Protecting Your Network: Why Automated Remediation Is Just As Important As Detection

Expert Insights interviews Brett Taylor, SE Director at SentinelOne, to discuss their extended endpoint detection and response platform, and wider industry trends.

Cybersecurity professionals have faced seismic changes over the past few years, with a huge increase in both the number and sophistication of cyberattacks. Organizations need new technologies to improve their resilience against these attacks, but alert fatigue and a mismatch of vendors and competing services are making it increasingly difficult for them to find the right solution.

To discuss these pressures on security teams, Expert Insights spoke with Brett Taylor, SE Director at market-leading XDR and identity protection provider SentinelOne. Prior to joining SentinelOne, Brett was the Senior Systems Engineering Manager at Palo Alto Networks, where he ran their public sector technical team, and also worked at BAE Systems as their International Head of Government, Pre-Sales. 

Our interview covered the SentinelOne XDR platform, the need for strong endpoint protection and identity services within your cybersecurity strategy, the automation challenges in the security market today, and his advice for organizations to improve their cybersecurity defenses. 

Can you give us an overview of the SentinelOne platform, and what sets you apart from other providers in the endpoint protection and extended detection and response (XDR) space? 

Different vendors color XDR differently. For us, it means extending detection and response across many digital surfaces, but also exposing the XDR data we ingest to enable deeper integrations with our ecosystem partners, as well as enabling our customers to ask complex questions of that huge repository of data, in their context and addressing the business outcome they desire. Our heritage as a business is in the endpoint detection and response (EDR) domain, which has evolved from the next gen anti-virus (NGAV) space. If you were to visualize it as a series of technology evolution waves, you’ve got NGAV, then EDR, and now finally XDR as the most recent wave where we are one of the thought leaders. 

Our platform is S1 Singularity, and it enables you to monitor many different types of endpoints and surfaces via a deployed agent piece of software, whether they are traditional Windows, Linux, Mac or even mobile devices. Our coverage of the operating systems in terms of versions is very broad and temporally deep; as an example, we protect devices installed with 10 major Linux distributions and 12 years of Windows Server versions, and this is certainly a strength when you compare it against the market.

We also cover Cloud Workload Security, as cloud-native containerized workloads need runtime security protection and EDR just like any other computer. We deliver these capabilities to SecOps and DevSecOps teams through our Kubernetes Sentinel agents, which supplement pre-production CI/CD container scanning with real-time protection for live, in-production containers. Runtime protection is vital to identify and stop previously unknown threats that pre-production scans miss. Our K8s Sentinels also remove a blind spot for the SOC by enabling EDR threat hunting visibility into container operations. We have an efficient one agent per node architecture that supports self-managed Kubernetes and managed Kubernetes services including AWS EKS, Azure AKS, and Google Cloud GKE.

And there’s more coming as we consider storage as a surface, both in the network and in the cloud – in short, it’s a really complete platform in terms of the monitoring side of XDR. 

What we’re driving, and our ‘extended’ vision if you like, is deeper integrations and more enrichment from things like identity. One announced integration enriches information for our “Storylines” solution, from external systems like Okta. In practice, this means if there is an authentication breach or use of stolen credentials in the attack lifecycle, we will reach into Okta, get the logs about the user who used those credentials, and then take an action on them if warranted; we can suspend the user, or ask them to re-authenticate or a number of other remedial actions to stop the attack dead.

I mentioned Storylines—that’s another part of our differentiation. Storylines is our way of adding context earlier in the security analyst cycle, which takes away that grueling, manual work that analysts do in the SOC. To enable this capability, every single process—benign, or malicious—will be allocated a Storyline identifier. Every child process of that original process will get the same Storyline identifier, as will every grandchild and great grandchild process, and so on as the process tree grows, as well as every interaction between those processes. 

So, if you start with a process, which looks benign, but then three steps down that tree it suddenly is adjudged to be malicious by our AI engines because of its behavior or some other facet of its execution, you have all of the context. That’s our Storylines feature, and that’s how we build the atomic list of IOCs we detect into a single incident view that clearly shows the phases of the attack lifecycle, deeply rooted in the MITRE ATT&CK framework language. This is the single campaign-level alert that the SOC can see and, if they desire, drill into for further analysis, but with all of the context at their fingertips.

This deep understanding of the attack sequence, and the context, is what gives us the confidence to run a protection policy automatically as a best practice, on any maliciously judged attacks. This enables our clients to defend their businesses at machine speed; the same velocity at which they are being attacked in many cases. 

SentinelOne has recently completed an acquisition of Attivo Networks. How will their solutions fit into the wider SentinelOne product set?

There are three parts to Attivo that will enhance the Singularity platform notably. There’s identity threat detection and response, which we’re calling Singularity Identity, followed by identity configuration assessment, which we’re calling Singularity Ranger AD Assessor, and finally deception & decoy, which we’re calling Singularity Hologram.

Singularity Identity addresses the fact that AD and Azure AD are common targets of identity-based cyber-attacks, as their compromise can provide attackers with the foothold to expand access, establish persistence, escalate privileges, identify more targets, and move laterally. Singularity Identity threat detection & response (ITDR) defends, in real time, Active Directory and Azure AD domain controllers and domain-joined endpoints from adversaries aiming to gain privilege and move covertly.

The second new capability that Attivo brings us is Singularity Ranger AD Assessor. This is an identity configuration assessment solution that identifies misconfigurations, vulnerabilities, and active threats targeting enterprise AD implementations. Through this capability we’re able to provide prescriptive, actionable insight into exposures in the identity attack surface, and help businesses reduce the risk of compromise through an identity lens, bringing assets in line with security best practices.

The final part, Singularity Hologram, is straight up decoy and deception technology that enables us to leverage advanced, high-interaction deception and decoy technology to lure in-network attackers and insider threat actors into engaging and revealing themselves. By mimicking production OSes, applications, data, and more, we’re able to uncover covert adversary activity, collect high-fidelity telemetry, and garner actionable intelligence to help our clients build better defenses. In normal operations, none of your standard business processes will ever touch that simulated network, so you know that anything that does touch that network is something that you should pay close attention to and study. 

Taking a step back, what are the biggest challenges your customers are facing in the industry, which are driving adoption of these XDR technologies? 

It’s about automation. It’s about the value of time. We are a resource-poor industry in cyber, in terms of people that truly understand the threat and have the operational skills that we need. Two illustrative examples would be level one triage analysts who feel overwhelmed by the volume of security event data, and senior analysts having to step in and do a level one job to fill the gap, not utilizing their expertise or skills that they have built during their career. We need to fix this, as it ultimately makes both populations feel worthless, and they’re likely going to burn out and look for a change, increasing staff churn, and ultimately exposing the business to more risk, as it experiences a perpetual loop of training new staff to replace those capable staff walking out the door. 

To address this, what we want to focus on is automating more aspects of security operations. And that’s cutting down the more grueling, alert fatigue and integration bits of the security operations center, where you’re piecing together that context that I mentioned when we discussed Storylines. If you are given 250 events and told, “These are nine attack campaigns, Mr. Analyst, go and work it out,” it will take you time. It will take you a lot of time to piece it together, and it will be error prone. 

So, what you’re getting through the use of automation, and the use of both static and dynamic AI in that automation, is the best of machine speed detection and protection, enabling our valuable human resource to be freed, recovering their valuable time to go and be creative and do the threat hunting at the top end of the sec-ops tree, or refine the sec-ops processes themselves, where their skills are really useful. This helps provide more fulfilment and satisfaction as well as much better security outcomes.

Finally, what is your advice to organizations who are struggling with these challenges, but looking to improve their security resilience?

It’s all about planning. Make sure you put a plan together that incrementally improves your security posture by however small a degree, because any step is better than no step at all. Plan to get to your final desired state in incremental phases. I used to work in national cybersecurity deploying cyber protection platforms with a country-wide scope in Europe, the Middle East, Asia Pacific and the Americas. These were massive projects, but the fundamentals of success remain the same. You must phase cyber defense projects effectively, so you can realize the benefits and change your operating model as you go.

This is because your security operations will change and adapt as you adopt new technologies, as well as concepts like automation that we have talked about. So, I would say, make it a step change, not a big bang. And you might have an aspiration to run a really highly technological solution, but don’t do it all in one go. Realize the benefits, prove the benefits, and then take small steps along the road. Because incrementally, you will get better. Don’t expect to solve it overnight. 

You can find out more about SentinelOne here: https://www.sentinelone.com