Does Sentinel One Capture Client serve as a complete replacement for Webroot/Malwarebytes endpoint clients?

I am trying to confirm whether Sentinel One EndPoint Protection is a viable replacement for existing Webroot EndPoint Protection and MalwareBytes EndPoint Protection. We have been using Webroot/Malwarebytes endpoint clients on our workstations and servers for about four or five years now. We have not encountered any compromises/issues using these products. I also need to mention that we use Cisco's Umbrella Roaming Client as well.

We also have a SonicWall TZ500W with the Comprehensive Gateway protection. We never enabled the DPI module because it caused many connection issues accessing creditable Court websites, etc.

So now SonicWall is promoting/offering their Capture Client solution, which I am interested in. I wanted to purchase the Sentinel One client software a couple of years back, but they said I could not make a purchase since the minimum count they could sell is 100. We only need 25 licenses. So now that SonicWall offers Capture Client, I want to know if it's feasible to say it would actually replace both Webroot and MalwareBytes EndPoint products and not just work alongside and complement them. So, I contacted Sentinel One Sales and they indicated their product serves as a direct replacement. They also mentioned their clients actually use Capture Client exclusively.

I have concerns about a complete replacement solution. I just want to ensure that if we decide to deploy Sentinel One Capture Client as the sole Anti-Virus and Anti-Malware solution, it performs as well as or better than the existing endpoint products combined. I am also concerned about deploying Sentinel One on our domain controllers, SQL servers, Exchange servers, and file servers.
cmp119 (IT Manager) asked:
Andrew Leniart (Senior Editor) commented:
Quoting the question: "We have been using Webroot/Malwarebytes endpoint clients on our workstations and servers for about four or five years now."

Quoting the question: "performs as well or better than the existing endpoint products combined."

My opinion - stick with what you have.

I have an inherent dislike of any product or company that claims to offer a security-related solution that replaces all others. The fact of the matter is that no one solution can or will catch everything and that's been proven time and time again as people all around the world get infected with one piece of malware or another because their endpoint solution fails to recognize or catch a threat before the damage is done.

Take Malwarebytes, a product I promote to all my clients and use on every machine I own; it also made this mistake by making a grab for more users with a ludicrous claim that "their" solution was so good as to make all Antivirus products obsolete. A ridiculous statement for any company to make, and the event not so long ago that brought millions of machines around the world to their knees because of a released bad update only serves to reinforce my views.

If MWB was the only solution being employed at the time, then every one of those machines would have been left vulnerable to the thousands of threats roaming the Internet all over the world. As it turned out, the worst that happened is that a lot of people experienced a load of frustration and considerable down time.

Any company claiming their product is a direct replacement for other combined solutions immediately waves a red flag for me and makes me wonder why they would need to employ such an aggressive (and outrageous) marketing strategy. In my opinion, you should stick with what you have.

By your own words, you "have not encountered any compromises/issues using these products" - the age-old adage of not fixing what isn't broken I think is quite appropriate here.

I hope that's helpful.

Regards, Andrew
Blue Street Tech (Last Knight) commented:
Hi cmp119,

Security is not a product... it's an ongoing and rigorous process that is ever-changing! Furthermore, it is not a place to be complacent.

In 2017 we saw an overall reduction in the number of attacks, but the attacks moved horizontally instead of vertically. In other words, the malware was slightly modified across the threat landscape so that the number of variants grew by 100%. This is one of the reasons virus definitions are not only a bad strategy moving forward but are quickly becoming superannuated. Webroot and MalwareBytes were becoming deprecated or siloed, as any AV/AM will that still relies on virus signatures, and therefore had to acquire ML (Machine Learning) companies and strap them onto what they currently have to stay relevant in the game.

Quoting the question: "I am trying to confirm whether Sentinel One EndPoint Protection is a viable replacement for existing Webroot EndPoint Protection and MalwareBytes EndPoint protection."
It's not only viable it is better. There is no panacea in security either, so I'm not touting that this is the end-all, be-all but it does provide you with a plethora of functions that can make a tremendous difference in your security posture. Sentinel One has partnered with SonicWALL to roll out enforced and fully integrated endpoint security, called Capture Client, which further enhances the Sentinel One offering if you have a SonicWALL NGFW (Next-Generation Firewall) because it has:
• DPI-SSL certificate management - this is the most advantageous feature... inspection of encrypted traffic
• Enforce Endpoint Security in and out of the network
• Continuous behavioral monitoring via AI
• Highly accurate determinations via ML
• Multiple layered heuristic-based techniques
• Unique rollback capabilities

Regardless of which flavor you decide to get you will still benefit from its capabilities:
1. SentinelOne is built in-house from the ground up - it's not an acquired technology - this matters from an architectural standpoint;
2. They can block Ransomware, Zero-Day and Fileless malware and a diverse set of attacks in multiple stages of the threat lifecycle;
3. They provide a protection guarantee of $1mm for Ransomware.

Let me know if you have any questions!
Blue Street Tech (Last Knight) commented:
It looks like you changed your question.

Quoting the question: "We also have a SonicWall TZ500W with the Comprehensive Gateway protection. We never enabled the DPI module because it caused many connection issues accessing creditable Court websites, etc."
DPI is enabled by default, so someone had to have disabled it at some point. I'd recommend AGSS, which provides CAPTURE ATP for the network, and DEFINITELY configure DPI - this is a security 101 mandatory function and without it you cannot achieve a security baseline. You cannot stop Ransomware and other encrypted attacks/payloads without DPI running coupled with AGSS. Plus, without AGSS you cannot stop Zero-Day, Unknowns, Spectre/Meltdown, and Fileless attacks at the gateway. Encrypted traffic on the web is now at 73% and growing - this means unless you can decrypt it you cannot inspect it, and if you cannot inspect it you cannot stop it. Just because you have had a good run without infection doesn't mean you can rest on your laurels; make no mistake, there are vulnerabilities in your current security posture.

Quoting the question: "I just want to ensure if we decide to deploy Sentinel One Capture Client as the sole Anti-Virus and Anti-Malware solution it performs as well or better than the existing endpoint products combined. I am also concerned about deploying Sentinel One on our domain controllers, SQL servers, Exchange servers, and file servers."
I'd be more concerned that you don't have DPI configured than about rolling out a tried and proven endpoint security product. You can roll CAPTURE Client out in a phased implementation, monitoring & reporting only, then take action later after your internal evaluation period is up.

Again let me know if you have any questions!
cmp119 (IT Manager, Author) commented:
Thanks for your feedback. I was hoping I would get more responses. It never panned out. Both of you provided very good points that need to be considered. Still up in the air as far as making a decision. Thank you regardless!!
Andrew Leniart (Senior Editor) commented:
You're very welcome cmp119. Sorry you didn't get more input, but I'm pleased I was able to help a little.

Regards, Andrew
Blue Street Tech (Last Knight) commented:
Glad I could help... thanks for the points!