Endpoint security specialist SentinelOne announced the latest release of EDR (Endpoint Detection and Response), which expands its core execution inspection technology with cloud intelligence, application whitelisting and real-time forensics.
This broader security coverage enables EDR to provide a continuous cycle of protection against both known and zero-day attacks on Windows, Mac and Android computing devices, including servers and embedded systems.
The expanded capabilities build upon SentinelOne’s existing predictive execution inspection engine, which dynamically tracks each newly created process on a machine to block malware, exploits and zero-day attacks.
"SentinelOne EDR is currently aimed at large to medium sized enterprises, which suffer most from advanced attacks. However, endpoint protection is an issue for all businesses. Primarily because the only tool available to them is anti-virus scanning, which everyone recognizes doesn't work anymore," Tomer Weingarten, CEO of SentinelOne, told eWEEK. "This is leaving organizations of all sizes exposed to attacks that can shut down or harm their business. Recent examples include Sony, Target, JP Morgan Chase and many others."
Weingarten also noted that sometime next year the company would release a version aimed at small and midsize businesses (SMBs).
Available immediately with subscription pricing based on a per endpoint per year basis, EDR also generates forensic reports which provide a graphical view of an attack’s sequence and also line-by-line details including dwell time, files impacted and network connections.
The platform provides dynamic investigative capabilities as a threat occurs, with forensic capabilities designed to simplify the collection and analysis of security incident data to accelerate response efforts such as identifying any other compromised machines on the network.
In addition, EDR now provides the ability to specify which applications are considered safe to run with automatic blacklisting of malicious applications that are detected by its predictive execution inspection engine.
The blacklist capability prevents a malicious application from spreading to other endpoints in the organization.
For discovery and initial whitelist configuration, SentinelOne EDR provides real-time visibility into all applications running on an endpoint, and also protects against tainted whitelisted applications.
To proactively block known threats, SentinelOne EDR now provides continuous passive scanning which combines cloud intelligence and processing.
Since its agent monitors every file and process on the endpoint, EDR automatically sends information to the cloud where it is scanned in real time by more than 40 engines that incorporate intelligence from leading reputation services. When a threat is detected it is immediately blocked on the endpoint before it can cause any damage.
From a performance and administration standpoint, SentinelOne’s passive scanning has zero impact on endpoints and does not require on-device updates.
Weingarten noted Endpoint protection must shift more of its focus to heuristic-based detection, and less on prior knowledge or reputation-based systems to block advanced and zero-day attacks.
"This approach will make it much harder for attackers to compromise systems and enable breaches to be detected faster," he explained. "In addition, endpoint protection systems should extend to cloud-based apps. They should allow administrators to set up centralized rules and policies to control both desktop and cloud apps with the same enforcement agent."