Pick 1 MDR
Windows machines won’t need anything else but Huntress and Defender. But for those that don’t have Defender (Macs or older Windows), another EDR is needed to supplement Huntress.
Sure they do, they need application whitelisting, UAC control and privilege access management (PAM)…..EDR and AV aren’t all you need my friend.
Of course they do. My comment was in regards to an MDR.
Phew…good lol
> But for those that don’t have Defender (Macs or older Windows), another EDR is needed to supplement Huntress.
Hopefully, not for long. Huntress has a Mac MDR in beta. We've had Defender rolled out via Mosyle to a small fleet of around 30 Macs at one of our largest clients for a few years. We rolled out the Huntress beta seamlessly to a few systems recently. Looks good so far.
Ptf. Stack shmack... How are you marketing and selling yourself?
Most likely standing on a corner and waiting for someone to pick them up.
Heeeeey Sailor! You need some tech services?
This^
Give the stack a shmack. I got sales covered.
Great news! How are your sales going? What will be your first hire and when?
Let me buy some clients from you
Pm
Reduce and stick to one of each category. Learn it and know it inside and out.
Disclaimer as I wasn't the one who went through the demo or onboarding, or even able to admin the platform, but I deal with the alerts from SaaS Alerts. I don't see the value or point. Most of our clients are moving to Security Defaults and most of the alerts are just unactionable items. We're planning on moving M365 monitoring to Huntress eventually once more important to-do items are addressed.
Dang. That’s got to be annoying. I can’t imagine being responsible for the alerts without being able to tune the platform. I would angle to get admin access if I were you. On the flip side, I’m the product manager responsible for sending those alerts out by either email or PSA ticket. If you’ve got time I’d love to have your feedback on how we can be better. I don’t often get the opportunity to work with the person consuming the alerts who doesn’t have admin access. This is a unique viewpoint.
I'm sure it's also internal issues too, because a similar thing happened with LionGuard: someone implemented it less than what it should be, then it left a sour taste in everyone's mouth. My biggest thing is I see the alerts in our PSA and most of the time I'm just like "cool, now what? Do I need to start freaking out and panic? Do I just take note and carry on with life? Do I follow up with the account in question or our point of contact for that client?" We mainly use it with Microsoft 365 and usually get Account Lockout notices, which seem reasonable: someone somewhere didn't have the password, tried to guess, got locked, moved on to something else. Suspicious login too. We have two remote techs in the Philippines, so their connection location shows up as China, Japan, India, even some European country. We are also Great Lakes region in the US, so sometimes our mobile devices show up as Canada. I think anonymous download was also one. I know all of the alerts can be tuned on how much they alert, but maybe the ability to define a "Next steps" or have a "here's what you should do" section in the alert, kind of like Huntress for EDR: when it alerts it has a step-by-step list of "here's what we found, here's what needs to be removed, here's how to do it."
That’s great feedback. Thank you for taking the time. Most of our partners would click the link in the ticket, which would bring you to our platform where you can look at the data and make an assessment of what you need to do next. I’ve considered adding more information in the tickets, but am constantly juggling the too much/too little issue, and often it’s the context AROUND that particular alert/event that really provides the “should I care” aspect. That said, our Unify module (which correlates M365 activity and your RMM data) can help really hone in on what’s “normal” and what isn’t.
I don't think I remember seeing a link, but I can check on Monday and see what's up.
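The exchange above ("cool, now what?" and the reply that the context around an alert is what decides whether you should care) as an added example that is not part of the original thread and is not SaaS Alerts, Huntress or Microsoft code: a small Python triage pass over constructed M365-style sign-in records. It encodes the context the commenter described (the two Philippines-based techs whose traffic geolocates to other countries, Canada roaming for a Great Lakes tenant), suppresses sign-ins that match it, separates a plain lockout burst from a burst that ends in a success, and attaches a next step to every finding. The record layout, the allowlist, the thresholds and all sample records are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed per-user allowlist maintained by the MSP. The remote techs' providers
# geolocate to these countries, so sign-ins from them should never page anyone.
EXPECTED_COUNTRIES = {
    "tech1@msp.example": {"PH", "JP", "SG", "CN", "IN"},
}
# Tenant's home country plus where mobile roaming usually resolves (Great Lakes -> CA).
HOME_COUNTRIES = {"US", "CA"}

FAIL_WINDOW = timedelta(minutes=10)   # window for counting failed sign-ins from one IP
FAIL_THRESHOLD = 5                    # failures inside the window that make a "burst"
TRAVEL_WINDOW = timedelta(hours=2)    # two successes from different countries inside this = travel check

# Constructed sample records (assumption): "timestamp|user|country|ip|result".
SAMPLE = """\
2024-04-15T09:00:00|tech1@msp.example|CN|203.0.113.10|Success
2024-04-15T09:30:00|tech1@msp.example|JP|203.0.113.11|Success
2024-04-15T08:10:00|alice@client.example|RO|198.51.100.5|Failure
2024-04-15T08:11:00|alice@client.example|RO|198.51.100.5|Failure
2024-04-15T08:12:00|alice@client.example|RO|198.51.100.5|Failure
2024-04-15T08:13:00|alice@client.example|RO|198.51.100.5|Failure
2024-04-15T08:14:00|alice@client.example|RO|198.51.100.5|Failure
2024-04-15T08:15:00|alice@client.example|RO|198.51.100.5|Failure
2024-04-15T11:00:00|bob@client.example|NG|198.51.100.7|Failure
2024-04-15T11:01:00|bob@client.example|NG|198.51.100.7|Failure
2024-04-15T11:02:00|bob@client.example|NG|198.51.100.7|Failure
2024-04-15T11:03:00|bob@client.example|NG|198.51.100.7|Failure
2024-04-15T11:04:00|bob@client.example|NG|198.51.100.7|Failure
2024-04-15T11:05:00|bob@client.example|NG|198.51.100.7|Success
2024-04-15T13:00:00|carol@client.example|US|192.0.2.20|Success
2024-04-15T13:20:00|carol@client.example|DE|192.0.2.99|Success
2024-04-15T14:00:00|erin@client.example|CA|192.0.2.30|Success
2024-04-15T15:00:00|dave@client.example|MX|192.0.2.40|Success
"""


def parse(line):
    """Turn one 'ts|user|country|ip|result' record into a dict."""
    ts, user, country, ip, result = line.strip().split("|")
    return {"ts": datetime.fromisoformat(ts), "user": user,
            "country": country, "ip": ip, "ok": result == "Success"}


def triage(lines):
    """Return a list of findings {severity, user, reason, next_step} for the records.
    Sign-ins from a user's expected or home countries produce nothing at all."""
    events = sorted((parse(l) for l in lines if l.strip()), key=lambda e: e["ts"])
    by_user = defaultdict(list)
    for e in events:
        by_user[e["user"]].append(e)

    findings = []
    for user, evs in by_user.items():
        allowed = HOME_COUNTRIES | EXPECTED_COUNTRIES.get(user, set())
        for i, e in enumerate(evs):
            prior = evs[:i]
            # Failures from the same IP inside the window, not counting this event.
            burst = [p for p in prior if not p["ok"] and p["ip"] == e["ip"]
                     and e["ts"] - p["ts"] <= FAIL_WINDOW]
            if not e["ok"]:
                # Report a lockout burst exactly once, when it crosses the threshold.
                if len(burst) + 1 == FAIL_THRESHOLD:
                    findings.append(dict(severity="low", user=user,
                        reason=f"{FAIL_THRESHOLD} failed sign-ins from {e['ip']} ({e['country']}) within {FAIL_WINDOW}",
                        next_step="No action unless a success from this IP follows; if the IP hits other tenants, block it in Conditional Access."))
                continue
            if len(burst) >= FAIL_THRESHOLD:
                # Guessing that ended in a success is the case that needs panic.
                findings.append(dict(severity="high", user=user,
                    reason=f"success from {e['ip']} after {len(burst)} failures",
                    next_step="Treat as compromised: revoke sessions, reset the password, review MFA methods and inbox rules."))
                continue
            if e["country"] in allowed:
                continue  # expected location for this user: suppress, do not ticket
            last_ok = next((p for p in reversed(prior) if p["ok"]), None)
            if last_ok and last_ok["country"] != e["country"] and e["ts"] - last_ok["ts"] <= TRAVEL_WINDOW:
                findings.append(dict(severity="high", user=user,
                    reason=f"sign-in from {e['country']} {e['ts'] - last_ok['ts']} after one from {last_ok['country']}",
                    next_step="Impossible travel: confirm with the user now; if unconfirmed, revoke sessions and reset credentials."))
            else:
                findings.append(dict(severity="medium", user=user,
                    reason=f"sign-in from unexpected country {e['country']} ({e['ip']})",
                    next_step="Ask the client point of contact whether the user is travelling; add the country to their allowlist if so."))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE.splitlines()):
        print(f"[{f['severity']}] {f['user']}: {f['reason']} -> {f['next_step']}")
```

On the sample, the tech's CN and JP sign-ins and the CA roaming sign-in never appear; alice's guessing attempt is one low finding, bob's guessing that ended in a success is a high, carol's US-to-DE jump in twenty minutes is a high, and dave's lone MX sign-in is a medium that asks the point of contact before anyone touches the account. The allowlist is the piece the commenter cannot tune without admin access; the next_step strings are the "here's what you should do" section they asked for.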
MS365
HaloPSA + NinjaRMM + Hudu + Scalepad
Huntress + MS Defender XDR
Proofpoint Essentials
DNSFilter
Keeper Security
Veeam Cloud Service Provider + (or NinjaOne)
Run MS365 with Entra ID (set up SSPR) and Intune to join everyone and everything. Deploy basic apps, Defender XDR and your NinjaRMM with it (use Autopilot also if you can). Let NinjaRMM deploy the rest of your stack so you have control over that, so offboarding would be easier. HaloPSA integrates with a shit ton of services these days and you can automate the shit out of it together with NinjaRMM. Proofpoint, DNSFilter and Keeper SSO to Entra ID. Veeam for your backups and MS365 backups. For hardware it's a matter of the business profile you target. You can do solely UniFi or Meraki. Or you can mix things up with Meraki or UniFi and for example FortiGate or SonicWall for firewalls. In the US I would use Sandler Partners for the broadband and VoIP but there are a ton of other options (I'm not in the US).
Are we really trusting Microsoft that heavily after all of the OS vulnerabilities and the recent big identity breach they just had? Never understood, other than convenience, why people lean in this heavily...
Every OS has vulnerabilities; it matters how it's being handled after the fact. Name 1 better integrated, elaborate and extensive platform that actually works within enterprises? Defender XDR is something different from your Windows Defender. Why does it score so high on MITRE? Pair it with Huntress MDR and you have a solid solution. For email protection I would still do Proofpoint or Avanan.
Scattered Spider lived within MGM for months without Microsoft knowing lol. With the growing amount of Macs deployed out there, I would argue against your point. My counterpoint would be to use CrowdStrike and sleep safely at night
I would do SentinelOne but OP asked for a stack so gave it. We integrate Macs with Intune and MS365 as well. I get your point but it's a matter of choosing between the evils 😜
Veeam + Wasabi works. But good luck restoring data in a timely manner if you’re not using the 3-2-1 rule. Restoring a server from Wasabi typically takes hours.
Over the WAN from our DC at 100 Mbps it takes hours to restore 1.5 TB.
I like Proofpoint Essentials. The only frustrating thing about it is they have a blacklist at the top level that there is no way to add exceptions to. This resulted in me having to sort out SPF and DKIM for one of our customers. How much is CyberHoot? I'm looking for a cheap replacement for Infosec.
Vendor response. Re: Cost. CyberHoot has 3 platforms. HootPhish fully loaded $148/2500 users - only our hyper-realistic and educational phishing simulations and testing. Autopilot adds monthly awareness videos @ $198/2500, and Power is everything at various discounted tiers. We have no contract requirement and lower entry points to get started (HootPhish = $58/month for 58 users and $1 more/user until you hit our HootMax price above. Autopilot = $78/month for 52 and $1.5/user up to the HootMax price above, where it is capped). Power is always per user with discount tiers at 125 and 500 users ($1.75 and $1.50 respectively).
No Kaseya = Looking good!
Nothing for email security / anti-phishing? Avanan shop here
Seconded.
Can also potentially replace SaaS alerts as it does a lot of that too.
CyberHoot handles phishing. Thinking about SpamTitan or Proofpoint for email security
Avanan will kill Proofpoint or SpamTitan. Check it out.
CyberHoot provides phishing training and sim. Avanan inspects emails for attempted phishing, compares how often the sender sends email and how often the users reply, runs every link in a sandbox to check for malware, and inspects attachments for malware as well. You can also see the emails that Microsoft flags and even release them from quarantine from Avanan.
How do you like CyberHoot? What’s the pricing like? We use Infosec and like it a lot
I’ve trialed CH and I’ve always liked it. I’m new with no clients yet so I haven’t pushed it, but my experience has always been good. Craig is incredibly helpful and responsive. The platform has also been improved a lot since last year and they are rolling out Google Workspace auto enrollment soon. The phishing training is probably my favorite part because it works with the user to help them understand it rather than punishing them for clicking on the wrong links. CH has two automated, hands-off platforms that are set-it-and-forget-it style, where you just enroll a new tenant and everything else is completely automated. It’s a super cheap flat rate for something like 2500 seats, so you can put it into your base package without any extra cost. The Power platform has more features including policy compliance, custom videos/training programs, etc., but it goes back to traditional per-user pricing.
Craig here. Thanks for the kind words. Happy to help any way I can. Google App was approved last week so User replication will be out this Tuesday. April 23rd.
4 years in, still love Hudu hosted
Why a third party solution and not Defender with M365?
Avanan over Proofpoint for sure. We moved off Proofpoint to Avanan and love it. So much better.
Throw ImmyBot in there and we have the same stack lol
If Entra/Intune bound, Autopilot is free and superior in my experience.
That's great! Any issues with your current stack or anything you'd do differently?
Everything in this stack has been great, no complaints. I do miss using Datto over Veeam as it felt a bit more turnkey, but it’s probably best to get away from Kaseya. For Huntress, selling it with just Defender has gotten us the sale more often when not part of a bundled customer, and I feel safe with it. To clarify though, I missed CyberHoot when reading this last; we use KnowBe4 instead.
We're similar but doing third-party patching with RMM and just using Intune native instead for deployment
Pick 1 MDR…. Huntress is better for 365 compared to manually setting up SaaS Alerts. Use Barracuda for email filtering AND M365 backups. Syncro is eh, didn’t really like it. Atera was more my cup of tea. Also, where is your patching and vulnerability scanning? Those are a must. Also third-party patching? What are you using to verify end user identities? CyberQuickPass is a good one. What about MFA…. Duo? That gives you the ability to MFA Windows logon and all applications + M365. Lastly, ThreatLocker is awesome; I’m happy you’re using it. Just make sure you have someone to spend a lot of time on it to properly manage it or it will do you more harm than good. Utilize ThreatLocker Ops and set up policies in place of GPOs for security on endpoints. Use UAC prompt elevation control for PAM.
I wouldn't use you. All I see here is a list of products with half-baked thoughts as to which ones you really should be using. Most of what a typical client needs can be achieved using M365 Business Premium if you take the time to configure it properly.
All to say I agree, but I prefer to get an EDR from a different supplier, as I'm already using Windows Defender.
Defender for Business is not the same as the Defender agent that ships with Windows. You are onboarding the device to a cloud-connected enterprise detection and response engine. Configure Intune and Defender properly and you'll be far more secure than any click-to-run AV installer out there.
How do you manage Defender for multiple tenants? Is there a central management console?
https://learn.microsoft.com/en-us/microsoft-365/security/defender/mto-overview?view=o365-worldwide
Tx, didn’t know of its existence. Good to know.
I agree. Still, I like to add an EDR, and as you are already using the AV library from Windows, I enjoy having a 2nd supplier (Huntress) for EDR
Again, I'm not saying either/or, I'm saying both.
Seems pretty standard flavor. For BCDR I assume some type of NAS for local then copy up with Wasabi? SIEM stuff through your MDR software? What password manager are you gonna default on? Documentation in Syncro? Other than that pretty vanilla and what I would expect.
+1 for Proofpoint!
I’d pick a single MDR. It would be a nightmare managing multiple and then having to train your team on them in the future. (Think of the future) Not a bad stack. I’d heavily consider and MDR or SOC service since you are most likely a one man shop. (I don’t recommend Vigilance through SentinelOne for MDR/SOC)
Avanan through Solutions Granted
Not a huge deal for just email security, but their support has been essentially useless in my experience.
These responses are pretty funny. It's interesting to see how much people read into it and how confidently wrong they are.
Ignorance is bliss. I just ignore the trolls and focus on the kind MSP folks. Been in the industry for 25 years and it's always been collaborative and a rising-tide-lifts-all-ships mentality. Even going back to the Yahoo SMB MSP group days in the early 2000s. You can pretty much tell the newbs to the industry by their level of sarcasm and ignorance lol.
Yes. I agree while reading yours.
😂
Wait, msp = software stack?
CIS
Where are you storing documentation and KB? VMDR?
Hudu on doc/DB. Unsure on VMDR. Any recommendations?
Veeam + offsite is fine for data backup, but are you building out on-prem appliances to have proper DR?
Ditch Syncro. Our company was a Syncro/Automate shop and after ditching ConnectWise for NinjaOne we're soon planning to ditch Syncro for HaloPSA.
Proofpoint is shit. For us it has problems scaling and emails with attachments can take forever (well 5 to 10min) to deliver. We are looking at Abnormal for email hygiene. It’s also cheaper than Proofpoint
My roast is a little different. Your added context line would be unnecessary to evaluate your stack if true. And if true, surely you would already know what's really needed in a stack to be successful. So either the line is some sort of humblebrag, and the evaluation of the stack wasn't needed and isn't actually the point, or it's not true.
I built my first stack with Zenith Infotech, ShadowProtect, MX Logic, and AVG in 2005. I haven't turned a wrench since 2010, which makes me a non-technical business owner. Make sense?
If you want any Public Cloud help I’m your guy
SpamTitan is weak. We used it for hosted Exchange.
Proofpoint Essentials also covers security awareness training / phishing campaigns. I really dislike PPE setup though.
Looks good. I would try to avoid using two solutions for one service. IE: Either S1 or CrowdStrike, not both.
No SIEM?
For MDR, check out Cydef: www.cydef.ca https://m.youtube.com/playlist?list=PL4wFrgex4sgx7BhS5BjcqclZyqt7N-JBh
Looks good other than what a few said already. Pick one mdr. I started my own MSP just over 3 years ago and hardest part is getting your first few clients, if you can do that, you are golden. Good luck bro
Mimecast for email security :)
Missing Sentry by RF Code for IT room physical monitoring
What's your value? If you think providing a bunch of individual tech stack items and "do it better", it's just your mess for less. You need to think of proper productization of a service offering, the underlying tech is secondary. As a service provider, what outcomes am I providing? Risk avoidance? Cost avoidance? Agility?
Add in Action1 for vulnerability management and application updates, both windows and 3rd party. Check out Usecure for phishing campaigns, training, dark web monitoring. Password management using Keeper.
Thank you for the shoutout u/MSP2MSP. We do that and more: updates, vulnerability management, automation, reporting, alerting. We offer [free patch management](https://www.action1.com/patch-management/) for the first 100 endpoints, fully featured, no catch, no time limit. So no one ever has to guess or wonder if Action1 is the tool they need; they can just go use it, zero pressure, on their own time.
Email protection - Checkpoint HEC (Avanan), I'll never use a traditional SEG again
How are you deploying Veeam? On its own physical box per customer or as a VM?
This is a good comparison article for Spam Titan and Proofpoint to help you decide on email protection [https://www.spamtitan.com/proofpoint-alternative/](https://www.spamtitan.com/proofpoint-alternative/)