At OneCon 2024, SentinelOne is announcing several additions and updates to its Singularity Platform aimed at making organizations’ Security Operations Center (SOC) more powerful and, most importantly, more autonomous. Purple AI will get an update, there will be LLMs trained specifically for cybersecurity, and Singularity will get hyperautomation and SIEM capabilities.
SentinelOne’s vision is pretty clear. The company wants to leverage AI and automation to the fullest in order to take the maximum burden off SOC employees. The goal is to make the Autonomous Security Operations Center a reality. We’ve written quite a bit about this development over the past year, not only at SentinelOne but also at other players in the security market. This year’s RSA Conference was also largely about autonomous security.
Autonomy in the context of a SOC does not mean that analysts or other SOC personnel are no longer needed. The autonomous functioning of a SOC is primarily about taking as much of the burden off SOC staff as possible so that they can respond to risks and threats as effectively, quickly and efficiently as possible. However, companies like SentinelOne are adding more and more capabilities, shifting the balance ever so slightly as the Singularity Platform takes on more and more of the work.
Today, SentinelOne announced four enhancements and updates to the Singularity Platform and Purple AI. They are Singularity Hyperautomation, Singularity AI SIEM, some new features for Purple AI and a set of security LLMs, which it calls Ultraviolet. We discuss these four components below.
Singularity Hyperautomation
When we think of more autonomy for SOCs, we also quickly think of automation, or automating workflows. A solution that can independently produce excellent analyses and then dump them all on an analyst’s plate still creates far too high a workload for that analyst. In other words, actual action must be taken. That is what SentinelOne wants to add with Singularity Hyperautomation.
Singularity Hyperautomation consists of more than a hundred integrations and dozens of out-of-the-box workflows to address common threats. These include mitigating ransomware attacks, responding to suspicious user behavior and dealing with insider threats. In addition, it is also possible to build your own workflows. This works through a no-code environment in which SOC employees can simply pull together a workflow via drag-and-drop, according to SentinelOne. Access to any APIs needed to create the integrations also works without having to punch in code, SentinelOne promises.
The above sounds nice, but how do you know which workflow to build and when? To help users with that, Singularity Hyperautomation makes suggestions while investigating notifications. Furthermore, through an integration with Purple AI, it automatically generates playbooks that include the insights of others. Of course, the integrations with SentinelOne’s proprietary environments do not have to be built, they are included by default.
Singularity AI SIEM
The SIEM market is in a clear transition phase. Palo Alto buying QRadar from IBM, Exabeam and LogRhythm merging and of course Cisco buying Splunk are examples of this. Security Information and Event Management had gained something of a reputation as a technology of the past. It had been overtaken in several areas by other developments, such as the movement toward Extended Detection and Response (XDR) platforms.
Yet there is still a need and room for a SIEM in the SOC. SentinelOne sees that too. With Singularity AI SIEM, it explicitly ties SIEM to AI and to its own Singularity Data Lake; the idea is that this connection makes SIEM a lot more relevant again. It is basically an open ecosystem that can ingest both structured and unstructured data. This can be data from SentinelOne tooling, but also from third parties. This is possible thanks to support for the Open Cybersecurity Schema Framework (OCSF), a vendor-agnostic format in which data can be stored. It can then be picked up and processed by SentinelOne.
2024 is the year of Purple AI
At SentinelOne, 2024 was and is primarily about Purple AI. During OneCon 2024, this is no different. For example, there is a Mortal vs. Machine contest, in which SentinelOne’s best PowerQuery people compete against people who have (a lot) less knowledge of this company’s query language. These less knowledgeable people, however, have Purple AI at their disposal and are thus the Machine. The Mortal does not have this. Time after time, the Machine beats the Mortal, often with some ease. We have tried it ourselves and also won.
Of course, SentinelOne will frame this kind of “contest” primarily in favor of the Machine. For example, there are ready-made scripts for the challenges that man and machine must face, so the people using Purple AI during the contest do not have to come up with their own questions. If everyone were to start completely from scratch, the experienced PowerQuery user would start his query a lot faster than his opponent. Purple AI is therefore not meant for the complete noob; understanding and knowledge of how things work is important. In other words, it should boost the level of a good SOC worker to become a very good one.
New features for Purple AI
So Purple AI is definitely one of the things SentinelOne wants to differentiate itself with. Hence, it is announcing several new features today. Auto-Alert Triage helps determine which notifications should be given the most priority. This is possible through the use of something SentinelOne calls Global Alert Analysis. This means that it analyzes thousands of similar real-world alerts (anonymized, by the way), which enables it to judge the level of severity of these alerts.
In the context of autonomy within a SOC, the new Auto-Investigations is also interesting. Reports that are prioritized (with or without the help of Auto-Alert Triage) are picked up and analyzed fully automatically. This analysis consists of compiling the steps that Auto-Investigations must take to do the investigation, then executing these steps and coming up with a recommended verdict. The evidence found during this process is recorded in a Purple AI notebook. This is necessary for auditing purposes, among other things.
Ultraviolet
The last big news at SentinelOne OneCon 2024 today is the introduction of Ultraviolet. Named after the color just beyond purple in the spectrum, it is meant to further strengthen Purple AI, which currently still works with general-purpose LLMs. Those already make a lot possible, but not enough. Hence the introduction of Ultraviolet, a family of security LLMs and multimodal ML models designed for security purposes. Each model focuses on specific security issues and should therefore be even more powerful and accurate than the generic models. The latter will continue to be used, by the way. Ultraviolet is an extension of, not a replacement for, the existing models.
Not much is known about Ultraviolet at this time. As examples of what it adds to Purple AI, SentinelOne says that the security-specific models can take more context into account and thus improve efficacy. They should also reason more from a security perspective than existing generic models. This ultimately also provides more confidence in the models and thus in their autonomous functioning. Better tuned models will stay better focused on their task and require less input to reach useful conclusions.
SentinelOne promises things, and also delivers
SentinelOne’s announcements for the Singularity Platform and Purple AI are certainly interesting. However, they are not very surprising. We have already anticipated the kind of possibilities we are discussing in this article in several articles about Singularity and Purple AI, not only based on speculation from our side, but also based on statements from people at SentinelOne that they were working on it.
The latter is very important in the security industry as far as we are concerned. If a vendor says something is coming, it should be coming. SentinelOne is generally quite open and transparent about what we can expect from the company in the near future. It doesn’t have to be. It can also pull some big surprises out of a hat a few times a year. That it chooses to make product announcements a sort of non-event, since basically everyone knows what’s coming anyway, is a nice feature as far as we’re concerned.
The way SentinelOne continues to develop in a steady and predictable manner sends the message that the market can, and perhaps should, judge SentinelOne on whether it delivers on its promises. That makes cybersecurity feel a little more like a joint journey that vendor and customer take together than purely a vendor-customer relationship. Of course, revenue is important, and SentinelOne is an organization that wants to make a profit. However, we do not have the impression that it is all about achieving the highest possible market cap, an impression we do get when looking at other vendors in this space. That doesn’t necessarily make SentinelOne popular with financial analysts and shareholders, but if all goes well, it does with its customers.