We are pleased to announce Ranger Pro, an available extension of Singularity Ranger®, which uses configurable job automation to conveniently and efficiently close agent deployment gaps. This exciting new option reduces stress and raises the productivity of an already overburdened Security team by offloading the ongoing and repetitive task of EPP/EDR agent installation. With peer-to-peer agent deployment, Ranger Pro finds and closes any agent deployment gaps, ensuring that no endpoint is left unsecured.

What Is An Agent Deployment Gap?

As SentinelOne customers already know, Singularity Ranger® is about proactive attack surface management. The first challenge that Ranger solves is visibility, showing you what is on your network.

Ranger uses a proprietary ML device fingerprinting engine (FPE) to find any IP-enabled device connected to your network without any additional agents, hardware, or network changes. Ranger creates a device inventory in moments, organized by device function and by security state: Secured, Unsecured, Unsupported, and Unknown.

Secured: These are endpoints that already have a Sentinel agent.
Unsecured: These devices can support an agent, but do not yet have one.
Unsupported: These devices, whether by hardware or software limitations, cannot support a Sentinel agent. Examples include OT (operational technology) devices, such as manufacturing process sensors.
Unknown: These are devices that the FPE could not yet categorize. The fingerprinting engine gets ‘smarter’ the longer it observes device communication traffic.

Ranger can autonomously discover unprotected devices

It is the so-called unsecured endpoints that are of particular interest to Ranger Pro. Any such device represents a gap in your agent deployment and a potential attack surface to be exploited. The security gap needs to be closed before malware or ransomware can exploit it.

How Do These Gaps Happen?

We often hear the question, “How do these gaps happen?” There are a number of possibilities. First, you may not have completed your initial agent rollout, but thought you did. Limited visibility is a real challenge facing IT security, and our solution tackles that challenge head-on. As previously mentioned, Ranger will spotlight any unsecured devices. In this way, it helps Security confidently answer the question, “Have I completed my agent rollout?” And if that answer is no, you will know exactly where to look. (And please, hold that thought for two paragraphs more…)

Another likely scenario is a hardware replacement cycle: new user endpoints or servers were purchased and put into service by IT, perhaps without a Sentinel agent installed to protect against known and unknown threats. Similarly, new employees are onboarded, often with new laptops or desktops which need autonomous cybersecurity protection, detection, and response.

In all of these cases, Ranger would show when an endpoint needs a Sentinel agent. Security teams can configure the solution to alert anytime such an unsecured endpoint is found.

Why Did We Create Ranger Pro?

After finding the coverage gap, the inevitable next step facing the security team is closing the gap. Security administrators can indeed choose to do so manually via the SentinelOne Management Console, but such repetitive tasks are begging to be automated.

No one suggests that installing an agent is unworthy of Security’s attention, only that such a task comes at the opportunity cost of a SOC analyst’s valuable time. Security teams are often stretched far too thin and need sensible automation to help them do their job more effectively.

Moreover, how long would the endpoint remain in the wild without a Sentinel agent keeping watch? After all, SOC analysts are on the front lines of a high-stakes battle for the security of the organization against all threats. Much like nurses and physicians in a hospital emergency room, security staff are often forced to triage events, giving their time and focus to the most pressing matters of the day. SentinelOne created Ranger Pro to solve this pain.

Slashing an uncertain response time to a matter of moments, Ranger Pro is both a highly configurable and reliably automated means of completing your Sentinel agent rollout to unsecured endpoints.

An available add-on, Ranger Pro includes all of the Ranger capabilities available for your chosen functionality level – Singularity Core, Control, or Complete – with the added convenience and repeatability of automated deployment. Inevitably, the next question is, “How does it work?”

How Does Ranger Pro Work?

The following sequence walks you through the process.

First, by using the networked device inventory capability, an administrator notices a few unsecured endpoints. In this example site, there are five endpoints, four of which are unsecured. The admin selects two of those four endpoints. She could just as easily have selected all four, but perhaps this is her first experience with Ranger Pro’s automated agent deployment and so she wants to test it on a subset.

Under the Actions pull-down, she selects Deploy Agent.

Selecting unsecured devices for Agent deployment

The Auto Deploy pop-up window is opened, and the administrator selects the appropriate Agent deployment package.

Selecting the Agent deployment package

Once the package is chosen, the administrator enters the master passphrase credentials for her secure credential vault. SentinelOne does not have access to the credentials.

Entering the Master Passphrase credentials

Then the admin selects the appropriate site to assign the endpoints.

Completing Auto-Deploy configuration

And then Ranger Pro is off to the races, handling the details of Agent installation.

Switching to the Task Management context, the administrator can check the job status as it moves from “Pending” to “In Progress” to “Completed.”

Keeping an eye on job status via Task Management

Ranger Pro examines nearby secured endpoints and selects the one which can most efficiently install the Agent via the peer-to-peer deployment mechanism. Here the first Agent installation is completed.

Ranger Pro autonomously deploys the correct agent

Once Ranger Pro completes the installation and the next device inventory scan is done, the updated inventory reflects the newly secured endpoints. In this example, we installed an agent on two endpoints. In practice, a security administrator is just as likely to have configured the agent installation for all unsecured endpoints on this site. Or, perhaps this was the first attempt using Ranger Pro and the admin just wanted to explore the process on a subset of endpoints.

Once the admin is comfortable and confident with the auto-deploy capability, she can easily tackle the remaining endpoints’ agent installation with a few simple clicks.

A few clicks and you can auto-deploy agents across an entire site

Summary

Ranger Pro provides a convenient means of quickly and reliably installing a SentinelOne endpoint security agent on unsecured endpoints. The best part? Ranger does not need extra agents to manage your network attack surface; its AI is woven into the Sentinel agent itself. Using peer-to-peer agent deployment, Ranger Pro conveniently finds and closes any agent deployment gaps, providing security administrators with yet another way of proactively reducing their attack surface.

To explore Ranger and Ranger Pro, visit our solution page, read the datasheet, and when you are ready, contact us to discuss how SentinelOne can help your team do more.


“Do a podcast” they said. “But not just a regular podcast, they’re boring. Make it really interesting, with charismatic guests, tackling current cyber topics. Easy!”

Easy, indeed.

After production issues, name changes, disappearing guests, cutting compelling content, format changes, regular doses of technical issues and a long gestation period, it’s finally going live. And I couldn’t be more thrilled with the result, wholly because of the wonderful friends and colleagues I was able to chat with for the making of this series. They were so good in fact, that we decided to optimistically rename these six episodes as “Season One” of the CyberChat podcast. Next time, we might even do it with video.

So what is it all about, then? Well, my main goal was to highlight not just the more well-known characters in this industry, but also the folks who are working so very, very hard to create community events, spread awareness and share knowledge for the greater good of the broader infosec community. These are the people that really do make a difference, and I have no doubt that each and every one of you will have learnt something from them at some point in the past, so wide and varied is their experience.

And it was so much fun to do as well. I am at that stage of my life now where if I am not having fun doing something I won’t do it, so to say recording this series was a highlight of my current job would be an understatement. My guests are charming, erudite, intelligent, informed, and above all funny; each conversation was the very definition of a “pub chat”, making each episode an easy but informative listen. The intelligence and infosec knowledge of each of my guests is also without question, and with the exception of Episode 6, I was definitely not the smartest person in the room.

Take a look at what we have in store for you over the coming weeks:

Episode 1 – Brian Honan

It’s one thing to own and run a successful and renowned cybersecurity consultancy; it’s another to also be an internationally acclaimed speaker, author, and founder of Ireland’s Computer Emergency Response Team (CERT). We discuss Brian’s work in the industry, what motivates him, and the importance of supporting initiatives like community infosec events and the Irish CERT.

Episode 2 – Jim Shields

Jim built a reputation making the pioneering infosec sitcom Restricted Intelligence, the award-winning educational infosec series aimed at corporates. It made awareness training engaging, fun, and above all memorable. Is the infosec industry in need of more fun, or do we have quite enough at the moment, thank you very much?

Episode 3 – Rowenna Fielding

Rowenna is a highly regarded privacy professional, known for giving information security nerds a hard time. A champion of people’s personal and human rights, as well as having an encyclopedic knowledge of GDPR and other related topics, she actually manages to balance her huge intellect with being one of the best human beings I know.

Episode 4 – Sandeep Singh and Vandana Verma

Sandeep is one of the co-organizers of BSides Delhi. He is also the co-lead of the OWASP Delhi chapter, Community Manager of the null community, and actively supports the local and global security community whenever and wherever he is able to. The award-winning Vandana is Security Solutions Architect at Snyk. She is a Vice-Chair of the OWASP Global Board of Directors, leads diversity initiatives like InfosecGirls and WoSec, is the founder of InfosecKids, and is a member of the Black Hat Asia Review Board as well as those of multiple other international conferences.

Episode 5 – Graham Cluley and Carole Theriault

Graham was at the forefront of anti-virus right from the very beginning, from being Dr Solomon’s right-hand man to becoming the public face of Sophos Security. Carole has 20+ years in the industry, is the founder of Tick Tock Social, a comms consultancy for the tech world, and host on Smashing Security podcast.

Episode 6 – Andrew Agnês & Javvad Malik

Javvad & Andrew are two-thirds of the trio known as Host Unknown. One has an ego and the other thinks he doesn’t. Both are well-known, established infosec professionals whose reputation often precedes them. We talk about humour in the industry.

There you have it! Season One of CyberChat is speeding its way to you through the tubes and pipes of the internet as you read this. I hope you enjoy listening to it as I did recording it, and above all, learn something from it. I’ll see you again in Season Two!

Stay Secure Folks!


SentinelOne Announced As Launch Partner for Amazon EKS Anywhere

Today, SentinelOne was announced as a launch partner for AWS’ new on-prem and hybrid Kubernetes service, Amazon EKS Anywhere. EKS Anywhere extends AWS’ popular cloud Kubernetes service to deliver hybrid cloud agility for on-premises workloads. EKS Anywhere brings customers flexibility and choice when deploying, managing, and scaling Kubernetes workloads.

Flexibility and Choice for Kubernetes

Containerized applications are the future of how applications are written and deployed.

Gartner predicts that by 2023, 70% of organizations will be running three or more containerized applications in production. Kubernetes, a purpose-built open-source platform for managing and orchestrating containers, is the most used container orchestration control plane powering more than 50% of containerized applications. By abstracting the complexity of container lifecycle management, Kubernetes enables organizations to re-architect and modernize applications for scalability and portability.

Despite the almost universal adoption of cloud services, many organizations have sunk CapEx investments in on-premises infrastructure. Additionally, DevOps teams likely have separate tooling for Kubernetes in the data center vs. Kubernetes running in public clouds like AWS. Multiple control planes for Kubernetes workloads lead to a lack of uniformity, which makes management complex, confusing, and expensive. Operational differences between separate Kubernetes environments also lead to gaps in security policy and controls. Organizations need a way to unify the management of Kubernetes, utilizing existing on-premises investments while taking advantage of the agility and scalability of the public cloud. For these reasons, hybrid approaches offer the best of both worlds and are the driving force behind AWS’ new EKS Anywhere offering.

How Does EKS Anywhere Work?

EKS Anywhere provides a hybrid cloud Kubernetes control plane for creating and operating K8s clusters on-premises on your own hardware or in the public cloud. Where the EKS service manages Kubernetes workloads in AWS, EKS Anywhere extends the managed Kubernetes service to containerized workloads deployed on-premises or in a hybrid configuration.

EKS Anywhere uses the backbone of EKS to automate the deployment, scaling, and management of containerized apps.

EKS and EKS Anywhere are powered by Amazon EKS Distro, Amazon’s open-source Kubernetes distro. EKS Distro is an upstream, certified conformant version of Kubernetes that enables the creation of K8s clusters anywhere. EKS Anywhere bundles Kubernetes with networking, cluster config database, and storage plugins that are all tested, supported, and validated by AWS. With EKS Anywhere, AWS offers continuous security patches, updates, and extended support.

EKS Anywhere helps reduce support cost, tool redundancy, and complexity with a single dashboard in AWS console that provides unified management of K8s regardless of location. EKS Anywhere supports several types of deployments based on the availability of internet connectivity at the on-premises location:

Fully Connected: Supports backups, instance snapshots to S3, and full-featured audit, compliance, and policy management.
Partially Connected: In cases of intermittent disconnects, the EKS console will show the last connected state.
Disconnected: Use EKS distro to run clusters on-premises. All of the benefits of homogeneous EKS Distro images without a centralized EKS management console in AWS.

Amazon EKS Anywhere delivers a number of benefits for organizations seeking frictionless hybrid cloud:

Workload migration and modernization: Provides developers and DevOps with consistent tooling and a familiar interface for deploying Kubernetes. Rather than refactoring or re-platforming containers, a common base image enables an accelerated journey to the cloud for K8s workloads.
Utilize and optimize on-premises investments: Use existing investments in on-premises infrastructure, especially for applications that require low latency. Deploy applications on-premises using EKS Anywhere and seamlessly burst excess demand to EKS in AWS for temporary capacity.
Flexibility: Choose the right infrastructure for the right workload with maximum choice. Have applications with specific data residency requirements? Keep the data where it is for compliance purposes, and shift compute to cloud-based instances in EKS.

What Does SentinelOne Bring To EKS Anywhere?

Kubernetes provides many benefits for DevOps, but if improperly secured presents an attractive target for adversaries who seek to disrupt business. The 2021 IDC State of Cloud Security survey says 98% of companies surveyed experienced a cloud data breach in the last 18 months, illustrating that cloud workloads are just as vulnerable to malware, ransomware, and nation-state attacks as user endpoints. Kubernetes has become a popular attack vector and is primarily targeted for data theft, cryptomining using the underlying infrastructure, and denial of service to critical applications. This challenge prompted the NSA to issue specific guidance on the hardening of Kubernetes environments.

Just as DevOps and developers struggle with tool redundancy and complexity, so do cloud security practitioners. Multiple cloud security tools create operational difficulties and blind spots, which may leave organizations vulnerable. SentinelOne believes that for cloud security to be effective, it should provide the same level of consolidated management and automation as Amazon EKS Anywhere does for Kubernetes.

An integral part of the Singularity Platform, Singularity Cloud extends security and visibility to assets running in public clouds, private clouds, and on-premises data centers. Singularity Cloud is the single console for hybrid cloud management; security teams can manage not only Linux and Windows servers in Amazon EC2, but also Docker and Kubernetes-managed containers, all from the same console where they secure user endpoints.

A single featherweight Sentinel agent delivers runtime, AI-driven protection, detection, and response at machine speed across the hybrid cloud estate. The Kubernetes Sentinel brings ActiveEDR® to Docker containers and both self-managed and managed Kubernetes services like EKS, EKS Anywhere, ECS, and ECS Anywhere, with automated kill and quarantine, Application Control Engine, and complete remote shell forensics.

Detecting Threats in an EKS Environment

Our agent is DevOps-friendly. Auto-deployed as a DaemonSet, a single, resource-efficient Kubernetes Sentinel agent protects the Kubernetes worker, its pods, and all their containers without any container instrumentation to gum up the works. Plus, our agent operates entirely in user space: no tainted kernels, no kernel panics, and freedom to update your AMI at will without fear of conflicting with the Sentinel agent.

SentinelOne gathers cloud metadata from the workload, making it easy to tag, group, and manage policy based on the workload characteristics. To simplify management, we can take all instances with a particular image ID and apply a more granular or hardened policy.

“Amazon EKS Anywhere brings unprecedented flexibility and agility for Kubernetes workloads by offering true hybrid cloud container orchestration,” said Guy Gertner, Vice President of Product Management, SentinelOne. “The SentinelOne Singularity Platform delivers industry-leading protection and EDR to Kubernetes and containerized workloads, wherever they are deployed, whether on-premises or in AWS.”

SentinelOne is powered by AWS and is available on the AWS Marketplace. Learn more about SentinelOne and AWS to see how SentinelOne brings AI-powered threat prevention, detection, and response to AWS workloads.


Delivery Scams Most Prominent Form of Smishing

Texts purporting to be from parcel and delivery companies are the most prevalent form of ‘smishing’ scams, according to new data provided to UK Finance by cybersecurity firm Proofpoint.

The data showed that over two-thirds (67.4%) of all UK texts reported as spam to the NCSC’s 7726 text messaging system, operated by Proofpoint, during the 30 days to mid-July 2021, were supposedly from delivery companies. The next highest category of scam texts was those pretending to be financial institutions and banks (22.6%).

Over the 90 days to mid-July, the proportion of spam texts relating to parcel and package deliveries was lower, at 53.2%, while those purporting to be from financial institutions and banks were 36.8%.

As with other forms of phishing campaigns, smishing attacks have risen substantially during the COVID-19 pandemic, with the crisis providing significant opportunities for scammers to lure consumers into clicking on malicious links and giving away personal data such as credit card details. One such opportunity is the rise in online deliveries as a result of social distancing restrictions.

Katy Worobec, managing director of economic crime at UK Finance, commented: “Criminals are experts at impersonating a range of organizations and have capitalized on the pandemic, knowing that many of us will be ordering goods online and awaiting parcel deliveries at home.

“We are urging people to follow the advice of the Take Five to Stop Fraud campaign and to always stop and think whenever you get a text message out of the blue before parting with your information or money. Always avoid clicking on links in a text message in case it’s a scam and forward any suspected scam text messages to 7726, which spells SPAM on your telephone keypad so that the criminals responsible can be brought to justice.”

Sarah Lyons, NCSC deputy director for economy & society, said, “Scammers and cyber-criminals regularly exploit well-known, trusted brands for their own personal gain, and sadly these latest findings bear that out.

“We would encourage people to be vigilant to any suspicious-looking text messages, which should be forwarded to 7726. However, these scam messages can be very hard to spot, so if you think you’ve already responded to a scam, don’t panic. Whether you were contacted by text message, email or phone, there’s lots you can do to limit any harm. Visit www.cyberaware.gov.uk for more information on how to protect your online accounts and devices.”

Last week, consumer group Which? warned consumers to be aware of a new smishing scam impersonating international parcel delivery firm DPD, which requests the user to send a small fee to rearrange delivery of a parcel.