Active Defense & Deception, Endpoint Detection & Response (EDR), Identity & Access Management

Inside SentinelOne's Bid for Defense Firm Attivo Networks

Security Experts Weigh 'Super Cool' Deception Tech, Worries in $615.5 Million Deal

Automation leader SentinelOne announced this week its plans to buy Attivo Networks, a leading identity and cyber deception security firm, for $615.5 million in a cash and stock transaction.


Described as a play to enhance zero trust integration and thwart identity-based attacks, Attivo Networks' endpoint agent will blend into SentinelOne's Singularity XDR platform. The merge would also add more visibility into end-user activity as remote work and cloud adoption have increased organizational network risk via end users.

"Identity Threat Detection and Response (ITDR) is the missing link in holistic XDR and zero trust strategies. Our Attivo acquisition is a natural platform progression for protecting organizations from threats at every stage of the attack life cycle," SentinelOne COO Nicholas Warner says in a statement.

Some are commending the announcement, saying it will aid in deterring attackers from targeting networks monitored by this technology. Other analysts, however, view the acquisition as a consolidation move, fearing it may stifle innovation or worse, as this trend continues in 2022.

SentinelOne, based in California, was founded in Israel by Tomer Weingarten, the current CEO, and former CTO Almog Cohen in 2013. Its website details the Singularity platform as an innovative, AI-powered defense tool "performing at a faster speed, greater scale, and higher accuracy than possible from any single human or even a crowd."

The agreement, if terms are met, will close during SentinelOne's second quarter this summer. It would mark the largest buy of a deception security firm to date, according to Forrester senior research analyst David Holmes.

Deception Tech Takes Center Stage

Network defenders are seeking more effective threat detection tools to combat AI tactics already leveraged by threat actors to steal credentials.

Deception security tools make use of decoys to lead attackers away from enterprise networks. Attivo Networks, for instance, offers unique cloaking capabilities through its ITDR solutions that can shield and deny attackers access to credentials, shared folders and other data, a spokesperson tells Information Security Media Group.

Attivo Networks has built a strong client base, providing endpoint defense solutions for the U.S. Department of Homeland Security, Global Cyber Alliance, Amazon Web Services and Google Cloud, among many other Fortune 500 companies. The firm has often been hailed by early investors and partners for its development of highly sophisticated identity tools.

Tushar Kothari, CEO for Attivo Networks, celebrated the partnership with SentinelOne. He says Attivo's technology could complement the XDR platform, as well as boost organizational security posture.

"As the threat landscape evolves, identity remains the central nervous system of the enterprise. Combined with the power of SentinelOne's autonomous XDR, we'll bring real-time identity threat detection and response to the front lines of cyber defense," Kothari says.

The value in this technology is akin to activating a home or auto security system on a network, according to Southern Methodist University CISO George Finney. He says this buy would allow SentinelOne to bake state-of-the-art offerings into its XDR platform, merging automation with a stealthy security tool that fights off attackers.

Finney says purchasing Attivo Networks would be a "great move" for SentinelOne and tells ISMG: "Attivo's acquisition by a mainstream EDR product will mean it will be even easier to scale deception networks. And some recent research from the NSA indicates that the bad guys spend less time on your networks when they know deception is being used, similar to how a burglar spends less time in a house with an alarm system. Deception is an active defense that puts the pressure back on the attackers to question themselves."

Forrester's Holmes compares the acquisition to other deception security deals, such as CrowdStrike's $96 million merge with Preempt. He says deception cybersecurity is "super cool" but it never took off on its own and is potentially better as an added feature. Generally, deception security firms are folding into larger vendor portfolios.

"The SentinelOne press release mentions identity just under 30 times and deception only three," Holmes writes in a blog post. "This word-count snubbing of honeypots and honeynets seems to confirm that the acquisition was all about identity, right? Or is that just what SentinelOne wants us to believe?"

Consolidation and Other Concerns

The SentinelOne acquisition announcement touches on several buzzy cybersecurity words: identity, zero trust adoption and cloud migration. This leads some experts to consider there may be more to the agreement than what lies on the surface.

"Identity is not equal to zero trust, but instead is consumed in zero trust environments," says John Kindervag, the founding father of the zero trust architecture and an ISMG contributor. He says that the merge could very well be a way for SentinelOne to rely less on third-party vendors, such as Okta or Duo Security, and calls this strategy "interesting but not transformative."

"I anticipate more of these type of consolidation plays by the larger cyber vendors as they hope to move from a product play to a platform play," says Kindervag, former CTO for Palo Alto Networks.

Security and technology giants seeking to tighten identity and other solutions could lead to larger problems, hindering the competition that keeps product innovation fresh.

"Sadly, there is a point where we may reach monoculture," Alexandre Blanc, CISO of Vars Corp., writes in a LinkedIn post. "And we know, when this happens, technology tend[s] to switch from useful to bloatware, or the kind of abuses we see with big tech and the cloud."

Carolyn Crandall, chief security advocate and CMO for Attivo Networks, tells ISMG that SentinelOne is committed to upholding and improving products currently offered by Attivo.

About the Author

Devon Warren-Kachelein


Former Staff Writer, ISMG

Warren-Kachelein began her information security journey as a multimedia journalist for SecureWorld, a Portland, Oregon-based cybersecurity events and media group. There she covered topics ranging from government policy to nation-states, as well as topics related to diversity and security awareness. She began her career reporting news for a Southern California-based paper called The Log and also contributed to tech media company Digital Trends.
