Every time we hear customer stories of breaches prevented, compliance achieved, costs slashed, technology optimized, or other real-world tales of digital transformation, we rejoice – it’s why we do what we do. More and more, we hear these stories come from the winning solutions presented by Fishtech’s CYDERES and Google Cloud’s Chronicle.

Often, we’re going into detail about the specifics of how CYDERES and Chronicle complement each other to bring out the best in each other’s offerings, with Chronicle’s revolutionary telemetry analysis at a mass scale, and the next generation managed detection and response from CYDERES that analyzes and reacts to the security telemetry and potential threats that Chronicle illuminates.

Next up, we’re excited to showcase how these already powerful solutions integrate with best-in-breed technology in other areas of your cyber program. Imagine a fully tech-agnostic platform that has the ability to integrate with other solutions in your current stack, seamlessly fitting into what you are already running to bring unprecedented value and protection to you and your data.

A great example of an integration that is a fantastic complement to what CYDERES and Chronicle bring to the table comes from the world of Endpoint Detection and Response, or EDR. Specifically, we’re looking at a feature from SentinelOne that allows more freedom with how you can gather and use the mass amount of telemetry generated from your endpoints making it a fantastic accessory for the ingestion capabilities of Chronicle, and the full enterprise managed detection and response from CYDERES.

For more on this, we’ll hand the reins over to John Tuckner, Director of Customer Success Engineering at CYDERES, who recently wrote about this SentinelOne feature and how it integrates with Chronicle and CYDERES. If you are interested in talking more about how you can take advantage of EDR solutions with CYDERES, fill out the form at the bottom of the page, and we can connect you with an expert to help you find the right solution for your organization.

Without further ado…

SentinelOne Deep Visibility Export

By John Tuckner

Editor’s Note: This article was originally posted on John Tuckner’s blog which you can find here.

The EDR market has proven itself to be incredibly valuable over the past 5–6 years. I think many security practitioners would agree there is no larger return on investment than buying an EDR. It has even become such a large and wide market that 1. marketing has taken the entire segment over and 2. the vendors have started really competing against each other for dominance from a features perspective (both probably very related). One feature I key in on is the ability to make your endpoint telemetry (the data you own!) accessible outside of the vendor provided platforms.

The most intriguing aspect to me in the EDR realm is the telemetry that all EDR platforms are able to capture. From CrowdStrike to Sysmon, there are varying levels of effort to capture and stipulations tied to each in order to gather that telemetry. One new and incredibly promising vendor that makes telemetry available now is SentinelOne! I can’t get enough of the progress they are making in this space with their expanded “Deep Visibility” features turning the corner from a traditional EPP platform into a telemetry rockstar. It is a solution that can help provide the data needed for detection from nearly anywhere at the speed at which attacks occur.

With the Deep Visibility feature set enabled in your instance, SentinelOne will provide a Kafka instance and give customers (+ MSSPs) access to that instance to process that data.

https://support.sentinelone.com/hc/en-us/articles/360026565994-Subscribing-to-Your-Events-Using-the-Deep-Visibility-Exporter-Hermes-

I could go on for days at the value of message queues for security data, but this is really a great way to provide data for use. Looking through SentinelOne’s community boards, it had been a common ask for their Deep Visibility data to be accessible for SIEM use and now we’re there!

Currently, the Deep Visibility data provided in the Kafka stream falls into these categories:

  • Process Creation
  • Process Termination
  • Process Exit
  • File Creation
  • File Modification
  • File Deletion
  • File Rename
  • DNS
  • TCPv4 Connection
  • TCPv4 Listen
  • Persistency
  • HTTP Request
  • Login
  • Logout
  • Registry Key Creation
  • Registry Key Rename
  • Registry Key Delete
  • Registry Key Export
  • Registry Key Security Changed
  • Registry Value Creation
  • Registry Value Modified
  • Registry Value Delete
  • Registry Key Import
  • Scheduled Task Register
  • Scheduled Task Update
  • Scheduled Task Delete
  • Scheduled Task Start
  • Scheduled Task Trigger

I am a power user of Google Cloud’s Chronicle platform and there is no better platform right now to process the huge amounts of data that endpoints generate from that list. For this ‘small’ deployment I’ll be working with, we’re at 18GB of unmetered ingestion a week.

The blog post goes deeper into specific use cases. If you’d like to read the rest of the post and the more technical examples, follow this link.

To summarize, giving customers visibility into all their security telemetry is incredibly important, and we appreciate SentinelOne as well as others who are giving this much needed attention inside their solutions.

And what’s the best way to procure the necessary high-volume and long-access storage at a price point decoupled from volume or usage? Not only that, but a solution that has combined with the search speed of Google and the robust reporting and response capabilities of CYDERES?

CYDERES CNAP.

Learn how we can “CNAP on” this solution to modernize your existing SIEM/SOC, or start a all-new one with a CNAP. Learn more about CYDERES CNAP here, or fill out the form below and let’s start a discussion.