My company uses SentinelOne Singularity Complete for general endpoint security. The solution is excellent at solving problems many other vendors don't solve properly. My company runs on multiple platforms and software in various environments. My company is a Microsoft company with Azure AD and many Windows computers, and SentinelOne Singularity Complete is terrific for that. The company also has MacBooks, Linux machines, and clusters of Linux containers with various distros and types. SentinelOne Singularity Complete is surprisingly good at supporting the platforms, and the enterprise needs my company has.
IT Manager at a financial services firm with 51-200 employees
You don't need to configure a lot with it because it provides an unmatched layer of protection out of the box
Pros and Cons
- "The best feature of SentinelOne Singularity Complete is that you don't need to configure a lot with it because it provides an unmatched layer of protection out of the box."
- "Having an additional logic layer could improve the solution, mainly because I run multiple systems with different layers. For example, if I'm running a very important server with this agent, and that server gets infected, I may not necessarily be sure that I want to shut it down right away. Maybe I want to isolate some of the connectivity but not do the entire security remediation automatedly or curtail network access type of activity."
What is our primary use case?
What is most valuable?
The best feature of SentinelOne Singularity Complete is that you don't need to configure a lot with it because it provides an unmatched layer of protection out of the box.
Implementing SentinelOne Singularity Complete is a competitive bid process. As part of the competitive bid process, SentinelOne Singularity Complete stands alone. I work for an enterprise, and the company has old software. CrowdStrike Falcon Pro is a great competitor of SentinelOne Singularity Complete, but CrowdStrike Falcon Pro doesn't fit my company's needs because of its very aggressive deportation policy. If you ever run any software not in the standard manufacturer support or some support package, Crowdstrike cuts you off from updates. In real life, that doesn't work because my company builds software. Some of the company's cluster apps run on Red Hat 7, old Linux kernel, CentOS, or other distros around that era. My company has significant old technologies that it needs to secure.
A pro of SentinelOne Singularity Complete is the approach that it knows isn't the best, but it will still give you the best it has.
I also find that SentinelOne Singularity Complete gives a significant layer of security on top of SD-WAN, mandatory access control, and general information management, which is very helpful.
In assessing the solution's interoperability with other Sentinel One solutions and third-party tools, my company started utilizing Scalar and has a history of using Scalar and other providers. SentinelOne acquired Scalar, an enterprise log management platform, which is very good for the price. Scalar may not be the best platform in the world, but it's very good for the price. SentinelOne, having acquired Scalar, has gone and built an excellent integration for all logging so that you can get the SIEM logs into the Scalar pipeline and run it through a general log analysis platform, so it's unmatched.
In general, I'm pleased with the ability of SentinelOne Singularity Complete to ingest and correlate across my company's security solutions, especially with its price point. I only found very few antivirus or EDR solutions that can compete with SentinelOne Singularity Complete, but I generally prefer working with the solution because of its interoperability.
Another reason why I like the solution is because it works. It doesn't require an Internet connection. The remediation is automated, and the alerting function is excellent. Support for the platform is also great, including multi-tenancy, role-based access control, and automated deployments.
I don't have much bad feedback about SentinelOne Singularity Complete, while in contrast, I've been quite disappointed by many technical aspects of other antivirus solutions, such as the Deep Instinct Antivirus. As for MSP machines, I used to work at MSP and had many problems. I also find the CrowdStrike sales representative incredibly annoying.
I find that SentinelOne Singularity Complete works pretty well for what I want, and it always hits the right price point and options that suit my company's general, overall security platform and management of that platform.
The Ranger functionality of SentinelOne Singularity Complete works well in providing network and asset visibility, especially as my company is a Microsoft Azure AD company at the core, so most of the company's Mac and Windows endpoints are managed, and monitoring the cloud ID and posture is essential. However, I don't need to check it daily because the solution manages itself well. SentinelOne Singularity Complete works very well for active directory management and posture matching.
I appreciate that the solution can consume at an API level, but I don't care as much whether it runs an agent or doesn't because I can automate agent deployment to the fleet. If the agent works, then great. An agentless solution is suitable for old platforms that don't have the most up-to-date technologies. Whenever you try to run an agent on various environments, it might not be the ideal platform for that agent so you could run into unexpected problems. Being agentless makes SentinelOne Singularity Complete better, but I wouldn't be upset if it were a good and solid agent-based solution.
In terms of how significantly the solution helped reduce alerts depends on how many alerts my company was paying attention to before and how many alerts it is paying attention to now. I'm unsure about that because one reason for implementing the SentinelOne Singularity Complete stack at the company has been to increase the security footprint and security posture. My company might have had several useless alerts before and maybe fewer alerts now, but did the company pay more attention to the alerts now? I'm unsure if the alert reduction or paying more attention to the alerts makes a difference.
About SentinelOne Singularity Complete helping to free up staff for other projects and tasks, that isn't easy to tell, as I have a team of four, and some of the work changed upon implementation. For example, instead of fighting with specific agent installs or trying to figure out how to get logs into another system, some of that workload is reduced, but now my team may be paying more attention and uses the same amount of time for alerts, remediations, or other more important aspects, so it is possible that the amount of time spent after the SentinelOne Singularity Complete implementation wasn't really reduced. That would depend on your perspective.
As to SentinelOne Singularity Complete helping the company reduce the mean time to detect, my company didn't record the mean time to detect before implementing the solution. I feel that it is effective, but right now, I don't have a basis of comparison that allows me to point to that periodically says my company reduced the meantime to detect or that it was increased by some percentage.
SentinelOne Singularity Complete has been very effective in helping reduce organizational risk for my company, especially regarding budgetary footprint. The solution has been very effective at what it does and has helped reduce the company's cyber insurance premium. My company is a SOC 2-certified institute and has to go through an annual compliance process with auditors, so going through and being able to explain and show how the company has automated and deployed solutions and minimized its risk profile has been very helpful.
The company I work with now spends slightly less than it did and gets more value from SentinelOne Singularity Complete. Though the cost may not be that different from others, the value provided by the solution is very different. In the past, my company had several decentralized alerts and platforms. Still, after implementing SentinelOne Singularity Complete, the solution could bring and tie them together through an automated platform. It works, and when it comes to enterprise security, for every company you work for, you're not the one who built that network or solution. You have no idea what's going on, so your ability to maintain control relies on understanding the threat surface and how to control it, which SentinelOne Singularity Complete is good at.
My background is in Linux administration, and I've gone through several security tools over the years. I built out mandatory access controls and messy Linux policies. I've worked with a lot of different companies over time. SentinelOne Singularity Complete supports Linux systems really well, which is crucial because I work for a company that builds software with an ecosystem of applications, cluster apps, and containers on Linux.
Some other solutions were stuck a decade ago, particularly running Windows and .NET and other affordable systems, and though I love Windows and Mac, those are user endpoints, and endpoints extend beyond user endpoints, for example, endpoints include servers and the full scope of internet-connected devices in a company.
If you're trying to implement a zero-trust framework and a system resilient to failure across a Swiss cheese layer of multiple problems. In that case, finding one solution capable of dealing with that kind of threat is complicated. You look at Microsoft Defender, and Microsoft has improved its security over the last decade. Obviously, Microsoft still has ways to go, given that it still keeps losing its signing keys. Still, the reality is that, similar to Windows and Azure, Microsoft has improved its security footprint. Microsoft Defender went from being a joke of a product to a very viable solution. That's great, but I can't run that on Mac, and I can't run that on Linux clusters.
Looking at CrowdStrike Falcon Pro, it is a great product. It has a very annoying sales team, but it is excellent. The problem in enterprise, however, is that sometimes, you have to run old technology, and when you cut off the solution from working on old technology, that's not helpful and makes everything worse, so I appreciate the aspect of SentinelOne Singularity Complete supporting even the old technology my company is on, which is a significant differentiator that is very useful about the platform.
When you think of Carbon Black and VMware, each platform is good, works quite well on Mac and Windows, and has some capabilities, but the level is not the same as SentinelOne Singularity Complete. SentinelOne Singularity Complete can be a stand-alone product versus other products.
If you're running a decent company, you should be able to invest in security and be willing to spend whatever it takes to have a very competent solution. Since I control the budget, SentinelOne Singularity Complete provides more value for the dollars spent and a more cohesive structure than what you can get from other solutions.
I'm unsure if SentinelOne Singularity Complete is amazingly the best, but it's the best overall product because it fits my company's needs. I work for a SaaS building enterprise company that does financial transactions, which has public internet-facing applications that get constantly attacked. If I can't run a comprehensive security product across all systems, I'd have to look in three different places, which means I lose some of that robust information. I lose some of that ability to correlate threats and figure out what's happening, and so do automated platforms. An automated platform can lose the ability to correlate the different events it doesn't know about, and this is where SentinelOne Singularity Complete really shines. It's a cohesive, widespread solution that's great in various aspects.
In terms of being innovative, SentinelOne Singularity Complete is quite innovative. I grew up with the internet and have seen different generations of security products and ideas. When SentinelOne Singularity Complete came to market, it was significantly different than the other solutions. SentinelOne could either be acquired or build very useful products, taking interoperability between different products to a level you won't find in other companies.
With how my company uses SentinelOne Singularity Complete and the Scalar platform for all its servers, the company logs into Scalar and runs alerts and rejects, flags alerts, and also gets to ingest all SIEM logs from SentinelOne Singularity Complete into Scalar, and then gets automated alerts. This means that my company gets multiple layers of visibility across its stack and analysis pipeline. My company then gets to log push to S3 after the hot tier access is over, which means it gets to retain all security alerts and problems for up to seven years, just in case, which is essential for a financial services company like the one I work for. Doing that is much more complex with other solutions versus SentinelOne Singularity Complete, so I chose it because, currently, it is the best.
I care about aspects that other people don't care about, such as supporting old Linux distros and being able to run the solution in some weird cloud environments easily. I care about SentinelOne Singularity Complete working with my company's log analysis platform, which makes the process easier.
What needs improvement?
It's difficult to pinpoint areas for improvement in SentinelOne Singularity Complete because I always like to see certain aspects. Still, if I look into the EDR solution itself, I don't have many negative thoughts about it, as it is very good.
If something could be improved in the solution, I'd say better pricing, as I'd always take better pricing. I would appreciate lower pricing. The lower the pricing, the easier it is for me to sell it. A solution with lower pricing tends to sell itself at some point.
Building a more advanced "if this, then that" logic in SentinelOne Singularity Complete, in terms of when to cold shutdown, particularly when it detects a threat, would isolate it from the network, could be an improvement. There could be a better way of saying "yes" or "no" to doing an action or specific actions unless it's one of the exceptions on your list. Having an additional logic layer could improve the solution, mainly because I run multiple systems with different layers. For example, if I'm running a very important server with this agent, and that server gets infected, I may not necessarily be sure that I want to shut it down right away. Maybe I want to isolate some of the connectivity but not do the entire security remediation automatedly or curtail network access type of activity.
If I could have a more advanced control layer where I could say, "Hey, I want to do that on almost every system, but these systems are so important, and they have to keep running, so maybe if there is a problem, you can do these things instead," then that would make SentinelOne Singularity Complete better.
For how long have I used the solution?
We've been onboarding SentinelOne Singularity Complete as our primary EDR solution this year.
We implemented Scalar last year as the first step, and then it became a natural step to move as we wanted to have all of our logs flow into our general login analysis platform so that we could build and consume our own software platform. We build many SaaS apps, and we have about a thousand web servers facing the Internet, so what better way to analyze all of these than to get our internal logs, such as browser, local events, and all of the data into one place and one data plane?
Buyer's Guide
SentinelOne Singularity Complete
October 2024
Learn what your peers think about SentinelOne Singularity Complete. Get advice and tips from experienced pros sharing their opinions. Updated: October 2024.
814,649 professionals have used our research since 2012.
What do I think about the stability of the solution?
Stability-wise, I haven't run into many problems with SentinelOne Singularity Complete, except for one case where the agent was short-cycle restarting, but that was due to some problems I caused. I can't really complain about that.
I wouldn't say I liked the SELinux policy that you force out over Ansible configurations, which naturally conflicted with the SentinelOne Singularity Complete agent. Still, once that got flagged and tagged, it was fine.
Overall, I'm satisfied with the stability of the solution, which was why my company implemented it.
What do I think about the scalability of the solution?
SentinelOne Singularity Complete is a scalable solution, which is another reason my company chose it.
How are customer service and support?
I don't contact technical support very often, but when I have, I haven't been disappointed. For example, the Scalar data center team has provided excellent technical support whenever I've asked for help with query matching strings and building RigX, so I'm very happy.
I found the technical support for SentinelOne Singularity Complete very good, and I'd probably reach out to the support team with more questions, which the team would probably answer.
My rating for technical support is nine out of ten.
How would you rate customer service and support?
Positive
Which solution did I use previously and why did I switch?
Previously, we used Microsoft Defender, but I also used SentinelOne Singularity Complete in a former company. I like it a lot, and that's part of why my company uses SentinelOne Singularity Complete now.
How was the initial setup?
Deploying SentinelOne Singularity Complete didn't take long for a small global company like ours. My company has offices in the US, Canada, France, and India, and working between different locales took more time, but generally, the process didn't take very long, as it only took about two weeks.
SentinelOne Singularity Complete is a commercial solution that I found easy to implement, which is another reason my company paid for a commercial solution.
What about the implementation team?
Myself and two other people were involved in the deployment.
What was our ROI?
In terms of getting ROI from SentinelOne Singularity Complete, some factors must be considered. There is a requirement for a few layers to start with. My company has to spend some money just as a baseline.
One requirement is to be SOC 2 compliant, which means an auditor will come in and ask about the company's antivirus software, whether it's running an EDR, including analyzing logs.
Another player is the cyber risk insurance, as the company tries to get the premiums as low as possible and takes security as seriously as possible, by demonstrating to insurance partners that the company is a very low risk in terms of threats becoming problems.
In terms of cost-effectiveness, mainly based on adjustments to your premium, which either raises or lowers the price, SentinelOne Singularity Complete is quite effective.
What's my experience with pricing, setup cost, and licensing?
SentinelOne Singularity Complete is aggressively priced compared to smaller solutions. Still, in the past, as I worked for a SentinelOne reseller partner that deployed SentinelOne solutions to a lot of different customers, I was able to appreciate its capabilities and full features, which is part of the reason my company has implemented SentinelOne Singularity Complete.
The solution is a bit cheaper than CrowdStrike Falcon Pro and more expensive than smaller solutions. Still, it has a pretty reasonable pricing point, as I appreciate the flexibility SentinelOne Singularity Complete offers. I haven't been disappointed with its pricing because I'm more of a "not everything cheaper is better" person. It's not better if it makes the worst product.
I'm very satisfied with SentinelOne Singularity Complete, especially its price because I've worked with various companies. Yet, I found that no one provides a really good solution for the price except for SentinelOne.
Which other solutions did I evaluate?
When I started at this company, an MSP recommended a legacy type of antivirus, and I felt it was not up to par with what SentinelOne Singularity Complete provides. SentinelOne Singularity Complete is an excellent enterprise product with an excellent price point that's hard to argue with in terms of results and efficiency per dollar spent, so it's a no-brainer.
What other advice do I have?
My company is mainly a cloud-based company. Very few solutions in the company have been deployed on-premises.
SentinelOne Singularity Complete is managed across different layers and all verticals, such as the web, firewall, etc.
Between two hundred to two thousand five hundred people use SentinelOne Singularity Complete within the company.
My rating for SentinelOne Singularity Complete overall is a nine out of ten. I don't give tens because there's always room for improvement, but the solution is pretty good.
Which deployment model are you using for this solution?
Hybrid Cloud
If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?
Other
Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
Director or IT Security at a educational organization with 11-50 employees
Provides a single pane of glass and takes care of a lot of things for us
Pros and Cons
- "The single pane of glass is probably the most valuable. That is a big one. We could see everything from one view."
- "It is not so much on the Singularity platform itself, but they have their own built-in SIEM that is included with it. That needs to evolve a little bit. It is relatively basic in its capabilities. They have potential there for a great product and a needed product too. Having some kind of SIEM capability with the endpoint solution will save me from buying a bigger SIEM or buying another one. I could just use the one that comes with my endpoint solution."
What is our primary use case?
We use it for our endpoints. It is installed on all of our servers and desktops. It is a replacement for the AV platforms that we used to have.
Overall, the product monitors what is happening on your machines. It monitors incoming mail and web addresses that your browsers are trying to access. It looks for suspicious activity that may occur on your desktop or on your server and generates alerts based on the type of activity. It might find a malicious file that you downloaded. Like a virus scanner, it would scan something. It might find something that it suspects to be malicious. It will look at that item and go to its own threat intelligence sources to see if it is a known threat. If it is a known threat, it will either block it or do something to it based on how you have pre-configured it. If it suspects something to be a threat but does not have any reference, meaning that it is an unknown threat, then depending on what it detects or how that thing may behave, it would either alert you or suppress or isolate it. It can do a number of things. It depends on the inner workings of the product itself, but our use cases are to protect our endpoints. It is a replacement for our AV, but it is a whole level above what AV used to be. It is the evolution of AV.
How has it helped my organization?
We had three different AV platforms in our organization. There was no central way to manage them. We had no complete visibility. From one part of our organization, we had no visibility into another part of our organization. By putting this platform in, we now have one view of the entire organization. We can look at threats as they span our organization. Threats could potentially be moving around. We can detect if they are spreading to other parts. We could not do any of that before.
Singularity Complete has a much better detection engine. It detects a lot more than an AV can. AV is pretty much finished. There would not be AV anymore.
In terms of interoperability, we do not have any other SentinelOne solution. This was our first one. There is not a lot of interoperability between endpoints and everything else. The only interoperability that is useful for us right now is the log data that it provides to our SIEM. It allows us to do correlative analysis between different areas. If we have a threat that could be going from endpoints to internet devices, such as switches, or places where the EDR system is not installed, it becomes valuable when we are sharing data from the EDR and our other systems, and we have a tool that analyzes all that data to look for threats that may span in our entire environment. I do not see the interoperability being a problem with our other tools, and I am sure it would not be an issue amongst SentinelOne's own tools as well, but I do not have any data points on that yet.
Singularity Complete has helped big time to reduce our alerts. In fact, that was my concern with it. I was concerned that we are not seeing too many alerts anymore. I had a meeting with them recently, and I mentioned to them that I feel that we should be getting more alerts. They are going to take a look at our platform to make sure it is working fine, but it seems to be doing a great job of dealing with the alerts in an automated fashion. I became a little bit suspicious that it might be doing too good of a job, so we are just having them double-check. It is just me making sure all my I's are dotted, and my T's are crossed. As a security person, I do not like to have questions out there, but otherwise, it is doing a great job.
It has freed up our time. It takes a lot less time to investigate things. It takes care of a lot of things for us. It has offloaded 30% to 50% of some of the work that we had to do in the past. It allowed us to work and focus more on higher-priority items.
It has absolutely reduced the mean time to detect. It has probably reduced the time to detect by 75% because we just did not have some of these capabilities before.
Singularity Complete has also reduced our mean time to respond but not as much as the mean time to detect. It does a lot of resolution of issues for us. It has probably improved that by 30% to 50% because it does a lot of that automatically, but it frees up our time. We can resolve the stuff that needs our personal assistance a lot quicker because we have more tools and capabilities at our disposal through SentinelOne than we had before.
Singularity Complete has saved us costs big time. We have eliminated three different vendors and the associated maintenance of those platforms. We needed more people and resources to manage three different things, but now, we do everything with just a couple of folks. Our time savings are about 50%.
It has helped reduce our organizational risk because we can detect more things that are hitting us. I cannot give a number on that, but it has definitely reduced our risk exposure. From a pure security standpoint, our risk frame point used to be flagged as red. We were missing a lot of things, and now, it is green.
What is most valuable?
The single pane of glass is probably the most valuable. That is a big one. We could see everything from one view.
The automatic detection and response is great. It takes care of a lot of alerts that it generates before they even cross our desks, which is great.
It has advanced detection capabilities. It has the ability to go and look for known threats that are in the environment. Its ability to detect even unknown threats and any suspicious activity is great. We are very happy with it.
What needs improvement?
It is not so much on the Singularity platform itself, but they have their own built-in SIEM that is included with it. That needs to evolve a little bit. It is relatively basic in its capabilities. They have potential there for a great product and a needed product too. Having some kind of SIEM capability with the endpoint solution will save me from buying a bigger SIEM or buying another one. I could just use the one that comes with my endpoint solution.
From the looks of it, it does pretty much what we need, but it could do more. It would be nice if it had some newer features that other players have. They would have a good market advantage if they were offering SIEM as a part of it. They kind of do that, but it is not something they are promoting. We just stumbled on it, so you can use it for doing other things as well, not just endpoint incident and event collection.
For how long have I used the solution?
We installed it in January, and we were doing a gradual ramp-up over three months. It has been up and running for about four months now. It is completely up and running.
What do I think about the stability of the solution?
We have not had any issues. The performance seems good.
What do I think about the scalability of the solution?
It seems very scalable. We have not run into any issues. We pushed it over about 2,000 endpoints. It performs the exact same way it has been.
How are customer service and support?
I have not personally contacted them, but my team has contacted them. Especially during deployment, they were very helpful. They helped us to get it done. The feedback I got was positive.
Which solution did I use previously and why did I switch?
We had three different AV platforms. We eliminated McAfee, Defender, and ESET. Singularity Complete does everything better than these because it has got capabilities that these products did not even have. The biggest thing for us is the single pane of glass, so we can see right down to the machine. It is great at machine isolation, and it has better detection and mitigation capabilities than any of these products. It does a lot of it behind the scenes. A lot of it is automated and does not require us to do anything.
How was the initial setup?
It is a cloud solution with local installs at the endpoints, so everything is cloud.
I manage security for the organization. I was not doing the deployment, but I was a part of the deployment team, the meetings, and the decisions when we were going to do different things. I was not pushing the software to anybody's desktop but my team was.
It was not a difficult installation. Based on the feedback that we got, it was pretty straightforward. It went over relatively smoothly.
It does not require any maintenance. It is cloud-based, so we do not have to do much to it. The endpoints will update themselves periodically, so there is not much for us from a maintenance standpoint. It does not have a lot for us to do.
What about the implementation team?
We acquired our SentinelOne implementation through a reseller. We used the reseller's help, but we did almost 90% of it ourselves. They helped us manage the project piece and provided expertise and guidance. Between SentinelOne and the vendor itself, we got it done, but we did 90% of the heavy lifting.
There were probably four or five people between all of our locations, but most of it was done remotely. There was no need to touch individual desktops. We were able to push most of it out.
What's my experience with pricing, setup cost, and licensing?
SentinelOne was half the price of CrowdStrike.
Which other solutions did I evaluate?
We looked at all the big ones, such as CrowdStrike. That is the first one that comes to mind. We even looked at Microsoft Defender and Sentinel. We looked at a few other solutions out there. We had an IBM demo there, but I do not remember what theirs was called. Bitdefender was another one that we looked at.
We went to Singularity Complete for the feature set. They did not have a robust feature set the way CrowdStrike does, but they had everything that we needed. CrowdStrike had even more advanced features, but SentinelOne's pricing was half of what CrowdStrike sells for. It was a pretty easy decision for us to go with SentinelOne. They were much better than the other players that we looked at. It came down to between SentinelOne and CrowdStrike, and the pricing made all the difference. They also seemed pretty easy to deal with, whereas with CrowdStrike, it felt like they were doing us a favor. When we talked to them, I just did not get a great sense of them, but price was one of the main things. CrowdStrike's price was double of SentinelOne's price.
What other advice do I have?
I would advise a couple of things. If you are using a reseller to buy this and install it for you, have a good reseller that you can call upon for support and help manage the project. The other thing that I would probably suggest is to negotiate your education up front and not after the fact. It does not come with a lot of training. They even charge for the online university, so you should probably negotiate that as a part of the negotiation process before you sign a deal. Other than that, it is good.
I would rate Singularity Complete a nine out of ten. For my use case, it is definitely a nine.
Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
Buyer's Guide
SentinelOne Singularity Complete
October 2024
Learn what your peers think about SentinelOne Singularity Complete. Get advice and tips from experienced pros sharing their opinions. Updated: October 2024.
814,649 professionals have used our research since 2012.
SME for Cybersecurity at Locuz Enterprise Solutions Ltd
Helps reduce our MTTD and MTTR while improving our network visibility
Pros and Cons
- "SentinelOne offers several valuable features for threat detection and response."
- "SentinelOne Singularity Complete needs more connectors for integration with more solutions."
What is our primary use case?
Our organization is leveraging SentinelOne Singularity Complete to achieve a comprehensive endpoint security solution. This involves utilizing SentinelOne's EDR functionality across all our endpoints, including IT, OT, and legacy systems. By integrating additional log sources, we're expanding to XDR which will further enhance threat detection, investigation, and response capabilities. This enriched data will also enable the creation of custom workflows to streamline security operations and improve the overall effectiveness of SentinelOne alongside existing security solutions like Office 365, proxy servers, and firewalls, allowing for better correlation and incident response.
Our previous antivirus solution wasn't strong enough to keep up with the growing number and complexity of cyberattacks. Traditional antivirus struggles to monitor all endpoint processes and activities. SentinelOne Singularity Complete addresses this issue with its Endpoint Detection and Response capabilities. EDR collects comprehensive endpoint data and stores it centrally, allowing us to monitor all running processes, identify evolving threats and their techniques, and take appropriate action. Additionally, SentinelOne's built-in AI and ML can detect suspicious behavior that traditional antivirus solutions might miss, providing advanced protection against modern cyberattacks.
Our organization utilizes a two-pronged approach to cybersecurity with SentinelOne. On-premises, SentinelOne Singularity Complete safeguards our sensitive big data that never leaves our network. Additionally, we leverage the cloud-based SentinelOne SaaS solution for further protection.
How has it helped my organization?
SentinelOne offers a marketplace that expands its XDR capabilities. This marketplace allows for seamless integration with various security solutions, including Azure AD, email gateways, threat intelligence platforms, firewalls, and proxies. By integrating these tools, we can create automated response playbooks within the XDR platform, streamlining our security posture.
SentinelOne Singularity Complete excels at gathering and analyzing data from various security solutions. Its built-in marketplace offers over 120 connectors that automatically ingest logs, enabling correlation and better incident response through custom workflows. This integration streamlines security operations by minimizing manual effort and allowing security personnel to focus on faster remediation.
We leverage Ranger to secure our raw networks and functionalities that SentinelOne has limited coverage for. Additionally, we actively search for vulnerabilities in our systems.
Ranger is a valuable tool for improving network and asset visibility. It helps us identify gaps in our coverage by highlighting raw networks and unmonitored endpoints. These blind spots represent areas where we lack agent deployment, and Ranger essentially acts as a roadmap for prioritizing where to install them for a full view of our environment.
Ranger has a seamless integration process. From the console, we enable Ranger, triggering the installation of a lightweight agent on our endpoints. This agent then monitors traffic to identify coverage gaps and potential vulnerabilities within our system.
Integrating all log sources and creating a custom workflow will streamline analyst workloads. This will automate most of the basic tasks currently handled manually, freeing up the team for other projects. The analysts performing investigations and remediation will see a significant reduction in time spent on repetitive tasks.
Since implementing SentinelOne Singularity Complete, our mean time to detection has been drastically reduced, going from two full days down to just ten minutes each month.
SentinelOne Singularity Complete has reduced our mean time to remediation.
SentinelOne Singularity Complete has been a valuable asset in reducing our organization's security risks. Its features, including device control and firewall management, provide us with the tools we need to effectively manage and secure our endpoints.
What is most valuable?
SentinelOne offers several valuable features for threat detection and response. Correlation, static analysis, and other detection engines work together to identify and address security issues. Additionally, the STAR Rules feature allows us to create custom alerts based on specific attacker behaviors or indicators of compromise. This empowers us to not only respond to built-in threats but also proactively detect and prevent emerging ones by defining custom actions for abnormal activity. In short, SentinelOne goes beyond native threat detection, offering customization to tackle even the newest threats.
What needs improvement?
SentinelOne Singularity Complete needs more connectors for integration with more solutions.
It seems there are currently two separate installers for the same device, one in MSI format likely for Windows and another in a potentially custom EXP format. Ideally, these could be combined into a single installer. If that's not feasible, the EXP format could be used as a self-extracting archive that automatically installs the software using the MSI installer. This would eliminate the need for two separate agents and provide a more streamlined installation experience.
SentinelOne endpoint protection enters a reduced functionality mode during certain resource-intensive events. This mode temporarily limits some features and may require a machine restart. In some cases, the agent might even get disabled. To restore full functionality, we need to re-enable the agent and reboot the machine, which can be inconvenient. Ideally, SentinelOne should improve its handling of resource usage to avoid these disruptions.
The technical support response time has room for improvement.
For how long have I used the solution?
I have been using SentinelOne Singularity Complete for three months.
What do I think about the stability of the solution?
The current version of SentinelOne Singularity Complete is stable.
What do I think about the scalability of the solution?
SentinelOne Singularity Complete is highly scalable.
How are customer service and support?
The technical support response time is slow.
How would you rate customer service and support?
Positive
Which solution did I use previously and why did I switch?
Our previous antivirus solution, Symantec Endpoint Security, struggled to keep up with evolving cyber threats. Additionally, integrating it with other security tools proved to be a slow and cumbersome process. Since switching to SentinelOne, we now benefit from seamless integration with various log sources and other security solutions, enabling a more holistic and responsive security posture.
How was the initial setup?
The initial deployment was straightforward and took four months to complete in our large environment but it was not complex to onboard the machines based on our policies.
Four people were required for the deployment.
What's my experience with pricing, setup cost, and licensing?
While the cost of SentinelOne Singularity Complete might seem high at first glance, it's important to consider the value it offers. This helps to average out the cost.
What other advice do I have?
I would rate SentinelOne Singularity Complete nine out of ten.
SentinelOne Singularity Complete offers a comprehensive security solution for cloud workloads and endpoints. While it excels at covering all these areas, it could benefit from more granular control and further enhancements. The ability to extend its protection to cloud security or cloud servers, similar to CSPM tools, would be valuable for taking action within cloud or microservice environments.
Maintenance is required for updates.
SentinelOne is a good strategic security partner.
Before implementing SentinelOne Singularity Complete, it's crucial to understand how it will integrate with your existing systems. This ensures compatibility and avoids any unintended consequences. Make sure to create exclusions for any applications that might conflict with SentinelOne to prevent disruptions.
Which deployment model are you using for this solution?
Hybrid Cloud
If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?
Other
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Last updated: Jun 3, 2024
Flag as inappropriateAnalyst Information Security at a healthcare company with 5,001-10,000 employees
Drastically reduced alerts, highly interoperable, and unparalleled support
Pros and Cons
- "I have been a Mac guy for twenty years, and the feature parity and the capabilities of a Macintosh agent are unparalleled in the industry. It is the first anti-malware and antivirus that does not make you feel that you bought the wrong processor. It is really good and lightweight."
- "It seems like they are doing a lot with their automatic updates. They can maybe slow down the actual release cycle to make it easier to deploy the most recent and then do it using the live update. They can continue to work on that because trying to get agent changes through change management platforms and get approvals and testing can be quite difficult."
What is our primary use case?
It is our primary software platform for endpoint detection and response and vulnerabilities.
How has it helped my organization?
Our overall fleet posture and our security have increased a lot. It is much easier to get the agents out onto machines no matter what their operating system is, and it gives equitable reports back no matter what our platform is.
So far, it is one of the most interoperable applications and platforms that I have seen. There is the ease of bringing things in with the marketplace and the willingness of the company itself to work with you to help you address anything that they do not currently have.
Singularity Complete has helped free up our staff for other projects and tasks. Being new in the department for a year and a half, I am not the one to say how much time it has saved, but it has made my life easier by several hours a week. It gives me a straight line and a story for what I am looking for, so I can quickly identify whether something is to be expected and just a false positive or if it is actually a problem. Usually, when it is a problem, SentinelOne would have already mitigated it.
Singularity Complete has absolutely helped reduce alerts. It has drastically reduced alerts across the board. There is a 40% to 60% reduction. This reduction is because it is tunable. It is very tunable, and you can tweak it to meet your needs where you are not just stuck with what a manufacturer or a software developer said in terms of the alerting that you are going to get.
Singularity Complete has definitely helped reduce our organizational risk. Our risk score has gone down by 15% to 20%. We have better coverage and better insight into what is being covered.
Singularity Complete has probably saved us costs. I do not have enough insight into those budget numbers, but they keep adding things to it, so my guess is that it has saved us costs.
SentinelOne is one of our most important partners. The help that we get from their engineers, success team, and support really and truly has been unparalleled.
What is most valuable?
I am going to be a little biased because I am a Mac guy. I have been a Mac guy for twenty years, and the feature parity and the capabilities of a Macintosh agent are unparalleled in the industry. It is the first anti-malware and antivirus that does not make you feel that you bought the wrong processor. It is really good and lightweight.
What needs improvement?
It seems like they are doing a lot with their automatic updates. They can maybe slow down the actual release cycle to make it easier to deploy the most recent and then do it using the live update. They can continue to work on that because trying to get agent changes through change management platforms and get approvals and testing can be quite difficult.
For how long have I used the solution?
I have been using Singularity Complete for three years.
How are customer service and support?
I am blown away by their support. Every time I reach out to my customer service manager, they are returning questions after hours. You do not see that from a lot of companies. I would rate their support a 10 out of 10.
How would you rate customer service and support?
Positive
Which solution did I use previously and why did I switch?
We were not officially using a similar solution. We had other products that we were using, but we did not have a full solution like SentinelOne. We were using multiple things. One of them was McAfee. We switched because they got bought by Trellix, and nobody knew what was going to happen with them. That was our most recent one and what I am most experienced with.
How was the initial setup?
I was involved in its initial deployment. I packaged the Jamf mobile device management installation package for our Macs. As far as security products go, it was the easiest one. The instructions were great. They were aligned with the vendor, which is something not common. Usually, it is like, "Here is what you have to do with your vendor." SentinelOne took that extra step, and it deployed right out of the box.
We have on-premises, public cloud, and private cloud deployment. Our cloud provider is primarily AWS, but we also have a little bit with Google and Mandiant, so we have a hybrid cloud. We are in the middle of a migration. The cloud is fairly new for us, and securing it has been a priority.
We have our deployment segregated on endpoint types, but our entire organization has it.
What about the implementation team?
We did it directly on our own. We rolled it out very quickly. We had been dealing with McAfee before it, so this was like a breath of fresh air.
We had two or three people working on it, so it went out very smoothly.
What was our ROI?
I believe we have seen an ROI. If nothing else, the investment that they are making, as analysts, engineers, and architects, we feel that we can get more done in SentinelOne and have a better stance overall for our organization.
Which other solutions did I evaluate?
They evaluated a lot, but that was before I was in the department, so I do not know exactly which ones they did.
What other advice do I have?
I would advise listening to your sales engineers and letting them give you ideas because SentinelOne can do things that you have no idea about.
For next-generation platforms, it is at the top of what is a small stack right now, and that puts them ahead of a lot of other people.
I would rate it a 10 out of 10. It has been fantastic for us.
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Deputy CISO at The University of Texas at El Paso
Interoperable with great support and documentation
Pros and Cons
- "It is great for security monitoring and blocking when needed."
- "I've had some issues with the specific agents, however, we are moving off of that particular OS that we were having issues with. Other than that, it's been a pretty solid tool."
What is our primary use case?
It's our main EDR solution on campus for our university. It's the main solution that we deployed to our host throughout the university.
How has it helped my organization?
I wasn't here for the initial implementation, however, it was to replace a previous product that we had, so we wanted to move to something cleaner, easier to use, and an overall better product.
Its basic use, which is just an EDR solution for actively hunting and killing threats, is good. It does what we had intended it to do, and that's what it does a great job of.
What is most valuable?
The main feature, its EDR capabilities, is the most valuable. It is great for security monitoring and blocking when needed. It offers good basic operations of an antivirus solution.
Singularity's ability to ingest and correlate across security solutions is good. It does not ingest as much as it gives out. Right now, for us, there is not any ingesting happening for it right now. We don't have that set up.
The interoperability with other solutions or other third-party applications has been pretty solid. It's pretty standalone by itself. We're exporting a little bit of data from it, however, and we haven't had any issues.
Our mean time to detect is good. I wouldn't have the numbers on that, however, it's relatively quick. From some of the stuff that we've done investigations on, it's within the minute. It responds when it sees something within minutes and runs through its normal process of blocking and then alerting us about whatever was done.
The response comes to us. That's a human response. It's just the detection and alerting system, and then the response falls on us, and that varies depending on workload.
The quality is obviously great. They are mature. They change, they adapt as any security tool would in response to the threats in the threat landscape.
What needs improvement?
Off the top of my head, I can't think of much that’s wrong with the product. It's a pretty solid tool from top to bottom. I've had some issues with the specific agents, however, we are moving off of that particular OS that we were having issues with. Other than that, it's been a pretty solid tool.
We had a problem on the Singularity side. So for that particular issue, I’m not sure why it didn’t work with the OS, a Windows Server. It was an issue with some of the clients connecting to the console. We’ve been working with them and haven't been able to find out a single cause of failure.
For how long have I used the solution?
I've been using the solution for a year and a half.
What do I think about the stability of the solution?
We haven't had any issues. There is nothing that's noticeable and it's never offline for long periods of time.
What do I think about the scalability of the solution?
It's pretty scalable. There are a few operating systems that we've had issues with. Other than that, everything else has been pretty scalable.
How are customer service and support?
Technical support is super. They are very helpful and relatively quick to respond. Sometimes they take a little bit to respond, however, it's not super long.
The company also has good online knowledge and it's pretty helpful. Usually, we'll access the database knowledge first and then go to support.
How would you rate customer service and support?
Positive
Which solution did I use previously and why did I switch?
We used CrowdStrike previously.
How was the initial setup?
I was not involved in the initial setup.
I'm not hands-on. I'm more on the management side. Basically, we make sure that they connect, and I'll handle the management once everything's set up. I'm handling monitoring. Deployment is handled by another team. We have maybe ten team members who manage deployments.
The maintenance is minimal. It's pretty self-sufficient. We just do normal reviews.
From my point of view, the deployment is straightforward.
What about the implementation team?
We use internal teams to handle deployment.
What's my experience with pricing, setup cost, and licensing?
I'm not sure of the pricing. That's above me. I'm a technical person. It's not my arena.
What other advice do I have?
They also have this feature called Ranger. That one we don't have implemented. That's an extra fee, so we don't have it.
Overall, I'd rate the solution ten out of ten. It's been a pretty solid tool.
I would probably recommend it over some of the other ones that I've seen only based on the ease of use. It does what it's supposed to do. It's been relatively fast and is also pretty complete from what we've seen. The product is not very difficult to learn.
Which deployment model are you using for this solution?
Hybrid Cloud
Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
Soc Analyst at a retailer with 10,001+ employees
We can easily deploy the agents, have great visibility, and log correlation
Pros and Cons
- "The most valuable aspects of SentinelOne Singularity Complete are the ease of deployment with the Sentinel Agent and the enhanced visibility with Skylight, which provides correlation of logs and all endpoint data in a centralized location."
- "We often experience interruptions to our investigations in SentinelOne Singularity Complete."
What is our primary use case?
I review the data logs from each SentinelOne agent using Skylight to develop queries. We have been using Star Alerts to create custom alerts based on those rules. We also partner with their Vigilance team for 24/7 monitoring.
We implemented SentinelOne Singularity Complete to gain widespread visibility into global markets and to facilitate easy agent deployment for EDR and XDR solutions.
How has it helped my organization?
SentinelOne Singularity Complete's interoperability with other SentinelOne and third-party applications is excellent. We recently used a proof of value to integrate some of our other email products, such as Proofpoint, with SentinelOne Singularity Complete. The ease of use has been amazing. Singularity Complete has been a great data ingestion platform, and we have already gained a wealth of data that we never had access to before.
Singularity Complete's ability to ingest and correlate data across our security solutions has been effective. We can see a significant number of events from our DNS logs, firewall logs, and email tenancy. Overall, it has performed very well thus far.
We ended up getting rid of QRadar and relied heavily on Singularity Complete. Singularity Complete allowed us to deploy the SentinelOne agent on a significant number of domain controllers and collect much more information than we could with QRadar alone. We needed to purchase additional licenses to quantify the data more effectively. However, Singularity Complete provided the same if not even more enrichment because it allowed us to see a lot of things about the transitioning of IP ranges, the ingressing of traffic from different IP ranges if they are open to the internet, and who is contacting those ranges via different endpoints. Overall, Singularity Complete has provided a significant improvement in data ingestion over our previous solution of QRadar.
Overall, we have seen a quicker response time with Singularity Complete. We are able to drill down into events in a much more granular way. This allows us to respond better, correlate the information that Singularity has gathered, and come up with a definitive answer to certain questions. Because of Singularity's enrichment of the data that we currently have, we are able to answer these questions more accurately, carefully, and with more specific timestamps. Since we have some of these deployed globally, it is very important for us to get the centralized time zones correct so that we know exactly when an event occurred.
Singularity Complete has helped us reduce the number of false positives. It provides us with a wealth of data enrichment, which allows us to distinguish between normal and abnormal events in our environment. This is important because we have billions of events happening every ten minutes across our many deployed endpoints. In the past, we would waste analyst time investigating alerts that turned out to be false positives. However, with Singularity Complete, we can now quickly identify which alerts are most likely to be legitimate and prioritize those for investigation. For example, if Singularity Complete tells us that a particular event has been seen a thousand times on one endpoint but only twenty times on another endpoint, we know that the twenty occurrences on the second endpoint are more likely to be abnormal and worth investigating.
Singularity Complete has helped free up our staff's time for other projects. With all the data enrichment that Singularity Complete has provided us, we are no longer chasing false positives. We are able to set our custom Star rules so that we receive the alerts that are most relevant to our organization, rather than broad alerts that may or may not be relevant. This allows us to focus our attention on what matters most and to investigate more accurate alerts. As a result, we are able to dedicate time to other projects. Before Singularity Complete, our analysts spend two to four weeks. With Singularity Complete in place, we've seen a reduction of two to three weeks, depending on the vendor. On average, analysts now spend three to ten days analyzing logs.
Singularity Complete substantially reduced our MTTD.
Our MTTR has been substantially reduced by Singularity Complete. We are now able to respond within the hour of receiving the alert.
Singularity Complete has helped our organization save costs by eliminating the need to replace equipment infested with malware. We can now detect, remediate, and roll back malware attacks as needed, thanks to the visibility that Singularity Complete provides. We can drill down into actual alerts, not just false positives, and eradicate any malware that may be infecting our systems.
Singularity Complete has reduced our organizational risk by providing us with much broader visibility into various endpoints deployed globally. This allows us to see what is normal in our environment, rather than reacting to what may not be normal.
What is most valuable?
The most valuable aspects of SentinelOne Singularity Complete are the ease of deployment with the Sentinel Agent and the enhanced visibility with Skylight, which provides correlation of logs and all endpoint data in a centralized location.
What needs improvement?
The ingestion and correlation of data would be improved by integrating with email security solutions such as Proofpoint or our email security solution. We do not yet have a marketplace integration, so we had to build it from scratch. As a result, it has been somewhat difficult for this particular use case, but the data is available and we are able to correlate it with users, not necessarily with endpoints, but we are making progress.
We often experience interruptions to our investigations in SentinelOne Singularity Complete. It would be helpful if we could resume our search query from where we left off, even if we lose internet connectivity or the platform is caching results. This would reduce our MTTR by eliminating the need to wait for the platform to load results again. We expect some load times due to the amount of data in our environment, but the current load times are too long and sometimes produce no results. We would like to see the overall response time of the platform improved.
One area for improvement would be per-user dashboarding. This may be a permissions issue, but we currently only have organization-wide dashboards. I think per-user dashboards would be beneficial because they would allow users to focus on their specific investigations. For example, when a user opens Singularity Complete, they can see a dashboard that is tailored to their current investigation.
For how long have I used the solution?
I have been using SentinelOne Singularity Complete for three years.
What do I think about the stability of the solution?
I would rate the stability of SentinelOne Singularity Complete as a seven out of ten. We have sometimes encountered problems where queries do not load or take an abnormally long time to load, especially when we are narrowing down the search range to a fourteen-day period, which is standard for us. We have also seen queries that run for twenty minutes or so and then log us out. Additionally, the time narrowing feature, or at least the custom time slots, where we can specify a date, such as September 18, may not work depending on how we write the query. We have had to get used to the custom syntax for the time stamps. Finally, we have sometimes seen data that does not update as often as it should.
What do I think about the scalability of the solution?
We have not experienced any problems with scalability. We are able to onboard new machines, and within a day or two, we see more data populate for those machines. So far, scaling has been very helpful for us. This is one of the reasons why we wanted to onboard with Singularity Complete, to get that visibility and to get it right away.
How are customer service and support?
Most of the technical support team members I have spoken to at the level two and level three levels of support have been very helpful and willing to share resources and documents from the help portal and knowledge base articles.
How would you rate customer service and support?
Positive
Which solution did I use previously and why did I switch?
We previously used IBM Security QRadar but it did not provide the level of data ingestion we required so we switched to SentinelOne Singularity Complete.
What was our ROI?
We have seen a return on investment from SentinelOne Singularity Complete, based on our reduced time to detect and respond to threats, as well as the overall risk reduction to the organization.
What's my experience with pricing, setup cost, and licensing?
Our organization is very satisfied with SentinelOne Singularity Complete, especially compared to other options available. It is very affordable and easy to license, and it allows us to onboard new analysts quickly, with a turnaround time of one day at most.
Which other solutions did I evaluate?
We evaluated CrowdStrike, but the way their deployment platform worked would not work for our organization.
What other advice do I have?
I would rate SentinelOne Singularity Complete eight out of ten.
We just started using Ranger this week. So far, we've done small test use cases to see what our endpoints can communicate with. Ranger has identified a significant number of machines, including printers, other endpoints, and personal machines, which gives us a better understanding of our network security.
SentinelOne Singularity Complete has come a long way. I believe it used to be called Power Query or even Data Set at one time. We're currently using the Skylight portion of Singularity Complete, which is a newer addition. Compared to where it was, Singularity Complete is now leaps and bounds ahead. It's the product we use when we need a lot of raw data and the ability to customize what we're looking for in our environment. The wealth of information that we get from every endpoint with the Singularity Complete agent installed allows us to create a large number of custom rules and alerts. This saves us a lot of time, especially for our analysts, who no longer have to respond to as many false positive alerts.
We have a maintenance process in place for our custom rules and alerting. We have a dedicated team of members who are responsible for maintaining these aspects, but overall, we have not encountered any major issues that have impacted our team. A lot of this maintenance does occur outside of office hours.
With SentinelOne Singularity Complete, experiment and use it to its fullest potential, even if a mistake is made. It is a robust platform, so causing any serious damage is unlikely. Some specific features to play around with include custom roles, alerting, fields, power queries, search queries, data retention, and customized displays for the analysts. Tailoring the platform to specific needs will help get the most out of it. Singularity Complete collects a lot of data, so make sure to parse and categorize it in the most efficient way for the organization.
Which deployment model are you using for this solution?
Public Cloud
Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
CISO at a insurance company with 10,001+ employees
Excellent threat detection, easy to deploy, and helps save time
Pros and Cons
- "We have had very few false positives or false negatives, which allows our analysts to focus on their work instead of dealing with noise."
- "The endpoint firewall capability is fairly primitive and basic."
What is our primary use case?
We use SentinelOne Singularity Complete for its end-to-end detection and response capabilities.
How has it helped my organization?
We started using SentinelOne Singularity Complete because I wanted to eliminate a number of our existing first-generation tools, which were designed primarily for on-premises use cases. I wanted to move to our new set of tools, which were designed predominantly for cloud deployment and cloud infrastructure. There were two primary drivers for this decision: to reduce complexity and cost and to move to a solution that was specifically designed for our new architecture.
One of the main reasons we bought SentinelOne was for its integration capabilities. We don't have a standalone tool to supplement our overall security architecture. This includes our security data link, analytics layer, and intelligence capabilities. So that was really one of the primary reasons.
SentinelOne Singularity Complete excels at ingesting and correlating data across the security solutions that it has visibility into.
It has helped consolidate two of our security solutions.
SentinelOne Singularity Complete has helped our organization by boosting our confidence in our ability to detect and respond to the broadest range of threats, reducing noise in our security operations capability and resulting in fewer false positives than ever before.
It helped reduce our alerts by around 60 percent per day. SentinelOne Singularity Complete helped free up 20 percent of our staff's time to work on other projects.
Although I do not have data to support the claim, SentinelOne Singularity Complete should reduce MTTD. SentinelOne Singularity Complete has reduced our MTTR. It has saved us around 18 percent of our costs.
What is most valuable?
I find two features particularly valuable. First, deployment is much simpler than with other solutions with similar capabilities. Second, the fidelity of the detections is excellent. We have had very few false positives or false negatives, which allows our analysts to focus on their work instead of dealing with noise.
What needs improvement?
SentinelOne plans to integrate its endpoint agents, but the process is slow. The company has multiple agents with different functions, such as the ED Ranger, and each agent has different actual clients. Combining the endpoint agents would be a good step.
The endpoint firewall capability is fairly primitive and basic. It does not use objects and different device types to create a single object that can be easily managed. There is a significant amount of work to be done on the firewall side.
For how long have I used the solution?
I have been using SentinelOne Singularity Complete for almost seven months.
What do I think about the stability of the solution?
SentinelOne Singularity Complete is stable.
What do I think about the scalability of the solution?
SentinelOne Singularity Complete is scalable.
How are customer service and support?
Technical support has been excellent so far.
How would you rate customer service and support?
Positive
Which solution did I use previously and why did I switch?
We previously used Tanium and Symantec, two separate sets of tools. Tanium is a first-generation tool that is not specifically designed for the cloud. It requires a significant amount of manual effort to configure and manage, rather than automate these tasks. Symantec does its job, but we are essentially buying two tools to do what SentinelOne Singularity Complete can do on its own. Therefore, the switch to SentinelOne is primarily a cost-saving measure.
How was the initial setup?
The initial deployment was straightforward. The entire deployment took 16 weeks, with eight weeks spent deploying the endpoints and eight weeks spent deploying the service. A total of 20 people were required for the deployment.
What was our ROI?
We are beginning to see a return on investment in SentinelOne Singularity Complete due to the reduced number of alerts in the operations center and the high-fidelity data.
What's my experience with pricing, setup cost, and licensing?
After negotiations, the pricing was found to be fair.
What other advice do I have?
I would rate SentinelOne Singularity Complete an eight out of ten.
SentinelOne Singularity Complete is a really mature product and seems to be focused on enhancing core capability and not getting distracted by other stuff.
SentinelOne Singularity Complete is deployed across our entire estate. We have around 10,000 endpoints.
It requires maintenance, such as builds, policies, and other related tasks. We have a team of four responsible for maintenance and another three people for day-to-day operations.
They have stepped up as a strategic security partner.
I recommend organizations do a proper proof of concept with the SentinelOne Singularity Complete in their environment using their tools and their people.
Which deployment model are you using for this solution?
Hybrid Cloud
Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
Enterprise Security Architect at a recruiting/HR firm with 10,001+ employees
Single pane of glass allows us to run a lean team while protecting tens of thousands of endpoints around the world
Pros and Cons
- "SentinelOne also provides equal protection across Windows, Linux, and macOS. I have all of them and every flavor of them you could possibly imagine. They've done a great job because I still have a lot of legacy infrastructure to support. It can support legacy environments as well as newer environments, including all the latest OS's... There are cost savings not only on licensing but because I don't have to have different people managing different consoles."
- "If it had a little bit more granularity in the roles and responsibilities matrix, that would help. There are users that have different components, but I'd be much happier if I could cherry-pick what functions I want to give to which users. That would be a huge benefit."
What is our primary use case?
We use it for endpoint protection. It's an active EDR endpoint protection tool. Think of it as an antivirus and endpoint protection solution with machine learning, like McAfee on steroids.
In our company it is deployed in 83 countries and on over 40,000 workstations and servers.
How has it helped my organization?
It provides incredible visibility in a single pane of glass. The dashboard gives me visibility over all the endpoints, which are broken down by country, and then broken down within each country by brand and machine type. It provides a very simple way for me to understand if
- we're being targeted globally
- my endpoints are actively being attacked
- we have outstanding issues in any one region
- we have malicious activity.
In addition, it logs to my SIEM tool, cloud-natively, which makes it a very effective weapon to help diagnose and remediate any potential bad actors in my environment.
The Behavioral AI feature for ransomware and anti-malware protection does an outstanding job of identifying abnormal behavior patterns in my environment. Once we allowed it to sit in learning mode for about 30 days, we switched all our endpoints into what is called Protect mode, instead of Detect mode. With Protect mode, we have different functions available to us, such as kill, quarantine, identify, and rollback. Using those features, we are really able to protect our endpoints much better. We take advantage of the fact that we have a machine, or an automated process, governing our endpoint protection. That reduces the total headcount needed to babysit my environment.
Furthermore, Behavioral AI recognizes novel and fileless attacks and responds in real-time. It improves my security, reduces my total cost of ownership and management, and provides enhanced protection for what is now a highly mobile population. Due to COVID-19, we have had to take most of our workforce, and that's over 40,000 people around the world, and give them access to work remotely through a series of different mechanisms. In doing so, we felt much more comfortable because we have this endpoint protection tool deployed. It provides us not only the visibility into what the tool is doing and how it's protecting us, but it allows us to look at what applications are installed, what IP range is coming on, and what network it's sourced from.
And with Ranger we're able to help identify additional networks. Using SentinelOne with Ranger, allowed us to take a look at some of our smaller offices in Asia Pacific where we didn't have exceptional visibility.
We also use the solution’s automatic remediation and rollback in Protect mode, without human intervention. I want to protect mode for both malicious and suspicious, and that is in Protect mode. Having turned that on, we saw no negative impact, across the board, which has been an outstanding feature for us. It does save time on having to go in and identify things, because we allowed it to run in learning mode for so long. It learned our business processes. It learned what's normal. It learned file types. It learned everything that we do enough that, when I did turn that feature on, there were no helpdesk calls, no madness ensued, no people complaining that files were being removed that they needed. It worked out very well for us.
We also use the solution’s ActiveEDR technology. Its automatic monitoring of every OS process, at all times, improves our security operations greatly. There is a learning time involved. It has to learn what processes are normal. But the fact that it's actively engaged with every process—every file that moves across it, every DLL that's launched, whether or not it's automated or process-driven—everything is viewed, inspected, and categorized. And it allows us to have enhanced visibility that ties directly into the Deep Visibility. I can look at and help identify behavior patterns.
For example, yesterday I wrote a series of queries for Deep Visibility that are based on MITRE ATT&CK parameters. Those give me reports, on a daily basis, of how effective this tool really is because I can use MITRE ATT&CK engine parameters to help define what's going on. Even if something is not considered malicious behavior by the tool itself, if I take that information and couple it with information I can pull from Tanium and information I pull from other tool sets, and aggregate that into my SIEM tool, my use case is provided. I get more positive and actionable intelligence on how my endpoints are behaving. If I have somebody out there who is doing testing of software, I can pick that out of a crowd in a second.
We have application control and containers available. Since we have AWS, Azure, and a myriad of cloud platforms, it's been hugely beneficial to us. Considering that we are endeavoring, as an organization, to move into cloud-based solutions, this has been a huge benefit.
Overall, SentinelOne has absolutely reduced incident response time. It's instantaneous. It has reduced it by at least 95 percent.
I use the tool to help me determine how well my other tools are working. For example, we have a role called a RISO, a regional information security officer. Those people are responsible for regions of the globe, whether it be Latin America, Asia Pacific, or AMEA. The RISOs now use the tool because it can help them identify other tools we have rolled out, like Zscaler. They can go into the SentinelOne console and query for Zscaler and look at all the machines in their environment and determine what the delta is. It allows people with different levels of knowledge and different roles in an organization to have visibility. It's been outstanding. That, in and of itself, makes it a better tool than its counterparts and it makes it usable for non-technical and non-security people.
We get the long-term strategic benefits of having enhanced visibility and the more short-term tactical benefits of knowing that our endpoints are protected, the visibility is there, and that no matter what lands on top of it, it's going to get taken care of.
What is most valuable?
The most valuable feature of the solution is its ability to learn, the fact that once you tune it correctly, it knows how to capture and defeat malicious activity on the endpoints. It's not set-it-and-forget-it, but it does give me a much more comfortable feeling that my endpoints are secure and protected from malicious behavior.
SentinelOne also provides equal protection across Windows, Linux, and macOS. I have all of them and every flavor of them you could possibly imagine. They've done a great job because I still have a lot of legacy infrastructure to support. It can support legacy environments as well as newer environments, including all the latest OS's. The latest Mac OS X that's coming out is already supported and in test for our organization. The complete coverage of every OS that we have in our environment has been a huge benefit because I don't have to have different tools to support them. There are cost savings not only on licensing but because I don't have to have different people managing different consoles. For me, having single pane of glass visibility is incredibly important because we run a very lean team here. We are a skeleton crew governing all 83 countries. In doing so, it provides us the ability to do a lot more with a lot less.
I use the Deep Visibility feature every single day. It is outstanding because I just create hunting cases and then I can load them. I can figure out what queries I want to run and I can go digging. And with the queries that I have built for the MITRE ATT&CKs, it makes it very simple to identify something. And now that I have reporting set up based on those queries, I get emails every day.
Using Deep Visibility I have identified a threat and figured out information about it. I've also used Deep Visibility to be proactive versus reactive as far as my alerting goes. I know that SentinelOne will protect my endpoints, but there's also a case where there isn't specific malicious behavior but the patterns look malicious. And that's really what I'm writing these queries for in Deep Visibility.
Here's an example. You can do a lateral movement in an organization. You can RDP to one server and RDP to another server, depending on how your software defined perimeter is configured. Unless you do something malicious, SentinelOne will look at it, but it won't necessarily stop it, because there is no malicious activity. But I can write a query in Deep Visibility to show me things. Let's say somebody breached my secure remote access solution. With the Deep Visibility queries that are being run, I can see that that one machine may have RDPed to a server and RDPed to another server and been jumping around because they may have gotten compromised credentials. That can be reported on. It might not have been malicious behavior, but it's an activity that the reporting from Deep Visibility allows me to pursue and then do a deeper dive into it.
What needs improvement?
If they would stop changing the dashboard so much I'd be a happy man.
Also, if it had a little bit more granularity in the roles and responsibilities matrix, that would help. There are users that have different components, but I'd be much happier if I could cherry-pick what functions I want to give to which users. That would be a huge benefit.
The nice thing about SentinelOne is that I get to directly engage with their leadership at any time I want. That allows me to provide feedback such as, "I would like this function," and they've built a lot of functions for me as a result of my requests. I don't really have much in the way of complaints because if I want something, I generally tend to get it.
For how long have I used the solution?
I have been using SentinelOne for about 14 months now.
What do I think about the stability of the solution?
It's incredibly stable. We really haven't had any significant issues. There have been a couple of things here and there where certain versions of the product weren't disabling Windows Defender effectively. I think that was predicated on a GPO that we identified that had been accidentally linked and that kept turning Defender back on again. The issues were very trivial things.
How are customer service and technical support?
I talk to my TAM once a week, minimum. I think I have the best customer support in the business.
I had an issue that I raised a couple of weeks ago and within minutes I had an army of engineers working on it. By the end of the week, I had senior management calling me asking me what else I want, what else I need, and how else they could help me.
They go all-in. I have never had to wonder or concern myself with whether I will be getting adequate support? Will the support be on time? Will the support be effective and accurate? Not once, not ever.
I have such a close relationship with the team, not only the team that sold it to me but the team that supports me. We call each other on a first-name basis and we talk about how we're doing. It's that kind professional relationship. That's how good it is.
Which solution did I use previously and why did I switch?
Before, we had a mix of dozens of different solutions across the enterprise. We didn't have any one, ubiquitous solution. We had a mix of McAfee and Panda and Kaspersky. You name it, we owned a copy of it, and that didn't provide a unified field of view. It also didn't provide the best protection that money can buy and, in my opinion as a professional in this industry for 25 years, this is the best protection money can buy.
How was the initial setup?
The initial setup of SentinelOne was very simple. I packaged the executables into MSIs, including the token ID, I created a package in Tanium, and I dropped it on all the workstations. I was able to deploy it to over 40,000 endpoints in 35 days.
When you govern as much real estate as I do, meaning the number of endpoints and the number of different business units that those endpoints comprise, there had to be a deployment strategy for it. I broke it down into countries, and in each of those countries I broke into brands and I broke it into asset types, whether they be servers or workstations, whether they're mobile or localized. It's not difficult to push out there, as long as you create exclusions. I used my legacy tools in parallel with this for a month and still never faced any issues.
For any organization, if you have any kind of deployment mechanism in place, you could put your entire workforce on this and it wouldn't matter how many endpoints. If they're online and available and you have a deployment solution, you could do it in a month, easily, if not less. I could've done it much faster, but I needed to do a pilot country first. I did all the testing and validations and then, once we went into production mode, it was very fast.
What's my experience with pricing, setup cost, and licensing?
I got a really good deal so I'm very happy with the pricing.
Which other solutions did I evaluate?
I looked at everything. I looked at CrowdStrike, Cylance, Carbon Black, and I had McAfee as the largest of the incumbents. I tested them all and I validated them all and I pushed every malware virus—everything in my collection—at them. I built a series of VMs to test and validate the platform. I tested against multiple operating systems. I tested against downloads, I tested against uploads. I tested visibility. I did this entire series of tests and listed out 34 or 35 different criteria. And at the end of the day, SentinelOne came out on top.
One of the huge benefits of SentinelOne is the Full Remote Shell. That has been an incredibly useful tool for me.
Cylance came in second. It has very similar functionalities, very similar builds, but not a full remote shell. It had the single pane of glass dashboard, but the visibility I get out of SentinelOne, as well as the protection and the capability to run the Full Remote Shell pushed it over the top.
Carbon Black was nice, but I had to run two different dashboards, one cloud and one local. I couldn't get single pane of glass visibility from that.
When I tested SentinelOne against all the engines, they all pretty much found everything. Mimikatz was the deciding factor. A couple of the solutions flagged it but didn't remediate it. SentinelOne just rolled everything back as it started to discover it. It actually pulled the installer out, so that was nice.
A lot of new technologies that are out there are very similar. They are pulling from public threat feeds and other learning engines. But if you compare and contrast all the features available, SentinelOne is just going to edge everybody else out. And they're constantly evolving the product to make it more efficient and to have a smaller footprint too. When they came out with Ranger, we were still doing some network discoveries around our environment to try to figure out exactly what was still out there. That came to be a very useful tool.
It really just shines. If you compare it to everybody else there are a lot that come close, but nobody else can really quite get to the top. SentinelOne really gives you the best overall picture.
What other advice do I have?
Do your homework. I would encourage everybody, if you have the capabilities, to do what I did and test it against everything out there. If you don't have those capabilities and you want to save yourself a lot of time, just go straight to SentinelOne. I cannot imagine any organization regretting that decision. With the news stories you read about, such as hospitals under attack from malware and crypto viruses—with all the bad actors that exist, especially since the pandemic took over—if you want to protect your environment and sleep soundly at night, and if you're in the security industry, I highly encourage you to deploy SentinelOne and just watch what it's capable of.
I don't use the Storyline technology that much simply because I'm really turning this into a more automated process for my organization. An example of where we may use Storyline is when we download an encrypted malicious file. Let's say that email was sent to 500 people. If it gets through our email gateway, which is unlikely, I can not only identify those users quickly, but I can also use the Storyline to determine where it came from, how it got there, and what it was doing along the way. And while it killed it, it will tell me what processes were there. It helps us create and identify things like the hash, which we then summarily blacklist. Overall, Storyline is better for identifying what had happened along the way, but after the fact. For me, the fact that it has actually taken care of it without me having to go hunt it down all the time is the real benefit.
The only thing we don't take advantage of is their management service. We do have a TAM, but we don't have Vigilance.
For top-down administration, there's only about six of us who work with the solution. For country level administration, we have one or two in every country in those 83 countries.
We run a myriad of different front office and back office environments. SentinelOne had to learn different environments in different countries. It had to understand the business processes that are surrounding those. We did a substantial amount of tuning along the way, during the deployment. And then, of course, there are agent updates and there are considerations when you get a new EA version and are creating test groups. But, as an organization, we have reduced our total cost of ownership for our EPP platform, we have improved our visibility a hundred-fold, and we have maintained our data integrity. It really is the one end-all and be-all solution that we needed.
It's a home run. I've been doing this a long time and I've done this in over 48 countries around the world. Given what we do with this product and the visibility it has given us and the protection it has given us, I feel very comfortable with my security right now.
Which deployment model are you using for this solution?
On-premises
Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
Buyer's Guide
Download our free SentinelOne Singularity Complete Report and get advice and tips from experienced pros
sharing their opinions.
Updated: October 2024
Product Categories
Endpoint Detection and Response (EDR) Endpoint Protection Platform (EPP) Anti-Malware Tools Extended Detection and Response (XDR)Popular Comparisons
CrowdStrike Falcon
Microsoft Defender for Endpoint
Fortinet FortiEDR
Cisco Secure Endpoint
Splunk Enterprise Security
Microsoft Defender for Cloud
Fortinet FortiClient
Cortex XDR by Palo Alto Networks
Microsoft Defender XDR
IBM Security QRadar
Elastic Security
Symantec Endpoint Security
Trend Micro Deep Security
Buyer's Guide
Download our free SentinelOne Singularity Complete Report and get advice and tips from experienced pros
sharing their opinions.
Quick Links
Learn More: Questions:
- What is the biggest difference between Carbon Black CB Defense, CrowdStrike, and SentinelOne?
- Which is better - SentinelOne or Darktrace?
- What do you recommend to choose when replacing Symantec EDR: SentinelOne or CrowdStirke Falcon?
- Cortex XDR by Palo Alto vs. Sentinel One
- Which solution do you prefer: CrowdStrike Falcon or SentinelOne Singularity Complete?
- Does SentinelOne have a Virtual Patching functionality?
- What is the biggest difference between EPP and EDR products?
- What is the difference between EDR and traditional antivirus?
- What is your recommendation for a 5-star EDR with low resource consumption for a financial services company?
- Which is the best EDR for a logistics company with 500-1000 employees?
I'm delighted to report that we have now released Fully Customizable RBAC Roles. Thanks again for your feedback!