Arctic Wolf Managed Detection and Response Reviews

We are basically using it to catch things that we are missing in terms of alerts and other things. We are also using it to provide 24x7 coverage, which we just can't do.

It has sensors that are on-prem, but the data is kept in the cloud. All the alerting and consoles are also in the cloud, but it obviously needs to see our infrastructure in order to see anything that is going on.

It has provided just a little bit more peace of mind in terms of not having to be constantly on our toes and wondering if something is going on while we're trying to enjoy our weekends.

It gives us prescriptive guidance regarding how exactly to install the updates, etc. It doesn't do it for you, but it gives you good heads up and collects good information to let you hit the ground running instead of having to do the research yourself and maybe miss things.

We have also subscribed to an additional feature that they offer for vulnerability management and risk management. It a little bit outside of the SOC. They scan daily for vulnerabilities, and they perform them by using agents. They scan for vulnerabilities on a daily, weekly, or monthly basis based on your preference. They also do a brute force scan of all your equipment, acting like a hacker with a scanner, and then in the risk management console, they list all of your current vulnerabilities that have been detected and what level of risk they present. You can kind of attack the high-level ones first and work your way down. It gives you kind of an action plan. It gives you a place in the console to manage it. This is an additional module that isn't part of the primary Arctic Wolf SOC. It is Arctic Wolf's risk management. It has the same agents and same equipment, but it is an additional feature.

Whenever there is a major thing like Exchange vulnerabilities, it scans our Exchange server for indicators of compromise. It then alerts us and points exactly where we need to go to check for ourselves if it is normal or not.

They focus on detecting administrator-level control compromises. Because they're focusing more on administrator-level compromise, they are less able to see if an individual user has been compromised. It is, admittedly, very difficult because they don't know what normal human behavior is. If a hacker compromises a human account and then acts just like the human, how are you ever going to notice, unless you have some inside knowledge of how the company works? For example, they overlook account lockouts on user accounts, whereas in our own alerting system, we do not. We review every account lockout, and if it is bad, we contact the person, whereas they think of that as noise because they're more focused on the administrator-level compromise. This is not their fault. I'm sure this is common with all SOCs. They can't look at everything, so they look at the important stuff.

I have been using this solution since February. It has just been a few months.

Its stability is good.

It is scalable. If you have particular things that you want them to watch, they'll basically accept an unlimited amount of these additional alerts. If you say, "This should never happen on my network.", they will detect it and tell you whenever it happens. They allow you to customize the kinds of alerts. Something normally might not have been on their radar, but we know that this should never happen. So, for us, that's a definite indicator that an intruder is inside. So, we tell them, "Look at this. Alert us, and call us in the middle of the night if you see this because it is something bad. It may happen all the time in other networks, but it won't happen here."

Their support is good. If you have questions, you can call them or submit a ticket. They're good to work with. They phoned us about the Exchange vulnerability to walk us through that.

We hadn't used anything before.

Its initial setup is fairly straightforward. They put in a couple of appliances, and we have to tie them to our firewall. That's the tricky part. 

If you're monitoring network traffic going out through the firewall, then you would have to tap into the firewall traffic. Some do this, and some don't. Some only have agents, and some have historically been traffic-only. Nowadays, most companies are trying to do both, but some still focus mostly on traffic, and some still focus mostly on agents. I'm sure some focus mostly on just detecting indicators of compromise that they're aware of. They are only looking for those. They are not looking at traffic or agents. So, there're many ways to skin the cat, and different companies are taking or have gotten really good at different approaches. Arctic Wolf's approach is primarily traffic-based, agent-based alerting, and a little bit of indicators compromise.

In terms of duration, if you had all your ducks in a row, it would take a week to wrestle the firewall resources, move cables around, etc.

In terms of maintenance, it doesn't take too much maintenance. The SOC is basically very low maintenance. When they alert you, they need someone to talk to who has administrator access and can deal with the problem. They'll help you deal with the problem, but they don't deal with it for you. They still need on-the-ground company staff to actually take the actions needed to shut down a breach. Normally, we don't have to do much unless they indicate that there has been a compromise, which is fairly rare. It is kind of an all-or-nothing thing. You either have it, or you don't. We may fine-tune it, but it is just there in the background almost invisible, and then they tell you if there is a problem.

We had a consultant for the firewall configuration and the switch configuration. Our experience with them was fine. They manage our Cisco switches and firewalls. They were good.

It is difficult to know. If they managed to stop a major breach that we evaluate as really bad, they might have saved us $4 million, but there is no way to know. Did we prevent something from happening because we were on our toes or because they have a good risk management solution that helped us figure out the vulnerability and be proactive and avoid it altogether? It is hard to know whether they prevented something or not. It is like insurance.

I would rate Arctic Wolf AWN CyberSOC a nine out of ten.

We host many of our customers on the Arctic Wolf subseries in order to manage security events. We receive notifications and take appropriate action in terms of particular proper authentication. We also notify users if there are issues related to their access. We can login remotely. I'm the senior manager in our company. 

The product increases security for any company by detecting malware and preventing access to risky websites. 

Security protection is the best feature of this product. We get alarms or notifications when unauthorized access occurs. It's the reason we subscribe to the service and it's a user friendly product. 

I think the response time could be improved. It can sometimes take up to an hour to get notification of a problem and that's a long time. We currently report to users directly from our own dashboard. It would be helpful if they'd include a feature that would go directly to reports which would reduce the time between detection and communicating to industry partners.

Stability is good. Once we deploy it, it just works. 

Technical support falls somewhere between average and good, but we haven't had any major event to be able to evaluate this fully. 

We previously used a different solution but that was a couple of years ago and I can't recall the name. It was a startup company and the solution was not good. Response time was very poor. 

The initial setup is somewhat complex and requires deployment of hardware and software. Deployment time depends on the number of elements involved. If we have to configure 50 elements to deploy one box it can take up to three weeks. It requires planning. 

I believe the ROI is a reduced risk and a smaller team required for monitoring security operations. It doesn't require skilled resources to manage configuration.

Licensing is paid monthly with an annual contract which we can upgrade as needed. It's based on the number of users and number of elements. It's a fixed monthly rate based on the number of elements. It's pay-per-use. There are no additional costs. 

The management of this product requires a specialized skill. There are many complexities around deploying that consume a lot of time and effort. However, if you're highly security conscious, Arctic Wolf does a good job detecting incidents that come to your notice through your MSP partners. It's a choice between how critical security is for you. For large companies with high security requirements, it would make sense to have it in the cabinet.

I rate this solution a seven out of 10.