This was direct to client pricing for SOC and EDR service. It was a medical facility that had just been remediated from ransomware, and they were upselling continuing service at the end of the engagement. It was a weird situation because we were called in and they were called in as well. We were called in to run ground operations for the client and assist AW with what they needed for insurance. We had already been working with the client to implement S1 and SOC service in conjunction with their insurance co via some early conversation before the incident.

Our quote with our margins was like $72k/year. AW pitched their upsell and it was like $150k/year. Same S1 tier, but they used their own SOC while we used a different one, and I was blown away with how much they wanted to charge. My guess is a lot of it had to do with the fact they thought a client who just went through the ransomware attack would gladly pay that much for it. Once the client told them they had already quoted with us, AW asked us a few questions on that call about what we were using, we answered, and they said okay, sounds like you guys have things under control. They didn't push back with why theirs was better and complimented us on our stack, so super mellow, which I was hoping for some reasoning as to why theirs is $78k more a year better, but they didn't.

Do you all prequote services with a partner before having the sales call during an engagement with an end client?

The sales process is slimy; I'm pretty sure they make it up depending on how much they think they can get. Onboarding is not too bad: they ask you to provide a bunch of info, then they ship you a box and give you a download for endpoints, then you give them access to your cloud apps if they're watching those. Once onboarded, their SOC is going to send you a god-awful amount of informational alarms to "verify". It gets a little better as time goes on, but it's on you to help them tune it.

I have dealt with hundreds of OEMs and clients for that matter. Many times clients will want a ballpark figure on a service or product just to see if it's affordable. In those cases, we will work with the OEM to get it quoted and give them that figure. If more scoping has to be done, then we add a bit more to it. That being said, Arctic Wolf will not give any client a price quote for service without bringing a partner in first. They may give a ballpark figure, but they won't put a quote out there in writing because they can't fill it even if the client wanted it. There are other OEMs that are not as friendly. They will fuck the partners and go direct with deals when it suits them. Which is why I don't bring Dell any opportunities anymore as an SE. I just don't know when they are going to fuck us and take deals direct. I would rather deal with OEMs that are 100% partner driven than deal with OEMs that will just decide to go direct when it suits them.

First off, I apologize for any childish antics; let me know through DM and I will get that rectified. We had a network tap product for a while, but time and time again our agent would be the main source of detection / contextualization. When you think about all the TLS encrypted traffic, domains hackers are using come back unknown or clean (or they used Google, Azure, Dropbox as C2), and the infrastructure they used was AWS or Azure US based servers. Actionable alerts were low, and FPs were high.

Combined with the long onboarding time of partners implementing a tap into their client's networks, we EOLed it. We then shifted focus to Cloud MDR in the aftermath last year and made our Microsoft 365 / Azure AD monitoring (Cloud Response). It is coming up on a year old in May.

Another shift we did was focusing on managing existing AV/EDRs our partners were already invested in as an automated event generator for our agent analytics. This lets us combine our agent detections / cloud analytics with an EDR/AV's alert for a nice summary to our SOC to let partners know when those EDR alerts mean something. I hope this clears up the air; open to talking one on one anytime.

TLDR: Our agent is specifically tuned to catch east/west lateral spread in a network and any highly privileged inbound remote activity. This made tap-only alerts very hard to threat hunt and contextualize without our agent to further our investigation.
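The tap-versus-agent point made in the vendor reply above (TLS traffic to destinations that come back clean or unknown, versus an agent tuned for east/west spread and privileged inbound remote activity), worked through as an added illustration. This is not Arctic Wolf's code and does not describe its product; the flow records, host events, hostnames, IPs, the reputation table and the process allow-list are all constructed for the example. A network-only view has nothing to act on because no destination carries a bad verdict; joining the same flows to the process that opened them, and watching for a privileged remote logon followed by a service install on the same host, is what turns them into findings.

```python
"""Added illustration: why tap-only alerts on 'clean' cloud destinations are hard to
action, and what host-side process and logon context adds. All hostnames, IPs,
events and the reputation table below are constructed for the example."""
from collections import defaultdict
from datetime import datetime, timedelta

# Verdicts a tap-side lookup would return. Constructed: SaaS and cloud VM
# destinations come back clean/unknown even when they are the attacker's C2.
REPUTATION = {
    "files.cloudstorage.example": "clean",  # SaaS file store abused as a C2 channel
    "52.0.0.10": "unknown",                 # freshly provisioned cloud VM (constructed IP)
}

# What a tap sees: TLS flows, so only SNI/IP, port and volume are visible.
FLOWS = [
    {"ts": "2024-03-01T09:00:05", "src": "ws01", "dst": "files.cloudstorage.example", "port": 443, "bytes": 48120},
    {"ts": "2024-03-01T09:00:30", "src": "ws01", "dst": "52.0.0.10", "port": 443, "bytes": 2204},
    {"ts": "2024-03-01T09:01:10", "src": "ws01", "dst": "srv01", "port": 445, "bytes": 91000},
]

# What an endpoint agent sees on the same hosts (constructed, simplified schema).
HOST_EVENTS = [
    {"ts": "2024-03-01T09:00:05", "host": "ws01", "type": "net_connect", "proc": "rundll32.exe",
     "proc_path": r"C:\Users\jdoe\AppData\Local\Temp\upd.dll", "dst": "files.cloudstorage.example"},
    {"ts": "2024-03-01T09:00:30", "host": "ws01", "type": "net_connect", "proc": "rundll32.exe",
     "proc_path": r"C:\Users\jdoe\AppData\Local\Temp\upd.dll", "dst": "52.0.0.10"},
    {"ts": "2024-03-01T09:01:10", "host": "srv01", "type": "logon", "user": "CORP\\da-admin",
     "logon_type": 3, "src_host": "ws01", "privileged": True},
    {"ts": "2024-03-01T09:01:25", "host": "srv01", "type": "service_install", "user": "CORP\\da-admin",
     "service": "PSEXESVC"},
    # Benign privileged network logon with no follow-on activity: must not fire.
    {"ts": "2024-03-01T10:30:00", "host": "srv02", "type": "logon", "user": "CORP\\backup-svc",
     "logon_type": 3, "src_host": "bkp01", "privileged": True},
]

# Processes expected to talk to the internet from a workstation (assumed allow-list).
EXPECTED_NET_PROCS = {"chrome.exe", "msedge.exe", "firefox.exe", "outlook.exe", "teams.exe"}
REMOTE_LOGON_TYPES = {3, 10}  # network and RDP logons


def tap_only_findings(flows):
    """A pure network view can only act on destinations with a bad verdict."""
    return [f for f in flows if REPUTATION.get(f["dst"]) == "malicious"]


def host_correlated_findings(flows, events, window=timedelta(minutes=5)):
    """Join flows to the process that opened them and look for the
    privileged-inbound-logon -> service-install chain on each host."""
    findings = []

    # 1. Attribute each flow to its originating process (joined on host + destination here;
    #    a real pipeline joins on the full socket tuple and time). Flag unexpected binaries
    #    or anything running out of a user-writable path, whatever the destination verdict.
    by_conn = {(e["host"], e["dst"]): e for e in events if e["type"] == "net_connect"}
    for f in flows:
        e = by_conn.get((f["src"], f["dst"]))
        if e and (e["proc"].lower() not in EXPECTED_NET_PROCS or "\\AppData\\" in e["proc_path"]):
            findings.append({"kind": "suspicious_egress", "host": f["src"], "proc": e["proc"],
                             "path": e["proc_path"], "dst": f["dst"],
                             "reputation": REPUTATION.get(f["dst"], "unknown")})

    # 2. East/west hop: privileged remote logon followed by a service install by the same
    #    account on that host within the window. On the wire this is just SMB bytes to srv01.
    by_host = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_host[e["host"]].append(e)
    for host, evs in by_host.items():
        for i, e in enumerate(evs):
            if e["type"] != "logon" or not e.get("privileged") or e["logon_type"] not in REMOTE_LOGON_TYPES:
                continue
            for later in evs[i + 1:]:
                if datetime.fromisoformat(later["ts"]) - datetime.fromisoformat(e["ts"]) > window:
                    break
                if later["type"] == "service_install" and later["user"] == e["user"]:
                    findings.append({"kind": "lateral_movement", "src_host": e["src_host"], "host": host,
                                     "user": e["user"], "service": later["service"]})
    return findings


if __name__ == "__main__":
    print("tap only:", tap_only_findings(FLOWS))  # nothing actionable
    for finding in host_correlated_findings(FLOWS, HOST_EVENTS):
        print(finding)
```

Run it directly to print the findings. The matching is deliberately simplified (host plus destination for the flow join, a fixed five-minute window for the logon-to-service chain); the point is that the two egress flows only become suspicious once the originating process is known, and the SMB flow to srv01 only becomes a lateral movement finding once the logon and service-install events on srv01 are in view.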