Next Generation Endpoint Detection and Response
Comments
Jamm1n (Member, Posts: 106): Ran into Crowdstrike at a security conference recently. Talked a good game, everything looks great, but I don't have any hands-on experience.
https://www.reddit.com/r/AskNetsec/comments/4280qi/anyone_with_experience_on_crowdstrike_sentinelone/
Dryst999 (Member, Posts: 81): My last company was a SentinelOne reseller, so I have a good amount of experience with it in the SMB setting (30-200 endpoints). It's pretty easy to set up and manage: you just run the install and reboot the endpoints, and they'll check into the cloud management portal (no experience with on-prem). For the most part we had little trouble with pushing it out to clients. You install it in "learning mode" for the first few weeks, where it learns your environment and reports everything back to the management console but does not automatically mitigate threats. Once you are comfortable that you've weeded out all the false positives, you turn learning mode off, at which point it takes over as your endpoint solution.
Pros - It's easy to deploy and manage, with barely any policies to set up. A lot of forensic capabilities; you can really dig down and view everything a threat is doing. From our tests it was extremely effective at flagging malware samples.
Cons - The interface does not have a lot of reporting functionality. We had a good number of agents crash or stop reporting in; the resolution was always to reinstall. There were some interoperability issues we found with certain applications (i.e., installing it on a Citrix server makes Labtech crash, but only on Citrix).
Overall I think it's pretty great, but it's definitely in the early stages. From an administrative point of view, deploying traditional AV is more stable and easier to manage. From a security point of view, I would definitely go with SentinelOne.