Tom here from Lawrence Systems, and we're gonna talk about SentinelOne endpoint detection and response. Now, the thing is, I want to be as clear as I can up front: this is not paid for or endorsed by SentinelOne. I'm not a salesperson for SentinelOne; they have an entire team of salespeople you should reach out to if you want to know the full breadth of the product and all the features it has. I did this video because a lot of people have asked me about the tools we use. I don't mind talking about them and offering up my insights on what I like or don't like about them, and I do not reach out to these companies specifically. I have not reached out to SentinelOne to let them know I'm making this video. Of course, I tweeted to a few people that I was making this video, so it's not a secret, but they have no editorial oversight on this video, they had no advance copy of it, and it was not paid for or endorsed by them. This is just me talking about the product and the tools we use. That said, this is really not for end users; this is for people that maybe work in the IT services or managed services space and would like to understand some of the tooling. So that's what this demo is; it's just something on my own. This is also not an endorsement to tell you that SentinelOne is the best product in the world that will stop all threats, because anyone who makes that type of claim is just lying to you. I work in the real world, where sometimes things get through and sometimes there are false positives.
These are things that happen with any of these tools, and understanding how to use the tools ultimately leads to better security. Also, for any type of security, you should have processes, procedures and methods for dealing with it. Now that I've thrown out all those qualifiers, let's talk about the tool itself. Before we do, if you'd like to learn more about me and my company, head over to lawrencesystems.com. If you'd like to hire us for a short project, such as managing the security for your business and all of your computers, there's a Hire Us button right at the top. If you'd like to support this channel in other ways, there are affiliate links down below to get you deals and discounts on products and services we talk about on this channel.

All right, let's start here at the dashboard. This, specifically in this test environment I have set up just for this YouTube demo, is our Lawrence Systems, what we refer to as an NFR, not-for-resale, license that we have so we can do testing, because it's important that you understand the tools. So having test environments where you have a few licenses set up, where you can maybe play with some ransomware, which we're going to do today, and understand how the tool responds, is really important for training yourself and training your technicians, because a tool that you don't know how to use is not going to be a very effective one. Despite any magic these tools claim, you should take the time to really understand how to use them. Now the dashboard gives us some general insights: mitigated, not mitigated, healthy, infected. The system that we're going to be using, that we're going to be infecting on here, is the same system I did for my NinjaOne video that I posted; I'll leave a link down below to my channel. So any of the IP addresses that you see in here, don't worry, they're not mine.
It's not a big deal; I don't have to redact any of that information. Second, NinjaOne is loaded on the system for the rule management and monitoring, but I do not have our full security stack of tools, which does include Huntress. Some people may ask, what about Huntress? I've done other videos on that product and talked with some of the team over at Huntress. We continue to use their product, and normally on a full environment we would have both of these loaded, but for demo purposes I only loaded SentinelOne on the system. Now let's go over and look at what it sees as the Sentinels, which, as this is a test environment, has only a single system in there. It shows me the visible IP. It says this is Tom's Test, which is a special group because we're going to be changing some policies in there. Updated four minutes ago; January 2nd is when I registered this. Currently it's set up as healthy. It's a desktop running Windows 10 Pro 64-bit with eight gigs. It gives you quite a bit of information about the endpoint: I know the MAC address, I know it's online.
I know it's connected, I know everything that's up to date, and I know when the last full disk scan was run. It works very much like a normal antivirus in some ways, because you have features like "I just want to scan all the files on there." Because you have static threats, you have threats that are determined through behavioral heuristics, and you also have "hey, let's just scan this drive and find things that were left over in the downloads folder." Finding those is important, because you may find something in there that no one's activated, or it was something copied over from another machine. So those are, you know, good to go through once in a while, because they're not actively doing anything, just statically sitting on the system. So that's why it does have that option. We can click on the system itself, which brings up a little window down here to summarize it, and where you can go and look at the app inventory and any tasks that you have queued up for it. You can go to the actions, recently used, and do things like fetch logs, enable different features, edit the agent, edit the customer identifier; everything can be pretty simply done right here. One of the other cool features they have under endpoint actions: you can approve, reject, uninstall, reboot, shut down.
So it actually works a lot like an RMM tool, remote management and monitoring, where I can directly access the system and have actions done on it. So easy enough to do. Also, if for some reason, and it would be weird to do this, we can move this to another site if you group different sites together when you're managing, like we do, many different businesses. You have them all grouped together under their respective customers; that way you can set up policies and actions based on customer, but you can actually move it between them as well. You can revoke, randomize, migrate agent, approve local upgrade, because we need to do the agent upgrade. Among the other things that are kind of neat you can do is host isolation. So if you think a host has become problematic, you can isolate it to where the only thing it can talk to is the SentinelOne dashboard. This means that other devices on its local network even can't ping it. That computer becomes essentially muted to the internet, with one exception: a connection between the SentinelOne product and the dashboard. So you could still do your task of sorting out what's wrong with that system while isolating it so it can't talk to all the other devices. Now the other things that I'm not going to dive deep into, like I said, talk to a sales rep, is you have the option to build out firewall rules and offer device control like USB and Bluetooth controls, so you can block USB ports. There's a lot of things that are going to be, of course, a big crossover of what you can do with a lot of other tools, but hey, it's nice that they have them in here when you're focusing on doing threat management and understanding the threats. Now, what do the threats look like? Well, let's start with incidents, and you can see a history of incidents here. Now this is where, don't let the sales reps fool you, I always like to say, because I've heard people tell me, "Well, I heard it doesn't have false positives."
Matter of fact, on this particular system the NinjaRMM patch agent was flagged, and Lockhart was part of it as well for the backups; I believe that's what that tool does as part of the backup. When we loaded that, it flagged them. And the other day it decided that Quicken, when it wanted to do an update for one of our clients, well, Quicken it flagged as malicious as well. This is where you have to do some investigation: take a look and understand whether or not that tool you're using is a false positive, is a true positive, or is suspicious. And of course this one's a false positive, and then you go through and essentially mark it as such so it's not going to get flagged again. Now this is common, especially when you have, let's say, you're managing an accounting firm and they all have to do an update. If Quicken gets flagged as bad on one system, it's probably going to get flagged on the rest. So if you catch it on the first system and you go, "No, I looked at it; as much as I may not like the product, I don't think it's actually intentionally malicious," therefore we will flag it, and then you can say mark that as benign for everything in the fleet. That way the next person that has to do that update doesn't get flagged as well. And this is what we did with the NinjaRMM update. We're not sure why it did this, but once we did this, on any other machines it loaded it says, "Oh, you've already seen this before; we have a hash for it now." Speaking of having a hash for it, right here we can go, I don't have a Recorded Future account, but we could open it up in Recorded Future. You can open it up in VirusTotal and then look at some information. Okay, here's all the other different platforms and what they think about this particular product.
It's nice that they keep the shortcuts right there. They generate the hash. This is all with the goal of making it easy for you to start gathering knowledge on whether or not something's really a threat, because sometimes you don't know: the system starts it as suspicious and then you work your way through this. Is this suspicious? Is this something new that's trying to get through? Or is it just another false positive, which does happen? But honestly there's not that many, for the number of systems and endpoints we manage, and how few false positives there are. And because so many of our clients run common software, once you figured it out on one system you basically say this is a false positive and then it won't flag on all the other systems. It's just part of security and threat management. Now back to the actual system here. It killed and quarantined, but our ability to undo that kill and quarantine is over here under the actions. We'll show more about that later, but this is where you can do the mitigate, unquarantine it if you want to put it back in there. We actually just end up recopying the files, but that's why I didn't do it; I wanted to do some playing here. Normally you just unquarantine it and it can put the files back. Then you go over to explore, and this is where you can dive a little deeper, and it gives you some of the process management. So this is the execution path. What did it do? It took a network action and it contacted this destination IP. So you can start seeing the source IP internally of the system, which was 192.168.13.13, reached out to this IP address here. It was the NinjaRMM patcher name. Then we have this part here: what did it reach out to next? What were the next network actions? And you can start tracing these out.
Load more, and you can then look at, like, the Ninja bar right here, and these are all timelines of when it started, process timeline, when it ended, from start to finish. So this is at 10:16 and 39 seconds, and the whole process was done and quarantined at 10:17:05. So you can kind of walk through, and this gives you that data you're looking for in all those points, so you can understand what each piece was trying to do and what the events were that led up to this. This is, like I said, all that intelligence data that you're looking for so we can get a deeper understanding of it. Network actions, once again reaching out to the same IP address, processes, and your RMM. Now you can also do these other timelines for the entire event, of who did what when. This gives you the history, because for our team internally, more than one of us is working with this sometimes, where we'll start an investigation, dive through it, and now I can see who did what, including my internal users, for how this was done, how this resolved, and how we went through this particular threat and determined what we did.

Now let's look at something that's actually a real threat. Now, here's what a real threat looks like. So we're going to go ahead and look at it in VirusTotal: 11 security vendors and one sandbox flag this as malicious. This is just some random malware I found. It's interesting that this is still not being found by some of these other ones. It is also a relatively recent piece of malware; it was uploaded 21 hours ago, and there wasn't a lot of stuff on there. So it is flagged malicious by a few things, including SentinelOne. You can look over here and read through the threat indicators: attempted to evade monitoring process, etc.
So you have each one of these you can dive into: the matter of defense evasion. You can go through each section and start learning more about everything going on with this. You can even go and fetch, if you want, download the threat file and give it a password, if you wanted to pull it for local analysis. Less often I need to do that. I usually have enough information here to see that, yeah, we have some type of unsigned file originating from explorer.exe, because I actually did double-click on it using Explorer just to try and get this to execute. It's a small piece of malware, and you can go through and, you know, kind of see that, yeah, this is probably something that needed to go away, and then for the actions you can go through and remediate.

Now let's actually deploy ransomware on this system. Now, these were all done with the protection enabled on here. We're actually going to disable the protection and change the mode of operation for SentinelOne so you can see what actually happens, and how, if a threat gets through, what you can do with that. And for that we go back over here to Sentinel, I mean go over to the policies. The way you set the policies is a little obscure. So here's the default group for my NFR licenses; here's the one, Tom's Test. So I have a few other things that we're working on in demos outside of this particular demo we're doing here. When you're doing this, by default, well, not by default, but by the way you configure SentinelOne, you want it on protect, and protect for suspicious and protect for malicious. You can turn this into detection only, to tell you what happened but not stop and do something about it.
All those different incidents were me having the protection on, so you've seen a lot of things that were caught, which means nothing really bad happened on there; it did its job. Now, this would be kind of the closest I can do to a demo, because actually I tried a lot of different malware and nothing got through that I could find, because I thought that'd be fun to be able to have that on there. But hey, sometimes you can't find anything that'll get through, because, like I said, nothing's perfect, and there could be an incident, but so far our satisfaction rate, and the reason we keep using SentinelOne, is because it seems to catch everything, which is always the ultimate goal that we want. But we're going to put this on there to detect and do not take action. I've actually, um, seen a few people maybe configure their system like this, because, I don't know why; this is obviously what's going to let the malware through. So we're going to run actually one of the same malware things that this caught, but we're going to run it in this mode right here. "Are you sure you want to save these changes?" Yes. By the way, for security reasons, it does always log the last person to modify this, and we can actually go through an action history if we need to, to see who touched what from a global view. This is something that SentinelOne does a nice job of tracking, all that. Now that we've got this into malicious threat detect, let's have some fun.

And this is my completely sandboxed system with a handful of files, nothing important, that is isolated from any other networks. This is really important, and even though I've been doing this a while, there's still this nervous factor when you're going to detonate ransomware on a system. Did you not make a mistake? Did you make sure this is isolated from anything else on the network, and there are no potential problems that could come back and bite you with production systems? Physically, this isn't even in my building. This is actually an independent lab.
I have set up. We'll just leave my house, and I've set it up on an isolated network. If you're not sure if you did this right, have a friend that is an expert in security double-check it, because it's better to have a second set of eyes. I've had me and my staff go over this to make sure that this is an isolated system. I just warn people, because I've seen people make mistakes trying to test ransomware on their own systems, and it's gone horribly wrong. I've unfortunately had people who've tried it in what they thought was a lab environment, and it was able to escape. So lots of warning: even for people who are professionals, mistakes can be made; have someone else double-check it.

All right, now for the fun part. This is in detect-only mode, so let's go ahead and see if this ransomware will work. We're just going to run it as administrator, because yes. It does detect that a file execution, a suspicious one, was detected. Let's see what it does. Hopefully this will actually work. Well, it's just running processes. All right, it's all in detect mode, so it's just going through and alerting us of things. Actually, what we'll do while this is running in the background, as this computer is not incredibly fast... "Do you want to empty the Recycle Bin on this drive?" Uh, no. "It's corrupted." That's weird. Well, not weird, I guess, if you're running ransomware. Oh, I see something on the desktop popping up. There we go, there's a readme here. And I will say no again to that. I'm not sure what it's trying to do; I guess I need to say yes, I don't know. "Your files are encrypted and currently unavailable." I don't think they are yet, so let's, uh, give it a minute to finish what it's doing. There we go. Now the files are encrypted; we can see the documents change now. This makes sense. It's all encrypted and everything's bad. So this is that worst-case scenario where, well, everything has gone wrong, and, yeah, let's go through what actually happened.
Let's break down the incident and how we see it in here. Now, this was a false start: I had a decryptor on there and it picked it up, so that's not what we're really looking at. We're looking at these suspicious ones. This is me pulling out the malware, and the suspiciousness is going to be the opening of this particular tool. So when we start looking at the exploration of this, what happened here? This is the event. Scroll down here. What exactly had happened? Network actions. This is, like, the kickoff event that started it. So this is me clicking on it, and then that kicked off this, and then this process. And we're going to go back over to here, to the threats; this is where all the bigger events happened. And let's look through a timeline; go down to explore. There's all the processes, everything it touched. Hey, look, there's that little readme file it created for us, you know, to let us know. Processes that started on this: you can kind of see how we can go through and say, all right, this is the whole event, and it's grouping these together to let you know that this incident as a whole, this is what happened. We can expand it out, and, yeah, this whole system is just broken now because of the ransomware.

Now this is the part that people want to know: if it works. So far we haven't really had ransomware incidents that allowed something to truly get through, but the testing we have done, which we're doing right here, this does work, and we're about to watch this in real time. So we want to mitigate the action, and we know this was ransomware. Do we want to kill it? That seems like a good idea. Normally it would have killed it automatically, and kill and quarantine is at least the default level of protection you should have. Uh, remediate automatically?
Well, as long as it's killed and quarantined, we don't mind doing manual remediation. This is where you set some of those parameters on there, but let's go ahead and do full rollback, because this is where we YouTube demo the full rollback, because we want those files back, and this is definitely a true positive. So we can flag it, instead of just suspicious, as a true positive in the analyst verdict, go ahead and throw in some notes right here, and mark it as resolved when we're done. Add to blacklist? Don't really need a blacklist, but sure, why not; it already flagged it. So we're not doing any normal investigation where it's like suspicious but unknown. This is, yeah, this is ransomware. We're going to go ahead and hit apply. Incident status saved successfully, action successful, note was added. Now, what does that mean for the system over here? It's going to take a few minutes is what it means. It's slowly going through and running through those remediation processes, because one of the things that SentinelOne does is keep an eye on the volume shadow copies and try to stop any tools from breaking volume shadow copies. It actually just used those to go ahead and roll back the system. Terminated processes, quarantined malicious files, reverted changes made by the threat. So let's go back over here and look at our documents folder. Documents are now fully back to where they were. Now, this is not some guarantee that, in absolutely every scenario, no threat actor will find some way around it.
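As an added example (my own illustration, not the video's or SentinelOne's code), here is a small Python detection rule run over constructed process-creation events. It flags the shadow-copy tampering the speaker describes SentinelOne watching for, and applies the two policy modes from the demo: detect-only just records the hit, protect returns a kill-and-quarantine action. The rule names, the event field layout and the sample events are all assumptions made for this illustration.

```python
"""Flag shadow-copy tampering in process-creation telemetry and apply a policy mode.

Added example with constructed data; this is not SentinelOne's engine or its API.
"""
import re
from typing import Dict, List

# Hypothetical rules. Each regex is applied to the lower-cased command line of a
# newly created process. Listing shadow copies is normal admin activity and is
# deliberately NOT matched; only deleting them or shrinking their storage is.
RULES: Dict[str, "re.Pattern[str]"] = {
    "vss_delete_via_vssadmin": re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\b.*\bshadows\b"),
    "vss_delete_via_wmic": re.compile(r"\bwmic(\.exe)?\b.*\bshadowcopy\b.*\bdelete\b"),
    "vss_resize_storage": re.compile(r"\bvssadmin(\.exe)?\b.*\bresize\b.*\bshadowstorage\b"),
}

# The two modes the video walks through: detect-only tells you what happened,
# protect (kill and quarantine) also acts on the offending process.
MODES = {"detect": "alert", "protect": "kill_and_quarantine"}

# Constructed sample events (hypothetical field layout, not real telemetry).
SAMPLE_EVENTS = [
    {"pid": 1001, "parent": "services.exe",
     "cmdline": r"C:\Windows\System32\svchost.exe -k netsvcs"},
    {"pid": 1002, "parent": "cmd.exe",
     "cmdline": "vssadmin list shadows"},                     # benign: read-only
    {"pid": 1003, "parent": "unknown_dropper.exe",
     "cmdline": "vssadmin.exe Delete Shadows /All /Quiet"},   # constructed hit
    {"pid": 1004, "parent": "unknown_dropper.exe",
     "cmdline": "wmic shadowcopy delete"},                    # constructed hit
]


def match_rules(cmdline: str) -> List[str]:
    """Return the names of every rule whose pattern matches this command line."""
    text = cmdline.lower()
    return [name for name, pattern in RULES.items() if pattern.search(text)]


def evaluate(events: List[dict], mode: str = "protect") -> List[dict]:
    """Run all rules over the events and attach the action the policy mode dictates.

    The parent process is carried along because, as the video notes, a legitimate
    backup agent can trip the same rule; the analyst needs that context to decide
    true positive versus false positive before marking it benign fleet-wide.
    """
    if mode not in MODES:
        raise ValueError(f"unknown policy mode: {mode!r}")
    findings = []
    for event in events:
        hits = match_rules(event["cmdline"])
        if not hits:
            continue
        findings.append({
            "pid": event["pid"],
            "parent": event["parent"],
            "rules": hits,
            "action": MODES[mode],
        })
    return findings


if __name__ == "__main__":
    for finding in evaluate(SAMPLE_EVENTS, mode="detect"):
        print(finding)
```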
That is not what this video is about to demo. This is a known piece of malware, a fairly recent version I was able to find, that is commonly out there, that was able to, you know, get this far with the system, so to speak, and we were able to roll it back, because we had it turned off. Let's just show you what that looks like if we have it in the other mode, just for reference. So if we go back over to our Sentinels, now that this is a remediated threat, we can look at the incident real quick, though, and we can see that it's mitigated. We don't have to worry about this one here. We could just mark this one as done, because we did it off of the later process that happened; we did the rollback from that point. So I, for cleanup reasons, would go and fix this one. But let's actually turn this back on to the normal policy. And you can see it's actually still showing red right here because of the last action that happened, and we have some unmitigated things on there, but let's go ahead and do this. And we'll leave it at kill and quarantine. You could do remediate if you want; for the most part, kill and quarantine, and then you can remediate manually. This kind of depends on how your policies are internally. So we'll put it on kill and quarantine, save this policy, and go back over to the test machine. SentinelOne needs a reboot to finish what it was doing.
No problem. We'll go ahead and reboot, and we'll come back to this, and we're going to execute the same ransomware again, but with detect and protect, kill and quarantine, to show you how far it gets with just kill and quarantine turned on. All right, we've rebooted the system; everything's back to normal now. We want to try this again, but as you notice in the background here, we have the suspicious threat and detect turned on, and let's go ahead and do an extract. And, uh, let's try and run that again. Well, that didn't get me very far. It immediately deleted the file; it got rid of it as soon as I tried extracting it. It didn't even let me get as far as executing it. This is important: if we go back over here to incidents, you can see it's unresolved, but then again we have a nice checkbox here, because it immediately saw it, ransomware again, found it, said we're just getting rid of this, and it then sent a notice. We have this set up to send notices to our ticketing system, so we would have got a notice on this, but nothing really happened. It's like, yeah, look, they tried to do something, and you try to figure out what the user was trying to do. Dive into why were you trying to extract this file? Did it come from an email? And as you do your investigations, and we'll actually do this right here, it didn't find any processes, because all it was was a file. But if someone actually tried to even execute the file or click it, it would tell us the application that they tried to click it out of. This was deleted right away, as soon as it saw the file getting extracted. The moment I extracted the file with 7-Zip, it immediately killed it, and that's the end of the story. Now, we've been using SentinelOne since 2019, and here in January 2022 we plan to continue using the product, as I said in the beginning.
It's not absolutely perfect. There are occasionally some false positives, but they're so minimal that they're not creating such a burden on my staff. And occasionally the things they do flag are pretty suspicious things that are written by third parties. That's actually been the majority of any of the false positives, which means proprietary software, line-of-business applications run by one-off clients, and you just whitelist those, and it's not a big deal. It is probably always good to look at them, because they are, once again, one-off products. The flagging of Quicken, that was weird; it doesn't happen all the time, but hey, I will mention it because I'm just being honest. It does occasionally get a false positive, but as I said, not the end of the world, not enough to make us stop using the product. If you're interested in getting SentinelOne, we are resellers of the product. You can also reach out to SentinelOne directly and find a reseller because, for whatever reason, you don't like me; that's fine too. I'm not here to be a high-pressure salesperson; I just wanted to share my knowledge in a demo. If you're a business interested in having us handle the security, and impressed that this is one of the tools that we use in that security stack, hey, reach out to us.
That is something we'd love to help your business with. As always, see you in the forums for a more in-depth discussion; leave some comments below. I try to reply to all the YouTube comments, but the forums is where you're going to have a better, more engaging discussion with me. You can connect with me on whatever socials as well, and thanks. And thank you for making it all the way to the end of this video. If you've enjoyed the content, please give us a thumbs up. If you would like to see more content from this channel, hit the subscribe button and the bell icon. If you'd like to hire us for a short project, head over to lawrencesystems.com and click the Hire Us button right at the top. To help this channel out in other ways, there's a join button here for YouTube and a Patreon page where your support is greatly appreciated. For deals, discounts and offers, check out our affiliate links in the description of all our videos, including a link to our shirt store, where we have a wide variety of shirts that we sell, and designs come out, well, randomly, so check back frequently. And finally, our forums, forums.lawrencesystems.com, is where you can have a more in-depth discussion about this video and other tech topics covered on this channel. Thanks again for watching, and I look forward to hearing from you.