SentinelOne Increases SOC Capabilities With Cloud Native Security (CNS)

As a cloud-native organization building and providing cyber security software to thousands of businesses worldwide, SentinelOne maintains correspondingly high cloud security requirements and rigor in its Security Operations Center. For SentinelOne, ensuring our customers' security is a crucial part of that mission. As such, our security teams are constantly working to improve and set the standard for world-class security operations across people, processes, and technology.

To secure runtime cloud and container environments, SentinelOne deploys its industry-leading, highly performant, scalable AI-powered Cloud Workload Security (CWS) as part of the Singularity Platform. This real-time cloud workload protection platform (CWPP) is built upon the eBPF framework, meaning that it operates entirely in user space for maximum stability and performance. CWS provides AI-powered protection, detection, and response for the cloud workloads that run the Singularity Platform - the foundation on which all of SentinelOne's cloud-native cyber security SaaS service is built and delivered.

This post covers how SentinelOne's acquisition of PingSafe, now Singularity Cloud Native Security, delivers security posture management, secret scanning, and infrastructure-as-code (IaC) scanning capabilities without the need for multiple third-party software solutions.

Proof of Concept

As part of periodic evaluations of opportunities to raise SentinelOne's security posture, SentinelOne's Deputy CISO Josh Blackwelder led a cross-functional effort across our SOC, Cloud Security Engineering, Vulnerability Assessment, Application Security, and GRC teams, reexamining cloud security requirements to consolidate the multiple third-party tools used to provide agentless CNAPP capabilities.

A tiger team identified a set of guiding cloud security outcomes for the project. The goal in mind was to boost productivity among the teams closely involved in maintaining cloud security posture and reduce key time-to-x metrics. Ideally, SentinelOne wanted a beneficial financial outcome, as previous overlapping cloud security investments indicated an optimization could be made.

Evaluation criteria for agentless CNAPP platforms were built, including required capabilities, areas of desired improvement, and net-new capabilities.The core required capabilities for re-evaluation included:

• Cloud Security Posture Management (CSPM)
• Secrets Scanning
• IaC Template Scanning
• Vulnerability Management
• Container Image Security
• Container & Kubernetes Security Posture Management
• Cloud Asset Inventory
• Deployment, Governance, Integration, and Search functionality

Beyond the core capabilities, SentinelOne sought to improve capabilities in three areas:

• Prioritization of cloud misconfiguration findings beyond severity levels
• An ability to prioritize across both OS and app-level vulnerabilities
• Gain a flexible custom security policy engine specific to SentinelOne's context

Additionally, the company sought to expand with net-new capabilities:

• The substantiation and validation of risk beyond industry reporting feeds
• Capability to threat hunt for cloud-specific metadata
• Automate the hunting for leaked or compromised credentials

Results from this evaluation were compiled, and some clear areas of opportunity were identified.

We Liked It So Much, We Bought The Company

Overlapping with this effort, the SentinelOne Product group, led by Jane Wong, SVP of Product Management, desired to expand our cloud security portfolio to provide an expanded set of capabilities for customers looking to SentinelOne for their enterprise security needs. One of the acquisition targets of particular interest, due to their technical innovation, was an India-based startup, PingSafe. Co-founded by a world-renowned ethical hacker and bug-bounty hunter, Anand Prakash, PingSafe's agentless CNAPP was built with an attacker's mindset to better highlight which cloud security issues represented a genuinely exploitable risk to customers. Now, PingSafe is now a part of the Singularity Platform and is available to customers as Singularity Cloud Native Security.

Before the acquisition of PingSafe, the SentinelOne Security Operations Center (SOC) had deployed two alternatives from the market, Wiz and Orca, to provide agentless CNAPP capabilities. The deployment of PingSafe (now Singularity Cloud Native Security) was able to replace both these solutions and additionally found security context information previously unknown, increasing visibility and improving our security posture.

With the SOC team's thorough proof of concept (PoC) and their ability to benchmark PingSafe against other third-party solutions, including the previously-deployed Wiz and Orca Security, SentinelOne's Head of AI/ML and Cloud Security, Ely Kahn, requested that PingSafe be included within the evaluations to provide the Product team with a complete view of target acquisitions.

PingSafe rapidly emerged as a stand-out within the evaluation process. The agentless CNAPP was rapidly onboarded across the cloud environment for a PoC and quickly returned some eye-opening results. PingSafe not only matched the existing cloud security investments deployed within the SOC, but also showcased several improved capabilities to identify, prioritize, and remediate cloud risk and threat hunt.

A clear differentiation was PingSafe's secrets scanning capabilities to prevent and hunt for credential leakage:

Most essentially, PingSafe highlighted cloud risks and vulnerabilities that the existing deployed third-party solutions Wiz and Orca Security had missed. In addition to finding previously unidentified issues, including subdomain takeover risk, the PingSafe platform verified their prioritized findings with evidence. By correlating and contextualizing cloud assets, PingSafe rapidly showcases the relationship between assets and their insecurity and their public-facing route in a user-friendly graphical interface. This view of cloud assets, relationships, access, and either a cloud or Kubernetes misconfiguration and/or an OS or Application level vulnerability is called an Attack Path.

PingSafe goes a step further with an automated Offensive Security Engine™ that delivers Verified Exploit Paths™ representing verified exploitable risk. The engine safely simulates attacks and returns evidence, including the attack tactics and observed results (e.g., such as a screenshot from within the compromised cloud resource).

This attacker's mindset cuts through the typical noise of minor misconfigurations and vulnerabilities, transforming an overwhelming number of theoretical attack paths into an actionable number of Verified Exploit Paths™ in a false positive-free report inclusive of the obtained evidence. Previous CNAPP generations all too often require two separate, sequential, and time-intensive stages of investigation: (1) what risk does any particular alert represent, and (2) is the risk readily externally exploitable? PingSafe's Offensive Security Engine™ automates and provides evidence for these investigations, drastically reducing time-intensive analyst efforts.

Company Philosophy Alignment

Reading the tiger team's detailed PoC and capability comparison notes, SentinelOne's Chief Product Officer Ric Smith was struck by the similarities between the two organizations.

A Senior Cloud Security Engineer's findings about the Offensive Security Engine noted, "it empowers security teams to act decisively, minimizing dependence on human vetting of alerts." Smith continues, "It reads like SentinelOne, like a review of our Behavioral AI or our Storyline™ innovations. It automates investigation, which can be time-consuming and resource-intensive, and allows security teams to jump straight to action."

Ultimately, PingSafe met SentinelOne's requirements and agentless cloud security needs. Alongside SentinelOne's announcement of intention to acquire, the SOC team began working to transition PingSafe from a POC to a primary security solution, and the previously deployed alternatives were scheduled for decommission and removal.

90 Days Later

As an internal customer, adopting Cloud Native Security capabilities has been smooth.

The Offensive Security Engine, alongside the built-in remediation options (i.e., remediation guidance, one-click remediation, and auto-remediation), has already positively impacted cloud alert actioning. Blackwelder continues,

PingSafe, as acquired, was immediately made available in the Asia-Pacific region in February 2024 and migrated to the SentinelOne Singularity Platform between February and May 2024. Cloud Native Security was released to the North American market on May 6 and to European customers on July 8. SentinelOne will continue innovating in the cloud security portfolio with additional capabilities and integrations to further enhance our ability to improve customers and our cloud security risk profile.

Conclusion

Given today's cyber threat landscape, it can be an uphill challenge for organizations to protect their cloud resources. SentinelOne is on this journey with you, continuing to innovate and providing our customers with the most comprehensive and marketing-leading CNAPP available.

Our SOC continues to evaluate and revalidate our security posture and the tools we use to protect ourselves so we can protect you. The PingSafe evaluation and subsequent acquisition are representative of these investments, and we welcome the chance to show you how we can provide you with the same level of value.

Learn more about Singularity Cloud Security here, or hear what our customers have to say on PeerSpot, G2, and Gartner Peer Insights. A self-guided tour is also available here for those who want to see CNS in action.