SentinelOne Review and Malware Rollback Demo.

  • Published 5 Oct 2024

Comments • 61

  • @Sentinelone-inc 2 years ago +28

    Thanks Tom for the review! For any technical questions from the audience, feel free to add your comments down here so we can answer. 💜

    • @hiddeninthewires2308 2 years ago

      Does SentinelOne support ICAP for storage devices?

    • @TO.ThinggaardIT 2 years ago

      Tom didn't touch on the uninstall process. Is it possible to uninstall SentinelOne from another portal that we don't have access to? We have issues where we onboard customers with an existing SentinelOne installation that requires uninstalling from the portal of the vendor that installed it.

    • @swachchhandapoudel3930 1 year ago

      18:37 What happens if the ransomware somehow manages to delete the volume shadow copies, which is a common thing done by any ransomware nowadays? Can I still roll back my machine state?

  • @James-xg4jr 2 years ago +7

    Honestly... I got the chills when those files went white on the desktop...

  • @cspell 2 years ago +5

    Nice demo. We just deployed this through the SonicWall Capture Client. The rollback feature is nice, but we couldn't test it, so it's good to know it works!

    • @DM-vt4vt 2 years ago

      Didn't know SonicWall also used this option. Excellent info.

  • @seanricks7986 2 years ago +2

    I recently became an Admin for S1. Great tutorial. I'm a subscriber & will share 🙂

  • @BillyBork 2 years ago +2

    Thanks Tom! As always, great content!

  • @agriv8r851 2 years ago +2

    Nice overview, thank you. As this replaces a traditional AV, would you still need to purchase a firewall, or do you think using the Windows firewall is good enough?

    • @LAWRENCESYSTEMS 2 years ago +1

      I would not purchase an additional firewall for Windows.

  • @EbenezerYiadom 1 year ago

    Great demo, thank you for the hands-on!

  • @jasond1500 2 years ago +2

    I use this for my clients as well. I'm curious if you do anything special for false positives now in light of the SolarWinds supply chain attack. We are at the point where we can't afford to just assume something's a false positive because the file is signed by a trusted source.

  • @DM-vt4vt 2 years ago

    Tom, you are awesome. Keep up the fantastic real world knowledge sharing!

  • @kendallarmand7192 1 year ago +1

    Thanks for reviewing this SIEM, you might have gotten me a job lol.

  • @krzysztoffraczyk3830 2 years ago

    5:13 - it's kind of the same as what Trend Micro has in their solution called OfficeScan. I remember a customer that, by mistake, enabled it on the PRD network for every connected endpoint (server and workstation). It was a rough time fixing it ;)

  • @CrashLoopBackOff-K8s 2 years ago +1

    Thank you for the review, Tom. Do you have any thoughts or insights on rolling S1 out to multiple Linux servers? I'm primarily concerned with trying to balance the overhead on system resources with the protection provided. Just curious if you have any thoughts there or experience with the Linux agent. Thanks again.

  • @dupinboulette 2 years ago

    Nice product, rocking the EDR market right now. I think Forcepoint is good as well.

  • @andrew8061 1 year ago +1

    Thanks Tom!

  • @alfredmiller9812 2 years ago

    Awesome demo. Thanks!

  • @Azrof 2 years ago +1

    Great video.

  • @allisonroberts8430 2 years ago

    Can you do a video on the why and how of SentinelOne running PowerSploit in the background on every device the agent is installed on? Where is the output file going?

  • @DangoNetwork 2 years ago +1

    S1 logging is crazy good. Poor man's SIEM.

  • @Cisco8484 2 years ago

    Am I correct that if you didn't have volume shadow copies enabled, you wouldn't be able to do a rollback?

  • @binnihh 2 years ago +1

    Do they offer special prices for schools?

  • @PokerMunkEEE 2 years ago +1

    Tom, are you using Control or Complete?

    • @LAWRENCESYSTEMS 2 years ago +3

      Complete

    • @PokerMunkEEE 2 years ago

      @LAWRENCESYSTEMS Thanks. Looking at going with Control, but it looks like I lose the Explore (Storyline) tab. Complete seems to be about 2x more expensive for us (200 endpoints).

    • @LAWRENCESYSTEMS 2 years ago +1

      @PokerMunkEEE I think it's worth it.

    • @PokerMunkEEE 2 years ago +1

      @LAWRENCESYSTEMS Sounds like it. $30/yr for Control and $60/yr for Complete. Seem reasonable? Can you sell it for cheaper? This is from Connection.

    • @LAWRENCESYSTEMS 2 years ago +1

      @PokerMunkEEE Depends on how many systems.

  • @bobbykalifonya57 1 year ago

    Are you still currently using it? Also, what is the process for whitelisting?

    • @LAWRENCESYSTEMS 1 year ago

      Yes, and allow listing is done via their web interface.

  • @breakb 2 years ago

    Is the S1 product available for retail or general public?

  • @DD1072 1 year ago

    A little late to the game here, but does anyone know what EXACTLY SentinelOne does when it isolates a machine?

    • @LAWRENCESYSTEMS 1 year ago +2

      Blocks all network access except to their servers.

    • @DD1072 1 year ago

      @LAWRENCESYSTEMS Thanks for the reply! But I was wondering more about how exactly it does that, i.e. in Windows, does it change the network adapter profile from Private/Domain to Public and make other Windows Firewall changes? Can't seem to find any documentation on that detail. Was hoping you might have experience from this demo 😀

    • @LAWRENCESYSTEMS 1 year ago +1

      Their software controls it; it's not using the built-in Windows firewall.

    • @DD1072 1 year ago

      @LAWRENCESYSTEMS Thank you again for taking the time to respond, and thank you for everything you guys/gals do!

  • @joeuser7384 2 years ago +1

    Can you do a real test? Double-clicking malware is in no way indicative of a real-world threat. There are dozens of free AVs that can stop commodity malware, so this test tells me nothing. What TTPs are you using?

    • @LAWRENCESYSTEMS 2 years ago +1

      Can you be more specific about what you consider a "real test"?

    • @joeuser7384 2 years ago

      @LAWRENCESYSTEMS A test that shows some real tradecraft. Threat actors don't just double-click malware that is sitting on someone's desktop. How was initial access gained to the system (phishing email, unpatched vulnerability, stolen credentials)? How does the malware get onto the machine? What was done to gain persistence after access had been gained? MITRE does a good job of replicating real tradecraft, which at the end of the day is what these solutions are supposed to be preventing. Just about any free AV can stop someone double-clicking malware.

    • @LAWRENCESYSTEMS 2 years ago +1

      @joeuser7384 I get what you are asking, but that would be a COMPLETELY different video on how attacks occur and very out of scope for a video titled "SentinelOne Review and Malware Rollback Demo".

    • @joeuser7384 2 years ago +1

      @LAWRENCESYSTEMS Fair. Would still like to see a real test if you could. 🙏

  • @fbifido2 2 years ago

    Is there an open source project that does this kind of stuff?

  • @AlupMare 2 years ago

    Any opinions on CrowdStrike?

    • @LAWRENCESYSTEMS 2 years ago

      Never used it.

    • @lennyaltamura2009 2 years ago +3

      It's good but expensive. It integrates with Splunk, so having that will enhance its performance.

    • @tomgore1959 2 years ago +1

      @lennyaltamura2009 S1 actually works better with Splunk. They have a component that will enable the Splunk front end as used in the environment today but will redirect the data to be stored in the S1 backend. This will not only cut the Splunk storage costs by more than half but also enable the customer to get dramatically improved performance on query results, as it is stored/processed in a cloud-native scalable environment. It's a win-win!

    • @lennyaltamura2009 2 years ago

      @tomgore1959 I know. I use S1 for threat hunting. I also use Splunk for outlier and zero-day IOC inspection. I'm curious what I said that spurred your reply. Thank you for pointing this out to the rest of the community. I find people making unsubstantiated claims about what S1 doesn't have. When I find these outrageous falsehoods, I always come to S1's defense. I also test EPP suites, SIEMs and the like.

  • @afchanneluniversal 2 years ago

    I like 👍👍👍👍

  • @TechySpeaking 2 years ago

    First

  • @cgsbdag3235 1 year ago

    Good demo. Thanks!