Next-generation endpoint protection vendor SentinelOne’s new endpoint protection platform, called EPP, has won an Approved Corporate Endpoint Protection seal of approval from AV-Test.
The seal of approval means the product meets AV-Test standards, and those standards carry weight in determining whether corporate defenses comply with regulations.
“AV-Test is a good indicator of how an antimalware system will block threats,” says Peter Firstbrook, Analyst, Gartner. “SentinelOne did very well considering they don’t use any signatures, just behaviour blocking. So yes, I would say that it qualifies as a replacement for existing AV, which is significant because very few other new antimalware solutions have taken this step (being tested) or would even claim to replace current AV solutions,” Firstbrook said in an email.
He noted that while EPP could replace traditional anti-virus software, it is also compatible with it, so businesses wouldn’t have to rip out their current software.
SentinelOne faces a long list of competitors including Palo Alto Networks, Bit9+Carbon Black, FireEye, LightCyber and Tanium.
Tomer Weingarten, CEO, SentinelOne, said, “EPP does not rely on signature libraries to find known malware. Instead it uses the behaviour of the endpoints – what the company calls dynamic execution patterns – to determine whether an endpoint is being compromised. About 160 of those patterns catch the same amount of malware as millions of signatures.”
In addition to catching malware, EPP can remediate infections by quarantining files, killing processes and returning endpoints to known good states, he says.
EPP performs passive scanning of endpoints, indexes files of interest and sends metadata about them to the cloud, where they are given threat reputation scores. If a file’s score breaks the policy threshold, the file can be deleted.
“Think of this data like the black box on a plane,” says Firstbrook. “If an incident does occur you have a full recording of its effect on the system and (hopefully) the company.” Gartner calls this type of capability Endpoint Threat Detection and Remediation (EDR).
He says that history feature makes EPP more complex than a typical anti-virus product, but it has a fairly simple dashboard for managing it. He notes that SentinelOne is a relatively new company, “so will likely have growing pains in support and services (like any startup), and although they did well in one AV-Test it doesn’t mean they will continue to do well.”