SentinelOne has long focused on defending endpoint devices, but the company has turned its attention to cloud...
Last week, at RSA Conference 2018, the security vendor announced several new offerings for cloud security and vulnerability management. SentinelOne's AnyCloud is a management console that extends the vendor's Endpoint Protection Platform (EPP) to any public or private cloud. Enterprises can deploy the management console in those cloud environments and use EPP to secure them, as well.
SentinelOne, based in Mountain View, Calif., is largely known for its endpoint security technology and product warranties, but CEO Tomer Weingarten believes the company's approach can help improve security in the cloud, as well.
In an interview at RSA Conference, Weingarten discussed the vision for AnyCloud, the role endpoint protection can play in securing cloud environments and how the vendor is attempting to limit threat actors' lateral movements. Here is part one of the conversation with Weingarten.
What's the strategy behind AnyCloud?
Tomer Weingarten: AnyCloud is definitely one of the things that is foundational for us as we think about security in the next two to three years. Big enterprises are using clouds in a very hybrid way, so it confuses both their physical environments and their cloud environments. And, suddenly, you're running into all of these use cases where you need support on perimeter and then outside of perimeter.
Supporting hybrid clouds -- running clouds in different stacks -- became something that's pretty important to our customer base. Amazon is definitely the biggest cloud provider in market share, but we're seeing more and more adoption of the other platforms, too, like [Microsoft] Azure and Google Cloud. So, security shouldn't be limited to just Amazon. You want to give people the freedom to basically run security everywhere, regardless of what different clouds they're using. AnyCloud is about that freedom to take security to any cloud platform that you want.
How does AnyCloud fit into the company's overall vision?
Weingarten: If you think about the evolution of endpoint, we all used to think about endpoint as the antivirus, but that's really not the case anymore. There's a whole new stack [of endpoint protection] that's being developed right now that is much more current with what you need in order to manage modern enterprise endpoint fleets.
When it comes to very cloud-oriented environments, where almost everyone is now adding a layer of the cloud or becomes fully dependent on the cloud, what is the role of the endpoint in that? It's about visibility. How do I gain visibility from the device and all the way up to the cloud? These connections are typically encrypted, so how do you find malicious traffic there? How do you know to search indicators of those types of devices?
Obviously, those things become very imperative ingredients in how you think about defense in a modern enterprise environment. All of these capabilities that we've added, including vulnerability management, go far beyond what a typical antivirus program would give you.
You mentioned hybrid clouds. Are you seeing any true public-private mixes, or are the hybrid cloud environments of today just a mixed stack of different public services?
Weingarten: We see a little bit of companies building their own private cloud infrastructure. What we see more of is the classic data center -- really, it's a farm of servers. And that's your on-premises physical data center, and now you have another data center in the cloud.
So, how do you paint your perimeter around all of those? How do you see them as a singular data center? And that's where software-defined perimeters come into play. That's how you gain that elasticity. You can't gain that through putting a firewall in the cloud. You gain that by deploying software agents on all of your assets.
Today, the physical data center and the cloud data center are a combination we see a lot. We do see some folks running an Azure stack pretty much within their corporate environments; there are a lot of large enterprises doing that. We also see OpenStack as something that people will deploy in-house, and VMware is obviously pretty big in on-premises environments; in those cases, everything is completely virtualized, but it's within your premises.
So, you're not seeing a lot of multi-tenant environments.
Weingarten: No. Very rarely do we see something that's truly multi-tenant, as you get in a complete public cloud.
Do you run into organizations that don't like the hybrid or the multi-cloud approach and feel like it's a security risk?
Weingarten: I'd say less and less. Some of them are doing that for financial reasons. I've seen a lot of business reasons to sometimes go with a single cloud. For the folks that are still saying that going out to the cloud might present more risk, I'd suggest that they revisit their base assumptions and ask why they are thinking that. We've been trained to think a certain thing for about 10, 20 years now. Take air-gapped networks, for example; that's a concept that we've been using for probably 20 years now. But at this point in time, most people don't really know whether their air-gapped network is really air-gapped.
All these concepts might not be true in the world that we live in today. That said, the approach to cloud is very enterprise-specific. Some use cases will pretty much dictate that you still need to run with these old concepts. Some use cases will say, 'Look, you're already using Office 365, so what are you trying to avoid here? You're already in the cloud.'
To me, it's more about understanding a true use case. You just don't plug something in and generically configure it and that's it.
With hybrid cloud environments, how do you monitor the east-west traffic and microservices and API calls in between the different clouds? How do you prevent lateral movement without removing the interconnectivity and grinding IT operations to a halt?
Weingarten: First, we need to understand how attackers are moving laterally. Typically, what happens is they're actually using the same admin tools that a proper admin would use. They leverage legitimate programs and legitimate protocols to move within the environment, like PowerShell and WMI [Windows Management Instrumentation] scripts, and say, 'I want to map out all the assets, and I'm going to see which one of them I can actually remote into.'
There's nothing that looks malicious at that point to any security solution. What we try to do in those cases is observe very closely the baseline behavior. If a given user never previously used their credentials to remotely execute code on a device, then something here is very much out of the norm. If they're using encoded parameters to move information from machine to machine, that's very atypical. So, the question becomes, can you monitor the right points?
And, again, endpoint is an amazing place to tap into because you know that each one of these connections starts with an endpoint and they end with an endpoint. So, if you can tap into endpoints, you can better understand what you're seeing. Am I seeing legitimate PowerShell usage? Am I seeing something that's anomalous? Am I seeing the use of credential-scraping software?
That's very common; once an attacker grabs any foothold in the environment, they try to get admin credentials, so they will try to scrape them off of memory, scrape them off of Active Directory or run pass-the-hash and pass-the-ticket attacks. Assuming you understand the baseline, you can see these things as they're happening on endpoints. That's the power of behavioral detection, and that's what we do.
One of our biggest proficiencies right now is definitely dealing with lateral movement and seeing attackers move around in the environment. I'd say this type of lateral movement is one of the most prominent and slightly more sophisticated ways that you see attacks propagating today. But sometimes -- and, to me, this is the funniest part -- you see a chain of pretty elaborate lateral movement happening when someone just wants to run ransomware. You see all of that elaborate planning for something as common as taking down a 400-seat enterprise with ransomware.
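The three signals Weingarten describes above (a user remotely executing code on a host they have never touched before, encoded PowerShell parameters, and credential scraping from LSASS memory) can be expressed as endpoint-side detection logic. The following is an added, self-contained example written for this page; it is not SentinelOne code and does not describe how their product works. The event schema (`ProcEvent`), the parent-process hints for remote sessions, the baseline-learning rule and the sample events are all constructed assumptions for illustration; the base64 payload in the sample is the UTF-16LE encoding of `whoami`, which is what PowerShell's `-EncodedCommand` expects.

```python
import base64
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

# Assumed, simplified process-creation event as an endpoint sensor might emit it.
# Field names are constructed for this example, not any vendor's schema.
@dataclass
class ProcEvent:
    ts: int
    user: str
    host: str            # host the process ran on
    parent: str          # parent image name
    cmdline: str
    remote_from: Optional[str] = None   # source host if spawned over WinRM/WMI/SMB

# Parent images that indicate code was launched through a remote session
# (WinRM host process, WMI provider host). Assumed hint, not a guarantee.
REMOTE_PARENTS = {"wsmprovhost.exe", "wmiprvse.exe"}

# powershell -e / -ec / -enc / -EncodedCommand <base64>
ENCODED_FLAG = re.compile(r"-(?:encodedcommand|enc|ec|e)\s+([A-Za-z0-9+/=]{16,})", re.I)

# Command-line patterns for scraping credentials out of LSASS memory.
LSASS_PATTERNS = (
    re.compile(r"procdump.*lsass", re.I),          # Sysinternals procdump -ma lsass.exe
    re.compile(r"sekurlsa", re.I),                 # mimikatz sekurlsa::logonpasswords
    re.compile(r"comsvcs\.dll.*MiniDump", re.I),   # rundll32 comsvcs.dll MiniDump <pid>
)


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Return the decoded -EncodedCommand payload, or None if there is none."""
    m = ENCODED_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return "<undecodable payload>"


def is_remote(ev: ProcEvent) -> bool:
    return ev.remote_from is not None or ev.parent.lower() in REMOTE_PARENTS


class LateralMovementDetector:
    """Baseline which hosts each user has executed on remotely, then flag deviations."""

    def __init__(self) -> None:
        self.remote_baseline: dict[str, set[str]] = defaultdict(set)

    def learn(self, history: list[ProcEvent]) -> None:
        for ev in history:
            if is_remote(ev):
                self.remote_baseline[ev.user].add(ev.host)

    def analyze(self, ev: ProcEvent) -> list[str]:
        findings = []
        if is_remote(ev) and ev.host not in self.remote_baseline.get(ev.user, set()):
            findings.append(f"first-seen remote execution by {ev.user} on {ev.host}"
                            f" from {ev.remote_from or 'unknown'}")
        decoded = decode_encoded_command(ev.cmdline)
        if decoded is not None:
            findings.append(f"encoded PowerShell on {ev.host}: {decoded!r}")
        if any(p.search(ev.cmdline) for p in LSASS_PATTERNS):
            findings.append(f"LSASS credential access on {ev.host} by {ev.user}")
        return findings


def run_demo() -> list[list[str]]:
    """Constructed sample: one week of benign history, then three new events."""
    history = [
        ProcEvent(1, "svc_backup", "FILE01", "wsmprovhost.exe",
                  "powershell -File backup.ps1", remote_from="MGMT01"),
    ]
    new_events = [
        # alice has never remoted anywhere; now runs encoded PowerShell on WS07 via WMI.
        ProcEvent(100, "alice", "WS07", "wmiprvse.exe",
                  "powershell -nop -w hidden -enc dwBoAG8AYQBtAGkA", remote_from="WS03"),
        # The backup account doing exactly what it always does: no findings.
        ProcEvent(101, "svc_backup", "FILE01", "wsmprovhost.exe",
                  "powershell -File backup.ps1", remote_from="MGMT01"),
        # alice dumps LSASS on the foothold host.
        ProcEvent(102, "alice", "WS07", "cmd.exe",
                  "procdump.exe -accepteula -ma lsass.exe c:\\temp\\l.dmp"),
    ]
    det = LateralMovementDetector()
    det.learn(history)
    return [det.analyze(ev) for ev in new_events]


if __name__ == "__main__":
    for i, findings in enumerate(run_demo()):
        print(f"event {i}: {findings or 'no findings'}")
```

The baseline is keyed on (user, target host) because that is the relationship an admin's normal work establishes and an attacker's enumeration breaks; a production rule would also age the baseline and key on the remoting method, but the shape of the logic is the same.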