SentinelOne - Application Inventory

Updated: Apr 17, 2020

Although researchers discover new vulnerabilities every day, organisations often find out about them only after a breach has happened, when it is too late. A vulnerable application can be a free pass for an attacker into your organisation's systems, and monitoring and updating those applications becomes a real problem once you have to deal with thousands of endpoints. What is needed is the ability to identify and prioritise vulnerable applications across the whole network.

SentinelOne gives full visibility of the vulnerable applications on every device the agent is installed on. This insight comes from the agent's in-depth inspection of the endpoint, combined with data from the National Vulnerability Database (NVD), which is updated continuously. The match is only as good as the product and version the agent identifies, and it covers only vulnerabilities that have been published to the NVD; a flaw with no CVE yet will not appear in the inventory.


In addition, SentinelOne's Exploit Shield detects and blocks attempts to exploit the discovered vulnerabilities. It relies on the behavioural AI engine to flag activity that deviates from the application's normal operation.


Applying software patches is widely known to be a time-consuming process that can require several rounds of testing. SentinelOne covers the exposed applications in the meantime, giving technical staff time to test without fearing exploitation and breach. This is a compensating control, not a fix: the vulnerability remains on the endpoint until the patch is actually applied.


Visibility

We tested SentinelOne in a demo environment and the results can be seen below.

In the demo, WinRAR and WinSCP were flagged with high-risk vulnerabilities, while Skype, Mozilla, Wireshark, VMware and VLC media player were flagged with medium-risk ones.

For each vulnerability the console shows information such as its publication date and an explanation of what successful exploitation might result in.


No known Risks

You can also search for applications with "No known risks" in SentinelOne's management console. Because this view lists every installed application, not only the vulnerable ones, administrators get full visibility of the software on their endpoints and can use it to spot unwanted applications.

In this demo environment, one of the endpoints has uTorrent installed. Even though the console lists no known vulnerabilities for it, a peer-to-peer client can introduce malware and is rarely wanted in a business environment. This level of visibility lets technicians act quickly and decisively on any weak point in the system, for example by removing the application from the endpoint and adding it to a blacklist (another SentinelOne feature) to prevent it from coming back.
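As an added illustration of how an inventory like this is built (example code written for this page, not SentinelOne's own logic), the script below correlates a constructed application list with NVD-style records carrying the affected version range, CVSS score, publication date and impact text, ranks the findings by severity, and then lists the software that matches no record at all but is also absent from an approved list, which is the uTorrent case above. Hosts, product names, versions, records and the CVE-style identifiers are all constructed placeholders, not real software or advisories.

```python
"""Added example (not SentinelOne code): correlate an endpoint application
inventory with NVD-style vulnerability records, rank findings by CVSS,
and list software that matches no record ("No known risks") but is not on
the approved list.  All hosts, products, versions and records below are
constructed for the example; the CVE-style identifiers are placeholders."""
from dataclasses import dataclass
from typing import List, Optional, Tuple


def parse_version(v: str) -> Tuple[int, ...]:
    """'5.17.8' -> (5, 17, 8).  A trailing non-numeric suffix such as
    '-beta' is dropped, so '5.80-beta' compares equal to '5.80'."""
    parts = []
    for piece in v.split("."):
        digits = ""
        for ch in piece:
            if not ch.isdigit():
                break
            digits += ch
        if not digits:
            break
        parts.append(int(digits))
    return tuple(parts)


@dataclass(frozen=True)
class CveRecord:
    """Subset of the fields an NVD entry carries: affected range in the
    versionStartIncluding/versionEndExcluding style, score and impact."""
    cve_id: str
    product: str
    version_end_excl: str        # first fixed version
    cvss: float                  # CVSS v3 base score
    published: str               # YYYY-MM-DD
    impact: str                  # what successful exploitation gives
    version_start_incl: Optional[str] = None


def severity(score: float) -> str:
    """CVSS v3 qualitative rating (FIRST scale)."""
    if score >= 9.0:
        return "Critical"
    if score >= 7.0:
        return "High"
    if score >= 4.0:
        return "Medium"
    if score > 0.0:
        return "Low"
    return "None"


def is_affected(installed: str, rec: CveRecord) -> bool:
    """True when the installed version falls inside the record's range."""
    v = parse_version(installed)
    if rec.version_start_incl and v < parse_version(rec.version_start_incl):
        return False
    return v < parse_version(rec.version_end_excl)


def assess(inventory, records) -> List[dict]:
    """One finding per (host, application, matching record), most severe
    first so the patch queue can be worked from the top."""
    findings = []
    for host, product, version in inventory:
        for rec in records:
            if rec.product == product and is_affected(version, rec):
                findings.append({
                    "host": host, "product": product, "version": version,
                    "cve": rec.cve_id, "cvss": rec.cvss,
                    "severity": severity(rec.cvss),
                    "published": rec.published, "impact": rec.impact,
                })
    findings.sort(key=lambda f: (-f["cvss"], f["host"], f["product"]))
    return findings


def unapproved_without_findings(inventory, records, approved) -> List[Tuple[str, str]]:
    """Software with no matching record at all ('No known risks') that is
    also absent from the approved list: the uTorrent case in the text."""
    known = {r.product for r in records}
    return sorted({(host, prod) for host, prod, _ in inventory
                   if prod not in known and prod not in approved})


# Constructed inventory and records (fictional products, placeholder IDs).
INVENTORY = [
    ("WS01", "acme-archiver", "5.60"),
    ("WS01", "acme-sftp", "5.13.1"),
    ("WS02", "acme-player", "3.0.6"),
    ("WS02", "acme-torrent", "3.5.5"),   # no record: "No known risks"
    ("WS03", "acme-archiver", "5.71"),   # already at the fixed version
]
RECORDS = [
    CveRecord("CVE-0000-0001", "acme-archiver", "5.70", 7.8, "2019-02-20",
              "arbitrary file write leading to code execution"),
    CveRecord("CVE-0000-0002", "acme-sftp", "5.14", 8.1, "2019-01-15",
              "path traversal during file transfer"),
    CveRecord("CVE-0000-0003", "acme-player", "3.0.7", 5.5, "2019-08-19",
              "out-of-bounds read on crafted media", version_start_incl="3.0.0"),
]
APPROVED = {"acme-archiver", "acme-sftp", "acme-player"}

if __name__ == "__main__":
    for f in assess(INVENTORY, RECORDS):
        print(f"{f['severity']:<8} {f['cvss']:<4} {f['host']} {f['product']} "
              f"{f['version']} {f['cve']} published {f['published']}: {f['impact']}")
    print("no known risks, not approved:",
          unapproved_without_findings(INVENTORY, RECORDS, APPROVED))
```

Version comparison is where such correlations usually go wrong in practice: vendor version strings are not always dotted integers, and a range given as "versionEndExcluding" must be compared as a tuple, not as a string, or "5.9" would sort after "5.13".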


Blacklisting

Blacklisting is a SentinelOne feature that lets the user mark specific SHA1 hash values to be treated as malicious, giving tighter control over the applications a user can install on their endpoint. A hash entry matches only the exact file it was taken from: a new version, or a rebuilt or repacked binary, has a different SHA1 and needs its own entry.


In the previous example, we detected an undesired application on one of our endpoints. The recommended course of action is to add the SHA1 hash of the software's executable to the blacklist, which leads to its immediate mitigation. To prevent the software from being installed again, we can also add the hash of its installer to the blacklist.

The image above shows how the agent detects and immediately mitigates any blacklisted file.
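The hashing side of that procedure, as an added example that is not SentinelOne's code: compute the SHA1 of the executable and of the installer, keep both in a blacklist, and scan a directory tree for any file whose content matches. The files, paths and names are constructed in a temporary directory; the scenario includes a renamed copy (caught, since only content matters) and a rebuilt binary that differs by a few bytes (missed, which is the limit of a hash blacklist).

```python
"""Added example (not SentinelOne code): a SHA1 hash blacklist of the kind
the console accepts, built from an application's executable and installer,
then matched against every file under a directory tree.  The files are
constructed in a temporary directory so the script runs offline."""
import hashlib
import os
import tempfile
from pathlib import Path
from typing import Dict, Iterable, List, Set


def sha1_hex(data: bytes) -> str:
    """Hex SHA1 of an in-memory byte string."""
    return hashlib.sha1(data).hexdigest()


def sha1_of_file(path: Path, chunk_size: int = 1 << 20) -> str:
    """Stream the file through SHA1 so multi-hundred-MB installers do not
    have to be loaded whole."""
    h = hashlib.sha1()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def build_blacklist(samples: Iterable[Path]) -> Set[str]:
    """Hash the running binary *and* its installer (lower-case hex), as the
    text recommends, so both the installed copy and re-installation
    attempts match."""
    return {sha1_of_file(p).lower() for p in samples}


def scan_tree(root: Path, blacklist: Set[str]) -> List[str]:
    """Return every file under root (as a root-relative POSIX path) whose
    SHA1 is blacklisted.  Matching is by content only, so a renamed copy is
    caught but a file that differs by a single byte (new version, repacked
    build) is not."""
    hits = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            p = Path(dirpath) / name
            if sha1_of_file(p).lower() in blacklist:
                hits.append(p.relative_to(root).as_posix())
    return sorted(hits)


def demo() -> Dict[str, object]:
    """Constructed scenario: blacklist client.exe and its installer, then
    scan a tree holding the originals, a renamed copy, a rebuilt binary
    (different content) and an unrelated file."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        # Constructed file contents; the 'MZ' prefix only mimics a PE header.
        files = {
            "Program Files/unwantedclient/client.exe": b"MZ\x90\x00client-v1",
            "Downloads/client-setup.exe":              b"MZ\x90\x00setup-v1",
            "Users/alice/Desktop/notes.exe":           b"MZ\x90\x00client-v1",  # renamed copy
            "Users/alice/Downloads/client.exe":        b"MZ\x90\x00client-v2",  # rebuilt binary
            "Windows/notepad.exe":                      b"MZ\x90\x00notepad",
        }
        for rel, content in files.items():
            p = root / rel
            p.parent.mkdir(parents=True, exist_ok=True)
            p.write_bytes(content)
        blacklist = build_blacklist([
            root / "Program Files/unwantedclient/client.exe",
            root / "Downloads/client-setup.exe",
        ])
        hits = scan_tree(root, blacklist)
    return {"blacklist_size": len(blacklist), "hits": hits}


if __name__ == "__main__":
    result = demo()
    print(f"{result['blacklist_size']} hashes blacklisted")
    for hit in result["hits"]:
        print("blacklisted file:", hit)
```

The renamed copy under the user's desktop is flagged because the blacklist never looks at file names, while the rebuilt client.exe in the downloads folder passes untouched; every release of an unwanted application therefore needs its executable and installer hashed and added again.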


Conclusion

SentinelOne is shaping a future in which endpoint security unifies detection, prevention, monitoring and remediation. Its approach of deep inspection of all files and processes with machine learning isolates malicious behaviour and protects against advanced targeted threats and zero-day exploits in real time.

