Cigent Data Defense is a new approach to data security, one that complements existing solutions and places the importance of protecting data above all else. Data Defense takes concepts used in threat containment and continuous authentication and applies them as close to the data stream as possible, bringing proactive protection directly to your data. Data Defense allows users to safely and easily access critically important information, even if the system is already compromised. The result is an unprecedented level of protection, detection, and response to cyberattacks, insider threats, and lost or stolen devices.
Cigent’s management console is the centralized mechanism for monitoring, managing, and controlling Cigent Data Defense deployments. Cigent’s management console natively supports integration with the SentinelOne management console, providing increased value and security to users of both solutions.
Cigent Data Defense provides an additional response option for threats discovered by the SentinelOne solution. This response ensures that files designated as sensitive by the end user are protected by adding a second-factor authentication requirement to access those files during the heightened security state. End users can continue to access their files while in a heightened security state, and can even clear the threat should they or their SOC determine that it has been remediated.
Cigent Product Integration Architecture
The Cigent Management Console Connector Service communicates directly with the SentinelOne management console over the internet using REST APIs. No additional software or infrastructure is required by the customer to enable this integration.
Figure 1 Cigent High Level Architecture
Cigent Management Console users can set up, activate, and delete integrations to their SentinelOne instance autonomously. This integration is known as a pull integration because the Cigent Management Console polls the SentinelOne management console to determine whether any threats have been raised for devices under Cigent management. If so, an ActiveLock enable request is immediately sent to the Cigent Data Defense endpoint to protect the user’s sensitive files.
- Both Cigent Data Defense and SentinelOne agents need to be installed on devices to provide users this additional layer of response.
- Users must have administrative access to both Cigent and SentinelOne management consoles.
SentinelOne Integration Setup
Start by creating an API token for use by the Cigent Console integration. The API token generation page is found under the Options menu of the user details page of the SentinelOne console. Click Generate API token.
Figure 2 Creating SentinelOne API Token
Make note of the API token shown on the subsequent page. You will need this value to configure the Cigent console in the next section.
Figure 3 SentinelOne API token Details
Cigent Integration Configuration
Navigate to https://central.cigent.com/integrations
Figure 4 Cigent Integrations Page
To configure the Console integration, select “Set up” from the menu available under the ellipsis of the SentinelOne tile.
Figure 5 SentinelOne Integration Configuration
Enter the following information into the integration page:
SentinelOne API URL: Enter the API URL, which is typically your SentinelOne management console base URL.
SentinelOne API Token: Enter the API token created in the previous section.
Next choose the scope of response to the threats.
- Lock only the device that has a threat
  - This will engage ActiveLock only on the device with the threat.
- Lock all devices in groups to which the device with a threat is a member
  - If the device with a threat is a member of a device set (group in the Cigent Console), all members of the group will engage ActiveLock. For example, if the device is a member of the HR Device Set, all members of the HR Device Set will engage ActiveLock.
- Lock all devices
  - All devices under management by the Cigent Console will engage ActiveLock.
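The following is an added example, not Cigent’s or SentinelOne’s code, showing how the pull integration described above and the three scope-of-response options fit together: one poll cycle reads a SentinelOne-style threats listing, ignores threats on devices that are not under Cigent management, resolves each threatened device to the set of devices that must engage ActiveLock under the chosen scope, and records the lock requests so a threat already acted on is not re-sent. The `/web/api/v2.1/threats` path and the `Authorization: ApiToken …` header are the public SentinelOne API; the query filters, the threat-object field names (`agentRealtimeInfo.agentComputerName`), the device and device-set names, and the sample threat listing are constructed assumptions for illustration.

```python
import json
from typing import Dict, List, Set, Tuple

# Scope of response, as offered on the Cigent integration page.
SCOPE_DEVICE = "device"   # Lock only the device that has a threat
SCOPE_GROUPS = "groups"   # Lock all devices in groups the device belongs to
SCOPE_ALL = "all"         # Lock all devices under Cigent management

THREATS_PATH = "/web/api/v2.1/threats"  # SentinelOne threats listing (public API)


def build_threats_request(api_url: str, api_token: str) -> Tuple[str, Dict[str, str]]:
    """Return (url, headers) for polling unresolved threats.

    The 'ApiToken' authorization scheme and the v2.1 threats path are the
    public SentinelOne API; the query filters are an assumption.
    """
    url = api_url.rstrip("/") + THREATS_PATH + "?resolved=false&limit=100"
    headers = {"Authorization": f"ApiToken {api_token}"}
    return url, headers


def devices_to_lock(scope: str, threat_device: str,
                    managed_devices: Set[str],
                    device_sets: Dict[str, Set[str]]) -> Set[str]:
    """Map one threatened device to the set of devices that engage ActiveLock.

    managed_devices: every device under Cigent Console management.
    device_sets: Cigent device-set (group) name -> member device names.
    """
    if threat_device not in managed_devices:
        return set()  # threats on devices not managed by Cigent are ignored
    if scope == SCOPE_DEVICE:
        return {threat_device}
    if scope == SCOPE_GROUPS:
        targets = {threat_device}
        for members in device_sets.values():
            if threat_device in members:
                targets |= members & managed_devices
        return targets
    if scope == SCOPE_ALL:
        return set(managed_devices)
    raise ValueError(f"unknown scope: {scope!r}")


def plan_lock_requests(threats_json: str, scope: str,
                       managed_devices: Set[str],
                       device_sets: Dict[str, Set[str]],
                       seen_threat_ids: Set[str]) -> Dict[str, List[str]]:
    """One poll cycle: parse the threats listing and decide which devices to lock.

    Returns {device_name: [threat ids that caused the lock]}.  seen_threat_ids
    is updated in place so a threat already acted on is skipped next poll.
    The field names read from each threat object are an assumption about the
    SentinelOne response and should be checked against your tenant.
    """
    requests: Dict[str, List[str]] = {}
    for threat in json.loads(threats_json).get("data", []):
        threat_id = str(threat["id"])
        if threat_id in seen_threat_ids:
            continue
        seen_threat_ids.add(threat_id)
        device = threat.get("agentRealtimeInfo", {}).get("agentComputerName", "")
        for target in devices_to_lock(scope, device, managed_devices, device_sets):
            requests.setdefault(target, []).append(threat_id)
    return requests


# Constructed sample data (not real tenant output).
SAMPLE_THREATS = json.dumps({"data": [
    {"id": "1001", "agentRealtimeInfo": {"agentComputerName": "HR-LAPTOP-01"},
     "threatInfo": {"threatName": "sample.exe"}},
    {"id": "1002", "agentRealtimeInfo": {"agentComputerName": "UNMANAGED-PC"},
     "threatInfo": {"threatName": "other.exe"}},
]})
MANAGED = {"HR-LAPTOP-01", "HR-LAPTOP-02", "FIN-DESKTOP-01"}
DEVICE_SETS = {"HR Device Set": {"HR-LAPTOP-01", "HR-LAPTOP-02"},
               "Finance": {"FIN-DESKTOP-01"}}

if __name__ == "__main__":
    url, headers = build_threats_request("https://example-tenant.sentinelone.net",
                                         "<api token placeholder>")
    print("poll:", url, list(headers))
    for scope in (SCOPE_DEVICE, SCOPE_GROUPS, SCOPE_ALL):
        print(scope, plan_lock_requests(SAMPLE_THREATS, scope, MANAGED, DEVICE_SETS, set()))
```

Two design points carry over from the integration described above: the poller only ever considers devices that are under Cigent management, so a threat on an unmanaged endpoint produces no lock request, and the per-threat `seen_threat_ids` record keeps a repeated poll from resending the same ActiveLock request. The API token is a secret that grants read access to your threat data; keep it out of source and logs and store it the way you would any other service credential.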
Future Release: Choose whether the threat can only be cleared by the Console Administrator. Checking this option will hide the ability for the D3E user to clear the threat on the endpoint.
Click Save to return to the main Integrations page. The SentinelOne tile is now white, indicating it has been configured.
To enable the integration, toggle the switch next to SentinelOne Console.
Figure 6 Enabling the SentinelOne Integration
Testing the Console Integration
You can test the console integration by generating a threat on an endpoint having both SentinelOne and Cigent Data Defense installed. Within a minute of generating the threat, Data Defense should display a message indicating ActiveLock has engaged from the console due to a SentinelOne detected threat.
Figure 7 Example SentinelOne threat in Cigent Data Defense
You can also review the threats in the Threat History page even after the threats are cleared.
Cigent Data Defense Endpoint Installation
Cigent Data Defense installation guidance is available on the Cigent Support site.
SentinelOne agent installation
Refer to SentinelOne agent installation documentation for guidance.
No special setup or configuration of the SentinelOne agent is required to enable integration.