Interview: SentinelOne’s VP Product Management On CNAPP, Autonomous Threat Remediation

Expert Insights interviews Ely Kahn, VP, Product Management, Cloud at SentinelOne.


“There’s so much marketing noise, it’s really hard for CISOs to figure out what’s different,” Ely Kahn, VP, Product Management, Cloud at SentinelOne, tells Expert Insights. 

We’re talking at the RSAC in San Francisco, where the phrase ‘AI Powered’ is plastered across many hundreds of booths and posters. In April 2024, SentinelOne announced their new Purple AI solution, a first-of-its-kind AI platform that combines their real-time neural networks with an LLM interface to help teams better leverage threat hunting data and scale security operations.

“What’s different about SentinelOne really gets back to our origin story,” Kahn says. “The niche we filled was more about small, medium businesses and commercial customers that wanted a modern endpoint security solution that was simpler to operate and more automated. That’s the way we built the Singularity platform 10 years ago. Everything we are doing with Purple AI is carrying that same ethos. We simplify, automate, and streamline operations.”

Kahn’s career began in the federal government, as a consultant at Booz Allen Hamilton. He was the Director For Risk Management and Strategic Innovation at the TSA, Deputy Chief of Staff for Cybersecurity at the Department of Homeland Security, and then the Director of Cybersecurity for the National Security Council at the White House.

In 2012, Kahn left the federal government to co-found Sqrrl, a threat hunting start-up that was acquired in 2019 by AWS. The solution is now called Amazon Detective. He worked in the AWS team for several years, before joining SentinelOne as VP of Product Management for Cloud Security, AI/ML, and the Core Platform.

Kahn’s portfolio includes Purple AI and SentinelOne’s new cloud native security solution: Singularity Cloud Security, announced during RSAC 2024.

Singularity Cloud Security

Singularity Cloud Security is a Cloud Native Application Protection Platform (CNAPP), built on SentinelOne’s acquisition of PingSafe earlier this year. The solution is designed to mimic how a real-world hacker would assess an environment. It simulates multiple attack methods, and provides a prioritized, evidence-based list of exploits so security teams can prioritize improvements.

“We are the only CNAPP out there that offers an integrated offensive scanning tool,” Kahn says. “We go beyond just detecting misconfigurations and vulnerabilities. In addition to that, we look at your intranet, expose assets that have a misconfiguration or vulnerability associated with it. And we send a de-fanged exploit to assess whether that misconfiguration or vulnerability is actually exploitable, or just theoretically exploitable.”

“This is an ‘oh shit’ moment for CISOs,” Kahn says, because the solution provides tangible evidence of what could happen if a vulnerability is exploited. “They’ve never seen anything like this. They never see the proof, the evidence of what will happen if this vulnerability is exploited for real. And ultimately this is a better way to prioritize the massive amounts of alerts generated by cloud solutions.”

One of the challenges in the CNAPP space is that there is too much focus on the detection element, and not enough on the protection element, Kahn argues. “CNAPP tools really focus on detection, and not enough on protection. Really most of the tools out there are ‘cloud native application detection platforms’.”

SentinelOne is combining the Cloud Native Security platform with its cloud data security and cloud workload security product lines. “That’s our agent base, threat detection and protection capabilities, Windows, Linux, and Container agents that do real-time protection. So, you not only have real-time detection, but you have that protect mode as well.”

Toward Automated Remediation

What excites Kahn most in the cybersecurity space at the moment is the move toward automated remediation. SentinelOne’s Purple AI solution is part of this move, streamlining the threat investigation and threat hunting process using natural language commands and building that into automated investigation workflows.

“It guides you along with minimal human intervention needed,” Kahn says. “We’re moving beyond the idea of AI assistance, and [triaging alerts] fully automatically, in the background. But outside of the SentinelOne portfolio, there is a trend in the market towards automated remediation, and helping teams defend against vulnerabilities more effectively.

“There’s a number of startups we are tracking that are using AI to bring automated remediation to other areas as well. A great example is in the application security space, which is oftentimes the root cause of the threats that we have to go in, detect, and help fix up. The more that we can bring security left, and fix insecure code as it’s being developed, the less attack surface there is, and ultimately the fewer threats we’re going to face downstream.”

“Things in the shift left security bucket, using AI to make developers form or develop code more securely, it’s something I’m super excited about. It’s going to make security better across the entire stack.”