SentinelOne Singularity Complete Reviews

We used it only for six months. Initially, it turned out to be a good product, but then we had an issue, so we stopped using it. We are now using CrowdStrike.

From an endpoint perspective, we have a heterogeneous environment. We have Windows, we have Mac, and we have Linux endpoints. We deployed it on all the endpoints, all different operating systems, and cloud instances as well. Our AD was also integrated along with the identity solution, but the issues specifically get reported on the endpoints for open-source or Linux. That is why we decided not to move forward with it.

By implementing SentinelOne Singularity Complete, we wanted security for our endpoints. After COVID, endpoint security became even more critical because our perimeter was more exposed. It was expanding wherever the end users were, so endpoint security became much more critical. Previously, in terms of endpoint security, the traditional antivirus, anti-malware, and endpoint protection were disconnected systems. We did not have any offline correlation, log collection, or policy management, whereas SentinelOne, as well as CrowdStrike, come with a central console. For compliance requirements, such as ISO, SOC 2, or PCI, we have to provide evidence in terms of the status of the endpoint patches and security posture. That is possible through the central console. That was the motivation for us to move to one of these products. SentinelOne was our first choice, but we ran into a specific issue.

We had not specifically signed up for any risk management, but we were also looking to expand that to a completely managed SOC where we do the log correlation as well. When we initially started, we only started with the endpoint, identity, and cloud.

The main reason for getting this solution was that it was a new-gen endpoint solution for having an organization-wide view of security vulnerabilities or abnormal behavior. That was the main reason we got started with SentinelOne Singularity Complete. It gave us a lot of that information. It also helped us with compliance requirements. In the case of any specific instance or any abnormal behavior, its reports certainly helped us with the root cause analysis and collection of logs. It helped us in providing or collecting the evidence that we could use in our compliance reports to ensure proper reporting for relevant legal entities.

The ranger product helped us to do discovery of endpoints. We could identify our rogue devices.

SentinelOne Singularity Complete helped to reduce alerts. It groups the alerts. If you have similar alerts coming from the same server or a couple of servers at a similar time frame, it groups them and sends a single alert along with the device ID. This way, you have less number of alerts for the team to work on. If the agent itself is not in the running state or does not have the latest signatures available, it basically groups the alerts and tries to create a single alert. You have all the endpoints listed out, and you can take action against that particular issue rather than the same issue being reported from thousands of machines together. It is hard to provide the metrics, but generally, it helped quite a bit. I had around 8,000 endpoint licenses, and if 20% of the services started reporting the same issue, there would have been 1,500 to 1,600 alerts in a minute. It merges them into a single alert. We can also define a real-time action. A single alert helps our backend team to take action easily. The same is applicable to the SentinelOne support as well. If certain patches or certain actions are required to mitigate an issue, their team can do the mitigation in one shot and the fixes get pushed to all the servers that were reporting that particular issue. In one shot, you can automate and orchestrate your mitigation.

SentinelOne Singularity Complete helped reduce the mean time to detect and the mean time to resolution. There was at least a 10% reduction.

SentinelOne Singularity Complete did not help us save any direct costs, but there is an opportunity in terms of manhours saved in the backend because of having all these features integrated. There were indirect cost benefits. We saved a lot of hours because our engineers did not have to keep an eye on all the alerts. They could automate certain actions. That was an indirect cost benefit. I cannot list any direct cost benefits. These are costly products.

SentinelOne Singularity Complete absolutely helped reduce organizational risk. It is meant for that. We had different levels of reporting available. We could have an executive view. We could view the standards or framework that we were using. We could see the level of compliance to various standards in terms of percentage. We could also define the actions by accepting something as a risk or mitigating that by orchestrating.

There is centralized reporting and view. We can have role-based access management where technical people or monitoring people can have a central dashboard with a single view of all the endpoints. Whether our endpoints are running on Windows, Mac, Linux, or any flavor of operating systems, and even mobile devices, we can have a central dashboard through which we can do complete user management and policy management. We can have a complete security posture organization-wise, department-wise, or business-wise.

They have a good data lake kind of feature where you can ingest all the security logs. They can be from your endpoint, your identity management system, or your cloud. They can be from any of those services, so you get to do log analytics. That is one of the features that I liked about it. The same capability is also available with CrowdStrike which we are now exploring because of the issue with SentinelOne. However, at the time, with SentinelOne Singularity Complete, because of log analytics, we could do threat intel or sandboxing or have custom logic written for any specific kind of reaction. Those kinds of things were quite easy.

Log analytics and a couple of other things were also pretty good.

We ran into production issues related to CPU utilization on Linux endpoints. Our production environment's performance got degraded like anything. After a lot of debugging, we figured out that because it consumed a big percentage of the CPU and memory. Some of the applications were restarting automatically or randomly. We had an auto-healing infrastructure, so if the system memory was available, the application would restart on its own. When this issue got prolonged, we could see a lot of service failures because of being out of memory. This issue started hitting us wherever we had persistence connection requirements. Because existing connections were breaking completely, any transaction that somebody was doing online got terminated, and that was a big issue.

They should improve it for the open-source or Linux endpoints. They can provide customizations where we can limit the on-access CPU utilization or memory utilization. It should honor the specified limit and use only a limited percentage of CPU and memory rather than utilizing all the CPU or memory available on a system. 

Other than that, I do not have any input. There is a lot of potential. There are a lot of possibilities for orchestration and sandboxing. Because we hit one particular issue, we were not able to continue using it, but I see a lot of opportunities there.

With SentinelOne Singularity Complete, we did not work for a long time. We gave away this product within six months. There were some problems or issues reported, and that is why we discontinued using this product. We stopped using it nine to ten months ago. We have now migrated completely to CrowdStrike.

I discarded this product within six months. I would rate its stability a five out of ten.

Its scalability is fine. I would rate it a nine out of ten for scalability. 

We used it in a heterogeneous environment. We had about 8,000 endpoint licenses.

I would rate their support a six out of ten because the issues that I had reported were not resolved.

As a strategic partner, SentinelOne is pretty good. They are very proactive.

Neutral

Prior to SentinelOne Singularity Complete, we had multiple pieces. We did not have one single product for everything. For endpoint security, we had McAfee as an antivirus and anti-malware. For identity, there was a different application altogether. For SIEM, there was a completely different solution, and for log correlation, we had a different log management server. Dashboarding solutions were completely different. EPO was the tool that we had to orchestrate some of the endpoint and antivirus-related policies.

We were having some challenges with SentinelOne Singularity Complete, so we migrated to CrowdStrike. We are now also exploring CrowdStrike's SIEM solution.

From a maturity standpoint, both SentinelOne Singularity Complete and CrowdStrike are mature products.

We deployed it on-prem and on the cloud. Its deployment was straightforward. It was orchestrated via my backend tool.

It does not require much maintenance. The maintenance required is similar to an endpoint. One or two people are sufficient for 8,000 to 9,000 licenses because they need to just monitor the status. In case they find a rogue device, then only they have to take action. Otherwise, once they have a complete deployment done, they just need to automate reports and tasks. Those kinds of things certainly help.

It is expensive. There is no doubt about it. If one of the functions does not work, it becomes very difficult for any CIO to justify the cost.

I would not be able to share the exact price, but we had almost 8,000 endpoint licenses, and it was a huge cost.

CrowdStrike is not cheaper than SentinelOne. Both products go neck to neck. Both are costly products. 

I would advise going for this solution only if you have a clear use case.

I have only one recommendation. If anybody wants to use such a solution to its potential, they need to be very clear about their use case. They need to know whether they want to go for the complete solution or they are just focusing on the endpoint solution. If you have a complete use case that requires EDR, identity, cloud, and log analytics, then SentinelOne or CrowdStrike makes sense. If you only have an endpoint use case, then these solutions do not make sense. It would not be a cost-effective deal.

After the complete endpoint deployment, you have complete asset visibility. We never used the life cycle management piece. We were just using the EDR feature.

SentinelOne Singularity Complete did not help free up the time of our staff for other projects and tasks. It has a lot of potential to do that, but we used it for a very short duration. Because of the issue we had, we did not continue using this solution. However, it has a lot of potential.

I would rate SentinelOne Singularity Complete a six out of ten. After they improve the product and their support, I may increase the rating. At this time, I cannot rate it more than six.

We use SentinelOne Singularity Complete to provide endpoint protection for all endpoint servers and Kubernetes clusters in our environments where SentinelOne is supported. We also use SentinelOne to help manage our systems and provide visibility into the assets in our environment.

We have found that Singularity Complete integrates well with our existing SIEM solution, Splunk, and some of our other system management tools, such as Okta and Armis. We are also looking forward to the additional future integrations that are planned.

I appreciate Singularity Complete's ability to ingest and correlate data across our security solutions. I use this feature quite often, either to perform deep visibility searches to correlate data across different sources if I have specific concerns about security events, or even to track running or operational issues as well. Singularity is not only a security product but it can also be used for troubleshooting non-security and related issues on devices.

Compared to the previous EDR solution, Cylance Protect, we had substantially fewer false positives when we implemented Singularity Complete.

Singularity Complete has reduced our MTTD.

Singularity Complete has reduced our MTTR somewhat compared to our previous EDR solution.

Singularity Complete has reduced our organizational risk by 20 percent, specifically the risk profile associated with malicious activities on protected devices.

The most valuable features, of course, are the protection and support for the devices. In addition to that, the ability to see the last log-on dates for time-tracking purposes has been helpful. The most useful feature of all is deep visibility. I think it was recently renamed to something else, but it is the ability to run IOC queries across all devices and gain information to look at any kind of potential events that might occur.

We have had cases where Singularity Complete has caused applications to malfunction. The existing interoperability rules have not necessarily been sufficient to resolve those conflicts. SentinelOne needs to work on interoperability with other systems and on the interoperability rule set.

I have been working with SentinelOne Singularity Complete for one year.

We have not had any stability issues in our environment with Singularity Complete.

Singularity Complete is scalable.

With any support service, it depends on the person we get on the line. Some are better than others. But overall, I find the technical support team to be good, comparable to other good technical support teams I've seen from other vendors.

Positive

We implemented SentinelOne Singularity Complete to move away from a legacy EDR platform, Cylance Protect, that did not perform as well as a modern EDR solution should.

The initial deployment was complex due to the complex environment. I would agree that deploying to a single device would be straightforward, but we have a manufacturing environment that requires bespoke applications, which makes any migration complex.

Fifteen people were required for the deployment.

The implementation was completed in-house.

The pricing and licensing make sense. We worked with a third party to help us with licensing, and the licensing we obtained through that process was ultimately reasonable and comparable to other products on the market.

We evaluated Microsoft Defender, CrowdStrike, and Cortex XDR by Palo Alto Networks.

I would rate SentinelOne Singularity Complete ten out of ten.

We are considering the possibility of using SentinelOne to consolidate some of our security solutions, but have not moved in that direction just yet.

Singularity Complete has not yet saved our staff time because it takes more time to deploy and migrate to the point where we have time savings. I think it will in the next couple of years.

We see a lot of innovation from SentinelOne. They are acquiring many other products that are integrating with the platform we looked to adopt in the next couple of years if it works out well. New features and functionalities are also regularly released. So, in terms of innovation, that's one of the reasons we chose SentinelOne Singularity Complete in the first place.

Singularity Complete is a mature product that can sufficiently protect our assets. I would say that the core features associated with that functionality are in place and work well.

Maintenance is relatively low, but systems need regular updates, and we need to troubleshoot all of them. So, there is some work involved.

SentinelOne is a good strategic security partner. We appreciate the direction of their product roadmap and its current coverage. One area where they could improve is in having their EDR support teams reach out to us. We don't believe we have an EDR or anything similar setup, but it would be helpful if they offered quarterly or semi-annual meetings to check in, see how we're doing, and give us an opportunity to provide feedback.

People researching Singularity Complete should first understand their environment and deployment goals to ensure compatibility between their existing solutions and the new product. They should also evaluate multiple competitors before making a commitment.

We use Singularity to secure our workstations and servers.

Singularity has added some features to our security setup. It adds layers of protection to our security servers and workstations. One advantage of Singularity over other traditional antivirus products I use is that it doesn't use as many resources as other products. 

If you resolve them permanently, the solution can reduce the number of alerts. Some applications keep triggering alerts, and you need to remove them, or they will continue to do so. We need physical signatures to prevent them from alerting again in the future. We can reduce the alerts by about 80 to 90 percent annually. Our old antivirus wouldn't flag some applications as malicious, but SentinelOne detected them, so we removed those applications, and it reduced our alerts.  

Singularity has reduced our organizational risk by about 80 to 90 percent. We were able to address those alerts and remove a lot of malicious files that our previous solution didn't recognize. We saw a significant advantage in the first year. We've experienced a massive improvement in our mean time to detect. We have a large user base, but Singularity Complete performs better than our previous solution.

Singularity has the same features as other antivirus products, but it provides an added layer of security and vulnerability protection. It's also light on resources. Singularity doesn't use a lot of CPU or memory. We can consolidate our security solutions into one centralized platform, and monitor all our workstations and servers from one place. 

SentinelOne is causing a problem with the data service that causes one of our applications to crash randomly. We're still looking for a permanent fix, but we have implemented a temporary workaround that excludes that application from the scan. 

I have used Singularity for 4 or 5 years. 

I rate Singularity Complete 9 out of 10 for stability.

I rate Singularity Complete 9 out of 10 for scalability. 

I rate SentinelOne support 9 out of 10 because they're very responsive.

Positive

I previously worked with Sophos and ESET. The primary reason we prefer SentinelOne is that it doesn't consume a lot of resources. 

Deploying Singularity is straightforward, and it doesn't require you to restart the servers in the latest version.

Singularity isn't cheap, but it's worth what we pay for it. 

I rate SentinelOne Singularity Complete 9 out of 10 overall. Singularity performs as well as expected, and it's less resource-intensive than other products.

The solution provides endpoint protection for all our desktops, laptops, and servers. We also use it for some of the firewalls on the endpoints. We are also doing asset discovery for devices.

Tracking down which devices don't currently have SentinelOne on them is the most valuable feature of the product. So, we can push SentinelOne onto those devices.

Recently, the vendor took away my ability to create a ticket, mostly because we're in an MSSP environment. It has created a lot of extra hoops to jump through. I recently had a single sign-on issue on the console. I had to go through my MSSP. It took a month and a half to two months to get any resolution on it because my MSSP can't test our single sign-on. They don't have an account in that system. It has been very detrimental to effectively solving issues. I understand that the vendor does not want the clients of the clients submitting tickets. However, when I'm the one who's doing the majority of the work inside of SentinelOne, removing that from my ability has been very inconvenient.

The filtering features of the application management console could be improved. If I search for applications that shouldn't be installed on our endpoints, filtering is not the most straightforward process. Running through the search process takes a lot of time and effort. It would be hugely beneficial if the tool blacklists the applications that are not allowed to be installed. It would help with the management of unapproved applications or malicious applications that might be installed.

The automated agent upgrade system could use a little bit more fine-tuning. The maintenance windows must be a little bit more robust. I have to manually set what agent we're pushing each time we want to change instead of asking the tool to do N-1 for agent upgrades. It's automatic, but it's not quite automatic.

I have been using the solution for two years.

We've had fewer issues with stability recently, mostly because they made some changes to the actual agents. Shadow copies were filling up the drives and causing some crashes. However, the more recent agents have been much more stable, which has been wonderful.

The tool is very scalable. If we use all of our agents, it's very easy to ask the vendor to add more agents to our license. They get that taken care of, which is really nice. It's been very easy to change and modify groups as we need to.

Exclusions have been very straightforward. I would love to see the exclusions to look at the machines in a group and inform us when we have exclusions that are not found in the directories on the machines. It will help with the removal of redundant or unused exclusions. It will remove some of that risk.

I don't have access to create tickets. The vendor removed the ability. I need to talk with our MSSP for support. They sometimes send us support articles that we already have access to. It takes an extra three to four days to get things resolved. In the most recent case, it was a month and a half.

We used Symantec Endpoint Protection before. We switched to SentinelOne Singularity Complete because Symantec Endpoint Protection was very old and was not being updated by Broadcom anymore. It was not as effective in terms of reporting. It was very clunky. So we were looking for something new and a little bit easier to work with than what we had at the time.

The initial deployment was pretty straightforward from my perspective. We were able to take the package and deploy it, which made it really easy to get it on all of our endpoints. About ten people were involved in the deployment.

Our MSSP helped us do the deployment. We used the asset management tool Ivanti to push out the agents.

The pricing is packaged in with our MSSP. The cost of endpoint protection is fairly reasonable. Some of the other systems are a little expensive, but there's still value behind them. It's pretty close to what I would expect.

We haven't stepped into other integrations quite yet. We're looking to explore it next year. We're trying to rebuild our security stack. The endpoint protection was one big step. We're planning on expanding a little bit more. I love that it is pretty straightforward to connect between different systems. It makes my life a little easier.

The solution’s ability to ingest and correlate across our security solutions is nice. We haven't done much of that with our systems yet, but having one source of truth to look at all those different pieces is hugely beneficial because we have a very small team. Anything that allows us to connect all the dots and pieces makes our lives really easy.

We're rebuilding our security stack from scratch. We do not have to get many other solutions because much information is built into Singularity Complete. We did a POC of the Ranger functionality for a little bit of time. Ranger's network and asset visibility are about the same as in Rogues.

The automation would be great if I didn't have to create a couple of extra security holes by opening up ports on our devices. So we've gone back to using just Rogues rather than Ranger because there isn't a lot of added value for that extra piece. I can take the whole list, export it, and take it to one of our other solutions and have the agent pushed from there.

It is nice that Ranger requires no new agents, hardware, or network changes for most of the part. If we're going to automate the installation process from another Ranger agent, it will require opening up some extra security holes. I don't love that part. I love that it discovers assets that don't have SentinelOne but could potentially have SentinelOne. It has been beneficial to us.

We like Ranger because it helps find the missing pieces. We must ensure that we're not going over on our licenses, but it helps us discover the devices in our network and how we can better protect the environment. It also gives us an inventory of devices. If they are vendor devices, we can go to our vendors and ask them why the devices have old software versions.

The product has done a much better job of giving us high-fidelity information. The system that we had before was old and antiquated and did not work well. We are getting better-quality alerts. The solution has helped free up our staff for other projects and tasks. All the information is in one place, and a lot of the system has been automated for us. The tool resolves threats almost instantaneously for us. It's hugely beneficial for a very small team.

The product has helped reduce our mean time to detect. It is a lot better at discovering threats and mitigating them quickly than our previous solution. However, I wouldn't say that it's perfect. The solution has helped reduce our organization’s mean time to respond. We have a managed security service provider that's doing a lot of the research for us, but it's been very helpful for us to have the information.

The tool has helped us with a couple of audits that we've had. It has also helped us with some of our cyber insurance because we're able to give much better reporting compared to our previous solution. The reporting is available on the fly rather than us trying to go through multiple systems to try and get some information from it.

The product is easy to use. It is very easy to navigate around. The vendor has added features that we've wanted. It has made our lives quite a bit easier. People who want to buy the product must evaluate their exclusions ahead of time and understand what level of exclusion they need for each system. We spent the most time reevaluating exclusions for each server system.

It was not too big of a deal for our desktops and laptops. However, for some of those bigger systems, especially with us being a healthcare organization, ensuring we weren't impacting the end-user experience was central. For example, we have EMR, which is electronic medical records. If we impact that, it affects patient care, which in turn can be not great.

It was a very big jump for our process to go from monitor-only mode to full-protect mode. We allowed things to just sit there for a very long time and understand the changes in our environment.

Overall, I rate the solution an eight out of ten.

This is our main endpoint and detection response platform. 

It's our antivirus for all of our endpoints, including workstation servers, Linux Windows, Macs, et cetera. We're also deploying it to some of our mobile endpoints as well. We also do incident threat hunting here so that if we see an incident in our environment, we can use it to hunt down that incident and try to get a better analysis of it. We're using it to scan our active directory environment. 

We just wanted a better antivirus. It fixed a lot of problems that we were facing.

We get a lot of benefits from them, including its ease of use. We don't have to really go digging or spend hours a day trying to configure something. 

They have a really good knowledge base. That eliminates a lot of the time having to do manual research. The time it cuts down is great. It removes a lot of time from doing some of these manual and tedious tasks.

Their basic endpoint and detection platform is pretty much their bread and butter. The features that it comes with get a lot of love. You can add custom solutions, rules, et cetera. 

The mobile device management platform is also really good.

They have a lot of integrations with a lot of common platforms that we use. We integrate them with three or four other platforms including data analysis platforms. We haven't really come across too many instances where we had to create custom APIs for them. 

Our impressions of the solution's ability to ingest correlated data across our security solutions are good. They do it really well. They tend to take a lot of the data that they ingest and do a really good job showing you exactly what you need to do or utilizing that data the better way than just receiving it and then manually parsing it. 

We can consolidate our security solutions. It's nice. We have a lot of our security solutions right in the platform itself. They don't offer everything that we need as a security team, yet they do offer a lot. We've been acquiring more of their products as the years go on.

We use the Ranger functionality. That was something we acquired a little over a year ago, and we had quite a lot of endpoints in there, and we actually reduced that number down to under 20 recently. So we're working our way through it, and it's made a lot of progress in our environment.

It provides network and asset visibility for us. Ranger scans our network. It does a really good job of identifying that. In correlation with some of our other network tools, it does a really good job of evaluating what's out there and also being able to provide a proper review and analysis of those endpoints.

We like that Ranger requires no new agents, hardware, or network changes. It's actually really nice. Every time we want to do something that involves the installation of an agent, we have to put in a change request, and we have to wait for the proper easy to improve it. The nice thing about it was we just alerted a couple of teams. We were going to do some scans, and that was it. We've never had any issues. Agentless is definitely the way we've been trying to go moving forward.

We have more insight into our environment. While it doesn't cut down on alerts, we gain more visibility.

The solution, on average, saves us a couple of days' worth of time in total.

It's helped reduce our company's mean time to detect. In correlation with the SOC, we've seen quick alert times. We get an alert almost immediately after an incident.

It also improved the mean time to respond. It does depend on the situation.

From the standpoint of having to suffer through an attack, the solution has saved money in saving us a potential loss. We're paying for the product. The savings are all hypothetical numbers, however, we are definitely saving money. It's helped us reduce organizational risk. We were in bad shape before. We're looking a lot better now. 

The grouping feature needs improvement. There are many times I've wanted to do blacklisting or exclusions for specific people in a group, however, I don't want to remove them from the group itself. 

I'd like to see an auto-update feature. 

I've been using the solution for about over three years. I've been dedicated to it only for a year or two.

They are pretty stable. The company is expanding at a good rate and they are releasing new features to maintain the stability effectively.

We have almost 3,000 endpoints. We have a spike of 500 to 600 endpoints in the summer to December season. We are primarily Windows and also have about 200 Linux endpoints. They are all deployed across the same organization. 

Scaling is flexible. They do a really good job.

Technical support is helpful. Sometimes Level One support may not be the greatest, however, you can push to someone higher. Issues are always resolved. 

Positive

I don't have any personal experience working with other solutions. 

We are at about 98% deployment. There are endpoints that pop up that don't have the agent to get it, however, we're past the deployment phase or past the initial configuration phase. It's all just maintaining and tweaking, and as new features come out, we adjust.

I wasn't here for the initial deployment process. I've done a lot of configurations for new features that they've implemented.

Our team does general maintenance. They do a really good job of giving you the information you need to troubleshoot. Their knowledge base is really good. 

We've definitely seen an ROI. I'm not sure where we would be without it right now. 

The pricing is fair. It's not cheap, nor is it expensive.

The solution seems to be quite innovative. They are coming out with network products. Every month we have a webinar on new features coming out.

The quality and maturity of the solution are both great. The stuff they give us is really detailed.

There are instances of the solution on the cloud, however, all the endpoints are on-premises. 

I'm pretty satisfied with the product as a security partner. I'm happy with where we are with them. 

This is a great product. If a company is unhappy with its current EDR, SentinelOne is a good choice. They are acquiring a lot of companies and solutions to add to their roster in order to provide a more centralized platform.

I'd rate the solution nine out of ten. It's going to be a good one-stop-shop and I enjoy working with them.

In most cases, the product is used as an XDR or MDR for our customers internally as well. It is used for us to provide some customers with a light SOC service so we could also manage that solution. So as an example, if they don't have dedicated resources to look or monitor it offers that ability for them to do the monitoring for you or for some customers. That is very handy. But most of the time, we use it as an MDR XDR solution for our customers.

We mostly provide customers with MSSP services. We do not resell it as a standalone.

The ease of use and has some integrations within their marketplace. Those come in handy. The GUI is really easy to use.

The storyboarding gives you a play-by-play of how an instance or alert came to be.

Some of the automation tools are really good. 

Singularity's ability to ingest and correlate across our security solutions is great. I don't see a platform that does it better. At least from an MDR standpoint. It really is a central tool to ingest that data to begin with and correlate and then it's pushed out other solutions like Splunk or other solutions.

Singularity has helped reduce alerts. The automation tools have been able to lower the number of alerts. We desensitized alerts as there are too many of them. Sentinel One has helped repair it with our team to do that. Just the ability for the automation tools to be in use has been really helpful.

Singularity has helped free up our staff for other projects. The automation tools have really helped there.

Our security team is about ten people. Two people no longer have to worry about anything. We've saved about 20% to 30% of our labor, our staff. 

Singularity helped reduce our organization's mean time to detect. We're able to detect or even dive in and look for issues. We have the freedom to look and inspect. We're proactive now.

Our mean time to respond is good. It helped us fill operational procedures.

Singularity helped save costs. We've saved in terms of operational costs or even salary in terms of time-savings. We didn't save on platform to platform, yet we saved on time. 

It's helped us reduce organizational risk. We're able to monitor our networks better.

They are probably the most mature product at the moment. For the price point, we're getting a good middle ground of price and value. 

I would hope that they would increase their prebuilt migrations. As an example, they have one Active Directory in Azure Cloud, which is really good. If they can expand that to other pretty well-known software, some platforms, that'd be great. What they have now is good for some of the key players like Azure, Google, and Splunk. I would just like to see that being expanded.

We'd like to have a network map or scan to cover network security. That would be good to have.

I've used the solution for five to six years. 

The stability is great. I'd rate the stability nine out of ten. They are never really down. It's usually up and running. 

The solution is very scalable and very easy to scale. 

Every time we have an issue, we get somebody who knows the product and can talk us through it. We can resolve issues pretty quickly. 

Positive

We had used Crowdstrike and Trend Micro a bit. 

We first switched to Sentinel One based on an audit. It was a next-generation antivirus. There are new options on the market now. We continue to use it due to the fact that are always improving their offering and I don't see a better option on the market.

I was part of the deployment. The initial setup is pretty straightforward. 

We have three people involved in the deployment of the product. 

There isn't too much maintenance. It just works. 

We did use a consultant to assist with deployments in the past. At this point, we just do it ourselves. 

The pricing is good. They are in line with the market.

We looked into Crowdstrike, Carbon Black, and Microsoft.

In terms of Ranger, I've used it. I have not used it recently. I'm actually trying to get back into and play with that again.

Sentinel One is good as a strategic security partner. The platform is great and there are a lot of features. Using their managed service really does help. We can partner with them to provide that service to our customers. 

I'd rate the solution ten out of ten. 

I'd advise others considering the solution to get with a good MSP or MSSP. Users should try the complete version and all the features to find out about the entire system. Get the higher feature set and go down from there. I'd also advise at first new users get a good MSP to work through the initial installation process. 

In general, we replaced our entire antivirus and anti-spyware with SentinelOne. We use it across all platforms, from servers to workstations, to Macs, to Windows, to Linux, Virtual Desktop Infrastructure, and embedded systems - on-premise and in the cloud. We also use their console and their threat-hunting. We needed a solution that was simple and intuitive, without having multiple agents.

We have also started evaluating their IoT, for the discovery of all IoT devices. This is 

It has improved our operational efficiencies. It saves us time because it does that first level of EDR automatically and that allows us to focus on certain things that it tells us about.

And we have better confidence because of all the threats that have been remediated. In fact, the moment we started deploying, we started picking up stuff that was in a dormant state on machines.

SentinelOne has absolutely reduced the number of threats. We get thousands of hits around the world. I'm looking in the console right now and there are 14,639 suspicious detections in the last few days. Of those, it has blocked 87. Another 30 were mitigated right away, and 24 active threats are being investigated now. Remediation of those threats could not be automated because it needs a response to do certain things right.

The strength of SentinelOne is that it has an automated, active EDR. It does that first level of what a SOC analyst would do, automatically, using artificial intelligence, so we can focus on other things. Active EDR not only notifies you, but it actually fixes that first level. That is unheard of. Very few, if any, companies do that.

The reason we went into this whole selection process and selected SentinelOne is that their strategy is "defense-in-depth." They do not only do what the traditional AV endpoint security solutions used to do, but they go further by looking at behaviors and patterns. Additionally, their big differentiators are in the dept of behavior analysis. There are other companies that claim this - albeit in a lighter flavor. 

The whole behavioral analysis helps us get to the root causes. We can understand and pictorially see the "patient zero" of any threat. It shows the first one who got whatever that threat is. When you look at their console and you see a threat, you can not only pick up the raw data to do forensics on it, but it can actually tell you a storyline: who patient zero was and how this whole threat has spread through your environment or on that machine itself; how it happened. Then, you can check on these things yourself. That's crazy good.

In addition, there is no dependency on the cloud to fully protect. Many products you see today, especially those called next-generation, depend on getting some information from the cloud. With this solution, you don't need to connect. It has the intelligence on the endpoint itself. That's useful because you're not always connected to the cloud. You could be in a lab. We've got laboratories where they aren't necessarily connected to the internet, but you want to have the latest intelligence of machine learning to see that you're doing the right thing. SentinelOne doesn't have to be connected. It's already got that behavioral stuff built-in.

They have a rollback and remediation facility as well. If you've got a virus or some malware on a machine, it's going to detect it and it can actually just clean up that part of that malware. You don't have to do anything else. And if you have ransomware, for example, it will pick it up before it causes a problem. And if it didn't, you can actually roll back and get it to the previous good version.

It integrates well with other products. We've got other cloud services that we use for security, and the intelligence is shared between SentinelOne and the CASB that we have.

And with the threat-hunting, you can validate what it's telling you: Is it a real threat or is it just something that is suspicious?

It can tell you everything that's running on an endpoint: What applications are running there and which of those applications are weak and that you have to watch out for. That's one of their free add-ons. You can do queries, you analyze, you can see who touched what and when. You can check the activities, settings, and policies.

Another advantage is that you can break up consoles. You can have them all in the cloud, or you can have some available physically. You may want to keep certain logs local and not share them because of GDPR. You can do those kinds of things. It's very adaptable and malleable.

If you have an agent on your machine, it will find out what things are neighbors to your machine. You can control machines at different levels. You can even control a device on your machine. If there is, for example, a USB device on your machine, I can control it and not let you use that USB device. I can actually get into your console and do stuff.

The other strength of SentinelOne is that you get almost all these features out-of-the-box. They add many features as a default, you don't pay extra, unlike many other companies. There are services you do pay extra for. I mentioned that SentinelOne handles that first level SOC security analyst-type work. But if you need a deeper understanding, with research, they've got a service for that and it's one that we're using. I was convinced that our current team wasn't good enough, so we had to get that service. It's actually very cost-effective, even cheaper than other ways of getting that level of understanding.

They are already reporting on application vulnerabilities in the landscape and working on providing remediation - another big win. 

Regarding the IoT feature, it's on the fence whether they're going to charge for it but that's an add-on module. However, it's not like you have to do anything to install it. You just have to click something in the solution.

The area where it could be improved is reporting. They have some online reporting, but it would be nice to be able to pick and choose. When I'm looking at the console, I would love to be able to pull certain things into a report, the things that are specific to me. They're very responsive. They regularly ask customers to provide feedback. They've been working on their reporting since the last feedback meetings. It's not only me but other customers as well who would like to see improvements in the reporting.

 File Integrity Monitoring is not a gap, but to do it you have to type several times. It's not the few-click intuitive situation.

It would be nice to have some data leakage included. Also, when it comes to data leakage, while you can get out everything that a person does on a machine, there needs to be a proper way of doing so, like other products that are just focused on data leakage.

I can't wait to see their advances in the cloud infrastructure (containers and serverless).

It would be nice (and is critical) to allow administrators to notate when they make changes to the console configurations - perhaps a tag for reporting. I might, for example, whitelist an application. If I did that today and I leave the company at some point, someone might wonder why I did this. There should be a place to easily notate everything.

I started validating and testing the product back in the fall timeframe of 2017. By the time the proof of concept was done, we were signing the product by the end of 2017 or January of 2018.

In our company, if something happens with a solution, everybody will know, and it will be out of the environment in a jiffy.

So far, the scalability is going really well. It's really lightweight. Using the console, you can break it up into regions. It's integrated with Active Directory and we have it set up as the "research lab" in Melville, New York and something else in China.

Right now, it's our product of choice for endpoint protection. I suspect our usage will grow a lot once they enable the IoT; what they call Ranger.

Technical support started off mainly by email, but support is probably the single biggest improvement since we started with SentinelOne two years ago. They always had the intelligence, like any techie person, but techies are not necessarily good communicators. They always had answers, right up to the top. Their CEO is also a very technical person. But they have improved how tech support is delivered by 100-fold.

We had McAfee, and we were using it for other things too.

I'd never heard of SentinelOne in 2017. I knew of the other big guns but I came across it just by chance by looking at studies that spoke about SentinelOne. I had their sales guys and engineers demonstrate but it didn't mean anything. I still thought it might be fluff. So we had to test it and go through that whole rigmarole.

For all intents and purposes, they delivered. You have to remember that they were fighting a battle against all the big guns in the industry, solutions that were already entrenched. When we did our test, we actually broke a couple of their competitors, not because we wanted to. We were just comparing and doing it as a proof of concept. SentinelOne kept catching everything that I thought the other guys should have caught.

Also, they were never defensive; they were straight-easy to work with. Their responsiveness was also very good. If we needed to get something — and this might be because of the size of their company — we could go right up the chain and something would happen right away. If changes were required they happened really fast.

The initial setup was straightforward. I co-authored a book on evaluating products and one of the things that you have to take into account is ease of use and how intuitive things are. Some people may not consider that important, but I consider it important.

In general, it was easy to set up. That was one of the reasons I was pleasantly surprised.

What can make it difficult is the environment you are in. For example, we have "freeze periods" during about half the year, where we cannot make any changes. So, during retail, during Christmas, Chinese New Year, Black Friday, etc., nothing can change in the environment and we cannot deploy anything.

Other things, outside of the environment, were that there are financial/fiscal periods, every quarter, where we cannot change certain things. And we have different silos: a server group, a Windows group, a Mac group, and a Linux group that didn't want to touch anything. Everyone had some bad taste left in their mouths at some point in time, not necessarily with SentinelOne, but in general. If everything is working, why change it? So there were some political things, internally. We have about 35 different companies around the world. Each has a variation of things and there is every version of every thing out there. And some have badly written code too that shows up as malware; it manifests just like malware.

For deployment and maintenance it was me. I did almost everything. There were only one or two people. Obviously, we have to follow the sun because we're global, so at times there might have been three or four people involved, but generally it was one or two who were coordinating it. They know the product and how to deploy it and what needed to be done, but I needed those guys around the globe. They had to coordinate with each of those groups I mentioned. But we owned it and we were accountable for it. We have segregated duties. Even though I'm in security, I don't have the rights to get onto our Windows Servers and make changes. I have to ask the server guys to do something and that's why things take time. That's why you need people to coordinate it.

But, once it was detecting those threats, I felt that even though we had an outsourced team, they were lacking in knowledge. If I told them, "Hey, this is malware," without the right experience, they wouldn't know what the heck to do with it. That was the challenge. That's why we went with SentinelOne's managed service. They have people who can deal with it and sort out the things that are real.

The way you do it is that you don't just McAfee take off a machine and put this one in. You run them simultaneously for some time, and then take one out. I wanted to see if something would happen, or it started messing things up, or if people would start calling saying, "Hey, there's something going on in my machine."

We didn't work with any third-party. Over the years, I've seen that a lot of these guys tend to have biases.

We have absolutely seen a return on our investment because it has created that first-level SOC. Plus, it has all these other functions. It has replaced McAfee. We don't need a file integrity monitoring product. And we can see application vulnerabilities without using another product. And they keep adding features. Once they add this IoT feature, the ROI will be much more.

Initially, I was just researching solutions using independent reports and industry reviews. I don't necessarily agree with everything in industry reviews, but I used them to narrow down the field and to figure out which solutions I needed to look at. I also looked into whether there were any legal issues the companies were fighting. In that first phase, I got it down to about four or five that I would take to the next level and actually touch them with live malware. The reason the other ones fell off is either they were too focused on one thing or there were some legal things. The industry is small. You hear things, not necessarily officially, but unofficially you hear things.

I looked at McAfee, CrowdStrike, Carbon Black, Palo Alto Traps, Cylance, Endgame, Tanium.

In my evaluation, back in 2017, I wanted to see the features of each and match them up with our requirements. What were our influences? What was important to us? I tried to map that into what features were available at the time, or look at whether a product could consolidate another product that we had so that we would no longer need that other product. I also looked at operational efficiencies, security efficiency, and whether it meets all our compliance goals.

Then I went to the lab where I had real malware. There was a whole method to that madness of testing. 

McAfee failed miserably, even with their later product. It would have been easier for us to stick with the incumbent, but it couldn't pick up on malware. There was something it never detected. With that type of next-generation, machine-learning algorithm, it's not so much the algorithm as it is the intelligence, the data that they collect over time.

At the time, Palo Alto Traps was not ready for prime time - immature console, limited support across all our platforms and focus on exploits.

I broke Cylance, surprisingly. I didn't expect that. I'm not even a researcher, per se. I have other jobs in our company. When I managed to break them I was looking at how they responded. I'm not expecting everyone to be perfect, but I found them very defensive. They would say, "Oh, it's only one in 100 or 200 or 300 pieces of malware". But it was the way they responded to things. It took a while for them to get back to me, and they were more concerned about whether I was doing the same thing with the others.

The other weakness of Cylance was that, for anything else, like remediation and response to something, you had to buy another piece. It wasn't part of the product, whereas, with SentinelOne, it was part of the product, without paying anything more.

Some of our folks were convinced that CrowdStrike was the way to go but our tests proved otherwise. CrowdStrike has some good features, but it requires going to the cloud. And secondly, whenever you get events, you almost have to use their service, so you're paying them to help resolve something. It gets expensive.

Separately, I did a compatibility test where I checked our environment: I deployed it in a sampling of some of our machines to see if it run without creating another mess.

When you do a thorough proof of concept, you already have all the details, so nobody's going to mess with you. I compared everything. At the end of the day, I gave my boss a report and said, "This is it. You decide."

Have a look at it. Compare it. It's a very good product to have.

It gives you a lot more insight. It has combined many products into one agent and it's expanding. There are a lot of things it can do now on the cloud, like containers. It gives you insight into a lot of the threats with the hunting ability. I have learned from the tool to see how our environment is. I've learned about certain behaviors of our applications, just by observing what pops up.

There is a console that is in the cloud and there are agents that are all over. You put these agents on Macs or Windows or Linux, or on whatever the cloud versions are of all these virtual devices. We are spread out across the globe. We've got nearly 50,000 endpoints in different parts of the world. We generally stay as close to the latest version of the agent as possible, but we go through change-control and it is very strict. We don't just put things on endpoints. We validate and test in our environment because we have nearly every type of operating system and variations of them in our environment. Therefore, sometimes we are something like .1 or .2 of a version behind. In terms of the console, we are at the latest version.

As a company, we use all variations of clouds, from Ali Cloud, which is China to Azure; we're predominantly Azure. We have AWS and GCP. SentinelOne manages that console and we have access to it. We own that part, our console. It's on AWS, I believe.

Overall, is there room for improvement? Absolutely. There are gaps in the reporting because we need to give reports to different levels. Ideally, we want to just drag and drop things to create reports. They have very nice reports but they're canned. We want to be able to choose what goes into a report. Otherwise, it's right up there and I would give it a nine out of 10.

We use the tool for malware protection and the XDR portion to track intrusions and possible exploitations.

I find the product very easy to maintain and troubleshoot. Their engineers are very helpful if you need additional assistance. It's one of the best products I've used. It's easy to use from my standpoint, both for troubleshooting and with the support we get from their team if necessary.

I find its interoperability with other solutions very good. When there are issues, because everything eventually has issues, the team is very good about running logs and finding out what portion is having issues. We can either exclude a portion of it or make it work. They find a solution.

We haven't had any issues with how we ingest or correlate data across security solutions. We use APIs and things like that to ingest data. For us, we haven't had any issues with the tools we use, but I can't speak for other organizations.

We now have threat hunting, visibility, and malware protection in one console. There are other portions we don't leverage because we choose to keep them separate, like our firewall, but we could if we wanted to.

The solution has helped us reduce false positives. We still get alerts, but I think they're more dynamic now. We have fewer issues with systems. It doesn't take as many resources, so we don't have outages caused by hijacking resources. We've probably reduced our issues with that by 90 percent from the previous program we were using.

The tool has helped free up our team's time. Especially when it comes to upgrades, I went from taking several months with the previous software to getting it done in a week or two for 15,000 to 17,000 assets. It's freed up months.

While I don't track mean time to detect specifically, I know it's very quick because of the way it detects intrusions. It's anomaly-based, not signature-based. It will flag something, review it, determine whether it's a false positive or actually malicious, and then quarantine it. It's pretty instantaneous. We've averted several ransomware attempts before they could infect anything.

Our mean time to respond has decreased significantly. The response is much quicker now, especially since very little gets reverted to us for handling. The Vigilance AI portion usually takes care of most of it, determining the severity of something and whether it needs human attention.

It has helped us save costs, particularly regarding fewer infections throughout the network. While I don't have exact numbers, we've had a reduction in costs associated with reimaging machines due to malware.

It would be nice to be able to adjust the canned reports manually and choose the specific data we want to report on instead of being limited to their pre-set reports.

I have been using the product for three years. 

In terms of stability, we have no downtime from SentinelOne Singularity Complete. We may have some complications with interoperability when we deploy something new that didn't get tested, but that's usually not SentinelOne's fault. It's usually because a third party changed something that had already been whitelisted.

We haven't had any issues with scalability. It scales very well from small to large. We're at 16,000 endpoints, and it's very easy to deploy and manage.

I've contacted technical support myself. Their response time depends on the severity with which you submit the case. For low priority, it takes about a day or two. For high priority, it's within an hour or two, according to their SLA. They're very prompt.

Positive

We switched from Symantec to SentinelOne Singularity Complete mainly because of cost and technology changes. Symantec wasn't changing quickly enough as technology moved toward the cloud, and things were going faster. Broadcom was still using heavy, clunky on-premises agents that used a lot of resources. SentinelOne Singularity Complete was new, next-gen, smoother, and quicker with less downtime. They manage their end in the cloud, so we don't have to maintain our console.

We saw the benefits immediately after deployment. The deployment was seamless, easy to learn, and easy to use—very intuitive. The initial deployment was pretty seamless and easy. It took us about six months to fully deploy, but that was because we did it in segments. We're a global organization with many different entities, so we had to do it segmented. It probably would have taken us a quarter if we had just set it out all at once.

The only maintenance we require is keeping our agents up to date. We do this manually because we go through a change approval process to ensure we don't introduce anything that will harm the system. We then test and deploy.

We used SentinelOne's guidance, but we did the deployment ourselves in-house.

My impression of SentinelOne Singularity Complete as a strategic security partner is that it's state-of-the-art, easy, and uncomplicated. As an engineer, I find the product easy to deploy, maintain, and efficiently. I rate the overall solution a ten out of ten. 

I advise new users to read the manual before they start using it. Understand all the different modules to utilize them as intended and get the best out of them. Also, use their support if you have questions before you deploy. Get a game plan and follow their recommendations.