With the acquisition of Scalyr, SentinelOne® is carving out a unique position in the security space not through its acquisitions, but through how limited and targeted those acquisitions are in practice, thanks to its ability to innovate internally. We wanted to get the inside track on this innovation and how SentinelOne is applying it to the XDR space, so we talked with Yonni Shelmerdine, AVP of Product and Head of XDR for SentinelOne. With experience in an elite Israeli intelligence unit, as well as a deep private-sector career in cybersecurity, Yonni brings a unique perspective to what it takes for XDR to be successful.
When it comes to SentinelOne, Yonni feels that the organization runs its security product management like a business, instead of focusing on one specific field, which has led to significant success in owning the entire business problem of cybersecurity for customers. “I wouldn’t say that we necessarily have some secret sauce that no one else has in terms of building products,” he shared. “But I do think that we’ve done a better job of evolving what we have into exactly what the market needs, as opposed to just completely starting from scratch each time we notice a new problem.”
Yonni explained how this philosophy drives SentinelOne’s approach to XDR. “When we set out to define what XDR was going to mean for us, we focused on making sure that it was going to have a foundation of what we’re already good at. We asked ourselves what is it that is driving this thing called XDR? And our conclusion was that the market recognizes the approach that EDR took seems to work. If you recognize that prevention isn’t sufficient, you are going to need to focus on how efficiently you can answer: Who, what, why, when, where, how—and then do something about it. It seems to be the right formula and I think we also recognize there’s a reason it’s called XDR and not X-IEM or X-OAR. XDR does seem to be an evolution of EDR, obviously with more data sources and with more response actions, and there are some key parts of EDR that we recognize are going to be the crux of our approach to XDR. This includes using metrics such as mean-time-to-respond, mean-time-to-investigate and mean-time-to-detect as our beacons to answer: ‘Are we going in the right way?’”
“At SentinelOne, that’s how we approach EDR now,” he continued. “We determined that this was going to be about ingesting data, but not necessarily ingesting all of it. We’re not ingesting for the sake of ingesting. We’re ingesting for the sake of reducing mean-time-to-detect. We now facilitate much more automation than we did last year, and we’re going to be facilitating even more in the months to come. We ask ourselves, ‘Does it help reduce the number of screens you need? Does it help reduce the number of analysts you need? Does it help reduce the years of experience they need in order to solve this really complex problem?’ And then we set about deciding what we were going to build.”
Putting the pieces together
Yonni discussed their Singularity™ Ranger® product as an example of this approach, stating, “Ranger evolved into not leaving behind any IoT features, but now it can give you a complete picture of what’s happening in your network and give you the ability to actually do something by deploying each Sentinel agent. This was born out of the needs of our customers and partners to do exactly what people need it to do.”
The recent acquisition of Scalyr shows another variation of this idea. As Yonni explained, it adds not only new capabilities to SentinelOne’s portfolio, but also represents a commitment to the existing customer base that still predominantly uses EDR. “The difference is that now the most advanced customers, such as CRITICALSTART, can run even more complex and rapid queries,” Yonni stated.
He went on to describe how this is all part of SentinelOne’s “laser focus” on XDR, with Ranger and Scalyr components adding to a much larger and comprehensive strategy as part of its XDR efforts. “Our approach to XDR is to look at it as a combination of things that we as SentinelOne can do, as well as the things that one of our customers’ stacks can do,” Yonni explained. “We have no intention to stop with tools built by SentinelOne and we’re introducing options for a customer to respond to an event with their identity tool, their Cloud Access Security Broker and various other tools. We are very much open to using the entire tier for the customer’s arsenal to respond in the most efficient way or use the entirety of our arsenal to respond in the most efficient way—whichever is the right fit for the situation.”
When asked whether XDR is going to replace SIEM, Yonni responded: “Will it completely kill off SIEM? I think there’s probably quite a bit of runway before that happens.” But with SentinelOne’s customer-and-market-centric approach, XDR seems to be poised to take the baton on cybersecurity and pass it to the next level of threat remediation.