9 min Security

‘Security industry is good at making money, not at securing customers’

Insight: Security

‘Security industry is good at making money, not at securing customers’

Arctic Wolf’s SecOps platform should make it possible for all organizations to get the most out of their security investments.

Earlier this year, we wrote an article arguing that the security industry is fundamentally broken. There are an enormous number of providers of security tools, who primarily exist to entice as many customers as possible to purchase these tools. One of the consequences is that many organizations are left with a large number of tools that they are not using optimally. This also means that all those tools do not necessarily make an organization more secure. At least, not as secure as it could be.

At the beginning of our conversation with Ian McShane, Vice President of Strategy & Planning and Field CTO of Arctic Wolf, he comes up with a similar point of view. “The security industry is very good at making money, not at securing people and organizations,” he states. One of the basic mistakes he sees is that many of the security solution providers are still far too concerned with telemetry. That’s just not the problem right now, according to McShane. The problem is the scale of the security issue. It goes far beyond what we know from traditional security. As an example of scaling up, he cites the role of firewalls. Those used to be able to keep out anything you didn’t want to allow into your environment. Nowadays, however, hardly anything is completely in your own infrastructure anymore. That means that organizations have to stop unwanted traffic much more broadly now. In other words, they need to scale it up.

This scaling up also means more complexity. And where complexity arises more or less unchecked, things get messy. This is certainly true within security, we learn from McShane. The issue is not just that organizations simply have too many tools, but als how to deploy them properly. This is a “struggle” for organizations, according to McShane.

Solving the real problem of end users

McShane can certainly be called a veteran in the security industry. He has more than 20 years under his belt, not only with some well-known security players, but also as an analyst at Gartner. There he was lead endpoint analyst, he says. In that role, he more or less saw that the security industry is not in very good shape. In his role there, he talked to many end users/organizations, all of whom had questions around actually deploying security tools in practice. He also often received calls from organizations asking if they needed to migrate from one tool to another. “In most cases, migrating from one vendor to another doesn’t accomplish anything for an organization,” McShane argues. It’s much more about what you do with the solutions you already have.

Ian McShane, VP of Strategy & Planning, Field CTO at Arctic Wolf

At Gartner, however, McShane could not solve the above problem. Hence, he said goodbye to what he calls his “dream job” and went back to the vendor side. According to him, Arctic Wolf was founded with solving that problem as its primary goal. “Arctic Wolf has built a platform that can basically pull in telemetry from pretty much any other tool,” he indicates. The platform enriches and analyzes all this incoming data, and triggers the desired response.

Arctic Wolf: focused on ‘XDR’ from the start

Anyone who is regularly involved in cybersecurity will no doubt have come across the term XDR. That term seems to be only a few years old. However, the concept is older, McShane says. In fact, you might even say Arctic Wolf invented it about a decade ago. That is, the company was set up from the beginning to do what the industry later labeled as XDR. That is often not the case for the other vendors in the market that are very vocal about XDR these days, McShane points out. Among others, he mentions CrowdStrike and SentinelOne by name.

The big difference between Arctic Wolf and these vendors is that Arctic Wolf’s platform does not depend on the endpoint to function. The other vendors build on EDR for XDR. That is, the agents on it remain a crucial part of those solutions. This approach also ensures that those vendors offer a more or less closed version of XDR. That is, you purchase it entirely from that one vendor.

Arctic Wolf does things differently and has built an Open XDR platform. This means that it does not matter where the data comes from or through which tool it comes in. That sounds good, but there is a reason why agents are so important in cybersecurity. That is, no agents often also means you can’t go as deep. At least, that is our experience. Does that apply to Arctic Wolf as well? “Yes, in principle it does, but we can go deep enough to detect everything we need,” McShane answers. And should the need arise, Arctic Wolf does have an agent available, just as it also has a network sensor in its portfolio. But in principle, these are not mandatory.

Support throughout the security journey

Technically, Arctic Wolf works differently from other XDR providers, that much is clear by now. However, that is not all. The company also distinguishes itself in other areas. More specifically, they offer something they call concierge services. These consist of people from Arctic Wolf who support customers through the entire security journey, as McShane calls it. They go to work with customers to properly configure tools to close any gaps. In theory, the vendors of those products could do this, but that doesn’t happen, according to McShane. In addition, end users could and actually should ask about it themselves, but rarely do. For Arctic Wolf, this way of working is also simply necessary, by the way. If the customer’s environment is set up optimally, Arctic Wolf can also work as efficiently as possible.

So Arctic Wolf provides a pretty comprehensive service. Customers themselves have nothing else to worry about, is the message it wants to send. In other words, we are talking about a fully managed service. Arctic Wolf delivers this service from the cloud to customers. “We’re not an MSSP,” McShane points out by way of clarification. “Those just send alerts; we tell customers exactly what to do.” In other words, the concierge team is actually an extension of the security team at customers. The advantage is that those teams now don’t have to do the boring and tedious work. At Arctic Wolf, they go through more than 2 trillion events per week. This results in well under 10 actual alerts per customer per week, according to McShane. Those are the only security alerts the customer has to worry about.

Arctic Wolf is more than MDR

Up until now, we have really only talked about the MDR service that Arctic Wolf provides. Mostly because this is the foundation of what the company does. However, MDR is only a small part of SecOps, McShane points out. He also particularly wants to highlight the offerings around security awareness training. Regular followers of this website know that we are not always keen on this part of the security industry. When we point this out during our conversation, McShane understands this attitude. “Traditionally, security awareness training has been developed with compliance in mind,” he points out. As far as he’s concerned, that’s not the right motivation to go with it.

Arctic Wolf’s fully managed service around security awareness training certainly does not have a compliance-driven slant, McShane tells us. This service delivers customized training to employees within organizations. Not every employee has the same set of duties within an organization. One result is that they are at risk in different ways. Hence, Arctic Wolf has developed a method that takes this into account. Employees are offered training that is relevant to what they do. This way, at least in theory, the training sessions have the greatest impact. Of course, employees still have to carry it out in practice. But even that is at least theoretically more achievable than if they have to do all kinds of training that have nothing to do with their tasks.

In addition to security awareness training, there are three other components that fall within the Arctic Wolf platform. We won’t go too deeply into these in this article, but we wanted to mention them anyway. Perhaps in a future article on Arctic Wolf we will dive into these a little more. They are Cloud Detection and Response, Cloud Security Posture Management and Managed Risk. The first of these is basically the same as the MDR service, but for the cloud. Cloud Security Posture Management does what the name implies. Finally, Managed Risk deals with things like asset management and prioritizing threats and actions to be taken.

Outsourcing SecOps is only logical

Outsourcing often has a somewhat negative connotation. That was certainly true of managed services as well, McShane points out. If you needed those, you were more or less saying you couldn’t do it yourself. But with the transition from endpoint to SIEM and now XDR, managed services are simply necessary. It’s all getting too complex and messy for organizations to efficiently set it up optimally themselves.

Given the trend towards managed services, it is not surprising that Arctic Wolf is growing very fast at the moment. However, despite this fast growth, Arctic Wolf will still have to pay some attention to making the platform available to organizations that may not or cannot purchase a cloud-based service. At the moment, Arctic Wolf does not have a solution for that. Apart from this, the company has a modern story that is of interest to many organizations. We would recommend all organizations that can’t see the forest for the trees when it comes to the security tools they are running to take a look at Arctic Wolf’s platform.