Are we too small for a CrowdStrike/SentinelOne/Arctic Wolf et al.?
Posted by MentalRip1893@reddit | sysadmin | 71 comments
We are an IT team of two, and the company is less than 200 people. We did get budget for it, but I'm wondering if we're just going overkill or something. From my perspective we're going to pay an entry level salary to a 3rd party to be on watch at least 24/5 and to react quicker and notice things we wouldn't. Seems like a good deal to me? But we have an over 87% rating on Microsoft Secure Score, running Conditional Access Policies and MFA, have incidents alerting our helpdesk so we do investigate them, and have KnowBe4... Seems like it's a 'manageable' level of security incidents, 90%+ being spam or phishing reports. But just like in the Safety industry, "if you can afford it, you should do it". Thoughts?
illicITparameters@reddit
There is no such thing as “too small”. If you have the money, you’d be a fool to not get it.
MentalRip1893@reddit (OP)
Yeah, I'm not sure what I was thinking. Perhaps along the lines of not wanting to do something just because "well, the big boys do it, so if I want to be a big boy I need it" kind of mentality instead of "no, we actually do need this".
illicITparameters@reddit
When it comes to security you SHOULD be doing what the “big boys” are doing
zmaile@reddit
Why would a solution made for large organisations with multiple resources dedicated to servicing IT security also be appropriate for a small company's 1 person IT team? Security is important, but it is still subject to cost/benefit, and big boy solutions have a much higher proportional cost for the same benefit, right?
Nova_Terra@reddit
Something like CrowdStrike for instance is actually quite hands free once set up, and it's one of many items the big boys use in the big leagues, hence why I think it also scales. The last time I set it up at a previous place all I had to recall doing was basically enabling what they recommended and then having quarterly check-ins with my account manager on best practices, what we've seen, issues etc., and just like that, that was one piece of the puzzle that I could rest assured was as good as any of the other big guys', even if I knew I was lacking elsewhere.
WraithYourFace@reddit
Problem with CS is it's a 300 seat minimum. I'm looking at other MDR providers and we only have about 125-150 seats.
Nova_Terra@reddit
I've dealt direct with CS on sub 150 endpoints, might've changed in the last 3-4 years though.
Bad_Kylar@reddit
We're a company of 30 people; we have SentinelOne, Webroot and the full Arctic Wolf suite of monitoring tools / hardware. It's worth the money alone for the Active Directory stuff S1 provides, the risk analysis that AWN provides and just the overall IR of the two companies working together.
unseenspecter@reddit
Why do you have webroot AND S1?
Bad_Kylar@reddit
Webroot has caught some stuff that other AVs haven't in my experience. They work well together. Defense in layers
furtive@reddit
Hah! We evaluated MDR three years ago and nobody wanted to work with us unless we spent $12-14 a seat with a minimum of 40-50 seats and 3 year contract, even though we only needed about 25-30 seats. There's definitely a "too small" unless you're willing to burn through money.
illicITparameters@reddit
VARs are your friend.
fp4@reddit
Usually when that happens they just want you to find a reseller/partner who deals with smaller accounts.
malikto44@reddit
This. If the cash is there, might as well have the infrastructure. Cheaper to have it in place when things are small than to have to graft it in later.
D1TAC@reddit
Yep. This.
gamebrigada@reddit
We had Crowdstrike MDR below 20 people.
WraithYourFace@reddit
Then how was it quoted? They told me a 300 seat minimum. My question is do they just say 300 seats minimum, but can adjust the price according to the amount of seats you actually use?
gamebrigada@reddit
You can't work with them direct for below 300 seats. You'll need to find an MSSP.
dllhell79@reddit
I run S1 with a user base of less than 120.
fuzzylogic_y2k@reddit
Last I checked CS was 300 seat min.
LedKestrel@reddit
When did you last check? You can buy a single Falcon license right off their website direct.
caseynnn@reddit
Less than 200? That's a nice sized company. You should really consider getting it. As others said, cyber sec is not about size. If you can afford it, you should.
BoggyBoyFL@reddit
We are a department of 4 with about 200 employees. We use a SOC as a service that provides an XDR service that includes SentinelOne. I highly recommend www.cybriant.com; it allows us to afford a SOC with 24/7/365 monitoring, endpoint, patch management, log collection and monitoring. And for less than what we could do it for in house.
RichBenf@reddit
I can't believe people are saying Arctic Wolf are amazing.
In my experience all they do is provide Wazuh and very junior SOC analysts who throw every alert back over the fence.
My experience is admittedly a few years out of date, so happy to be corrected if the situation has improved.
NoEstablishment9123@reddit
Only 65 of us, but we're planning to go with AW and add the E5 security add-on for our Business Premium.
Ok-Juggernaut-4698@reddit
IT for a manufacturing company of less than 150. No such thing as too small. Company got hacked over a year ago (before my time there) because their previous IT guy thought they were too small.
Cost a LOT of money to recover from.
Avas_Accumulator@reddit
If I had a company with any value, I'd buy Falcon Complete in an instant even if we were 5 people and if they were interested to sell.
If you're investigating Managed IDP too, make sure the license number is correct because they might charge for 600 users even in a 200 user environment
erack@reddit
If someone is offering to pay someone else to watch your fort overnight, TAKE IT. Fuck those 3am nothing alerts. Our managed SOC will only call us after 5pm if it's truly an urgent issue.
abyssea@reddit
This is good planning and since your budget allows, I would go forward with it.
Puffypenwon@reddit
Wasn't Arctic Wolf on the chopping block recently, with sysadmins saying they were reporting events almost 24 hours after they had occurred?
KareemPie81@reddit
Any size org should have one
Jalonis@reddit
You literally can't pay for 24/7 coverage for the cost of one of these services. It takes 3 security professionals just for 24/5.
I know annually for my company (450 employees but manufacturing) Crowdstrike is less than half the wage of a single security professional. It's damn near the cost of a single production employee.
BasicallyFake@reddit
No, I actually think it's a great thing for a company of that size because it will allow you a bit more comfort as you tackle other things.
Michichael@reddit
Sentinel and Arctic Wolf are beyond useless garbage. Though my opinion on Sentinel may be because of how poorly consultants implemented it (basically bricked Office, took weeks to clean out).
Arctic just... was pointless. Absolutely worthless product.
Crowdstrike is good, just expensive. If you've got budget, do it.
SecUnit-Three@reddit
we're less than 200 with Arctic Wolf
Zerguu@reddit
CrowdStrike? You mean ClownStrike?
gumbrilla@reddit
Absolutely take it. You two are not 24x7; hackers can just wait till Friday evening and make hay.
We have 150 people, we have it (CS) and I sleep a lot more soundly in my bed.
bageloid@reddit
We have Rapid7 for MDR and also S1 Vigilance.
Really love not having to worry about shit at midnight.
digitaltransmutation@reddit
Crowdstrike is like an entire job on its own. S1 less so and Arctic Wolf runs itself (you pay them to operate it, that is the point of the product).
You might have to go through a reseller, but you can definitely acquire and use them. I have clients with 30 employees tops that use them.
malikto44@reddit
I've seen a one man firm on E5. I'm guessing it works well enough.
Critical-Variety9479@reddit
Depends on your shop. If you're an all-Windows shop, properly configured Defender will be quite a bit cheaper than CrowdStrike and just as, if not more, effective. Defender has come a long way in the last couple of years. Similarly, you should consider Sentinel as your SIEM; the native integration with all things MS is a breeze with Sentinel. If you've got the cash, you can ingest endpoint logs into Sentinel directly and have all the telemetry you could possibly need. If you're firm on going with CrowdStrike for your EDR, then stick with them for Overwatch.
MentalRip1893@reddit (OP)
Yeah, we have Defender pretty well set up and have Sentinel, just don't really have the time to do the threat hunting and post mortems and all the other things besides just evaluating alerts.
Critical-Variety9479@reddit
You could potentially automate quite a bit of the threat hunting. Depending on your particular industry, there is likely a great deal of noise that just needs to be filtered out.
Also depends on how efficient the rest of your processes are for the rest of the IT function.
inarius1984@reddit
You're never too small to properly secure your environment/users and to CYA.
Candid-Molasses-6204@reddit
You are perfect for Huntress or Sentinel One. If you have MDE, Patriot Consulting or BlueVoyant is solid too.
secret_configuration@reddit
You may need to find an MSSP. We are at similar size and working with one and purchase S1 and Huntress through them.
it4brown@reddit
Arctic Wolf customer. 220 end users. Myself and one SysAdm under me.
I'll never look back. It's a huge peace of mind and their concierge service is awesome.
IT_audit_freak@reddit
We are similar size and use Arctic Wolf. The IT Manager is in love with it, given how it is basically giving him a dedicated remote SOC team 24/7 at a decent price point. Frees up time for his small team (maybe 4 people?) to focus their efforts elsewhere- while still monitoring for key events. They also provide the IT team with targeted monthly training sessions on various cyber subjects / trends.
IMO if the budget is approved for this, why not do it? What’s the actual drawback here?
RestartRebootRetire@reddit
We have <40 and got CrowdStrike. Grateful they condescended to our humble level and offered us a license. We can't afford the whole hog, but we have the standard and sleep much better at night.
Aside from their epic SNAFU a year ago, we've not had a single issue with CS in terms of performance issues.
leaflock7@reddit
Nobody with an approved budget ever wondered "should I do it or is it overkill"?
If you have the budget, "buy" it.
Worst case scenario, after 3-4 years if they no longer approve it, you can easily say "when we were paying for XYZ we could do this and that".
Downinahole94@reddit
If you have IT insurance, see what they will knock off the premium if you have such software. My email software firewall was basically free.
IamNotR0b0t@reddit
Dept of 4 supporting 500 and we have CS and AW currently. It's a game changer for smaller departments. I'm essentially on call 24/7 but can relax knowing that if I do miss a call or for whatever reason can't be available, we have prebuilt escalation with AW and an MSP.
Let's say it's Christmas Eve and you're asleep. A server becomes compromised at 2am. You work with both the MSP and AW to determine what happens next. You can allow containment and escalation without your approval within certain windows in which you may not be available or reachable.
Feed all of your Microsoft, firewall and endpoint alerts into it and you'll be happy you did, and can relax a little more knowing all the weight isn't on your shoulders 24/7.
Rawme9@reddit
That last sentence sums it up
If you can afford it, get it. The only reason companies DON'T use something similar is because they can't afford it or don't care (aka haven't been ransomwared yet).
_W-O-P-R_@reddit
Actually, your situation is one of the best use cases for an MSSP: a smaller organization that doesn't have dedicated security staff. I had a bunch of those as clients when I was in that world.
Gummyrabbit@reddit
Crowdstrike can hit anyone...big or small...they don't discriminate...😂
One_Presentation4345@reddit
CrowdStrike typically has a minimum user count of 300 users actually; we can usually get some discounting to make up for that minimum threshold for companies that fall below that mark, as it still makes sense for 100-200 user shops to use it. Happy to help if needed...
One_Presentation4345@reddit
If you need it, you're not too small. Big question is what does your business really need protected. What is the cost of a major security incident? I've worked with smaller and similar sized companies; it depends what they have at stake and what their internal resources are.
I'd also recommend taking a look at Adlumin; they tend to be cheaper than the ones you mentioned and by far provide more new product development for MDR and actual threat response / remediation versus just alerting than at least Arctic Wolf/S1. Think having a fire truck show up versus just having a fire alarm go off. I can get you pricing or walk through some of the nuances with you on Adlumin/CrowdStrike/SentinelOne/Arctic Wolf solutions if you'd like, just let me know.
PurpleFlerpy@reddit
Do it, but vet your choice of SOC carefully. Some claim to be MDR but require you to do all the work. Some will flood you with false positives that are difficult, if not impossible, to mark as such.
Thiccpharm@reddit
Arctic wolf has been great, just try to get the demo when they run the headphones promo.
Lost-Droids@reddit
Small team, small company, big risk, therefore we got CrowdStrike; they are the additional resource we need.
cheetah1cj@reddit
OP, just remember, all it takes is one user to compromise all your security. You have MFA, but if they click a phishing link and sign in, then that bypasses MFA (look up stolen session cookie for more info). If they download one suspicious thing (hopefully you don't give users local admin, but at that size it's not uncommon). Or if they open one malicious PDF, then all their passwords/stored credit cards could be stolen without you knowing.
I think that's a great idea to bring in professional 24/5 monitoring to give you a heads up that something may have happened and help you investigate. It sounds like you and your team are killing it despite your size. Keep it up.
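The stolen-session-cookie point above is exactly the kind of thing a 24/5 watcher catches that an MFA policy alone does not: once an attacker has the cookie, the identity provider sees a valid session and skips the prompt. The following added example is not from this thread or from any vendor; it shows the defender's side of that scenario, together with the earlier comment about filtering routine noise out of automated hunting. It reads constructed sign-in records (the pipe-delimited layout, the field names and the IP addresses from the documentation ranges are all assumptions of this example, not a real product's schema), remembers where each session satisfied MFA, suppresses later sign-ins from the same network or from an allowlisted office egress address, and flags a session cookie that was accepted without MFA from somewhere else.

```python
"""Flag a session cookie reused from a different network than the one
where MFA was satisfied, after dropping known-good (noise) sources.

Constructed example; the log layout and all addresses are assumptions.
"""
from dataclasses import dataclass
from datetime import datetime


@dataclass(frozen=True)
class SignIn:
    ts: datetime
    user: str
    session_id: str
    ip: str
    user_agent: str
    mfa: str  # "ok" = interactive MFA passed, "skipped" = existing session cookie accepted


@dataclass(frozen=True)
class Alert:
    user: str
    session_id: str
    mfa_ip: str      # where the MFA prompt was satisfied
    ip: str          # where the cookie was later replayed from
    ua_changed: bool  # user agent differs from the MFA sign-in (secondary indicator)


# Constructed sample records: ts|user|session_id|source_ip|user_agent|mfa=<ok|skipped>
SAMPLE_LOG = """\
2025-01-10T09:00:00Z|alice@example.com|sess-a1|203.0.113.10|Chrome/120 Windows|mfa=ok
2025-01-10T09:05:00Z|alice@example.com|sess-a1|203.0.113.10|Chrome/120 Windows|mfa=skipped
2025-01-10T09:20:00Z|alice@example.com|sess-a1|198.51.100.77|Chrome/120 Linux|mfa=skipped
2025-01-10T09:30:00Z|bob@example.com|sess-b7|203.0.113.10|Edge/120 Windows|mfa=ok
2025-01-10T09:45:00Z|bob@example.com|sess-b7|203.0.113.11|Edge/120 Windows|mfa=skipped
2025-01-10T10:00:00Z|carol@example.com|sess-c3|198.51.100.5|Safari/17 macOS|mfa=ok
2025-01-10T10:40:00Z|carol@example.com|sess-c3|198.51.100.5|Safari/17 macOS|mfa=skipped
"""

# Assumed office NAT addresses; a sign-in from these is routine and is dropped as noise.
KNOWN_EGRESS_IPS = {"203.0.113.10", "203.0.113.11"}


def parse_line(line: str) -> SignIn:
    """Parse one pipe-delimited record into a SignIn."""
    ts, user, session_id, ip, ua, mfa = line.strip().split("|")
    return SignIn(
        ts=datetime.fromisoformat(ts.replace("Z", "+00:00")),
        user=user,
        session_id=session_id,
        ip=ip,
        user_agent=ua,
        mfa=mfa.split("=", 1)[1],
    )


def parse_log(text: str) -> list[SignIn]:
    return [parse_line(l) for l in text.splitlines() if l.strip()]


def find_session_replay(events: list[SignIn], known_egress_ips: set[str]) -> list[Alert]:
    """Return one Alert per sign-in that reused a session cookie (mfa=skipped)
    from an IP that neither satisfied MFA for that session nor is allowlisted."""
    mfa_origin: dict[str, SignIn] = {}  # session_id -> the sign-in where MFA passed
    alerts: list[Alert] = []
    for e in sorted(events, key=lambda x: x.ts):
        if e.mfa == "ok":
            mfa_origin[e.session_id] = e  # remember where this session proved MFA
            continue
        origin = mfa_origin.get(e.session_id)
        if origin is None:
            continue  # MFA event outside our window; nothing to compare against
        if e.ip == origin.ip or e.ip in known_egress_ips:
            continue  # same network as the prompt, or a known office address: noise
        alerts.append(Alert(e.user, e.session_id, origin.ip, e.ip,
                            ua_changed=(e.user_agent != origin.user_agent)))
    return alerts


if __name__ == "__main__":
    for a in find_session_replay(parse_log(SAMPLE_LOG), KNOWN_EGRESS_IPS):
        print(f"possible cookie replay: {a.user} session {a.session_id} "
              f"MFA from {a.mfa_ip}, reused from {a.ip} (UA changed: {a.ua_changed})")
```

In the sample data Bob's second sign-in from another office address is dropped as noise, Carol's session stays on one network, and only Alice's cookie being accepted from an unrelated address with a different user agent is raised. In a real tenant the equivalent signal comes from the identity provider's sign-in logs, and the response step the thread describes (revoking sessions and resetting the password) is what the SOC would do on the alert.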
Sarcasticly_Unfunny@reddit
We are a smaller company like you. We were already utilizing the O365 platform and Business Premium license. We had Defender rolled out, as we had moved from Carbon Black. We added Huntress to work with Defender. They provide our identity access and SIEM as well now. We looked at Arctic Wolf. The costs were too high considering the minimum license requirement. CrowdStrike was good and it was a toss-up between them and Huntress. We went with Huntress. We do Ninjio for end user training. This works well.
Last week we had a user get a malicious link from a vendor that they happened to be waiting on paperwork from. Within 15 minutes we were alerted by the Huntress SOC and had the user on the phone to change his passwords and reset all his sessions. I was able to reach the SOC and they explained why it was flagged vs me just thinking it was the expected link. For a small team, this was great.
My only warning is Arctic Wolf can be aggressive after speaking with them. I had our rep trying to call our CEO directly. This didn't sit well.
AppIdentityGuy@reddit
It's not about your size, it's more about the value of the data you are trying to protect and the fallout of a breach.
Hollow3ddd@reddit
Do you need to spend 20-50k for cyber insurance required or beneficial compliance? Do you have a vendor to assist with these apart from them?
binaryhextechdude@reddit
Don't forget the guy who took down his 11 word or 11 line whatever it was library to left align something and broke half the internet. He didn't target anyone but he screwed a ton of people over.
peeinian@reddit
Definitely not too small. We are about 300 users and have Field Effect/Covalence and it’s awesome. We get alerted on all kinds of stuff and if there is something serious a human being calls us within 10 minutes. They also monitor our 365 accounts and can automatically lock the account if a breach is detected.
I sleep much better knowing that we have that service.
Smiling_Jack_@reddit
An XDR+EDR (assuming this is what they’re offering) is going to give so much more visibility into your org. I’d say it’s worth it for far less than 200 employees.
ThrowRAthisthingisvl@reddit
Think of it as some sort of "insurance" + force multiplication for your 2 person IT department. In other words, a tool like CrowdStrike will have your back in the event of malicious activity in your environment.
Benificial-Cucumber@reddit
I can see why you'd question the need for it if you were fighting for the budget, but if you already have budget then screw it, get it.
The downsides to these platforms are overwhelmingly split between cost, and niche circumstances that might not play well with them. If you've covered both of those bases I'm of the opinion that there's literally no reason not to add security.
baconbitswi@reddit
What’s the impact to your business and cash flow if you don’t? You can’t solely rely on your manual intervention of alerts. That said, do you have endpoint protection now? If not, it shouldn’t be a question.
bitslammer@reddit
No. The whole point of an MSSP or MDR service is for orgs that can't reasonably hire their own staff for those things.
Some of the providers in this space have minimums that they require, but you might be fine at your size.