SentinelOne CEO Tomer Weingarten on Cloud, XDR and Analytics

Identity protection, XDR, data analytics and cloud security have been SentinelOne’s biggest areas of investment during 2022, according to co-founder and CEO Tomer Weingarten.

See Also: Now OnDemand | C-Suite Round-up: Connecting the Dots Between OT and Identity

Weingarten says cloud has become the fastest-growing part of the Silicon Valley-based company’s business, appealing even to customers who might have chosen a different vendor for endpoint security. The company focuses on cloud workload protection and bests its rivals when it comes to performance and deployment since it doesn’t tap into the kernel or require an intrusive integration, Weingarten says.

“Given the technological superiority we have on our platform today, some of the biggest cloud consumers out there have been adopting our workload protection platform,” Weingarten tells Information Security Media Group.

During an ISMG interview at Black Hat USA 2022, Weingarten discussed his company’s biggest bets from cloud workload protection and unstructured data ingestion to accelerating automation and becoming a full SIEM replacement (see: SentinelOne’s $100M Venture Capital Fund Seeks Data Startups).

Protecting Cloud Workloads

SentinelOne has focused on protecting workloads and delivering EDR for the cloud, which Weingarten says is very different from others in the space who’ve concentrated primarily on posture management. The company’s approach to the cloud limits trade-offs between performance and security and, unlike competitors, embraces an architecture that’s compatible with the needs of cloud-native companies.

Cloud-native companies from social media networks to ride-hailing providers tend to be very mindful of what’s being deployed into production environments, especially if the service they offer is entirely based on the cloud. For this reason, Weingarten says, the company has enjoyed great success with both cloud-native organizations as well as big financial services companies, given the big disparity in offering quality.

“The rest of the competitors have just chosen an architecture that is not well received by a lot of the cloud-native companies that are looking to secure their cloud environments,” Weingarten says. “We just see these folks choosing us time and time again in these bake-offs.”

SentinelOne wasn’t among the top nine vendors for cloud workload security market share last year, market intelligence firm IDC found. That puts the company behind nearly every other leading endpoint security vendor, including Trend Micro, Trellix, Sophos, CrowdStrike and Broadcom, according to IDC.

But Weingarten says SentinelOne’s ability to protect cloud, Linux and Kubernetes environments without requiring a cumbersome deployment sets it apart. He says the company is expanding into critical areas such as cloud security posture management and cloud infrastructure entitlement management. Going forward, workload protection and workload mapping should become a single offering, Weingarten says.

“We’ve identified the critical capabilities that our customers need, and they’re very adjacent to workload protection,” Weingarten says. “Those are the ones that we’re working to complete.”

Ingesting Unstructured Data

SentinelOne not only provides native protection around endpoints, cloud workloads and identity but also can ingest data from any other product in the customer’s enterprise, Weingarten says. Clients can bring in any type of log source and cross-correlate disparate data points from siloed products made by different vendors into a single cohesive data lake to drive more automation and orchestration, he says.

When customers run a search or query in SentinelOne’s EDR platform, it can return results from any other security product in the customer’s IT ecosystem without having to deploy multiple consoles or duplicate or transport data, Weingarten says. He adds that SentinelOne stacks up favorably against any other data analytics vendor when it comes to both cost and performance.

Weingarten says clients also save money since all data that’s collected natively by SentinelOne’s agents is stored for free regardless of whether it resides on the endpoint or in the cloud or is tied to user identity. From there, Weingarten hopes to introduce a high degree of automation around the data that’s collected to improve security operations, not just on the endpoint or cloud but also around the network and email.

“It’s going to be tough for other vendors to follow anytime soon,” Weingarten says. “Our competitors have gone down the path of multiple platforms and multiple offerings, beaming data from their EDR into their XDR. For us, it’s one singular offering, and it’s super simple to use.”

Once the data is ingested, Weingarten says, SentinelOne has mechanisms in its Singularity platform that let customers build rules around the collected data and invoke responses to those commands across any product. By building these rules, customers can drive automation between products in a meaningful way and remove risk from the system by reducing the system’s dependence on humans, he says.

“The Holy Grail is real-time security – being able to find something on one system and inoculate and immunize your entire environment in a complete, automated way. I think that is what the ideal is,” Weingarten says. “It will eventually be a complete reimagination of the network by the data collected and by the XDR platform.”

SentinelOne sits all the way down in 13th place in the worldwide corporate endpoint security space, with just 1.8% market share last year, according to IDC. But the company’s endpoint security revenue skyrocketed by 112.2% from $88.2 million in 2020 to $187.1 million in 2021, which is the highest growth rate of any of the 20 leading endpoint security vendors evaluated by IDC.

Safeguarding Identity and Displacing SIEM

Identity protection is one of the most desired capabilities right now, given the shift in the threat landscape toward more user-based attacks, Weingarten says. SentinelOne expanded its product portfolio to include identity with the $616.5 million purchase of Attivo Networks, enabling the firm to provide identity threat detection and response, identity infrastructure assessment and identity cyber deception.

Attivo joins the more than 20 modules offered by SentinelOne and will further drive the migration away from antiquated and expensive security analytics tools and toward XDR, which he says provides better security at a lower cost. Most SIEM firms started as a node-based approach that’s deployed on-premises, while cloud-native data analytics provide a shared architecture that’s highly scalable across customers.

Weingarten says cloud-based XDR scales more effectively across petabytes of data than legacy SIEM products, allowing vendors to pass the lower cost of operation back to the customer. Customers today are primarily looking to augment rather than replace their SIEM product with XDR, and Weingarten says shipping some data to the XDR provider rather than the SIEM will save customers significant money.

Many customers are using XDR as a filtering mechanism for their SIEM tools, Weingarten says, putting all of their data initially into XDR since it’s much more cost-effective. From there, Weingarten says, the customer picks and chooses what data to transport into the SIEM for ticketing purposes or to respond to workflows that are already in place.

“You’re starting to see what the XDR strategy really looks like for some of these vendors,” Weingarten says. “Up until this point, it was mostly promises and in buzzwords. Now, you can see real bifurcation in XDR approaches.”