What is our primary use case?
We are basically using it to catch things that we are missing in terms of alerts and other things. We are also using it to provide 24x7 coverage, which we just can't do.
It has sensors that are on-prem, but the data is kept in the cloud. All the alerting and consoles are also in the cloud, but it obviously needs to see our infrastructure in order to see anything that is going on.
How has it helped my organization?
It has provided just a little bit more peace of mind in terms of not having to be constantly on our toes and wondering if something is going on while we're trying to enjoy our weekends.
It gives us prescriptive guidance regarding how exactly to install the updates, etc. It doesn't do it for you, but it gives you a good heads-up and collects good information to let you hit the ground running instead of having to do the research yourself and maybe miss things.
We have also subscribed to an additional feature that they offer for vulnerability management and risk management. It is a little bit outside of the SOC. They scan daily for vulnerabilities, and they perform the scans by using agents. They scan for vulnerabilities on a daily, weekly, or monthly basis based on your preference. They also do a brute force scan of all your equipment, acting like a hacker with a scanner, and then in the risk management console, they list all of your current vulnerabilities that have been detected and what level of risk they present. You can kind of attack the high-level ones first and work your way down. It gives you kind of an action plan. It gives you a place in the console to manage it. This is an additional module that isn't part of the primary Arctic Wolf SOC. It is Arctic Wolf's risk management. It has the same agents and same equipment, but it is an additional feature.
What is most valuable?
Whenever there is a major thing like Exchange vulnerabilities, it scans our Exchange server for indicators of compromise. It then alerts us and points exactly where we need to go to check for ourselves if it is normal or not.
What needs improvement?
They focus on detecting administrator-level control compromises. Because they're focusing more on administrator-level compromise, they are less able to see if an individual user has been compromised. It is, admittedly, very difficult because they don't know what normal human behavior is. If a hacker compromises a human account and then acts just like the human, how are you ever going to notice, unless you have some inside knowledge of how the company works? For example, they overlook account lockouts on user accounts, whereas in our own alerting system, we do not. We review every account lockout, and if it is bad, we contact the person, whereas they think of that as noise because they're more focused on the administrator-level compromise. This is not their fault. I'm sure this is common with all SOCs. They can't look at everything, so they look at the important stuff.
For how long have I used the solution?
I have been using this solution since February. It has just been a few months.
What do I think about the stability of the solution?
What do I think about the scalability of the solution?
It is scalable. If you have particular things that you want them to watch, they'll basically accept an unlimited amount of these additional alerts. If you say, "This should never happen on my network," they will detect it and tell you whenever it happens. They allow you to customize the kinds of alerts. Something normally might not have been on their radar, but we know that this should never happen. So, for us, that's a definite indicator that an intruder is inside. So, we tell them, "Look at this. Alert us, and call us in the middle of the night if you see this because it is something bad. It may happen all the time in other networks, but it won't happen here."
How are customer service and support?
Their support is good. If you have questions, you can call them or submit a ticket. They're good to work with. They phoned us about the Exchange vulnerability to walk us through that.
Which solution did I use previously and why did I switch?
We hadn't used anything before.
How was the initial setup?
Its initial setup is fairly straightforward. They put in a couple of appliances, and we have to tie them to our firewall. That's the tricky part.
If you're monitoring network traffic going out through the firewall, then you would have to tap into the firewall traffic. Some do this, and some don't. Some only have agents, and some have historically been traffic-only. Nowadays, most companies are trying to do both, but some still focus mostly on traffic, and some still focus mostly on agents. I'm sure some focus mostly on just detecting indicators of compromise that they're aware of. They are only looking for those. They are not looking at traffic or agents. So, there are many ways to skin the cat, and different companies are taking or have gotten really good at different approaches. Arctic Wolf's approach is primarily traffic-based, agent-based alerting, and a little bit of indicators of compromise.
In terms of duration, if you had all your ducks in a row, it would take a week to wrestle the firewall resources, move cables around, etc.
In terms of maintenance, it doesn't take too much maintenance. The SOC is basically very low maintenance. When they alert you, they need someone to talk to who has administrator access and can deal with the problem. They'll help you deal with the problem, but they don't deal with it for you. They still need on-the-ground company staff to actually take the actions needed to shut down a breach. Normally, we don't have to do much unless they indicate that there has been a compromise, which is fairly rare. It is kind of an all-or-nothing thing. You either have it, or you don't. We may fine-tune it, but it is just there in the background almost invisible, and then they tell you if there is a problem.
What about the implementation team?
We had a consultant for the firewall configuration and the switch configuration. Our experience with them was fine. They manage our Cisco switches and firewalls. They were good.
What was our ROI?
It is difficult to know. If they managed to stop a major breach that we evaluate as really bad, they might have saved us $4 million, but there is no way to know. Did we prevent something from happening because we were on our toes or because they have a good risk management solution that helped us figure out the vulnerability and be proactive and avoid it altogether? It is hard to know whether they prevented something or not. It is like insurance.
What other advice do I have?
I would rate Arctic Wolf AWN CyberSOC a nine out of ten.
Disclosure: I am a real user, and this review is based on my own experience and opinions.