Darktrace alternatives and competitors

Awake has made us more productive. We're spending less time looking at false positives, so we can focus on what's truly important. It hasn't affected the morale of our analysts because we use a third-party SOC. 

When I look at the central dashboards, I can see what adversarial models were matched within the day, and when I click on that day, I can see what models and device names got triggered within my homepage. If I want to dive further into that model, I can click on that, and it tells me what the threats were as well as a lot more information on the endpoint or the asset. Then, if I want to see even more information, such as the actual activities, it's three clicks, and I'm on the activities themselves. I can pull a PCAP and investigate it. Regarding responsiveness and how quickly I get the answer, it's much faster than what I used to have.

It's hard to quantify, but it would have taken me 10 minutes to figure it out in my previous solution because I'm on the platform every day. Awake is easier and more intuitive. You see the day, the triggered models, and the asset. Then you click on the asset and activities. They're right there. I get the source, destination, and details, then download my PCAP, and I'm done.

Awake also tracks unmanaged devices. We have a guest WiFi, so if someone logs in to that, it's an unmanaged device. If they log in and try to do something bad, Awake will flag it and tell me. It's important even though we don't have as many people coming in and using the guest WiFi due to COVID, but we need to know if a guest user is doing something malicious.

It's much easier to create your own queries and hunt for threats. Darktrace's language is more challenging, and it's almost like you have to learn Darktrace's methodology to decipher it. When I create a workbench query in Awake to do threat hunting, it's much easier to query. You get a dictionary popup immediately when you try to type a new query. It says, "You want to search for a device?" Then you type in "D-E," and it gives you a list of commands, like device, data set behavior, etc. That gives you the ability to build your own query. Gathering PCAPs is also quite practical and more straightforward— tweaking the adversarial models, too. With Darktrace, it was tough to do. If you go to another serial model and want to clone it, then edit it and disable the old one, you can do it easily.

We have Palo Altos to decrypt traffic. I have all traffic going in and out via Awake, which can decrypt the traffic. However, Awake doesn't need to decrypt because it can analyze encrypted traffic to get a sense of what it might be. What I find helpful is that Awake can tell me when encrypted files might contain passwords. There is an adversarial model for that, which is great when someone tells me that there are two files with passwords, but the Awake and DR team already has an open ticket for this. They look for files that have "passwords" in the filename. 

That allows me to reach out to the user and tell him that I noticed a file containing passwords, and it's not password-protected. When they password-protect the file, the Awake team still highlights that as a risk but then write to them and say a password now protects the password file, and even though it is a password file, it is encrypted. So if you try to open it, you have to decrypt it with a password. Then we tweak the model to prevent that model from being triggered for that specific filename.

We take in IOCs from my SOC and from AlienVault, and then we focus on traffic that hits IOCs and alerts us to it. The one thing that the Awake platform lacks is the ability to automate the ingestion of IOCs rather than having to import CSV files or JSON files manually. Awake didn't support the manual importation of CSV and JSON in version 3.0, but they added it in version 4.0. It's helpful, but it still has to be a specific CSV format. Automated IOCs are on the roadmap. Hopefully, they will be able to automate the ingestion of IOCs by Q1 next year. I'm currently leveraging Mind Meld, an open-source tool by Palo Alto, to ingest IOCs from external parties. I aggregate those lists and spit them out as a massive list of domains, hashes, file names, IPS. Then we aggregate those into their own specific categories, like a URL category. Awake ingests that just like the Palo Alto firewall does, and then it alerts me if traffic attempts to go into it.

Some of that is already on the Palo Alto firewall, which blocks it, but that doesn't mean that there is no attempted communication. I want to know if there's a communication attempt because there might be an indicator on that specific device trying to reach an IOC. Yes, my Palo Alto blocked it, but there's still something odd sitting there, and what if it can reach a different IOC that I don't have information about? I want to focus on it. I could do that by leveraging Awake if it could ingest the IOCs automatically. That's something I leverage Awake for today. I still have to manually import it, which is cumbersome because I have to manipulate the files that I get from the different IOC providers into a specific format that it understands. Once they add the ability to automate that, it'll be more useful.

I have been using Awake since 2020. They hadn't been acquired yet by Arista when I joined.

Awake is pretty stable. It has come a long way. There were quite a lot of bugs initially when I had them in version 3.0. I'm on 4.11 now, so it's a lot cleaner, more intuitive, and much less buggy. I found bugs as each new release came out. I brought them to the attention of support, and they would fix them, then I'd find a different one. I can't comment now since Arista acquired them, but before Arista, the development to get something fixed was much faster.

I have a larger appliance than I technically would need, but I prefer that. If my organization goes up 100 percent, the appliance will still be suitable. So the scalability is there. If you switch from a 50-person shop to a 1000-person shop, it's easy to upgrade the appliance. They get a new one, install it, migrate the data, and you're done. I don't have any reservations about that.

I don't think anyone is a 10 out of ten. There's always room for improvement. I'll give the Arista support group an eight out of 10, and nine and a half to the MNDR team. Awake's managed network detection and response service is fantastic. Awake MNDR has been there night and day for us. In fact, they've helped me a couple of times where my SOC has fallen short. They got me the answers I wanted, which is precisely why I wanted to sign up for MNDR.

Awake MNDR has made our security posture more comfortable. We get some peace of mind knowing they're there if something should happen. I can reach out, and also, they open their own tickets for things they see that the Awake platform doesn't necessarily catch automatically. You want that human element behind it, not just the EML component of it, where you build these models as an ML. You tell the machine what to look for, and if the machine sees it, then it tells us something about it. It's not machine learning — more like machine finding. These guys are looking for the nuances that the machine can't find.

If they see new IOCs, attack vectors, methods of attack, hashes, or techniques, they're going to log in to random customers and do some threat hunting. We get a lot of value from having the ability to say, "Guys, I heard about X, Y, Z. Can you check if there's any indication of that in my environment?" They can then log in, do their own threat hunting, and tell me, "No, categorically, there isn't." That's a lot more helpful than just having a SOC.

If my SOC is spending a couple of hours doing it, they're not going to be Awake experts, of course, because they're a SOC, and they probably have to leverage so many security tools it's impossible. They all have customers with Vectra, Darktrace, etc., and you can't learn them all. So having the Awake team allows me just to ask the Awake MNDR team, "I got this ticket. Can you guys log in and investigate it?" Or, "I have this question. This user did XYZ. Can you guys investigate this and paint a picture based on what you see in Awake." Of course, they don't have access to SentinelOne or a lot of my other tools like the SOC does, but they can give me a sense of exactly what happened just by leveraging Awake.

Positive

Previously, we were Darktrace customers, and we had the Darktrace platform set up in two locations: here and our data center. We leveraged them because we wanted to have an NDR solution. Darktrace is great eye candy, but we got a lot of false positives in the environment. When we spoke with Darktrace, they assured us that it was AI with machine learning capabilities so that it would adapt to our environment the longer it was deployed.

I'm not sure if they've gotten better since then because I left them two years ago, but our SOC was spending too much time looking at false positives. When we approached Darktrace and told them that the solution was flagging functions that were normal in our environment, the support was not up to scratch. If you constantly have to change the model and tell it to ignore issues in your environment, then that's not machine learning because it's not learning the environment.

Awake had what I was looking for with Darktrace but didn't get, which was to get a response. So you detect it and respond to it by integrating it with the EDR tool, specifically at the endpoint. I wanted a response, but that automation wasn't there. Darktrace has it now. However, Awake had the EDR integration to Crowdstrike and SentinelOne out-of-the-box, which was great because then I wanted to do it, but it's not fully automated yet. I can isolate the endpoint from the Awake platform but there's still no playbook yet where it says, "Okay, if you find a ransomware attack going on, isolate that endpoint and respond automatically." That's on Awake's roadmap. 

Another reason I moved to Awake was that they're not truly an ML or AI, and they don't sell themselves as that. They look at it differently from a security perspective, and I like that. The integration with EDR is better than what I had. They were looking to integrate with Palo Alto and Cisco firewalls to automate the response to IOC. If an IOC is identified in my environment, it will tell my firewall to start dropping the traffic to the IOC. They don't have this functionality yet, but I know it's in the roadmap because I just had a call with them about a month ago. I have a Palo Alto firewall, and the integration with Palo Alto will come along in Q1 next year. 

I think Darktrace has this, or it's in the process of adding it, but Awake already had it on the roadmap two years ago. That was something they were building towards. Since then, I have expanded my relationship with Awake Arista by signing up for their MNDR service, which has been super helpful because we still get false positives when I tweak the adversarial models to match my environment. I don't think there's a solution that will genuinely learn your environment and know what's normal versus what's not. I've found that dealing with support is better than dealing with Darktrace. Granted, I have the MNDR team also now, but this was the case even before that. With the MNDR team, I send them an email telling them the alerts we've gotten and the workbench queries we used. Then I ask them to tweak the model, so we don't get false positives. After an hour or two, it's done. Compared to Darktrace, the level of responsiveness from Awake has been night and day.

I get low-risk false positives, and I treat them all the same, but I have a managed external SOC, and they will not. I do because I want to see less noise, and I want my SOC to focus on what's important. As such, I want to tweak the adversarial models to focus more on aspects that warrant research and response rather than just an alert that comes in. We can decide to look at something later when we have time because we can see it's a low-level risk. Awake categorizes these, so you know it's low when you see an alert with a risk score of 20. Still, I want to clean it up, so that I don't see them. When I look at my platform dashboard, I want to know that I have had X unique adversarial models for the past week and Y high-risk devices. Then I can zero in on those high-risk devices to see what they are and what they're doing. 

I was a Dell Secureworks customer for a while. They were great tools, but they weren't NextGen. I thought Darktrace was NextGen. I had probably done a demo with them two years before becoming a client. I had Secureworks as a SOC, but then I wanted something more. When it was time to change my SOC from Secureworks, I figured I could use Darktrace and get an external SOC to ingest all of my security logs for the same cost I'm paying Dell Secureworks.

I thought that my SOC was spending too much time investigating all the false positives we were getting out of Darktrace, and it wasn't their job to tweak Darktrace. It was certainly more challenging for me to do it and more brutal to me to work with support to do it. And so, after attempting that for six months, I came across Awake. I can't remember exactly where. It must have been a marketing email I got, and I decided to look into it.

I think they had just come out of stealth mode when I started talking to them, and I decided to put them in at the same time I had Darktrace and do a bake-off. I realized that I was getting fewer false positives but, unfortunately, the platform does not have 3D manipulation, which I call the "eye candy" of Darktrace. It's an excellent visualization tool. It looks fantastic, but it's not easy to dive in and look at the logs.

I like how Darktrace can replay the traffic and show the messages coming in. I thought that was a pretty cool feature that I wish I could do with the Awake. But again, it's eye candy. The information is there, but you can't play it to the second as the traffic comes in. When I tried out Awake, I was taken aback because they had the IOC ingestion and were planning on automating that. They were also planning on integrating Awake with Palo Alto firewalls. Awake also had the EDR implementation as I was looking at migrating from Cylance to Crowdstrike. They already had Cylance integration also. I thought it was a no-brainer as long as I could get it for the same cost as Darktrace. I knew I would get a little more value out of it. I would lose the eye candy and the playback, but my SOC will spend less time looking at false positives.

I don't pay more or less if my SOC gets a thousand tickets or 10, but I also don't believe in my mailbox getting spammed with issues that worry me. Of course, I still get false positives from Awake. At most, it's maybe one a day, which is not terrible. We used to get five, but then I started tweaking it, and now we're getting roughly one every two days. We used to get five a day because no platform is built for your environment. They're built for all environments. They have to look for issues they think are malicious. You get that with SentinelOne too. I get false positives with SentinelOne and Excel files that look like they're meeting a MITRE ATT&CK framework, but they're not.

I think people should be ignored if they tell you there is a tool out there that's truly going to learn your environment. Darktrace claims that the tool will self-adjust the longer that it's in your environment. It won't. I've seen it, and unless that's been massively improved, I don't believe it.

I got a deal when I bought Awake. It's if you go to buy a car and end up ripping off the dealer. I don't think many customers got the same deal. Darktrace is way too expensive, and so Awake is more price competitive. I think they'll be able to take a lot of clients from Darktrace because it costs a lot of money. All of these vendors push for four-year agreements and offer discounts for that. Darktrace told me that they only do four-year contracts, but I said I wouldn't be a customer if those were the terms. Instead, I got a four-year agreement with a 12-month opt-out. It's still a four-year agreement, but I could opt out after 12 months with a 90-day notice. So to me, it's a one-year agreement. I was able to get that with Darktrace because they wanted me as a customer.

Because I represent a hedge fund, I have some leverage. I told them that they had to meet my conditions if they wanted me as a client. It was the same way with Awake. They wanted an initial four-year agreement. Initially, we signed on for a one-year contract, but they wanted the four-year deal when it came time for the renewal. I told them that I was not doing that. I said that they either had to do it on my terms, or I'd go somewhere else. I don't want to, but I'll go.

We were able to keep the same conditions that I had, and working with them was pretty easy. I didn't have to jump through many hoops to get what I wanted. I was one of their first clients in the alternative investment space, and I've been a big supporter of what they were doing even before Arista bought them. I was worried when Arista bought them. When a conglomerate company bought this unicorn, I was afraid they would turn it into garbage.

Thankfully, I haven't seen that. The platform is improving, and the development continues. They're doing many exciting improvements that were on the roadmap when I first signed on. I can't disclose some of these improvements, but seeing what's coming down the pipeline is exciting. And like I said, I was fearful of Arista. Now I'm thankful that Arista pumped money into it and kept the team together, did not break them, that they're integrating them to their support model, and the teams will become bigger. And obviously, the interaction with the Arista products will become even larger because they're an Arista company, and they want to apply that to their Arista products.

My other big concern was that once Awake was acquired by Arista, they would have no interest in integrating with Palo Alto and Cisco because they are competitors. The sales rep told me, "No, that's incorrect. We still want to integrate with them. However, we understand customers are always going to have a choice, and not everyone chooses Arista for networking." I don't think Arista even does firewalls, so they put me at ease. 

I'd rate Awake Security Platform nine out of 10. I have recommended them to many of my peers and have done references since. I believe in Awake and what they're building. I know how much more they can do with this. Unlike Darktrace, Awake has been built from the ground up. Darktrace took a lot of open-source tools and integrated them. It may have been a sales pitch, but my understanding is that one aspect that sets Awake apart is that this platform is built from the ground up. They didn't take an open-source tool and bandaid it to another one to create a product. 

That's one of the most exciting aspects of Awake. They can do what they want with this. They can build all these features on top of it. I bought into Awake because I wanted to get these features on a single platform. I want to create playbooks. I want something that can automate playbooks and leverage API calls to connect to your Palo Alto firewalls and SentinelOne. It's all about APIs nowadays. I want to have the ability through a single pane of glass that has your top 10 adversarial models that are critical. If you hit this criticality and you are up to this percentage, the following action that the Awake platform takes is X.

I believe that's where this platform can go, and I don't think any platform out there is at that level yet, even though Darktrace now has integration with EDR. They can automate many aspects, and they have added Palo Alto to it since then. Also, they have an email phishing component. I think Awake has the potential to do much more and based on the roadmap that I've seen, I believe they are well-positioned to do even better.

Vectra was deployed to give us a view of what is happening on the user network. It helps us to check what is being done by users, if that is compliant with our policies, and if what they're doing is dangerous. It covers cyber security stuff, such as detecting bad proxies, malware infections, and using packet defense on strange behaviors, but it can also be used to help with the assessment of compliance and how my policies will apply.

We also use Vectra to administer servers and for accessing restricted networks.

There are on-prem modules, which are called Cognito Detect, the NDR/IDS solution, which captures traffic. We also have the SaaS data lake, and we also have the Cognito Detect for Office 365, which is a SaaS-type sensor within the O365 cloud.

If we didn't have Vectra and the Detect for Office 365, it would be very difficult to know if our Office 365 was compromised. We tried, in the past, to do it with a SIEM solution consuming Office 365 logs and it was really time-consuming. The Office 365 Detect solution has the exact same "mindset" as the Detect solution for networks. It's almost like we can deploy it in the fire-and-forget mode. You deploy the solution and everything is configured. You have all the relevant alerts out-of-the-box. If you want to, you could tweak, configure, contextualize, and rewrite the parser, because some things might be out of date,  and customize the solution. For a big company with a large team it might be feasible, but for small companies, it's an absolute showstopper. The Detect for Office 365 gives us a lot of visibility and I'm very pleased with the tool.

We use three services from Vectra: Cognito Detect, Detect for Office 365, and Cognito Recall, and we are leveraging all these services within the SOC team to have proper assessments. We even use these tools to prepare the new use cases that we want to implement into our SIEM solution. Recall stores all the metadata that is brought up from Cognito Detect at a central point, data-lake style, with an elastic stack and a Kibana interface available for everybody. Using this, we can try to see what are the general steps.
Without this, I would not have been able to have my SOC analyst do the job. Creating a data lake for cyber security would be too expensive and too time-consuming to develop, deploy, and maintain. But with this solution, I have a lot of insight into my network.

An additional thing that is very convenient with the Recall and Detect interfaces is that you can do use cases involving individuals in Recall and have them triggered in Detect. For example, we found ways to track down if users are trying to bypass proxies, which might be quite a mess in a network. We found a type of search within Recall and have it triggering alerts in Detect. As a result, things can be managed.

It's so efficient that I'm thinking about removing my SIEM solution from our organization. Ours is a small organization and having a SIEM solution is really time-consuming. It needs regular attention to properly maintain it, to keep it up and running, consume all the logs, etc. And the value that it's bringing is currently pretty low. If I have to reduce costs, I will cut costs on my SIEM solution, not on Vectra.

The solution also provides visibility into behaviors across the full life cycle of an attack in our network, beyond just the internet gateway. It provides a lot of insight on how an attack might be coming. There are multiple phases of an attack that can be detected. And there is a new feature where it can even consume intelligence feeds from Vectra, and we can also push our own threat-intelligence feeds, although these have to be tested. The behavioral model of the Detect solution also covers major malware and CryptoLockers. I know it's working. We tested some cases and they showed properly in the tool. I'm quite reassured.

It triages threats and correlates them with compromised host devices. One of the convenient things about Detect is that it can be used by almost anybody. It's very clear. It's quite self-explanatory. It shows quadrants that state what is low-risk and what is high-risk. It is able to automatically pinpoint where to look. Every time we have had an internal pen test campaign, the old pen test workstation has popped up right away in the high-risk quadrant, in a matter of seconds. To filter out false positives it can also provide rules that state, "Okay, this is the standard behavior. This subnet or this workstation can do this type of thing." That means we can triage automatically. It also has some features which aren't so obvious, because they are hidden within the interface, to help you to define triage rules and lower the number of alerts. It looks at all your threat or alert landscapes, and says, "Okay, you have many alerts coming from these types of things, so this group of workstations is using this type of service. Consider defining a new, automated triage rule to reduce the number of alerts."

To give you numbers, with my SIEM I'm monitoring some IDS stuff within my network. Everything is concentrated within my SIEM. From my entire site, IDS is giving me about 5,000 more alerts than my Vectra solution. Of course it will depend on how it is configured and what types of alerts it is meant to detect, but Vectra is humanly manageable. You don't have to add something to make the triage manageable, using some time-consuming fine-tuning of the solution, requiring expertise. This is really a strong point with Vectra. You deploy it, and everything is automatically done and you have very few alerts.

Its ability to reduce false positives and help us focus on the highest-risk threats is quite amazing. I don't know how they made their behavioral or detection models, but they're very efficient. Each alert is scored with a probability and a criticality. Using this combination, it provides you insights on alerts and the risks related to alerts or to workstations. For example, a workstation that has a large number of low-criticality alerts might be pinpointed as a critical workstation to have a look at. In fact, in the previous pen test we launched, the guys were aware that the Vectra solution was deployed so they tried some less obvious tests, by not crawling all the domain controllers, and things like that. Because there were multiple, small alerts, workstations were pinpointed as being in the high-risk quadrant. This capability is honestly quite amazing.

And, of course, it has reduced the security analyst workload in our organization, on the one hand, but on the other it has increased it. It reduces the amount of attention analysts have to pay to things because they rely on the tool to do the job. We have confidence in its capability to detect and warn only on specific things of interest. But it also increases the workload because, as the tool is quite interesting to use, my guys tend to spend some time in Recall to check and fix things and to try to define new use cases. Previously, I had four analysts in my shop, and every one of them was monitoring everything that was happening on the network and in the company on a daily basis. Now, I have one analyst who is specialized in Vectra and who is using it more than the others. He is focusing on tweaking the rules and trying to find new detections. It brings us new opportunities, in fact. But it has really reduced the workload around NDS.

In addition, it has helped move work from our Tier 2 to our Tier 1 analysts. Previously, with my old IDS, all the detection had to be cross-checked multiple times before we knew if it was something really dangerous or if it was a false positive or a misconfiguration. Now, all the intelligence steps are done by the tool. It does happen that we sometimes see a false positive within the tool, but one well-trained analyst can handle the tool. I would say about 20 to 30 percent of work has moved from our Tier 2 to our Tier 1 analysts, at a global level. If I focus on only the network detections, by changing all my IDS to Vectra, the number is something like more than 90 percent.

It has increased our security efficiency. If I wanted to have the same type of coverage without Vectra, I would need to almost double the size of my team. We are a small company and my team has five guys in our SOC for monitoring and Tier 1 and Tier 2.

It reduces the time it takes for us to respond to attacks. It's quite difficult to say by how much. It depends on the detections and threat types. Previously, we had an antivirus that was warning us about malicious files that were deployed on a workstation within one year. Now, we can detect it within a few minutes, so the response time can be greatly enhanced. And the response time on a high-criticality incident would go from four hours to one hour.

The most valuable feature for Cognito Detect, the main solution, is that external IDS's create a lot of alerts. When I say a lot of alerts I really mean a lot of alerts. Vectra, on the other hand, contextualizes everything, reducing the number of alerts and pinpointing only the things of interest. This is a key feature for me. Because of this, a non-trained analyst can use it almost right away.

It's very efficient. It can correlate multiple sources of alerts and process them through specific modules. For example, it has some specific patterns to detect data exfiltration and it can pinpoint, in a single area, which stations have exfiltrated data, have gathered data, and from which server at which time frame and with which account. It indicates which server the data is sent to, which websites, and when. It's very effective at concentrating and consolidating all the information. If, at one point in time, multiple workstations are reaching some specific website and it seems to be suspicious, it can also create detection campaigns with all the linked assets. Within a single alert you can see all the things that are linked to the alert: the domains, the workstation involved, the IPs, the subnets, and whatever information you might need.

The key feature for me for Detect for Office 365 is that it can also concentrate all the information and detection at one point, the same as the network solution does. This is the key feature for me because, while accessing data from Office 365 is possible using Microsoft interfaces, they are not really user-friendly and are quite confusing to use. But Detect for Office 365 is aggregating all the info, and it's only the interesting stuff.

We are still in the process of deploying the features of Detect for Office 365, but currently it helps us see mailboxes' configurations. For example, the boss of the company had his mailbox reconfigured by an employee who added some other people with the right to send emails on his behalf, and it was a misconfiguration. The solution was able to pinpoint it. Without it, we would never have been able to see that. The eDiscovery can track down all the accesses and it even helped us to open an incident at Microsoft because some discoveries were made by an employee that were not present in the eDiscovery console on the protection portal from Office 365. That was pinpointed by Vectra. After asking the user, he showed that he was doing some stuff without having the proper rights to do so. We were able to mitigate this bit of risk.

It also correlates behaviors in our network and data centers with behaviors we see in our cloud environment. When we first deployed Vectra, I wanted to cross-check the behavioral detection. After cross-checking everything, I saw that everything was quite relevant. On the behavioral side, the Office 365 module can alert us if an employee is trying to authenticate using non-standard authentication methods, such as validating an SMS as a second factor or authenticating on the VPN instead of the standard way. The behavioral model is quite efficient and quite well deployed.

Vectra is still limited to packet management. It's only monitoring packet exchanges. While it can see a lot of things, it can't see everything, depending on where it's deployed. It has its limits and that's why I still have my SIEM.

I am in contact with the Vectra team, if not weekly then on a monthly basis, to propose improvements. For the time being, the main improvement I can see would be to integrate with more external solutions. Since Vectra provides an API, that  should be quite easy to handle. For example, we're using an open source ticketing system within our team and I want to have it handled properly by Vectra. We'll go forward on that with the API. 

Another area for improvement that I have pinpointed is that the Office 365 solution and the Detect solution cannot match the same users. That means we have two "different worlds" currently, the world from Office 365, which is bringing alerts based on users' emails and email addresses. And we have the network world, which is bringing an Active Directory view. On the one hand we are seeing emails or email addresses, and on the other hand we are seeing things like logons on to the domain controller. From time to time, it does not match and the tool cannot currently cross-check this info and consolidate everything. I would like to be able to see that detection related to one workstation and covering a user: what he is using, what services he is using, and what he did with his Office 365 and configuration. That would help. 

Another major feature would be to have all logs pushed to Cognito Detect, and all these logs should be also pushed to Recall. Currently, within Recall, I can't call up the Office 365 detections and I would love to do so. 

The last point would be an automated IoT threat feed consumption by the tool.

I have been using Vectra for two years.

The stability is absolutely flawless. The last time it was rebooted was almost two years ago. 

The only thing we have seen was some interruption in log feeding to the Recall instance, the SaaS solution. I had a quick call with a product manager in Europe and he was very keen to share information about this issue and willing to improve it.

So, within two years we have faced one stability incident. This incident lasted less than two hours and it was not on the monitoring solution but more on the data lake solution.

The scalability is very good. From the financial perspective, we are not limited by the number of sensors. We can deploy as many virtual sensors as we want. The key factor is the IP addresses that are being monitored. In terms of technical scalability, we have one brain appliance, one very big sensor, and multiple virtual sensors, and I don't see any limits with this solution.

We are currently using all the things that it's possible to use in this solution. One thing I like with Vectra is that it's updated very frequently. Almost every month new features are popping up: new detections, new dashboards, new ways to handle things. That's quite good. I work with our SOC team so that they can use everything right away.

The tech support is surprisingly good. We had questions, we faced some slight issues, and we always got very quick answers. Things are taken into account within a few minutes and answers usually come in less than two hours.

To deploy Recall, which is the data lake in SaaS, or to deploy the Office 365 sensor, it was effortless. It was just a quick call and, within minutes, everything was set up.

It was set up the same way the solution is behaving. It's a turnkey solution. You deploy it and everything works. The configuration steps are minimal. It's exactly the same for the SaaS solution. You deploy the tool and you just have to accept and do very basic configuration. For Office 365, you have to grant rights for the sensors to be able to consume API logs and so on. You grant the rights and everything is properly set up. It's exactly the same for Recall. It was a matter of minutes, and not a matter of days and painful configurations.

In terms of maintenance it is very easy and takes no time. It's self-maintaining, aside from checking if backups have properly ended. And in terms of deployment, when we add a network segment, we have to work a bit to determine where to deploy the new sensors, but the deployment model is quite easy. The Vectra console is providing the OVA to provide a virtual sensor for deployment. It can also automate the deployment of the sensor if you link it with vCenter, which we have not done. But it's very easy. It's absolutely not time-consuming.

If I compare the deployment time to other solutions, it's way easier and way quicker. If I compare it to my standard IDS, in terms of deployment and coverage, it's twice or three times better.

We were in contact with Vectra a lot at the beginning to plan the deployment, to check if everything was properly set up. But the solution is quite easy to set up. The next decisions we had were focused on how to enhance the solution: what seemed to be missing from the tool and what we needed for better efficiency.

The guys from Vectra were more providing guidance in terms of where the sensors needed to be deployed and that was about it.

We had a third-party integrator, Nomios, that provided the appliances, but they did not do anything aside from the delivery of appliances to our building. Our team took the hardware and racked it into the data center on its own. With just a basic PDF, we set up the tool within minutes. The integrator was quite unnecessary.

Nomios are nice guys, but we have deployed some of other solutions with them and we were not so happy about the extra fees. We were not the only ones who were not happy about that. We tried to deploy the ForeScout products with Nomios and it was quite a mess. But they have helped us with other topics and they have been quite efficient with those. So they are good on some things and on other things they are not good.

It's ineffective to speak just about the cost of the solution, because all the solutions are costly. They are too costly if we are only looking at them from a cost perspective. But if I look at the value I can extract from every Euro that I spend on Vectra, and compare it to every Euro I spend on other solutions, the return on investment on Vectra is way better.

ROI is not measurable in my setup, but I can tell you that Vectra is way more cost-efficient than my other solution. The other solution is not expensive, but it's very time-consuming and the hardware on which it's running it's quite expensive. If I look at the global picture, Vectra is three or four times more cost-efficient than my other solution.

The pricing is very good. It's less expensive than many of the tools out there.

I evaluated Darktrace but it wasn't so good. Vectra's capabilities in pinpointing things of interest are way better. With Darktrace, it is like they put a skin of Kibana on some standard IDS stuff.

Vectra enables us to answer investigative questions that other solutions are unable to address. It provides an explanation of why it has detected something, every time, and always provides insights about these detections. That's very helpful. Within the tool, you always have small question marks that you click on and you have a whole explanation of everything that has been detected: Why has it been detected and what work is the recommended course of action. This approach is very helpful because I know that if I ask somebody new, within our team, to use Vectra, I don't have to spend months or days in training for him to be able to handle the solution properly. It's guided everywhere. It's very easy to use.

Do not be afraid to link Vectra to the domain controller, because doing so can bring a lot of value. It can provide a lot of information. It gets everything from the domain controller and that is very efficient.

You don't need any specialized skills to deploy or use Vectra. It's very intuitive and it's very efficient.

We are in the process of deploying the solution’s Privileged Account Analytics for detecting issues with privileged accounts. We are using specific accounts to know whether they have reached some servers. It's quite easy with all these tools to check whether or not a given access to a server is a legitimate one or not.

We don't use the Power Automate functionality in our company, but I was very convinced by their demonstration, and an analyst in my team played with it a bit to check whether or not it was working properly. These are mostly advanced cases for companies that are using Office 365 in a mature manner, which is not the case for our company at the moment.

In our company, less than 10 people are using the Detect solution, and five or six people are using Recall. But we are also extracting reports that are provided to 15 to 20 people.

We primarily use Check Point to provide visibility into our network. It lets us see the east-west traffic, and it gives us a lot of information to work on as far as what kind of traffic was passing through.

Overall, it give me a lot of insight into my network that I didn't have before.

It lets us know about anomalous behavior and it provides alerts regarding activity on certain ports. It lets me decide, for example, whether something is a valid connection, or causes me to question why a certain port is open.

The pain point that I have with this solution is contacting technical support.

I have been working with Check Point IPS for more than a year.

Stability-wise, this product is great.

The scalability comes from the fact that this is an on-premises device that ties into a cloud service. It's a hybrid application. Once you have it installed, it's collecting information. You put it right there in front of your input into the network, and it picks up all of the traffic.

Sometimes, technical support takes a long time to get back to you.

I used Check Point Endpoint Security, as well as the Network Detect and Response (NDR) appliance.

I am currently using Darktrace and Vectra in addition to Check Point. I've been using all three and I find that Check Point is the one where I get the most information from. I will stop using Vectra this year but I will retain Darktrace, as long as they keep it at a certain price.

Darktrace takes a lot more configuration; unlike Check Point, there are a lot more changes that need to be made. When it's fully integrated, it requires a lot of time and it may end up being as useful as the Check Point.

The reason I keep all three is because they all give me a different kind of view. They all give me different information. If they gave the same information, it'd be useless to keep them.

With respect to similar security products, I have demoed CrowdStrike, worked with Symantec, and am also using Check Point.

Check Point was fairly usable out of the box.

I am using an on-premises appliance that ties into a cloud service.

Pricing for this solution is negotiable and I'm happy with our pricing.

I suggest negotiating either at the end of their fiscal year or at the end of every quarter. At the end of the quarter, they have an incentive to lower the prices to sell as many units as possible in order to meet their end-of-quarter quota.

If I could only keep one of my security solutions, it would be Check Point. To me, it provides the most valuable information.

I would rate this solution a nine out of ten.

We use the solution for traffic filtering, security, and antivirus capabilities.

I have found the filter and the antivirus to be most valuable.

The user interface needs some improvement, it is a little rudimentary and not very intuitive. If you are not very technical inclined you may need to be assisted or might struggle to set it up.

The newer version tends to use a lot of system resources. For example, your processor and RAM.

I have been using the solution for approximately four years.

The solution is stable and reliable, it does the job well.

The scalability is excellent, they can support a large environment. However, a large size organization will need its own dedicated appliance.

The customer support is very good.

We have used and still use Darktrace. We do not use it to replace Cisco's NGIPS solution but we use it predominantly as an in-network snooper.

The installation is complex.

We used an in-house team to do the deployment and it takes roughly a day and a half depending on the size of your organization and the configuration. Setting up the rules, all the features, and the licensing takes time.

To do the maintenance you need somebody familiar with Cisco and networking technologies.

By using this solution we have received a return on our investment. 

Cisco products are not cheap and this solution is no different. However, the price of all of the Firepower is part of a bundle when you buy the actual firewall, the Cisco firewall. It is part of the whole bundle package, but Firepower IPS itself has its own costs.

We are on a yearly license and the price depends on the environment, we pay approximately $33,000. The solution has additional components, and each one of the components cost extra.

For those wanting to implement this solution, I was advice before deploying the solution, understand exactly what you want it to do for you. The product has a couple of different capabilities, do you want to expand, or you may not want to expand. These are scenarios that you have to take into account. I would not recommend the solution for small organizations, it would be too time-consuming for that.

I rate Cisco NGIPS an eight out of ten.

We are integrators. We work on integrated systems.

Our clients use this solution to know what is happening in the network and to analyze it. 

Trend Micro is a good solution and our clients are happy with it.

I like the sales operations testing and support.

The ecosystem is good, it's the best. It's also simple to manage.

I would like to see integration with third-party tools to improve the visibility of the dashboards.

I have been working with Trend Micro Deep Discovery Inspector for two years.

The stability is good. We have not experienced any issues.

Scalability with Trend Micro Deep Discovery Inspector is very good. We are satisfied with the scalability.

We do not have users in our company, we use the systems with our clients.

The technical people are good.

We don't have any issues with technical support. 

Local technicians and global support are very good.

We also use one other solution.

The initial setup can be simple, and at times it can be complex when changing the solution.

It is less than a week to deploy Trend Micro, but it can change per the solution type. 

For some solutions, it can take a week, and for others solutions with complex projects, it can take a month. 

Depending on the client's requirement, it can be cheap and at times, more expensive.

Overall, the price is good.

For others who are interested in using this solution, I would recommend it.

I like working with this solution. I would rate Trend Micro Deep Discovery Inspector a nine out of ten.