Good morning, good afternoon, good evening, ladies and gentlemen, welcome to another KuppingerCole webinar. My name is Alexei Balaganski, I'm an analyst at KuppingerCole, and our topic for today is Protect, Detect, Respond, Mitigate: a modern security paradigm for modern enterprises. Today I'm joined by Matthias Kius, who is Regional Director at SentinelOne here in Germany. Before we begin, just a few words of housekeeping: you are all muted centrally, so you don't have to worry about your microphones.
We are recording this session and of course it'll be available on our website, along with the slide decks, tomorrow at the latest. We'll also send everyone a link through email.
Of course, you'll have a Q&A session at the end of the webinar, but you don't have to wait to submit your questions. You can do it any time using the Questions tool in the GoToWebinar control panel on your screen.
And just another few words of shameless plug for KuppingerCole's virtual events. We just had our first one some time ago, and it was a total success with 900 participants. It's online only and absolutely free for everyone. And you can find on this screen a list of our next upcoming virtual events. So head to our website to find out more information and register yourself at any time.
Thank you in advance. The agenda for today is, as usual, split into three parts.
First, I will present a more or less neutral, analyst-focused overview of the latest trends and challenges in endpoint security. Then I will hand over to Matthias Kius, and he'll talk through more technical details about the ecosystem and capabilities of an integrated endpoint security platform from SentinelOne. And as I mentioned, at the end we will have a special Q&A session. And without further ado, let's start with our first slide.
So you've probably heard the claim that the antivirus is dead. But is it really so? Well, yes, but actually no. I guess it all depends on how you define an antivirus, or how we define the virus. And obviously a virus and an antivirus nowadays are something completely different from what we used to have, say, 20 years ago. And to understand that we have to take a step back and look at the bigger picture of enterprise security as a whole.
So nowadays, really, in the hyper-connected world, there is no longer a security perimeter around your corporate network, because your corporate network exists in many places in parallel. It might still be in your old on-prem office location, or multiple locations. It could be in the cloud, or in multiple clouds. It could incorporate parts of your manufacturing plant, or just lots of people on the move.
Or, as we all currently are now, at home. And traditionally we have multiple security tools deployed in different places. We have firewalls and endpoint protection in the office. We have cloud security tools. We have specialized operational technology security tools for manufacturing, plant device management, you name it.
And all those tools, sometimes automatically but most of the time manually, feed their security telemetry into a single place, which we traditionally call the security operations center, where a team of extremely skilled and extremely busy people just fight with a torrent of security events.
When we take another step back and look at the role of malware defense in the bigger picture of IT security, we can easily map, if you will, three of the five essential phases of the NIST Cybersecurity Framework into three primary jobs for an endpoint security solution, including both technology and people: protecting your network and devices from known malicious software and activities, which traditional antiviruses are famous for doing along with firewalls and other solutions; detecting what's wrong within your network, analyzing those anomalies or suspicious activities and taking action on them; and responding to a security incident, that is analyzing, investigating, and finally orchestrating and automating mitigation of the problem.
And of course, again, the traditional antivirus is no more, and endpoint security solutions nowadays can offer many more security capabilities. And it's really difficult to draw a line which would separate an antivirus-like endpoint protection solution from an endpoint detection solution, or, if you will, an endpoint mitigation solution or forensic tool. As you can see, there are multiple capabilities which are usually offered in various combinations by different vendors.
And really, the very notion of an antivirus has become so blurred and evolved.
However, we can still identify two major classes of security tools, namely the endpoint protection or EPP tools, which still focus on discovering malware before it gets into your network or onto your endpoint device. So they're designed to prevent execution or compromise through some other threat vector. And of course they are, as I mentioned earlier, coming with a plethora of additional security controls for data leak prevention, network security and so on.
And there are the endpoint detection and response tools, the EDRs, which focus primarily on the evidence and effects of malware that has already been within your network or on your device doing its nasty things. They are focused on understanding what's going on at the moment and what happened earlier, logging all this data centrally and making this data available for analysts for remote examination.
And, if you will, this represents what I call the first paradigm shift in cybersecurity.
It probably happened quite a few years ago already, when we finally realized that prevention alone just doesn't work anymore. There are so many different attacks and threats both inside and outside of our corporate networks that it is just impossible to defend your network from all those threats even getting within your security perimeter. And on this slide, I've included a list of common methods and techniques that modern malware and other cyber threats use to get into your network and do the nasty stuff.
And of course, as you can obviously see, the traditional protection tools have a rather limited area of application nowadays; most of those attack phases can no longer be addressed by a traditional protection tool. This is why the overall consensus in the security industry was: okay, we have lost, the hackers are already in, now let's focus on at least detecting their malicious actions as quickly as possible, and then trying to respond to those activities as quickly as possible.
And of course the new kings of endpoint security were the endpoint detection and response tools, which I just mentioned earlier, because they offered so many additional smart capabilities. Instead of just looking for signatures or other known types of malware, they could do behavior analysis, they could do live process and memory monitoring.
They could look across different sources of security telemetry and correlate those events together, and then enrich that data with some external threat intelligence to give an analyst a single place, a single pane of glass view on what's going on within, let's say, a network or an endpoint in this particular example.
And thus ensuring that an analyst would, in theory at least, identify the problem, the malware, as quickly as possible. But of course it did not take much time to understand that just logging everything malicious happening within your endpoint device isn't enough.
First of all, obviously, a traditional EDR, or like a pure-play EDR solution, did not actually include any mitigation capabilities. So you would still have to have your old antivirus running in parallel, meaning that you have to maintain additional infrastructure, and you have to hire additional people to operate that infrastructure. And of course, the more effective your EDR solution was, the more alerts you would receive, and sooner or later you would be so overwhelmed by that torrent of alerts that you simply have no time to investigate and respond to each one in time.
And finally, those investigations were still largely manual.
So yes, you would have a page informing you that something bad happened, perhaps with some additional context information available, but if you needed more, you would have to reach out to additional tools and do your investigation manually.
So yes, EDR tools, not least EDR 1.0 tools, were still much better at detecting what's going on than the traditional antivirus, but not good enough to help deal with all those alerts. And this is exactly when the second paradigm shift happened: finally, it was understood that actually detecting the malicious event isn't enough. You have to be able to respond to that event as quickly as possible. This is when the next generation of EDR tools emerged. Of course they were focusing more on behavioral patterns.
So instead of just telling you that something bad has happened, it would monitor the situation unfolding and fold multiple malicious or suspicious activities into a single incident.
It would be able to tell you: yes, there is actually a malware attack going on, or it looks like your user's credentials have been compromised, and so on. So it would perform this correlation, often enhanced with machine learning, and would provide an analyst a more compact and sensible view of what actually is going on.
Another important advantage of that solution was that it was able to rely on the wisdom of the cloud. That is, these things are usually based in the cloud, and all the individual security telemetry is flowing into the cloud. The central operator, usually the vendor of the solution or a managed service provider, would have centralized visibility into what's going on across different customers. And from that wisdom of the crowd, they would be able to detect and react to individual incidents faster and more reliably.
And of course, this is when artificial intelligence emerged as a major business and technology driver and a hugely popular buzzword. So everyone was suddenly selling new security tools with AI-assisted decision support built in. And this is where we have to, again, step back and have a look at what exactly is behind that AI label. And unfortunately, many products that have that label on the box fail to deliver on the promise. So they imply that their AI-powered capabilities are somehow more efficient and more intelligent.
Unfortunately it doesn't happen all the time. And another serious problem of this cloud-based AI is that, well, it's based in the cloud, because all those machine learning models require huge computing and storage resources to deal with large data flows. So the actual brain of the anti-malware solution would be running in the cloud.
Obviously, of course, it introduces additional latency between the identification of an event on the endpoint, then sending that information back to the mothership for analysis, and then delivering an order back to the endpoint.
And of course it will simply fail to work on a disconnected endpoint. And as I mentioned, we have to actually have a look at various aspects of artificial intelligence in cybersecurity in general; not all AI tools are created equal. On this slide I have summarized five major development steps, if you will, for AI-powered and AI-assisted cybersecurity tools. It all starts with simple machine learning based data analysis and correlation, where those solutions will be looking for outliers or anomalies in the stream of security data.
And then of course they will minimize the statistical noise and reduce the number of individual alerts to a manageable number, which is great, which helps analyst productivity a lot.
But it's not really that intelligent. This is just the same which can be easily achieved with statistical methods alone, without any machine learning at all. The next step, which is really popular nowadays, is decision support.
Whenever an analyst is looking at an incident, some kind of AI assistant would be able to pop up and tell him: hey, you actually dealt with similar events 50 times last year, and 90% of the time it was this decision; maybe you should make the same decision now as well. Something like that.
Again, this is a major boost in productivity, but it's not a real replacement for a human decision maker, right? Intelligent automation is another aspect, which probably still has not found that much use in endpoint security solutions, because usually an endpoint security solution operates with just a single tool, its own agent.
However, it's already finding its use in security operations centers. Those companies which either run a SOC themselves or outsource it to a third party could benefit from this intelligent automation immensely, because it reduces the amount of manual tools, manual investigations, running these disjoint security tools and then collecting the evidence back into a single place.
All this can be automated. Cognitive security is another really promising topic, which nowadays is implemented in tools like IBM Watson for Cyber Security, for example.
And it mostly focuses on delivering you more detailed and higher quality threat intelligence: understanding what's going on on the web, looking for specific indicators of attack and other security information from academic papers, for example, and so on, and basically helping you to unlock previously unstructured information. Information that was previously unreadable by a computer, by a machine, can now be made readable through cognitive processing.
But again, all these tools live somewhere outside of your endpoint device. They help, but they cannot help you directly to, for example, stop a process encrypting your data. To be able to do this in real time, the AI has to be autonomous. It has to work directly on the endpoint device.
And there are some really interesting developments here, both inside and outside of endpoint security. For example, there are really interesting developments in terms of database security and IT device maintenance in general. But of course, self-learning and instantly acting agents already exist, and we will be looking at one of those examples later in this webinar as well.
So what should be in our next generation of endpoint security solutions? Well, first of all, I think it's pretty obvious that they are going to further converge. I mentioned there is no longer a distinct difference between an EPP and an EDR solution, because both are implementing a certain set of capabilities which often overlap significantly. It's only sensible that sooner or later we will get a solution which implements all of those capabilities, both in terms of protecting against known threats and detecting the unknown and suspicious activities as well.
And of course, ideally the same solution, with the same agent, with the same console running somewhere in the cloud or maybe even on-prem, should be able to implement the full scope of these capabilities: protecting, detecting, responding in the sense of analyzing and investigating a security event, understanding what its potential risk outcome would be, and finally making a decision on how to mitigate it. Ideally this should be able to happen fully autonomously, without any human involvement at all.
In certain cases where a decision might be wrong in the end, a human might intervene and roll back the decision later if something went wrong. But most importantly, this should be able to work autonomously. So the cloud does help, but the cloud can be a major problem if your device is only occasionally connected to the internet.
If you look further into the future, why even end at the endpoint? Consider that you already have an agent running on an endpoint device; ideally it should be the same agent supporting multiple platforms: Windows, Macs, Linux. What prevents you from deploying the same engine on a virtual machine, or baking it in as a part of a container image, or on your cloud workload? The more uniform telemetry collection you have across your IT systems, obviously the lower the complexity of your whole security infrastructure. Another interesting aspect is broadening the telemetry scope. If your endpoint detection and response tool only collects information about bad things happening on your device, it's great for security, but it limits its potential applications for other use cases.
If you can collect, quote unquote, good events as well, or just be able to know exactly what's going on on the device at any time, you can expand your data model and your threat model, if you will.
And there are IT operations models with really interesting, innovative use cases, ranging from proactive maintenance to compliance monitoring, to anything like that. And you can even turn your agent into a network device, a network sensor, if instead of just collecting the local process information it would actually reach out to the network and probe its peer devices.
In that regard, for example, you could observe remotely an embedded or IoT device which you could not deploy an agent directly to. And last but not least, such a solution should still be able to talk to other existing tools. And ideally, in the end, you would have a unified pyramid, if you will, of security analytics, which would combine the capabilities of currently separate things: network detection and response and endpoint detection and response solutions. The question is: is it something which is sensible?
Is it something which can really exist and work as promised, or is it a mythical animal of German folklore, the eierlegende Wollmilchsau? And this is exactly what we're going to find out in the second part of our webinar.
So thank you, Alexei. Yeah. My name is Matthias Kius and I'm from SentinelOne. I don't want to bore you with details about me; it's about the topic. And yeah, I'm happy to give the topic a bit more meat: probably what has already been realized by SentinelOne of what Alexei presented, what became reality,
and what probably is something that is a big future topic. So I would right away jump into the presentation and kick it off. So here we go. Yeah. This is what we call the jellyfish. So this literally should visualize what is currently happening on any of our endpoints. And if I say endpoints, I mean also that what an endpoint is has evolved dramatically. I mean, Alexei also said it, we are no longer talking about just servers or just workstations.
We are talking about OT and we are talking about cloud workloads, a super hot topic.
I'm touching on that a little bit later on as well, and obviously on virtualized environments across all OSes, such as Microsoft, Linux, Mac, whatever. But I mean, at the end, what is happening on an endpoint?
It is that a large amount of processes are running in parallel, in several directions at the same time, processing certain chains of events and running into several directions. And that's what this jellyfish should show to you. And the interesting piece, if we are looking into the reality, and which is also one of the reasons why there is this quote that says antivirus is dead, is the fact that when I look at the classical antivirus, usually you have a list of criminals on your system.
And once somebody new is coming onto your endpoint, you're looking: oh, have I seen this guy before? Oh yes, it's a criminal.
Oh no, it's not a criminal. And that's it. The challenge these days, and this is definitely not new, is that we have too many new criminals and too many malicious activities that are launched on a daily basis to keep track of that in a signature-based approach. That's not new, but it's important. And we recently did a study and looked at the threats we found, at the point in time when we found the threats, how many of them were already named in a reputation-based database, and it was about 90%. So may this be 90%, may this be 80%, it doesn't really matter.
The fact is that we have to deal with the unknown, right?
Which also is one of the reasons, and the name "detect" also suggests this, that you need to run stuff in order to see whether it turns out to be bad. So that is the biggest challenge these days: to deal with the unknown on any system. And there are a lot of ideas on how to tackle that or to deal with that; there are a lot of strategies.
And I mean, I'm now with SentinelOne for two years; before that, I worked seven years for Palo Alto Networks, which, when I started, was in the same situation in the firewall market as we now have in the endpoint sector: a wave of consolidation, moving from firewalling to UTM to next-generation firewalling. And we see a similar thing here. And as I said, there are different strategies to work with that.
And based out of those conversations, one request very often, also from out of the SOC team, for example, or out of operations, is: hey, we need more tools.
Yeah. We need something that helps us mitigate. We need to have a deeper view into that, and so on and so forth. And that very often leads to the fact that we have probably too many options and tools that are costly but rarely used, right? So is this really the right approach? And the second call we very often hear is: hey, we need more data.
I mean, come on. We need to enrich our data lake in order to be able to take decisions and correlate all of that. So literally what it says is: okay, let's increase the haystack to find the needle easier, right?
I mean, is that really what makes sense, or do we want to have relevant data rather than more data? Right. And the third piece, which is very often a result of the fact that we are crying after more tools and more capabilities and crying after more data in order to find less, probably, is that we try to really fight it with more people, which we all know, and this is also not new, will probably not really happen, because yeah, you need to find them and you need to keep them, right?
So probably these approaches don't really lead to efficient operations from a security, visibility and operational perspective. So what could be an idea? So take everything that is happening on an endpoint from a process perspective, and think of what if you could track any process on any system, no matter if it's good, no matter if it's bad, from the very start, from when it starts, to the very end, in real time.
And as I said, on any device. When doing that, you also would know at any point in time where you are and what the beginning was and what the next and the parent processes in that chain of events would be. So that is one idea. And this whole piece without human intervention, no external or cloud assessment needed. So this really happens straight at the endpoint itself, in the natural environment of the process. So no latency due to cloud, and nothing that probably could fool an external system,
as probably the malware does when it understands that it's actually not on a real endpoint. And the idea here is what we call true context processing, that allows us, as I said, to track any process from A to Z, and any process step that is taken and any process that comes after the other is bound together by a single ID.
You can think of it like a book where any word in that book has the same ID, like all the other words in the book. And they're also numbered so that you can put them in the right order.
And whenever you find one of those words, you can click on it and then you immediately get the whole story, the whole book, rather than trying to find out what book it is, what the story is and where it leads to. Really cool stuff. And this can solve a whole lot of issues on any endpoint.
Second, what if, I mean, tracking that is cool, but what if you then could score all these events, or could score all this telemetry data, in order to really be able to understand once a story, once a process, once a chain of events is performing all sorts of evil?
Like we see it here: at a certain point, the process chain, the events on the device, start to perform all sorts of evil. And based on the behavioral scoring, we would see that and could take action there.
So what we see here, as I said, in reality at this point, we would have had enough indicators, enough behavioral process data, in order to say, based on machine learning: hey, somebody entered the room. He has a high pulse, he has very wet hands, a lot of adrenaline, and then he starts to put his hand in his jacket, he pulls a gun and wants to shoot, right? And before that happens, we would have had enough behavioral process-based indicators; based on that scoring, we would have reached a certain threshold to prevent him from harming.
We do all that, again, this would be kind of a protection part, but we do that based on good and bad processes. So we do that for any process on any system, no matter if it performs evil at a certain point in time, or if it's benign data at the first step. And still, everything you see here, still no human intervention is needed, and this is still completely performed on the endpoint itself. No cloud needed, no sandbox needed.
And as I said, no human intervention. As a consequence, as we see the whole chain at machine speed, we obviously see the root cause. As I said, if you see a single word and you want to know how it started, you want to see the first word, if you will, the first chapter in the book, it's just one click away, as we index it with the true context ID and find the root cause immediately.
And when you have the root cause, as a consequence number two, if you will, the endpoint agent itself is able to mitigate the attack completely.
And of course a lot faster than any human being or any cloud-based analytics could ever do that. And that is happening, as I said, completely autonomously on the system itself. And you also can do that for data which probably went over your line of defense, where, based on EDR, you find an indicator that you probably have been compromised. You find a snippet of something that could actually be bad before you have been finally compromised. You click on that.
I always use an example. You find a drop of blood. It's a bit of a dark example, but I think it's pretty realistic. You find a drop of blood in your office and you want to know: did somebody's nose bleed, or was it a criminal kind of activity?
And with knowing from A to Z any process on any system, you just double-click on that drop of blood, and you immediately get the full book, you get the full story at the tip of your finger, without human intervention.
And you then can say: yes, this was a completely harmless piece, somebody cut their finger, whatever.
Or: yes, we have a criminal activity here, and you can then jump back to the root cause, understand what is happening, how it's happening, why, and then you can take action. A lot of that, as I said, can be done automatically, but most of it is happening autonomously on the endpoint itself
at machine speed. And that is also something I think is pretty important.
I mean, we also look at the market, as you can imagine. And we have customers from a hundred endpoints to 500,000 endpoints. And what is becoming more and more obvious, and I think most of you would agree if I could look into your faces, I wish I could, is the fact that you can't solve a digital problem by throwing people at it, right? And in a lot of solutions, at a certain point of time, at a certain point of complexity, information is going out from the endpoint to an external device or to manual kind of analytics.
And I mean, per definition, and even without having a shirt from SentinelOne on my chest, that doesn't make sense, right?
And the idea in general is to solve digital problems at machine speed. And you only can do that if you have an autonomous, AI-based agent on the endpoint itself. And the cool stuff is, and the question I always get is: okay, do I need a quantum computer in order to run it?
No, you don't. The algorithms that run there, that look after behavior, after process behavior, and also after static attributes, if you will, or features of files, need about one to 2% of CPU, that's it. So, yeah, I mean, literally this little presentation is about to make your mouth a bit wet in order to want to know more. So this is only a little snippet, obviously, of what we can do. But the result is that while the whole device is running and continuing its work, we have, I don't know if you can see it, we have in parallel automatically mitigated the attack.
Yeah. And you are up and running again. And we are talking about one agent that gives you that full visibility on every single endpoint, that is then reporting its data to a central management system. And the central management system is literally a web server. If you want to, you can run it on prem, you can run it in the cloud, but the real intelligence is on the endpoint itself.
And the way I like to think about it is like having a little SOC analyst or a little Yoda sitting in the system, looking at all these events and processes, correlating it automatically and stopping them when needed, recording them when they look good, and being able to look also into that benign data once we found the drop of blood on the floor of your office. That is, we don't talk about features and all that stuff.
That's the concept behind it.
You may like it, you may not, but I think there's nothing at the moment in the market that can do anything comparable to that. And coming back to that, as I said at the very beginning: do we need more tools? I don't think so. I think with one tool, for example, that doesn't create too many alerts, that gives me full visibility, that is able to automatically mitigate that.
Yes, we work with the cloud if needed, but we don't rely on it for analytics, right? That's a huge difference. Yeah. So one tool, and also giving you relevant data. For example, if you look at the MITRE report that was published recently, there's always a number of alerts that were created. And honestly, I mean, some vendors say: hey, we have found, we have more alerts. Hey, come on.
This is a disadvantage.
I mean, as we all know, a life cycle of an attack, or what Alexei also showed, the MITRE ATT&CK methods and techniques that were mentioned: some solutions create an alert for every single one of them. I mean, does that really make sense? We had the lowest amount of alerts because we correlate it; for us, it's one alert, but you see obviously every single item, and we found them all, right?
So this is also something that, especially in the midsize business, where you probably can't afford a full SOC team, is extremely important. And also protection. And this is kind of introducing my next slide: it is still something, yes, we cannot tackle most of the methods and stuff like that, but a good protection helps also to get the banal and easy stuff away from the guys that get a whole lot of money to just understand a little bit more.
Right. So really interesting.
And that's actually the last of those three here: you have one tool, you get relevant data, so you get signal rather than noise. You get the full transparency; you don't get snippets or single data points, you get the full story at the tip of your finger. And that kind of gives you the ability to work with that, to increase your level of security, even with the current stuff. Right.
That, as I said, by this autonomous agent. Yes, hey, it is like with every other vendor, the kit needs a name, and our platform is called Singularity. And it is a vertically integrated platform.
And I like to think of it like a volume button on an amplifier, for example, that you can turn from low to very noisy.
And that's exactly the same here.
You decide. You can really tackle any incident, from an easy one to a sophisticated one. You get full control and visibility of the full life cycle of an attack, and this while reducing operational challenges, because it's one management, it's one system.
And I would like to give you some broader view. I will not talk about all of those bits and pieces, but some of them. So it really goes from the classical prevention based on AI and machine learning, but also, as Alexei said, turn an endpoint into a sensor. It makes a whole lot of sense. So the same sensor is capable of doing IoT discovery and control, giving you an idea of what devices are on your network. For example, the NASA hack happened with a Raspberry Pi that should not have been in their network.
I mean, you can discover that stuff, for example, when turning the SentinelOne agent, and there's only one, into a sensor, right. Really cool stuff.
And last but not least, I mean, we see a whole lot of development in the market and in the endpoint space, but not only the endpoint space, also the next big thing. I think we have virtualized servers with VMware and put that into virtual environments. And that was a real revolution when building data centers and consuming energy and managing applications and workloads.
And the next revolution is right in front of us when we are talking about Docker, about Kubernetes, about containerized workloads, where we literally abstract even from the OS. So that means they have the same level of, but you need the same level of security for them. And also for that, we do have a solution.
We are working as a sidecar in the pod to be able to see in real time the behavior of any node and to give you the same level of security that we are capable of giving you in the area of a classical server or of a classical workload.
And this is, this is a big, big piece, I think.
And we will hear a lot about them in future, and yeah. With that said, one last point on XDR. What XDR? You have probably heard that as well; a lot of vendors are starting to use it. I think what the unified threat management system was, which combined IPS solutions and firewalling, the XDR will be in the endpoint space. So the unified endpoint security; I guess these three letters will probably stick pretty much. And what Alexei explained as converged endpoint security will very likely be what we will understand in future as XDR.
And also the X suggests that we not only talk about classical and typical endpoints, so that we are also talking about, as I said, containerized workloads, IoT, and many more things. So, yeah, as you can imagine, I could talk for hours.
I hope some of this information has whetted your appetite. Really.
This is a real small snippet of what we currently do based on machine learning, based on the autonomous agent on the endpoint itself. And yeah, I have a couple of additional slides put into that deck that give you further information about the company, about the size. We are ISO certified, we are GDPR compliant, all that stuff you probably need if you run a critical environment. So with that said, yeah, we are solving digital problems at machine speed, and I hope to have created some interest. Many, many thanks. Unmuted.
Okay.
Well, thanks a lot, Matthias, for this really interesting presentation. And I guess the first takeaway from that would be that the technical "eierlegende Wollmilchsau" of German folklore actually exists
Alexei, and
And that it lives in your office, I guess, in Munich, right?
Yeah. I'm currently working out of the home office in San Coone, but yeah, the European headquarters is based in Amsterdam and we are spread around Germany, Austria and Switzerland as a team.
Right. Okay. So we still have some time left for the Q and A session. Yeah. Just checking.
Do you see my screen again?
Give me a second. I'm now in presentation, give me a second.
Anyway. Yeah. I really suggest our attendees submit their questions through the questions tool. And in the meantime, I will just slowly scroll through my remaining slides, just to give you some additional information to think about. For example, we have actually recently published an Executive View report specifically on the SentinelOne security platform. And of course we have lots of other relevant research on our website.com. So you are very welcome to visit. And in the meantime we have a first question.
Yes. Cool.
Do I still need my antivirus, or don't I?
Yeah. So this question comes up regularly, and no, it's a full AV replacement. So whatever you have on legacy AV and whatever you use can be, or will be, replaced by SentinelOne. And we also have what you probably also don't want to miss, like device control, like firewall control, all these, let's call them additional features, that made the former AV into an endpoint protection platform. This is also included in the same agent. So the answer is no, you don't need an additional AV; we are the full replacement for it.
And if I may add just a few words as an analyst to this statement: on one hand, you are absolutely right with that, again, so I've seen your solution in action, so I can confirm. But on the other hand, it's really an extremely misguided approach towards selecting your next security purchase to look at the label, because, as I have mentioned in my part earlier, an antivirus as a thing does not exist anymore.
Every vendor has a range of capabilities they can support in the platform, and the range differs between different solutions, and there will be some overlaps, smaller or bigger overlaps. So it's always important for you to stop looking at labels and start looking at your company's risks and the vendors' capabilities to remediate those risks, if you will. And with that regard, of course, SentinelOne is quite a good contender.
Exactly.
And also we sometimes even run, I mean, people have their E3 license, for example, from Microsoft and they just leave their Defender switched on and put us on top of that in order to have a behavioral AI instance and have an idea of what they can do with fileless malware, for example. So sometimes it's coexistence, but from a technical point of view it's not really needed.
Right. Okay. I think we just go to the next question, right? Okay. I'm not sure this is a fair question, but it's up to you to decide: who do you consider your biggest competitor on the market?
I mean, that's a good question. So one competitor, and I would put them all into one bucket. Every legacy vendor at the moment is a competitor, obviously.
I mean, the biggest contender in the endpoint market at the moment is still McAfee, which I guess owns 6.9% of the market, which also shows how spread out the market is, how distributed it is.
So any legacy vendor, like Kaspersky, like McAfee, like Trend Micro, I mean, these are the legacy vendors, and I would put them as one. And the second I would name is Microsoft, right?
They have, yeah, a very, very broad offering, and they are in every company. A lot of customers tell us, hey, listen, we don't want to rely security-wise on the vendor that probably also causes a lot of trouble, and want to put our bet on one. This is very often happening, but especially Microsoft is usually a top-down strategy.
So that means there is a strategic decision to go, for example, for an E5 license. And we are then competing against Microsoft, especially in the EDR space. Yeah.
So these are the ones that we see the most.
Right, right.
And again, I would like to add from my side at the end of it: I don't think that calling those companies legacy vendors is a fair definition, sort of. They are still doing a good job. They're still innovating in their market. It's just really important to understand that those companies give you a totally different kind of security. It's still necessary, obviously, it's still useful in many cases, but it does not keep up with the modern challenges anymore, no matter how hard they will try to innovate, unless, say, they also start branching into the same territory as you are working in now.
Well, just
No, but you're right. I mean, the legacy, I mean, we are usually not a company that blames the competitor, and we don't. I mean, there is enough space to coexist, and depending on your requirements, probably another vendor than SentinelOne is sometimes better. With "legacy"
I literally mean the ones that have been there before us and that have kind of founded what we got to know over the last 25 or 30 years as antivirus. So that was not meant in a negative sense.
Right. So you are standing on the shoulders of the giants, right? Like Isaac Newton. Yes.
Yes.
I mean, I've seen it for the second time now. As I said, when I started with Palo Alto Networks, I was there seven years ago, but it is 10 or 12 years ago. I mean, everybody thought, hey, who needs a new firewall vendor, right? But it was also a paradigm shift, and it went extremely fast, and look at Palo Alto Networks now: it has become one of the market leaders, if not the market leader. And that's how fast things can evolve and change.
Right. Right. Okay. We've got the next question. So if you are collecting every kind of event, not just the bad ones. Yeah.
How do you deal with such an enormous amount of data? Yeah. Where
Does it go? That's a very good question. Yeah.
Yeah, absolutely. So that's exactly, that's a very important detail. So if you consider the fact that 99.9% of all events and processes we look after are benign or good in the first shot, but we want to make them searchable. We want to have them for our forensic analysis, if needed. And we want to probably run some automations over those forensic data as well. We need to have them stored, indexed and accessible somewhere. And this is where we use the cloud.
So we don't rely on the cloud from an analytics point of view, or from a decision, is this good or bad. But we use the AWS cloud in Frankfurt, for example, and then many others around the world, to store the data, to index them, to make them searchable for the management system. So that's also where we use the cloud, but we don't rely on it from an assessment point of view.
Right. There is one more question, and I like this one; if it weren't asked, I would ask it myself: what about, pardon me, threat hunting capabilities?
Is it something which you see as your, one of the primary capabilities?
Yes, absolutely. This is what I also meant with the volume button. This is also part of it.
You may decide what capability you want to use and how deep you want to go. A lot of what you would call endpoint detection and response is happening automatically, due to the algorithms we have and due to the fact that we have that little SOC analyst that can process a lot of stuff autonomously. But if you really want to hunt manually after a certain IOC or indicator of attack, you can absolutely do that.
You can query that. We can give you access to forensic data for up to a year, right? And this is absolutely doable, and it's one of the core capabilities of the product. Even if you hunt manually after a certain IOC, once we find that IOC, this IOC is like a word in a book, so to speak, and is also bound to a certain context ID.
So once you have found that, you can click on it, you can search after this context ID, and you get the full content of the full book and can immediately see, even if you have done it manually, what happened at the very beginning and at the very end, and can take your decision, or take your mitigation action, or whatever you wanted.
All right. And what I really like about this approach is that, yes, it's just another tool in the toolbox, but it's not a standalone tool.
It works within the same context as any other automated capabilities as well. Yes, you can do it both ways, and you don't have to choose one. So I can do it myself, or let the robot do it for me, or let's work together.
Exactly. You choose the level of automation, and you should.
I mean, let's also be honest: automation, integration, autonomous behavior is something that is pretty highly rated. And it also makes sense, as we want to solve digital problems at machine speed and digitally. But nevertheless, I don't see in the near or even the mid-term future, I mean, there will always be, at the end of a chain, a human being that needs to take a certain decision. And I think we relieve our operations team pretty much if we extend the point in time where the human being needs to step in.
And that's the idea behind SentinelOne. And you also have the decision in your hand, how much you want to automate or what you want to decide manually.
Okay, great. And I see that we have just reached the top of the hour. So unfortunately there will be no more questions to address, but of course, if you still have any open questions or requests or ideas, just reach out to us by email or through our website, and we will forward your request to the proper people. And of course, thank you very much, Matthias, for your part in this webinar today. Thanks to all of our attendees. Thanks for staying with us for the whole hour. Looking forward to seeing you in some of our future online events, or maybe even sometime later in our future physical events.
That is, once the quarantine is over. So stay healthy and have a nice rest of the day.
Thanks. Thanks a lot from my side as well. Bye-bye.