How Does SentinelOne's Ransomware Guarantee Stack Up?Protection: Up to $1,000 Per Endpoint - Subject to Terms and Conditions
Everyone fears ransomware. The file-encrypting malware is a time-wasting nightmare, at best, even for well-prepared administrators or users. Many anti-malware products also routinely fail to detect and block recent ransomware variants.
But help could be to hand: SentinelOne, an endpoint protection vendor, is seeking to stoke confidence in its security product by offering to pay a victim's ransom if its endpoint security product should fail to block the initial infection or effect-related remediation.
"We do expect to make some payouts here and there. It's going to be a statistical fact"
The guarantee program is spearheaded by Jeremiah Grossman, who formerly served as Yahoo's CISO and who also founded application security firm WhiteHat Security. Grossman joined SentinelOne as chief of security strategy in June, and while the new scheme might seem like a dicey gambit, the program is structured in such a way as to hedge the company's losses, should its product fail.
This isn't the first time Grossman has sought to put his money where his mouth is. At WhiteHat, he pioneered a guarantee program focused on web application security. It also worked well, at least from the standpoint that WhiteHat reports that it never received a related claim. Grossman has also been asserting for years that the security industry is the only sector in the world in which vendors have no liability when their products don't perform as advertised, resulting in an epic mismatch of vendors' and customers' interests.
"It's a $75 billion industry that functions like a garage sale," Grossman tells me. "All sales are final for every product in security you buy. We do not accept this in any other industry that I'm aware of."
The Devil in the Details?
SentinelOne's program offers to reimburse customers up to $1,000 per infected endpoint, or up to $1 million in total. But there are many conditions, and the guarantee isn't free. In fact, the whole thing reads more like a mini cyber insurance policy.
To obtain the related coverage, Grossman says clients will pay a surcharge of between 5 to 10 percent of the per-seat cost of their SentinelOne license, which varies according to the vagaries of software license subscription negotiations. At least in the information security space, volume discounts are also quite common.
The SentinelOne guarantee is also contingent on customers configuring their software and computers in certain ways. For example, organizations must have Windows Volume Shadow Copy Service enabled, which allows machines to be rolled back and restored.
That's where another of SentinelOne's conditions comes in: The guarantee isn't that you won't be infected, but rather that the payment covers the cost of a ransom demand if the computers can't be remediated.
"It is about remediation," says Peter Stelzhammer of AV Comparatives, an anti-virus testing organization based in Austria. "You can nearly always remediate, especially if shadow copy is turned on."
But ransomware authors have known that shadow copies can wreck their chances of obtaining a ransom, and they often disable it. Indeed, Grossman says nearly all ransomware families from the past six months meddle with shadow copies. But because legitimate third-party software never touches shadow copies, SentinelOne views any such meddling as a sign that ransomware may be on a machine and blocks related processes.
Of course, the security software might still fail to stop the ransomware. "We do expect to make some payouts here and there," Grossman says. "It's going to be a statistical fact."
But even compensating victims has benefits for SentinelOne, Grossman says. If the company has to pay $1,000 for an infected endpoint, for example, its research and development team can incorporate what it learned from that failure to improve the product. "For us - a weird way to look at it - it's R&D. We just paid $1,000 to help protect all of our customers," he says.
The guarantee also stipulates that if ransomware gets detected on a system - but for some reason doesn't get blocked - then customers must take action. In particular, the terms and conditions require that a threat be added to a blacklist within an hour of a user receiving an alert. But as Simon Edwards, founder of the anti-virus testing organization SE Labs in London, says, "this might not be realistic."
Edwards says if a non-technical user comes across such a warning, for example over the weekend, the person may not be able to reach someone who has the admin rights to edit the blacklist. Grossman says that's a good point, but tells me that the product itself will also allow any user to submit a report on something suspicious.
SentinelOne's Safeguard: Insurance
When weighing the pros and cons of this offer, keep in mind that SentinelOne only reimburses organizations for the cost of a ransom if remediation fails, and it won't immediately bail victims out. That means a potential victim would still need to have cash - or bitcoins - on hand to pay the ransom and recover their data, if they decide that this is their best course of action. Of course, the merits and ethics of paying ransoms continues to be debated.
Grossman says that from a business standpoint, SentinelOne has safeguarded the business - in the event that compensation gets out of hand - by taking out its own insurance policy to cover the cost of claims. "It's a liability equation," he says.
To date, SentinelOne has published a press release with details about the guarantee program. But will SentinelOne reveal if it has to pay a claim? Grossman says that's a good question, and that he'd like SentinelOne to publish an end-of-the-year summary on any payouts the company has made, together with details on related circumstances.
"We suffer this credibility crisis where no one really believes what we do, [and] that this [software] is going to work," Grossman says. "I think security vendors should stand by the marketing claims of their products."