Q&A: SentinelOne CEO On Why Endpoint Security Vendors Will Win Out Over Firewall Vendors

Weingarten On The Record

The security industry is about to experience an overhaul. That's what SentinelOne co-founder and CEO Tomer Weingarten said in an interview with CRN. As enterprises look to reinvent their security stacks to meet emerging trends around cloud and the Internet of Things, Weingarten said endpoint security vendors and their partners are in the best position to help define that future. However, he also said not all endpoint security vendors are created equal, with only a handful of companies emerging above the swell of marketing, buzzwords and new technology. Take a look at what Weingarten thinks that future will look like, and what role partners need to play in helping enterprises get to the next generation of security technologies.

How do you look at the crowded endpoint security market right now?

The way I look at the endpoint space is that on paper you have 20 to 30 endpoint companies – that's not really true. To me, the entire space really sums up to three or four companies that are leading the pack and one of them is definitely us. I think most people see it the same way. I have read someplace that they call us the 'Four Horsemen of the Apocalypse.' I think it's us versus the incumbents. Within that pack, I think you see most vendors are trying to complete a holistic approach that they are not really completing right now. A lot of it is on the road map, or it's coming, or they aren't going to do this or that.

What is different about SentinelOne's approach in the endpoint security market?

We have been lucky to pretty much define this space. Even if you look at Gartner, they call us the most visionary company in endpoint protection because we really came up with these founding stones of what next-generation endpoint protection should be. The AV replacement piece: We were the first company to ever say that and then Cylance came. We were the first company to get certified by a third-party testing authority to say we can actually replace antivirus and everyone moved to that. People thought that we were crazy – you were going to go against Symantec and build an antivirus alternative? ... We were the first company to say that there is no such thing as EDR [endpoint detection and response] and EPP [endpoint protection platforms], it's one thing. That's the protection of the future: You really have to have a fused capability set of both. … The EDR vendors all want to become EPP vendors and they are adding capabilities. The EPP vendors want to become EDR vendors, so they are adding EDR capabilities. We have already done that so we are focusing on the next generation of what capabilities you might want in your enterprise. I feel like the space is moving to where we said it would move. … We are now very focused on innovating and taking it one step further.

How do you look at the advent of machine learning in endpoint security?

There are people saying 'machine learning,' but in essence the underlying technologies aren't that different. What Cylance has been doing with AI, every company is now doing as well. This machine-learning-based file sharing is now completely a commodity. We do that, Palo Alto [Networks] is doing that, CrowdStrike has added that, Sophos has added that through the acquisition of Invincea. It's a complete commodity right now. ... The difference really is in the data sets. If you think about AI and machine learning in general, it isn't really about your algorithms – because eventually everyone is using the same things – it's really about the underlying data set that you use to feed AI and then what you do with that. … It's not only about files or the hunting or the IOCs [indicators of compromise], it's about a holistic view of anything that's happening on a given system and AI is a derivative of that. … Visibility is the absolute must of every protection suite out there. Even on the network side of things, if you don't have visibility into what is actually happening and build the best AI that you can, if it's not based on what's truly going on then you have a blind spot. … I think that's where we have a huge advantage.

What about platform security? You see a lot of large security vendors touting the benefits of full suites of security solutions.

My pet peeve is the anti-virus suites. It's an amazing work of marketing. It's the extensive bloatware of suites that contain everything from DLP [data loss prevention], to device control, to application control – all of these unbelievable amount of features that just become check boxes and really hold no value in the world of today. DLP was really invented about 10 to 15 years ago when Amazon was a bookstore, not when Amazon was the head of everything. You have to wonder, if I'm deploying DLP today from a McAfee or Symantec or one of the leading vendors, what am I actually getting? What is this thing really doing for me? When you really move to more of a visibility model, if you are seeing what is happening and you are applying AI, then almost like a byproduct you get anomalies. I can see the norm and I can see outside the norm, and what's outside the norm almost becomes DLP. … If you truly profile what is happening on the network then you can understand anomalies on the network in a way that DLP can't today.

What technologies will you need, then, in the security stack of the future?

We need to reinvent the stack. Whether it's us or someone else, that's a separate story. … I think identity is a huge, huge piece of it. … But you still are going to have to need something that will give you that underlying piece of how you will route access in whatever it is we call the network universe. At that point, you really have to reinvent the stack. You need to understand how the data is moving in the environment. … We have lost control of where things reside, so we have to reinvent the stack. I think we're in a great position to reinvent a large portion of the stack. It is going to take us a long while to do all of it. But, again, a lot of it to me at least is being manifested through visibility and actually seeing the pathways on the network. … The endpoint eventually is the inputs and outputs of everything that you do. You cannot access anything in our world today without going through the endpoint. If I control the endpoint, then I control everything that you use.

What are you hearing from customers around the endpoint security market?

You hear a lot of confusion. There is no question about it: Everyone is saying the same things and sometimes it is really hard to differentiate and even understand what it actually means. … You really have to think about these models when the network becomes everything we do. I think the endpoint, and when we say 'endpoint' we mean any device that can run code and has a CPU, the security nodes had to be spread around the edges of the network instead of being centralized or trying to surround it. … If you can't surround the network, what else can you do? To us, the answer is really simple: You have to have completely distributed security on everything that touches the network. That becomes an integral part of the network.

How does the Internet of Things change that security model?

It is incredibly complicated. I think some of the things that we are exploring today is how do we adapt some of the models of what we do to the very fragmented universe of devices that sometimes won't run code, can't run code, or will only run a very specific subset of code. How do you still provide protection from these? I think the answer in a lot of cases is better segmentation. You really have to first understand what you have on your network. … One of our goals is to really see how we can map that entire world for you. Then, we can say we understand that there are a lot of unmanaged devices and those should not have the same access as the managed devices. … What's unmanaged should – by definition – have less privilege than the managed devices. Today, it's really inseparable. If you don't know, you can't enforce and say these [devices] should behave differently. … Then, I can have AI investigate the usage patterns and build a baseline. ... To me, that is probably the only path forward. … I think even some of the very big vendors are starting to wake up to that.

Who is in the best position to tackle the IoT security challenge?

The endpoint companies should be in the best position possible to build the next network. It sounds absurd, but it's really the reality. I feel that we have such a huge advantage over Cisco in how we drive software-defined networking. We're just in a better position to build the network of the future.

I think even today you see [network security vendors] are less and less applicable for the cloud. People are turning to things like CASB and other things to plug the hole … but in essence I am not a big believer in the firewall market. I think it will take time and obviously we see some legacy companies and legacy enterprises that are heavy users of firewalls and it's not easy to say let's just rip it out. It is going to be very gradual, no question about it, but even the most legacy enterprises out there are getting more virtual and getting more into the cloud. … If you fail to see that the world today is inherently different than what it was and you still try to protect it with a hardware, iron box that you plug into the wall – good luck. I don't think that can scale and I don’t think it can cover things that are completely non-defensible by these models.

What's the role for the partner in helping adapt this security model?

I think the No. 1 thing I would want – and that's our mission, too – is education. I think the partners should be playing a pivotal role in educating customers on what is happening next. … The channel partners are really a segue to deliver what some of the more visionary vendors are seeing and some of the new models that are happening. They are basically the delivery tools into these enterprises and they are taking whatever new methodologies, new solutions, and even new thinking that we are seeing – they should be the ones to translate that into the enterprise environment. They will obviously be in a position to do great business at the same time, but all in all I think it will just benefit everyone if they become the voice of where we are going as a security industry. … The customers trust the channel – that is very, very clear. They are the trusted adviser. As a trusted adviser, I expect them to be knowledgeable and I expect them to be on the forefront. I expect them to educate, explain and help the customer think in the new models.

Do you see the typical partner as mature enough around security today to educate customers on the next wave of security?

There is a reason why we work with the very technologically savvy partners. I think they get it, and they get it faster. I think the others they will get there eventually, no question about it, but you also have that very long legacy tail of vendors – the Check Points and Palo Altos of the world – and you have an inherent interest to still make that ecosystem work and preach those old methodologies. I think this is a transition that will happen when some of these big vendors will start understanding that they are becoming less and less relevant to some companies. Right now, we talk about the enterprise but we are seeing a lot of companies that are becoming the 'new enterprise.' If you think about Netflix, for example, they are a model of the new enterprise. … Some of these companies will become the enterprises of the future. The infrastructure is different. I have nothing today that I can do with a firewall. I put it there for compliance purposes. I don't feel like I'm getting extreme protection from my firewall vendor. I think fast forward three to five years from today, you will need a different model to secure some of these enterprises. Some of them are already working in these models… that will happen to everyone eventually.

Give us an update on SentinelOne as a company.

SentinelOne has about 300 people and is probably still one of the youngest companies in the endpoint security space. It is a very crowded and noisy endpoint security space. We raised $110 million to date, with the Series C funded by Redpoint Ventures. We touch pretty much every part of the globe right now with 12 offices. We're a fully channel-oriented company. We do everything through the channel. We're a software company, a SaaS company, more than anything else. We're trying to not do services and not do anything else but scalable software that we can distribute via the channel. That's our way to scale. All in all, we have seen pretty good traction and thousands of customers to date. Lots of growth.

What are you doing with the channel at SentinelOne?

We are very focused on selecting the quality channel partners. … We want to focus on certain segments and people that understand technology. We're a very technology-focused company and we take a lot of pride in what we do. … We're really wanting to stay true to what our technology can do beyond the buzzwords and we want channel partners that can reflect that and understand that and talk and deliver the technology message beyond the brochure with the nice AI, machine learning, and other place-holder buzzwords. … We are very pleased with the channel partners that we have. … We are a software company and we love our channel partners to build any practice they want on top of our service and on top of our software. … The product is really good at tailoring services around it and we have no designs of doing anything that is remotely close to MSSP. Deployment, integration – all of that is being done through the channel. We're trying to be very good at enabling the channel to do that without our help. We're a very channel-focused company. I would say that 99 percent of the sales that we do today are via the channel.

Where are you investing around the channel to expand that push?

That's pretty much everything. [Vice President of Worldwide Channels] Dee Dee [Acquista] is one -- she is absolutely great. Nick Warner just joined us as chief revenue officer -- he was the head of global sales at Cylance, another very channel-focused company. He is now with us. Almost the entire executive team has changed in the last six to eight months. Rebecca [Kline], our CMO, was CMO at Malwarebytes before that. We're pretty much investing everywhere right now. I feel we have a world-class team, with pretty much everything around go-to-market, sales execution, working with our partners, working with our customers. It's an amazing team. I'm very pleased with it.