Protect, Detect, Recover in Practice: Building a Complete Stack

08 December 2025 · 0x1m3 · 6 min read

The Three Pillar methodology — Protect, Detect, Recover — defines what a complete security posture looks like. But how does a three pillar security implementation actually work in practice? What gets deployed, in what order, and how do the pieces fit together?

This guide walks IT managers through each pillar: what it covers, which technology delivers it, and how the three layers integrate into a unified defence managed from a single console.

The Unified Console Advantage

Before diving into each pillar, it is worth understanding the architecture. All three technologies — SentinelOne (Protect), N-able N-central (Detect), and Cove Data Protection (Recover) — operate from the N-able N-central platform. This gives OAS a single pane of glass across every client environment.

No switching between dashboards. No correlating alerts across disconnected tools. One console, one view, one managed service.

Pillar 1 — Protect: SentinelOne EDR/XDR

What it covers: Autonomous endpoint detection and response. SentinelOne is the first line of defence — it prevents threats from executing on any device in your environment.

How it works:

SentinelOne's behavioural AI engine analyses process behaviour in real time. It does not rely on signature databases that need constant updating. Instead, it watches what software does — file modifications, registry changes, network connections, privilege escalation — and intervenes the moment behaviour turns malicious.

Key capabilities for your environment:

- Autonomous quarantine — malicious processes are killed and isolated without waiting for a human analyst. Response time drops to seconds
- Ransomware rollback — patented capability that reverses file encryption using Volume Shadow Copy integration. Files are restored to their pre-attack state automatically
- Storyline technology — reconstructs the full attack narrative across processes, files, and network events. Your IT team sees exactly what happened, not just that something was blocked
- Purple AI — natural language threat hunting. Ask questions like "show me all processes that accessed sensitive directories in the last 24 hours" and get immediate answers
- Offline protection — on-device AI operates without cloud connectivity, critical for remote sites and branch offices

SentinelOne is deployed via N-able policies and managed directly from the N-central console. OAS handles deployment, configuration, and ongoing management.

- 5 Years: Gartner Magic Quadrant Leader for Endpoint Protection
- Seconds: Autonomous response time — no human delay
- 1-Click: Ransomware rollback to pre-attack state

Pillar 2 — Detect: N-able N-central RMM

What it covers: 24/7 remote monitoring, automated patch management, and proactive threat detection across every device in your environment.

How it works:

N-able N-central deploys a lightweight agent to every endpoint, server, and network device. The agent reports health metrics, security status, software inventory, and network activity back to the central console. Automated rules trigger alerts and remediation actions when thresholds are breached.

Key capabilities for your environment:

- Continuous monitoring — 24/7 visibility across Windows, macOS, and Linux endpoints with configurable alerting thresholds
- OS patch management — every Microsoft update class and severity, plus macOS and Linux patching. Patches deploy to devices on or off the network
- Third-party patching — automated, in-house-tested patches for 100+ applications including Chrome, Adobe, Java, Zoom, and Teams. Rule-based approval workflows mean patches deploy automatically once they pass validation
- Automation engine — 700+ pre-built recipes for routine maintenance, software deployment, and health checks. Visual Automation Manager supports conditional logic without coding
- Network discovery — multi-protocol device detection reveals unmanaged devices and shadow IT on your network
- Script repository — centralised management with support for PowerShell, Bash, Python, and Shell scripts

Detection is the pillar that catches what protection misses. It identifies the early indicators of compromise — unusual login patterns, unexpected software installations, network anomalies — before they escalate into full-blown incidents.

- 700+: Pre-built automation recipes proven across millions of devices
- 100+: Third-party apps patched automatically
- 24/7: Continuous endpoint and server monitoring

Pillar 3 — Recover: Cove Data Protection

What it covers: Cloud-first backup and disaster recovery for servers, workstations, and Microsoft 365. Cove is the safety net that ensures data survives when prevention and detection are not enough.

How it works:

Cove backs up data directly to N-able's private cloud — no on-site appliances, no local storage targets that ransomware can reach. TrueDelta technology tracks changes at the block level, producing incremental backups dramatically smaller than traditional image-based solutions. This means more frequent backups, faster transfers, and tighter recovery objectives.

Key capabilities for your environment:

- Direct-to-cloud backup — servers, workstations, and Microsoft 365 protected without on-site hardware
- TrueDelta incrementals — up to 60x smaller than traditional image backups. More restore points within the same backup window
- Microsoft 365 protection — Exchange backed up 6x per day, SharePoint (including Teams) 4x per day, OneDrive included. Granular restore of individual emails, files, and calendar items
- Immutable backups — AES-256 encrypted, isolated from your production network. Attackers cannot encrypt or delete cloud-stored backups
- Multiple recovery methods — file-level restore, bare-metal recovery, virtual recovery to Hyper-V/VMware/Azure, and Standby Image for near-instant failover
- Automated recovery testing — every 14 or 30 days, Cove creates a virtual machine in the cloud, boots it, and verifies recoverability with AI/ML-powered validation
- South African data residency — 30 data centre locations across five continents, including support for SA data sovereignty requirements

- 60x: Smaller incremental backups with TrueDelta
- 6x/day: Exchange backup frequency for M365
- 99%+: Automated recovery testing success rate

How the Three Pillars Work Together

Here is the integration in action during a ransomware incident:

1. SentinelOne detects malicious behaviour and auto-contains the affected endpoint in seconds
2. N-able N-central provides device context — network location, user details, connected systems — and alerts the OAS team
3. OAS investigates using SentinelOne Storyline to understand the full attack narrative
4. SentinelOne rolls back encrypted files to their pre-attack state
5. If rollback is insufficient, Cove restores from immutable cloud backup — verified clean, tested automatically
6. OAS delivers a full incident report with root cause analysis and prevention recommendations

Two independent recovery paths. One unified response. No coordination delays between disconnected vendors.

Deployment Sequence

For IT managers planning a three pillar security implementation, here is the typical deployment order:

1. N-able N-central agent first — establishes device inventory, baseline monitoring, and remote management capability
2. SentinelOne deployed via N-able policies — endpoint protection activated and configured across all devices
3. Cove configured for servers, workstations, and Microsoft 365 — backup schedules, retention policies, and recovery testing enabled
4. Monitoring dashboards built — unified view across all three pillars in N-central
5. Ongoing managed service — OAS handles monitoring, incident response, patching, and backup verification

The entire deployment typically takes days, not weeks. OAS manages the process end to end.
