SentinelOne CEO: Endpoint security market full of 'noise and confusion'

As more attention -- and money -- has been invested in the endpoint security market in recent years, the space has seen a growing amount of "noise and confusion," according to Tomer Weingarten.

At RSA Conference 2018, Weingarten, CEO of SentinelOne, based in Mountain View, Calif., said he believes endpoint security vendors have introduced much-needed innovation in recent years, but the space has also seen too many niche products and questionable investments from venture capital firms. Weingarten said the endpoint security market has started to clear up this year, but new developments with security automation and machine learning have both invigorated the space and contributed to the noise.

In part one of the interview with Weingarten, he discussed SentinelOne's AnyCloud strategy and how the vendor monitors and limits lateral movement in cloud environments. In part two, Weingarten discusses the highly competitive endpoint security market and how the space has evolved.

Editor's note: This interview has been edited for clarity and length.

Five years ago, it seems like no one cared much about endpoints and all the focus was on the network. And, obviously, it's a much different story today. What's your view of the endpoint security market right now? How competitive is it?

Tomer Weingarten: It's extremely competitive. And I think you're right. Five or 10 years ago, it was a market that was very stale -- no disruption, no innovation. It was mostly the incumbents like Symantec, McAfee and Trend Micro -- the big antivirus companies -- basically just doing more of the same.

What we realized when we started SentinelOne -- and other new-generation companies that started roughly around the same time -- was that the reliance on network-based controls as means to protect your perimeter was no longer working. There are two big deficiencies there. First, as we discussed, the perimeter is becoming everywhere. It's not something that can be confined with a hardware-defined circle anymore. And when users leave their corporate perimeter, a lot of them don't have any protection for their endpoints. 

The second part is that attackers were clearly looking for the endpoint as that point of entry. At the end of the day, as an attacker, when you seek to compromise a target, you seek to run malicious code. And often the only place you can do that is on a device. That device is the endpoint. The user is the weakest link, and the endpoint is where you want to run code, which really puts all of the firepower of a given attacker on you in your endpoint. The endpoint protection from the past from the antivirus companies became trivial to bypass; the signature-based detection was not deterring anyone from getting in.

We've seen a lot of venture capital (VC) funneled into the cybersecurity industry in recent years, including the endpoint security market. Is that a good thing? Or, do you feel the market is getting too crowded, and there's too much money being thrown at it?

Weingarten: I think the space is clearing up a little bit right now, but it was definitely something that was a little bit alarming last year. You want innovation. You want people developing new tools to fight attackers. That's one thing. That said, I think if you find something as an investor that's basically a niche product --that's part of a tool set that becomes something that is not that much of a necessity -- then that's problematic. Why would you want to do that? If you're investing in a company, then you want it to have a vision to become a platform, a company that understands that you can't be a niche tool set.

You can't just have two or three features and augment some other stuff. You want to be a foundational stack. You want to bring in meaningful innovation -- innovation that not only translates to value to your customers, but it also translates to being a catalyst for change in cybersecurity. I think that's very much needed, and that's probably the best use of VC funds.

There does seem to be a lot of niche products that receive millions of VC dollars, but won't ever make it as a legitimate platform, as you said, let alone their own product category. Do you worry that with more of that out there, customers are going to be subjected to ...

Weingarten: Noise and confusion. Yes, I agree -- I think it's a very valid concern. And to be honest -- and there might be some people who are going be a little bit angry with what I'm going say next -- but I feel like a lot of the investors don't completely understand what they're investing in. Even if it sounds like really amazing technology, sometimes it's so pinpointed that it will not make a difference. It will not be something that you can come in to a customer with and say, 'I'm going to solve your problems.'

At the end of the day, there are very clear pain points in this world today. And if you're not building anything that maps directly to the No. 1 to 3 pain points that an enterprise has, then you're going have a tough time selling. That much I'm sure of.

Security automation is a big theme here at RSA Conference, with a lot of people saying the more you can automate security functions, the better off you'll be. Where do you see that cycle headed?

Weingarten: I hate the word theme, but yes. I think we definitely need to get there. You want the machine doing more. That's very, very clear. But for the machine to do more, the machine needs to be incredibly accurate. That's the part that everyone forgets. You won't let any product mitigate in real time and shut down processes if it's not accurate. If the decision-making via AI and machine learning is not accurate enough, then you're just shutting down environments.

We're big believers in automation; I think that it's a necessity to scale. We went through quite a bit of work to get the point where we could say that our product can be actually autonomous. We've trained it time and time again. And, again, in the full degree of honesty that I can offer, two years ago, it wasn't as accurate. You couldn't truly say that you can deploy any of these new next-gen solutions and be completely protected without having a human involved.

Today, it's a completely separate story. Today, it's mature. I'd say that close to 90% of our customers are running in complete operational mode; they let the machine make the decisions and shut down processes. To me, that was the biggest attestation that we've managed to build something that's so accurate and so cognizant of the amount of false positives that could occur. You would need to have that in order to have something like this operational today, and that's one of our biggest benefits for the customer.

I feel like a lot of the investors don't completely understand what they're investing in. Even if it sounds like really amazing technology, sometimes it's so pinpointed that it will not make a difference.

We know that your SOC [security operations center] is incredibly busy. We know you have a ton of alerts. When you use something that's really automated, you feel it immediately. There's no bluffing. If you're saying you're automated, but at the end of the day, you have people configuring and sifting through alerts, then it's going to show. And if you're truly automated, then it shows.

If you're really automated, it shows the integration to the other parts of the security ecosystem that you have. That's key. It's not a single-vendor world anymore. You're living with so many different products. You want them to talk to one another. You want data to move, and you want the full context. So, that's not a part of the automation, but it's important -- how robust your integration is to the entire ecosystem and how much time can you really save to the security team that needs to really deal with incidents.

I don't envy them. They need to deal with a lot of stuff, and we all know there's a huge shortage of resources in this space.

What kinds of endpoint threats are your customers seeing today? Are a lot of the threats simple attacks like phishing, or are there more targeted attacks today? 

Weingarten: I'd say that today it's a 50-50 split. We see 50% being very opportunistic attacks, like phishing or ransomware or cryptominers. But then we definitely see more and more of the targeted attacks, and they're not limited to government and intelligence agencies anymore. We're seeing highly organized attackers with motivations that are deeply rooted in cybercrime most of the time, and they target an enterprise in highly nonopportunistic ways. They will profile, research and then try to penetrate those targets, sometimes with the same methods. Sometimes, we'll see spear phishing campaigns.

We also see completely fileless malware, for example, that will be completely punching through everything that you have, because most solutions out there are really geared toward dealing with files. We haven't completely lost that notion that attackers might not need a file to compromise someone. So, we see some of these fileless attacks. You see quite a bit of lateral movement, which I think is a complete change in how attackers used to operate.

What we're seeing right now is that they will try to find the weakest user in the enterprise and sometimes penetrate with the simplest of phishing emails. Once they get some foothold inside of the perimeter, then moving laterally becomes almost trivial, because there aren't solutions that can see that lateral movement in an effective-enough way.

One of our biggest differentiators is that we built a complete lateral movement detection engine that basically profiles in real time how someone -- and it might not be an attacker -- is moving from device to device. Are we seeing any remote code execution from one device to another to try? You see complete enterprise takedowns that are happening with a live attacker that's able to move laterally. Someone is basically trying to get in, and then once they got in, they spread ransomware all across the enterprise.