For IT shops deploying an EDR solution like SentinelOne, a little customization can go a long way.
Miguel Quinn, a senior cybersecurity architect at Sanity Solutions, was surprised to learn that a longtime customer was now using SentinelOne.
“Who did you buy it from?” Quinn jokingly demanded.
The IT director at the organization—a county government with around 300 employees—told Quinn that the state government had paid for SentinelOne licenses for all counties in order to provide standardized endpoint protection. But when Quinn asked how the county was using the endpoint detection and response (EDR) tool, the IT director acknowledged that the county had simply deployed the solution “out of the box”—without making tweaks to meet the unique needs of the county government.
“Even most IT professionals don’t know all the nuances of a tool like SentinelOne,” Quinn says. “We’ve actually seen customers in the past who’ve experienced attacks that could have been prevented if they had customized their solution.”
State-led IT standardization programs like the SentinelOne initiative have real benefits, Quinn explains. A single statewide tool brings consistency, which simplifies procurement and training. Instead of evaluating vendors and negotiating contracts, county governments can focus on deploying and managing the solution, and the state can offer professional development that is relevant to every county.
However, Quinn notes, this consistency comes at a cost. In most small and medium-sized counties, a relative handful of staffers manage IT environments, and they may have little or no experience with the new standardized solution. Especially in the early days of adoption, this gap in experience can lead to a gap in security.
Quinn set aside an afternoon to drive to the county offices and walk the IT director through the SentinelOne console, tab by tab. Even though the customer hadn’t bought the solution from Sanity, Quinn wanted to make sure that the county’s IT environment was as safe as possible.
“I’m passionate about this product,” Quinn says. “If I can help, I want to help. It doesn’t matter whether you bought it from us or got it from the state.”
During his meeting with the IT director, Quinn pointed out these SentinelOne features that the county had previously overlooked:
Multi-Tenancy: “With SentinelOne, you can group your PCs and your servers into more meaningful groups,” Quinn explains. “Then, rather than having one blanket policy, you can start defining more specific policies for particular business units or user groups.” Quinn walked the county IT director through how to split his organization’s users into logical groups. He also explained the concept of “inheritance.” In EDR, this means that settings and policies automatically flow from higher-level objects (such as global policies or parent groups) to lower-level objects (such as specific groups or endpoints)—but not the other way around.
Network Discovery: Quinn showed the IT director how SentinelOne allows administrators to discover rogue machines running on the network. This could be the result of shadow IT, or a simple oversight, such as users forgetting to bring PCs to the IT department to have the EDR solution installed.
Vulnerability Management: The county’s SentinelOne license includes what Quinn calls a “light” version of vulnerability management. This means that the solution can inventory endpoint software and map it to known vulnerabilities. (Common examples include outdated versions of web browsers and old programming language libraries.) While the solution does not perform patching or auto-remediation, SentinelOne gives county administrators the information they need to remediate these vulnerabilities using their existing management tools.
Reporting & Auditing: SentinelOne offers administrators access to regular reports, Quinn notes. The solution’s Singularity console includes numerous widgets to track things like threats, unprotected devices, and vulnerable applications, and administrators can configure SentinelOne to automatically generate scheduled or on-demand reports and email them to stakeholders. Also, a console audit log lets administrators see who has logged into the platform, as well as any policy changes those users made.
Rollback Capability: “When SentinelOne detects ransomware or other attacks, it stops them in their tracks,” Quinn says. However, he notes, some files may already be encrypted by the time an EDR solution recognizes and stops the attack. SentinelOne leverages the Windows Volume Shadow Copy Service (VSS), which enables point-in-time snapshots of files and volumes while they are in use. If a user’s device is hit by ransomware, Quinn explains, administrators can simply roll the machine back to a snapshot taken before the encryption, which will restore the affected files. For servers, however, Quinn recommends relying on enterprise backup solutions.
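Because the rollback described above depends on intact VSS snapshots, here is an added PowerShell check (not from the article, Sanity Solutions or SentinelOne) that reports, per fixed volume, whether a shadow copy exists and how old the newest one is. The 24-hour threshold is a constructed default, and the script assumes an elevated session on a Windows host.

```powershell
# Added example, not from the article or from SentinelOne: report, per fixed volume,
# whether a VSS shadow copy exists and how old the newest one is.
# Assumes Windows PowerShell 5.1 or PowerShell 7 on Windows, run as an administrator.
param(
    [int]$MaxAgeHours = 24   # constructed threshold; tune to the environment
)

# Snapshots are only possible if the Volume Shadow Copy service can run at all.
$vss = Get-Service -Name VSS -ErrorAction SilentlyContinue
if (-not $vss) {
    Write-Warning "Volume Shadow Copy service (VSS) not found on this host."
} elseif ($vss.StartType -eq 'Disabled') {
    Write-Warning "VSS service is disabled; no new snapshots can be created."
}

# Fixed local disks only (DriveType 3), skipping volumes without a drive letter.
$volumes = Get-CimInstance -ClassName Win32_Volume |
           Where-Object { $_.DriveType -eq 3 -and $_.DriveLetter }

# Every existing shadow copy; VolumeName uses the same \\?\Volume{GUID}\ form as Win32_Volume.DeviceID.
$shadows = @(Get-CimInstance -ClassName Win32_ShadowCopy)

$now = Get-Date
$report = foreach ($vol in $volumes) {
    $forVolume = @($shadows | Where-Object { $_.VolumeName -eq $vol.DeviceID })
    $latest    = $forVolume | Sort-Object -Property InstallDate -Descending | Select-Object -First 1

    if ($null -eq $latest) {
        $ageHours = $null
        $status   = 'NO SNAPSHOT'
    } else {
        # Get-CimInstance returns InstallDate as a DateTime, so subtraction works directly.
        $ageHours = [math]::Round(($now - $latest.InstallDate).TotalHours, 1)
        $status   = if ($ageHours -gt $MaxAgeHours) { 'STALE' } else { 'OK' }
    }

    [pscustomobject]@{
        Drive         = $vol.DriveLetter
        SnapshotCount = $forVolume.Count
        NewestAgeHrs  = $ageHours
        Status        = $status
    }
}

$report | Format-Table -AutoSize
```

A volume showing NO SNAPSHOT or STALE is one that a snapshot-based rollback could not fully restore, which is where the enterprise backup Quinn recommends for servers has to take over.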
For the county, Quinn’s visit was the difference between running an out-of-the-box security solution and running a custom-configured version of SentinelOne. “Miguel’s deep knowledge of the platform helped us tune our security settings to better suit our needs,” says the IT director. “He also demonstrated features we were previously unaware of, which will improve our security posture and provide me with a much stronger sense of confidence in the product.”
Quinn says it’s something that Sanity’s solution architects would do for any customer. “We’re not just resellers,” he says. “We’re engineers. This is what we’re here for.”