ARMANA SentinelOne TechBrief 0116
SentinelOne Technical Brief

SentinelOne unifies prevention, detection and response in a fundamentally new approach to endpoint protection, driven by machine learning and intelligent automation.

By rethinking the entire approach to detecting malware, exploits and other cyber attacks, SentinelOne has developed a product that can effectively protect against sophisticated modern threats in real time. SentinelOne’s patent pending dynamic behavior tracking (DBT) engine keeps organizations and individuals safe, even from the most advanced cyber attacks. It runs continuously on the endpoint, without using emulation or sandboxing techniques.

SENTINELONE REAL-TIME UNIFIED ENDPOINT PROTECTION

SentinelOne’s advanced threat protection agent is a lightweight, small footprint module that is installed on devices both at the kernel level and in user space. This agent can be deployed using a standard MSI/PKG package.

Monitoring

The agent “taps” every process and thread on the system, and extracts all relevant operations data, including system calls, network, IO, registry (on Windows) and more, so it can monitor the behavior of every process that executes on the system.

Traditional antivirus and other preventive solutions that leverage inline processes use static signatures or other reputation methods to evaluate executing binaries and determine whether they are malicious. By contrast, the SentinelOne approach doesn’t require being inline – the agent automatically “taps” and obtains operation data, and allows the process to continue while monitoring everything the process does during and after execution.

Pre-processing

The monitoring module asynchronously sends the operation data to the preprocessing module, which analyzes the operation data and builds a full context around every process. This stage translates the raw monitored operations data log into a much more structured, abstract operation language.

Analysis

The analyzing module is constantly working in the background and runs sophisticated pattern matching algorithms to detect malicious behaviors in full-context process operations, looking system-wide at the operations as well as at historical information.

The “patterns” – malware behaviors and techniques – are researched in SentinelOne’s labs by reverse engineering thousands of malware samples daily, clustering them, and deducing behaviors to research and score.

The analyzing module scores every malicious and suspicious pattern detected during process execution, and once the aggregate score exceeds a threshold, the process is considered malicious.

Suspicious patterns of execution are typically different techniques or interactions with the operating system that malware employs throughout its execution lifecycle. This lifecycle can include (although cases will vary) the following stages: exploitation, obfuscation, persistence, collection, and exfiltration.
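The monitoring, pre-processing and analysis stages described above, reduced to a small worked example in Python. This is an added illustration and not SentinelOne’s code: the raw operation records, the pattern catalogue with its category labels and point values, the classify() rules and the threshold of 80 are all assumptions chosen to show how a per-process aggregate score flips a verdict once the threshold is reached.

```python
"""Toy behavioral scoring over a constructed operations log.

Added example, not SentinelOne code. The pattern catalogue, the point
values, the threshold and the sample operations are all assumptions.
"""
from dataclasses import dataclass, field
from typing import Optional

# Hypothetical pattern catalogue: pattern -> (category, points). The
# category names follow the Attack Overview categories in the brief.
PATTERN_SCORES = {
    "registry_run_key": ("PERSISTENCE", 30),
    "code_injection":   ("PROCESS OPERATIONS", 40),
    "keystroke_hook":   ("SPYING", 35),
    "self_delete":      ("ANTI-DETECTION", 25),
    "network_connect":  ("NETWORK ACTIVITY", 15),
    "temp_file_write":  ("GENERAL", 5),
}
THRESHOLD = 80  # assumed verdict threshold on the per-process aggregate


def classify(op):
    """Pre-processing: map one raw operation record onto an abstract
    behavior pattern, or None when it matches nothing of interest."""
    kind, arg = op["op"], op["arg"]
    if kind == "registry_set" and "\\CurrentVersion\\Run\\" in arg:
        return "registry_run_key"
    if kind == "write_process_memory":
        return "code_injection"
    if kind == "set_windows_hook" and arg == "WH_KEYBOARD_LL":
        return "keystroke_hook"
    if kind == "file_delete" and arg == op["image"]:
        return "self_delete"   # the process removes its own on-disk image
    if kind == "connect":
        return "network_connect"
    if kind == "file_write" and "\\Temp\\" in arg:
        return "temp_file_write"
    return None


@dataclass
class ProcessContext:
    """Context kept per process: aggregate score plus the evidence behind it."""
    pid: int
    image: str
    score: int = 0
    patterns: list = field(default_factory=list)
    categories: set = field(default_factory=set)
    crossed_at: Optional[int] = None   # index of the op that tipped the verdict

    @property
    def malicious(self):
        return self.score >= THRESHOLD


def score_processes(ops):
    """Analysis: aggregate pattern points per process in arrival order and
    remember the first operation at which the threshold was reached."""
    contexts = {}
    for idx, op in enumerate(ops):
        ctx = contexts.setdefault(op["pid"], ProcessContext(op["pid"], op["image"]))
        pattern = classify(op)
        if pattern is None:
            continue
        category, points = PATTERN_SCORES[pattern]
        ctx.score += points
        ctx.patterns.append(pattern)
        ctx.categories.add(category)
        if ctx.crossed_at is None and ctx.malicious:
            ctx.crossed_at = idx
    return contexts


# Constructed sample log (paths, PIDs and addresses are made up).
SUSPECT = "C:\\Users\\a\\Downloads\\sample.exe"
BROWSER = "C:\\Program Files\\browser\\browser.exe"
SAMPLE_OPS = [
    {"pid": 1001, "image": SUSPECT, "op": "file_write",
     "arg": "C:\\Users\\a\\AppData\\Local\\Temp\\x.tmp"},
    {"pid": 1001, "image": SUSPECT, "op": "registry_set",
     "arg": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\x"},
    {"pid": 1001, "image": SUSPECT, "op": "write_process_memory", "arg": "pid:2002"},
    {"pid": 1001, "image": SUSPECT, "op": "set_windows_hook", "arg": "WH_KEYBOARD_LL"},
    {"pid": 1001, "image": SUSPECT, "op": "connect", "arg": "198.51.100.7:443"},
    {"pid": 1001, "image": SUSPECT, "op": "file_delete", "arg": SUSPECT},
    {"pid": 3003, "image": BROWSER, "op": "file_write", "arg": "C:\\Users\\a\\notes.txt"},
    {"pid": 3003, "image": BROWSER, "op": "connect", "arg": "203.0.113.5:443"},
]

if __name__ == "__main__":
    for ctx in score_processes(SAMPLE_OPS).values():
        verdict = "MALICIOUS" if ctx.malicious else "benign"
        print(f"pid {ctx.pid} {verdict:9} score={ctx.score:3} "
              f"categories={sorted(ctx.categories)} crossed_at={ctx.crossed_at}")
```

Two things the toy makes visible that the prose only states: the verdict is reached on the fourth operation of pid 1001 (the keystroke hook pushes the aggregate from 75 to 110), so crossed_at tells a responder exactly which behavior tipped the decision, while the browser process accumulates only low-weight NETWORK ACTIVITY points and stays well below the threshold even though it also writes files and opens connections.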

TECHNICAL BRIEF
©2016 SentinelOne. All Rights Reserved.
Mitigation

When a process is considered malicious, the mitigation module takes action. There are different settings that can either be configured as a policy or performed manually, including: kill the process, quarantine malicious binaries, or delete them and all associated remnants. The module also includes the ability to restore deleted or modified files to their state prior to malware execution, effectively rolling back almost everything the process has changed on the system.

Immunization

Each time a new, unknown malicious binary is found through our behavioral pattern detection, we instantly sign it and notify other SentinelOne agents on the network, making the whole network immune to this unknown attack by preventing it from running on other machines and spreading further on the network.

Prevention

To block existing, known threats, SentinelOne provides a layer of preemptive protection by leveraging leading cloud reputation services.

With the Cloud intelligence setting, SentinelOne sends hashes of executed binaries that exhibit suspicious behavior and uses multiple leading scan engines to check their reputation. Binaries identified as malicious are proactively blocked, while benign ones are added to the whitelist to minimize false positives.

Endpoint Forensics

All the relevant data collected on the endpoint is offloaded to a centralized, unified management console to allow admins to view and analyze binaries and threats, and conduct forensic investigation across their entire network of endpoints. The management console also provides retrospective search capabilities and endpoint remote control features. See the Real-time Endpoint Forensics section for complete details.

Real-time Endpoint Forensics

Constant monitoring of all processes at the endpoint enables SentinelOne to provide real-time forensics and a 360° view of attacks through a single management console, accessible from any device, anywhere. Security or Incident Response analysts can quickly access forensic data and investigate to determine the root cause and accelerate incident response activities.

All the data monitored and collected by the agent is sent back to the management console over an encrypted SSL link, and stored on the management server in encrypted file systems (for details on the types of data collected, refer to the Appendix). SentinelOne uses this data to compile real-time forensic information to identify where attacks originated and trace the malicious actions. In addition, this data can be easily offloaded to popular SIEM systems, including Splunk and LogRhythm, for further investigation, or sent to network security devices for proactively blocking threats at the gateway.

Performance

SentinelOne’s approach enables the agent to be very lightweight. The minimal overhead incurred with monitored operations is 4 microseconds, which, for an average machine usage of over 24 hours, amounts to a total delay of only one second.

SentinelOne’s process runs in low priority on the system, and takes between 0%-4% CPU usage. The memory footprint is about 20MB and the agent takes about 200MB on disk, based on an average machine usage simulated to run for over a year.

360° view of attacks

SentinelOne provides a 360° view of attacks including:

SUMMARY INFORMATION: provides indicators the solution used to determine if a process was malicious, including capturing attack statistics and dwell time. This analysis content includes file information, path, machine name, IP, domain, and also where else across the network it has been seen. In addition, any cloud reputation validation, certificate information (file signed or not), and advanced attack details such as listing known packers that were used.

ATTACK OVERVIEW: detailed information about the indicators the solution used to determine if a process was malicious, including capturing attack statistics and dwell time. See the table below for a complete explanation of the different event categories.

ATTACK STORY LINE: a graphical way of identifying how malware propagated during execution, including what other processes it created, terminated or tainted, what kind of low level (kernel) calls and API calls (user space and WMI) were called, what files it dropped, altered, deleted and created, which registry keys it changed, created or deleted (and their values), and finally, which network connections (inbound and outbound) were made and to where during malware execution.

RAW DATA: a comprehensive line-by-line detailed technical view of changes made to the system, files, processes, and registry settings.

The forensic reports are accessed through the management console and provide rich, visual details in real time that
simplify collection and analysis of security incident data to accelerate investigative efforts. This information enables
analysts to easily determine if other machines on the network were also compromised.

Attack Overview
The Attack Overview provides a quick breakdown of the different malicious behaviors that were detected and
their associated risk levels. In addition, it reports key activities performed by the malicious file, dwell time, and the
number of network calls made. This report provides an overview of the activity that was monitored and used to
identify the file as malicious.

CATEGORIES AGENT MONITORS MALWARE ATTEMPTS TO:

HIDING/STEALTHINESS Hide operation from traditional antivirus solutions, as well as from the user. Common methods
include: modifying registry keys or file attributes, using obscure file names and code obfuscation.
Other techniques the agent monitors are: sophisticated code injections, in memory encryption/
decryption, and the use of commercial or custom/modified packers.

PROCESS OPERATIONS Manipulate process operations by performing remote code injections to other processes, hiding
processes and services, as well as elevating or manipulating processes.

SPYING Track user behavior (e.g., log keystrokes, take screenshots) through API, sys, or IO calls.

ANTI-DETECTION Evade detection from standard anti-virus solutions through obfuscation techniques such as deleting
its own files or leveraging packers.

GENERAL Perform behaviors that may not be strictly malicious in isolation, but provide additional context to
help determine whether the process is part of an attack flow or not.

EXPLOITATION Take advantage of vulnerabilities through memory manipulations, privileged function calls, or buffer
overflows.

SYSTEM MANIPULATION Manipulate operating system files that typically do not change often (e.g., registry settings, task
scheduler, etc.). This enables malware to take advantage of the system to avoid detection, persist,
collect data, and evade mitigation.

NETWORK ACTIVITY Connect to command and control servers. The purpose is to allow malware to download additional
components or exfiltrate data.

PRIVILEGE ESCALATION Elevate user privilege levels to gain access to system resources. This would allow malware to perform
unauthorized actions including modifying files and settings or access to system resources.

PERSISTENCE Persist on the system using a number of approaches such as loading itself after a system reset
through operating system manipulation (e.g., task scheduler, registry settings, launch agents, etc.),
injecting into existing system libraries, and modifying the master boot record.

Attack Story Line

The Attack Story Line report provides a detailed view of the threat execution flow including the sequence of events, malicious behaviors, and affected system components. The unique visual format of the report graphically correlates chain-related events on attacked systems, which helps analysts minimize the effort needed to investigate security incidents and plan further actions.

Specific details provided by this view include the names of the malicious processes (e.g., identifying the initial process), the actions taken (e.g., creating, modifying, or deleting other system files, including registry settings or processes), and the sequence of the execution flow. In addition, users can select a specific process on the attack storyline and view the network, file, process and data actions that were specifically taken.
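The chain correlation the Attack Story Line describes, as an added Python example that is not part of the brief or of SentinelOne’s product. The event types, PIDs, paths and addresses in SAMPLE_EVENTS are constructed for illustration. build_storyline() starts from the process the analysis flagged and follows creation and injection relationships forward, so the chain of tainted processes, the edges between them and each process’s own actions can be listed in execution order while unrelated activity on the host is left out.

```python
"""Attack story line reconstruction from a constructed event stream.

Added example, not SentinelOne code. The event types, the sample events
and the PIDs are assumptions chosen to illustrate chain correlation.
"""
from collections import defaultdict
from dataclasses import dataclass, field

DROPPER = "C:\\Users\\a\\Downloads\\invoice.pdf.exe"   # constructed path

# Constructed, time-ordered events. "pid" is the acting process; process
# creation records the new process and its parent ("ppid"); "inject" and
# "process_terminate" name a target process.
SAMPLE_EVENTS = [
    {"seq": 1, "type": "process_create", "pid": 500, "ppid": 100, "arg": DROPPER},
    {"seq": 2, "type": "file_create", "pid": 500, "arg": "C:\\Users\\a\\AppData\\Local\\Temp\\u.dll"},
    {"seq": 3, "type": "process_create", "pid": 501, "ppid": 500, "arg": "C:\\Windows\\System32\\cmd.exe"},
    {"seq": 4, "type": "registry_set", "pid": 501, "arg": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\u"},
    {"seq": 5, "type": "inject", "pid": 500, "target": 700, "arg": "C:\\Program Files\\browser\\browser.exe"},
    {"seq": 6, "type": "connect", "pid": 700, "arg": "198.51.100.7:443"},
    {"seq": 7, "type": "file_delete", "pid": 500, "arg": DROPPER},
    {"seq": 8, "type": "process_terminate", "pid": 500, "target": 501, "arg": "cmd.exe"},
    {"seq": 9, "type": "file_write", "pid": 800, "arg": "C:\\Users\\a\\notes.txt"},  # unrelated process
]


@dataclass
class Storyline:
    initial_pid: int
    tainted: list = field(default_factory=list)   # pids in the order they joined the chain
    edges: list = field(default_factory=list)     # (source pid, target pid, relation)
    actions: dict = field(default_factory=lambda: defaultdict(list))  # pid -> [(seq, type, arg)]


def build_storyline(events, initial_pid):
    """Follow the chain forward from the flagged process: a process joins the
    story when a tainted process creates it or injects into it. Only actions
    of tainted processes are kept, so unrelated activity is filtered out."""
    story = Storyline(initial_pid, tainted=[initial_pid])
    tainted = {initial_pid}

    def taint(pid, source, relation):
        story.edges.append((source, pid, relation))
        if pid not in tainted:
            tainted.add(pid)
            story.tainted.append(pid)

    for ev in sorted(events, key=lambda e: e["seq"]):
        actor, kind = ev["pid"], ev["type"]
        if kind == "process_create":
            actor = ev["ppid"]             # the creator is the acting process
            if actor in tainted:
                taint(ev["pid"], actor, "created")
        elif kind == "inject" and actor in tainted:
            taint(ev["target"], actor, "injected")
        elif kind == "process_terminate" and actor in tainted:
            story.edges.append((actor, ev["target"], "terminated"))
        if actor in tainted:
            story.actions[actor].append((ev["seq"], kind, ev["arg"]))
    return story


def render(story):
    """Text rendering of the chain: one line per edge, then per-process actions."""
    lines = [f"initial process: {story.initial_pid}"]
    lines += [f"{src} --{rel}--> {dst}" for src, dst, rel in story.edges]
    for pid in story.tainted:
        for seq, kind, arg in story.actions[pid]:
            lines.append(f"  [{seq}] pid {pid}: {kind} {arg}")
    return lines


if __name__ == "__main__":
    print("\n".join(render(build_storyline(SAMPLE_EVENTS, 500))))
```

Starting from pid 500, the chain picks up cmd.exe (created) and the browser process (injected), attributes the outbound connection to the injected browser rather than to the dropper, and records the dropper terminating its own child; pid 800 never enters the story because no tainted process touched it. Starting instead from a process that was itself created or injected by another in the stream (say 700) would give only the tail of the chain, which is why the flagged initial process is the right seed.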

Raw Data Report

For a deeper dive into all the events associated with security incidents, the Raw Data report provides comprehensive attack-related technical details including activity for files, network, processes, and registry (Windows only). The Raw Data report is also available for download for easier analysis. This Raw Data report provides detailed data based on the behavior executed by the malware. Although there are other indicators that the solution provides details about, the information represented here is based on the behavior of the Zeus malware.

FILE: The File section provides further details about files involved in an attack, including the timestamp, file names, file actions executed, and the file location.

PROCESS: The Process section contains details for processes involved in an attack, including the timestamp, process name/ID, process actions executed, the names of impacted processes, and the relationship of those processes.

NETWORK: The Network section includes details about the connections a process attempted to make, including the protocol used, the source and destination addresses, and when the attempts took place.

REGISTRY: The Registry section provides specific information about the registry key associated with the attack as well as the action performed, when the action took place, and the registry key location.

SYSTEM REQUIREMENTS

CLIENTS

OPERATING SYSTEMS
• Windows 7, 8, 8.1
• Windows Server 2008 R2, 2012 R2
• .NET 4.5
• OS X 10.9.x, 10.10.x
• Virtual environments: vSphere, Microsoft Hyper-V, Citrix Xen Server, Xen Desktop, Xen App

HARDWARE
• 1 GHz Dual-core CPU or better
• 1 GB RAM or higher if required by OS (recommended 2 GB)
• 1 GB free disk space

MANAGEMENT SERVER (ON PREMISE)

OPERATING SYSTEM
• Linux Ubuntu 14.04 LTS Server

HARDWARE
• Dual core CPU, 2GHz and above
• 8 GB RAM
• 32 GB free disk space

APPENDIX - DATA COLLECTION

The following sections list the types of data collected by the SentinelOne agent.

HARDWARE DATA
• CPU data (ID, architecture, # of cores, clock speed)
• RAM size
• Disk size
• Hardware device info
• Device type (Desktop/Server/Mobile)

USER DATA
• User name
• Machine name
• Workgroup/domain

VERSION DATA
• Installed OS version
• Installed SentinelOne EDR agent version

PROCESS ACTIVITY
• Time of machine activity
• Running processes (name, ID, CPU usage, memory)
• Low level system calls
• User space API calls
• For each process the SentinelOne EDR agent collects:
  -- File access, metadata only (full path, file type, type of access, time of access etc.)
  -- Network access, metadata only (IP, protocol used, time of access etc.)
  -- Memory access, metadata only (memory addresses, permissions, sources, targets)
  -- Registry access [Windows only] (keys created, altered, deleted, values)
  -- Registry modified content [Windows only] (values of new or modified keys)

NETWORK
• Internal network IP address, domain name, DNS server
• Public IP address (if running cloud-based management)
• URLs accessed
• Inbound/Outbound connections, metadata only (source, target, and application)
