SentinelOne Unveils Generative AI-Powered Threat Hunting Tool

The new offering is the ‘first-of-its-kind’ in cybersecurity and will allow security teams to use generative AI to improve their productivity and uncover more threats, according to SentinelOne.

SentinelOne Embraces Generative AI

For years, SentinelOne has brought a focus on enabling greater AI-powered automation in cybersecurity, including in its core areas of endpoint detection and response (EDR) and now, in extended detection and response (XDR). But with the arrival of generative AI, SentinelOne is also among the first security vendors to unveil significant functionality powered by this area of technology. On Monday, in connection with RSA Conference 2023, SentinelOne announced a new threat hunting tool that utilizes generative AI in an effort to dramatically improve productivity for security analysts.

SentinelOne is calling the offering for its Singularity platform the “first-of-its-kind” in cybersecurity and a major advancement for cyber defense. And looking ahead, it will become even more critical to bring generative AI functionality to security teams due to the fact that adversaries, too, are upping their game with the help of OpenAI’s ChatGPT and other chatbots, according to SentinelOne.

With the new SentinelOne technology, “I think security overall will get better, because we’re able to look at more things and not miss important threats,” said Ric Smith, chief product and technology officer at SentinelOne, in an interview with CRN. “But longer term, this is really about taking the technology that we believe that our adversaries are going to be using — and we’ve seen this already — and putting that in the hands of our customers so that they can play adequate defense.” Without a doubt, there’s going to be an “arms race between offense and defense” when it comes to using generative AI, Smith said.

What follows are the key things to know about SentinelOne’s new generative AI-powered threat hunting tool.

Boosting Cyber Defense

SentinelOne is referring to the new generative AI-powered threat hunting tool as “Purple AI,” the company told CRN. As an example of the capabilities that the new tool will provide, analysts will be able to use the new interface in the Singularity Skylight platform to ask questions about threats in a customer’s environment — such as, “is a certain threat actor present in this environment?” or “are there threat actors affiliated with China in my environment?” That’s a far easier approach than the traditional, often-tedious ways of hunting for threats, Smith told CRN.

The ability to use natural language to query a system will offer massive time-savings to analysts and will allow security teams to respond to more alerts and catch more attacks, he said. This is particularly important at a time when cybersecurity talent is in short supply and threats continue to evolve and intensify, Smith said.

Another key capability of tapping generative AI in threat hunting activities is around providing summarization of results, he said. “That also alleviates some of the tedium around doing the actual analysis. So then, you can pinpoint what specific events are actually doing. And get a summarization of our internal storyline, which helps you understand all the different elements of the process chain.” The end result is that analysts will be able to have the system tell them, “‘This is lateral movement. This is something that you should be aware of,’” Smith said.

Embedding Generative AI

SentinelOne will offer the new tool as an add-on for its Singularity Skylight platform, and the generative AI interface will be available directly within the platform itself. That’s in contrast to other security-focused generative AI tools that have been announced previously, SentinelOne’s Smith told CRN. “This is a direct enhancement to our platform,” he said. “We’re taking a different approach than, say, Microsoft [Security] Copilot, which is sitting side-saddle with their product set.”

As an add-on capability, the generative AI will be optional for customers and partners to start, so that SentinelOne can allow customers to become comfortable with using it, Smith said. The vendor is aiming “to make sure that they can have the degree of control that they want,” he said. “But we’re pretty confident that over time, customers will become more and more comfortable with it, and that it’ll become the default.”

Ultimately, when it comes to bringing generative AI to cyber defense, “we haven’t seen anything [to date] where it’s directly integrated with the platform, and is evolving to be the default platform experience. We’re not taking a separate product approach,” Smith said. “This is definitely something that we believe will enhance the overall experience of our platform.”

Large Language Model

As a generative AI-powered tool, the new SentinelOne threat hunting technology is based upon an underlying large language model (LLM). Rather than leveraging a single LLM, such as OpenAI’s GPT-3, SentinelOne has opted to bring together several large language models, Smith said. The new threat hunting tool utilizes both open-source and proprietary LLMs, he said, which are not being identified by SentinelOne.

Crucially, the company is also training the model on its own data, Smith said, but training [an LLM] can be expensive, as we all know, based on looking at the unbelievable amount of money going into things like OpenAI.” As a result, “where it makes sense for us to [train] our own and we get good performance, we do take that approach,” he said. “In other cases, where just having a larger model, and there’s some advanced context that’s required — specifically around language translation — we may actually use a third-party service for those cases.”

At the same time, “what we find in general is that because we are trying to prescribe this to the security domain, and then specifically to the SentinelOne ecosystem, we do have to do quite a bit of fine-tuning to get a good result,” Smith said.

Evolving The Platform

Ultimately, a main goal of implementing generative AI technology in this way is around “making threat hunting more accessible,” Smith said. With existing threat hunting platforms, “it’s pretty daunting [to use them]. You have to have a high level of skill to interact with these things,” Smith said. With the addition of this generative AI technology, however, SentinelOne believes the technology can now enable security operations center teams to scale up their threat-hunting activities, he said. “We think this will be a better method of general threat hunting.”

Looking ahead, SentinelOne also expects to drive “an evolution across our platform overall” with the help of generative AI, Smith said. Next phases for deploying the technology are likely to include in the areas of network detection and response (NDR) and threat intelligence, he said. In NDR, for instance, “you can think of it as, if we’ve made threat hunting that much simpler — in terms of being able to ask questions through natural language — we should be able to advance our NDR offering without adding additional human capital, just by enhancing the humans that we’ve got on the job today [with generative AI],” Smith said. “That is a very different approach, and very differentiating, versus what we’ve seen with our direct competitors.”

Partner Opportunities

SentinelOne believes that its new generative AI-powered threat hunting will offer significant benefit to partners, including to managed security service providers (MSSPs) who will be able to directly utilize the tool themselves as part of their work to secure end customers, Smith said.

“For MSSPs, for instance, this is a really great opportunity for them,” he said. They’ll see this as a means of improving margins, because they’re not having to pull in so much human capital to run [the threat hunting] — because they’ve got this guide to help them through these activities.”

The new SentinelOne threat hunting tool add-on is now in limited preview, and details about wider availability are not being released yet.