Arista NDR Valuable Features

JG
Head of Information Security at an engineering company with 10,001+ employees

The query language that they have is quite valuable, especially because the sensor itself is storing some network activity and we're able to query that. That has been useful in a pinch because we don't necessarily use it just for threat hunting, but we also use it for debugging network issues. We can use it to ask questions and get answers about our network. For example: Which users and devices are using the VPN for RDP access? We can write a query pretty quickly and get an answer for that.

It provides us with the base level of what we would hope can be obtained from monitoring encrypted traffic, things like TLS and SNI. We get to see which supposed hosts they're trying to hit. And we get the metadata around encrypted traffic. Awake, as I understand it, does have heuristics and alerts for that. It's good to see that in place because some of the other products we've seen don't handle encrypted traffic well. Whereas no one can truly look deeply into encrypted traffic, what we've seen from Awake is that it is at least looking at the metadata and analyzing the metadata of encrypted traffic, and that's useful.

CG
Chief Technology Officer at a financial services firm with 11-50 employees

It's much easier to create your own queries and hunt for threats. Darktrace's language is more challenging, and it's almost like you have to learn Darktrace's methodology to decipher it. When I create a workbench query in Awake to do threat hunting, it's much easier to query. You get a dictionary popup immediately when you try to type a new query. It says, "You want to search for a device?" Then you type in "D-E," and it gives you a list of commands, like device, data set behavior, etc. That gives you the ability to build your own query. Gathering PCAPs is also quite practical and more straightforward, and so is tweaking the adversarial models. With Darktrace, it was tough to do. If you go to another serial model and want to clone it, then edit it and disable the old one, you can do it easily.

We have Palo Altos to decrypt traffic. I have all traffic going in and out via Awake, which can decrypt the traffic. However, Awake doesn't need to decrypt because it can analyze encrypted traffic to get a sense of what it might be. What I find helpful is that Awake can tell me when encrypted files might contain passwords. There is an adversarial model for that, which is great when someone tells me that there are two files with passwords, but the Awake and DR team already has an open ticket for this. They look for files that have "passwords" in the filename.

That allows me to reach out to the user and tell him that I noticed a file containing passwords, and it's not password-protected. When they password-protect the file, the Awake team still highlights that as a risk, but then writes to them and says a password now protects the password file, and even though it is a password file, it is encrypted. So if you try to open it, you have to decrypt it with a password. Then we tweak the model to prevent that model from being triggered for that specific filename.

DS
Senior Systems Engineer at WealthCounsel, LLC

The most valuable aspect is their managed services. They do such a good job and they enable us to provide a good level of network security, even with our small team size.

The interface itself is clean and easy to use, yet customizable. I like that I can create my own dashboards fairly easily so that I can see what is important to me. Also, the query language is pretty easy to use. I haven't needed to use it a ton, but as I need to go in and do different queries based on their requests, it has been fairly simple to use. It reminds me of other query languages. I use Splunk a lot and it's similar to that, so I didn't have to relearn a lot.

In addition, at this point, the false positive rate is pretty good. Of course, initially, as it was learning our systems, what traffic was coming in and going out, it was fairly high, although not excessively. But as we've added to our list of known IPs and gone through testing systems, we have marked them. Now, I don't get alerted to anything from their managed resources unless it really is a remote attack. I don't see any false positives for our internal traffic anymore.

The expertise of the Awake team across threat hunting and incident response has been pretty good. We have regular meetings with them to go over any issues they've found. I receive emails when they detect any issues and have questions about them. We try to keep them up to date on our infrastructure, IPs, and hostnames. With that information, they can reduce their false positives, so they're not notifying me needlessly. I don't think I've ever received a false positive from their team. With that information, while there have always been issues, they haven't been serious issues. There have always been malicious actors or other factors that were trying to hit us, or we had set up a scanner that I failed to inform them about. They notified me about the scanner and I let them know that, yes, this is an approved scanner that we've employed, and they added it to their list. They've done a really good job.

Buyer's Guide
Arista NDR
April 2024
Learn what your peers think about Arista NDR. Get advice and tips from experienced pros sharing their opinions. Updated: April 2024.
767,995 professionals have used our research since 2012.
DS
Senior Analyst Security and Compliance at an insurance company with 5,001-10,000 employees

Awake Labs managed network detection and response (MNDR) service is its most valuable feature. The Awake Security team finds incidents that we didn't realize were happening in the environment. Due to our cloud-first approach and outsourcing to managed services, a Tor beacon was observed by the Awake Security team. Files were being uploaded from one of our MSPs.

I am impressed with the solution’s EntityIQ, which is its AI-based security knowledge graph, in terms of its ability to identify and profile. We evaluated other vendors and were really poking at the AI. Not everyone does AI or machine learning the same way. Awake Security's model is unique in the way that they do their AI with their entities.

EE
Chief Information Security Officer at Dolby Laboratories

We definitely have machines that might not lend themselves to having endpoint security agents on them, either because they can't support an agent or they're testing devices that have very critical configurations that an agent might have a negative impact on. Being able to monitor traffic to and from those devices over the network is definitely preferable and really the only way to do it, to not have a negative performance impact on those machines.

That could be IoT devices. It could be test devices of early-stage prototypes. Being able to understand the traffic coming to and from those devices using Awake has been a big deal for us because it wasn't something we were able to do before with any other technologies.

The security knowledge graph has been very helpful in the sense that whenever you try a new security solution, especially one that's in the detection and response market, you're always worried about getting a lot of false positives or getting too many alerts and not being able to pick out the good from the bad or things that are actual security incidents versus normal day to day operations. We've been pleasantly surprised that Awake does a really good job of only alerting about things that we actually want to look into and understand. They do a good job of understanding normal operations out-of-the-box.

Then for those things that we do want to mark as being normal operations, as opposed to security incidents, whenever we do configure those in the system, they never come up again. They do a good job of weeding those out. We're not actually getting that many alerts from the system and when they do come up, they are definitely things that we want to look at. It's been good. It didn't take us very long to get to that point. From day one of the POC, we were seeing things that we wanted to look at and we weren't looking at a lot of false positives.

The data science capabilities of Awake are a big reason why the false positive rates are so low. The data science side really gives Awake the ability to spot things that are out of the norm. Whether it be IoT devices or devices that are hard to have a standard profile for, it does a good job of figuring out what's out of the norm for that type of device or the type of traffic that would typically come from that device.

The encrypted traffic analyses are a key part because encryption has become the de facto standard for all network traffic, even internal traffic. One of the biggest challenges for security teams over the last five years is that we have more and more encrypted traffic - rightly so - to help protect those data streams, but because of that, it makes it hard to have visibility into that traffic. Awake has the ability to understand encrypted traffic and capture parts of traffic that we want to look at more closely while at the same time having very little impact on that traffic because it's sitting on the side and viewing that traffic without being in front of it and having a negative impact on it.

That was a big deal for us because if you have to decrypt traffic and pull traffic offline and store it, that creates a lot of other privacy and security problems that most teams don't want to get into. Being able to have something in place that can evaluate encrypted traffic is really important now.

Awake Security provides us with better situational awareness. First and foremost in security, the first step is to gain visibility. The nice thing with Awake is that it will give visibility into environments that you likely don't have visibility into today. Part of that visibility is going to increase your situational awareness and start to understand the normal versus the abnormal for that environment.

We have better situational awareness by 25 to 50% but I think a lot of that depends on what your internal network architecture looks like. I think security groups always struggle with how to gain visibility over internal networks. We do pretty good at endpoints and pretty good at the edge, but internal network flow is always a challenge. Depending on how your network is set up, you can gain as much visibility as you'd like using Awake.

JC
Chief Security Officer

The most valuable feature is the ability to see suspicious activity for devices inside my network. It helps me to quickly identify that activity and do analysis to see if it's expected or I need to mitigate that activity quickly. One of the best use cases was when we knew that one of our vendors that came into our site had a ransomware event at their corporation. I was able to quickly find his device using the Awake system and determine that there was no threat in our system. Something like that usually would have taken four to five hours. It took me about five minutes.

Also, the Security Knowledge Graph is a display of the devices and the activities that we see. It doesn't use a heat map but it uses the size of a bubble - a circle representing a device that's probably highest on the threat list - and shows what all the connections are. That provides a great visual, at a glance, of what's going on in my environment at any one time. I really like that feature.

I use the solution to identify and assess IoT solutions, if they connect to our network. The guest network is the best example. People use the guest network to connect to the thermostat or their Apple Watch. I can see that activity. If it's a network IoT type of thing, like a call system or Amazon Echo, I'm going to see that activity on our network and Awake should be able to call that up pretty quickly.

GF
Chief Security Officer at a university with 1,001-5,000 employees

The most valuable portion is that they offer a threat-hunting service. Using their platform, and all of the data that they're collecting, they actually help us be proactive by having really expert folks that have insight, not just into our accounts, but into other accounts as well. They can be proactive and say, "Well, we saw this incident at some other customer. We ran that same kind of analysis for you and we didn't see that type of activity in your network." If there's a major vulnerability or breach or something that makes the news, they give us that peace of mind by saying, "Yes, for sure, we saw it," or "No, for sure, we didn't see it."

Awake moves away from traditional alerts and instead focuses our team on the entities that pose the highest risks to our environment. We have other tools in our environment that help us monitor for specific kinds of attacks or executive-level accounts with UEBA or other technologies. What this solution gives us is that insight into the network to see, when we've done a packet capture, that this is just an email to a family member and not a malicious activity like we would have assumed if we got that alert from some other monitoring system. It provides that extra level of insight that we'd otherwise be missing.

In addition, the EntityIQ, its AI-based Security Knowledge Graph, was one of the big features that drew us to the product. With the competitors that we looked at, it was very difficult to find out who someone was. We would have to go to other systems to correlate and say, "Okay, well, this was a user and they had access to these machines, but someone else logged on to this machine at a certain time." The value of EntityIQ is huge. It reduces the amount of investigation time, and it helps us correlate events faster and be more responsive. A lot of vendors have tried to do something like that, and it seems like Awake has gotten it right.

While we don't do decryptions, it's still valuable to have insight into the metadata to know where people were going if they match against threat-list IP addresses. It's also valuable just to know the size or length of certain sessions. It's very different if it was just one packet versus hours-long, data-exfiltration-type activity where we can see a lot of data was downloaded. We're also very concerned about privacy, being at a university. So being able to provide some level of insight, even with an encryption, is really important.

CH
CISO at an insurance company with 1,001-5,000 employees

The portion that I use the most is the Adversarial Modeling trend. This threat graphing is probably the most useful feature that we have right now. It displays the data that Awake collects in a very easy-to-read and understandable manner. This is compared to other tools in this similar space, where I found the learning curve and the ability to understand what those tools were analyzing and reporting difficult because it took a bit more time to learn how they reported.

The data science capabilities of this solution are good. It provides relative correlations. It seems to be very accurate in its detection based on the data science that it runs. Compared to other tools, it seems to be much easier with its machine learning aspects.

This solution’s encrypted traffic analysis is good. Every time I have needed to retrieve data for decryption, it was available.

RP
Senior Security Engineer at a pharma/biotech company with 1,001-5,000 employees
  • I really enjoy the query language on it. It makes it very easy.
  • The dashboards and displays are very intuitive.

The query language makes it easy to query the records on the network, to do searches for the various threat activities that we're looking for. The dashboard, the Security Knowledge Graph, displays information meaningfully and easily. I am able to find the information that I want to find pretty quickly.

Also, the data science capabilities of the solution are great. We aren't currently using it, but the behavior-based machine learning that they do incorporate is really impressive. It's the primary reason why we picked up the product. It gives us high-fidelity, anomaly-based detections.

DV
Director of Projects and IT at a healthcare company with 201-500 employees

We got a couple of things out of it that we were looking for. First, it gives us something that is almost like an auditing tool for all of our network controls, to see how they are performing. This is related to compliance so that we can see how we are doing with what we have already implemented. There are things that we had implemented, but we really didn't know if they were working or not. We have that visibility now.

The second thing we were looking to do is to improve on the things that we were not aware of, that we didn't see before. Awake is an additional tool in our defense system, obviously not the only one, but it broadens our security posture and I believe it has also raised our security maturity.

We also use the EntityIQ feature and it is valuable. The user interface is very approachable and easy to navigate. But when it comes to getting deeper into it, creating more of the rules or recipes, we leave that to them. We just explain to them what we want to see and they create it for us.

MD
Head of Cyber Threat Operations at an energy/utilities company with 1,001-5,000 employees

There are quite a few valuable features. The most valuable aspect of the tech is the fact that it's like a "force-multiplier." It will reduce the amount of time and effort it takes to triage a potential compromise.

That's important because, in everyday slang, time is money. If you've ever done a business-impact analysis — business continuity — if an attacker can reduce the confidentiality, integrity, or availability of a given system, it will have a financial impact. The quicker you can eliminate or mitigate the compromise, or avoid it altogether, the less money you are looking at spending to recover from a hack. If you can discover it, and detect it, and prevent it before the attack is successful, you actually have a return on investment.

The Security Knowledge Graph tries to centralize things that are notable in the environment. Awake uses a lot of AI and ML to bring to an analyst's attention things that should be of concern. It reduces the amount of searching that an analyst has to do to find notable events or devices. It collates all that and it puts it in one spot. So if you have a device that is beaconing out to a malicious IP, to download malware or the like, Awake will see that and it will alert the analyst right away, rather than the analyst trying to find it in aggregate data.

The data science capabilities of Awake Security are very strong. For a network traffic-analysis platform, it's definitely the best in industry. Vectra AI and Darktrace do similar things, but they don't leverage the math the same way that Awake does.

As for the solution’s encrypted traffic analysis, encrypted traffic is the next nut to crack in logging and monitoring. What they're trying to look for are different cipher suites that can be used to encrypt potentially malicious traffic. It's trying to do something that no one else is really doing.

The solution helps us monitor devices used on our network by insiders, contractors, partners, and suppliers. That's the "meat and potatoes" of what the technology does. If there's a device on the network, it doesn't matter who it's owned by. If it's on the network Awake will see it.

Finally, the cloud TAPs for visibility into cloud infrastructure are 100 percent necessary. I don't know how else you're going to see it.

KL
Director of Information Security at a computer software company with 201-500 employees

What is impressive about the tool is the time to value. Plugging it onto our network, we have found things that other tools have just never seen. We found those issues quickly and were able to action against those issues, remediating them quickly. I don't know another product that delivers as much value so quickly.

I have the tool set up to alert, be able to look at things, and put things together graphically. This helps to understand the fingerprints of the device, what the device has done, where it's been, and what it's doing on my network. It really gives me a high assurance that my security posture will remain intact.

I have it now integrated into our security incident and event management (SIEM) tool, so I am able to correlate events across my network using Awake as my front-end or my first line of defense. Then, I can also pull in the Awake information and use that to pivot across to other sources within our environment, whether that be enterprise detection and response at the endpoint level or security orchestration and response.

Awake's Security Knowledge Graph is incredible in terms of a couple of things:

  1. The system is laid out very easily for me to utilize.
  2. I find it comforting if I look at the DNA of the Awake security staff. All of them are deep and wide, in terms of their experiences. You have ex-Mandiant folks along with ex-US military folks who have been through serious cyber situations and assisted large companies, if not governmental organizations. They have seen these threats in the wild. They know how to deal with these threats. Moreover, on weekly calls, they are notifying or diving deep into areas that we might have missed.

MA
Senior Network Consultant at a tech services company with 11-50 employees

The solution enables us to see every action in their network in the dashboard. They can take action automatically or manually if there are suspicious things in the network.

There is no need for additional sensors. You can directly use Arista hardware in your network. It is easy to manage.

TA
Systems Engineer at a tech services company with 11-50 employees

Arista NDR's scalability is very good, making it easy to add more hardware components. You can order additional hardware and integrate it by stacking it with the existing setup. This feature cannot be seen in other NDR tools.

We conducted a proof of value for one of our customers with Arista NDR. In comparison to other NDR solutions, our customer found that Arista NDR provided detailed information that other vendors couldn't match. While I can't speak for all NDR solutions, based on our feedback and customer satisfaction, Arista NDR stands out. It offers enhanced visibility and gathers richer details, making our customers more satisfied with the results.

The tool's real-time traffic analysis helps my clients improve security.
