
Arista NDR Overview

Arista NDR is the #4 ranked solution in the top Network Detection and Response (NDR) tools and the #5 ranked solution in Network Traffic Analysis tools. PeerSpot users give Arista NDR an average rating of 8.6 out of 10. Arista NDR is most commonly compared to Darktrace: Arista NDR vs Darktrace. Arista NDR is popular among the large enterprise segment, accounting for 62% of users researching this solution on PeerSpot. The top industry researching this solution is professionals from computer software companies, accounting for 28% of all views.
Arista NDR Buyer's Guide

Download the Arista NDR Buyer's Guide including reviews and more. Updated: August 2022

What is Arista NDR?

Arista NDR (formerly Awake Security) is the only advanced network detection and response company that delivers answers, not alerts. By combining artificial intelligence with human expertise, Arista NDR hunts for both insider and external attacker behaviors, while providing autonomous triage and response with full forensics across traditional, IoT, and cloud networks. Arista NDR delivers continuous diagnostics for the entire enterprise threat landscape, processes countless network data points, senses abnormalities or threats, and reacts if necessary—all in a matter of seconds. The Arista NDR platform stands out from traditional security because it is designed to mimic the human brain. It recognizes malicious intent and learns over time, giving defenders greater visibility and insight into what threats exist and how to respond to them.

The Advent of Advanced Network Detection and Response & Why it Matters

The 5 Levels of Autonomous Security paper

Arista NDR was previously known as Awake Security Platform.

Arista NDR Customers

- Dolby Laboratories
- Seattle Genetics
- ARM Energy
- Ooma
- Prophix
- Yapstone


Archived Arista NDR Reviews (more than two years old)

Eric Etherington - PeerSpot reviewer
Chief Information Security Officer at Dolby Laboratories
Real User
Enables us to monitor lateral movement of traffic across sensitive networks
Pros and Cons
  • "The security knowledge graph has been very helpful in the sense that whenever you try a new security solution, especially one that's in the detection and response market, you're always worried about getting a lot of false positives or getting too many alerts and not being able to pick out the good from the bad or things that are actual security incidents versus normal day to day operations. We've been pleasantly surprised that Awake does a really good job of only alerting about things that we actually want to look into and understand. They do a good job of understanding normal operations out-of-the-box."
  • "They've been focused on really developing their data science, their ability to detect, but over time, they need to be able to tie into other systems because other systems might detect something that they don't."

What is our primary use case?

We use Awake Security to monitor internal networks. We monitor the lateral movement of traffic across sensitive networks.

How has it helped my organization?

The most valuable aspect for us is that we have a small team, so when we bring in new security solutions, it's really important that they're tuned well because there are only so many alerts that we're going to be able to deal with. If we put something in place that creates a massive amount of alerts, we're just not going to have the resources necessary to respond to all those. Putting something into place that can look at really sensitive internal networks and do it in a way that doesn't cause us to have to hire a number of additional resources to support that is really important. 

A lot of security teams underestimate the resourcing needed when you put new platforms in just to maintain, care, feed, and respond to the alerts that come from a new system. With Awake, it's very self-sufficient. The tool does a lot of the work and they even have managed services on top, if you need additional resourcing to help you deal with the alerts or configure the system more, that comes as part of the solution. You really put yourself in a situation where you're going to be successful quickly without having to scale your team.

It helps us stay in compliance with government regulations. As more privacy regulations come into effect, we definitely want to make sure that we're meeting privacy regulations both today and have the flexibility that if a new regulation comes out in the near future, we still have something in place that can keep us in compliance and we don't have to change our security architecture. Awake gives us the ability to detect and respond to security incidents while still protecting the privacy of that data.

We use Awake Security to identify and assess IoT solutions. All these technologies need to work on all types of devices, including early-stage and proprietary versions of prototypes of phones and tablets, and at the early stage, versions of new operating systems that come out on those devices. Obviously, those are situations where we wouldn't be able to have a standard security agent running in those environments, but we definitely want to understand if those devices are communicating outwardly to the types of things on the internet that you'd expect them to, or if there are any connections going back and forth to the internet that would be out of the norm for machines that have very strict testing scenarios around them, so it's very easy to understand.

We want to make sure that those devices are only communicating with a pretty strict set of use cases. Being able to understand the traffic coming to and from those devices is really important and using a network tool is really the only way to go.

Cloud TAPs for visibility into cloud infrastructure are something that all security teams need to be looking into. I think a lot of people have jumped to the cloud and realize that they don't have firewalls anymore. People tend to rely on security groups and access controls. As a result, security teams often lose visibility of the network traffic on the cloud that they may have had on-prem. It's not apples for apples. If you don't necessarily have the same security toolset, you can lose visibility. Having something like Awake on the cloud is definitely something people should start thinking about to be able to obtain that visibility.

What is most valuable?

We definitely have machines that might not lend themselves to having endpoint security agents on them, either because they can't support an agent or they're testing devices that have very critical configurations that an agent might have a negative impact on. Being able to monitor traffic to and from those devices over the network is definitely preferable and really the only way to do it, to not have a negative performance impact on those machines.

That could be IoT devices. It could be test devices of early-stage prototypes. Being able to understand the traffic coming to and from those devices using Awake has been a big deal for us because it wasn't something we were able to do before with any other technologies.

The security knowledge graph has been very helpful in the sense that whenever you try a new security solution, especially one that's in the detection and response market, you're always worried about getting a lot of false positives or getting too many alerts and not being able to pick out the good from the bad or things that are actual security incidents versus normal day to day operations. We've been pleasantly surprised that Awake does a really good job of only alerting about things that we actually want to look into and understand. They do a good job of understanding normal operations out-of-the-box.

Then for those things that we do want to mark as being normal operations, as opposed to security incidents, whenever we do configure those in the system, they never come up again. They do a good job of weeding those out. We're not actually getting that many alerts from the system and when they do come up, they are definitely things that we want to look at. It's been good. It didn't take us very long to get to that point. From day one of the POC, we were seeing things that we wanted to look at and we weren't looking at a lot of false positives.

The data science capabilities of Awake are a big reason why the false positive rates are so low. The data science side really gives Awake the ability to spot things that are out of the norm. Whether it be IoT devices or devices that are hard to have a standard profile for, it does a good job of figuring out what's out of the norm for that type of device or the type of traffic that would typically come from that device.

The encrypted traffic analyses are a key part because encryption has become the de facto standard for all network traffic, even internal traffic. One of the biggest challenges for security teams over the last five years is that we have more and more encrypted traffic - rightly so - to help protect those data streams, but because of that, it makes it hard to have visibility into that traffic. Awake has the ability to understand encrypted traffic and capture parts of traffic that we want to look at more closely while at the same time having very little impact on that traffic because it's sitting on the side and viewing that traffic without being in front of it and having a negative impact on it.

That was a big deal for us because if you have to decrypt traffic and pull traffic offline and store it, that creates a lot of other privacy and security problems that most teams don't want to get into. Being able to have something in place that can evaluate encrypted traffic is really important now.

Awake Security provides us with better situational awareness. First and foremost in security, the first step is to gain visibility. The nice thing with Awake is that it will give visibility into environments that you likely don't have visibility into today. Part of that visibility is going to increase your situational awareness and start to understand the normal versus the abnormal for that environment.

We have better situational awareness by 25 to 50% but I think a lot of that depends on what your internal network architecture looks like. I think security groups always struggle with how to gain visibility over internal networks. We do pretty good at endpoints and pretty good at the edge, but internal network flow is always a challenge. Depending on how your network is set up, you can gain as much visibility as you'd like using Awake.

What needs improvement?

It's important that Awake continues to develop its APIs to be able to help intertwine their product into the overall security architecture of a company, just because it is a single tool. Likely a company will have a number of tools in place that you want to be able to communicate and correlate events between and be able to pull actions and information from different security systems. Whenever I look at a new security solution today, their ability on the API side is always one of the first things we look at.

The great thing about Awake is that it has really solid visibility. You might get a detection that happens on a different platform, and one of the first things you want to do is ask the Awake system for more context around an alert because they do have visibility into encrypted traffic. Being able to ask questions of the Awake platform from other systems is really important.

They've been focused on really developing their data science, their ability to detect, but over time, they need to be able to tie into other systems because other systems might detect something that they don't.


For how long have I used the solution?

We've been a customer for around a year and a quarter now. We had been doing a POC with them for a few months before that, so about a year and a half total.

What do I think about the stability of the solution?

The stability has been rock solid. There have been updates on a regular cycle that are mostly feature updates. I haven't seen emergency bug fixes or notices from Awake that caused us to have to do emergency patches or pull the system down. It's been up 100% of the time, and it's just been a matter of us being aware when upgrades were scheduled. There was no downtime as a result.

What do I think about the scalability of the solution?

Scalability goes back to that design you have to do upfront to figure out what parts of the network you are most concerned about. If you do that work upfront, you can scale it as much as you want to. You should be thinking about how many devices you really need. In terms of scaling the devices and having a management console to do that, that part of it is pretty simple.

We have three people that interact with it on a regular basis. We have a Cyber Defense Manager and two incident response analysts that use it on a regular basis. We do a weekly call with Awake Security, where we review new detections that we might work with them on and that take time to develop or specific things that we might have been seeing in other parts of the environment that we want to make sure that they're aware of.

Our Cyber Defense Manager is more involved in the tuning of the device, and he talks to them on a weekly basis. Then the IR analysts are reviewing alerts on a daily basis or an as-needed basis as they come through. They're also involved in the weekly calls.

We use it in our locations with the most sensitive engineering-related use cases today. Not all of our locations, some of our locations. Our largest locations tend to have an engineering arm at those locations. That's where we focus the Awake devices today. So far, our deployment has been on-premise only, but we are starting to look at their cloud options as different business groups start to expand to AWS and GCP.

How are customer service and support?

The technical support has been surprisingly good. With most companies, they do a good job of getting you through the initial customer success phase of getting off the ground, but getting support afterward is a challenge. With Awake Security, I feel like it's been more of a partnership, meaning we have those kinds of ongoing weekly calls with our customer success manager to really make sure that we're getting the most out of the product. In terms of just straight support issues, those have been very minimal. Whenever they have come up, they've been addressed right away. It's been one of the things that stands out, that we haven't had issues in that area.

Which solution did I use previously and why did I switch?

We had done a proof of concept with Darktrace for a number of months before Awake. There were a lot of issues with false positives, meaning, there were a lot of alerts coming from the system that when we looked at them, we could tell that that's actually normal business operations for the environment that it was looking at. It was one of those things where we thought that with machine learning, it would pick it up over time and it would start to tune these things out, but we really had consistent problems with it generating too many alerts to the point that the more important alerts were getting lost in the shuffle of the false positives. We ran it for a while to try and understand if it would learn and get better, but we didn't get to a point where we felt confident in the alerts that were coming out of it.

How was the initial setup?

The initial setup was straightforward. If people have ever put something on a SPAN port before, it's just really a matter of understanding what parts of your network you want to focus on. I would say we spent one hour doing a whiteboard session with Awake and our networking team to decide what's the best place to set these devices to have the most visibility. Then we were up and running the same week.

Awake is one of those things you want to focus your most critical networks on. If you know where your critical data is, especially data that's meant to stay internal or segmented in some way, Awake is a really good way to help monitor those environments. Especially if you have environments where you might have devices that for whatever reason, you can't have a standard endpoint security approach with environments that might be used for research, testing, or things that are really meant to be black-box type environments.

Awake can give you visibility into areas that you typically wouldn't have. In our implementation strategy, we really looked and defined those areas and figured out, what would be the right placement of devices to give us the visibility of our most sensitive data.

What was our ROI?

We have seen ROI. The alerts that come through, they're all things that we want to follow up on. There are things that help us improve our security stance over time. As we've addressed those issues, I think they've led to improvements in the process by engineering teams. They've led to better security controls. Those are the two biggest areas of improvement.

What other advice do I have?

The piece that people should be considering should be how much storage they want for data in the platform and how long they need to retain data for. It's not sitting in the middle of network traffic but for incidents that come up or alerts that are generated, it will store Pcap information for those alerts. You want to make sure that you have enough storage of information around those alerts so that you can go back, whether it be six days, a week, a month, whatever you want your retention period to be. That's something you should think about when you're putting this into place.

Also consider if the data is going to be piped off somewhere else and stored, or if it is going to be stored locally on the box because that's one of those things you can do either way. People should be thinking about it going in because it can generate a lot of data if you want it to.

I would rate Awake Security a nine out of 10. As soon as the API gets a bit more mature, I think they're on track to be a 10.

Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
Dwayne Samson - PeerSpot reviewer
Senior Analyst Security and Compliance at an insurance company with 5,001-10,000 employees
Real User
Reduced the time my team focused on incident response and provided the visibility we were looking for
Pros and Cons
  • "We appreciate the value of the AML (structured query language). We receive security intel feeds for a specific type of malware or ransomware. AML queries looking for the activity are applied in almost real-time. Ultimately, this determines if the activity was not observed on the network."
  • "Awake Security needs to move to a 24/7 support model in the MNDR space. Once they do that, it will make them even better."

What is our primary use case?

Awake Security was brought onboard to provide governance over the incident response process, which is a managed service. Challenges were identified, such as no visibility and no network awareness of what's going on in the environment. Once the network visibility was solved, the decision to look at AI-related tools was initiated.

We will be using its features for compliance as well as threat detection, looking to partner with Awake Security to achieve these goals. Placing their solution in an enterprise financial vertical may allow thinking outside the box, providing additional value in the compliance space.

Right now, they are an on-prem visibility solution. However, we are a cloud-first company. Awake Security provides the ability to pivot to the cloud and look at what's going on there.

Two compliance use cases: First, we have a new subnet within one of our CSPs; Awake Security will alert when activity is observed. Second, a new virtual machine has been provisioned and the local endpoint protection is not phoning home. With the correct structured language in place, we will know if the new device has not been seen on the network for longer than five minutes and has not communicated with the update server.

How has it helped my organization?

Open communication with the MNDR service has driven down the number of false positives. The current average is five events a week, where four are actionable.

The direction we are heading is moving away from traditional alerts and focusing on entities that pose the highest risk to our environment. With the behind-the-scenes tuning, this lends to a clearer understanding of what this device does. Awake Security is constantly asking, "What is the purpose of a device in the environment?" and, "I'll update the LSOP, and we'll get this tuned."

We appreciate the value of the AML (structured query language). We receive security intel feeds for a specific type of malware or ransomware. AML queries looking for the activity are applied in almost real-time. Ultimately, this determines if the activity was not observed on the network.

What is most valuable?

Awake Labs managed network detection and response (MNDR) service is its most valuable feature. The Awake Security team finds incidents that we didn't realize were happening in the environment. Due to our cloud-first approach and outsourcing to managed services, a Tor beacon was observed by the Awake Security team. Files were being uploaded from one of our MSPs.

I am impressed with the solution’s EntityIQ, which is its AI-based security knowledge graph, in terms of its ability to identify and profile. We evaluated other vendors and were really poking at the AI. Not everyone does AI or machine learning the same way. Awake Security's model is unique in the way that they do their AI with their entities.

What needs improvement?

Awake Security markets themselves as a security shop, and that's what they are. However, compliance with our partnership can enhance its capabilities.

Awake Security needs to move to a 24/7 support model in the MNDR space. Once they do that, it will make them even better. For anyone searching to outsource a Level 1 or 2 incident response team, it would be prudent to look at Awake Labs. 

For how long have I used the solution?

We purchased Awake Security a few months back. We made a good choice.

What do I think about the stability of the solution?

The stability has been rock-solid with no issues. It was sized properly.

The platform was recently upgraded. The upgrade went seamlessly. I have been working with the new interface and like it. 

What do I think about the scalability of the solution?

There is enough overhead. When we start adding additional traffic, like our cloud landing zones, it will not be a problem.

We will be increasing usage, and it will be geared more towards the compliance around our financial vertical.

How are customer service and technical support?

Awake Security gets high marks for their communications. We speak at least a few times weekly to ensure the system is tuned correctly. High incident tickets are usually accompanied by a phone call. A review of tickets is scheduled on a monthly basis.

Our experience with the technical support has been great. The department manager receives an intelligence feed about new ransomware observed in the wild. We engage the Awake Security team and request a custom AML signature be written for detection. In one specific example, a request email was sent to Awake Security at 8:30 AM in the morning. By 10 AM, Awake Security's signature was in place. 

Which solution did I use previously and why did I switch?

We are a start-up company, established within the last two years. We had a bake-off of three AI-based network visibility tools, and Awake Security was our selection.

How was the initial setup?

The initial setup was straightforward, not complex, from when the box arrived to when it was installed.

We are planning to pivot to visibility in our cloud landing zones. That's where we will brainstorm or whiteboard stuff that says, "Here's what we can see," and then what we do is say, "Okay, if this happens, I want to know about it." Afterwards, we'll come back to the Awake Security guys, and say, "Here's the stuff that we want you to alert us on," which is really around the compliance stuff. For example, you're not supposed to egress out Azure's Internet. Everything has to come back to us. But we find people have configured it incorrectly and are sending traffic out to the public Internet through Azure's egress. Once we have network visibility up there, we will get alerted when that stuff happens, stating, "Outbound egress traffic has been seen. Here is the host and where it was going." We can then go back and either stop it or talk to the person who set it up.

What about the implementation team?

I have worked with support from Awake Security, and it was straightforward. We already had architecture network visibility, IP addressing, and interface feeds that were provided beforehand by the Awake Security team. Awake Security shipped the devices with the configurations. We plugged them in, and they worked.

What was our ROI?

The current legacy service is strictly based off of logs. Incidents are being generated by the rules algorithms. With Awake Security, their approach is different due to the network context. Awake Security has allowed us to focus on other items, not just on incident response.

What's my experience with pricing, setup cost, and licensing?

The pricing and licensing are competitive. 

Awake Security was the least expensive among their competitors. Everyone was within $15,000 of each other. The other solutions were not providing the MNDR service, which is standard with Awake Security's pricing/licensing model.

When we pivot to the cloud, in order to capture that data, the additional cost is minimal or non-existent. 

Which other solutions did I evaluate?

The original project driver was network visibility, as we didn't have any. We brought in Darktrace, Stealthwatch, and Awake Security for a bake-off. Awake Security filled the need for visibility by being augmented with the MNDR service. 

We found other tool interfaces more polished and more cosmetic in nature. Some folks like to look at that stuff, but you're missing the whole point of Awake Security if you look at it from that perspective.

Awake Security sold the MNDR service as part of their solution. So, the direction was: "Come back and tell me what your MNDR guys have found." They did find incidents our managed virtual SOC had not. There was overlap where the Awake Security team found events our current SOC did not. 

We also looked at Arctic Wolf. They're a managed service around incident response. We did an hour demo. It is a good product, but we are happy that we selected Awake Labs.

What other advice do I have?

The Awake Security team does a good job with communication. With the encrypted traffic, you can't see inside the packet. Encrypted traffic was not a hindrance, since most traffic nowadays is encrypted. The Awake Security team does a good job of determining what's wrong, even though they don't have the full view of the content inside the packet.

Awake Security gets a solid nine (out of 10) based on our experience. That's based on their technology, professionalism, and communication. It was their MNDR service that set them apart when we were looking at other technologies.

Which deployment model are you using for this solution?

On-premises
Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
CISO at an insurance company with 1,001-5,000 employees
Real User
Data is displayed in a very easy to read and understandable manner
Pros and Cons
  • "This solution helps us monitor devices used on our network by insiders, contractors, partners, or suppliers. Its correlation and identification of specific endpoints is very good, especially since we have a large, virtualized environment. It discerns this fairly well. One of the issues that we have had with other tools is that we sometimes are not able to tell the difference between users on some of those virtualized instances."
  • "Be prepared to update your SOPs to have your analysts work in another tool separately. There are some limitations in the integrations right now. One of the things that I want from a security standpoint is integration with multiple tools so I don't need to have my analysts logging into each individual tool."

What is our primary use case?

The tool generates automated alarms to correlate any network activity that we see with some of that more deep packet inspection which Awake provides.

There is currently not a lot of IoT in our environment.

How has it helped my organization?

From a compliance standpoint, we were able to easily identify some security weaknesses built into our systems from an architectural standpoint. We were able to quickly remediate these, e.g., some places encryption was lacking or places where passwords were stored.

This solution helps us monitor devices used on our network by insiders, contractors, partners, or suppliers. Its correlation and identification of specific endpoints is very good, especially since we have a large, virtualized environment. It discerns this fairly well. One of the issues that we have had with other tools is that we sometimes are not able to tell the difference between users on some of those virtualized instances. This solution doesn't seem to have an issue because enough data is collected that we can easily tell which users are responsible for the traffic on which systems.

I haven't seen any real false positives from Awake. Everything that I have seen that hasn't been actionable has been either low-level stuff or part of the learning that Awake is doing in our environment. These have been some legitimate processes or functions that look bad but are normal in the environment. Therefore, false positives are pretty low in Awake.

What is most valuable?

The portion that I use the most is the Adversarial Modeling trend. This threat graphing is probably the most useful feature that we have right now. It displays the data that Awake collects, displaying it in a very easy to read and understandable manner. This is compared to other tools in this similar space, where I found the learning curve and the ability to understand what those tools were analyzing and reporting difficult because it took a bit more time to learn how they reported. 

The data science capabilities of this solution are good. It provides relative correlations. It seems to be very accurate in its detection based on the data science that it runs. Compared to other tools, it seems to be much easier with its machine learning aspects.

This solution’s encrypted traffic analysis is good. Every time I have needed to retrieve data for decryption, it was available. 

What needs improvement?

Some of the searching capability is a bit hard to use without in-depth knowledge. In one of the earlier versions, there was a tool that helped you build some of your searches and helped you correlate your data manually. This seems to have been removed in a later version. That is probably the biggest thing I've noticed.

Be prepared to update your SOPs to have your analysts work in another tool separately. There are some limitations in the integrations right now. One of the things that I want from a security standpoint is integration with multiple tools so I don't need to have my analysts logging into each individual tool. They are working on this at the moment with Splunk and should have something ready in two weeks.

For how long have I used the solution?

I have been using it since August.

What do I think about the stability of the solution?

The stability seems to be fine with no impacts to our network or any of our systems; there has been nothing I have noticed as far as stability goes with the Awake platform.

I run the cyber information security team for the entire organization and have oversight on the security operations center (SOC) as well.

What do I think about the scalability of the solution?

For the scalability portion of it, we haven't really looked into that yet. Cloud TAPs and stuff like that will help determine when it is time for us to look into it. From what I can see, the scalability is pretty easy. Awake really provides a roadmap and guide which makes it pretty straightforward.

We are still somewhat in an onboarding phase because we have scaled back, focusing specifically on Awake. Right now, an analyst and I log in and just review the adversarial model trend to look for any kind of alerts that have been escalated in the last day. Eventually, we will be onboarding it with our SOC and having about four or five additional people monitor that activity.

Currently, we do have a limit on the visibility we have with it, but we are seeing about 95 percent of our network traffic in our primary data center. Therefore, the scope of it is that we have 2,700 employees and approximately 6,000 devices. We don't have any definitive plans to increase usage in the near term. Ideally, we would like the budget requirements to expand into the cloud and get that remaining five percent visibility in our other data centers.

Which solution did I use previously and why did I switch?

We previously had NetMon, which was a product from LogRhythm. First off, there were a lot of hardware issues along with a lot of sizing and scoping constraints provided to us by LogRhythm that just didn't scale. Also, the data enrichment and data science behind it was very low level and not NextGen.

How was the initial setup?

The initial setup was very straightforward. They shipped us the device. They sent us an engineer to work onsite. We already had a network TAP port configured, which they plugged in. Then, the configuration and data normalization was all handled by Awake. There was very little to no effort other than by the Awake engineer who came to our data center.

It took one day to physically deploy and a week for normalization of data. 

What about the implementation team?

We left the implementation strategy up to Awake.

Deployment and maintenance are handled by Awake. Just last week, we received an email saying, "There's an upgrade. When do we have a patching window?" You just provide them the time and they do the update.

What was our ROI?

We have seen ROI. Fortunately, we haven't seen anything really bad from a malicious standpoint. However, some of the visibility Awake gave us into some of those compliance, architecture, and system engineering flaws that we were not previously aware of has let us remediate them.

Which other solutions did I evaluate?

We evaluated Darktrace. We got more valuable data from Awake than we actually got from Darktrace. As far as I'm concerned, Darktrace was 100 percent false positives after doing Awake. After doing a PoC with Awake, we realized that the entire PoC with Darktrace was completely inaccurate. That was something that Awake showed us within its first week of being in. They said, "Hey, this is what we're seeing. It's half the size of what we expected compared to what Darktrace was telling you." So, I can't even give an accurate statement as to false positives specifically with Darktrace because I think the entire PoC scene was a giant false positive based on terrible data that they didn't recognize was bad.

Awake is really easy to use. It was just far easier to use as far as seeing rich, actionable data than LogRhythm. There was less of a learning curve to understand what they were trying to represent. The other thing was I found much fewer false positives in Awake. The data was more accurate, especially during that PoC phase.

From my opinion of the engineers that I met on each side of the table, Awake had engineers who really knew what they were doing. They were able to identify issues more quickly with the way our appliance was collecting and seeing data. Awake came to us after a week, and said, "We're seeing duplicate data." That was data that Darktrace was trying to charge us double for. Therefore, the technical expertise and understanding from the team seemed much greater at Awake than it did at Darktrace.

I didn't even consider LogRhythm to be on the same level. 

What other advice do I have?

We have not used the functionality for cloud TAPs.

I would rate this solution as a nine (out of 10).

Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
Kristofer-Laxdal - PeerSpot reviewer
Director of Information Security at a computer software company with 201-500 employees
Real User
The time from finding threats to remediation is almost instantaneous
Pros and Cons
  • "This solution’s encrypted traffic analysis helps us stay in compliance with government regulations. It is all about understanding data exfiltration, what is ingressing and egressing in our network. One common attack vector is exfiltrating data using encryption. My capability to see potential data exfiltration over encrypted traffic is second to none now."
  • "I would like to see the capability to import what's known as STIX/TAXII in an IOC format. It currently doesn't offer this."

What is our primary use case?

Our use cases are vast and varied. Quite simply, we looked at tools that would look at network detection and responses out-of-the-box. Looking at Awake, there are hundreds of security use cases built into the system itself. I typically utilize the tool across the enterprise looking to detect those hard to find threats.

I am looking at:

  • Indicators of compromise for ransomware
  • Possible command and controls
  • Privacy
  • Clear text passwords
  • Persistence
  • Data exfiltration and compliance for GDPR
  • Various, very hard to detect models of data exfiltration, such as data exfiltration via DNS or ICMP
  • Bad domains and traffic to bad domains
  • The list goes on and on.

I have over a hundred use cases turned on running in the background and looking at the following (for example):

  • Defense evasion, use of proxies in order to hide data exfiltration.
  • Rogue hardware, identifying new devices on my network, whether they be wireless, wireless handheld devices, smartphones, laptops, etc.
  • Brute force attempts against passwords.
  • Password spraying attempts.

It is deployed inline on an on-prem appliance, leveraging a network SPAN port.

We are using the latest version.

How has it helped my organization?

It is all about visibility. From an information security standpoint, the capability for the team to be able to single out devices to respond quickly and intelligently, to say for example, "It is this laptop (or endpoint) from this person in finance. I know exactly what it's doing, what's wrong, and I know how to fix it." So, they're empowered walking up to that department or individual. The face of information security used to be, "Oh, the security guys are on that floor." Now, there's a different take. "These guys know what they are doing and are here to help me. I have an issue, and they solved it very quickly." It's making overall security less painful for our folks, which translates into secure adoption of security policies, standards, and awareness. That's another intangible.

Sometimes, the harder part is not interjecting and removing a node, but understanding what it was doing so we have a higher assurance of what type of data may or may not have been exfiltrated because that may trigger reporting laws, etc. 

We operate globally, so we have to adhere to the principles of GDPR, and also in Canada, PIPEDA. We have a regulatory/legal obligation to report if there is a data exfiltration. Understanding the nature of the data (what these devices are connecting to), if there is an exfiltration, goes a long way toward shaving off the time my staff has to spend running these issues down. For example, one incident could potentially cost thousands of dollars in gray dollars. If, at the end of that investigation, we find out days later that we potentially would have had a reporting obligation, this makes it very difficult. Now, we would have to dive deeper and find out what that data was before we can report to the regulatory bodies, and in particular, our data protection authority for GDPR.

It also allows me to prioritize my staff. So, there are a lot of intangible dollar savings there. Rather than having a group of folks running around attempting to focus on preventative measures, we are focusing on the situations at hand ensuring that we have a grasp of what's going on in our network.

This solution’s encrypted traffic analysis helps us stay in compliance with government regulations. It is all about understanding data exfiltration, what is ingressing and egressing in our network. One common attack vector is exfiltrating data using encryption. My capability to see potential data exfiltration over encrypted traffic is second to none now.

It is all about being able to say with confidence to the executives, the senior leadership team at the board level, that by putting this tool in place we have visibility into east-west lateral movement and traffic in the north-south. We also have a high degree of confidence that we are maintaining our security posture.

It doesn't matter where in my network, including wireless networks, I have it all feeding into the same mirrored port. I can see the traffic from any device which is plugged into the network at any time. The Awake ML will identify it. Then, on the dashboard, it will show me every morning any net new devices, how many devices are active, and how many devices may be impacted by a potential threat. I can see instantly any suspect domains that those devices are trying to connect into and what domains are unique. It also shows me net new domains every day at a glance. It then categorizes all of that information using its ML capability into an easy to use interface: high, medium and low. If need be, it will allow me to pivot on that device specifically, looking at it graphically. I can use that to understand what that device is connecting to, and in the same view, understand what type of data is moving back and forth.

We have a certain amount of IoT here, but not a lot. We have things behind our firewall that are definitely IoT which made me nervous, but I'm a lot more comfortable now. E.g., we are a very large software as a service company based mid-market. We have somewhat of a startup culture, so we have food vending type services that exist behind our firewall, albeit segmented. These are Internet of things, such as an automated machine that cooks food that is constantly reporting back to the vendor. We have several different other examples of IoT within our shop, and it allows me to see that traffic as well.

What is most valuable?

What is impressive about the tool is the time to value. Plugging it onto our network, we have found things that other tools have just never seen. We found those issues quickly and were able to action against those issues, remediating them quickly. I don't know another product that delivers as much value so quickly.

I have the tool set up to alert, be able to look at things, and put things together graphically. This helps to understand the fingerprints of the device, what the device has done, where it's been, and what it's doing on my network. It really gives me a high assurance that my security posture will remain intact.

I have it now integrated into our security incident and event management (SIEM) tool, so I am able to correlate events across my network using Awake as my front-end or my first line of defense. Then, I can also pull in the Awake information and use that to pivot across to other sources within our environment, whether that be enterprise detection and response at the endpoint level or security orchestration and response.

Awake's Security Knowledge Graph is incredible in terms of a couple of things: 

  1. The system is laid out very easily for me to utilize. 
  2. I find it comforting if I look at the DNA of the Awake security staff. All of them are deep and wide, in terms of their experiences. You have ex-Mandiant folks along with ex-US military folks who have been through serious cyber situations and assisted large companies, if not governmental organizations. They have seen these threats in the wild. They know how to deal with these threats. Moreover, on weekly calls, they are notifying or diving deep into areas that we might have missed.

What needs improvement?

The only issue is that Awake affords you so much information behind its fingerprinting capability. When it does trigger, you need to have a hard look at what is going on because there is a reason for that trigger.

They have worked very hard on the interface. I would like to see things laid out somewhat differently, and not due to my familiarity with the tool. The tool has grown a lot since I started using it in October, and there is room for user interface improvements.

I would like to see the capability to import what's known as STIX/TAXII in an IOC format. It currently doesn't offer this. This would be nice, like a wish list item.

We are looking at cloud TAPs for visibility into cloud infrastructure. We offer a software as a service leveraging cloud. To take things to the next level, it is putting the ability and capability of the device into:

  1. Our cloud offering to look for threats.
  2. Leverage it further for any cloud services or SaaS that we use here.

For how long have I used the solution?

We acquired Awake in October 2019.

What do I think about the stability of the solution?

The stability has been rock solid. I haven't had an issue. I have gone through two system upgrades since October. When the system is to be updated, what is nice and somewhat different than a lot of the other appliance vendors that layer the services on top, they contact me before they push the updates out. For example, I had one of their service techs call me at about five o'clock, "Hi, it's William. Do you mind if we go ahead and perform the upgrade for you at this point in time? If that's not convenient, and you need to go through a change control committee, etc., that's not a problem. We can schedule that. But if we're good to go, I can do it now for you." I like that they're high touch.

They do all the maintenance. It is an appliance, so they perform all the upgrades. From an administration standpoint, I have one person dealing with it which is limited to only setting up user IDs. That's really the only administration required in the tool.

What do I think about the scalability of the solution?

As we scale, the tool can scale with us. I'm currently using it with a one gigabit interface. As we scale up, we will scale utilizing the tool.

It's very easy to scale. If we scale in terms of our bandwidth and utilization, it's as simple as looking at the next appliance. Then, assuming we scale to a back-end, if we were to look at a 10 gigabit interface, it's as simple as producing or plugging it in through a Network TAP or another SPAN port.

Seven people are using it right now in an analyst format.

How are customer service and technical support?

One of the nice things about Awake is they are nimble. One of the requests that I put in October for feature enhancement has already been put into the product. They released it with 2.0. That's the ability to utilize situations for situational awareness. When my security analysts look at various issues, we are tracking specific items or indicators of compromise using what they call their situation overlay. Now, that is in beta preview. However, I have an advanced copy which allows me to track and trend an incident all the way through the MITRE ATT&CK chain or kill chain. So, it's a real powerful feature that they have stepped up and implemented in the product.

That is their standard technical support. It is a real "we are here to help" type of feel with just a group of dedicated security professionals. If I look at the DNA of their company, from who's at the senior leadership team level down to the analyst level, these guys have lived it. Their combined experience within the cybersecurity space is second to none.

The last time that I had an issue, it was Awake's technical support that told me that I had an issue, which was nice.

Based on standard support terms and conditions, they have always responded in an expected time frame. I've only had one issue of note with the product and that was resolved quickly. I had a response back in less than 20 minutes and the issue was resolved in under two hours.

Which solution did I use previously and why did I switch?

Before having Awake, we didn't have the visibility. I could get a lot of the north-south traffic and understand what was emanating, ingressing, and egressing in the network, but didn't have the overall picture. 

We had solutions which allowed us to leverage indicators of compromise for indicators of compromise. Really, it was a bunch of point solutions reporting into our SIEM solution, as we are a Splunk shop. It's important to note that Awake doesn't do all things, but what it does do, it does really well and perhaps the best in the industry. So, Awake also puts its logs into the SIEM solution.

We had a SIEM. I had a lot of indicators of compromise type fingerprints in that SIEM. I had all of the log files throughout the whole of the organization dumping into that SIEM. However, from the network detection and response side, looking at east-west traffic, those fingerprints, and in a single pane of glass, I wasn't getting that before I had the Awake device.

The Awake tool gives me the east-west traffic and lateral movement picture, as well as the north-south traffic. Therefore, I'm getting a full picture of my network at any one point in time. These are things that keep you up at night being in the CISO role.

How was the initial setup?

Here is how straightforward the initial setup was. I got the device in October, which is fourth quarter for us and extremely busy. The Awake team wanted to fly in to do the setup. I told them that it was not going to work due to the timing and logistics. So, they shipped out the box. My team just put it in a rack and plugged it into the SPAN port, then we were done.

That was the entire setup. It is an appliance. All it requires is a Network Tap or SPAN port. We plugged the interface in, gave it a public side interface, and the Awake team did the final config remotely, then we were up and running in under two hours. That includes the rack time.

We had several meetings with Awake in terms of understanding our environment:

  • Where it was best to place the sensors.
  • What size sensors would we need.
  • What type of use cases I was looking for.
  • What were my pain points.
  • What kept me up at night before we even embarked to the contract signing.

What about the implementation team?

Two people were required for deployment from my side along with one person from Awake.

What was our ROI?

The time from finding threats to remediation is almost instantaneous. For example, I found a threat this morning and remediated it in less than five minutes. The issue that I encountered today was definitely data exfiltration. It was a malware that was hitting domain generated algorithms and also attempting to use Tor to obfuscate the data exfiltration. I found that within three minutes, and then in the following two minutes, we interjected, did the remediation, and had the node off the network.

When you're trying to put a dollar value on the protection of personally identifiable information, potential financial information, and the loss thereof, it is very difficult. However, in this instance, it could have been a lot worse. In terms of grey dollars and my staff's time, you're looking at $1,000 worth of savings because we would have had to glean through logs, identify the device, chase it down, and understand what it was doing on the network.

The solution has saved thousands of dollars within the first day. Our ROI has to be in the tens of thousands of dollars since October last year. It's about the peace of mind and my ability to pass by the CEO, and say to him, "Don't worry, I got that. There was a network incident, but I'm confident that we caught this endpoint before there was any data exfiltration. I know what it was talking to and what the nature of the issue was." That is powerful right there.

What's my experience with pricing, setup cost, and licensing?

I signed a three-year deal as it was most cost effective for my firm - with no doubt in my mind we will see ROI in year one.

I am hoping to involve them in a managed network detection and response relationship as well, which is another one of their offerings.

There are no additional costs. The product does what it says that it will do. 

Which other solutions did I evaluate?

I am impressed with the data science capabilities of Awake, in regards to AI and ML capabilities built into the tool. We stacked up Awake against a competitor. I put both products, Darktrace and Awake, in a head-to-head bake-off back during the October time frame. Awake was the clear winner for a bunch of reasons: ease of use, a lot of the lateral movement for triggers on indicators of compromise and the Awake rule sets were far deeper and more insightful than information I was receiving out of the ML capabilities afforded within Darktrace.

Darktrace had quite a few false positives. 

Another problem with Darktrace that I found was the interface and the ability to work within the tool to look at information graphically. While available in Darktrace, the ability to navigate and dive deeper into those fingerprint signatures is very kludgy.

What other advice do I have?

Understand where your network points are and where you are best served to position sensors. The tool won't work unless it's positioned effectively in your network. Rely upon Awake staff's expertise. They have collective information cybersecurity experience in the hundreds of years, so just listen to them in terms of their guidance and where to position your sensors. Understand your traffic flow before moving forward with the solution, making sure that it's right for you. For instance, understand that if you have several satellite offices, you may be challenged and need to purchase several devices or appliances. In our case, this was a non-issue because I back haul all of my traffic to one centralized point.

I am impressed with the product. It is a solid, powerful tool. It's a truly unique plug and play appliance and solution. I'd give it a 10 (out of 10). If I could give it more than a 10, I would. It is really an outstanding product.

We have had a few false positives, two or three. I was looking at one this morning. However, that was a fault of ours because the IP address on the endpoint wasn't in a reserved mode, so the name of the machine changed. Here is where the ML capability shines. The IP address changed, thus a new machine name was apparent to the ML engine. Then, the ML engine looked at both the IP and machine name, and said, "I don't know. It's still the same IP, but it's doing lateral movement now." It turns out that IP was reallocated to a machine in our development side for our DevSecOps, where that type of behavior is totally normal. However, the ML in the tool spiked that out immediately.

The biggest lesson that I've learned is thinking that your common point solutions, even though you're aggregating them all, will point out all the potential nefarious activities behind your firewall or attempted attacks outside your firewall. You are not going to see everything. You really need to empower machine learning and AI capabilities of one of these tools in order to see the typical advanced persistent threats (APTs) or those low, slow threats on your network. For example, the anomaly that pops up for five minutes every month because it's using a domain generated algorithm is really where this tool shines. It looks for that needle in a haystack and that anomalous behavior that you're not necessarily going to pick out using a SIEM tool. I don't care how good the SIEM tool is, you need a dedicated product to effectively understand that east-west traffic and ascertain whether or not it is hostile.

Which deployment model are you using for this solution?

On-premises
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Head of Cyber Threat Operations at an energy/utilities company with 1,001-5,000 employees
Vendor
Machine-learning works at a different level — it's like a robotic network engineer
Pros and Cons
  • "Other solutions will say, "Hey, this device is doing something weird." But they don't aggregate that data point with other data points. With Awake you have what's called a "fact pattern." For example, if there's a smart toaster on the third floor that is beaconing out to an IP address in North Korea, sure that's bizarre. But if that toaster was made in North Korea it's not bizarre. Taking those two data points together, and automating something using machine-learning is something that no other solution is doing right now."
  • "I would like to see a bit more in terms of encrypted traffic. With the advent of programs that live off the land, a smart attacker is going to leverage encryption to execute their operation. So I would like to see improvements there, where possible. Currently, we're not going to be decrypting encrypted traffic. What other approaches could be used?"

What is our primary use case?

The solution is a kind of Swiss Army knife. It can do a number of different things. We primarily use it for network traffic analysis and threat hunting.

How has it helped my organization?

We had an event where an attacker tried to steal login credentials. We were able to find the targets on the network using Awake and we were able to turn on multifactor authentication, not only for those users but for the entire enterprise. We were discovering that that was a very common attack tactic. It was a driver for change. Now, all users at this company have multifactor authentication as a result of Awake's capabilities.

For a long time I was the only person in our company doing security. We're a $30 billion company. So you can imagine how much I appreciate how much time Awake has saved me to be able to do other things. It's been an immense help.

The solution provides us with better situational awareness. In terms of network visibility, it's looking at all network traffic. Anything that's going through, it's doing that full packet capture and it's doing the analysis using the algorithms. And it's telling me what's on the network and what it's doing.

What is most valuable?

There are quite a few valuable features. The most valuable aspect of the tech is the fact that it's like a "force-multiplier." It will reduce the amount of time and effort it takes to triage a potential compromise. 

That's important because, in everyday slang, time is money. If you've ever done a business-impact analysis — business continuity — if an attacker can reduce the confidentiality, integrity, or availability of a given system, it will have a financial impact. The quicker you can eliminate or mitigate the compromise, or avoid it altogether, the less money you are looking at spending to recover from a hack. If you can discover it, and detect it, and prevent it before the attack is successful, you actually have a return on investment.

The Security Knowledge Graph tries to centralize things that are notable in the environment. Awake uses a lot of AI and ML to bring to an analyst's attention things that should be of concern. It reduces the amount of searching that an analyst has to do to find notable events or devices. It collates all that and it puts it in one spot. So if you have a device that is beaconing out to a malicious IP, to download malware or the like, Awake will see that and it will alert the analyst right away, rather than the analyst trying to find it in aggregate data.

The data science capabilities of Awake Security are very strong. For a network traffic-analysis platform, it's definitely the best in industry. Vectra AI and Darktrace do similar things, but they don't leverage the math the same way that Awake does.

As for the solution’s encrypted traffic analysis, encrypted traffic is the next nut to crack in logging and monitoring. What they're trying to look for are different cipher suites that can be used to encrypt potentially malicious traffic. It's trying to do something that no one else is really doing.

The solution helps us monitor devices used on our network by insiders, contractors, partners, and suppliers. That's the "meat and potatoes" of what the technology does. If there's a device on the network, it doesn't matter who it's owned by. If it's on the network Awake will see it.

Finally, the cloud TAPs for visibility into cloud infrastructure are 100 percent necessary. I don't know how else you're going to see it.

What needs improvement?

I would like to see a bit more in terms of encrypted traffic. With the advent of programs that live off the land, a smart attacker is going to leverage encryption to execute their operation. So I would like to see improvements there, where possible. Currently, we're not going to be decrypting encrypted traffic. What other approaches could be used?

For how long have I used the solution?

I've been using Awake for about two-and-a-half years. We're using the most current version.

What do I think about the scalability of the solution?

The scalability is very strong. We are going through an acquisition. Thankfully, I have staff now. But I can go out to the new site, put an appliance there, send that traffic to a hub, and from that hub I can see all three locations that we have now, in one spot.

How are customer service and technical support?

Awake's technical support is very good. We have a good, solid relationship with them. It's pretty stellar.

Which solution did I use previously and why did I switch?

We used a SIEM, through IBM. But we're actually using Awake more than we're using QRadar, our SIEM.

How was the initial setup?

The initial setup was very easy. It's a web-based GUI. It's like an application. I didn't have to build anything. All of the algorithms are built into the tech itself on the back end. Once you get traffic going through a TAP or a SPAN port, you send that traffic to the appliance and the appliance does all the work for you.

The deployment took less than a week.

Our implementation strategy was to find our core switches, run the SPAN port off those switches, and send that duplicated traffic to the appliance.

What about the implementation team?

We deployed with the help of an engineer from Awake. I found them to be extremely knowledgeable.

What was our ROI?

ROI is a very hard exercise in security. I believe a couple of people have tried to come up with a quantified data point to say $2 million, or $3 million; every compromise costs a company $3.47 million. It's difficult to put a financial number on it.

I can point to the fact that we haven't had a successful compromise, and that is likely as a result of Awake's technology.

Which other solutions did I evaluate?

I looked at Netwitness and Darktrace. Neither of them was as capable.

The primary reason we went with Awake Security was the fact that the machine-learning was working at a different level. It was working in a manner that the other two solutions weren't. Vectra AI comes close, but it's not the same.

I try to describe it as "aggregation." Other solutions will say, "Hey, this device is doing something weird." But they don't aggregate that data point with other data points. With Awake you have what's called a "fact pattern." For example, if there's a smart toaster on the third floor that is beaconing out to an IP address in North Korea, sure that's bizarre. But if that toaster was made in North Korea it's not bizarre. Taking those two data points together, and automating something using machine-learning, is something that no other solution is doing right now. The only solution doing that is Awake. It's aggregating data points.

What other advice do I have?

My advice would be to put it up against any of its competitors. Look at the salient data points. So your machine-learning is telling you that something is unusual. Great. Why? And if you don't have an answer for that then I would suggest you look at Awake. Because Awake gets to the "why."

In terms of maintenance of the solution, I've got five people now, but they don't just do this. I have one person who does security training and awareness. I have one person who does threat hunting, who is the primary user of the technology. I've got a cyber-threat intel person, and I've also got a person to monitor operational technology.

Regarding Awake's false-positive rate compared to other solutions, it's not really a SIEM. It's more of a hunting tool. It tells me something that is notable, but there will be some false positives because I don't think any amount of AI or ML is going to be able to know everything about your environment. That's just an impossibility. But it gets about as close to an actual person as you can get. Really what Awake is trying to be is a network architect or engineer, a person. It's trying to be someone who knows the topology, the exact architecture, what devices are doing what, what ports, which protocols, etc. That's really what Awake is. It's a robotic network engineer.

Compared to its competitors I'd rate it a ten out of ten. I don't think there's anything out there that's doing what it's doing.

Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
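The "fact pattern" idea in the review above (a beacon to a foreign address is notable on its own, but much less so when the device's own vendor is based there) is easy to sketch in code. The following is an added example written for this page, not code from the reviewer or from Arista/Awake: the OUI table, the geolocation table, the vendor names, the flow records and the scoring weights are all constructed, and the beacon test is a simple coefficient-of-variation check on inter-arrival times. The point it shows is that each finding carries the list of facts that produced its score, so the "why" travels with the alert.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed stand-in for an OUI/vendor lookup: MAC prefix -> (vendor, country).
# "ToastCo" and "LaptopCorp" are hypothetical vendors; country codes are ISO 3166.
OUI_TABLE = {
    "00:11:22": ("ToastCo", "KP"),
    "aa:bb:cc": ("LaptopCorp", "US"),
}

# Constructed stand-in for IP geolocation (documentation-range addresses).
GEO_TABLE = {
    "203.0.113.10": "KP",
    "198.51.100.7": "US",
}

# Countries this hypothetical organisation normally talks to.
EXPECTED_COUNTRIES = {"US"}

# Constructed flow records: (timestamp in seconds, source MAC, destination IP).
# The appliance beacons every 60 s to a KP address, a laptop does the same,
# and a second laptop browses a US address at irregular intervals.
FLOWS = [
    (0, "00:11:22:33:44:55", "203.0.113.10"),
    (60, "00:11:22:33:44:55", "203.0.113.10"),
    (120, "00:11:22:33:44:55", "203.0.113.10"),
    (180, "00:11:22:33:44:55", "203.0.113.10"),
    (240, "00:11:22:33:44:55", "203.0.113.10"),
    (5, "aa:bb:cc:00:00:01", "203.0.113.10"),
    (65, "aa:bb:cc:00:00:01", "203.0.113.10"),
    (125, "aa:bb:cc:00:00:01", "203.0.113.10"),
    (185, "aa:bb:cc:00:00:01", "203.0.113.10"),
    (245, "aa:bb:cc:00:00:01", "203.0.113.10"),
    (3, "aa:bb:cc:00:00:02", "198.51.100.7"),
    (47, "aa:bb:cc:00:00:02", "198.51.100.7"),
    (300, "aa:bb:cc:00:00:02", "198.51.100.7"),
    (301, "aa:bb:cc:00:00:02", "198.51.100.7"),
    (900, "aa:bb:cc:00:00:02", "198.51.100.7"),
]


def lookup_vendor(mac):
    """Return (vendor, country) for the MAC's OUI, or ("unknown", None)."""
    return OUI_TABLE.get(mac[:8].lower(), ("unknown", None))


def is_beaconing(timestamps, min_hits=4, max_cv=0.1):
    """Near-constant inter-arrival gaps (coefficient of variation <= max_cv)
    across at least min_hits connections are treated as beaconing."""
    if len(timestamps) < min_hits:
        return False
    ts = sorted(timestamps)
    gaps = [later - earlier for earlier, later in zip(ts, ts[1:])]
    avg = mean(gaps)
    if avg <= 0:
        return False
    return pstdev(gaps) / avg <= max_cv


def build_fact_patterns(flows):
    """Score each (device, destination) pair from several facts at once and
    keep the facts, so every finding carries its own 'why'."""
    by_pair = defaultdict(list)
    for ts, mac, dst in flows:
        by_pair[(mac, dst)].append(ts)

    findings = []
    for (mac, dst), ts in by_pair.items():
        vendor, vendor_country = lookup_vendor(mac)
        dst_country = GEO_TABLE.get(dst, "??")
        score, facts = 0, []
        if is_beaconing(ts):
            score += 50
            facts.append(f"beacons to {dst} at a near-constant interval")
        if dst_country not in EXPECTED_COUNTRIES:
            score += 30
            facts.append(f"destination country {dst_country} is outside the expected set")
        # The mitigating fact: a device phoning home to its own vendor's country
        # is far less surprising than an unrelated device doing so.
        if vendor_country is not None and vendor_country == dst_country:
            score -= 40
            facts.append(f"vendor {vendor} is based in {dst_country}; vendor traffic is plausible")
        findings.append({
            "device": mac, "vendor": vendor, "destination": dst,
            "score": max(score, 0), "facts": facts,
        })
    findings.sort(key=lambda f: f["score"], reverse=True)
    return findings


if __name__ == "__main__":
    for finding in build_fact_patterns(FLOWS):
        print(finding["score"], finding["device"], finding["vendor"], "->", finding["destination"])
        for fact in finding["facts"]:
            print("   ", fact)
```

With the constructed data, the laptop beaconing to the KP address ranks first (beaconing plus unexpected country, nothing to offset it), the appliance ranks second (same two facts, partly offset by its vendor's location), and the browsing laptop scores zero. The weights are arbitrary; what a real deployment would tune is the set of facts and the lookups behind them.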
PeerSpot user
Senior Security Engineer at a pharma/biotech company with 1,001-5,000 employees
Real User
Behavior-based machine-learning gives us high-fidelity, anomaly-based detections
Pros and Cons
  • "The query language makes it easy to query the records on the network, to do searches for the various threat activities that we're looking for. The dashboard, the Security Knowledge Graph, displays information meaningfully and easily. I am able to find the information that I want to find pretty quickly."
  • "I enjoy the query language, but it could be a bit more user-friendly, especially for new users who come across it... They should push it more into a natural language style as opposed to a query language."

What is our primary use case?

We use it primarily for network-based security and threat-hunting across the network.

How has it helped my organization?

We had an incident that involved a phishing email that came in. We were able to use Awake Security to detect everybody on the network who actually went to the website linked to by the phishing email. It allowed us to take care of the infection. Whereas before, we'd have to wait and base things around user self-reporting.

It also definitely helps us monitor devices used in our network by insiders, contractors, partners, and suppliers. Everything that moves across our network, exits or moves laterally across our network, is picked up by the Awake appliance. So if anybody's using a device on our network, it's captured in the appliance.

In addition, we use Awake Security to identify and assess IoT solutions. We don't have a ton of them on our network but we are a cancer research institution so we do have scientific instruments that are internet-aware and which get their updates across the internet.

Finally, it provides us with better situational awareness. I would say there has been about a 50 percent increase there.

What is most valuable?

  • I really enjoy the query language on it. It makes it very easy.
  • The dashboards and displays are very intuitive.

The query language makes it easy to query the records on the network, to do searches for the various threat activities that we're looking for. The dashboard, the Security Knowledge Graph, displays information meaningfully and easily. I am able to find the information that I want to find pretty quickly.

Also, the data science capabilities of the product are great. We aren't currently using it, but the behavior-based machine-learning that they do incorporate is really impressive. It's the primary reason why we picked up the product. It gives us high-fidelity, anomaly-based detections.

What needs improvement?

I enjoy the query language, but it could be a bit more user-friendly, especially for new users who come across it. I'm conversant with the query language, but if I put it in front of somebody else they have difficulty in learning how to address the query language. That is the biggest area of room for improvement. They should push it more into a natural language style as opposed to a query language.

For how long have I used the solution?

We installed it in January of this year, so we've been using it for about eight months now.

What do I think about the stability of the solution?

It's extremely stable. We have only had one minor incident, which had to do with an update. But it's very stable.

What do I think about the scalability of the solution?

We're only using one appliance now, but it seems extremely scalable. We have plans to increase our usage of it. Within the next year, we are going to roll Awake appliances out to our remote sites as well.

How are customer service and technical support?

Technical support is very responsive and quick to get things done. Any problems I have had with the product, they're usually contacting me about them as opposed to me contacting them. They're very proactive.

Which solution did I use previously and why did I switch?

We did not have a previous solution.

How was the initial setup?

The initial setup was extremely straightforward. Basically, we just plugged it in and it ran. It's an appliance, so racking is what actually took the longest. It took approximately an hour, at most.

We first started deploying it on the edge, as a PoC. We deployed it for traffic entering and exiting our network, on the edge. Then we expanded it out to traffic that's moving laterally.

What about the implementation team?

We did not use a third party.

What was our ROI?

We have seen return on investment but we don't really have the data points around that yet. It's kind of hard to quantify data points with a network security appliance. But we had zero visibility into our network before and so now we have visibility into our network.

What's my experience with pricing, setup cost, and licensing?

The pricing model is an annual subscription. There are no costs in addition to the standard licensing fees.

Which other solutions did I evaluate?

We evaluated ExtraHop. There were two reasons we went with Awake Security. First, we really liked the artificial intelligence aspect of Awake with its behavioral modeling. And second, honestly, was the price. It was cheaper. We were impressed by them at the RSAC Innovation Sandbox. That's where we initially made contact with them.

ExtraHop is a standard network security appliance. The machine-learning within Awake is what sets it apart.

What other advice do I have?

Make sure that you have a strong networking team in place before you buy the product, because otherwise you may have issues with the TAP aggregation. The product itself will go in quickly and easily.

We don't have the solution's encrypted traffic analysis in place because we aren't doing the decryption at the edge. But it does allow us to see the size of data, and allows us to detect external exfiltration pretty easily.

As for the false-positive rate, I haven't done the math. It's decently high because our network situation is a bit weird. But it would be about the same on any other solution.

We have one person, our Security Engineer, servicing it and maintaining it on our side. Awake maintains it on their side as well. In our environment, we have between 2,500 and 3,000 people, usually.

I would rate it at about eight out of ten. It's a matter of scale. For me, ten means it pretty much mitigates all risks for you. So it would be next to impossible to get a ten, from my perspective.

Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
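The phishing incident in the review above (finding every host that went to the link in the email, rather than waiting for users to self-report) is a retrospective search over network records. The following is an added example written for this page, not the reviewer's query or Awake's query language: the phishing URL, the delivery time, the DNS and HTTP records and the DHCP lease table are all constructed, and the `.invalid` domain is a reserved placeholder. It distinguishes clients that merely resolved the name (a mail gateway or link scanner, for example) from clients that actually fetched a page, and drops records from before the email arrived.

```python
from urllib.parse import urlparse

# Constructed phishing link and delivery time (epoch seconds); .invalid is a reserved TLD.
PHISH_URL = "http://account-verify.example-mail.invalid/login?id=42"
EMAIL_DELIVERED_AT = 1_000

# Constructed DNS records: (timestamp, client IP, queried name).
DNS_LOG = [
    (900, "10.0.0.7", "account-verify.example-mail.invalid"),         # before delivery: out of scope
    (1010, "10.0.0.5", "account-verify.example-mail.invalid"),
    (1020, "10.0.0.8", "updates.vendor.example"),                     # unrelated traffic
    (1200, "10.0.0.9", "cdn.account-verify.example-mail.invalid"),    # subdomain also counts
]

# Constructed HTTP records: (timestamp, client IP, Host header, path).
HTTP_LOG = [
    (1011, "10.0.0.5", "account-verify.example-mail.invalid", "/login?id=42"),
    (1021, "10.0.0.8", "updates.vendor.example", "/manifest.json"),
]

# Constructed DHCP lease table: IP -> (hostname, user), to turn addresses into people.
DHCP_LEASES = {
    "10.0.0.5": ("LAB-WS-0173", "jdoe"),
    "10.0.0.9": ("MAILGW-01", "svc-mail"),
}


def domain_matches(name, target):
    """True when name equals target or is a subdomain of it (case-insensitive)."""
    n = name.lower().rstrip(".")
    t = target.lower().rstrip(".")
    return n == t or n.endswith("." + t)


def hunt_phish_visitors(url, dns_log, http_log, leases, not_before):
    """Return every client that resolved or fetched the phishing host after
    not_before, noting whether it only resolved the name or fetched a page."""
    target = urlparse(url).hostname
    seen = {}
    for ts, ip, qname in dns_log:
        if ts >= not_before and domain_matches(qname, target):
            rec = seen.setdefault(ip, {"first_seen": ts, "resolved": False, "fetched": False})
            rec["resolved"] = True
            rec["first_seen"] = min(rec["first_seen"], ts)
    for ts, ip, host, _path in http_log:
        if ts >= not_before and domain_matches(host, target):
            rec = seen.setdefault(ip, {"first_seen": ts, "resolved": False, "fetched": False})
            rec["fetched"] = True
            rec["first_seen"] = min(rec["first_seen"], ts)

    results = []
    for ip, rec in seen.items():
        hostname, user = leases.get(ip, ("unknown", "unknown"))
        results.append({"ip": ip, "hostname": hostname, "user": user, **rec})
    results.sort(key=lambda r: r["first_seen"])   # earliest contact first: likely patient zero
    return results


if __name__ == "__main__":
    for r in hunt_phish_visitors(PHISH_URL, DNS_LOG, HTTP_LOG, DHCP_LEASES, EMAIL_DELIVERED_AT):
        state = "fetched page" if r["fetched"] else "resolved name only"
        print(r["first_seen"], r["ip"], r["hostname"], r["user"], state)
```

In the constructed data the workstation at 10.0.0.5 both resolved and fetched the page and is the host to contain first; the mail gateway only resolved a subdomain and is worth a look but is probably a link scanner. Sorting by first contact is what gives the "who clicked first" ordering during triage.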
PeerSpot user
Chief Security Officer
Real User
Gives us the capabilities of a Tier 4 analyst without hiring one; at a glance we can see what's happening in our environment
Pros and Cons
  • "The most valuable feature is the ability to see suspicious activity for devices inside my network. It helps me to quickly identify that activity and do analysis to see if it's expected or I need to mitigate that activity quickly."
  • "There's room for improvement with some of the definitions, because I don't have time and I'm not a Tier 4 analyst. I believe that is something they're working towards."

What is our primary use case?

I'm primarily using it for viewing lateral movement within my network of suspicious activities. It's my internal monitoring of behaviors of endpoints inside my network, going outbound.

How has it helped my organization?

The way their algorithm works, they have a threat model that brings up the most concerning activities, pretty much like an analyst who is very knowledgeable. On a tier level, a Tier 4 analyst would recognize the suspicious activity. Their algorithm takes somebody who is a Tier 1 or Tier 2 and gives them that clarity at a glance. Their knowledge is pretty top-notch. I also have the added feature of having an analyst that I work with at Awake to help me interpret some of the risk, which is a top-level-analyst type of assistance.

The biggest thing it has saved me is having to bring on a high-level analyst. We're a startup company so money is very tight. I would have had to hire a Tier 3 or 4 analyst to look at our daily traffic. When we deployed this system I could put off making that hire because we're still growing the system. Now, someone like me, who doesn't have a lot of time, can take a quick glance at what's going on in my environment and know whether I need to take action or not, pretty quickly. It's saving me money, saving me time, and gives me a level of comfort that I have visibility within our network which I don't think I could get very easily any other way.

Awake Security helps me monitor devices used on my network by insiders, contractors, partners, and suppliers. We have vendors coming in all the time, we partner with people who use our WiFi access, the internet from within our environment. I have a few people who come in on my guest network and I don't know who they are, but if an incident happens I can quickly identify the systems that are concerned. A lot of times people bring systems in that aren't under my control or introduce threats in my environment which I can attribute to a visitor log right away. We have BYOD in our environment too, and I don't have control over those devices. Given that people are bringing those devices into my network, I feel a lot more comfortable that, if I get a trigger on Awake, I can quickly identify that device as belonging to one of our employees because I've seen it over a long period of time; or I can identify if it's a new device which could be a visitor or the like. I get a lot more clarity on lateral movement in my environment than I think I could any other way.

I was on a call with them looking for any encrypted traffic going on in my environment. They can spot it pretty quickly. Making sure I'm looking at encrypted traffic going outbound helps me stay in compliance.

Finally, it provides me with better situational awareness. It's 1,000 times better. I spent two years in a bigger company and I never felt like I had good visibility into lateral movement. I know what it takes to get that level of visibility and this system does it almost instantaneously.

What is most valuable?

The most valuable feature is the ability to see suspicious activity for devices inside my network. It helps me to quickly identify that activity and do analysis to see if it's expected or I need to mitigate that activity quickly. One of the best use cases was when we knew that one of our vendors that came into our site had a ransomware event at their corporation. I was able to quickly find his device using the Awake system and determine that there was no threat in our system. Something like that usually would have taken four to five hours. It took me about five minutes.

Also, the Security Knowledge Graph is a display of the devices and the activities that we see. It doesn't use a heat map but it uses the size of a bubble - a circle representing a device that's probably highest on the threat list - and shows what all the connections are. That provides a great visual, at a glance, of what's going on in my environment at any one time. I really like that feature.

I use the solution to identify and assess IoT solutions, if they connect to our network. The guest network is the best example. People use the guest network to connect to the thermostat or their Apple Watch. I can see that activity. If it's a network IoT type of thing, like a call system or Amazon Echo, I'm going to see that activity on our network and Awake should be able to call that up pretty quickly.

What needs improvement?

There's room for improvement with some of the definitions, because I don't have time and I'm not a Tier 4 analyst. I believe that is something they're working towards. They're working with me to add new features to make it easier for me to tell what a threat is and determine whether it's important or not. They're making improvements and providing updates almost monthly now, so each time they make those improvements it gets clearer for me.

For how long have I used the solution?

I started the PoC in November, 2018 and we signed a contract with them in early January, 2019. I've been using it since November, but we officially onboarded with them in early January. I'm on the current, latest version.

What do I think about the stability of the solution?

We've had no outages. A couple times we've had some power outages at our facilities, but it came right back up online.

What do I think about the scalability of the solution?

Some of what we're working on now is getting our satellite offices redirected. If I worked for a larger company it would be harder to get this implemented in all of our sites. It's good, site-per-site. I'm still trying to figure out how I can get some visibility into the satellite, small, one- and two-man offices. They're working with me to help come up with that solution.

Right now, it really requires having your internet traffic go through it to have the right level of visibility. For a bigger company that's a little more challenging, depending on how the corporate environment is structured. In my old company, we had 80 different ways to get the internet. That was challenging in and of itself. This company is much smaller so I don't have that big of a challenge, but I do have some satellite offices and I need to figure out how to redirect that traffic through this system so I get some level of visibility there.

How are customer service and technical support?

Usually, when I have an issue where I don't understand what I'm seeing, they're pretty responsive in trying to work on ways to make that clearer. I've been pretty happy with that.

Technical support is definitely a ten out of ten. They've been very responsive and very knowledgeable and usually get right to the heart of any concerns I have.

Which solution did I use previously and why did I switch?

At this company, we did not have a previous solution, but I've used other systems, SIEMs for looking outward-in, like QRadar. That was our system at my previous company. The challenge I saw with something like QRadar was that it was outside looking in. It was looking at our border alerts on our firewalls and looking into our network. An analyst would take those alerts and try to trace to the endpoint that might be causing the problem or that was connected to the problem. He would take the alerts early in the morning, spend about four hours tracing everything that needed to be traced, and then finally get into the endpoint. Awake takes the opposite approach and looks at the endpoints that have the most concerning activity and bubbles that up to the top.

I tell people it saves me about four hours' worth of analyst work daily. I can look at it in five minutes and know which endpoints are of concern, and then I spend a few minutes analyzing whether that's activity that I expected or did not expect, and I can move on. I can look at it daily and get a good feel for whether I need to address something, or I've learned that that alert is not really of concern because it's expected activity.

We got to Awake Security because someone recommended it. One of the consultants I work with had a connection with Awake. They said, "Hey, look at this company." I gave them a call; they came out and did a demo really quickly and then we set up a PoC to see if it worked in our environment. Almost instantaneously, my IT manager and I loved the system because of the visibility we could get so quickly.

How was the initial setup?

The initial setup was pretty easy. They came in and deployed a server on site. We had to make sure that we had the right VLANs exposed to the server so that we could see all the traffic. The user interface was pretty straightforward, just a sign on and password to the server. 

It was pretty intuitive to look at the different threat pictures that they had on the site. It automatically populates the most concerning ones at the top, so I adapted to it very quickly. The search features were pretty good. When I wasn't seeing what I needed to on the automated displays, I could use the menu to clip through a device or just look for a domain or for something that I knew might be concerning. For one incident, when I was trying to find a vendor who had an issue at their shop and I knew they had visited us, I just searched for their domain in our environment. It popped up and it showed me their device pretty quickly. It was a five-minute turnaround, which typically would have taken me a whole lot longer.

There was about a day of install and then about another day of initial setup. Then there was a little bit of tweaking we had to do when we weren't seeing all of the traffic that we thought we should be seeing, but that was on our end. That was just a matter of working with their team to tune the deployment for the server.

For our implementation strategy, we just connected to a SPAN port on our exit router at our main facility. Then we had to tune it to make sure all the VLANs that we had internally were going through that SPAN port. We had to set up a server, and we set it up in our server rack; we happened to have room which was nice. It only took up one or two U's. It wasn't very big.

Initially, to deploy it, I needed my IT staff and it took one network engineer. To maintain is really nothing. It's me using the system. Everything else has been remotely controlled by Awake, so there's been no need for us to interface with it, once deployed.

What about the implementation team?

Awake Security assisted us with deployment. They were great, very responsive.

What was our ROI?

When you compare the cost of hiring and retaining a sophisticated analyst, the Awake Security Platform pays for itself in a matter of months and goes on to save me money, longer-term. In addition, finding an analyst of that caliber in this market can be a challenge in itself. 

The bottom line is that this solution not only gives me the peace of mind and the same level of comfort as having an uber analyst, it also allows me to defer hiring for longer.

Which other solutions did I evaluate?

The other options were very expensive. Most of them were deploying endpoint agents, which was something I didn't really want to do, just yet. Endpoint agents usually help you off-prem, but I was more concerned about what was going on on-prem, and Awake seemed to be the best solution, the most complete solution we could get in the short-term, without spending a lot of money.

What other advice do I have?

My advice would certainly be to do a PoC to make sure it works in your environment. The way your network is configured is going to have a big impact on whether this tool works for you. If you can't get your traffic to go through a single or a reasonable number of exit points to the internet, it may not be a complete solution for you. When I was working at that larger company, I probably would have used this in our engineering lab environment because those guys were like the "Wild West" and deployed whatever they wanted whenever they wanted, and that was usually my biggest concern. I probably would have deployed something like this because it would have given me the visibility into what I couldn't see at the firewall level. I would need to see at a router level and needed something they could make sense of for me. I think Awake would have done it very quickly without much effort.

It's my main tool for network security right now. I'm using it very extensively. We're trying to reconfigure, because we're a startup and I don't want to buy another system, to get as much as we can out of this current system, but I would plan to use this as we grow as a company. If we were to grow globally, I could see us using Awake as our primary threat intelligence for lateral movement particularly, in our environment.

In terms of cloud infrastructure and Awake seeing that activity, it only sees it on-prem because that's the way we have it deployed. Any connection to a cloud, like AWS, we will see that. We should be able to see what activities' connections are occurring. If it's encrypting from the browser to the cloud, we may see that activity but I don't know if we can pull out the content unless we break encryption before it gets to that device. There are certain cloud connections that make sense in our environment and others that don't. We don't use AWS, so any AWS going outbound would be something of concern. I'd go to that device or that individual to see what they're making those connections for.

I don't know how to count how many false positives I get. Usually, I'm looking at concerning activity and it's up to me to determine if it is expected or not expected. Generally, it is exactly what I want to see because it's at the device level that I want to know if the activity is expected or not. Generally, it ends up being expected. It's hard to give it a false-positive rating because I would guess about half of them are things I expect to see. But as a system goes, it's almost 100 percent accurate in calling those events out. It hasn't called out events where I would say, "Oh, it didn't need to call that out because that activity shouldn't have been flagged."

It doesn't know what I know about what's normal, so there's still a little bit of knowing what's normal in your environment. That's the onus of the person running the environment. I can tell Awake that something is normal and not to look at that again, so there is that tuning aspect that has to happen. I typically don't tune it out because I want to see any new traffic patterns. If it's a regular backup that's about the only time I will say, "Don't ever worry about it coming from this device because I expect that to happen on a regular basis."

The false-positive resolution with Awake Security is so much faster that it doesn't have as big an impact as it would have on another solution. If you gave me a false positive with a SIEM, I would have to invest four hours to find out that it was a false positive. If you give me a false positive on Awake, I have to spend five to ten minutes to figure it out. That's because the data is right there. It's populating for me and it's easy to search. It's almost not a fair marker to look at a false-positive rate because the resolution time for the false positive is so much shorter.

Overall, I would rate this solution at ten out of ten.

Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
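Both this review and the previous one describe the part of the rollout that took tuning: making sure every internal VLAN actually reaches the SPAN port or TAP aggregator, because the appliance can only analyse what the feed carries. The check below is an added example written for this page, not code from the reviewers or from the product. It parses 802.1Q and 802.1ad (QinQ) tags out of raw Ethernet frames and compares the VLAN ids seen against the list the network team expects; the frames, the expected VLAN list and the addresses in them are constructed.

```python
import struct

DOT1Q_TPIDS = {0x8100, 0x88A8, 0x9100}   # 802.1Q, 802.1ad (QinQ), legacy QinQ


def make_frame(vlans, ethertype=0x0800, payload=b"\x00" * 46):
    """Build a constructed Ethernet frame with zero or more VLAN tags (outer first)."""
    dst = bytes.fromhex("011b19000000")
    src = bytes.fromhex("0a0b0c0d0e0f")
    tags = b""
    for i, vid in enumerate(vlans):
        # A stacked outer tag uses the 802.1ad TPID; single or inner tags use 802.1Q.
        tpid = 0x88A8 if (len(vlans) > 1 and i == 0) else 0x8100
        tags += struct.pack("!HH", tpid, vid & 0x0FFF)
    return dst + src + tags + struct.pack("!H", ethertype) + payload


def vlan_tags(frame):
    """Return (VLAN ids outer-to-inner, inner EtherType) parsed from a raw frame."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    offset = 12   # EtherType/TPID field follows the two 6-byte MAC addresses
    tags = []
    while True:
        if offset + 2 > len(frame):
            raise ValueError("truncated VLAN stack")
        (etype,) = struct.unpack_from("!H", frame, offset)
        if etype not in DOT1Q_TPIDS:
            return tags, etype
        if offset + 4 > len(frame):
            raise ValueError("truncated VLAN tag")
        (tci,) = struct.unpack_from("!H", frame, offset + 2)
        tags.append(tci & 0x0FFF)   # low 12 bits are the VLAN id; PCP/DEI bits are ignored
        offset += 4


def coverage_report(expected_vlans, frames):
    """Compare the VLAN ids seen on a SPAN/TAP feed against the ids the
    network team expects the session to carry."""
    seen = set()
    untagged = 0
    for frame in frames:
        tags, _etype = vlan_tags(frame)
        if not tags:
            untagged += 1
        seen.update(tags)
    expected = set(expected_vlans)
    return {
        "seen": seen,
        "missing": expected - seen,
        "unexpected": seen - expected,
        "untagged_frames": untagged,
    }


# Constructed capture: VLANs 10 and 20, one untagged frame, one QinQ frame (100 outer, 30 inner).
SAMPLE_FRAMES = [make_frame([10]), make_frame([20]), make_frame([]), make_frame([100, 30])]
EXPECTED_VLANS = {10, 20, 30, 40}

if __name__ == "__main__":
    print(coverage_report(EXPECTED_VLANS, SAMPLE_FRAMES))
```

On the constructed capture the report flags VLAN 40 as missing from the feed and VLAN 100 as an outer tag nobody listed. One caveat when reading a real report: many switches strip 802.1Q tags on a SPAN destination unless the session is configured to preserve encapsulation, so a feed that shows only untagged frames may mean the tags were removed in transit rather than that the VLANs are absent; reading the switch's monitor-session configuration settles which it is.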
PeerSpot user
Buyer's Guide
Download our free Arista NDR Report and get advice and tips from experienced pros sharing their opinions.
Updated: August 2022