Deciding whether to renew Arctic Wolf or cut losses and move to another MDR
Posted by Signal-Hotel5845@reddit | sysadmin | 44 comments
Hi all, coming up on renewal with Arctic Wolf but the entire solution is starting to feel a bit like a bait and switch for some things and my confidence in them is slowly eroding. I’m curious if anyone has first-hand experience with AW and/or suggestions for weeding through and choosing a potential replacement (with full network monitoring, IDP integrations, EDR integration, etc.).
For more context, I was talking with our CST specifically around their lack of clear lines for when an incident would trigger the need to engage their IR team as opposed to what the SOC would engage with (i.e. when does an incident get ’too large’ for their SOC and they punt it into their paid IR). The sales and onboarding teams made it sound much less nebulous and the seams of that are starting to show. Also, their "Security Operations Warranty" sounded great until I realized that it's more of just an "oops, well something got through, you pay for IR upfront and we'll reimburse you after the fact".
I've also been seeing a lot of negative sentiment towards AW with some horror stories sprinkled in about lack of response from AW during incidents and Pentests. To be clear, our CST team has been great and pleasant to work with so far but the hardening advice and 'threat hunting' afforded to us by our package level is fairly generic and so far very hands-off on their part (I'm very comfortable implementing suggested changes and they've highlighted some glaring issues in our environment but boy the sales team made it sound like things would be way more proactive.)
I’m currently feeling somewhat left out in the cold with a lot of telemetry but no real rubber on the road.
Radar91@reddit
We cut out AW at the renewal period. Best thing they did for us was prove we are more mature than their offering.
PTCruiserGT@reddit
Same, almost every meeting with them was telling them "we already do that" - mostly because our cyber insurance would be way higher if we didn't.
Radar91@reddit
What the final nail in the coffin was we couldn't view our own logs. We didn't pay that fee, and to wait sometimes days to get an investigation back was unacceptable.
Gumbyohson@reddit
I've had good experiences with Huntress after moving away from AW
JangoBolls@reddit
That's what we are doing at the moment.
Hot_Sun0422@reddit
We are a current AW customer.
I will say sales and our CST team have been very clear on IR.
The SOC will only alert and contain if an incident occurs. They will not help with response and recovery. That’s when the IR plan kicks in if you choose to engage. AW is not a MDR. They are a security SOC and managed SIEM.
We are on year two and we will be executing our first pen test with AW in place. I’m curious to see how this turns out.
Ok-Double-7982@reddit
"AW is not a[n] MDR".
https://arcticwolf.com/solutions/managed-detection-and-response/
Hot_Sun0422@reddit
I guess this illustrates why AW confuses everyone. You are correct. Technically they are an MDR. However, I see MDR as being SentinelOne’s managed platform where they respond by not only containing, but removing any malicious files as well. AW will not do this. Their response is very limited compared to other MDR services. They should stick to calling themselves a managed SIEM.
HorseShedShingle@reddit
With their Cylance acquisition they are certainly trying to change that
PTCruiserGT@reddit
I don't know enough about Cylance but I do know a bit about S1's MDR.
I had to help manually cleanup several orgs hit with the 3CX malware three years ago because S1 Vigilance (now Wayfinder MDR) initially marked it as a false positive 😠
https://www.reddit.com/r/msp/comments/1298161/your_flavor_of_edrmdrs_did_it_catch_3cx_before/
Storage-Q@reddit
Used them for 3 years and found their offering basic for our organization. We have since switched. Feel free to DM if you want any specifics!
Surfin_Cow@reddit
Curious what you switched to and how they compare?
Consistent_Buddy_698@reddit
Me and my team needed to use something where you get real-time feedback when things escalate and tried Atera, and so far it's been really helpful.
HorseShedShingle@reddit
They have a lot of SKUs (MDR, MR, Endpoint now via their Cylance acquisition, MSA (email phishing), IR, etc.).
It really depends on a) what are you paying for, b) is the solution fully deployed, c) what is your containment policy with them.
At a high level they will alert on stuff and then your internal team is boots on the ground. If there is an active incident they will contain workstations/servers if you’ve agreed to let them. Actual incident response with specialized help requires an IR team.
godspeedfx@reddit
We use them and it's been great. We're a small team with a large footprint and they've been invaluable.
We really just use them for the monitoring and alerting, and containment if necessary but fortunately we haven't had to test that yet. We just don't have the staff to handle all the logs we generate so they were a great fit for us.
They've caught quite a few things that we didn't notice over the last couple years. We have the option for IR if needed, but it's unlikely we'd use it.
modder9@reddit
They are there to check a box for cyber insurance. Hire internal if you want real proactive support.
Hot_Sun0422@reddit
No thanks. I’m not staffing a security team 24/7, and AW is more than checking a box.
modder9@reddit
Where did I say to staff a 24x7 team?
Hot_Sun0422@reddit
If you're going to replace AW with an internal team, you’ll need 24/7 coverage.
PacketSmeller@reddit
Exactly. Meat in the seat would be 4-5 people for 24/7 coverage. That's not even considering the minimal salary per person for "someone who cares."
modder9@reddit
You guys misunderstand. OP said he was disappointed in their additional offerings beyond having a pulse and being in a chair.
The correct path is to have an outside SOC to meet any insurance requirements, but to have internal driving your security posture forward.
Surfin_Cow@reddit
I think people are expecting a lot for an outsourced SOC. They have no skin in the game in terms of keeping you safe other than their automated SIEM/SOAR playbooks and contractual obligations. I agree if people want vested, responsive, deep business knowledge individuals no amount of outsourcing or money is going to produce what an internal team can/will do. Heck let AW handle the low level stuff and hire on someone for the big picture stuff seems to be what OP needs.
modder9@reddit
Exactly. A single internal guy to dial in your internal monitoring/playbooks and to steer AW (or whatever external SOC you choose).
The worst outcome is getting dog walked by a bottom of the barrel offshore service telling you to do random remediations with no thought to their actual risk or impact.
Hot_Sun0422@reddit
Now this I can get behind. This is how any outside SOC should be managed.
modder9@reddit
It’s literally what I said from the start. You assumed otherwise.
Hot_Sun0422@reddit
It may be what you thought you said, but it’s not what you actually said. This response was a better thought out statement.
PrincipleExciting457@reddit
It’s literally what he said. Not sure how you implied anything else.
Hot_Sun0422@reddit
It's literally not. Literally, there's way more written because they took the time to properly expand on their statement. The first can easily be construed as hiring internally instead of using an outside service, especially because OP is posting, looking for a solution to replace AW. The second statement offers up a clear idea: hire internal to coordinate your internal security program and steer your outside vendor to make sure they are helping to achieve business goals. Way different. For fuck's sake, some people need to learn how to communicate.
"They are there to check a box for cyber insurance. Hire internal if you want real proactive support and someone who cares."
"Exactly. A single internal guy to dial in your internal monitoring/playbooks and to steer AW (or whatever external SOC you choose).
The worst outcome is getting dog walked by a bottom of the barrel offshore service telling you to do random remediations with no thought to their actual risk or impact."
PrincipleExciting457@reddit
Notice how it seems like most aren’t having trouble filling in a lot of the holes you needed clarification on?
He didn't say remove the SOC. He said hire internal if you want the proactive support. Anyone that can follow a conversation can assume he is talking about what a large chunk of orgs are doing, which is to have a few dedicated to security while working along with a SOC.
Not everyone needs a detailed step-by-step break down to follow a conversation. Pandering over established talking points wastes time.
Hot_Sun0422@reddit
Our educational system is failing you.
For fuck's sake, learn to communicate.
Hot_Sun0422@reddit
My rough numbers: there are 168 hours in a 7-day week. Allowing for a 40-hour work week because we value work-life balance at our organization, that would be 4 teams. To allow for vacations and random callouts, each team would need at least 3 people, but my gut says that might be 1 person light per team. So I’d say 12 people to have 24/7 coverage.
thortgot@reddit
That assumes even staffing for all hours, which we all know isn't reasonable.
Security work scales insanely well. You don't need 12 people for a 24/7 SOC.
Hot_Sun0422@reddit
I don’t see how you have a 5-6 person team work 168 hours and account for vacations and the random sick day. It’s not uncommon to have 1 person on PTO leave and another to call out sick. How are you going to properly offer coverage in this situation unless you stack your team with more than 40 hours? Doing that is going to greatly increase the salary for “someone who cares”.
thortgot@reddit
If your team has 33% of their staff out even on an irregular basis, something is fundamentally wrong. You shouldn't hire people that don't care. Yes even if it makes the salary higher.
Security scales beautifully. Especially with modern tooling.
Hot_Sun0422@reddit
So you’re against vacations and sick leave? Nobody is allowed to have family issues? You expect 6 people to be there on their schedule and when they are scheduled off, they need to be ready to be called in to cover?
We’re not talking about technology scaling. We’re talking about guaranteed coverage in the event life happens.
thortgot@reddit
I run 24/7 teams. 6 is a reasonable number that rarely has issues. PTO and sick days overlapping is a sub-1% scenario; you don't staff for that. You manage that as an exception.
Hot_Sun0422@reddit
Please. No you don’t. Now I know you’re bullshitting.
discgman@reddit
First year with Arctic Wolf. I am my own SOC so it's even harder. If you are hands off, be lucky your job is paying for the monitoring. I like it overall; it does some good stuff. Some of the memory blocking is confusing, but once you can hash out all the issues it's solid for the most part. I wouldn't want to switch to anything else anytime soon. I also get good support when I need it.
SlipPresent3433@reddit
AW is mostly an insurance check box and falls into the SOCaaS bucket. You still need remediation and IR, and for more mature environments, to do hunting.
Current_Anybody8325@reddit
We've been pretty happy with Rapid7 for several years.
KStieers@reddit
In the past we had pentests and they didn't see anything, and I called them on it.
The last one, they saw what was going on. If you have a pen-test and they're not seeing it, make sure to call them on it.
My frustrations are in how abstracted from the backend/devs the CST team is... Getting answers or getting things fixed takes longer than it should.
When you engage their IR is probably YOUR call more than it is their call.
Surfin_Cow@reddit
We use Arctic Wolf here and we are generally pretty happy with them. I am curious as to what it is specifically that you are not getting? I think you trusted the sales team too much. Of course they are going to promise you the world. Do you get quarterly account reviews? We do and I find them very helpful. We go over the environment, changes, and get time to ask questions.
At the end of the day, are they fulfilling your needs/requirements? Is there more you need from them? Perhaps that warrants a conversation with your account manager to see what it is that you are wanting but not being provided? At the end of the day, AW is mostly an insurance check box for us, but helpful in filling in gaps with our already small team, which frankly lacks the skill/knowledge for in-depth security defense. Take what I am saying with a grain of salt as we have very few services open to the internet. Our biggest concern is probably phishing. If you want granular control over what your sec team is doing, you will have to bring it in-house, or shell out more money for paid services.
krattalak@reddit
Move.
Signal-Hotel5845@reddit (OP)
Context and reasoning?