What is our primary use case?
We are using it to try and improve our cybersecurity overall. We are also using it to reflect on our business growth and whether we need to invest in more cybersecurity.
We started as a small, family-owned business which was purchased by a U.S. company under the same umbrella. That company wanted to have all their portfolios have a higher level of security. This was an initiative taken by the parent company. This came at the right time because we started to get more phishing attacks as we started to manage more users. There have also been more requirements on the IT department to keep us secure, along with more focus in today's world on IT security. Previously, we didn't really pay as much attention because we always thought we were a small company, and thought, "Who would want to hack us?" I guess that is no longer the case.
The service for endpoint protection needs to have an agent installed on the endpoint, and that is pretty much it. There is no specialized hardware required to use their service.
How has it helped my organization?
It removed a huge task from my shoulders onto someone whose profession it is to do this, because I'm not from a security background. It definitely makes my life a lot easier. In terms of the company, we have invested in something sophisticated and management knows that we have access to a 24/7 service. It makes them feel happier as well, especially these days when you hear about attacks, etc. For them, knowing we have a service like this in place is a good thing.
I receive probably less than five alerts per week. Most of them are caused by OpenDNS, which means there is not much they can do. These happen when our workstation is trying to reach a destination by IP address, then it will raise an alert because it suspects someone is trying to bypass the DNS security to go directly to a certain destination. With that kind of alert, the only thing we can do if we don't think it's safe is block it in the firewall. With the service from CRITICALSTART, they don't have the capability to actually block individual IP addresses. That's why those alerts keep coming in whenever there's a new IP. Our regular processes, like our ERP software, are mostly filtered and no longer come up as alerts. This has been cut down by probably more than 80 percent compared to day one.
On whatever CRITICALSTART does, it will show up and be logged. If there is an alert, and someone made a comment or did something, it will all show up in one place. That gives sort of a paper trail of what people did. Because we have agents installed on endpoints, I don't know exactly all the details of the information that is sent to CRITICALSTART. I assume since this is Zero Trust, they are probably sending everything because we keep thousands of processes with a playbook and a whitelist of filters. So, I never go in and actually check exactly what's being sent over. As far as I can see, if they have done anything, like putting something on a whitelist or triggering/disabling a filter, it all shows up.
Now, all I need to do is just go in. Luckily, we're relatively small. With most of the alerts, I'm able to address them right away because I know exactly what they are and they have done most of the leg work, then I ask the team if they will take care of the rest. That definitely saves a lot of time on my side. I can't really make a comparison between now and before last November, because we didn't do much because we weren't equipped to do much then. There might have been something going on, but we didn't know because we didn't have the resources for this kind of service.
We now have the tools and the support to actually have a clear view of what's going on. Before, it was just the traditional antivirus installed on the computer. Whatever it did, it was done without us because we couldn't really do much except block something or whitelist it. There were no humans involved. I'm not spending too much time on this because most of the jobs are done by the team from CRITICALSTART. All I do is just help them confirm whether the alert is legitimate or another regular process that we haven't playbooked yet.
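The "direct-to-IP" alert described above (a workstation connecting to an address that no DNS lookup resolved, which looks like an attempt to bypass DNS filtering) can be reproduced as a simple correlation of DNS answer logs with outbound connection logs. The block below is an added example written for this review, not CRITICALSTART's or OpenDNS's own logic; the log lines, hosts, IP addresses, the 10-minute coverage window and the `allow` set of known direct-to-IP destinations (the review's "filter this regular process" step) are all constructed assumptions.

```python
"""Added example: flag outbound connections whose destination IP was not returned
by a recent DNS answer for the same host. Illustrative only; the log format,
hosts, addresses and the coverage window are constructed assumptions."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample logs (not real traffic). One record per line, key=value fields.
DNS_LOG = """\
2024-03-01T09:00:01 host=WS-12 query=erp.example.internal answer=10.0.5.20
2024-03-01T09:00:02 host=WS-12 query=cdn.example.net answer=203.0.113.7
2024-03-01T09:03:00 host=WS-07 query=updates.example.com answer=198.51.100.9
"""

CONN_LOG = """\
2024-03-01T09:00:03 host=WS-12 dst=10.0.5.20 dport=443
2024-03-01T09:00:05 host=WS-12 dst=203.0.113.7 dport=443
2024-03-01T09:01:30 host=WS-12 dst=192.0.2.44 dport=443
2024-03-01T09:03:02 host=WS-07 dst=198.51.100.9 dport=80
2024-03-01T09:20:00 host=WS-07 dst=198.51.100.9 dport=80
"""

# Assumption: a DNS answer "covers" connections to that IP for 10 minutes.
# In production you would use the answer's TTL instead of a fixed window.
WINDOW = timedelta(minutes=10)


def parse(line):
    """Turn '2024-... host=X k=v ...' into a dict with a parsed 'ts' field."""
    ts_str, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["ts"] = datetime.fromisoformat(ts_str)
    return rec


def find_direct_ip_connections(dns_log, conn_log, window=WINDOW, allow=frozenset()):
    """Return (host, dst, dport, ts) for every connection whose destination IP
    the same host did not resolve via DNS within `window` before connecting.
    Destinations in `allow` (known direct-to-IP services) are skipped, which is
    the tuning step that removes recurring alerts for regular processes."""
    resolved = defaultdict(list)  # (host, ip) -> timestamps of DNS answers
    for line in dns_log.splitlines():
        r = parse(line)
        resolved[(r["host"], r["answer"])].append(r["ts"])

    alerts = []
    for line in conn_log.splitlines():
        c = parse(line)
        if c["dst"] in allow:
            continue
        answers = resolved.get((c["host"], c["dst"]), [])
        covered = any(timedelta(0) <= c["ts"] - t <= window for t in answers)
        if not covered:
            alerts.append((c["host"], c["dst"], int(c["dport"]), c["ts"].isoformat()))
    return alerts


if __name__ == "__main__":
    for alert in find_direct_ip_connections(DNS_LOG, CONN_LOG):
        print("direct-to-IP connection:", alert)
```

On the constructed logs this yields two alerts: WS-12 reaching 192.0.2.44 with no DNS lookup at all, and WS-07 re-contacting 198.51.100.9 seventeen minutes after its only lookup (stale coverage, which a TTL-aware version would judge more precisely). Adding a destination to `allow` is the equivalent of the filter the analysts add once a destination is confirmed to belong to a regular process.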
What is most valuable?
The 24/7 SOC security: There is a team of people who monitor our traffic and processes 24/7, so if anything raises a flag or alert, it will escalate back to me right away. That's the most incredible part: Humans working behind the scenes 24/7 to monitor our networks.
The intuitiveness and responsiveness of the updated service's user interface is pretty cool, especially the dark theme, which I like. It is easy on the eyes. It's not like a traditional portal. It looks very futuristic, but I think it's more accessible and less crowded. The new interface is definitely an improvement.
I am a one-man team. Everything is done by just me. I did find that it is easy to find things on the UI. I think it's an improvement from the one we had when I started.
What needs improvement?
Our infrastructure is very simple. The service covers almost all the endpoints, except that a service we use doesn't have a function that can control portable storage. It does scan everything, including whatever you have on a USB plugged into your computer. My suspicion is it will get there, but not right away. It doesn't have a special function to control the portable devices, and that's one thing I see lacking because sometimes we do have users who need this.
In terms of responsiveness, when I open up an alert, sometimes it takes a bit of time to load. However, it only happened once or twice. Most of the time, it takes just one click, then I'm there.
The dark theme might not be everybody's favorite. When I built the app for our users with a dark theme, everybody kept complaining. However, it's perfect for me and I like it a lot.
For how long have I used the solution?
We have not been using it for very long. We started using it sometime around last November.
What do I think about the scalability of the solution?
We do have every single endpoint covered. That's how extensive it is. One more thing we can do is have company-issued mobile device coverage. We haven't done that. It's just that we don't have that many company-issued mobile devices. Other than that, we have everything else covered.
As long as we are growing, we can probably stay with a service like this.
How are customer service and technical support?
If I have a question, I do talk to the service provider's analyst, though not very often. This is partly because we're relatively small and don't have as many processes going on a daily basis compared to some of the bigger companies. If there is an alert that I don't quite get, then I will reach out. I think the best part about CRITICALSTART is that you have access to real human beings, and usually, their response is very timely.
It's too early to see, but there is definitely value to their service. Because of the size of our business, and also because it's not a very complex business, we have had maybe two or three incidents that were close to real threats, but not even a threat. They were just some user-transferred files, which were questionable, but not malware. However, they are not something we want to have in our system. We have only been working with CRITICALSTART for less than a year, but I do see value in terms of having a team of professionals that we can access anytime we want to provide more peace of mind. It's like insurance. You don't have to use it, but having it in place definitely makes us feel better. Given how many phishing emails we receive every day, their service will become more valuable down the road. Right now, they haven't had the chance to prevent a real attack or threat yet.
In terms of support, they're really good. They have quarterly meetings where we actually talk to an engineer and their support to just go through what has gone on in the past quarter. They will give some tips on how to respond to their tickets. This makes you feel like they have your back all the time. The service side of things is really great. When they see a concern, they reach out and help just to make sure that I actually know what I'm doing.
How was the initial setup?
We were able to start using it almost right away, mainly because this was an initiative taken by our parent company. We got top priority. From the day we signed the contract to the day we started the tuning process, which was during Christmas, it was maybe two to three weeks max because there are things that I had to do on my side. I had to install all the agents on the endpoint. That was the only requirement. But if I remember correctly, it was pretty quick.
Most of the service is very straightforward. We did have a little problem removing it from an endpoint, and I had to select that change in the portal. That was the only challenge we had. Part of the service does require us to set up a DNS forwarder onsite, and that took a bit longer than the rest. Overall, everything is very straightforward. Also, when this problem came up, the support was very efficient.
It was a bit worse initially because there would be some Zero Trust; it didn't trust anything. We did have to spend a few months of time building a playbook to whitelist all our common processes and the software that we use. But, as time went on, all these regular programs were playbooked, then we started to see real behaviors that might cause problems. I think this is a very good approach. It's definitely labor-intensive, but mostly on their side, because that's the service that they provide.
Once they created the playbook, we saw fewer alerts on a daily basis. I will still see some alerts that were caused by some of our less used programs, which maybe just start triggering alerts. Also, we can start seeing things that look more like real threats, but this stopped a long time ago because of the Zero Trust policy. So, anything new to them will raise a flag, and we will work together to add a filter or block it.
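The tuning loop described in the two paragraphs above (nothing is trusted by default, every process event not covered by a playbook filter becomes an alert, and a confirmed benign program gets a filter added) can be modelled in a few dozen lines. The block below is an added example written for this review, not CRITICALSTART's playbook format or matching logic; the rule fields (`path` glob, `signer`, `parent`), the sample events and the host names are constructed assumptions.

```python
"""Added example: a Zero Trust style playbook. Any process event that no filter
matches is an alert; tuning adds a filter for a program an analyst confirmed
benign. Rule fields, paths, signers and events are constructed assumptions."""
from fnmatch import fnmatch

# A filter covers an event only when every field it lists matches.
# 'path' is a glob; 'signer' and 'parent' are exact matches when present.
PLAYBOOK = [
    {"name": "ERP client", "path": "/opt/erp/bin/erpclient", "signer": "ERP Vendor Inc."},
    {"name": "Office apps", "path": "/opt/office/*/bin/*", "signer": "Office Vendor"},
]

# Constructed process-start events as an endpoint agent might report them.
EVENTS = [
    {"host": "WS-12", "path": "/opt/erp/bin/erpclient", "signer": "ERP Vendor Inc.", "parent": "desktop-shell"},
    {"host": "WS-12", "path": "/opt/office/16.0/bin/writer", "signer": "Office Vendor", "parent": "desktop-shell"},
    # Same ERP path but unsigned: the signer pin in the filter keeps this an alert.
    {"host": "WS-07", "path": "/opt/erp/bin/erpclient", "signer": None, "parent": "desktop-shell"},
    # A rarely used program that has not been playbooked yet.
    {"host": "WS-03", "path": "/opt/labelprinter/labelprint", "signer": "Label Co", "parent": "desktop-shell"},
]


def matches(rule, event):
    """True when the event satisfies every field the rule specifies."""
    if not fnmatch(event["path"], rule["path"]):
        return False
    if "signer" in rule and event.get("signer") != rule["signer"]:
        return False
    if "parent" in rule and event.get("parent") != rule["parent"]:
        return False
    return True


def evaluate(events, playbook):
    """Zero Trust default: return every event that no playbook filter covers."""
    return [e for e in events if not any(matches(r, e) for r in playbook)]


def add_filter(playbook, event, name):
    """Tuning step after an analyst confirms an alert is a regular program.
    The new filter pins the exact path and, when the binary is signed, the
    signer, so an unsigned file at the same path is still flagged."""
    rule = {"name": name, "path": event["path"]}
    if event.get("signer"):
        rule["signer"] = event["signer"]
    return playbook + [rule]


if __name__ == "__main__":
    before = evaluate(EVENTS, PLAYBOOK)
    tuned = add_filter(PLAYBOOK, before[-1], "Label printer")
    after = evaluate(EVENTS, tuned)
    print(f"alerts before tuning: {len(before)}, after: {len(after)}")
    for e in after:
        print("still alerting:", e["host"], e["path"], "signer:", e["signer"])
```

Run against the constructed events, the untuned playbook raises two alerts: the unsigned copy of the ERP client and the label-printer program. Adding a filter for the label printer brings it down to one, while the unsigned ERP copy keeps alerting because the filter pins the signer rather than trusting the path alone.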
What about the implementation team?
From a project management standpoint, the service provider is pretty good. The onboarding process is very smooth despite the fact that it was Christmas season. Right after we signed the contract, I went on a vacation so they were able to speed up things and make sure that we had this thing up and running before I left for vacation.
What was our ROI?
If you consider sleeping better at night as a return, there is definitely a return in that. It is a comfort to know that there is a team of professionals backing you up, especially in an area that you don't feel 100 percent comfortable in. Because we never had an incident in the past, we can't really see whether the service has earned every penny that they charge. Sometimes, I still wonder if I had just gone with Sophos, would we have gotten the same result?
Our expectations have been met in terms of service delivered on time and on spec. It's just the time limits of the response and friendliness of their support. You don't see that in every service provider.
What's my experience with pricing, setup cost, and licensing?
It costs a lot for what we felt comfortable to spend.
We just decided to bite the bullet because we have to do something as a requirement first, and we have to have all our areas covered. In terms of pricing, we probably got a good deal because we are part of a bigger organization now, so we got a discount. But in this case, I guess you get what you pay for. For security, there's a balance somewhere regarding how much money you can spend in relation to how much value it's generating every year. There must be some sort of guideline out there to say what the percentage of IT spending is acceptable. I think it really depends on each company. In my experience with CRITICALSTART, I think if you have the resources to use the service, go for it. Definitely, I think it's worth it.
Which other solutions did I evaluate?
Before we committed to CRITICALSTART, we did shop around. We saw two approaches:
- Having real humans to go through every single process and help create playbooks.
- Using some sort of artificial intelligence, but still trying to do the same thing.
I definitely prefer to have a real team working on this rather than AI, because AI is still not as smart as we would hope it to be. However, it definitely costs more when real people do the job. If a resource is not a problem, I would definitely recommend this type of solution.
We had a few meetings with the guys from Sophos because they came in highly recommended by our teams in the same industry. At that time, we were still in some sort of transition from the family-owned business to the larger business. Therefore, we thought Sophos would fit our bill better, as they are cheaper. They have good service. They also have hardware appliances that we were interested in buying. We thought it would be a good fit for our business because we weren't budgeted as much to use a service like CRITICALSTART. We had quite a few meetings. We even had those meetings with the person from our parent company who took the initiative to talk to all their portfolios to push a corporate-wide solution so that we could get better discounts.
We ended up not going with Sophos because:
- As a service, Sophos was all new for us. We had never used them before.
- CRITICALSTART's Zero-Trust platform is somewhat more attractive to our non-technical management. It sounds like a much better idea not to trust anything.
At the end of the day, CRITICALSTART was recommended by a consultant company, which was used by our parent company. So, we thought if Sophos was new to us, it's probably safer to go with what they recommended just in case something happens. That's why we went with CRITICALSTART. Initially, we just felt like it was a huge jump from what we used to have. We were a little bit uncomfortable at first. Once we got used to it, it was a good service and I think we can afford it.
What other advice do I have?
So far, I'm very happy with the service. However, we have no comparison. This is the first ever MDR service that we have used. We have not had enough time to really verify the protection that the service offers is enough because we haven't suffered any attacks. We don't know whether we're lucky or if the service really does work.
You can never do enough to stay safe. It has helped me to see a lot of things going on with our network that I didn't see before. We were just not equipped with the right tools to really have a clear view of our network, and now we do.
For smaller companies, in order for them to grow, they have to trust the professionals. Sometimes, we tend to save every dollar possible and do everything on our own, either by reading a book or taking a course. It's a good thing to learn new things but I learned that no one can cover every aspect of a company's IT needs. When the time is ready, you need to leave certain things to the people who are really good in that area, freeing up yourself to do things that you are really good at.
I would give it nine out of 10 because of the pricing. So far, that's the only downside that I can see.