20 March 2025

GLIMPS integrates with SentinelOne for enhanced cybersecurity


Faced with the evolution of cyber-attacks, cybersecurity companies and managed service providers (MSSPs) have to deal with major challenges: a growing volume of alerts, tools that are sometimes limited in their ability to contextualize threats, and SOC (Security Operations Centers) analyst fatigue, commonly referred to as alert fatigue.

To deal with this flow of events, analysts need automatable solutions that not only identify threats, but also provide detailed information to speed up and inform decision-making.

SentinelOne’s EDR integration with GLIMPS Malware provides just such a solution, simplifying threat qualification. Our experts explain.

The limits of EDRs in the detection chain: operational challenges for SOCs

SOCs, whether in-house or handled by cybersecurity managed service providers, face major operational challenges in an environment where cyber threats are becoming increasingly complex.

One of the main issues is the high volume of alerts generated daily by Endpoint Detection and Response (EDR) agents such as SentinelOne EDR. According to Vectra, 81% of SOC analysts spend more than 2 hours a day examining and sorting security events. 50% of these professionals say they are only able to process 38% of the alerts they receive from their security tools.

At volumes that can reach hundreds of alerts per agent per day, these solutions, while effective at detecting suspicious or malicious behavior, often lack precision.

As Rodolphe Bitaud, Business Development Manager at GLIMPS, explains: “With these EDRs, it’s not uncommon to see cases where a file is detected as malicious or suspicious, but for which the specialist has no additional information to understand the typology of the threat and therefore the context. For example: is this file close in design to a known strain? What indicators have we been able to extract from the threat? What are the techniques and tactics used by the malicious file when it is activated?”

So, when an alert is raised, it indicates that a file has abnormal characteristics, but without always confirming whether the threat is real. The result: a large number of false positives that are difficult for experts to process.

These false positives force engineers, particularly those at level 1, to carry out a manual enquiry to determine whether an alert requires action, or to escalate the alert to level 2 or 3 analysts, resulting in a time-consuming sequence of actions that requires specialists to juggle multiple tools to collect the missing information.

Faced with a constant flow of repetitive and sometimes monotonous activities, these professionals quickly suffer from what is known as alert fatigue. Alert fatigue refers to a phenomenon of analyst desensitization which reduces the expert’s ability to react effectively to an alert.

This phenomenon, combined with limited contextualization tools, highlights the need for a more automated and enriched approach to freeing analysts from redundant, low value-added tasks.

Simplifying threat qualification: how SentinelOne/GLIMPS Malware integration works

The integration between SentinelOne and GLIMPS Malware aims to resolve the limitations of detection tools by autonomously handling threat qualification and enriching alerts.

When a suspicious file is detected by the SentinelOne EDR, it is automatically retrieved by GLIMPS Malware via a simple API call for further examination.

Once received by the GLIMPS Malware engine, the file goes through an advanced static analysis process, called Deep File Inspection. This method examines the file directly, without the need to run it in a dynamic environment such as a sandbox, and identifies:

  • The exact type of malware (e.g. ransomware, loader or Trojan).
  • The tactics and techniques used, aligned with the MITRE ATT&CK framework.
  • Whether the alert is a false positive or a genuine threat.

At the end of the process, the enriched results are sent back to the SentinelOne EDR in the form of a detailed note, providing SOC professionals with clear, actionable information.

GLIMPS Malware also lets you modify the behavior of the EDR by directly correcting the Analyst Verdict field in the SentinelOne console incident report. A file recognized as suspicious by SentinelOne can then be requalified by GLIMPS as a “True Positive”. If the EDR has been configured to respond automatically to this type of verdict, a complete remediation chain then follows on the user workstation concerned. This new integration takes direct advantage of GLIMPS Malware’s advanced analysis capabilities to automate the remediation process and drastically reduce MTTR (Mean Time to Response).

On the deployment side, integration is fast and frictionless, requiring only the URL of the SentinelOne instance and an API key. This guarantees integration with no impact on current operations.
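The enrichment round trip described above, as an added illustration that is not GLIMPS or SentinelOne code: a stub EDR record stands in for the SentinelOne console, the field names, verdict labels (`true_positive`, `false_positive`, `undefined`) and sample hashes are assumptions, and the real APIs of both products are not shown on this page. The point it makes explicit is the decision rule a SOC would want in such glue: attach the enrichment note every time, but only overwrite the Analyst Verdict (and so trigger auto-remediation) when the static analysis is decisive and above a confidence bar, leaving inconclusive files for a human.

```python
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class AnalysisResult:
    """Constructed stand-in for a static-analysis verdict on one file."""
    sha256: str
    malicious: Optional[bool]          # None means the engine could not decide
    confidence: float = 0.0            # 0.0 .. 1.0
    family: str = ""                   # malware family label, if any
    techniques: list = field(default_factory=list)  # MITRE ATT&CK technique IDs


@dataclass
class Threat:
    """Minimal model of an EDR threat record (hypothetical field names)."""
    threat_id: str
    sha256: str
    analyst_verdict: str = "undefined"
    notes: list = field(default_factory=list)
    mitigated: bool = False


class StubEdr:
    """Hypothetical EDR console. With auto_mitigate set, a true_positive verdict
    triggers the remediation chain, mirroring an EDR policy configured to respond
    automatically to that verdict."""

    def __init__(self, threats, auto_mitigate=True):
        self.threats = {t.threat_id: t for t in threats}
        self.auto_mitigate = auto_mitigate

    def add_note(self, threat_id, text):
        self.threats[threat_id].notes.append(text)

    def set_verdict(self, threat_id, verdict):
        threat = self.threats[threat_id]
        threat.analyst_verdict = verdict
        if verdict == "true_positive" and self.auto_mitigate:
            threat.mitigated = True


def decide_verdict(result, min_confidence=0.9):
    """Map an analysis result to an Analyst Verdict. Returns None when the engine
    is inconclusive or below the confidence bar, so the existing verdict is left
    untouched instead of being overwritten."""
    if result.malicious is None or result.confidence < min_confidence:
        return None
    return "true_positive" if result.malicious else "false_positive"


def build_note(result):
    """Render the enrichment as the plain-text note an analyst would read."""
    short = result.sha256[:12]
    if result.malicious is None:
        return f"enrichment ({short}): inconclusive, manual review needed"
    status = "MALICIOUS" if result.malicious else "benign"
    parts = [f"enrichment ({short}): {status} (confidence {result.confidence:.2f})"]
    if result.family:
        parts.append(f"family: {result.family}")
    if result.techniques:
        parts.append("ATT&CK: " + ", ".join(result.techniques))
    return "; ".join(parts)


def enrich_threat(edr, threat_id, result, min_confidence=0.9):
    """One round trip: attach the note, then correct the verdict only when the
    analysis is decisive. Returns the updated threat record."""
    threat = edr.threats[threat_id]
    if threat.sha256 != result.sha256:
        raise ValueError("analysis result does not match the detected file")
    edr.add_note(threat_id, build_note(result))
    verdict = decide_verdict(result, min_confidence)
    if verdict is not None:
        edr.set_verdict(threat_id, verdict)
    return threat


def make_samples():
    """Constructed threats and analysis results (placeholder hashes, not real IoCs)."""
    threats = [Threat("t-001", "a" * 64), Threat("t-002", "b" * 64), Threat("t-003", "c" * 64)]
    results = {
        "t-001": AnalysisResult("a" * 64, True, 0.97, "example-ransomware", ["T1486", "T1027"]),
        "t-002": AnalysisResult("b" * 64, False, 0.95),          # benign, high confidence
        "t-003": AnalysisResult("c" * 64, None, 0.40),           # engine could not decide
    }
    return threats, results


def run_demo(auto_mitigate=True):
    """Process every sample threat and return the resulting records keyed by ID."""
    threats, results = make_samples()
    edr = StubEdr(threats, auto_mitigate=auto_mitigate)
    for tid, result in results.items():
        enrich_threat(edr, tid, result)
    return edr.threats


if __name__ == "__main__":
    for t in run_demo().values():
        state = "mitigated" if t.mitigated else "open"
        print(t.threat_id, t.analyst_verdict, state, "|", t.notes[-1])
```

The `auto_mitigate` flag models the EDR-side policy the text mentions: the enrichment only sets the verdict, and whether a `true_positive` verdict fans out into a remediation chain is decided by the console configuration, not by the analysis engine. The hash check in `enrich_threat` guards against writing a verdict onto the wrong incident when results arrive out of order.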

Measurable results for analysts: reduced workload and improved detection time

The integration between SentinelOne and GLIMPS Malware solutions brings tangible benefits to SOC analysts, reducing their workload while improving their reactivity to threats.

Reduced workload

This integration saves considerable time in terms of threat qualification, as Jordan Théodore, Product Engineer at GLIMPS, points out: “We’ve seen a 75% reduction in threat qualification tasks thanks to this automation. As a result, alert triage is significantly improved, and detection specialists can fully focus on the most critical incidents.”

By making these tasks automatic, Level 1 SOC analysts are freed from repetitive operations and can concentrate on more complex, high value-added incidents.

This autonomous response also improves SOC responsiveness by reducing mean time to detection (MTTD), paving the way for faster identification of threats and limiting their persistence in the system. In addition, faster and more accurate processing of alerts contributes to a reduction in mean time to response (MTTR), facilitating decision-making and the rapid application of corrective measures.

Better defense against advanced threats

Another advantage of this integration lies in its ability to counter advanced cyberattacks, particularly those involving loaders designed to bypass EDRs. Difficult to detect, these threats exploit techniques such as IAT (Import Address Table) obfuscation and dynamic evasion, a modus operandi in which the malware masks its real behavior to evade sandbox detection.

Thanks to its advanced static analysis, GLIMPS Malware is able to identify these hidden or encoded files and detect malicious behavior that traditional approaches fail to spot.

Finally, GLIMPS Malware automates reverse-engineering tasks such as binary processing and behavior extraction, lightening the load on Level 3 SOC experts. This feature speeds up complex investigations, improves the accuracy of results and enhances the ability of teams to respond to sophisticated threats.

Adopt proactive cybersecurity today with GLIMPS Malware and SentinelOne

The integration of SentinelOne EDR and GLIMPS Malware improves the performance of SOC teams by lightening the load on analysts, speeding up threat response and enhancing detection accuracy.

For more information, our experts are at your disposal to help you integrate this solution and meet your cybersecurity needs.