Reduce Risk and Increase Security Operations Efficiency with Arctic Wolf

Background

Protecting an organization from cyber-attacks has become more difficult as attackers gain sophistication and knowledge through experience, developing stealthy attacks that target key personnel in weakly protected organizations. These attackers threaten organizations with automated tools that reduce their cost and effort and enable them to target a larger population at scale.

Organizations face additional challenges securing their infrastructure due to the rapidly changing and evolving threat landscape, the growing attack surface as organizations shift to support mobile and remote workers, and the increased volume of alerts. These challenges are exacerbated by the global cybersecurity skills shortage: according to ESG research, organizations have been facing a shortage of cybersecurity skills since 2013, and almost half (48%) of organizations rank cybersecurity as one of their most critical skills shortages for 2021 (see Figure 1).¹

The skills shortage makes it harder for organizations of any size to appropriately staff cybersecurity teams, and this is driving many organizations to turn to third parties. Indeed, according to ESG research, 73% of organizations that reported a problematic shortage of cybersecurity skills said they would increase their use of third-party security services to cope with that shortage.²

Arctic Wolf Managed Security Operations

Arctic Wolf is a managed security operations services provider with a mission of ending cyber risk. Believing that security breaches are rooted in operational failures rather than simply product failures, Arctic Wolf aims to help organizations become so effective at security operations that both the risk and impact of a cyber-attack are minimized far beyond what an organization would be able to achieve on its own.

To achieve this goal, Arctic Wolf has developed the cloud-native Arctic Wolf Platform to provide security operations as a concierge service, including managed detection and response (MDR), managed risk, and managed cloud monitoring. Arctic Wolf delivers these services using a concierge security team of highly trained and experienced security experts that work as an extension of the organization’s internal teams to provide continuous monitoring, detection, and response, as well as ongoing risk management. This helps organizations proactively monitor and protect their infrastructure while strengthening their security postures.

The platform enhances the customer’s existing security stack to obtain broad visibility across the entire cloud and on-premises infrastructure. The platform becomes the centralized store for all security logs and telemetry. This helps the organization meet compliance requirements and enables Arctic Wolf to enrich the data with additional context from more than 30 sources of security data and threat intelligence. Across the entire customer base, the platform collects and analyzes more than 135 billion events every day.

Providing concierge security operations means that Arctic Wolf is responsible for reviewing and resolving security alerts. Arctic Wolf sends only those alerts that require action from the organization’s infrastructure teams to the customer. Thus, daily, across the Arctic Wolf customer base, millions of security data observations are enriched and analyzed, reducing them to thousands of security alerts. Arctic Wolf’s internal security analysts evaluate and resolve most alerts. This translates into customers having to respond to just a few actionable security events. Each customer is assigned a dedicated concierge security team that works hand-in-hand with the customer, providing round-the-clock coverage and guided response to triage alerts, stop threats, prevent damage, find root causes, validate remediations, and collaborate with the customer to continuously improve the organization’s overall security posture.

The concierge security team is also designed to work with the customer to manage and reduce risk. Managed risk efforts are focused on identifying, categorizing, and hardening risky software, assets, and accounts. Activities include cloud security posture management (CSPM), network and host-based vulnerability assessments, dark web scanning, account takeover risk assessment, and security controls benchmarking. The concierge security team can help the customer develop and manage risk reduction project plans.

Customers can add managed cloud monitoring to their managed security operations. This service identifies exposed cloud platforms and accounts, monitors IaaS services for configuration risks, monitors SaaS apps for key threats and indicators of compromise, and streamlines cloud security with cloud experts and concierge deployment and management.

Increase Efficiency With The Arctic Wolf Customer Portal

The Arctic Wolf customer portal dashboard, shown in Figure 2, is informational, providing an at-a-glance summary of the organization’s security posture, along with a summary of Arctic Wolf activity. The security score ranks the security posture relative to similar organizations in the industry. Arctic Wolf designed the score to drive security posture conversations—it is meant to be a starting point for the customer’s journey to increased security and decreased risk.

Other information includes the number of online endpoints (obtained via the Arctic Wolf agent) and security telemetry network sensors in the customer’s environment, as well as a map showing the countries generating the most threats and attacks targeting the organization.

Demonstrating how Arctic Wolf’s internal security team reduces the customer workload, the portal shows that the team analyzed and investigated 569 different data points, most of which were taken care of without having to involve the customer. Ten incidents required customer action, and these are tracked as ticketed incidents in the customer portal.

Arctic Wolf alerts customers to actionable incidents using a ticketing system. The platform creates a new ticket for each incident and alerts the customer by email and other methods, as dictated by the customer. As part of the white-glove customer onboarding process, Arctic Wolf and the customer jointly map out custom alerting and escalation procedures for various types of incidents. For example, some customers may want instant notification via email for every type of incident, whereas others may want to receive an email for everything, and an immediate phone call for ransomware. The notification and escalation configuration is captured and automated in the customer directory section of the platform’s backend.

Customers can review all open incidents through the ticketing interface, shown in Figure 3, which provides searchable and filterable incident summary and status. Clicking on a ticket provides incident details, including description, affected systems, and suggested remediation. Customers can provide status updates and feedback, and all activities and comments are captured in the incident ticket. Customers can also speak directly to the concierge security team to better understand the issue and get additional help.

Reduce Risk With Arctic Wolf Managed Detection And Response Service

ESG reviewed the concierge security team’s internal interface to the Arctic Wolf platform to help us understand how Arctic Wolf reduces customer risk while increasing both its own and its customers’ operational efficiency. The backend interface is for Arctic Wolf’s internal use and is designed to streamline the customer’s experience.

Figure 6 shows an example of an Arctic Wolf security analyst dashboard used by one team for managing risk. The dashboards are customizable to meet the needs of each analyst performing their specific security tasks (threat hunting, investigation, remediation, etc.), and over time the security analysts have developed and customized hundreds of their own dashboards to ensure they maximize their productivity.

The platform provides a wealth of information and environmental data to an Arctic Wolf security analyst investigating an incident. Figure 7 shows an investigation of a possible DocuSign phishing landing page with the page URL, the user and device information correlated from AD, DNS, DHCP logs, and more. The incident focus includes a customized playbook, guiding the security analyst through the investigation. Should the security analyst decide that the customer needs to act on the incident, the analyst can automatically create an incident ticket and alert the customer.

After deciding that the DocuSign landing page was a legitimate phishing attempt, the security analyst annotated the IP address with additional information, as shown in Figure 8. The concierge security team assigned to a customer can also share information, such as the fact that the customer normally does not allow logins from international locations, but the CEO is on vacation for a week in the Bahamas, so logins by the CEO from this location should be allowed and should not be considered a breach.

This formalized method of information and intelligence sharing spans all customers and feeds into all parts of the Arctic Wolf business, ensuring that all members of the team have immediate access to relevant data without having to search in daily notes or logs, increasing effectiveness and efficiency.

The platform incorporates a complete customer relationship management (CRM) system developed from the perspective of the customer. The CRM captures with whom Arctic Wolf is engaging, as well as their role, location, and other critical information.

Arctic Wolf captures the incident-type specific notification and escalation chain in the platform and automatically populates incident tickets with the correct notification information. Thus, the platform prevents the wrong person from being notified, or, worse, the correct people from not being notified in a timely manner about critical incidents.

Other critical information such as regular meeting schedules, outage windows, data retention policies, shared secrets, and more, are captured in the platform, making the platform the source of all truth and knowledge about a customer.

Arctic Wolf uses both its own and the customer’s network; external and agent-based risk scanners; threat intelligence; and other techniques to identify risks such as vulnerabilities, dark web alerts, CSPM problems, and more, in the infrastructure. Customers and concierge security team members can use the risks section of the risk management portal to view the list of detected risks on assets, as shown in Figure 13. The portal supports searching and filtering and users can update risk status directly from the list of risks. When a risk has been remediated, the user can change the status to Mitigation/Fix in Progress, which means that the remediation will be verified at the next scan cycle.

Clicking on an entry in the list displayed the details of the asset, including scan history, networking configuration, software packages, hotfixes, task list, and more, as shown in Figure 14. This information helps both the customer and the concierge security team understand asset health and state, hunt for active threats, and triage and prioritize risk and remediation efforts for maximum ROI.

Arctic Wolf’s goal is to advance the customer’s security journey towards ending cyber-risk. Instead of just providing a list of vulnerabilities, the concierge security team collaborates with the customer to streamline and simplify the often daunting risk mitigation effort. The result of this effort is a set of risk remediation project plans and schedules that are tracked directly in the risk management portal, as shown in Figure 15.

Customers can also create and track their own plans. Each plan can include rules defining the assets or risks that will be addressed. Thus, plans are automatically updated as assets are added or changed, risks are mitigated, and new issues are discovered.

Arctic Wolf reviews with the customer their remediation plans and efforts during monthly and quarterly status meetings and these plans help the customer understand and reduce risk over time.

This ESG Technical Validation was commissioned by Arctic Wolf and is distributed under license from ESG.

¹ Source: ESG Master Survey Results, 2021 Technology Spending Intentions Survey, Dec 2020.
² Source: ESG Master Survey Results, 2020 Technology Spending Intentions Survey, Jan 2020.
³ Source: ESG Master Survey Results, 2021 Technology Spending Intentions Survey, Dec 2020.

All trademark names are property of their respective companies. Information contained in this publication has been obtained by sources The Enterprise Strategy Group (ESG) considers to be reliable but is not warranted by ESG. This publication may contain opinions of ESG, which are subject to change from time to time. This publication is copyrighted by The Enterprise Strategy Group, Inc. Any reproduction or redistribution of this publication, in whole or in part, whether in hard-copy format, electronically, or otherwise to persons not authorized to receive it, without the express consent of The Enterprise Strategy Group, Inc., is in violation of U.S. copyright law and will be subject to an action for civil damages and, if applicable, criminal prosecution. Should you have any questions, please contact ESG Client Relations at 508.482.0188.