Post-Webinar Thoughts on Huntress’ M365 MDR

MSP | 0 comments

Edit 2024-02-12: I am going to leave this post up, but at this point you really ought to find some newer and more relevant information.

All edits on 2023-10-10.

Edit: it’s definitely a SOC.

Some initial analysis on their newly announced product:

An MDR/SOC solution for 365 is very attractive right now, if I know that it works, but I don’t know that: Huntress didn’t provide any objective data that their protection works.

Huntress never fails to put on an engaging marketing event: that includes their ability to dig into technical details of attacks, and narratives, instead of a focus on their service or tool.

Kyle also didn’t inspire a lot of confidence that their MDR is fully baked. To dig in for a moment: I really don’t understand how they can possibly have 486 incidents across 730k users[1], that seems impossibly low. With about 2m events per day that is 0.000162 events per day. I went back to re-listen and this is what they said, “[we] went back and checked these numbers right before we went live.”

I also don’t understand how it is different than Rocket Cyber (Edit: the Huntress tool is a SOC.). I wished I had dug into that. That matters quite a bit: RC’s SOC is more proactive in remediation across a much wider range of tools.[2] It’s not clear why Huntress’ SOC would be any better and could be worse. RC is also a quasi-SIEM, which Huntress clearly is not.

Some of the things that were missing are important. They can’t block any logins. They don’t support geo-fencing (and unreasonably dump on the idea). MFA isn’t in the reports.

Their response appears to be limited:

Question: What are some remediation steps that Huntress can take in M365?

Answer: A Huntress analyst can disable and lock an account without partner intervention. We can also provide an assisted remediation to remove malicious inbox rules. We also provide manual remediation steps beyond that to kick out threat actors.
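The “malicious inbox rules” in that answer are the mailbox rules commonly left behind after a business-email compromise: forward or redirect to an outside address, delete or mark the message as read, hide it in an unlikely folder, and match subjects such as invoices or password resets. As an added example, not Huntress code and not part of the original post, here is a small defender-side triage script that scores a JSON export of inbox rules for those patterns. The field names follow what Exchange Online’s Get-InboxRule cmdlet returns; the tenant domain, folder list, keyword list and the three sample rules are constructed assumptions.

```python
"""Triage Exchange Online inbox rules for common business-email-compromise patterns.

Added example (not Huntress code, not from the original post). Assumes a JSON
export whose keys mirror Get-InboxRule properties; all sample values are made up.
"""
import json
import re

# Constructed sample: three rules on one mailbox, shaped like a Get-InboxRule export.
SAMPLE_RULES_JSON = json.dumps([
    {"MailboxOwnerId": "alice@example.com", "Name": "Newsletters", "Enabled": True,
     "ForwardTo": [], "RedirectTo": [], "DeleteMessage": False, "MarkAsRead": False,
     "MoveToFolder": "Newsletters", "SubjectContainsWords": ["newsletter"]},
    {"MailboxOwnerId": "alice@example.com", "Name": ".", "Enabled": True,
     "ForwardTo": ['"a" [SMTP:drop@attacker-example.net]'], "RedirectTo": [],
     "DeleteMessage": True, "MarkAsRead": True,
     "MoveToFolder": "RSS Subscriptions",
     "SubjectContainsWords": ["invoice", "wire", "password"]},
    {"MailboxOwnerId": "alice@example.com", "Name": "Copy to assistant", "Enabled": True,
     "ForwardTo": ['"Bob" [SMTP:bob@example.com]'], "RedirectTo": [],
     "DeleteMessage": False, "MarkAsRead": False,
     "MoveToFolder": None, "SubjectContainsWords": []},
])

INTERNAL_DOMAINS = {"example.com"}  # assumption: the tenant's accepted domains
# Folders attackers pick because users rarely open them (assumed list).
HIDDEN_FOLDERS = {"rss subscriptions", "rss feeds", "conversation history",
                  "junk email", "deleted items", "archive"}
# Subject words that point at payment fraud or credential theft (assumed list).
SENSITIVE_WORDS = {"invoice", "payment", "wire", "bank", "password", "mfa", "verification"}
_SMTP_RE = re.compile(r"SMTP:([^\]\s]+)", re.IGNORECASE)


def recipient_addresses(values):
    """Pull SMTP addresses out of Get-InboxRule style recipient strings."""
    addresses = []
    for value in values or []:
        match = _SMTP_RE.search(value)
        addresses.append((match.group(1) if match else value).lower())
    return addresses


def is_external(address, internal_domains):
    """True when the address's domain is not one of the tenant's own domains."""
    return address.rsplit("@", 1)[-1] not in internal_domains


def rule_findings(rule, internal_domains=INTERNAL_DOMAINS):
    """Return the list of reasons a single rule looks like BEC tradecraft."""
    reasons = []
    targets = (recipient_addresses(rule.get("ForwardTo"))
               + recipient_addresses(rule.get("RedirectTo"))
               + recipient_addresses(rule.get("ForwardAsAttachmentTo")))
    if any(is_external(a, internal_domains) for a in targets):
        reasons.append("forwards-externally")
    if rule.get("DeleteMessage"):
        reasons.append("deletes-messages")
    if rule.get("MarkAsRead"):
        reasons.append("marks-as-read")
    folder = (rule.get("MoveToFolder") or "").lower()
    if folder in HIDDEN_FOLDERS:
        reasons.append("moves-to-hidden-folder")
    # Names like "", "." or ".." are chosen to be overlooked in the rules list.
    if re.fullmatch(r"[\s\W]{0,2}", rule.get("Name") or ""):
        reasons.append("unobtrusive-name")
    words = {w.lower() for w in rule.get("SubjectContainsWords") or []}
    if words & SENSITIVE_WORDS:
        reasons.append("targets-sensitive-subjects")
    return reasons


def triage(rules_json, internal_domains=INTERNAL_DOMAINS):
    """Score every enabled rule; return findings with the worst rule first."""
    findings = []
    for rule in json.loads(rules_json):
        if not rule.get("Enabled", True):
            continue
        reasons = rule_findings(rule, internal_domains)
        if reasons:
            findings.append({"mailbox": rule.get("MailboxOwnerId"),
                             "rule": rule.get("Name"), "reasons": reasons})
    return sorted(findings, key=lambda f: len(f["reasons"]), reverse=True)


if __name__ == "__main__":
    for f in triage(SAMPLE_RULES_JSON):
        print(f"{f['mailbox']}  rule={f['rule']!r}  {', '.join(f['reasons'])}")
```

Run against the sample, only the “.” rule is reported, with all six reasons; the internal copy to a colleague is not flagged because the forward target stays inside the tenant’s domains. Any single reason is worth an analyst’s look, but an external forward combined with delete or hide is the combination that usually means an account is already compromised, which is why the output sorts by reason count.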

Is this MDR or quasi-MDR? (Edit: it’s definitely a SOC.)

To sum it up: I’m not sure how this is different from any other SOC, except for its brand name and narrow focus.

Edit: this last line was 100% accurate.

  1. In the comments Huntress (Josh) said, “730K *identities* includes a lot more than users!” but the slide clearly said “monitored users”.

     Edit: I later verified this number with Huntress directly. They defended it as accurate and appropriate, i.e., they caught most or all stuff.
  2. Edit: After RC’s most recent webinar I don’t know that it is more proactive. It does work with more tools.

