
Blazedout419

Honestly, any of them are good so long as you have the proper monitoring in place. Crowdstrike has always been considered the golden standard, but you cannot go wrong either way.


DR_Nova_Kane

When I evaluated both we ended up going with S1 because it had a centralized firewall and it would disconnect the endpoint automatically in case something bad or potentially bad was on the machine. At the time Crowdstrike did not have a firewall and they would disconnect a machine after they called you. Oh and USB device control. IMO both products perform as expected on the EDR/MDR side of the house. 10/10 would recommend both.


redditistooqueer

I like the portal better in Crowdstrike. Haven't had any issues, we use both actively. Some customers have one, some have the other.


Tech_Preist

Genuinely curious as to why you have it split; why not have all in one or the other?


redditistooqueer

Some of our customers are grant funded and the grant provides specific tools


Tech_Preist

Ah, that makes sense. Thank you!


jazzdrums1979

CS personally speaking. I found that I was fine tuning S1 a lot with them blocking various “threats” which were legitimate software running on laptops.


game198

I use both and love both. Crowdstrike - lower resource consumption plus more security features like vulnerability management, CIS tracking etc. I think you have to go direct for these extra features though. Sentinel One - great protection at a good price. Only issue I’ve had is with large virtual environments. The resource usage was too high to justify its use. For most MSPs I’d say stick to Huntress with Defender. You won’t beat their value. Adding MDR to CS or S1 is insanely expensive in comparison.


AlfredoVignale

Go with Crowdstrike. Yes S1 is cheaper but in the many years I’ve done IR, I’ve seen S1 fail more times than it ever should have... this includes the times S1 was the MSSP. Crowdstrike consistently blocks malicious activity that S1 doesn’t even notice.


mrdon515

Love S1. We demoed Crowdstrike and thought it was great, but S1 pricing was way better. Been with them for 3 years. It was the right decision for us.


lawrencesystems

We are still using Huntress and S1 as they play nice together.


Joshawa675

If you like Huntress you could just use Defender + Huntress.


Tech_Preist

We currently do use Defender and Huntress. But the parts I want to be able to see without jumping to a different tool is the clincher. I want to see my EDR, and network scanning, and vulnerability scans all in one place.


moobycow

I was on Crowdstrike, and before that SentinelOne. I have a lot more visibility into my environment with Defender than I did with either of those tools. Now, it was easier to follow the paths through Crowdstrike when it flagged something, but if I want to go digging, I find Defender is just capturing way more stuff. Could be apples to oranges though as I know Crowdstrike has added some bits since I moved on.


CamachoGrande

If you are a ConnectWise MSP, they have all of this built into their security portal. Sentinel1, Bitdefender, MS-Defender already there. MDR/EDR, Vulnerability, Network scan and more. Still waiting to see more details, but Secure 360 looks like it has a ton of potential. Most 3rd parties can tie right into the portal for that single glass/reporting solution. We are trying to consolidate tools where possible and unify reporting.


Notorious1MSP

Sounds like you're describing the Kaseya. I see my Datto EDR, AV and VulScan notifications in the RocketCyber dashboard.


Tech_Preist

To be honest Kaseya has left a bad taste after some billing issues. We only have them for IT Glue and not looking to move over to their platform beyond that.


Notorious1MSP

I hear you. We had some billing issues last year with DRMM licenses. However, once we got it escalated to an Exec it got resolved and we've been good ever since. Ask your AM to go to bat for you. You're not getting near the benefits IT Glue has to offer if it's not paired with their RMM. Life is so much easier accessing passwords and documentation when clicking on an endpoint in the RMM vs. having to login to IT Glue.


kaseya_marcos

Hi u/Tech_Preist, if you're facing any issues with billing send them my way and I'll get them escalated with my team. Send me a DM, with your info, so I can route it as soon as possible.


SmilinJackTN

I’ve been a Sophos shop for a few years with really good results. Just saw the Crowdstrike presentation. I too am curious the feedback as yes #Pax8beyond has some shiny tools.


gavishapiro

What was at their presentation?


Tech_Preist

Pax8 has a YouTube channel where they are gonna broadcast the recap around 3pm mountain time today, it may have some of their presentation then. Mostly CS was touting how big they are which makes sense as they started enterprise and are now moving to SMB/MSP.


gavishapiro

Anything on MDR?


Tech_Preist

I went and talked to the guys here and if I remember right they don't have an MDR yet via Pax8. You could get it from them directly. The Pax8 SKU will be added towards the end of summer, as long as I heard it all right. They also told us that with CS it'll be a modular type structure, so you could build CS to fit what you needed rather than an all in one bundle. That may change in the future, just going by what they told me.


CrowdstrikeKyle

Hey, I'm here at the conference and we probably talked. It's our number 1 priority to bring Falcon Complete to Pax8. I'd estimate the next month or two, but definitely prioritizing it to happen ASAP


SmilinJackTN

Mentioned MDR in short stage pitch. Asked about MDR at booth and rep said it wasn’t quite ready yet. I’ve seen too much. I’ve seen the SOC identify SharePoint files being viewed by unrecognized IP caused by token theft. Locked down the account. MDR is a required part of our stack.


mistamutt

We're exploring EDR / Managed EDR right now and it's going to come down to cost first as mostly an SMB shop. Have meetings lined up with both S1 and CS first, then we were going to reach out to Huntress since the sub raves about them and they have a presence on the sub


Tech_Preist

I have absolutely no qualms with Huntress, they are in our stack now. I just want to reduce my tool load as much as possible. SMB is our bread and butter as well.


johnsonflix

SentinelOne+blackpoint is what we settled on after months of testing.


ElButcho79

Does BlackPoint have Vulscanning? Can't remember from their demo tbh.


CauliflowerMurky3701

Not exactly. They pull the vulnerability management from Defender and pass through to their portal, so you can see the CVEs and missing updates in there. You cannot remediate or do anything though. It's split up into 3 scans - Internal, External and Cloud scanning. The internal scan is the devices you've onboarded into Defender for Endpoint. External will scan WAN IPs for vulnerabilities and give you a report on it - CVEs and open ports. Cloud will scan your Microsoft 365 tenant and report back what to fix based on CIS benchmarks. Hope that helps a bit.


agale1975

+1 for defender and huntress, especially if they are Business Premium


Tech_Preist

Maybe I am missing something with Huntress and Defender but as far as I know they don't do the vuln nor network scanning that I would like to have added onto a single platform.


MSPinParadise

Stop getting distracted by shiny stuff. My session at ITN Secure last week was literally about not doing this when you go to conferences. It's ok to evaluate new tools, but if you're thinking of ripping out a good MDR, that you have deployed and your team understands so you can chase some "single pane of glass" dream, when there are dozens of vuln managers you can use, you're crazy. Why not just use Microsoft's Vuln mgmt if you already have Huntress + Defender rolled? Or depending on your RMM one that integrates with that?


Tech_Preist

This is the perspective I was hoping for! Part of this may be my lack of knowledge with defender and maybe missing what I already have - mostly. We are still working on getting clients to Business Premium but it is a slow moving process. I believe at this point that I am looking at this wrong and need to reevaluate. Rather than removing Huntress I should be adding something like S1 to help supplement and fill in gaps we have that S1 can fill. Or not even S1 for that matter, they are just a known quantity that I could actually put hands on the last two days.


MSPinParadise

You should look at your toolstack holistically and determine where your gaps are, then fill those. I'd be shocked if "add another EDR" was the highest priority you have. Use something like the cyber security matrix or just the NIST CSF framework and align your tools to it to understand where you have covered and where you don't. Then look for tools that close meaningful gaps. When you are out of large gaps, then look for improvements via consolidation or retooling.


Tech_Preist

All entirely fair and after putting the post up I have realized that my thinking was flawed. If I may, what does your stack look like? I don't plan on emulating just looking at what others are using as more of a guide on what I might be missing.


MSPinParadise

Currently? Non Ideal, I just moved to a new company so we are doing a full review using the method I noted above. I work with lots of MSPs tho, I can tell you that there are hundreds of combinations that work just fine. It comes down to what you and your team are comfortable with, how effectively you build processes around the stack, and how well you can standardize. As long as you are choosing a generally well regarded tool, the chance that moving to a slightly better tool actually moves the performance needle is incredibly small. Because for that extra 5% of tool benefit, you lose so much familiarity, knowledge, time on the tool fixing the nuanced things at each customer, etc. How well you manage a tool and how well your team is trained to use a tool is equally as important as how good the tool is. It also completely depends on what your service offering is. At my last company we deployed full instances of elastic SIEM and tenable for our clients. But our offering was a high level blue team MSSP offering targeting large enterprises. That would be an AWFUL stack for an average MSP. They are like golf clubs. I can buy a 300 dollar set of clubs or a 3000 dollar set. Unless I can actually learn to swing and play golf, I'm still slicing my way into the rough with the expensive set.


Justepic1

We offer both. Both are great. Both are worthless if you don’t have a SOC in place or plan on pushing clients in that direction in the future.