After working there for well over a month now, I can say that I have learned a lot in my time working for Digital Flow. I now have a pretty good understanding of SentinelOne and its use in endpoint protection, why endpoint teams need these tools for detection, and how these tools surface the data relevant to a detection. At this point, my duties for the internship were the report-it mailbox and verifying detections, but not acting on them. Through this I learned how dangerous phishing attacks can be, as well as some different styles of attack that a hacker could use. One instance that I saw was known as a “campaign”, where a sender would send out a batch of phishing emails to either a business or an entire department and see how many people would click on the link and how many would submit credentials. I found SentinelOne very useful for discovering whether someone had clicked on a link or installed a file from an attachment and then opened it. SentinelOne would detect malware in an attached file and let the team know that a device was infected. The team would then take action such as suspending the affected person’s account and running a clean-up on the computer, and once the computer was verified to be free of malware they would restore access to the account.
Working in a professional cybersecurity environment, I have learned to scrutinize everything. The best principle that I found in my time working was to treat every detection as a threat until it is proven beyond doubt to be a false positive. One case where this was proven true was a detection at 4 am, which was irregular because the company we were servicing was closed at that hour. The detection came from an alert about a TeamViewer session that had connected to a tool called Automate. This was alarming because that tool was vital for running automated programs, and with this being a potential threat we had to investigate what had been run through Automate. We used the Deep Visibility function in SentinelOne to investigate and scrutinize every command run through the program. After some communication with the company, and with no apparent malicious code found in our initial investigation, we found that the detection had been set off by a legitimate technician working on an issue with Automate. This was a false positive, as the person running a diagnostic of the program had run it at an irregular hour. This goes to show how important SentinelOne is, but also how important it is to have an endpoint team examine these detections: the majority of the time they end up being false positives, but in the event that they are not, they require an immediate response. Unfortunately, during my time at the internship there was not an event that was not a false positive. However, for every single detection that happened, we treated it as if it were not a false positive. Even when we had used SentinelOne’s Deep Visibility function and found nothing, we still treated it as a potential threat, as it could be a risk factor for an attack that either we did not see or the system failed to pick up. Only after we received verification from the company did we determine it was a false positive.
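The triage workflow described above (flag a remote-access session that launches the automation tool, raise severity when it happens outside business hours, review every child command, and close the alert as a false positive only once the customer has confirmed it) can be expressed as a small rule set. The following Python is an added example written for this page, not code from Digital Flow, SentinelOne or the internship; it does not reproduce SentinelOne's Deep Visibility query language. The JSON-lines telemetry, the process names (`TeamViewer.exe`, `Automate.exe`, `AnyDesk.exe`), the 08:00 to 18:00 business hours and the suspicious command-line tokens are all constructed assumptions for the illustration.

```python
import json
from datetime import datetime, time

# Constructed JSON-lines process telemetry, loosely modelled on EDR process-creation
# events. Process names, hosts, users and command lines are invented for this example.
SAMPLE_LOG = r"""
{"ts": "2023-03-14T04:02:11", "host": "WS-FIN-07", "user": "svc_tech", "parent": "TeamViewer.exe", "process": "Automate.exe", "cmdline": "Automate.exe --run-diagnostic"}
{"ts": "2023-03-14T04:02:40", "host": "WS-FIN-07", "user": "svc_tech", "parent": "Automate.exe", "process": "powershell.exe", "cmdline": "powershell.exe -File C:\\Automate\\scripts\\disk_check.ps1"}
{"ts": "2023-03-14T10:15:03", "host": "WS-FIN-02", "user": "jdoe", "parent": "explorer.exe", "process": "outlook.exe", "cmdline": "outlook.exe"}
{"ts": "2023-03-14T11:30:00", "host": "WS-FIN-03", "user": "tech2", "parent": "TeamViewer.exe", "process": "Automate.exe", "cmdline": "Automate.exe --push-patch"}
{"ts": "2023-03-14T11:31:12", "host": "WS-FIN-03", "user": "tech2", "parent": "Automate.exe", "process": "powershell.exe", "cmdline": "powershell.exe -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA"}
"""

# Assumed tool names and customer hours (not vendor-defined values).
REMOTE_ACCESS = {"teamviewer.exe", "anydesk.exe"}
AUTOMATION = {"automate.exe"}
BUSINESS_HOURS = (time(8, 0), time(18, 0))
# Assumed command-line indicators worth escalating on sight.
SUSPICIOUS_TOKENS = ("-enc", "downloadstring", "invoke-expression", "mimikatz")


def parse_events(text):
    """Parse JSON-lines telemetry into dicts with a datetime timestamp."""
    events = []
    for line in text.strip().splitlines():
        event = json.loads(line)
        event["ts"] = datetime.fromisoformat(event["ts"])
        events.append(event)
    return events


def is_off_hours(ts, hours=BUSINESS_HOURS):
    """True on weekends or outside the assumed business-hours window."""
    start, end = hours
    return ts.weekday() >= 5 or not (start <= ts.time() < end)


def build_alerts(events):
    """Rule: a remote-access tool spawning the automation tool opens an alert.
    The same chain outside business hours is rated higher, as in the 4 am case."""
    alerts = []
    for event in events:
        if event["parent"].lower() in REMOTE_ACCESS and event["process"].lower() in AUTOMATION:
            off_hours = is_off_hours(event["ts"])
            reasons = ["remote-access session launched automation tool"]
            if off_hours:
                reasons.append("activity outside business hours")
            alerts.append({
                "host": event["host"], "user": event["user"], "ts": event["ts"],
                "severity": "high" if off_hours else "medium",
                "reasons": reasons, "status": "open",
            })
    return alerts


def review_child_commands(alert, events):
    """Inspect every command the automation tool ran on that host after the alert
    and record any matching indicators on the alert."""
    hits = []
    for event in events:
        same_host = event["host"] == alert["host"]
        after_alert = event["ts"] >= alert["ts"]
        if same_host and after_alert and event["parent"].lower() in AUTOMATION:
            cmdline = event["cmdline"].lower()
            hits.extend(token for token in SUSPICIOUS_TOKENS if token in cmdline)
    alert["indicators"] = hits
    return hits


def resolve(alert, customer_confirmed):
    """An alert is a false positive only when the command review is clean AND the
    customer has confirmed the activity. A clean review on its own leaves it open,
    because the tooling may have missed something; any indicator hit escalates
    regardless of what the customer says."""
    if "indicators" not in alert:
        raise ValueError("review child commands before resolving an alert")
    if alert["indicators"]:
        alert["status"] = "escalate"
    elif customer_confirmed:
        alert["status"] = "false_positive"
    else:
        alert["status"] = "open"
    return alert["status"]


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    for alert in build_alerts(evs):
        review_child_commands(alert, evs)
        print(alert["host"], alert["severity"], alert["reasons"], alert["indicators"],
              "->", resolve(alert, customer_confirmed=True))
```

Run as-is, the 04:02 session on WS-FIN-07 is rated high for the off-hours condition, its only child command is a benign diagnostic script, and it stays `open` until the customer confirms, at which point it becomes `false_positive`; the 11:30 session on WS-FIN-03 is rated medium but its encoded PowerShell child command escalates it even with customer confirmation. The order of operations is deliberate: `resolve` refuses to run before `review_child_commands`, so an analyst cannot close an alert on the customer's word alone.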