SentinelOne Enables IOC Search and Threat Hunting for Endpoints

SentinelOne Launches Deep Visibility Module to Discover Indicators of Compromise (IOCs) on Endpoints

Malware increasingly uses encryption to hide its activities. If defenders cannot see what is inside encrypted traffic, they have no way of knowing whether it is malicious or benign. Since more than half of all traffic is now encrypted, and that share is growing, it is increasingly important for defenders to gain visibility into that traffic.

Next-gen AI-powered endpoint protection and response firm SentinelOne yesterday launched a new module to provide that visibility. Called Deep Visibility, it uses the kernel hooks already present in the SentinelOne Endpoint Protection Platform to see the cleartext traffic at the point of encryption, and again at the point of decryption. Detecting the presence of malware through recognition of malicious encrypted traffic then allows the security team to pivot to the response part of the SentinelOne platform and take remedial action.

Rajiv Raghunarayan, SentinelOne's VP of product marketing, told SecurityWeek that this approach was taken to avoid adding overhead to the endpoints. "Our kernel hooks give us the ability to extract the traffic at the point of encryption or at the point of decryption. This does not require any additional agent on the endpoint -- the hooks already exist as part of our base engine; we do not need any additional processing."

The SentinelOne view is that security -- combining endpoint protection and response -- is all about visibility to first see the threats and then be able to respond to them. "We started out with a base engine that looks at threats from a prevention and detection and response perspective: prevent when we can; detect where we can't (for example, any fileless threats that get through prevention such as the recent WannaCry and NotPetya worms)," said Raghunarayan. 

But how do you detect/protect against threats that are sometimes only detectable at the point of execution?

"Here we observe malicious characteristics on execution. All of this is based on AI technology that examines behavior -- file characteristics, process execution characteristics, registry, pages, memory etcetera," Raghunarayan said. "Finally, we pivot from detection to response -- I've detected a threat but now I need to respond to it. I can't allow ransomware to start encrypting my files just because there's no-one available to respond to the alert. So, we can contain the system automatically: we could quarantine the system or the file; we could kill the process; we could remediate (undo the changes caused by the malware), or we could roll back the system to a known previous good state."

But encryption remains a blind spot and a weakness for most defenses. This is the issue tackled by the firm's new Deep Visibility module.

The traditional route for seeing into encrypted traffic is to decrypt it at a firewall and examine it there in a sort of benign man-in-the-middle attack. "We don't need some form of man-in-the-middle decryption to see what is happening," said Raghunarayan. "If decryption is done at the firewall, the performance of both the firewall and the endpoint is impacted -- and one thing you must never do at the endpoint is drop its performance." 

By using SentinelOne's existing endpoint protection and response engine, the firm has increased security analysts' view into potential threats without requiring an additional agent on the endpoint. "We did need to do extra work to be able to see into Chrome's own proprietary encryption/decryption engines; but the result allows us complete visibility into the endpoint."
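As an added illustration (not SentinelOne's code, and not a description of how Deep Visibility is implemented), the Python sketch below contrasts an IOC search run by a hook at the point of encryption, and again after decryption, with the same search run over the ciphertext a network tap would see. The toy cipher, session key, IOC values and HTTP request are all constructed for the example.

```python
import hashlib

# Constructed IOC list: hypothetical values, not taken from any real feed.
IOCS = {"domain": {"c2.example.invalid"}, "uri_substring": {"/gate.php"}}
# Constructed session key; a real TLS session would negotiate one.
SESSION_KEY = b"constructed-session-key-for-example"

def keystream(key: bytes, length: int) -> bytes:
    """Toy stream-cipher keystream (SHA-256 in counter mode). Illustration only."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]

def xor_crypt(key: bytes, data: bytes) -> bytes:
    """Symmetric: the same call encrypts plaintext and decrypts ciphertext."""
    return bytes(a ^ b for a, b in zip(data, keystream(key, len(data))))

def match_iocs(data: bytes) -> list:
    """IOC search over whatever bytes a sensor can actually see."""
    hits = []
    text = data.decode("utf-8", errors="replace")
    for line in text.splitlines():
        if line.lower().startswith("host:"):
            host = line.split(":", 1)[1].strip()
            if host in IOCS["domain"]:
                hits.append("domain:" + host)
    for fragment in IOCS["uri_substring"]:
        if fragment in text:
            hits.append("uri:" + fragment)
    return hits

def send_with_sensors(plaintext: bytes) -> tuple:
    """Returns (hits seen by the point-of-encryption hook, hits seen on the wire)."""
    hook_hits = match_iocs(plaintext)             # hook runs before the cipher
    ciphertext = xor_crypt(SESSION_KEY, plaintext)
    wire_hits = match_iocs(ciphertext)            # network tap sees only ciphertext
    return hook_hits, wire_hits

def receive_with_sensors(ciphertext: bytes) -> tuple:
    """Inbound side: the tap sees ciphertext, the hook sees the decrypted bytes."""
    wire_hits = match_iocs(ciphertext)
    plaintext = xor_crypt(SESSION_KEY, ciphertext)
    hook_hits = match_iocs(plaintext)             # hook runs after decryption
    return hook_hits, wire_hits

# Constructed request resembling a check-in to a command-and-control host.
REQUEST = b"POST /gate.php HTTP/1.1\r\nHost: c2.example.invalid\r\n\r\n"
```

Calling `send_with_sensors(REQUEST)` returns both IOC hits from the hook and none from the wire tap, which is the blind spot the article describes.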

"We are bringing visibility into every edge of the network -- from the endpoint to the cloud," said Tomer Weingarten, CEO of SentinelOne. "Deep Visibility enables search capabilities and visibility into all traffic, since we see it at the source and monitor it from the core. We know that more than half of all traffic is encrypted -- including malicious traffic -- which makes a direct line of sight into all traffic an imperative ingredient in enterprise defense."

The user can pivot from this deeper visibility into the response part of the SentinelOne engine. "If endpoints are seen displaying worrying characteristics, the security analyst can either immediately stop those endpoints from connecting to the network to spread an infection; or just roll back the endpoints if they display ransomware characteristics. The whole purpose is to provide the analysts with extra insight -- it helps with both IOC searching and also threat hunting," added Raghunarayan.

The Dridex banking trojan is a good example of the need for this extra visibility, since it makes extensive use of encryption -- including encrypting the data it exfiltrates. While existing security may be able to detect the presence of Dridex, simply blocking or removing it may be too late. Without visibility into the data that has been exfiltrated, the analysts may miss continuing threats. For example, if Dridex has already stolen and exfiltrated credentials, the analysts need to know which credentials have been lost.

"Deep Visibility is a breakthrough that will re-define how we think about perimeters," said Weingarten. "Gaining visibility into the data pathways marks the first milestone for a real, software-defined edge network that can span through physical perimeters, to hybrid datacenters and cloud services."

SentinelOne raised $70 million in a Series C funding round in January 2017.

Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.