Almog Cohen worked in Check Point's innovation lab at the height of the security industry's infatuation with network sandboxing.
While the sandbox added another layer to the defense-in-depth approach enterprises were already using, Cohen saw a flaw: a network sandbox only inspects what passes through the network it sits on, so it couldn't stop malware arriving on laptops or the growing universe of mobile devices.
"Almog thought there were too many ways you could evade sandboxes," explained SentinelOne Director of Product Management Dal Gemmell during a phone interview. "There were inherent weaknesses in that type of protection because you're trying to monitor all this data, trying to execute in VMs. Meanwhile, you can't prevent the data from coming through."
Nor, as Gemmell noted, did it keep the data carrying the malware from coming into the enterprise in the first place. Cohen decided to return to the scene of the crime: the endpoint.
"What he said was 'look, if there's a breach or there is an infection, where does that happen?' It occurs on the endpoint. That is the scene of the crime, that's where the malware needs to execute, and then from there it's going to laterally move among the network, it's going to connect with CnC server, it's going to start capturing data, capturing key strokes, all that stuff," Gemmell said.
Endpoint Security and a Smarter Approach
Cohen, along with other cybersecurity and defense experts, realized that endpoint security needed to be smarter. So in 2013, he joined Israeli entrepreneur Tomer Weingarten in founding SentinelOne, an endpoint security company. As CTO, Cohen led a team of security experts from Intel, McAfee, IBM, Check Point and the Israel Defense Forces in engineering a new approach.
The goal was not just to put protection back on the endpoint but to make it smarter. The company wanted a low-profile agent that monitors at the kernel level, watching not for specific virus signatures but for the behavior patterns malware has in common. More important, they wanted a solution that could stop zero-day attacks before they spread beyond the endpoint on which they first executed.
"Working with governments and for large security vendors exposed the SentinelOne team to some of the biggest challenges and deficiency points in the security strategies and products being used by large organizations to try to defend their networks," Weingarten, SentinelOne cofounder and CEO, said via email.
"Since malware and attackers have to execute code on a target device in order to compromise the system, we concluded that detection has to occur on the endpoint itself," Weingarten said. "Also, relying on reputation-based sources and prior knowledge to stop attacks, such as static signatures or indicators of compromise, is ineffective against zero-day threats (since no prior knowledge exists). It was clear to us that only a dynamic, heuristic model can accomplish the task of dealing with the most advanced attacks."
The company created a lightweight agent that sits on the endpoint and monitors for attacks. It uses "dynamic execution inspection," which is a fancy way of saying it learns what normal activity on the endpoint looks like, then watches for the kinds of irregularities that signal an attack.
"Once it sees malicious behavior -- like a program or application that starts demonstrating behavior like trying to maintain persistence, trying to modify registry settings, trying to interject into processes and things like that -- the agent is able to gather all this evidence and make a determination about whether something is malicious or not and then take mitigation action," Gemmell said.
Solving the False Positive Problem
SentinelOne isn't the only company that has applied behavior monitoring to endpoint security, but Gemmell said past attempts generated a lot of false positives. SentinelOne reduced false positives by adding a learning mode that provides a baseline of "normal" behavior for a network.
"What we do differently is we're looking across all the activity that is happening on the endpoint and taking things in the full context," he said. "Even if something is changing the registry settings, that something could be malicious or it could be legitimate."
The agent continues to monitor until it has gathered enough indicators to determine whether code is malicious. At that point it kills the process, quarantines the malware and associated files, and then deletes the malware and any remnants.
Then it goes one better, according to Gemmell, using a rollback capability to restore files that were deleted or modified during the attack. That's particularly useful against ransomware, he said, since SentinelOne will roll back the encryption and restore files to the state they were in before the malware executed.
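The monitoring loop this section describes (learn a baseline, score only deviations from what a given process normally does, accumulate evidence up to a conviction threshold, then kill, quarantine and roll back) can be sketched in a few dozen lines. The following is an added, illustrative model written for this page; it is not SentinelOne's code and makes no claim about how its agent actually scores behavior. The indicator names, weights, threshold, registry paths and the sample event stream are all constructed assumptions, and the "disk" is a dictionary standing in for the file system.

```python
"""Toy behavior-based endpoint monitor in the style described above (illustrative only,
not SentinelOne's code). Indicator names, weights and the threshold are assumptions."""
from collections import defaultdict
from dataclasses import dataclass, field

# Hypothetical evidence weights. One registry write is weak on its own; a
# persistence entry plus code injection or document rewriting is strong.
WEIGHTS = {
    "registry_write": 1,       # generic registry modification
    "persistence_runkey": 3,   # autostart entry under ...\CurrentVersion\Run
    "process_inject": 4,       # writes into another process's memory
    "c2_connect": 3,           # outbound connection to a host never seen before
    "file_write": 2,           # rewrites a user document (ransomware-like in bulk)
}
THRESHOLD = 7  # evidence score at which a process is convicted and mitigated


@dataclass
class Event:
    process: str        # image name of the acting process
    kind: str           # one of the WEIGHTS keys
    target: str = ""    # registry path, target pid, host, or file path
    content: str = ""   # new file content, for file_write events


@dataclass
class Monitor:
    learning: bool = True
    disk: dict = field(default_factory=dict)  # path -> content (stands in for the file system)
    baseline: dict = field(default_factory=lambda: defaultdict(set))   # process -> {(kind, target)}
    score: dict = field(default_factory=lambda: defaultdict(int))      # process -> accumulated evidence
    evidence: dict = field(default_factory=lambda: defaultdict(list))  # process -> scored events
    shadow: dict = field(default_factory=lambda: defaultdict(dict))    # process -> {path: pre-image}
    convicted: set = field(default_factory=set)

    def observe(self, ev: Event) -> list:
        """Feed one event; returns the mitigation actions taken (empty if none)."""
        if ev.kind == "file_write":
            self._apply_write(ev)
        if self.learning:
            # Learning mode: whatever each process does now is recorded as its normal behavior.
            self.baseline[ev.process].add((ev.kind, ev.target))
            return []
        if (ev.kind, ev.target) in self.baseline[ev.process]:
            return []  # known-legitimate context for this process: no evidence added
        self.score[ev.process] += WEIGHTS[ev.kind]
        self.evidence[ev.process].append(ev)
        if self.score[ev.process] >= THRESHOLD and ev.process not in self.convicted:
            return self._mitigate(ev.process)
        return []

    def _apply_write(self, ev: Event) -> None:
        # Keep the first pre-image of every file a process touches so the write can be undone.
        if ev.target not in self.shadow[ev.process]:
            self.shadow[ev.process][ev.target] = self.disk.get(ev.target)
        self.disk[ev.target] = ev.content

    def _mitigate(self, process: str) -> list:
        self.convicted.add(process)
        actions = [f"kill {process}", f"quarantine {process}"]
        for path, before in self.shadow[process].items():
            if before is None:
                self.disk.pop(path, None)  # file the malware created (e.g. a ransom note): remove it
                actions.append(f"delete {path}")
            else:
                self.disk[path] = before  # file it encrypted or modified: restore the pre-image
                actions.append(f"restore {path}")
        return actions


RUN_KEY = "HKCU/Software/Microsoft/Windows/CurrentVersion/Run/"


def demo():
    """Constructed stream: a legitimate updater is learned, then repeats itself unflagged,
    while an unknown binary that persists and encrypts a document is convicted and rolled back."""
    m = Monitor()
    m.disk["C:/Users/a/report.docx"] = "quarterly numbers"
    m.observe(Event("updater.exe", "registry_write", "HKCU/Software/Vendor/Version"))
    m.observe(Event("updater.exe", "persistence_runkey", RUN_KEY + "Updater"))
    m.learning = False
    updater_actions = m.observe(Event("updater.exe", "persistence_runkey", RUN_KEY + "Updater"))
    stream = [  # constructed sample events for a dropped "invoice" binary
        Event("invoice.exe", "registry_write", "HKCU/Software/Classes/x"),
        Event("invoice.exe", "file_write", "C:/Users/a/report.docx", "<ciphertext>"),
        Event("invoice.exe", "file_write", "C:/Users/a/README_DECRYPT.txt", "pay to recover"),
        Event("invoice.exe", "persistence_runkey", RUN_KEY + "invoice"),
    ]
    actions = []
    for ev in stream:
        actions += m.observe(ev)
    return m, updater_actions, actions


if __name__ == "__main__":
    monitor, benign, mitigations = demo()
    print("updater actions:", benign)
    print("invoice.exe actions:", mitigations)
    print("disk after rollback:", monitor.disk)
```

Two design points carry over to a real agent. First, the baseline is keyed on the acting process as well as the action, which is what lets the updater rewrite its own Run key without scoring while the same action from an unknown binary counts as evidence; it is also the weakness of any learning mode, since whatever is already running during learning, including malware, gets baselined as normal. Second, rollback only works if the pre-image is captured before the write happens, which is why the monitor snapshots on a process's first touch of each file rather than waiting for a conviction; in a production agent those events come from kernel-level registry, process and file-system callbacks rather than a hand-built list.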
The solution is already certified by the third-party AV testing organization AV-TEST. It's available for Windows, iOS, OS X, Android and Linux.
Death of Traditional Antivirus
The startup's timing could not have been better. Traditional AV was floundering: malware was evolving and mutating faster than traditional antivirus solutions could keep up with. Just a few months ago, John McAfee, founder of McAfee Security, wrote in a Silicon Angle post: "The industry that I helped father in 1987 is dead. It has been a slow and agonizing death, and it is time for a burial. The entire antivirus industry, and all of its offshoots, have reached the end of their useful life."
Rob Fry, Netflix senior security architect, was among those who saw the writing on the wall early. After reviewing the options, Netflix chose SentinelOne. Netflix is now phasing out its antivirus license, following this summer's release of SentinelOne's Endpoint Protection Platform.
SentinelOne's core product, Endpoint Detection and Response (EDR), acts as an adjunct to traditional AV; with the new platform the company has folded the traditional AV role in as well. The platform is priced comparably to what enterprises already pay, so eliminating the traditional AV license means they can achieve better protection at a similar price point.
It's a big endorsement for a still-small startup, which only left beta this year.
Looking ahead, Weingarten said his company plans to enhance its antivirus replacement suite with additional policy and control features and expand its support to more platforms and embedded devices.
Fast Facts about SentinelOne
Founders: Tomer Weingarten, CEO, and Almog Cohen, CTO
Product: SentinelOne uses dynamic execution inspection to detect and protect devices against targeted, zero-day threats in real time. SentinelOne Endpoint Protection Platform (EPP) deploys next-generation endpoint security and replaces traditional antivirus while ensuring that industry and government regulatory requirements are met. SentinelOne Endpoint Detection and Response (EDR) can be used alongside traditional AV to provide zero-day attack protection.
HQ: Mountain View, Calif.
Customers: Netflix and Lower Colorado River Authority, among others
Funding: $40 million, with investors including Tiger Global Management and Third Point Ventures
Loraine Lawson is a freelance writer specializing in technology and business issues, including integration, healthcare IT, cloud and Big Data.