
SentinelOne (Part 3: Network Discovery / Ranger): A Practical Guide and Training

Updated: Dec 27, 2024

Welcome back to Part 3 of our exploration of SentinelOne’s powerful features! Today, let’s dive into one of the most fascinating and essential capabilities SentinelOne offers: Network Discovery and its closely related counterpart, Unprotected Endpoint Discovery. These two features work hand-in-hand to provide unparalleled visibility and control over your network. So, let’s unpack this, step by step, as though we’re in a room filled with curious cybersecurity professionals.

-------------------------------------------------------------------------------------------------------------


The Backdrop: Why Network Discovery Matters

Imagine you’re the captain of a ship, navigating through uncharted waters. To ensure smooth sailing, you need a detailed map showing not just the known islands but also hidden reefs, shoals, and lurking hazards. That’s exactly what Network Discovery does—it’s your map of the corporate network.


With SentinelOne, Network Discovery scans your environment to identify every connected device, be it a server, endpoint, IoT device, or even an unknown gadget someone sneaked into the office. It doesn’t stop at identification; it categorizes devices into Secured, Unsecured, Unsupported, and Unknown, ensuring no stone is left unturned.

------------------------------------------------------------------------------------------------------------

What’s the Difference Between Network Discovery and Unprotected Endpoint Discovery?


This is a question many people ask, and it’s a good one. Here’s the gist:


  1. Unprotected Endpoint Discovery: Think of this as the “lite” version of Network Discovery. Its main focus is to scan and identify endpoints in your network that don’t have the SentinelOne agent installed. It’s quick, effective, and perfect for targeting vulnerable devices that need immediate attention.

  2. Network Discovery: On the other hand, Network Discovery is the full package. It doesn’t just identify unprotected endpoints but also provides a comprehensive overview of every device in your network—including IoT devices, cameras, and more. It’s like having x-ray vision for your corporate environment.


Here’s the kicker: Unprotected Endpoint Discovery doesn’t work unless Network Discovery is enabled. It’s like the foundation upon which the unprotected endpoint feature is built.

------------------------------------------------------------------------------------------------------------

Let’s Break It Down: The Device Categories

Network Discovery classifies devices into four categories:


  1. Secured: Devices where the SentinelOne agent is installed and running.

  2. Unsecured: Devices that support the SentinelOne agent but don’t have it installed yet.

  3. Unsupported: Devices incompatible with the SentinelOne agent (think mobile phones, tablets, or Unix systems).

  4. Unknown: Devices where it’s unclear if they’re supported by SentinelOne, often requiring manual investigation.

------------------------------------------------------------------------------------------------------------

Walking Through the Tabs in Network Discovery

1. Devices Tab

This is where the magic happens. The Devices Tab lists all identified devices in your environment. Here’s an example:


Imagine spotting an unsecured server. From this tab, you can do two critical things:

  • Isolate the device: Cut it off from the network immediately to prevent potential threats.

  • Deploy the SentinelOne agent: Right from this interface, provided you’ve configured your Deploy Key (we’ll talk about this shortly).

Even for unsupported devices, you can still review and isolate them.

The level of control here is astounding.

------------------------------------------------------------------------------------------------------------


2. Networks Tab

This tab gives you a clear view of which endpoints are connected to which networks. It’s perfect for tracking activity and understanding how devices interact within your environment.

------------------------------------------------------------------------------------------------------------


3. Settings Tab

Configuration is key.

The Settings Tab allows you to fine-tune how Network Discovery operates. SentinelOne provides some excellent recommendations to get started:


  • Minimum Agents in Corporate Networks: Set this threshold close to the smallest number of agents in your corporate network. Don’t go below five to avoid scanning public or home networks that might generate noise.

  • Gradual Scanning: Start by manually scanning networks from the Networks page. Enable automatic scanning gradually to avoid overwhelming the system.

  • Excluding Specific IPs or Ranges: You can exclude certain addresses, like honeypots, to focus on critical devices.

  • Scan Only the Local Subnet: Begin with scans limited to the local subnet of the agent. Expand this gradually to include cross-subnet scanning as needed.


Two settings might confuse some users, so let’s clarify them:

  1. Scan Only in Scanner’s Local Subnet: This limits the scan to devices within the scanner’s immediate network segment.

  2. Auto-enable Scan of Discovered Networks: If enabled, this automatically starts scanning any newly discovered networks—hands-free!

------------------------------------------------------------------------------------------------------------


4. Deploy Keys Tab

Before you can deploy agents to unprotected devices, you need to configure Deploy Keys. Think of this as a passkey that ensures a smooth installation process. If you ever face deployment issues, SentinelOne’s documentation is an excellent resource.

------------------------------------------------------------------------------------------------------------


Real-Life Use Case: Why It’s Awesome

Let’s imagine your organization has 500 devices connected to its network. Among these, you discover:

  • 450 secured devices.

  • 30 unsecured endpoints, some of which are critical servers.

  • 10 unknown devices, possibly rogue or unauthorized.


From the Devices Tab, you isolate the unknown devices immediately. For the unsecured endpoints, you deploy the SentinelOne agent, ensuring they’re protected moving forward. All this happens within minutes, minimizing risk and maximizing efficiency.

------------------------------------------------------------------------------------------------------------


Final Thoughts

SentinelOne’s Network Discovery and Unprotected Endpoint Discovery features are like having a superpower in your cybersecurity arsenal. They provide full visibility into your network, help you identify vulnerabilities, and empower you to act swiftly. With the ability to categorize devices, monitor networks, and deploy agents seamlessly, you’re always one step ahead of potential threats.


Akash Patel
