Arista NDR Valuable Features
Chief Technology Officer at a financial services firm with 11-50 employees
It's much easier to create your own queries and hunt for threats. Darktrace's language is more challenging, and it's almost like you have to learn Darktrace's methodology to decipher it. When I create a workbench query in Awake to do threat hunting, it's much easier to query. You get a dictionary popup immediately when you try to type a new query. It says, "You want to search for a device?" Then you type in "D-E," and it gives you a list of commands, like device, data set behavior, etc. That gives you the ability to build your own query. Gathering PCAPs is also quite practical and more straightforward— tweaking the adversarial models, too. With Darktrace, it was tough to do. If you go to another serial model and want to clone it, then edit it and disable the old one, you can do it easily.
We have Palo Altos to decrypt traffic. I have all traffic going in and out via Awake, which can decrypt the traffic. However, Awake doesn't need to decrypt because it can analyze encrypted traffic to get a sense of what it might be. What I find helpful is that Awake can tell me when encrypted files might contain passwords. There is an adversarial model for that, which is great when someone tells me that there are two files with passwords, but the Awake and DR team already has an open ticket for this. They look for files that have "passwords" in the filename.
That allows me to reach out to the user and tell him that I noticed a file containing passwords, and it's not password-protected. When they password-protect the file, the Awake team still highlights that as a risk but then write to them and say a password now protects the password file, and even though it is a password file, it is encrypted. So if you try to open it, you have to decrypt it with a password. Then we tweak the model to prevent that model from being triggered for that specific filename.
Head of Information Security at an engineering company with 10,001+ employees
The query language that they have is quite valuable, especially because the sensor itself is storing some network activity and we're able to query that. That has been useful in a pinch because we don't necessarily use it just for threat hunting, but we also use it for debugging network issues. We can use it to ask questions and get answers about our network. For example: Which users and devices are using the VPN for RDP access? We can write a query pretty quickly and get an answer for that.
It provides us with the base level of what we would hope can be obtained from monitoring encrypted traffic, things like TLS and SNI. We get to see which supposed hosts they're trying to hit. And we get the metadata around encrypted traffic. Awake, as I understand it, does have heuristics and alerts for that. It's good to see that in place because some of the other products we've seen don't handle encrypted traffic well. Whereas no one can truly look deeply into encrypted traffic, what we've seen from Awake is that it is at least looking at the metadata and analyzing the metadata of encrypted traffic, and that's useful.
We definitely have machines that might not lend themselves to having endpoint security agents on them, either because they can't support an agent or they're testing devices that have very critical configurations that an agent might have a negative impact on. Being able to monitor traffic to and from those devices over the network is definitely preferable and really the only way to do it, to not have a negative performance impact on those machines.
That could be IoT devices. It could be test devices of early-stage prototypes. Being able to understand the traffic coming to and from those devices using Awake has been a big deal for us because it wasn't something we were able to do before with any other technologies.
The security knowledge graph has been very helpful in the sense that whenever you try a new security solution, especially one that's in the detection and response market, you're always worried about getting a lot of false positives or getting too many alerts and not being able to pick out the good from the bad or things that are actual security incidents versus normal day-to-day operations. We've been pleasantly surprised that Awake does a really good job of only alerting about things that we actually want to look into and understand. They do a good job of understanding normal operations out of the box.
Then for those things that we do want to mark as being normal operations, as opposed to security incidents, whenever we do configure those in the system, they never come up again. They do a good job of weeding those out. We're not actually getting that many alerts from the system and when they do come up, they are definitely things that we want to look at. It's been good. It didn't take us very long to get to that point. From day one of the POC, we were seeing things that we wanted to look at and we weren't looking at a lot of false positives.
The data science capabilities of Awake are a big reason why the false positive rates are so low. The data science side really gives Awake the ability to spot things that are out of the norm. Whether it be IoT devices or devices that are hard to have a standard profile for, it does a good job of figuring out what's out of the norm for that type of device or the type of traffic that would typically come from that device.
The encrypted traffic analyses are a key part because encryption has become the de facto standard for all network traffic, even internal traffic. One of the biggest challenges for security teams over the last five years is that we have more and more encrypted traffic - rightly so - to help protect those data streams, but because of that, it makes it hard to have visibility into that traffic. Awake has the ability to understand encrypted traffic and capture parts of traffic that we want to look at more closely while at the same time having very little impact on that traffic because it's sitting on the side and viewing that traffic without being in front of it and having a negative impact on it.
That was a big deal for us because if you have to decrypt traffic and pull traffic offline and store it, that creates a lot of other privacy and security problems that most teams don't want to get into. Being able to have something in place that can evaluate encrypted traffic is really important now.
Awake Security provides us with better situational awareness. First and foremost in security, the first step is to gain visibility. The nice thing with Awake is that it will give visibility into environments that you likely don't have visibility into today. Part of that visibility is going to increase your situational awareness and start to understand the normal versus the abnormal for that environment.
We have better situational awareness by 25 to 50% but I think a lot of that depends on what your internal network architecture looks like. I think security groups always struggle with how to gain visibility over internal networks. We do pretty good at endpoints and pretty good at the edge, but internal network flow is always a challenge. Depending on how your network is set up, you can gain as much visibility as you'd like using Awake.
Chief Security Officer at a university with 1,001-5,000 employees
The most valuable portion is that they offer a threat-hunting service. Using their platform, and all of the data that they're collecting, they actually help us be proactive by having really expert folks that have insight, not just into our accounts, but into other accounts as well. They can be proactive and say, "Well, we saw this incident at some other customer. We ran that same kind of analysis for you and we didn't see that type of activity in your network." If there's a major vulnerability or breach or something that makes the news, they give us that peace of mind by saying, "Yes, for sure, we saw it," or "No, for sure, we didn't see it."
Awake moves away from traditional alerts and instead focuses our team on the entities that pose the highest risks to our environment. We have other tools in our environment that help us monitor for specific kinds of attacks or executive-level accounts with UEBA or other technologies. What this solution gives us is that insight into the network to see, when we've done a packet capture, that this is just an email to a family member and not a malicious activity like we would have assumed if we got that alert from some other monitoring system. It provides that extra level of insight that we'd otherwise be missing.
In addition, the EntityIQ, its AI-based Security Knowledge Graph, was one of the big features that drew us to the product. With the competitors that we looked at, it was very difficult to find out who someone was. We would have to go to other systems to correlate and say, "Okay, well, this was a user and they had access to these machines, but someone else logged on to this machine at a certain time." The value of EntityIQ is huge. It reduces the amount of investigation time, and it helps us correlate events faster and be more responsive. A lot of vendors have tried to do something like that, and it seems like Awake has gotten it right.
While we don't do decryptions, it's still valuable to have insight into the metadata to know where people were going if they match against threat-list IP addresses. It's also valuable just to know the size or length of certain sessions. It's very different if it was just one packet versus hours-long, data-exfiltration-type activity where we can see a lot of data was downloaded. We're also very concerned about privacy, being at a university. So being able to provide some level of insight, even with an encryption, is really important.
The most valuable aspect is their managed services. They do such a good job and they enable us to provide a good level of network security, even with our small team size.
The interface itself is clean and easy to use, yet customizable. I like that I can create my own dashboards fairly easily so that I can see what is important to me. Also, the query language is pretty easy to use. I haven't needed to use it a ton, but as I need to go in and do different queries based on their requests, it has been fairly simple to use. It reminds me of other query languages. I use Splunk a lot and it's similar to that, so I didn't have to relearn a lot.
In addition, at this point, the false positive rate is pretty good. Of course, initially, as it was learning our systems, what traffic was coming in and going out, it was fairly high, although not excessively. But as we've added to our list of known IPs and gone through testing systems, we have marked them. Now, I don't get alerted to anything from their managed resources unless it really is a remote attack. I don't see any false positives for our internal traffic any more.
The expertise of the Awake team across threat hunting and incident response has been pretty good. We have regular meetings with them to go over any issues they've found. I receive emails when they detect any issues and have questions about them. We try to keep them up to date on our infrastructure, IPs, and hostnames. With that information, they can reduce their false positives, so they're not notifying me needlessly. I don't think I've ever received a false positive from their team. With that information, while there have always been issues, they haven't been serious issues. There have always been malicious actors or other factors that were trying to hit us, or we had set up a scanner that I failed to inform them about. They notified me about the scanner and I let them know that, yes, this is an approved scanner that we've employed, and they added it to their list. They've done a really good job.
Director of Projects and IT at a healthcare company with 201-500 employees
We got a couple of things out of it that we were looking for. First, it gives us something that is almost like an auditing tool for all of our network controls, to see how they are performing. This is related to compliance so that we can see how we are doing with what we have already implemented. There are things that we had implemented, but we really didn't know if they were working or not. We have that visibility now.
The second thing we were looking to do is to improve on the things that we were not aware of, that we didn't see before. Awake is an additional tool in our defense system, obviously not the only one, but it broadens our security posture and I believe it has also raised our security maturity.
We also use the EntityIQ feature and it is valuable. The user interface is very approachable and easy to navigate. But when it comes to getting deeper into it, creating more of the rules or recipes, we leave that to them. We just explain to them what we want to see and they create it for us.
Awake Labs managed network detection and response (MNDR) service is its most valuable feature. The Awake Security team finds incidents that we didn't realize were happening in the environment. Due to our cloud-first approach and outsourcing to managed services, a Tor beacon was observed by the Awake Security team. Files were being uploaded from one of our MSPs.
I am impressed with the solution's EntityIQ, which is its AI-based security knowledge graph, in terms of its ability to identify and profile. We evaluated other vendors and were really poking at the AI. Not everyone does AI or machine learning the same way. Awake Security's model is unique in the way that they do their AI with their entities.