built into SentinelOne, where other vendors offered the additional functionality as paid add-ons from their basic platforms.

During our evaluation process, SentinelOne detected quite a lot of things that other solutions missed, e.g., generic malware detection. We had a test bed of 15,000 samples, and about 150 were left for SentinelOne. What was left was actually mobile device malware, so Android and iOS specific, fileless attacks, and MITRE ATT&CKs. SentinelOne performed a lot stronger than others. Cylance came second to SentinelOne, even though they were 20 percent more effective in speed and detection. The gulf was so huge compared to other solutions.

SentinelOne's EDR is a lot more comprehensive than what is offered by Cylance. They are just two different beasts. SentinelOne is a lot more user-friendly with a lot less impactful on resources. While I saw a lot of statistics from Cylance about how light it is, in reality, I don't think it is as good as the marketing. What I saw from SentinelOne is the claims that they put on paper were backed up by the product. The overall package from SentinelOne was a lot more attractive in terms of manageability, usability, and feature set; it was just a more well-rounded package.

Give SentinelOne a chance. Traditionally, a lot of companies look at the big brand vendors and SentinelOne is making quite a good name for itself. I have actually recommended them to several other companies where I have contacts. Several of those have picked up the solution to have a look at it.

You need to know your environment and make sure it is clean and controlled. If it's clean and you have control, then you will have no problems with this product. If your environment isn't hygienic, then you will run into issues. We have had some issues, but that's nothing to do with the product. We have never been really good at securing what is installed on the endpoint, so we get a lot of false positives. Give it a chance, as it's a good platform.

I would give the platform and company, with the support, a strong eight or nine out of 10.

We use it for endpoint protection. It's an active EDR endpoint protection tool. Think of it as an antivirus and endpoint protection solution with machine learning, like McAfee on steroids.

In our company it is deployed in 83 countries and on over 40,000 workstations and servers.

It provides incredible visibility in a single pane of glass. The dashboard gives me visibility over all the endpoints, which are broken down by country, and then broken down within each country by brand and machine type. It provides a very simple way for me to understand if

• we're being targeted globally
• my endpoints are actively being attacked
• we have outstanding issues in any one region
• we have malicious activity.

In addition, it logs to my SIEM tool, cloud-natively, which makes it a very effective weapon to help diagnose and remediate any potential bad actors in my environment.

The Behavioral AI feature for ransomware and anti-malware protection does an outstanding job of identifying abnormal behavior patterns in my environment. Once we allowed it to sit in learning mode for about 30 days, we switched all our endpoints into what is called Protect mode, instead of Detect mode. With Protect mode, we have different functions available to us, such as kill, quarantine, identify, and rollback. Using those features, we are really able to protect our endpoints much better. We take advantage of the fact that we have a machine, or an automated process, governing our endpoint protection. That reduces the total headcount needed to babysit my environment.

Furthermore, Behavioral AI recognizes novel and fileless attacks and responds in real-time. It improves my security, reduces my total cost of ownership and management, and provides enhanced protection for what is now a highly mobile population. Due to COVID-19, we have had to take most of our workforce, and that's over 40,000 people around the world, and give them access to work remotely through a series of different mechanisms. In doing so, we felt much more comfortable because we have this endpoint protection tool deployed. It provides us not only the visibility into what the tool is doing and how it's protecting us, but it allows us to look at what applications are installed, what IP range is coming on, and what network it's sourced from.

And with Ranger we're able to help identify additional networks. Using SentinelOne with Ranger, allowed us to take a look at some of our smaller offices in Asia Pacific where we didn't have exceptional visibility.

We also use the solution’s automatic remediation and rollback in Protect mode, without human intervention. I want to protect mode for both malicious and suspicious, and that is in Protect mode. Having turned that on, we saw no negative impact, across the board, which has been an outstanding feature for us. It does save time on having to go in and identify things, because we allowed it to run in learning mode for so long. It learned our business processes. It learned what's normal. It learned file types. It learned everything that we do enough that, when I did turn that feature on, there were no helpdesk calls, no madness ensued, no people complaining that files were being removed that they needed. It worked out very well for us. 

We also use the solution’s ActiveEDR technology. Its automatic monitoring of every OS process, at all times, improves our security operations greatly. There is a learning time involved. It has to learn what processes are normal. But the fact that it's actively engaged with every process—every file that moves across it, every DLL that's launched, whether or not it's automated or process-driven—everything is viewed, inspected, and categorized. And it allows us to have enhanced visibility that ties directly into the Deep Visibility. I can look at and help identify behavior patterns. 

For example, yesterday I wrote a series of queries for Deep Visibility that are based on MITRE ATT&CK parameters. Those give me reports, on a daily basis, of how effective this tool really is because I can use MITRE ATT&CK engine parameters to help define what's going on. Even if something is not considered malicious behavior by the tool itself, if I take that information and couple it with information I can pull from Tanium and information I pull from other tool sets, and aggregate that into my SIEM tool, my use case is provided. I get more positive and actionable intelligence on how my endpoints are behaving. If I have somebody out there who is doing testing of software, I can pick that out of a crowd in a second.

We have application control and containers available. Since we have AWS, Azure, and a myriad of cloud platforms, it's been hugely beneficial to us. Considering that we are endeavoring, as an organization, to move into cloud-based solutions, this has been a huge benefit.

Overall, SentinelOne has absolutely reduced incident response time. It's instantaneous. It has reduced it by at least 95 percent.

I use the tool to help me determine how well my other tools are working. For example, we have a role called a RISO, a regional information security officer. Those people are responsible for regions of the globe, whether it be Latin America, Asia Pacific, or AMEA. The RISOs now use the tool because it can help them identify other tools we have rolled out, like Zscaler. They can go into the SentinelOne console and query for Zscaler and look at all the machines in their environment and determine what the delta is. It allows people with different levels of knowledge and different roles in an organization to have visibility. It's been outstanding. That, in and of itself, makes it a better tool than its counterparts and it makes it usable for non-technical and non-security people.

We get the long-term strategic benefits of having enhanced visibility and the more short-term tactical benefits of knowing that our endpoints are protected, the visibility is there, and that no matter what lands on top of it, it's going to get taken care of.

The most valuable feature of the solution is its ability to learn, the fact that once you tune it correctly, it knows how to capture and defeat malicious activity on the endpoints. It's not set-it-and-forget-it, but it does give me a much more comfortable feeling that my endpoints are secure and protected from malicious behavior.

SentinelOne also provides equal protection across Windows, Linux, and macOS. I have all of them and every flavor of them you could possibly imagine. They've done a great job because I still have a lot of legacy infrastructure to support. It can support legacy environments as well as newer environments, including all the latest OS's. The latest Mac OS X that's coming out is already supported and in test for our organization. The complete coverage of every OS that we have in our environment has been a huge benefit because I don't have to have different tools to support them. There are cost savings not only on licensing but because I don't have to have different people managing different consoles. For me, having single pane of glass visibility is incredibly important because we run a very lean team here. We are a skeleton crew governing all 83 countries. In doing so, it provides us the ability to do a lot more with a lot less.

I use the Deep Visibility feature every single day. It is outstanding because I just create hunting cases and then I can load them. I can figure out what queries I want to run and I can go digging. And with the queries that I have built for the MITRE ATT&CKs, it makes it very simple to identify something. And now that I have reporting set up based on those queries, I get emails every day.

Using Deep Visibility I have identified a threat and figured out information about it. I've also used Deep Visibility to be proactive versus reactive as far as my alerting goes. I know that SentinelOne will protect my endpoints, but there's also a case where there isn't specific malicious behavior but the patterns look malicious. And that's really what I'm writing these queries for in Deep Visibility.

Here's an example. You can do a lateral movement in an organization. You can RDP to one server and RDP to another server, depending on how your software defined perimeter is configured. Unless you do something malicious, SentinelOne will look at it, but it won't necessarily stop it, because there is no malicious activity. But I can write a query in Deep Visibility to show me things. Let's say somebody breached my secure remote access solution. With the Deep Visibility queries that are being run, I can see that that one machine may have RDPed to a server and RDPed to another server and been jumping around because they may have gotten compromised credentials. That can be reported on. It might not have been malicious behavior, but it's an activity that the reporting from Deep Visibility allows me to pursue and then do a deeper dive into it.

If they would stop changing the dashboard so much I'd be a happy man. 

Also, if it had a little bit more granularity in the roles and responsibilities matrix, that would help. There are users that have different components, but I'd be much happier if I could cherry-pick what functions I want to give to which users. That would be a huge benefit.

The nice thing about SentinelOne is that I get to directly engage with their leadership at any time I want. That allows me to provide feedback such as, "I would like this function," and they've built a lot of functions for me as a result of my requests. I don't really have much in the way of complaints because if I want something, I generally tend to get it.

I have been using SentinelOne for about 14 months now.

It's incredibly stable. We really haven't had any significant issues. There have been a couple of things here and there where certain versions of the product weren't disabling Windows Defender effectively. I think that was predicated on a GPO that we identified that had been accidentally linked and that kept turning Defender back on again. The issues were very trivial things.

I talk to my TAM once a week, minimum. I think I have the best customer support in the business.

I had an issue that I raised a couple of weeks ago and within minutes I had an army of engineers working on it. By the end of the week, I had senior management calling me asking me what else I want, what else I need, and how else they could help me. 

They go all-in. I have never had to wonder or concern myself with whether I will be getting adequate support? Will the support be on time? Will the support be effective and accurate? Not once, not ever.

I have such a close relationship with the team, not only the team that sold it to me but the team that supports me. We call each other on a first-name basis and we talk about how we're doing. It's that kind professional relationship. That's how good it is.

Before, we had a mix of dozens of different solutions across the enterprise. We didn't have any one, ubiquitous solution. We had a mix of McAfee and Panda and Kaspersky. You name it, we owned a copy of it, and that didn't provide a unified field of view. It also didn't provide the best protection that money can buy and, in my opinion as a professional in this industry for 25 years, this is the best protection money can buy.

The initial setup of SentinelOne was very simple. I packaged the executables into MSIs, including the token ID, I created a package in Tanium, and I dropped it on all the workstations. I was able to deploy it to over 40,000 endpoints in 35 days.

When you govern as much real estate as I do, meaning the number of endpoints and the number of different business units that those endpoints comprise, there had to be a deployment strategy for it. I broke it down into countries, and in each of those countries I broke into brands and I broke it into asset types, whether they be servers or workstations, whether they're mobile or localized. It's not difficult to push out there, as long as you create exclusions. I used my legacy tools in parallel with this for a month and still never faced any issues.

For any organization, if you have any kind of deployment mechanism in place, you could put your entire workforce on this and it wouldn't matter how many endpoints. If they're online and available and you have a deployment solution, you could do it in a month, easily, if not less. I could've done it much faster, but I needed to do a pilot country first. I did all the testing and validations and then, once we went into production mode, it was very fast.

I got a really good deal so I'm very happy with the pricing.

I looked at everything. I looked at CrowdStrike, Cylance, Carbon Black, and I had McAfee as the largest of the incumbents. I tested them all and I validated them all and I pushed every malware virus—everything in my collection—at them. I built a series of VMs to test and validate the platform. I tested against multiple operating systems. I tested against downloads, I tested against uploads. I tested visibility. I did this entire series of tests and listed out 34 or 35 different criteria. And at the end of the day, SentinelOne came out on top.

One of the huge benefits of SentinelOne is the Full Remote Shell. That has been an incredibly useful tool for me.

Cylance came in second. It has very similar functionalities, very similar builds, but not a full remote shell. It had the single pane of glass dashboard, but the visibility I get out of SentinelOne, as well as the protection and the capability to run the Full Remote Shell pushed it over the top.

Carbon Black was nice, but I had to run two different dashboards, one cloud and one local. I couldn't get single pane of glass visibility from that.

When I tested SentinelOne against all the engines, they all pretty much found everything. Mimikatz was the deciding factor. A couple of the solutions flagged it but didn't remediate it. SentinelOne just rolled everything back as it started to discover it. It actually pulled the installer out, so that was nice. 

A lot of new technologies that are out there are very similar. They are pulling from public threat feeds and other learning engines. But if you compare and contrast all the features available, SentinelOne is just going to edge everybody else out. And they're constantly evolving the product to make it more efficient and to have a smaller footprint too. When they came out with Ranger, we were still doing some network discoveries around our environment to try to figure out exactly what was still out there. That came to be a very useful tool.

It really just shines. If you compare it to everybody else there are a lot that come close, but nobody else can really quite get to the top. SentinelOne really gives you the best overall picture.

Do your homework. I would encourage everybody, if you have the capabilities, to do what I did and test it against everything out there. If you don't have those capabilities and you want to save yourself a lot of time, just go straight to SentinelOne. I cannot imagine any organization regretting that decision. With the news stories you read about, such as hospitals under attack from malware and crypto viruses—with all the bad actors that exist, especially since the pandemic took over—if you want to protect your environment and sleep soundly at night, and if you're in the security industry, I highly encourage you to deploy SentinelOne and just watch what it's capable of.

I don't use the Storyline technology that much simply because I'm really turning this into a more automated process for my organization. An example of where we may use Storyline is when we download an encrypted malicious file. Let's say that email was sent to 500 people. If it gets through our email gateway, which is unlikely, I can not only identify those users quickly, but I can also use the Storyline to determine where it came from, how it got there, and what it was doing along the way. And while it killed it, it will tell me what processes were there. It helps us create and identify things like the hash, which we then summarily blacklist. Overall, Storyline is better for identifying what had happened along the way, but after the fact. For me, the fact that it has actually taken care of it without me having to go hunt it down all the time is the real benefit.

The only thing we don't take advantage of is their management service. We do have a TAM, but we don't have Vigilance.

For top-down administration, there's only about six of us who work with the solution. For country level administration, we have one or two in every country in those 83 countries.

We run a myriad of different front office and back office environments. SentinelOne had to learn different environments in different countries. It had to understand the business processes that are surrounding those. We did a substantial amount of tuning along the way, during the deployment. And then, of course, there are agent updates and there are considerations when you get a new EA version and are creating test groups. But, as an organization, we have reduced our total cost of ownership for our EPP platform, we have improved our visibility a hundred-fold, and we have maintained our data integrity. It really is the one end-all and be-all solution that we needed.

It's a home run. I've been doing this a long time and I've done this in over 48 countries around the world. Given what we do with this product and the visibility it has given us and the protection it has given us, I feel very comfortable with my security right now.