SentinelOne EDR: Explaining and Demonstrating Rollback Security

Table of Contents

  1. Getting Started
  2. What is SentinelOne Software?
  3. What is the SentinelOne agent?
  4. Rollback Feature
    • Volume Shadow Copy Service (VSS)
  5. Benefits of Ransomware Rollback
  6. SentinelOne Singularity | The Ultimate XDR Solution with Ransomware Rollback
  7. Configuration Guide
  8. Conclusion

Getting Started

Before I get started: the main reason I am writing an article about SentinelOne is its super cool Rollback feature, which is my personal favorite. Let me first briefly describe SentinelOne, if you are new here, and then explain how Rollback works.

What is SentinelOne Software?

The SentinelOne Singularity platform is an industry-first data lake that seamlessly fuses together the data, access, control, and integration planes of its endpoint protection (EPP), endpoint detection and response (EDR), IoT security, and cloud workload protection (CWPP) into a centralized platform. With Singularity, organizations gain access to back-end data across the organization through a single solution, providing a cohesive view of their network and assets by adding a real-time, autonomous security layer across all enterprise assets. {Official Site}

What is the SentinelOne agent?

Every endpoint, such as a desktop, laptop, server, or virtual environment, has a SentinelOne agent installed that works independently, without needing an internet connection. The agent resides at the kernel level and monitors all processes in real time. SentinelOne's Dynamic Behavioral Tracking engine handles this, which lets users see precisely what happened on an endpoint at each stage of execution, including: origin, patient zero, processes and files, registry events, network connections, and forensic data.

Rollback Feature

Rollback is SentinelOne’s "rewind" for ransomware. With this capability, maliciously encrypted or destroyed data can be quickly and easily restored to its original state. Furthermore, the functionality is delivered in a single-agent EPP/EDR system.

Volume Shadow Copy Service (VSS)

To understand how SentinelOne implements rollback, we first need to grasp the Volume Shadow Copy Service (VSS) built into Microsoft’s Windows operating systems. VSS lets backup copies of volumes or individual files be kept consistent even while they are in use. It does this by taking a snapshot of the volume using a “copy on write” scheme: once the snapshot exists, every disk write to the volume is held until a copy of the data currently on disk at that location has been saved to a small temporary storage area managed by VSS, and only then is the write allowed to proceed. The snapshot therefore remains a faithful picture of the volume at the moment it was created, while the live volume keeps changing.
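To make the copy-on-write mechanism, and the rollback it makes possible, concrete, here is a small Python model added to this article. It is not SentinelOne’s or Microsoft’s code: the Volume and Snapshot classes, the 4-byte block size and the diff_limit cap are assumptions chosen for illustration. It shows how writes made after a snapshot save the original blocks to a diff area before landing, how the snapshot view is reconstructed from that diff area plus the live volume, how a rollback puts the saved blocks back, and what happens when the diff area’s cap is exceeded: the oldest snapshot is dropped, mirroring VSS behaviour when shadow storage fills up, and there is nothing left to roll back to.

```python
# Toy copy-on-write snapshot model, added to this article as an illustration.
# It is not SentinelOne's or Microsoft's code; the classes, the 4-byte block
# size and the diff-area cap are constructed for readability.
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

BLOCK_SIZE = 4  # bytes per block (constructed; real volumes use larger blocks)


@dataclass(eq=False)  # identity comparison: two snapshots are never "equal"
class Snapshot:
    """Point-in-time view; holds only blocks overwritten after it was taken."""
    diff_area: Dict[int, bytes] = field(default_factory=dict)  # index -> original

    def stored_bytes(self) -> int:
        return len(self.diff_area) * BLOCK_SIZE


class Volume:
    """Live blocks plus snapshots; diff_limit caps the total diff area the way
    a VSS shadow storage limit caps shadow copies."""

    def __init__(self, data: bytes, diff_limit: int) -> None:
        if len(data) % BLOCK_SIZE:
            raise ValueError("volume size must be a multiple of BLOCK_SIZE")
        self.blocks: List[bytearray] = [
            bytearray(data[i:i + BLOCK_SIZE]) for i in range(0, len(data), BLOCK_SIZE)
        ]
        self.diff_limit = diff_limit
        self.snapshots: List[Snapshot] = []

    def create_snapshot(self) -> Snapshot:
        snap = Snapshot()
        self.snapshots.append(snap)
        return snap

    def write(self, idx: int, new_data: bytes) -> None:
        """Copy-on-write: every snapshot that has not yet captured this block
        saves its current contents, and only then does the write land."""
        if len(new_data) != BLOCK_SIZE:
            raise ValueError("this model writes whole blocks")
        for snap in self.snapshots:
            if idx not in snap.diff_area:
                snap.diff_area[idx] = bytes(self.blocks[idx])
        self.blocks[idx][:] = new_data
        self._enforce_limit()

    def _enforce_limit(self) -> None:
        # When the diff area overflows, the oldest snapshot is discarded so newer
        # ones can keep growing (the trade-off a capped shadow storage makes);
        # a discarded snapshot can no longer be rolled back to.
        while self.snapshots and sum(s.stored_bytes() for s in self.snapshots) > self.diff_limit:
            self.snapshots.pop(0)

    def read_live(self) -> bytes:
        return b"".join(bytes(b) for b in self.blocks)

    def read_snapshot(self, snap: Snapshot) -> Optional[bytes]:
        """Snapshot view: overwritten blocks from the diff area, untouched ones
        from the live volume. None if the snapshot was discarded."""
        if snap not in self.snapshots:
            return None
        return b"".join(snap.diff_area.get(i, bytes(b)) for i, b in enumerate(self.blocks))

    def rollback(self, snap: Snapshot) -> bool:
        """Put every saved original block back on the live volume; False if
        the snapshot is gone, so the caller never restores from a bad source."""
        if snap not in self.snapshots:
            return False
        for idx, original in snap.diff_area.items():
            self.blocks[idx][:] = original
        return True


def demo_rollback() -> Tuple[bytes, List[int], bytes]:
    """Snapshot, overwrite two of three blocks the way an encryptor rewrites a
    file, then roll back. Returns (live after writes, saved blocks, live after rollback)."""
    vol = Volume(b"hello world!", diff_limit=8)  # 3 blocks; room to save 2
    snap = vol.create_snapshot()
    vol.write(0, b"XXXX")
    vol.write(1, b"YYYY")
    after_writes = vol.read_live()
    saved = sorted(snap.diff_area)
    vol.rollback(snap)
    return after_writes, saved, vol.read_live()


def demo_overflow() -> bool:
    """Overwrite more than the diff area can hold: the snapshot is dropped and
    rollback reports failure instead of silently restoring nothing."""
    vol = Volume(b"hello world!", diff_limit=8)
    snap = vol.create_snapshot()
    for idx, chunk in enumerate((b"XXXX", b"YYYY", b"ZZZZ")):
        vol.write(idx, chunk)
    return vol.rollback(snap)
```

Calling demo_rollback() returns the overwritten volume, the two saved block indexes and the restored original; demo_overflow() returns False because three overwritten blocks exceed the 8-byte cap and the snapshot is discarded. The practical point for a defender is the second case: rollback is only as good as the shadow storage behind it, so the size of that storage on each endpoint deserves the same attention as the policy setting.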

Benefits of Ransomware Rollback

  • Swift Recovery – Ransomware rollback allows organizations to restore their files and resume normal operations promptly. This minimizes downtime and mitigates the financial impact of the attack.
  • Cost Effectiveness – By utilizing ransomware rollback, organizations can avoid the need to pay the ransom demanded by attackers. This helps to save significant expenses that would otherwise be incurred.
  • Data Protection – Ransomware rollback ensures that valuable data remains secure and unaffected during an attack. This guarantees the integrity and confidentiality of sensitive information, preventing data loss or compromise.
  • Strengthened Cyber Resilience – The ability to recover quickly and efficiently from ransomware attacks enhances an organization’s overall cyber resilience. By effectively managing and responding to threats, organizations are better prepared to handle future cybersecurity challenges.

SentinelOne Singularity | The Ultimate XDR Solution with Ransomware Rollback

SentinelOne Singularity stands out as an advanced XDR platform that delivers extensive defense against a range of cyber threats, specifically targeting ransomware. With its cutting-edge security capabilities, including ransomware rollback, the platform equips organizations with comprehensive protection and efficient recovery mechanisms in the face of ransomware attacks.

What sets the Singularity platform apart is its exceptional ability to offer enterprise-grade ransomware rollback functionalities. By leveraging the power of artificial intelligence and machine learning, SentinelOne Singularity constantly monitors and analyzes file activities, promptly identifying ransomware attacks and autonomously triggering the rollback process.

Configuration Guide

The Dashboard

First we have to install the agent on the endpoint. During installation you have to supply the Site Token, which can be obtained from the SentinelOne Admin Panel.

Now copy the Site Token and run the installer.

Installation is done.

And you can see the device being added.

Now let's set the policy to Detect mode so we can see how the malware is detected and rolled back.

Now I have downloaded a WannaCry ransomware sample from an open-source GitHub repo.
Let's drag and drop the WannaCry sample onto the test endpoint's desktop; you will see an alert message.

Let’s install WannaCry.

It is being installed and executed; you will get an alert message here too.

In SentinelOne, under Incident -> Threat, you will see the execution happening on the endpoint.

In the Task Manager:

And the ransomware is now fully installed.

Now, to roll back to the previous state as discussed above, go to Incident -> Threat in SentinelOne, select the 4 tasks and click Mitigation Action.

It’s time to click the Rollback action and watch the magic happen.

Magic Moment:

As explained above, this works through the Volume Shadow Copy Service (VSS); let me show you.

The endpoint has been mitigated successfully.

We can also do threat hunting for the endpoint.

Important Note: SentinelOne only gives you an alert in Detect mode; I used a Detect-mode policy to showcase the rollback in case of a ransomware attack.

If Protect mode is enabled, the ransomware cannot even be dragged and dropped onto the desktop.

In the Sentinels options, use Protect mode when deploying in industry.

Conclusion

Ransomware rollback is a robust functionality found in advanced XDR solutions, allowing organizations to swiftly and efficiently recover from ransomware attacks. SentinelOne Singularity, an acclaimed XDR platform in the industry, offers this crucial feature, enabling organizations to safeguard their valuable data and ensure uninterrupted business operations in the constantly changing landscape of cyber threats. By incorporating SentinelOne Singularity and adopting recommended measures for ransomware defense, organizations can enhance their overall cybersecurity readiness and effectively combat the escalating risks posed by ransomware attacks.
