Try our new research platform with insights from 80,000+ expert users
Information Security Engineer II at a recreational facilities/services company with 1,001-5,000 employees
Real User
Top 20
Level of detection and visibility we get have vastly improved, and fewer alerts means more time for other work
Pros and Cons
  • "The deep visibility is a valuable feature. I can use it during threats or alert signals that we get. I can also use it when we have alert signals from other security tools that we have."
  • "My biggest complaint is that when you're logged into the console there is the Help section where you can review all the documentation. But when you log in to the support portal, there is documentation there as well. They need to sync those two into one place so that I don't have to search in two different locations for an answer."

What is our primary use case?

It is an all-in-one agent on multiple operating systems that can detect malicious and suspicious activities. You can also use it to respond to different threat signals that you get from the platform.

There are multiple engines that run different types of detection, such as behavioral-type activities, that it can detect. It can also detect malicious activity based on a hash. It's a pretty great tool.

How has it helped my organization?

Overall, the level of detection and visibility we get have vastly improved, and that means the protection for our company has improved likewise.

Singularity has helped reduce the number of alerts we get. We were using FireEye at one point, and it was producing a ton of false positives. We have seen a major reduction in false positives, and that has saved our team's time. We have time to do other projects now.

In my previous company, we were using a Cisco product, and there was a ton of time wasted. Out of a 40-hour week, about eight to 10 hours were wasted, and with Singularity, we were able to get back about nine of those hours. Obviously, there are alerts coming in, and you have to investigate them, but the number was greatly reduced. In my current company, about 15 hours a week were wasted with false positives and wild goose chases and alerts. Now, we may put an hour into investigations. The great thing about SentinelOne is that you can get right down to what's going on with the events and deep visibility. It has saved us around 12 to 14 hours a week.

It's pretty quick when it comes to time to detect because you're right on the endpoint. Some agents have a delay in terms of when they report back to a console or a reporting server, but with SentinelOne, it seems that the agent is talking to the console right away. There isn't a huge delay.

Our mean time to respond is also very quick once we see the threat come in. It depends on the policy that is in place and the type of threat. If it is something suspicious, which we don't always have a set response for with the platform, we are able to easily look at what's going on a couple of minutes before the threat and what comes after. We can see the artifact on the endpoint, what is executed and what the user was probably doing. That means we're able to respond really quickly with all that visibility.

When it comes to cost savings, in the first company where I used SentinelOne, man-hours were saved, and it was cheaper to use SentinelOne than the Cisco product.

One use case where we've reduced risk has been due to users using something risky. They were trying to use an application that's like a keylogger. We've blocked it, and we've also created a rule using a star to detect when people are trying to use it. We have also set up rules to detect downloads of risky software, and that's protecting us too. It's protecting us from risk, but there's not a lot of reduction other than some protections and blacklists.

What is most valuable?

The deep visibility is a valuable feature. I can use it during threats or alert signals that we get. I can also use it when we have alert signals from other security tools that we have. I can use the SentinelOne platform to dive into those, even though there's no alert from SentinelOne, and zero in with a timestamp using its deep visibility to look at an endpoint and see if there's anything going on that might be correlated to a threat.

And Singularity's interoperability with other solutions has been a major bonus. You can put exclusions in place for other security platforms. For example, if you're using Symantec, you could easily put in an exclusion for that. The way that you can put them in, with the scope and the different groups, is really great. Singularity also provides pre-baked exclusions for interoperability with other pieces of equipment. For instance, for Microsoft SQL Servers, it already has pre-baked exclusions that you can put in for interoperability. It's far beyond the other platforms that I was using before.

In terms of ingestion, it's definitely taking in a lot of information at the endpoint level. You still need a human to do some of the correlation of the activities. The SentinelOne platform is looking at the endpoint, but you still need a human on the other end to analyze what the human at the other end of the endpoint was doing. But overall the solution does pretty well at correlating activities. I have seen some serious threats come in, and it definitely detects them right away with a pretty good correlation to the threat.

What needs improvement?

During my use of it over the years, they've been continuously improving it.

My biggest complaint is that when you're logged into the console there is the Help section where you can review all the documentation. But when you log in to the support portal, there is documentation there as well. They need to sync those two into one place so that I don't have to search in two different locations for an answer.

And I'm on the fence about whether to keep the agents a little bit longer than they do, before they go end-of-support. That might be an improvement, but I'm not positive about that.

Buyer's Guide
SentinelOne Singularity Complete
October 2024
Learn what your peers think about SentinelOne Singularity Complete. Get advice and tips from experienced pros sharing their opinions. Updated: October 2024.
816,406 professionals have used our research since 2012.

For how long have I used the solution?

I have been using SentinelOne Singularity Complete for about four years.

What do I think about the stability of the solution?

Uptime is all the time. 

I've only had one experience where there was a disconnect between the agents and the console. It was pretty brief, but that is when I opened a case with support. I had never seen that before, so the uptime is awesome. It's up 99.9 percent of the time.

What do I think about the scalability of the solution?

It's very scalable. We are working on a special project, in which we want to set up a lab for a special event. I talked with our support, and they said we could set up another site. It's really scalable.

How are customer service and support?

As I mentioned, I recently had a case because there were a lot of agents offline for a moment. Their support responded within one minute. That was an outlier. Every other case that I've opened up with them has not been a priority-one issue, but they usually respond within about five to 10 minutes, and they have been really great. I have not had an issue yet with support.

Everyone I've worked with in support is awesome. They always have the answers. Even if it's a complex issue, we usually get right down to it. I'm really happy with support.

How would you rate customer service and support?

Positive

Which solution did I use previously and why did I switch?

I have used it in two different workplaces. Both workplaces were replacing platforms that just did not perform well and did not give you good visibility into what was going on on the endpoints. Both had a higher rate of false positives, and neither had the various detection engines that SentinelOne provides.

How was the initial setup?

I was involved in the initial deployment of the solution in my previous place of employment and it was straightforward. It was only made complex by our own IT department.

There is a little maintenance. I check on a daily basis because you can build out multiple groups. When a new agent is deployed, I have it start off in a specific group to get the agent installed, and then it does a full disk scan. There is a little maintenance—and maybe no one else does this—but I log in and check for new systems. Once they have their full disk scan completed, I'll move them over to the production policy. You could do that on a weekly basis but I do it daily. The morning maintenance is less than five minutes for me, and you could definitely do that weekly as well.

What about the implementation team?

I did it mostly by myself. I had another engineer working with me but that was it. It's really easy, a no-brainer. And that was for about 1,200 endpoints

What was our ROI?

I'm not a manager, but the return on investment may be in saving man hours.

What's my experience with pricing, setup cost, and licensing?

When we were checking out different platforms we did get a price from Microsoft and it was unreasonable. SentinelOne was definitely reasonable and worth the money.

Which other solutions did I evaluate?

I've used several different platforms. We had a demo of the Carbon Black EDR, and I've used the FireEye EDR, Symantec, and Cisco.

We did a comparison between CrowdStrike, Carbon Black, and looked at Microsoft's EDR products.

What other advice do I have?

As far as consolidation of security solutions goes, I have some suggestions for my leadership. I think we can definitely consolidate. For instance, we have a certain network segmentation where we have multiple security tools, including the SentinelOne agent and other agents on the devices. These devices are lower-end systems that don't have super-high specs like you might have on a power user's PC. In that area, we could eliminate one of the security agents and leave the SentinelOne agent. We would be covered in several different areas, such as FIM. I could create a custom rule to watch a certain configuration file, and if it changed, we would receive an alert. You can definitely use it to consolidate. Although we haven't done that yet, we're going to start because it's possible with the SentinelOne.

I believe we could save money by reducing the number of agents on those endpoints. If you walk that back to the yearly cost when we buy licenses, we should be able to save money on licensing for the other agent that we're using.

SentinelOne is very mature as an EDR platform. I would definitely put it in my top two. Across the breadth of everything I've dealt with using SentinelOne, even support, it's definitely top-two and you should check it out. I don't have a bad thing to say about it.

You definitely have to check out SentinelOne. They are firing on all cylinders for multiple areas that you want to consider when buying a tool like this. They're at 100 percent. When it comes to visibility, they present the information so that it's easy to read and understand. Responding is really easy to do. Support, which is a big factor nowadays, has faltered at some companies over the past four years, but support from SentinelOne has been awesome. Put SentinelOne in your PoCs. If you're looking at a couple of companies, you have to look at SentinelOne.

SentinelOne as a provider is a major player in hardening the protection of our environment.

Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
PeerSpot user
reviewer2082525 - PeerSpot reviewer
IT Manager at a construction company with 51-200 employees
Real User
Top 5
It's an innovative platform that addresses issues automatically
Pros and Cons
  • "SentinelOne has improved the overall security posture of the firm without creating a lot of hassle for our end users. Everything is a bit more secure. We think Singularity Complete has helped us reduce our organizational risks."
  • "I rate Singularity Complete a seven out of ten for affordability. It's more expensive than our previous solution, but it does its job well. At the same time, there is some room for improvement. Cheaper is always better."

What is our primary use case?

We use Singularity Complete as our EDR software. It's replacing our old antivirus solution. It covers about 80 endpoints. 

How has it helped my organization?

SentinelOne has improved the overall security posture of the firm without creating a lot of hassle for our end-users. Everything is a bit more secure. We think Singularity Complete has helped us reduce our organizational risks. 

What is most valuable?

SentinelOne detects threats automatically and performs the remediation itself, so we don't need to constantly look at the logs. It reduces the meantime to respond because it automatically responds to the detected threats.

For how long have I used the solution?

We started using SentinelOne Singularity at the start of this year, so it has been nearly seven months.

What do I think about the stability of the solution?

I have had no stability issues so far. 

What do I think about the scalability of the solution?

We only started using it at the beginning of this year, so the number of users has stayed the same. I have no experience scaling it up, but it's easy to add more devices to the platform. I don't foresee having any problems with scalability.

How are customer service and support?

We receive technical support from our partner, so I have no experience with SentinelOne support. 

Which solution did I use previously and why did I switch?

We previously used Bitdefender as our antivirus solution. We switched to SentinelOne because we wanted to improve the overall security of our endpoints. SentinelOne offers more advanced and comprehensive protection than a traditional antivirus solution.  

How was the initial setup?

We contracted with a partner to deploy SentinelOne, so I wasn't involved in the deployment. Our partner also handles the maintenance.

What was our ROI?

SentinelOne is more expensive than our previous tool, but we're hoping to see a return by saving money on recovering from some kind of incident.

What's my experience with pricing, setup cost, and licensing?

I rate Singularity Complete a seven out of ten for affordability. It's more expensive than our previous solution, but it does its job well. At the same time, there is some room for improvement. Cheaper is always better.

Which other solutions did I evaluate?

Though Microsoft's solution was suggested, we only seriously considered SentinelOne. That was the one that stood out during research. Also, I heard from my peers that it was the best one, so I didn't look at other options.

What other advice do I have?

I rate SentinelOne Singularity Complete a nine out of ten. I recommend it. SentinelOne works as advertised. It's an innovative solution, but it's hard for me to compare it to other products because I don't have much security expertise. It's a mature solution that has no bugs that I've experienced. I have confidence in it.

Which deployment model are you using for this solution?

Public Cloud
Disclosure: I am a real user, and this review is based on my own experience and opinions.
PeerSpot user
Buyer's Guide
SentinelOne Singularity Complete
October 2024
Learn what your peers think about SentinelOne Singularity Complete. Get advice and tips from experienced pros sharing their opinions. Updated: October 2024.
816,406 professionals have used our research since 2012.
reviewer1083027 - PeerSpot reviewer
Information Security & Privacy Manager at a retailer with 10,001+ employees
Real User
By using the Deep Visibility feature, we found some previously unknown persistent threats
Pros and Cons
  • "The Deep Visibility feature is the most useful part of the EDR platform. It gives us good insights into what is actually happening on the endpoints, e.g., when we have malicious or suspicious activity. We came from a legacy type AV previously, so we didn't have that level of visibility or understanding. For simplifying threat-hunting, it is extremely useful, where traditional techniques in threat hunting are quite laborious. We can put in indicators of compromise and it will sweep the environment for them, then they would give us a breakdown of what assets have been seen and where they have been seen, which is more of a forensics overview."
  • "The role-based access is in dire need of improvement. We actually discussed this on a roadmap call and were informed that it was coming, but then it was delayed. It limits the roles that you can have in the platform, and we require several custom roles. We work with a lot of third-parties whom we rely on for some of our IT services. Part of those are an external SOC function where they are over-provisioned in the solution because there isn't anything relevant for the level of work that they do."

What is our primary use case?

Our use cases are for client and server visibility in our enterprise and operational technology environments, as EPP and EDR solutions.

How has it helped my organization?

Traditionally, we have had an open policy on endpoints in terms of what has actually been installed. We don't really centrally manage the application. So, we have had a sort of dirty environment. Now that we have SentinelOne with its advanced capabilities, this has enabled us to detect and categorize unwanted applications. It has given us a good foothold into the area of inventory management on endpoints when it comes to our applications as well.

One of the main selling points of SentinelOne is its one-click, automatic remediation and rollback for restoring an endpoint. It is extremely effective. Everything is reduced, like cost and manpower, by having these capabilities available to us.

What is most valuable?

The Deep Visibility feature is the most useful part of the EDR platform. It gives us good insights into what is actually happening on the endpoints, e.g., when we have malicious or suspicious activity. We came from a legacy type AV previously, so we didn't have that level of visibility or understanding. For simplifying threat-hunting, it is extremely useful, where traditional techniques in threat hunting are quite laborious. We can put in indicators of compromise and it will sweep the environment for them, then they would give us a breakdown of what assets have been seen and where they have been seen, which is more of a forensics overview.

From a forensics point of view, we can see exactly what is going on with the endpoint when we have threats in progress. It also gives us the ability to react in real-time, if it has not been handled by the AI. We have set the policy to protect against unknown threats, but only alert on suspicious ones. 

The Behavioral AI feature is excellent. It is one of the reasons why we selected SentinelOne. We needed a solution that was quite autonomous in its approach to dealing with threats when presented, which it has handled very well. It has allowed us to put resources into other areas, so we don't need to have someone sitting in front of a bunch of screens looking at this information.

The Behavioral AI recognizes novel and fileless attacks, responding in real-time. We have been able to detect several attacks of this nature where our previous solution was completely blind to them. This has allowed us to close gaps in other areas of our environment that we weren't previously aware had some deficiencies.

The Storyline technology is part of our response matrix, where you can see when the threat was initially detected and what processes were touched, tempered, or modified during the course of the threat. The Storyline technology's ability to auto-correlate attack events and map them to MITRE ATT&CK tactics and technique is very effective. By getting that visibility on how the attack is progressing, we can get a good idea of the objective. When we have the reference back to the framework, that is good additional threat intelligence for us.

Storyline automatically assembles a PID tree for us. It gives us a good framing of the information from a visibility standpoint, so it is not all text-based. We can get a visualization of how the threat or suspicious activity manifested itself.

The abilities of Storyline have enabled our incident response to be a lot more agile. We are able to react with a lot greater speed because we have all the information front and center.

The solution’s distributed intelligence at the endpoint is extremely effective. We have a lot of guys who are road warriors. Having that intelligence on the network to make decisions autonomously is highly valuable for us.

What needs improvement?

The role-based access is in dire need of improvement. We actually discussed this on a roadmap call and were informed that it was coming, but then it was delayed. It limits the roles that you can have in the platform, and we require several custom roles. We work with a lot of third-parties whom we rely on for some of our IT services. Part of those are an external SOC function where they are over-provisioned in the solution because there isn't anything relevant for the level of work that they do.

For how long have I used the solution?

We have used it for around 10 to 11 months.

What do I think about the stability of the solution?

In the 11 months that we have had it, we have only had one problem. That was related back to a bug on the endpoint agent. So. it is very stable when I compare it to other platforms that I have used, like McAfee, Symantec, and Cylance.

Being a SaaS service, they take care of all the maintenance on the back-end. The only thing that we have to do is lifecycle the agents when there is a new version or fixes. So, it is very minimal.

What do I think about the scalability of the solution?

It is highly scalable. It is just a case of purchasing more licensing and deploying agents.

We have three global admins, myself included, with about 10 other administrators. Primarily, the way that we are structured is we have a client team and a server team. So, we have resources from each geographical region who have access to the solution to police their own environment on a geographical basis. So, we have three global admins, then everybody else just has a sort of SoC-based level functionality, which goes back to the custom role issue because this is too much access. 

How are customer service and technical support?

The technical support is very good. My only criticism is they are not very transparent when they are giving you a resolution to a problem. We have had several cases where we have had a problem that we have been given the fix for it. However, when we asked for background information on the actual problem, just to get some more clarity, it is very difficult to get that. I don't know if it's relative to protecting the information regarding the platform or a liability thing where they don't want to give out too much information. But, in my experience, most vendors when you have a problem, they are quite open in explaining what the cause of the issue was. I find SentinelOne is a bit more standoffish. We have gotten the information in the end, but it is not an easy process. 

When responding to fixing a problem, they are excellent. It is any of the background information that we are after (around a particular problem) that we find it difficult to get the right information.

Which solution did I use previously and why did I switch?

We were previously using Trend Micro Deep Security. The primary reason why we switched was that it is rubbish. It is a legacy-based AV. We had a lot of problems functionality-wise. It was missing a lot of things, e.g., no EDR, no NextGen capabilities, and it had interoperability problems with our Windows platform deployments. So, there was just this big, long list of historical problems.

We specifically selected SentinelOne for its rollback feature for ransomware. When we started looking into securing a new endpoint solution about 24 months ago, there was a big uptick in ransomware attacks in the territory where I am based. This was one of the leading criteria for selecting it.

How was the initial setup?

The initial setup is extremely straightforward. The nature of the platform has been very simplistic when it comes to configuring the structure for our assets and policies. Several other platforms that I have worked with are quite complex in their nature, taking a lot of time. We were up and running within a day on the initial part of our rollout. For the whole organization, it took us about 30 days to roll out completely in five different countries across roughly 20,000 endpoints. 

Behavioral AI works both with or without a network connection. We tested it several times during procurement. It can work autonomously from the network. One of our selection criteria was that we needed it to be autonomous because we have air gapped environments. Therefore, we can connect, install, or disconnect, knowing that we have an adequate level of protection. This mitigates certain risks from our organization. It also gives us good assurance that we have protection.

We had a loose implementation strategy. It was based on geography and the size of the business premises in each country. We started with our administration office, but most of our environment is operational technology, e.g., factories and manufacturing plants.

What about the implementation team?

We did the deployment ourselves, but we had representation from the vendor in the form of their security engineer (SE). We did the work, but he gave us input and advisories during the course of the deployment.

Three of us from the business and one person from Sentinel (their SE) were involved in the deployment of SentinelOne.

What was our ROI?

We saw a return of investment within the first month.

On several occasions, we found some persistent threats that we wouldn't have known were there by using the Deep Visibility feature.

The solution has reduced incident response time by easily 70 percent.

The solution has reduced mean time to repair by probably 40 to 50 percent. This has been a game changer for us.

Analyst productivity has increased by about 50 percent.

What's my experience with pricing, setup cost, and licensing?

We are on a subscription model by choice. Therefore, we are paying a premium for the flexibility. We would have huge cost savings if we committed to a three-year buy-in. So, it's more expensive than the other solutions that we were looking at, but we have the flexibility of a subscription model. I think the pricing is fair. For example, if we had a three-year tie-in SentinelOne versus Cylance or one of the others, there is not that much difference in pricing. There might be a few euro or dollars here and there, but it's negligible.

Which other solutions did I evaluate?

We evaluated:

  • Microsoft Defender for Endpoint
  • Cisco AMP for Endpoints
  • CylancePROTECT
  • Apex One, which is Trend Micro's NextGen platform.

The main differentiator between SentinelOne has been ease of use, configuration, and performance. It outperformed every single one of the other solutions by a large margin in our testing. We had a standardized approach in tests, which was uniform across the platforms. Also, there is a lot of functionality built into SentinelOne, where other vendors offered the additional functionality as paid add-ons from their basic platforms.

During our evaluation process, SentinelOne detected quite a lot of things that other solutions missed, e.g., generic malware detection. We had a test bed of 15,000 samples, and about 150 were left for SentinelOne. What was left was actually mobile device malware, so Android and iOS specific, fileless attacks, and MITRE ATT&CKs. SentinelOne performed a lot stronger than others. Cylance came second to SentinelOne, even though they were 20 percent more effective in speed and detection. The gulf was so huge compared to other solutions.

SentinelOne's EDR is a lot more comprehensive than what is offered by Cylance. They are just two different beasts. SentinelOne is a lot more user-friendly with a lot less impactful on resources. While I saw a lot of statistics from Cylance about how light it is, in reality, I don't think it is as good as the marketing. What I saw from SentinelOne is the claims that they put on paper were backed up by the product. The overall package from SentinelOne was a lot more attractive in terms of manageability, usability, and feature set; it was just a more well-rounded package.

What other advice do I have?

Give SentinelOne a chance. Traditionally, a lot of companies look at the big brand vendors and SentinelOne is making quite a good name for itself. I have actually recommended them to several other companies where I have contacts. Several of those have picked up the solution to have a look at it.

You need to know your environment and make sure it is clean and controlled. If it's clean and you have control, then you will have no problems with this product. If your environment isn't hygienic, then you will run into issues. We have had some issues, but that's nothing to do with the product. We have never been really good at securing what is installed on the endpoint, so we get a lot of false positives. Give it a chance, as it's a good platform.

I would give the platform and company, with the support, a strong eight or nine out of 10.

Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
PeerSpot user
Rick Bosworth S1 - PeerSpot reviewer
Rick Bosworth S1Cloud Security (CNAPP, CSPM, CWPP) at SentinelOne
Top 20Real User

Thank you for your patience.  I'm happy to report that today we released fully custom RBAC roles as generally available.  Again, thank you for your feedback and continued patronage.  If ever I may be of service, I am not difficult to find online.

See all 2 comments
Prateek Parashar. - PeerSpot reviewer
Cyber Security Administrator at a manufacturing company with 501-1,000 employees
Real User
Top 10
Helps consolidate security solutions, reduce alerts, and free up staff time
Pros and Cons
  • "The most valuable features are asset tracking, patching, endpoint tagging, and policy updates."
  • "While SentinelOne Singularity Complete effectively visualizes security data across our solutions, requiring extensive manual effort for analysis limits its effectiveness. I would therefore rate it a seven out of ten."

What is our primary use case?

We initially implemented SentinelOne Singularity Complete to streamline application installation and patching across our extensive network of over a thousand systems. Managing individual systems has become increasingly challenging. While the platform provided initial visibility during the first attack, its usefulness in further investigation proved limited.

How has it helped my organization?

SentinelOne Singularity Complete boasts good interoperability.

It has helped consolidate some of our security solutions.

While the number of security alerts we receive has been successfully reduced, it has occasionally missed some threats. To address this, we have implemented Microsoft Defender alongside SentinelOne for additional protection. This layered approach has identified several malware incidents that SentinelOne, due to its limitations at the kernel level, did not detect.

SentinelOne Singularity Complete has to an extent helped free up our staff time to focus on other tasks. In conjunction with Defender and Automox 60 to 70% of time has been saved.

Our mean time to detect has been successfully reduced by 70%.

SentinelOne Singularity Complete has reduced our mean time to respond to threats it detects by providing informative feedback from malware reviews.

Our costs have been reduced because we use it daily.

SentinelOne Singularity Complete has reduced our organization's risk by 80%.

What is most valuable?

The most valuable features are asset tracking, patching, endpoint tagging, and policy updates.

What needs improvement?

While SentinelOne Singularity Complete effectively visualizes security data across our solutions, requiring extensive manual effort for analysis limits its effectiveness. I would therefore rate it a seven out of ten.

The pricing has room for improvement.

For how long have I used the solution?

I have been using SentinelOne Singularity Complete for two years.

What do I think about the stability of the solution?

I would rate the stability of Singularity Complete eight out of ten.

What do I think about the scalability of the solution?

I would rate the scalability of Singularity Complete a seven out of ten because of the integrations they have with third-party groups.

How are customer service and support?

The technical support is quick to respond.

How would you rate customer service and support?

Positive

Which solution did I use previously and why did I switch?

We previously used Automox only for device management, not as a complete EDR.

What's my experience with pricing, setup cost, and licensing?

SentinelOne Singularity Complete's price point is excessive compared to the functionality it provides.

Which other solutions did I evaluate?

SentinelOne Singularity Complete's longevity in the market may have created an inflated perception of its capabilities. While it was once considered a leading tool, comparisons with newer solutions like Automox, Cynet, and Fortinet reveal a lack of active use cases and functionalities offered by these competitors.

What other advice do I have?

I would rate SentinelOne Singularity Complete eight out of ten.

I haven't observed significant innovation from SentinelOne Singularity Complete lately. Other than obtaining the database, I haven't noticed any new features or third-party integrations being introduced. This leads me to believe that there may not be a high level of ongoing innovation at the moment.

SentinelOne Singularity Complete is deployed across thousands of instances and endpoints in different countries across multiple offices in Europe.

The only maintenance required is for updates to the endpoints.

While SentinelOne offers valuable security protection, it may not be sufficient as a standalone solution. Relying solely on Singularity Complete for a week-long absence might leave our system vulnerable to threats that other Endpoint Detection and Response solutions could identify.

Which deployment model are you using for this solution?

Public Cloud

If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?

Google
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Flag as inappropriate
PeerSpot user
Security Architect at WaveLength Ind
Real User
Top 5
Effectively prevents vulnerable devices from being compromised by isolating their network traffic
Pros and Cons
  • "The most valuable feature is the ability to drill down into individual sequences of processes."
  • "I encountered issues running Singularity Complete alongside other machine-learning tools."

What is our primary use case?

We use SentinelOne Singularity Complete to detect and respond to "unknown unknowns," which are threats that haven't been previously identified. Our process involves monitoring for any unusual activity or deviations from typical program behavior. This includes analyzing parent and child processes to ensure they're loading correctly and not communicating with unauthorized external servers for remote execution.

For example, I encountered a phishing email that triggered an investigation. Fortunately, Singularity Complete offers an event log feature that allows me to analyze the incident. The tool's built-in Advanced Detection Analytics functionality helped me identify the downloaded file, and its access time, and track its interactions with applications, including attempted installations. Furthermore, Singularity Complete boasts a rollback capability, enabling me to revert to a safe state before the malicious activity occurred. I've utilized this feature successfully for several clients.

In addition to Singularity Complete's event log and rollback functions, it excels in antivirus detection. It effectively identified even sophisticated threats like the MimiKatz attack, which attempts to escalate user privileges in Linux and Windows systems. The tool's signature-based detection proved valuable in this instance.

How has it helped my organization?

Automating threat resolution has significantly improved our security operations. On average, I scan around forty million files, and the detection rate has been quite good.

The integration capabilities significantly enhance my existing security environment. It is a night and day difference compared to CylanceOPTICS by BlackBerry, which I used previously. While CylanceOPTICS was good, it relied on an algorithmic approach that flagged millions of potential threats, resulting in some false positives that needed manual analysis and training. SentinelOne, on the other hand, leverages eleven different engines simultaneously, including AI, machine learning, heuristics, and dynamic and static scans. This comprehensive approach offers robust protection, and if something falls through the cracks, it can consult a cloud database for the latest threat intelligence. Beyond its detection capabilities, SentinelOne offers exceptional visibility and control. I can easily investigate events at any time, like tracking who accessed Yahoo Finance within my organization across specific timeframes. The global tenancy feature empowers me to apply scans and threat signatures across different segments or even my entire network, ensuring consistent protection. The more I explore SentinelOne's features, the more impressed I am. It's incredibly powerful and versatile, offering a level of security and control that far surpasses my previous solution.

The interface is user-friendly, but there's a learning curve due to its extensive capabilities. Navigating for someone unfamiliar with threat hunting can be challenging as they may need to explore every option. However, some features have tooltips explaining their function when hovered over.

Accessing the knowledge base often requires a partnership with the company. While I lack this access, my distributor provided the comprehensive admin guide.

Ranger is an excellent feature for threat scanning. While alternative pen testing tools like Digital Defense exist, Ranger offers a unique advantage. It utilizes SentinelOne agents as probes within the network, allowing scans for irregular connections and identifying devices without the agent. This provides a comprehensive view of potential vulnerabilities. Imagine we decide to deny access to certain devices. In that case, every agent with those policies implemented, throughout our network, would individually isolate their traffic. This isolation prevents communication with the rogue devices. Consequently, even if one of those devices harbors a threat, it's unable to move laterally within the network. All other devices, recognizing it as unauthorized, will refuse to communicate with it.

Ranger requires no additional agents, hardware, or network modifications. It's essentially a built-in feature of the existing agent. Therefore, if we have the module, we already possess the capability. Activation can be done remotely through the cloud. So, when we decide to upgrade to Singularity Complete, they'll offer us the option of adding Ranger Plus. If we agree, a small additional fee, typically around a few dollars, will be applied per client. While it might seem a bit pricey, considering the value it provides, I believe it's worth the investment. It translates to roughly five dollars per client. For instance, with 50 machines, the monthly cost would be $250. In my experience, it hasn't significantly increased my expenses. There might be a slight increase, but I haven't noticed any substantial impact.

SentinelOne Ranger effectively prevents vulnerable devices from being compromised by isolating their network traffic. This feature is just one of many within the SentinelOne platform, which includes a built-in router and firewall integrated directly into the agent. This integration allows for seamless compatibility with Windows firewalls and offers granular control over network traffic. For example, Ranger enables modification of the firewall's IP stack, granting the ability to isolate specific traffic based on defined rules. This can be particularly useful for segregating vulnerable devices and preventing their communication. While not recommended for general use, advanced users can leverage SentinelOne's Singularly Complete feature on, for example, a VMware server to further isolate vulnerable devices. By running the client software on a separate network from the server, administrators can block unauthorized traffic based on Ranger's or the agent's identification. This effectively isolates the vulnerable device, even if it's compromised since it lacks any incoming network traffic. The server acts as a default gateway, filtering and controlling all incoming traffic.

Singularity Complete can help reduce alerts when a threat is identified and a solution is implemented. However, if a threat is known but no solution is available, using Singularity Complete might increase alerts. This is because suppressing alerts for a known threat without addressing it can create a false sense of security. While Singularity Complete allows manual blacklisting of threats, it cannot import large lists of threats from spreadsheets in one go, a feature available in CylanceOPTICS. This can be time-consuming for dealing with many threats. Overall, Singularity Complete has improved in its alert management, but it remains average compared to competitors. While detection is excellent, the alerting system still requires some refinement.

As a threat detector, I perform threat analysis to quickly identify threats. This has significantly reduced the time I spend on analysis, allowing Singularity Complete to free up about 30 percent of my time for other tasks.

Singularity Complete has achieved a 15 percent reduction in our mean time to detection. This efficiency gain is powered by eleven different detection engines running concurrently, ensuring comprehensive identification of potential threats.

Singularity Complete can reduce our mean time to respond by providing a clear path to the root cause of an attack. However, it doesn't always do this, and sometimes further investigation is necessary. Nevertheless, the tool significantly speeds up the process of identifying the root cause. For example, imagine the timeline indicates a suspicious file was executed. We can use Singularity Complete to find out when it last ran in our environment, even if it wasn't detected on the same day. If the threat appeared recently but the file ran a month ago, it suggests a potential Trojan was planted. This prompts further investigation into how the file arrived on the system. It could have been introduced through a USB drive, email attachment, copied file, or existing on a network share. While Singularity Complete won't explicitly state the location like "Share five," it will provide a hash that can often lead us to the network path.

Singularity Complete helps manage costs by eliminating the need for additional products with overlapping functionality. This saves us thousands of dollars per month on full scans, as our existing agent already possesses that capability. By deploying it across all organizational agents and enabling Ranger, we can conduct daily scans that provide comprehensive insights into our network activity.

Singularity Complete has helped reduce our organizational risk. However, it's important to remember that no system is foolproof. While I haven't experienced a security breach since installing it, I deliberately expose some machines to potential threats to test and observe new attack techniques. To strengthen our security posture, I've implemented additional measures. Some machines have less aggressive scan and detection settings to simulate vulnerabilities and observe attacker behavior. Additionally, our network is layered, with weaker points that serve as honeypots, while critical systems are protected by stricter security protocols. Beyond Singularity Complete, we utilize Palo Alto Networks and FortiGate firewalls for further protection. Ultimately, the decision to invest in additional scanning capabilities depends on the cost and our overall security strategy.

What is most valuable?

The most valuable feature is the ability to drill down into individual sequences of processes. This allows for building a highly detailed timeline of events, which is incredibly helpful. Additionally, the quality of the intelligence provided is excellent, making it difficult to choose between the two. The solution effectively reveals the attacker's tactics, including the mechanism or injection method used, how they exploit vulnerabilities and their use of decoys or misdirection tactics like dequay attacks. They may target one area initially, then shift focus to another, potentially planting seeds for future attacks. Overall, the timeline, intelligence, and overall capabilities of SentinelOne Singularity Complete are highly impressive.

Everything operates in real-time, allowing us to conduct in-depth analysis to uncover previously unknown threats. This capability stems from the use of dynamic libraries, which enable flexible code execution. The key concept here is the ability to pivot within an application. We can dissect and analyze this pivoting behavior, which is a rare feature among software solutions. Additionally, the system allows us to create our custom signatures. By identifying a threat and performing a global search, we can locate other instances of the same threat across our network and establish correlation points. Subsequently, we can create a signature based on a unique identifier (story ID) and integrate it into the initial login scan. This enables us to proactively detect and respond to any attacks that utilize that specific signature, making it a powerful tool for threat prevention.

What needs improvement?

The uninstallation process for the SentinelOne agent could be improved. While it is currently possible to uninstall through the console, it can be more complex if registry modifications are required. Streamlining this process, especially for users with console access, would be a valuable improvement.

I encountered issues running Singularity Complete alongside other machine-learning tools. The program uses hooks, which we configure through a whitelist to specify allowed functionalities for each app. However, I've observed compatibility problems with certain applications. This seems to stem from my limited access to information from those companies, hindering the creation of effective hooks.

For example, an external scanner's EXE file might not provide hooks for features like memory protection or script locking, potentially conflicting with SentinelOne's capabilities. In my experience, Singularity Complete doesn't always play well with others. While it coexists with Kaspersky's detection without issue, enterprise AI solutions employing algorithmic scans or pre/post-execution analysis can pose problems. We might need to modify the whitelist due to unavailable information about the application's memory range. Sharing this information could create vulnerabilities, so companies understandably keep it confidential. While I believe CylanceOPTICS could likely work with Singularity Complete, I haven't achieved it because I prioritize optimal protection. Disabling all CylanceOPTICS features and putting it in uninstall mode allows it to function but without intervention. In such cases, CylanceOPTICS detects threats first, possibly due to its higher application number in Windows. Similar behavior has been observed with other products.

Deep Instinct is another excellent detection software I use for remote devices. Expanding Singularity Complete's coverage to include IoT devices, Linux, servers, Docker, and mobile platforms (currently limited to Deep Instinct on my devices) would be highly beneficial. While Deep Instinct allows uploading and installation via email code, Singularity Complete currently lacks this functionality.

For how long have I used the solution?

I have been using SentinelOne Singularity Complete for over five years.

How are customer service and support?

I've only had one interaction with their tech support, but it was excellent. In situations where we're struggling with an investigation, I believe they have a guardian contract that could allow them to analyze our findings. Alternatively, if we're having difficulty detecting something, they can guide us through the process. However, my access to their tech department was limited to a single instance when I needed it. The impressive part is that they were willing to help me even though I was from a partner company. Such helpfulness is rare in many organizations, which often require expensive fees before offering similar assistance.

How would you rate customer service and support?

Positive

Which solution did I use previously and why did I switch?

Previously, we used CylanceOPTICS by BlackBerry but transitioned to SentinelOne Singularity Complete due to its enhanced user-friendliness. The latter platform boasts comprehensive investigation capabilities, allowing us to delve deeper into the specifics of security incidents. We can examine parent-child relationships, delve into registry entries, and analyze memory ranges with ease. The feature set is truly extensive.

While CylanceOPTICS offered some of these functionalities, it could not identify pivoting areas within an attack. If I needed to investigate the pivot itself, CylanceOPTICS wouldn't suffice. SentinelOne proves invaluable in such situations. By examining registry entries or monitoring running processes, it helps us pinpoint the root cause, be it a Run DLL or a Windows EXE file disguised as innocuous activity. While CylanceOPTICS might catch the attack, it wouldn't reveal the underlying malicious intent. SentinelOne grants us this crucial level of insight, empowering us to respond effectively.

What other advice do I have?

I rate SentinelOne Singularity Complete a nine out of ten. While the product itself is impressive, the price point is on the higher side. The only drawback is the limited support access. If they offered more affordable support options or provided unrestricted access to their knowledge base, I would easily give it a ten. Unfortunately, they haven't implemented this yet, as it would unlock more resources and expertise for users. Ultimately, it is what it is, but hopefully, they'll consider these improvements in the future. 

In my environment, I support a law firm and a music company while pursuing my research. Additionally, I use Intel hardware for testing purposes. My security strategy prioritizes avoiding complete system reimaging whenever possible. While I have encountered compatibility issues with specific SentinelOne versions and certain software, these were primarily during testing when I intentionally introduced malicious files. In general, the software has proven effective in preventing and mitigating threats.

SentinelOne Singularity Complete has been excellent in its ability to be innovative.

While SentinelOne Singularity Complete is well-established software, the developers continuously strive to improve it. After all, no software ever truly reaches complete maturity. To remain effective, we must constantly adapt, improve, and refine ourselves in response to evolving threats and technologies.

I'd love to partner with SentinelOne right now, but as a small business, cost is a major concern. That's why I'm working with a distributor. They purchase larger license blocks, like five thousand or ten thousand, and because I was one of their early customers, they granted me access. While I have a partnership with them, it's not a formal one. To my knowledge, they require organizations to have at least one hundred or two hundred seats to be considered for a true partnership. I'm unsure if a program exists for smaller businesses, but based on what I've seen, access to their knowledge base, support team, etc., seems to be restricted to contracts with a minimum seat capacity of one hundred or two hundred.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
PeerSpot user
reviewer2305911 - PeerSpot reviewer
Cybersecurity Service Manager at a manufacturing company with 5,001-10,000 employees
Real User
Gives us "eyes" on all our endpoints and the ability to manage them if compromised
Pros and Cons
  • "We opted for SentinelOne because it gives you visibility and control over all the devices on which you have the agent deployed. That is very valuable because, in the end, all the attacks enter only through one gateway, which is usually a user's computer."
  • "Ranger does provide me with visibility of the network, but not completely because the assets it scans are often mistakenly identified regarding what type of device they are."

What is our primary use case?

I am part of the security team, and our strategy is to have this EDR deployed on all of the company's assets, all of our endpoints. We wanted a powerful platform in terms of detection and response to incidents.

How has it helped my organization?

It gives us a first layer of security. In addition, we have hired the SentinelOne Vigilance Respond team, a 24/7 SOC that monitors and mitigates. And, in case we need to escalate an alert on any of our assets, it allows us to do a bit of threat intelligence analysis and debug any asset on any topic.

It has helped reduce alerts thanks to the Vigilance service over the last two years. This includes all types of incidents, whether critical, medium, or low priority. Most of the alerts are managed by them, and we do not see them. We only see those that require some information that only our company has, but very few reach that level since Vigilance is directly in charge of managing them. If we had to manage the alerts that Vigilance manages, between 30 and 50 percent of my workday would go to reviewing alerts.

Overall, it has reduced our mean time to detect by about 70 percent, as that is the percentage in which it acts as an autonomous tool. And our mean time to respond has been reduced by 80 to 90 percent because we have SentinelOne's DFIR, Digital Forensics and Incident Response, team involved.

By providing that first layer of detection and response, SentinelOne allows us to have eyes on all our endpoints and, from there, to manage if a machine or a server has been compromised. We can directly isolate it from the network so that malware or ransomware cannot spread broadly.

It has helped us consolidate security solutions, although we did have some problems. The DFIR team responds quickly, and the Vigilance Respond team is continually working with us, managing the alerts. We do quarterly evaluations, and the support team always responds well, plus we interact with the tool ourselves.

The security team has gained a presence and control over the company's equipment that we did not have before.

Every device that does not have SentinelOne installed is a risk, and without SentinelOne, the difference would be significant. It has helped reduce our organizational risk by 70 percent.

What is most valuable?

SentinelOne has three services that are very well consolidated:

  1. Technical support, through which they help you, suggest new configurations, and resolve questions. 
  2. The Vigilance Respond service, which is a 24/7 SOC that works on and manages all the alerts that are raised in SentinelOne on our devices. It’s a first layer of defense that filters a lot of the requests. Sometimes we end up escalating something because there are times when we need to understand if the alert is a false positive or not.
  3. DFIR, Digital Forensics and Incident Response. This team is in charge of doing all the forensic analysis of an incident, and we have a certain number of hours contracted with them. Their advisors' technical level is very high and enables you to create a high-quality forensic report, in case you have to escalate or report it to senior staff. The DFIR team is excellent.

Another aspect that is very good is the solution’s ingestion and correlation across security solutions. We opted for SentinelOne because it gives you visibility and control over all the devices on which you have the agent deployed. That is very valuable because, in the end, all the attacks enter only through one gateway, which is usually a user's computer. If you do not have visibility over that computer and the ability to manage it, you cannot block it, restart it, or run a full scan to see if the user has clicked on a link or if any type of malware has been downloaded. This is a layer of visibility and basic management that any company needs.

Also, there is the threat intelligence and activity correlation. They not only detect and respond to incidents but also prevent them.

What needs improvement?

We started using SentinelOne Ranger, but we found two problems. Perhaps they are particularities, but they should be addressed as they may change the minds of other companies that are considering this feature.

The first problem is that, while it scans all the assets that are on the network, when it comes to discerning whether an asset is a server or a laptop, it tends to fail. It does not have a very high level of precision. We have experienced problems when reporting these types of assets to those responsible for installing the agent, and then they tell us, "Hey, this is not a server, this is a fax," or "this is a printer." When things like that happen, we lose credibility.

The other issue that we saw with the functionality of Ranger is that if, for whatever reason, you have a product with SentinelOne installed but it is on a client's network, the SentinelOne agent starts scanning the ports and the network and goes to a honeypot. As a result, the client may think that it is being attacked because someone has reached its honeypot, when it’s actually us on the client's network. When you don't know that this is happening, it can generate conflict and tension with the clients. Once you know about the problem, you can deactivate that process, but sometimes it can have a negative impact.

Ranger does provide me with visibility of the network, but not completely because the assets it scans are often mistakenly identified regarding what type of device they are. A SentinelOne agent is worth a lot of money, and there is no point in putting it onto a printer, for example. It should have the ability to go a little further and be more precise.

Another very clear area for improvement, one that I don't understand why they haven't deployed it yet, is a self-updating SentinelOne agent. The agent has a version, and what SentinelOne proposed up until one year ago is that you had to be proactive in consulting the dashboard to see if your agent had reached end-of-life and then update it. Now, they've released a new feature where I believe you can schedule updates, so it makes perfect sense for the agent to update itself without any action on our part, and never go out of version. By simply connecting to the network it should be able to download and update.

This idea is not critical because SentinelOne updates many versions of the agent and, when one becomes obsolete, it does not mean that it no longer works. But this is something that SentinelOne should know how to work with. A solution could be that if you do not have the ability to auto-update the agent, SentinelOne would directly tell you which agents are not updated. That way, we would not have to go to the documentation, look at the dashboard, and filter the agents by version. It would be great if it were able to tell if the operating systems are unsupported so that we wouldn't have to look in the official documentation at whether the Windows Server is outdated or not.

If the agents self-updated, maintenance due to the update process would be minimal.

For how long have I used the solution?

I have been using SentinelOne Singularity Complete for about two years.

What do I think about the stability of the solution?

SentinelOne is very stable. It has never dropped or caused any problems

What do I think about the scalability of the solution?

We do not have it in any cloud. The agent is located on devices; we manage almost 10,000 computers. Our company has a presence in nine European countries, and SentinelOne is used in all of them. Our department is the group that supervises all regions, including Spain, France, the Nordic countries, Poland, Romania, the Czech Republic, Austria, and Switzerland.

We are continually deploying new agents because we detect more and more devices. SentinelOne will stay in our company until it dies, so to speak. With what it has cost us to get here, we will not change now.

How are customer service and support?

Support responds in less than a day.

SentinelOne is a top partner in the industry.

How would you rate customer service and support?

Positive

What was our ROI?

Defender for Endpoint is more expensive than SentinelOne. Other solutions are more expensive and others are cheaper, but in terms of cost-benefit ratio, we’ll always stick with SentinelOne.

The detection and visibility over all assets, whether by the agent or Ranger, and the ability to take action as a result are worth it. It is all very intuitive, and for me, these elements are our return on investment.

Which other solutions did I evaluate?

All the portals, at the end of the day, are "first cousins", such as CrowdStrike and Palo Alto, although that's not exactly an EDR. We went to a global cybersecurity congress in London, and all the solutions were there: SentinelOne and its competition. At the portal, user, and other levels, they are practically the same. Each will have something that is better and something that is worse, but they are quite similar.

What other advice do I have?

You have to do a cost-benefit analysis. Understand the context of your company. It is not the same for a bank or an insurance company compared to a company in the industrial sector that does not manage sensitive data. Understand your particular needs. After a cost analysis, if there is enough budget, choose SentinelOne.

The most important lesson I have learned using SentinelOne is to always listen to what the Vigilance Respond team says.

We are still chasing the benefits of the solution. The model is already deployed, but we are a very large company, and every day we find new devices that do not have SentinelOne. We are still in that phase of continual improvement, of improving the solution and achieving even more benefits. We are getting to the most isolated cases of, for example, servers that have little RAM, and we are debating if we should apply SentinelOne to them because, perhaps, the server will be affected more so. 

We are dealing with these small cases and continuously improving. You don't get all the benefits in two months; it is an ongoing process.

I would recommend SentinelOne, and if, in the end, it is a question of budget, choose it. If I became a CSO tomorrow, that is what I would do.

Foreign Language:(Spanish)

¿Cuál es nuestro caso de uso principal?

Soy parte del equipo de seguridad y nuestra estrategia es implementar este EDR en todos los activos de la empresa, en todos nuestros puntos finales. Queríamos una plataforma potente en términos de detección y respuesta a incidencias.

¿Cómo ha ayudado a mi organización?

Nos da una primera capa de seguridad. Además, hemos contratado al equipo SentinelOne Vigilance Respond, un SOC 24 horas al día, 7 días a la semana que monitorea y mitiga. En caso de que necesitemos escalar una alerta sobre cualquiera de nuestros activos, nos permite realizar un poco de análisis de inteligencia de amenazas y depurar cualquier activo sobre cualquier tema.

Ha ayudado a reducir las alertas gracias al servicio de Vigilance durante los dos últimos años. Esto incluye todo tipo de incidentes, ya sean críticos, de prioridad media o baja. La mayoría de las alertas las gestionan ellos y nosotros no las vemos. Solo vemos aquellos que requieren alguna información que solo nuestra empresa tiene, pero muy pocos llegan a ese nivel ya que Vigilance se encarga directamente de gestionarlos. Si tuviéramos que gestionar las alertas que gestiona Vigilance, entre el 30 y el 50 por ciento de mi jornada laboral se dedicaría a revisar alertas.

En general, ha reducido nuestro tiempo promedio de detección en aproximadamente un 70 por ciento, ya que actúa como una herramienta autónoma. Ademas, nuestro tiempo promedio para responder se ha reducido entre un 80 y un 90 por ciento porque contamos con el equipo DFIR, análisis forense digital y respuesta a incidentes de SentinelOne involucrado.

Al proporcionar esa primera capa de detección y respuesta, SentinelOne nos permite vigilar todos nuestros puntos finales y desde allí, gestionar si un equipo o un servidor se ha visto comprometido. Podemos aislarlo directamente de la red para que el malware o el ransomware no puedan propagarse ampliamente.

Nos ha ayudado a consolidar soluciones de seguridad, aunque si tuvimos algunos problemas. El equipo de DFIR responde rápidamente y el equipo de Vigilance Respond trabaja continuamente con nosotros, gestionando las alertas. Hacemos evaluaciones trimestrales y el equipo de soporte siempre responde bien, además interactuamos con la herramienta nosotros mismos.

El equipo de seguridad ha ganado una presencia y control sobre los equipos de la empresa que antes no teníamos.

Todo dispositivo que no tenga SentinelOne instalado es un riesgo y sin SentinelOne, la diferencia sería significativa. Ha ayudado a reducir nuestro riesgo organizacional en un 70 por ciento.

¿Qué es lo más valioso?

SentinelOne cuenta con tres servicios que están muy bien consolidados:

  1. Soporte técnico, a través del cual te ayudan, sugieren nuevas configuraciones y resuelven dudas.

  2. El servicio Vigilance Respond, que es un SOC 24 horas al día, 7 días a la semana, que trabaja y gestiona todas las alertas que se generan en SentinelOne en nuestros dispositivos. Es una primera capa de defensa que filtra muchas de las solicitudes. A veces terminamos escalando algo porque hay ocasiones en las que necesitamos entender si la alerta es un falso positivo o no.

  3. DFIR, Análisis Forense Digital y Respuesta a Incidentes. Este equipo se encarga de hacer todo el análisis forense de un incidente, y tenemos contratada una determinada cantidad de horas con ellos. El nivel técnico de sus asesores es muy alto y te permite crear un informe forense de alta calidad, en caso de que tengas que escalar o informar a tu personal superior. El equipo de DFIR es excelente.

Otro aspecto que es muy bueno es la incorporación de la solución y la correlación entre las soluciones de seguridad. Optamos por SentinelOne porque te brinda visibilidad y control sobre todos los dispositivos en los que tienes implementado el agente. Esto es muy valioso porque, al final, todos los ataques entran sólo a través de una puerta de enlace, que suele ser la computadora del usuario y si no tienes visibilidad sobre esa computadora o capacidad de administrar, no podrás bloquear, reiniciar o ejecutar un análisis completo para ver si el usuario ha hecho clic en un enlace o si se ha descargado algún tipo de malware. Esta es una capa de visibilidad y gestión básica que cualquier empresa necesita.

Además, cuenta con una gran inteligencia de amenazas y correlación de actividades. No sólo detecta y responde a incidentes sino que también los previene.

¿Qué necesita mejorar?

Empezamos a utilizar SentinelOne Ranger, pero encontramos dos problemas. Quizás sean particularidades, pero conviene abordarlas ya que pueden hacer cambiar de opinión a otras empresas que estén considerando esta característica.

El primer problema es que, tal vez escanea todos los activos que hay en la red, pero la hora de discernir si un activo es un servidor o un portátil, tiende a fallar. No tiene un nivel de precisión muy alto. Hemos experimentado problemas al informar este tipo de activos a los responsables de instalar el agente y luego nos dicen: "Oye, esto no es un servidor, esto es un fax" o "esto es una impresora". Cuando suceden cosas así, perdemos credibilidad.

El otro problema que vimos con la funcionalidad de Ranger es que si, por cualquier motivo, tiene un producto con SentinelOne instalado pero está en la red de un cliente, el agente SentinelOne comienza a escanear los puertos y la red y va a un honeypot. Como resultado, el cliente puede pensar que está siendo atacado porque alguien ha llegado a su honeypot, cuando en realidad somos nosotros en la red del cliente. Cuando no sabes que esto está pasando, puede generar conflicto y tensión con los clientes. Una vez que conozcas el problema, puedes desactivar ese proceso, pero a veces puede tener un impacto negativo.

Ranger me proporciona visibilidad de la red, pero no completamente porque los activos que escanea a menudo se identifican erróneamente con respecto al tipo de dispositivo que son. Un agente SentinelOne vale mucho dinero y no tiene sentido ponerlo en una impresora, por ejemplo. Debería tener la capacidad de ir un poco más allá y ser más preciso.

Otra área de mejora muy clara, una que no entiendo por qué no la han implementado todavía, es que el agente de SentinelOne sea autoactualizable. El agente tiene una versión, y lo que SentinelOne proponía hasta hace un año es que había que ser proactivo al consultar el panel para ver si su agente había llegado al final de su vida útil y luego actualizarlo. Ahora, han lanzado una nueva función en la que creo que se pueden programar actualizaciones, por lo que tiene mucho sentido que el agente se actualice sin ninguna acción de nuestra parte y nunca se quede sin versión. Simplemente conectándose a la red debería poder descargarse y actualizarse.

Esta idea no es crítica porque SentinelOne actualiza muchas versiones del agente y cuando una queda obsoleta, no significa que ya no funcione. Pero esto es algo que SentinelOne debería saber cómo ejecutar. Una solución podría ser que, si no tiene la capacidad de actualizar automáticamente el agente, SentinelOne te indique directamente qué agentes no están actualizados. De esa forma, no tendríamos que ir a la documentación, mirar el panel y filtrar los agentes por versión. Sería fantástico si pudieras saber que sistemas operativos no son compatibles para que no tuviéramos que buscar en la documentación oficial si Windows Server está desactualizado o no.

Si los agentes se autoactualizaran, el mantenimiento debido al proceso de actualización sería mínimo.

¿Durante cuánto tiempo he usado la solución?

He estado usando SentinelOne Singularity Complete durante dos años aproximadamente.

¿Qué pienso sobre la estabilidad de la solución?

SentinelOne es muy estable. Nunca se ha caído ni ha dado ningún problema.

¿Qué pienso sobre la escalabilidad de la solución?

No lo tenemos en ninguna nube. El agente está ubicado en los dispositivos; Gestionamos casi 10.000 ordenadores. Nuestra empresa tiene presencia en nueve países europeos y SentinelOne se utiliza en todos ellos. Nuestro departamento es el grupo que supervisa todas las regiones, incluidas España, Francia, los países nórdicos, Polonia, Rumanía, República Checa, Austria y Suiza.

Continuamente implementamos nuevos agentes porque detectamos cada vez más dispositivos. SentinelOne permanecerá en nuestra empresa hasta que muera, por así decirlo. Con lo que nos ha costado llegar hasta aquí no vamos a cambiarlo ahora.

¿Cómo es el servicio y soporte al cliente?

El soporte responde en menos de un día.

SentinelOne es un socio líder en la industria.

¿Cómo calificaría el servicio y soporte al cliente?

Positivo

¿Cuál fue nuestro Retorno de Inversión?

Defender for Endpoint es más caro que SentinelOne. Otras soluciones son más caras y otras más baratas, pero en términos de relación coste-beneficio, siempre nos quedaremos con SentinelOne.

La detección y visibilidad de todos los activos, ya sea por parte del agente o del Ranger y la capacidad que tiene de tomar medidas valen la pena. Es todo muy intuitivo y para mí, estos elementos son nuestro retorno de la inversión.

¿Qué otras soluciones evalué?

Todos los portales, al fin y al cabo, son "primos hermanos", como CrowdStrike y Palo Alto, aunque no sean exactamente EDR. Asistimos a un congreso global de ciberseguridad en Londres y todas las soluciones estaban allí: SentinelOne y su competencia. A nivel de portal, usuario y otros niveles son prácticamente iguales. Cada uno tendrá algo mejor y algo peor, pero son bastante similares.

¿Qué otro consejo tengo?

Tienen que hacer un análisis coste-beneficio. Comprende el contexto de tu empresa. No es lo mismo un banco o una compañía de seguros que una empresa del sector industrial que no gestiona datos sensibles. Comprende tus necesidades particulares. Después de un análisis de costos, si hay suficiente presupuesto, elije SentinelOne.

La lección más importante que he aprendido al utilizar SentinelOne es escuchar siempre lo que dice el equipo de Vigilance Respond.

Todavía estamos descubriendo más beneficios en la solución. El modelo ya está implementado, pero somos una empresa muy grande y cada día encontramos nuevos dispositivos que no tienen SentinelOne. Todavía estamos en esa fase de mejora continua, de mejorar la solución y lograr aún más beneficios. Estamos llegando a los casos más aislados de, por ejemplo, servidores que tienen poca RAM y estamos debatiendo si debemos aplicarles SentinelOne porque, quizás, el servidor se verá más afectado.

No obtienes todos los beneficios en dos meses; es un proceso continuo.

Yo recomiendo a SentinelOne. Si al final es una cuestión de presupuesto, elígelo. Si mañana me convirtiera en un OSC, eso es lo que haría.

Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
PeerSpot user
reviewer2277633 - PeerSpot reviewer
CISO at a insurance company with 10,001+ employees
Real User
Excellent threat detection, easy to deploy, and helps save time
Pros and Cons
  • "We have had very few false positives or false negatives, which allows our analysts to focus on their work instead of dealing with noise."
  • "The endpoint firewall capability is fairly primitive and basic."

What is our primary use case?

We use SentinelOne Singularity Complete for its end-to-end detection and response capabilities.

How has it helped my organization?

We started using SentinelOne Singularity Complete because I wanted to eliminate a number of our existing first-generation tools, which were designed primarily for on-premises use cases. I wanted to move to our new set of tools, which were designed predominantly for cloud deployment and cloud infrastructure. There were two primary drivers for this decision: to reduce complexity and cost and to move to a solution that was specifically designed for our new architecture.

One of the main reasons we bought SentinelOne was for its integration capabilities. We don't have a standalone tool to supplement our overall security architecture. This includes our security data link, analytics layer, and intelligence capabilities. So that was really one of the primary reasons.

SentinelOne Singularity Complete excels at ingesting and correlating data across the security solutions that it has visibility into.

It has helped consolidate two of our security solutions.

SentinelOne Singularity Complete has helped our organization by boosting our confidence in our ability to detect and respond to the broadest range of threats, reducing noise in our security operations capability and resulting in fewer false positives than ever before.

It helped reduce our alerts by around 60 percent per day. SentinelOne Singularity Complete helped free up 20 percent of our staff's time to work on other projects.

Although I do not have data to support the claim, SentinelOne Singularity Complete should reduce MTTD. SentinelOne Singularity Complete has reduced our MTTR. It has saved us around 18 percent of our costs.

What is most valuable?

I find two features particularly valuable. First, deployment is much simpler than with other solutions with similar capabilities. Second, the fidelity of the detections is excellent. We have had very few false positives or false negatives, which allows our analysts to focus on their work instead of dealing with noise.

What needs improvement?

SentinelOne plans to integrate its endpoint agents, but the process is slow. The company has multiple agents with different functions, such as the ED Ranger, and each agent has different actual clients. Combining the endpoint agents would be a good step.

The endpoint firewall capability is fairly primitive and basic. It does not use objects and different device types to create a single object that can be easily managed. There is a significant amount of work to be done on the firewall side.

For how long have I used the solution?

I have been using SentinelOne Singularity Complete for almost seven months.

What do I think about the stability of the solution?

SentinelOne Singularity Complete is stable.

What do I think about the scalability of the solution?

SentinelOne Singularity Complete is scalable.

How are customer service and support?

Technical support has been excellent so far.

How would you rate customer service and support?

Positive

Which solution did I use previously and why did I switch?

We previously used Tanium and Symantec, two separate sets of tools. Tanium is a first-generation tool that is not specifically designed for the cloud. It requires a significant amount of manual effort to configure and manage, rather than automate these tasks. Symantec does its job, but we are essentially buying two tools to do what SentinelOne Singularity Complete can do on its own. Therefore, the switch to SentinelOne is primarily a cost-saving measure.

How was the initial setup?

The initial deployment was straightforward. The entire deployment took 16 weeks, with eight weeks spent deploying the endpoints and eight weeks spent deploying the service. A total of 20 people were required for the deployment.

What was our ROI?

We are beginning to see a return on investment in SentinelOne Singularity Complete due to the reduced number of alerts in the operations center and the high-fidelity data.

What's my experience with pricing, setup cost, and licensing?

After negotiations, the pricing was found to be fair.

What other advice do I have?

I would rate SentinelOne Singularity Complete an eight out of ten.

SentinelOne Singularity Complete is a really mature product and seems to be focused on enhancing core capability and not getting distracted by other stuff.

SentinelOne Singularity Complete is deployed across our entire estate. We have around 10,000 endpoints.

It requires maintenance, such as builds, policies, and other related tasks. We have a team of four responsible for maintenance and another three people for day-to-day operations.

They have stepped up as a strategic security partner.

I recommend organizations do a proper proof of concept with the SentinelOne Singularity Complete in their environment using their tools and their people.

Which deployment model are you using for this solution?

Hybrid Cloud
Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
PeerSpot user
Chief Information Officer at a tech services company with 1-10 employees
Real User
Reduces alerts, allows data from everywhere, and helps to be as secure as we can be
Pros and Cons
  • "The ability to quickly and easily identify threats on our machines is valuable. The fact that it protects the environment as a whole is also valuable. They have the ability to identify network nodes, and they have Ranger as a component of the solution that allows us to see the whole picture. We can see on what we have SentinelOne and on what we do not."
  • "Interoperability with other SentinelOne solutions and other third-party tools is an area where you can run into some issues. Because of the way the agent works, there are sometimes things that are blocked or prevented from happening that are not identified as a threat, and therefore, not alerted in the console. Sometimes, we do have to dig through the logs, run tests, and adjust the whitelisting or exclusions to make sure that other applications will run properly."

What is our primary use case?

We use it for protection and endpoint detection across our entire customer base because we are a managed service provider. It is also for endpoint protection of our internal machines. 

We have Linux, Mac, and Windows. It has essentially replaced our antivirus solutions. It is our full endpoint detection. We then work in and partner with our outside XDR and our SOC. We interface SentinelOne identifications and alerts into the SOC so that they can manage those for us.

How has it helped my organization?

It is very strong in terms of the ability to ingest and correlate across our security solutions. They have added cloud capabilities. Some of that is through acquisitions, but a lot of it is native. It allows us to bring in data from everywhere, analyze what we need to analyze, and make sure that we are as secure as we can possibly be. When we have SentinelOne running in an environment, it always makes us feel more comfortable. We require it for every one of our customers. They may have a license elsewhere, but regardless of that, we essentially say that if they are coming on and going to be a customer of ours, we are going to remove whatever they have, and they are going to SentinelOne just because it is a far superior product that we have tested and evaluated.

With SentinelOne, we have not consolidated security solutions, but we have reduced our TCO because we do not have to support customers utilizing other endpoint protection solutions. We simply would not work with other solutions. We enforce SentinelOne to be the only endpoint protection solution that is monitored or managed by us. That obviously has helped our TCO in terms of the knowledge base and being able to support and protect our clients, but we have not reduced any applications or vendors that we work with because we stuck with SentinelOne from day one.

We have used the Ranger functionality a little bit. It provides network and asset visibility. It lets us see everything else that may be on the network that we may not already have an idea of. Just by having an agent in the environment, it lets us see additional switches that may have vulnerabilities or new machines that may pop up on the network that we are unaware of. There is a large benefit to that, for sure.

The fact that Ranger requires no new agents, hardware, or network changes is crucial to it being effective because a lot of different solutions out there require you to have something else running on the network to be able to perform the functions of Ranger. However, the way they designed SentinelOne, we can essentially have the regular SentinelOne singularity agent installed on a machine out there and enable the Ranger functionality on the agent. It will then do the work for us. Rather than having an additional appliance or an additional software service running in the environment to capture the information that we are looking for, we get it from Ranger. Ranger can help to prevent vulnerable devices from becoming compromised, but we have not used it this way.

SentinelOne Singularity Complete without a doubt has helped reduce alerts. With the policies that we enable across the board for our customers through SentinelOne Singularity Complete, we can onboard new clients, and as we onboard them, we are able to quickly and easily protect their environment without filtering through a ton of random alerts that are typically false positives when you are onboarding a new customer. That, to me, has been a huge benefit to having SentinelOne and reducing our overhead to manage the new customers that we are bringing on.

SentinelOne Singularity Complete has helped free up our staff for other projects and tasks by reducing the false positives that we get for our existing customers and when we onboard new ones. It obviously allows us some engineering time to be focused elsewhere. We have been able to do more automation and tie in other protection solutions into SentinelOne, such as our XDR with our SOC.

SentinelOne Singularity Complete has reduced our mean time to detect (MTTD) without a doubt. We get alerts regularly from the console that get notified to our SOC and also internally. We are able to respond to those very quickly. In fact, on average, about 90% to 95% of the time, SentinelOne Singularity Complete automatically remediates the solution based on how it is set up with our policies. Therefore, we do not have to do anything other than verify that it was a legitimate threat that was blocked.

Our mean time to respond (MTTR) is a lot faster than what we experienced with other solutions in the near past. It is almost immediate. It sees the process kick off. It remediates it 90% to 95% of the time, and even when it does not remediate it, it alerts us immediately. We are not waiting for a weekly scan or a daily scan that the other solutions typically use because it is all in real-time with the Singularity agent.

SentinelOne Singularity Complete has helped reduce our organizational risk. It is one of those solutions that lets us sleep easier at night when we have it on a machine. Security, in general, is not set-it-and-forget-it. It is not a single layer. You have to have multiple layers. We have other solutions that we partner with SentinelOne to try and make the environment as secure as possible, but SentinelOne is definitely the starting point. It gets us protected, and it makes our lives easier with the device. We feel more confident that the device is secure from everyday end users who do not necessarily know the difference between a fake or a phishing email that has a fake Adobe or Word Document attached to it that they are going to download and try to run. It definitely makes our life easier, and in my role, it helps me sleep a little better at night knowing that all of our machines are protected by that, both internally and across the board of our customers.

What is most valuable?

The ability to quickly and easily identify threats on our machines is valuable. The fact that it protects the environment as a whole is also valuable. They have the ability to identify network nodes, and they have Ranger as a component of the solution that allows us to see the whole picture. We can see on what we have SentinelOne and on what we do not. There is always that concern that you protect what you know, but items can be brought into the network that you are unaware of because you are not sitting at every customer location every day or every office every day, so the ability to quickly identify anything new on the network has been a huge benefit to the application. It is something that they have added over time. It has been huge for us.

What needs improvement?

Interoperability with other SentinelOne solutions and other third-party tools is an area where you can run into some issues. Because of the way the agent works, there are sometimes things that are blocked or prevented from happening that are not identified as a threat, and therefore, not alerted in the console. Sometimes, we do have to dig through the logs, run tests, and adjust the whitelisting or exclusions to make sure that other applications will run properly. It is very effective, and it protects our environment like no other solution that we have ever worked with or tested. It is very strong, but you have to get in and look at the visibility reports and the information in the system, in the console, and on the dashboard to really identify if something is being blocked and causing a performance issue for a customer or on a machine. They have the flexibility there, but it can be a little frustrating at times to find the needle in the haystack until you get used to the console and understand how it works. So, there are times when it can impede the ability of an application. The way I typically look at that is that the application developer or whoever developed the app is probably using some functionality that is not standard, and that is why SentinelOne is effectively not allowing it. The only issue there is that we do not always know that SentinelOne is not allowing it. It could be impeding the traffic for an application or a database connection, but we do not know that initially. It does not flag that as a threat or block anything, so there is no alert.

They have device and network control that they have added over time. It allows you to take over control of the firewall through the network control, and you can block and manage CD-ROMs and USB devices. One thing that I always thought would be beneficial for device control is the ability to enforce encryption on USB and external hard drives. You do not have to have a separate agent to handle any of that even if it is just tying into BitLocker on Windows devices or BitLocker To Go capabilities. To me, that would be a huge benefit to the product so that there is no other application, and you do not have to privately manage BitLocker settings for USB devices or external hard drives.

For how long have I used the solution?

Between my current organization and prior organization, I have been using SentinelOne for close to nine or ten years.

How are customer service and support?

We have not had any incidents where we have had to contact them for an emergency. There were no ransomware outbreaks and no major attacks or threats running through our environment, so I have not had to deal with that level of support. Typically, we reached out to their support when we had a question on interoperability or we were seeing some weird effects or an agent upgrade not wanting to push from the dashboard properly. For the most part, their support is pretty strong. The turnaround time is usually pretty good. We had only one ticket that had to be escalated above the initial tier 1 support. They get prioritized based on criticality, and even that ticket was closed within eight calendar days. To me, it was not a critical issue. I did not think it was an issue, but it took eight days. That was well within the expected time frames. I would rate their support a nine out of ten.

How would you rate customer service and support?

Positive

Which solution did I use previously and why did I switch?

In the past, I have used Trend Micro. This was prior to endpoint detection times. It was more than nine years ago. I used Trend Micro, Kaspersky, Norton, and McAfee. I have also used ESET and Malwarebytes. Typically, we were using those in layered approaches. We put ESET and Malwarebytes on the same machine because they served different purposes, but I have not used those in nine or ten years.

By implementing SentinelOne Singularity Complete, we were not necessarily trying to solve a problem. We wanted to try and find a best-of-breed solution that was more effective than legacy AV because legacy AV is based on somebody getting hit by the virus, and then it allows the fingerprint to be used to block hashes, etc. Somebody has to get hit, and then everybody else can benefit from that. That was the old model, and we wanted to go next-gen. We wanted to make sure that we were using something that could be as protective as possible on zero-day outbreaks. After reviewing many of the solutions out there, we felt like SentinelOne was the best of the breed. That is justified year over year, and that is why we have continued to stay with them both in my last organization and this one. When you review different reports that are out there every year, SentinelOne is the leader year after year.

What was our ROI?

It has helped us save a lot of soft dollar costs. I do not know if they offer it to everybody, but we have the ransomware insurance policy from SentinelOne that provides us a certain amount of reimbursements per endpoint should there actually be a ransomware outbreak. In all our time, we never had to use it because there simply has not been a ransomware outbreak on a single one of the machines that has SentinelOne properly installed on it.

What's my experience with pricing, setup cost, and licensing?

We buy the licensing in bulk. From a pricing standpoint, because we buy in bulk, we get very good pricing. Based on its functionality and capabilities, it is well worth the price. I do not think it is at all expensive based on what you get in the solution. We use the complete up to the core. Our pricing is probably a little bit more than somebody who is on the core. In general, it is well worth what you get for the price you pay.

What other advice do I have?

Overall, I would rate SentinelOne Singularity Complete a nine out of ten.

Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
PeerSpot user
Buyer's Guide
Download our free SentinelOne Singularity Complete Report and get advice and tips from experienced pros sharing their opinions.
Updated: October 2024
Buyer's Guide
Download our free SentinelOne Singularity Complete Report and get advice and tips from experienced pros sharing their opinions.