SentinelOne Singularity Complete Reviews

I have used SentinelOne Singularity Complete in a SOC environment where most customers were utilizing it. 

The solution has been helpful especially for the infrastructure security team. They can focus their energy on other business projects and priorities while having peace of mind knowing that even without real-time operation, SentinelOne Singularity Complete can detect vulnerabilities and contain threats until they intervene. This allows them to work on other projects, develop security policies, and strengthen their defense. The team can address other security loopholes while SentinelOne Singularity Complete manages their infrastructure.

One of the features I particularly appreciate is the hunting capability, specifically being able to use deep visibility for threat hunting. 

It's quite elaborate. It allows you to create and manage queries easily. Even if you're not very proficient in the language being used, it suggests the correct syntax when you type in plain text. If there's an error, it points out where you're wrong, enabling you to adjust the syntax. This feature is particularly beneficial for threat hunting using the deep visibility feature of SentinelOne Singularity Complete.

Additionally, the platform allows for compartmentalization, which is great because we use it for about 13 customers. It enables us to manage different environments from a single console and download relevant data for each customer.

What stands out is that this solution is not just about detection; it's also about response and containment. When it addresses an incident, it explains what occurred and suggests actions to take before further investigation.

Another excellent feature is its ability to filter events from the same company, helping to reduce noise. For instance, if a single user performs various actions that would typically trigger hundreds of alerts, this system consolidates those activities under that one user. This approach allows for tracking related events together rather than generating multiple alerts. As a result, you can analyze an incident from a holistic perspective rather than just viewing individual alerts in isolation. Overall, these capabilities enhance the effectiveness of threat management and incident response. That's my take on it!

It's capable of integrating with SIEM and other solutions. It offers enhanced interoperability. 

The main area for improvement relates to Linux compatibility. When deploying on a Linux system, the process isn't as seamless compared to other operating systems. They could enhance this by providing an easier way to implement or deploy on Linux OS systems.

I have used SentinelOne Singularity Complete for four years.

There have been no stability issues at the moment.

It's scalable.

Their support is very good. When we encounter an issue, we quickly raise support tickets, and the response time is very good.

Positive

It's not complex. It's straightforward, and the support is very good. 

SentinelOne Singularity Complete has shown a return on investment with its ability to detect threats at approximately 99% efficiency.

It's affordable. The pricing is competitive. 

SentinelOne Singularity Complete has proven beneficial in a specific case. In one instance, a customer had Microsoft licenses that were very expensive at the enterprise level. By implementing SentinelOne Singularity Complete, they were able to reduce their license plans and focus on this solution because it offered more robust features than their previous solution.

I would rate SentinelOne Singularity Complete a ten out of ten. It's a good solution.

We have the Singularity Endpoint Detection platform along with the MDR service. We are using their Singularity Enterprise offering along with Vigilance Pro.

We are currently in the process of deploying it. We started with the deployment earlier this calendar year with a goal of reaching 30,000 endpoints this year. We have deployed to about 25,000 endpoints to date. Our end goal is 100,000, but that will be phased in over the next year.

Our deployment experience has been excellent. We have received a ton of support from their customer success team. We are using this initial deployment to tune the product to make sure it is not causing performance issues on our endpoints. We are going about it in a very methodical fashion.

It has helped us achieve business goals in a few areas. Even though we are early in our adoption, there are a few areas where I have seen benefits. One is around the technology, the solution itself. It provides our security analysts with a very succinct and usable interface that they can use to effectively and efficiently manage incidents and investigations. 

The second area is around the MDR. This has been a huge benefit to us compared to our prior solution. We used to get a lot of false positives. That took up the time of our security analysts, which then took away time from addressing real problems.

The risk management at Lenovo has improved greatly over our prior toolset. We have identified risks that we would not have otherwise identified with our prior implementation.

Our analysts' efficiency has gone up tremendously. We are not chasing false positives. The tool provides timely and relevant information to our analysts so that they can address the events with confidence. They know they are working on the right activities, and then along with the managed service, they are not chasing rudimentary incidents. Those are being resolved before they can get to our team.

It has definitely helped us reduce noise. In the prior platform, which we are phasing out, the false positive rate was tremendously high. That caused a huge amount of inefficiency in the team.

It has helped us increase our incident response because we are working as a team. We not only have an improved platform for detecting and managing incidents; we are also partnering with SentinelOne on the MDR and the managed service aspect of it.

It has helped us improve our mean time to respond from a perspective of seeing what is happening. I do not have any metrics related to the percentage of that improvement.

It has highlighted the risk of insider threats, and we have found that on multiple occasions. It is hard to compare if they would have been caught in our prior solution, but we have increased visibility into what is going on across our network and the machines that are connected to it.

SentinelOne is an integral part of our AI strategy. We have recently got a chief AI officer in our organization. He happened to be our chief security officer, so we take AI very seriously. There are two things that AI can impact. We can leverage SentinelOne to help us protect the AI models that we develop and use, but we can also leverage AI for endpoint protection in the product itself. We can utilize the AI offering to improve our response rate and mean time to respond.

We are freeing up our resources and our security analysts' time to focus on the most critical threats to our landscape by not having to chase down false positives. In conjunction with the MDR, many of those incidents and events are mitigated and resolved without any intervention from our team.

SentinelOne can continue to make the presentation of relevant and timely data to the analysts as succinct and clear as possible. It will allow analysts to execute remediation or resolution with the least amount of clicks.

We started with the deployment earlier this calendar year.

The support from SentinelOne has been second to none, exceeding expectations. Maybe we are in the honeymoon period, but they have definitely exceeded expectations. I have been part of many deployments, not just of cybersecurity platforms but also of other platforms, and SentinelOne, in comparison, has been second to none.

Positive

We purchase it through CDW.

One of the primary considerations in evaluating EDR and identity security vendors was around the effectiveness of the detection and the ability to tune the solution to fit our needs. The presentation of the data to our analysts and the ability to detect events and threats that were not detected by our prior platform played a big role in that. We also were able to test out the MDR service as part of our proof of concept. That pushed it over the edge from anything we experienced with other vendors.

Earlier, we had a high false positive rate coming in, which would take up our analysts' time. In addition to that, our prior vendors or other vendors would report threats and incidents to our team but not what action to take to resolve them. The huge difference that we have seen is that we are now getting feedback from SentinelOne and the MDR team, and it is coming back completely resolved and completed. We are more on an information basis, and we do not have to spend any time on resolution or investigation.

Anyone considering changing their endpoint detection or SIEM solution should consider SentinelOne. It offers benefits in the product and technology aspect, service aspect, and partnership, allowing us to influence the roadmap and plan our cyber defenses.

Even though we are early on in our adoption, we have had a direct line of contact with the product team. We have been able to provide feature requests. We are not simply a customer of SentinelOne. We view it as a partnership. We can influence the roadmap. Likewise, SentinelOne is providing us a vision of their roadmap, and we can plan accordingly how to steer our cyber defenses.

As it stands today, I would rate SentinelOne Singularity Complete a nine out of ten simply because we are so early in our adoption that we are not taking full advantage of all the aspects of the solution. We will continue to grow and mature alongside the product.

Our organization is leveraging SentinelOne Singularity Complete to achieve a comprehensive endpoint security solution. This involves utilizing SentinelOne's EDR functionality across all our endpoints, including IT, OT, and legacy systems. By integrating additional log sources, we're expanding to XDR which will further enhance threat detection, investigation, and response capabilities. This enriched data will also enable the creation of custom workflows to streamline security operations and improve the overall effectiveness of SentinelOne alongside existing security solutions like Office 365, proxy servers, and firewalls, allowing for better correlation and incident response.

Our previous antivirus solution wasn't strong enough to keep up with the growing number and complexity of cyberattacks. Traditional antivirus struggles to monitor all endpoint processes and activities. SentinelOne Singularity Complete addresses this issue with its Endpoint Detection and Response capabilities. EDR collects comprehensive endpoint data and stores it centrally, allowing us to monitor all running processes, identify evolving threats and their techniques, and take appropriate action. Additionally, SentinelOne's built-in AI and ML can detect suspicious behavior that traditional antivirus solutions might miss, providing advanced protection against modern cyberattacks.

Our organization utilizes a two-pronged approach to cybersecurity with SentinelOne. On-premises, SentinelOne Singularity Complete safeguards our sensitive big data that never leaves our network. Additionally, we leverage the cloud-based SentinelOne SaaS solution for further protection.

SentinelOne offers a marketplace that expands its XDR capabilities. This marketplace allows for seamless integration with various security solutions, including Azure AD, email gateways, threat intelligence platforms, firewalls, and proxies. By integrating these tools, we can create automated response playbooks within the XDR platform, streamlining our security posture.

SentinelOne Singularity Complete excels at gathering and analyzing data from various security solutions. Its built-in marketplace offers over 120 connectors that automatically ingest logs, enabling correlation and better incident response through custom workflows. This integration streamlines security operations by minimizing manual effort and allowing security personnel to focus on faster remediation.

We leverage Ranger to secure our raw networks and functionalities that SentinelOne has limited coverage for. Additionally, we actively search for vulnerabilities in our systems.

Ranger is a valuable tool for improving network and asset visibility. It helps us identify gaps in our coverage by highlighting raw networks and unmonitored endpoints. These blind spots represent areas where we lack agent deployment, and Ranger essentially acts as a roadmap for prioritizing where to install them for a full view of our environment.

Ranger has a seamless integration process. From the console, we enable Ranger, triggering the installation of a lightweight agent on our endpoints. This agent then monitors traffic to identify coverage gaps and potential vulnerabilities within our system.

Integrating all log sources and creating a custom workflow will streamline analyst workloads. This will automate most of the basic tasks currently handled manually, freeing up the team for other projects. The analysts performing investigations and remediation will see a significant reduction in time spent on repetitive tasks.

Since implementing SentinelOne Singularity Complete, our mean time to detection has been drastically reduced, going from two full days down to just ten minutes each month.

SentinelOne Singularity Complete has reduced our mean time to remediation.

SentinelOne Singularity Complete has been a valuable asset in reducing our organization's security risks. Its features, including device control and firewall management, provide us with the tools we need to effectively manage and secure our endpoints.

SentinelOne offers several valuable features for threat detection and response. Correlation, static analysis, and other detection engines work together to identify and address security issues. Additionally, the STAR Rules feature allows us to create custom alerts based on specific attacker behaviors or indicators of compromise. This empowers us to not only respond to built-in threats but also proactively detect and prevent emerging ones by defining custom actions for abnormal activity. In short, SentinelOne goes beyond native threat detection, offering customization to tackle even the newest threats.

SentinelOne Singularity Complete needs more connectors for integration with more solutions.

It seems there are currently two separate installers for the same device, one in MSI format likely for Windows and another in a potentially custom EXP format. Ideally, these could be combined into a single installer. If that's not feasible, the EXP format could be used as a self-extracting archive that automatically installs the software using the MSI installer. This would eliminate the need for two separate agents and provide a more streamlined installation experience.

SentinelOne endpoint protection enters a reduced functionality mode during certain resource-intensive events. This mode temporarily limits some features and may require a machine restart. In some cases, the agent might even get disabled. To restore full functionality, we need to re-enable the agent and reboot the machine, which can be inconvenient. Ideally, SentinelOne should improve its handling of resource usage to avoid these disruptions.

The technical support response time has room for improvement.

I have been using SentinelOne Singularity Complete for three months.

The current version of SentinelOne Singularity Complete is stable.

SentinelOne Singularity Complete is highly scalable.

The technical support response time is slow.

Positive

Our previous antivirus solution, Symantec Endpoint Security, struggled to keep up with evolving cyber threats. Additionally, integrating it with other security tools proved to be a slow and cumbersome process. Since switching to SentinelOne, we now benefit from seamless integration with various log sources and other security solutions, enabling a more holistic and responsive security posture.

The initial deployment was straightforward and took four months to complete in our large environment but it was not complex to onboard the machines based on our policies.

Four people were required for the deployment. 

While the cost of SentinelOne Singularity Complete might seem high at first glance, it's important to consider the value it offers. This helps to average out the cost.

I would rate SentinelOne Singularity Complete nine out of ten.

SentinelOne Singularity Complete offers a comprehensive security solution for cloud workloads and endpoints. While it excels at covering all these areas, it could benefit from more granular control and further enhancements. The ability to extend its protection to cloud security or cloud servers, similar to CSPM tools, would be valuable for taking action within cloud or microservice environments.

Maintenance is required for updates.

SentinelOne is a good strategic security partner.

Before implementing SentinelOne Singularity Complete, it's crucial to understand how it will integrate with your existing systems. This ensures compatibility and avoids any unintended consequences. Make sure to create exclusions for any applications that might conflict with SentinelOne to prevent disruptions.

Our main use case is to protect all the Linux servers. We use it only for servers, not for users.

SentinelOne Singularity Complete is one of the most mature solutions available. It shows great benefits over time.

We can install filters to analyze every alert, and make some whitelists, blacklists, and exceptions, thus helping reduce alerts.

It can reduce the organization's risk. It gives better control to our limited team resources.

It already has AI capabilities, which is one of their advantages.

When you select a policy for a type of server, such as an Active Directory, we can apply a dedicated policy. We can have a dedicated policy for Exchange Server and a dedicated policy for MS SQL, Oracle server, etc.

The interface of SentinelOne Singularity Complete is user-friendly, and we can quickly find what we need.

The main issue with SentinelOne Singularity Complete was the process memory used for Linux servers, which generated a lot of tickets and incidents due to the high load of disk consumption and memory. The problem was on all systems, but especially on Linux servers. It might have already been fixed.

SentinelOne Singularity Complete is the best EDR in the market, but it will evolve, though I have concerns about using US partners in Europe due to the geopolitical context. It is better to work with European companies.

I have been using SentinelOne Singularity Complete for approximately four years.

For stability, I would rate it a nine, as I have experienced only the issue of overload.

The technical support from SentinelOne Singularity Complete is very active and good, with a strong knowledge base available online. The response time of technical support is satisfactory and acceptable.

I would rate their support a nine out of ten based on reactivity and the solutions they provide; this is based on my team's interactions, not mine.

Positive

For Windows servers, we are using Defender. SentinelOne Singularity Complete is only used for Linux servers. 

The initial setup was not really complex; we only needed one on-premise management server to deploy to different servers. It took about two months for about 300 servers.

I am the third party assisting in the deployment.

I don't know about the licensing model. It seems easy, but it's not my area of expertise. I don't have information on how it compares to its competitors, but the pricing is per device.

We conducted some PoCs between SentinelOne Singularity Complete, Defender, and Carbon Black, and we decided to go with SentinelOne Singularity Complete based on usability. 

It is unclear if it has helped reduce our organization's mean time to detect or respond because we have a platform with four people, and we are using SOC as well. Our main activities are done by four people, and we don't have much time to conduct thorough investigations.

I cannot assess SentinelOne Singularity Complete's ability to be innovative because we stayed with it after choosing it and never compared it with others.

Overall, I would rate SentinelOne Singularity Complete a nine out of ten because nothing is perfect, but it is close.

First, budget-wise, and for the quick actions I take in automation, certainly AI plays a crucial role.

The most valuable features are the quick action and restoration capabilities. I can catch any behavior and restore everything for the last two changes. There's also automation that gives my team free time, preventing them from having to look for every alert. As a result, we don't need their action on some emails.

Integration with the firewalls is needed because there is no integration with Forti as a FortiAnalyzer. It is currently integrated with FortiManager and the Forti box, but if I have an analyzer, it doesn’t integrate with them. It would be better if there were direct integration with FortiAnalyzer.

I have used the solution for two years.

The stability is just okay.

The scalability is good at more than ninety percent.

I would rate the customer service at an eight.

Positive

I tried, when busy, CrowdStrike, and as an endpoint, I work with FortiClient.

The setup is complex related to the XDR because there are more logs, and the queries need someone expert for that. I should create a guide.

The deployment has been done in-house by my team.

If I compare prices between SentinelOne and another solution, I have already conducted this exercise, and SentinelOne is cheaper by more than sixteen percent.

It’s cheaper than other competitors.

I will recommend it to other clients. The quality is good for us based on our operations. We don't have a huge amount of transactions, but it’s good for us. The solution meets our needs. It’s good. Overall product rating is eight out of ten.

As a company with 30,000 employees and 26,000 endpoints worldwide, we have diverse operational needs that SentinelOne Singularity Complete effectively addresses.

SentinelOne Singularity Complete effectively addresses numerous challenges. As a cloud-based SaaS solution, it seamlessly protects office and remote workers, safeguarding laptops and other devices. Its comprehensive coverage extends to cloud infrastructure across multiple operating systems like iOS, Linux, and Windows, including Kubernetes environments. This versatility, coupled with its ability to fulfill various use cases, has made SentinelOne Singularity Complete our trusted security solution for the past four years.

SentinelOne Singularity Complete integrates with our other security solutions, correlating data from NDR, ADR, SIEM, and XDR tools. All this information is consolidated within SentinelOne, providing a centralized access point.

SentinelOne Singularity Complete has helped us streamline our security operations by consolidating multiple solutions into a single platform. We are currently in the process of acquiring a threat intelligence platform to complete our security stack.

We use Ranger to monitor our network and track connected devices. This is crucial because it helps us quickly identify unauthorized machines connected to our infrastructure, including personal devices. We have additional security measures in place, but Ranger provides an extra layer of protection. It also alerts us if the SentinelOne Singularity Complete agent is missing from any new or existing machines, allowing us to take appropriate action.

SentinelOne Ranger's agentless and hardware-independent nature is crucial for our environment with 26,000 endpoints, as manual management of such a large number would be extremely challenging.

Ranger uses a multi-layered approach to prevent vulnerable devices from being compromised. We employ scanners, network configurations, and a risk scanner to assess devices, endpoints, servers, and cloud infrastructures. Vulnerability reports and timelines for remediation are shared with device owners or custodians. This proactive strategy enables us to address vulnerabilities efficiently and secure our infrastructure.

SentinelOne Singularity Complete has significantly enhanced our security posture. While no system is impenetrable, this solution has brought us closer to achieving a high level of protection, ensuring we maintain at least a 90 percent security level.

Our team is dedicated to refining alerts and eliminating false positives from our solutions. Additionally, a team is responsible for identifying and excluding alerts from the solution. We can manually expedite this process by reviewing these elements and utilizing our security tools. We have been able to reduce the alert volume by 20 percent.

Our 30-member Security Operations Center team has been able to redirect their focus to other tasks due to the time saved after implementing SentinelOne Singularity Complete.

SentinelOne Singularity Complete has helped us improve our mean time to detect threats, which we accomplish using the Vigilance service for detection and response.

SentinelOne Singularity Complete has helped us decrease our organizational risk. We utilize the Security Scorecard to manage our security posture, which has remained steady at 90 percent.

Unlike other endpoint solutions like Kaspersky or Trend Micro, SentinelOne's agents are exceptionally lightweight, updating seamlessly without consuming significant network or system resources. This ensures smooth operation and user-friendly control. Moreover, SentinelOne's support team is highly competent, providing timely assistance and going the extra mile to resolve any issues.

When SentinelOne Singularity Complete is used as the central hub for viewing alerts from all integrated security solutions, it is challenging to identify the specific solution that triggered each alert.

I have been using SentinelOne Singularity Complete for almost four years.

SentinelOne Singularity Complete is stable.

The technical support team is quick to respond to and resolve our issues.

Positive

Our hybrid environment has raised security concerns for management, leading them to seek an all-in-one solution. After conducting multiple proof-of-concept tests for endpoint security, they determined that Kaspersky was insufficient for their needs due to inadequate functionality and management complexity. As a result, they transitioned to SentinelOne Singularity Complete.

SentinelOne is actively developing new innovations and introducing additional integration platforms.

I would rate SentinelOne Singularity Complete nine out of ten.

SentinelOne Singularity Complete offers comprehensive endpoint security by automatically updating without impacting bandwidth. Unlike traditional signature-based solutions, it employs a behavior-based approach to detect and immediately address malicious or suspicious files and processes.

We are 100 percent confident with SentinelOne as a strategic security partner.

Maintenance has been seamless, and while SentinelOne does notify us in advance of any required downtime, I haven't experienced any interruptions in the past year and a half.

With 30,000 employees and 26,000 endpoints worldwide, our organization has implemented SentinelOne Singularity Complete across all endpoints.

Singularity Complete has helped reduce alerts. We have one place to go to check them, and there is also a reduction in false alerts.

Singularity Complete helped free up our staff for other projects and tasks. I do not have the metrics, but it saves a lot of time compared to what I have used at other companies.

Singularity Complete has helped reduce our mean time to detect. We only have to look at the portal. We can quickly isolate the user or the device, which also stops the virus from spreading. It also reduces our mean time to respond.

The web portal has a really good web UI, and all the things are well integrated. It is easy for us to increase the number of users because it is pretty simple.

The maintenance window can be improved because once it happened that I had multiple laptops, and the maintenance window caused a lot of laptops to get stuck in the portal, blocking access. This is important to address. The basic functionalities should be up and running even during maintenance windows. I understand that it is a software-as-a-service model, but it becomes a problem if I cannot do anything when issues occur during maintenance.

They could make it simple to have a SIEM integrated with their solution so that we can send logs to their server and then analyze them.

I have been using SentinelOne Singularity Complete for almost one year.

It is stable.

It is scalable. We have 50 users in our company. We have three administrators. We also have a consultant.

I did not have the opportunity to contact them because I had almost no issues.

Neutral

We were probably using Webroot. I was not there when they made the decision to switch.

I did not participate in the initial setup, but our new onboarding process for laptops is really straightforward. You just join the domain, and the software gets installed automatically. It is bound to our site, making it very easy.

It is difficult to measure ROI, but since we started using it, we have not had any problems related to security. We have not experienced any breaches or issues so far.

It has absolutely helped reduce our organizational risk.

Overall, it was a good experience. It is pretty easy for us to increase the number.

SentinelOne is focused on this solution. This is evident in the GUI. The GUI is well done compared to solutions like Microsoft Defender which I have been trying to get into, but it almost repels me. SentinelOne Singularity Complete is very stable and mature. It is one of the best solutions that one can choose.

I would rate SentinelOne Singularity Complete a nine out of ten.

I am part of the security team, and our strategy is to have this EDR deployed on all of the company's assets, all of our endpoints. We wanted a powerful platform in terms of detection and response to incidents.

It gives us a first layer of security. In addition, we have hired the SentinelOne Vigilance Respond team, a 24/7 SOC that monitors and mitigates. And, in case we need to escalate an alert on any of our assets, it allows us to do a bit of threat intelligence analysis and debug any asset on any topic.

It has helped reduce alerts thanks to the Vigilance service over the last two years. This includes all types of incidents, whether critical, medium, or low priority. Most of the alerts are managed by them, and we do not see them. We only see those that require some information that only our company has, but very few reach that level since Vigilance is directly in charge of managing them. If we had to manage the alerts that Vigilance manages, between 30 and 50 percent of my workday would go to reviewing alerts.

Overall, it has reduced our mean time to detect by about 70 percent, as that is the percentage in which it acts as an autonomous tool. And our mean time to respond has been reduced by 80 to 90 percent because we have SentinelOne's DFIR, Digital Forensics and Incident Response, team involved.

By providing that first layer of detection and response, SentinelOne allows us to have eyes on all our endpoints and, from there, to manage if a machine or a server has been compromised. We can directly isolate it from the network so that malware or ransomware cannot spread broadly.

It has helped us consolidate security solutions, although we did have some problems. The DFIR team responds quickly, and the Vigilance Respond team is continually working with us, managing the alerts. We do quarterly evaluations, and the support team always responds well, plus we interact with the tool ourselves.

The security team has gained a presence and control over the company's equipment that we did not have before.

Every device that does not have SentinelOne installed is a risk, and without SentinelOne, the difference would be significant. It has helped reduce our organizational risk by 70 percent.

SentinelOne has three services that are very well consolidated:

1. Technical support, through which they help you, suggest new configurations, and resolve questions. 
2. The Vigilance Respond service, which is a 24/7 SOC that works on and manages all the alerts that are raised in SentinelOne on our devices. It’s a first layer of defense that filters a lot of the requests. Sometimes we end up escalating something because there are times when we need to understand if the alert is a false positive or not.
3. DFIR, Digital Forensics and Incident Response. This team is in charge of doing all the forensic analysis of an incident, and we have a certain number of hours contracted with them. Their advisors' technical level is very high and enables you to create a high-quality forensic report, in case you have to escalate or report it to senior staff. The DFIR team is excellent.

Another aspect that is very good is the solution’s ingestion and correlation across security solutions. We opted for SentinelOne because it gives you visibility and control over all the devices on which you have the agent deployed. That is very valuable because, in the end, all the attacks enter only through one gateway, which is usually a user's computer. If you do not have visibility over that computer and the ability to manage it, you cannot block it, restart it, or run a full scan to see if the user has clicked on a link or if any type of malware has been downloaded. This is a layer of visibility and basic management that any company needs.

Also, there is the threat intelligence and activity correlation. They not only detect and respond to incidents but also prevent them.

We started using SentinelOne Ranger, but we found two problems. Perhaps they are particularities, but they should be addressed as they may change the minds of other companies that are considering this feature.

The first problem is that, while it scans all the assets that are on the network, when it comes to discerning whether an asset is a server or a laptop, it tends to fail. It does not have a very high level of precision. We have experienced problems when reporting these types of assets to those responsible for installing the agent, and then they tell us, "Hey, this is not a server, this is a fax," or "this is a printer." When things like that happen, we lose credibility.

The other issue that we saw with the functionality of Ranger is that if, for whatever reason, you have a product with SentinelOne installed but it is on a client's network, the SentinelOne agent starts scanning the ports and the network and goes to a honeypot. As a result, the client may think that it is being attacked because someone has reached its honeypot, when it’s actually us on the client's network. When you don't know that this is happening, it can generate conflict and tension with the clients. Once you know about the problem, you can deactivate that process, but sometimes it can have a negative impact.

Ranger does provide me with visibility of the network, but not completely because the assets it scans are often mistakenly identified regarding what type of device they are. A SentinelOne agent is worth a lot of money, and there is no point in putting it onto a printer, for example. It should have the ability to go a little further and be more precise.

Another very clear area for improvement, one that I don't understand why they haven't deployed it yet, is a self-updating SentinelOne agent. The agent has a version, and what SentinelOne proposed up until one year ago is that you had to be proactive in consulting the dashboard to see if your agent had reached end-of-life and then update it. Now, they've released a new feature where I believe you can schedule updates, so it makes perfect sense for the agent to update itself without any action on our part, and never go out of version. By simply connecting to the network it should be able to download and update.

This idea is not critical because SentinelOne updates many versions of the agent and, when one becomes obsolete, it does not mean that it no longer works. But this is something that SentinelOne should know how to work with. A solution could be that if you do not have the ability to auto-update the agent, SentinelOne would directly tell you which agents are not updated. That way, we would not have to go to the documentation, look at the dashboard, and filter the agents by version. It would be great if it were able to tell if the operating systems are unsupported so that we wouldn't have to look in the official documentation at whether the Windows Server is outdated or not.

If the agents self-updated, maintenance due to the update process would be minimal.

I have been using SentinelOne Singularity Complete for about two years.

SentinelOne is very stable. It has never dropped or caused any problems

We do not have it in any cloud. The agent is located on devices; we manage almost 10,000 computers. Our company has a presence in nine European countries, and SentinelOne is used in all of them. Our department is the group that supervises all regions, including Spain, France, the Nordic countries, Poland, Romania, the Czech Republic, Austria, and Switzerland.

We are continually deploying new agents because we detect more and more devices. SentinelOne will stay in our company until it dies, so to speak. With what it has cost us to get here, we will not change now.

Support responds in less than a day.

SentinelOne is a top partner in the industry.

Positive

Defender for Endpoint is more expensive than SentinelOne. Other solutions are more expensive and others are cheaper, but in terms of cost-benefit ratio, we’ll always stick with SentinelOne.

The detection and visibility over all assets, whether by the agent or Ranger, and the ability to take action as a result are worth it. It is all very intuitive, and for me, these elements are our return on investment.

All the portals, at the end of the day, are "first cousins", such as CrowdStrike and Palo Alto, although that's not exactly an EDR. We went to a global cybersecurity congress in London, and all the solutions were there: SentinelOne and its competition. At the portal, user, and other levels, they are practically the same. Each will have something that is better and something that is worse, but they are quite similar.

You have to do a cost-benefit analysis. Understand the context of your company. It is not the same for a bank or an insurance company compared to a company in the industrial sector that does not manage sensitive data. Understand your particular needs. After a cost analysis, if there is enough budget, choose SentinelOne.

The most important lesson I have learned using SentinelOne is to always listen to what the Vigilance Respond team says.

We are still chasing the benefits of the solution. The model is already deployed, but we are a very large company, and every day we find new devices that do not have SentinelOne. We are still in that phase of continual improvement, of improving the solution and achieving even more benefits. We are getting to the most isolated cases of, for example, servers that have little RAM, and we are debating if we should apply SentinelOne to them because, perhaps, the server will be affected more so. 

We are dealing with these small cases and continuously improving. You don't get all the benefits in two months; it is an ongoing process.

I would recommend SentinelOne, and if, in the end, it is a question of budget, choose it. If I became a CSO tomorrow, that is what I would do.

Foreign Language:(Spanish)

¿Cuál es nuestro caso de uso principal?

Soy parte del equipo de seguridad y nuestra estrategia es implementar este EDR en todos los activos de la empresa, en todos nuestros puntos finales. Queríamos una plataforma potente en términos de detección y respuesta a incidencias.

¿Cómo ha ayudado a mi organización?

Nos da una primera capa de seguridad. Además, hemos contratado al equipo SentinelOne Vigilance Respond, un SOC 24 horas al día, 7 días a la semana que monitorea y mitiga. En caso de que necesitemos escalar una alerta sobre cualquiera de nuestros activos, nos permite realizar un poco de análisis de inteligencia de amenazas y depurar cualquier activo sobre cualquier tema.

Ha ayudado a reducir las alertas gracias al servicio de Vigilance durante los dos últimos años. Esto incluye todo tipo de incidentes, ya sean críticos, de prioridad media o baja. La mayoría de las alertas las gestionan ellos y nosotros no las vemos. Solo vemos aquellos que requieren alguna información que solo nuestra empresa tiene, pero muy pocos llegan a ese nivel ya que Vigilance se encarga directamente de gestionarlos. Si tuviéramos que gestionar las alertas que gestiona Vigilance, entre el 30 y el 50 por ciento de mi jornada laboral se dedicaría a revisar alertas.

En general, ha reducido nuestro tiempo promedio de detección en aproximadamente un 70 por ciento, ya que actúa como una herramienta autónoma. Ademas, nuestro tiempo promedio para responder se ha reducido entre un 80 y un 90 por ciento porque contamos con el equipo DFIR, análisis forense digital y respuesta a incidentes de SentinelOne involucrado.

Al proporcionar esa primera capa de detección y respuesta, SentinelOne nos permite vigilar todos nuestros puntos finales y desde allí, gestionar si un equipo o un servidor se ha visto comprometido. Podemos aislarlo directamente de la red para que el malware o el ransomware no puedan propagarse ampliamente.

Nos ha ayudado a consolidar soluciones de seguridad, aunque si tuvimos algunos problemas. El equipo de DFIR responde rápidamente y el equipo de Vigilance Respond trabaja continuamente con nosotros, gestionando las alertas. Hacemos evaluaciones trimestrales y el equipo de soporte siempre responde bien, además interactuamos con la herramienta nosotros mismos.

El equipo de seguridad ha ganado una presencia y control sobre los equipos de la empresa que antes no teníamos.

Todo dispositivo que no tenga SentinelOne instalado es un riesgo y sin SentinelOne, la diferencia sería significativa. Ha ayudado a reducir nuestro riesgo organizacional en un 70 por ciento.

¿Qué es lo más valioso?

SentinelOne cuenta con tres servicios que están muy bien consolidados:

1. Soporte técnico, a través del cual te ayudan, sugieren nuevas configuraciones y resuelven dudas.

2. El servicio Vigilance Respond, que es un SOC 24 horas al día, 7 días a la semana, que trabaja y gestiona todas las alertas que se generan en SentinelOne en nuestros dispositivos. Es una primera capa de defensa que filtra muchas de las solicitudes. A veces terminamos escalando algo porque hay ocasiones en las que necesitamos entender si la alerta es un falso positivo o no.

3. DFIR, Análisis Forense Digital y Respuesta a Incidentes. Este equipo se encarga de hacer todo el análisis forense de un incidente, y tenemos contratada una determinada cantidad de horas con ellos. El nivel técnico de sus asesores es muy alto y te permite crear un informe forense de alta calidad, en caso de que tengas que escalar o informar a tu personal superior. El equipo de DFIR es excelente.

Otro aspecto que es muy bueno es la incorporación de la solución y la correlación entre las soluciones de seguridad. Optamos por SentinelOne porque te brinda visibilidad y control sobre todos los dispositivos en los que tienes implementado el agente. Esto es muy valioso porque, al final, todos los ataques entran sólo a través de una puerta de enlace, que suele ser la computadora del usuario y si no tienes visibilidad sobre esa computadora o capacidad de administrar, no podrás bloquear, reiniciar o ejecutar un análisis completo para ver si el usuario ha hecho clic en un enlace o si se ha descargado algún tipo de malware. Esta es una capa de visibilidad y gestión básica que cualquier empresa necesita.

Además, cuenta con una gran inteligencia de amenazas y correlación de actividades. No sólo detecta y responde a incidentes sino que también los previene.

¿Qué necesita mejorar?

Empezamos a utilizar SentinelOne Ranger, pero encontramos dos problemas. Quizás sean particularidades, pero conviene abordarlas ya que pueden hacer cambiar de opinión a otras empresas que estén considerando esta característica.

El primer problema es que, tal vez escanea todos los activos que hay en la red, pero la hora de discernir si un activo es un servidor o un portátil, tiende a fallar. No tiene un nivel de precisión muy alto. Hemos experimentado problemas al informar este tipo de activos a los responsables de instalar el agente y luego nos dicen: "Oye, esto no es un servidor, esto es un fax" o "esto es una impresora". Cuando suceden cosas así, perdemos credibilidad.

El otro problema que vimos con la funcionalidad de Ranger es que si, por cualquier motivo, tiene un producto con SentinelOne instalado pero está en la red de un cliente, el agente SentinelOne comienza a escanear los puertos y la red y va a un honeypot. Como resultado, el cliente puede pensar que está siendo atacado porque alguien ha llegado a su honeypot, cuando en realidad somos nosotros en la red del cliente. Cuando no sabes que esto está pasando, puede generar conflicto y tensión con los clientes. Una vez que conozcas el problema, puedes desactivar ese proceso, pero a veces puede tener un impacto negativo.

Ranger me proporciona visibilidad de la red, pero no completamente porque los activos que escanea a menudo se identifican erróneamente con respecto al tipo de dispositivo que son. Un agente SentinelOne vale mucho dinero y no tiene sentido ponerlo en una impresora, por ejemplo. Debería tener la capacidad de ir un poco más allá y ser más preciso.

Otra área de mejora muy clara, una que no entiendo por qué no la han implementado todavía, es que el agente de SentinelOne sea autoactualizable. El agente tiene una versión, y lo que SentinelOne proponía hasta hace un año es que había que ser proactivo al consultar el panel para ver si su agente había llegado al final de su vida útil y luego actualizarlo. Ahora, han lanzado una nueva función en la que creo que se pueden programar actualizaciones, por lo que tiene mucho sentido que el agente se actualice sin ninguna acción de nuestra parte y nunca se quede sin versión. Simplemente conectándose a la red debería poder descargarse y actualizarse.

Esta idea no es crítica porque SentinelOne actualiza muchas versiones del agente y cuando una queda obsoleta, no significa que ya no funcione. Pero esto es algo que SentinelOne debería saber cómo ejecutar. Una solución podría ser que, si no tiene la capacidad de actualizar automáticamente el agente, SentinelOne te indique directamente qué agentes no están actualizados. De esa forma, no tendríamos que ir a la documentación, mirar el panel y filtrar los agentes por versión. Sería fantástico si pudieras saber que sistemas operativos no son compatibles para que no tuviéramos que buscar en la documentación oficial si Windows Server está desactualizado o no.

Si los agentes se autoactualizaran, el mantenimiento debido al proceso de actualización sería mínimo.

¿Durante cuánto tiempo he usado la solución?

He estado usando SentinelOne Singularity Complete durante dos años aproximadamente.

¿Qué pienso sobre la estabilidad de la solución?

SentinelOne es muy estable. Nunca se ha caído ni ha dado ningún problema.

¿Qué pienso sobre la escalabilidad de la solución?

No lo tenemos en ninguna nube. El agente está ubicado en los dispositivos; Gestionamos casi 10.000 ordenadores. Nuestra empresa tiene presencia en nueve países europeos y SentinelOne se utiliza en todos ellos. Nuestro departamento es el grupo que supervisa todas las regiones, incluidas España, Francia, los países nórdicos, Polonia, Rumanía, República Checa, Austria y Suiza.

Continuamente implementamos nuevos agentes porque detectamos cada vez más dispositivos. SentinelOne permanecerá en nuestra empresa hasta que muera, por así decirlo. Con lo que nos ha costado llegar hasta aquí no vamos a cambiarlo ahora.

¿Cómo es el servicio y soporte al cliente?

El soporte responde en menos de un día.

SentinelOne es un socio líder en la industria.

¿Cómo calificaría el servicio y soporte al cliente?

Positivo

¿Cuál fue nuestro Retorno de Inversión?

Defender for Endpoint es más caro que SentinelOne. Otras soluciones son más caras y otras más baratas, pero en términos de relación coste-beneficio, siempre nos quedaremos con SentinelOne.

La detección y visibilidad de todos los activos, ya sea por parte del agente o del Ranger y la capacidad que tiene de tomar medidas valen la pena. Es todo muy intuitivo y para mí, estos elementos son nuestro retorno de la inversión.

¿Qué otras soluciones evalué?

Todos los portales, al fin y al cabo, son "primos hermanos", como CrowdStrike y Palo Alto, aunque no sean exactamente EDR. Asistimos a un congreso global de ciberseguridad en Londres y todas las soluciones estaban allí: SentinelOne y su competencia. A nivel de portal, usuario y otros niveles son prácticamente iguales. Cada uno tendrá algo mejor y algo peor, pero son bastante similares.

¿Qué otro consejo tengo?

Tienen que hacer un análisis coste-beneficio. Comprende el contexto de tu empresa. No es lo mismo un banco o una compañía de seguros que una empresa del sector industrial que no gestiona datos sensibles. Comprende tus necesidades particulares. Después de un análisis de costos, si hay suficiente presupuesto, elije SentinelOne.

La lección más importante que he aprendido al utilizar SentinelOne es escuchar siempre lo que dice el equipo de Vigilance Respond.

Todavía estamos descubriendo más beneficios en la solución. El modelo ya está implementado, pero somos una empresa muy grande y cada día encontramos nuevos dispositivos que no tienen SentinelOne. Todavía estamos en esa fase de mejora continua, de mejorar la solución y lograr aún más beneficios. Estamos llegando a los casos más aislados de, por ejemplo, servidores que tienen poca RAM y estamos debatiendo si debemos aplicarles SentinelOne porque, quizás, el servidor se verá más afectado.

No obtienes todos los beneficios en dos meses; es un proceso continuo.

Yo recomiendo a SentinelOne. Si al final es una cuestión de presupuesto, elígelo. Si mañana me convirtiera en un OSC, eso es lo que haría.