If you were talking to someone whose organization is considering Awake Security Platform, what would you say?
How would you rate it and why? Any other tips or advice?
One thing to be aware of, for someone else using Awake, is to be ready, at the beginning, to clearly define what is expected network activity and what is not. That helps both teams. For us, it has been an interesting challenge because our network is quite complex. In the life sciences, we have pretty varied environments for physical manufacturing, R&D, and SGNA. It spans the whole gamut. What helps in that environment is being very clear, up front, about documenting and giving context to the Awake MNDR team about which devices are domain controllers and the kinds of traffic they should expect from them; which subnets are segmented off in different ways so that they should not expect certain kinds of traffic from them. Include what kinds of applications you have at the company, applications that are approved or behaviors that are approved, so that they know to tune their models to not alert on that. Getting a better picture, if possible, ahead of time, so that you don't have to refine that over time with the Awake team, is something that would help. That's not a criticism of Awake. It's more just a lesson learned. In terms of the solution's false positive rate, we're still working through it. We don't look at the console too much ourselves these days unless we need to run a particular query to answer a question. Normally, we just rely on the MNDR team to surface anything that needs escalation to us. In some ways we're still in an onboarding period. The MNDR team will raise some sort of alert, and some of them definitely warrant further investigation, which has been really helpful. That's helped us identify certain risky behaviors that users are engaging in, and remediate them. At other times, we continue to refine our SOP with them. They'll alert us of something suspicious and we'll say, "Oh, that's okay. We allow large uploads to Box." They're usually pretty good about just saying, "Yeah, we'll put that in as an exception." 
When it comes to the solution moving away from traditional alerts and focusing our team on the entities that pose the highest risk, we haven't really seen that as much, ourselves, because we've been pretty hands-off and leaving it to the MNDR team to monitor the appliance. We looked at the appliance during the PoC process and have looked at it ourselves occasionally. But one of the things that's tricky about our deployment is that we also have it monitoring our guest network, where we do see a lot of high-risk devices that are clearly going into bad domains but, at the same time, it's our guest network so it's not something we actively police. The combination of Awake's technology and human expertise within the MNDR service has been really good. We're pretty happy with Awake. It helps us sleep better at night because we know that there's another team out there helping to watch activities on our network. Awake is a great solution to get started with, for getting that initial network visibility, especially with the MNDR team. It also seems like a great medium-maturity solution where you could have an enterprise that wants to roll off of the MNDR team and have more of an internal capability and an internal team monitoring and utilizing Awake. That would work too. That's where we're thinking we might go, eventually. I'd give it an eight out of 10 overall. It provides a lot of value. There are a couple of rough edges that they're still working on and that we'd like to see improved, but it's definitely very useful to have in the toolbox.
The solution is very good and the pricing is also better than others, but each organization has to have other security parts and pieces in place. This is not a silver bullet. It's not one thing that can solve all issues or cover all security, but it's a very valuable and needed addition to our security portfolio. Anybody who feels that they don't have complete visibility into their network should give Awake Security a try, do a proof of concept with them, and see what results you get. It's a good product and I'm pretty sure it will give you what you are looking for. But do that PoC first, because everyone's environment or needs could be different. The Ava feature for delivering autonomous triage is there and we can use it, but that is not what we do. The reason we got the appliance with the monitoring service is that we don't have enough staff to dedicate, full-time, to the system. So instead we gave their MNDR group the responsibility for monitoring and we just act on their information, and either remedy or reconfigure the network or whatever is needed on our end. As for lessons learned from using the solution, we wanted to see if everything that we implemented is actually in compliance and working as we expected. We learned that a few things needed adjustments, needed corrections. Now we are not just compliant on paper but we actually have controls that are functioning. Perhaps, because of that, we haven't had any incidents for months now. I would give a 10 out of 10 to the service. The team that monitors our system is very approachable, competent, friendly, and they provide resolutions if there is anything we need. The appliance is also very good. I would give it a nine because, as I said, there is still room for improvement. It's nothing major, nothing dysfunctional, but there's room for improvement. I give the appliance a nine, which is very high, because it is very stable, very easy to implement, not expensive, and has a good user interface. 
It fits pretty well on all the fronts that you want an appliance to fit. I don't have any complaints.
Every environment is different and you have to start with knowing what your goals are and what your environment looks like, to really find the right product for you. What integrations do you have? A big challenge is how your remote workforce changes the way you think about your environment. How does your cloud adoption strategy affect things? Awake is an on-premise, network-based solution. For us, that makes a lot of sense. We only have one site where all of our users go. If you're totally remote, now, with COVID, and you're mostly a cloud/SaaS-based shop, it may not be the right fit for you. You want to think about how you can accomplish the goals that are particular to your environment. Finding a product that allows you to continue to improve, to get you that insight about your network and how it's changing over time or how people are using it, is important. A network is a living, breathing thing. Having a solution that can also help give you insight into how it's changing or whether it's architected appropriately, or give you insight into where you have gaps or lack of visibility is important. It's all about improving every day. That's one of the things that the Awake team has brought us. My dream is to have a student-led security operations center in-house. We're not there yet, obviously, with COVID. We don't have as many people in-person and on campus. But to be able to sit a student down who is just getting their feet wet in security or technology, and to help them hit the ground running, as an entry-level analyst, that's really the dream. I would like to make them more productive and able to get insights into the network faster. We're not there yet, but Awake really gives us a head-start with that. Awake gives us more information, which increases our analysts' workloads, but it also streamlines the process. It's addressing a gap in our visibility.
The Awake Security team does a good job with communication. With the encrypted traffic, you can't see inside the packet. Encrypted traffic was not a hindrance, since most traffic nowadays is encrypted. The Awake Security team does a good job of determining what's wrong, even though they don't have the full view of the content inside the packet. Awake Security gets a solid nine (out of 10) based on our experience. That's based on their technology, professionalism, and communication. It was their MNDR service that set them apart when we were looking at other technologies.
The piece that people should be considering is how much storage they want for data in the platform and how long they need to retain data for. It's not sitting in the middle of network traffic, but for incidents that come up or alerts that are generated, it will store PCAP information for those alerts. You want to make sure that you have enough storage of information around those alerts so that you can go back, whether it be six days, a week, a month, whatever you want your retention period to be. That's something you should think about when you're putting this into place. Also consider if the data is going to be piped off somewhere else and stored, or if it is going to be stored locally on the box, because that's one of those things you can do either way. People should be thinking about it going in because it can generate a lot of data if you want it to. I would rate Awake Security a nine out of 10. As soon as the API gets a bit more mature, I think they're on track to be a 10.
We have not used the functionality for cloud TAPs. I would rate this solution as a nine (out of 10).
Understand where your network points are and where you are best served to position sensors. The tool won't work unless it's positioned effectively in your network. Rely upon Awake staff's expertise. They have collective information cybersecurity experience in the hundreds of years, so just listen to them in terms of their guidance and where to position your sensors. Understand your traffic flow before moving forward with the solution, making sure that it's right for you. For instance, understand that if you have several satellite offices, you may be challenged and need to purchase several devices or appliances. In our case, this was a non-issue because I backhaul all of my traffic to one centralized point. I am impressed with the product. It is a solid, powerful tool. It's a truly unique plug-and-play appliance and solution. I'd give it a 10 (out of 10). If I could give it more than a 10, I would. It is really an outstanding product. We have had a few false positives, two or three. I was looking at one this morning. However, that was a fault of ours because the IP address on the endpoint wasn't in a reserved mode, so the name of the machine changed. Here is where the ML capabilities shine. The IP address changed, thus a new machine name was apparent to the ML engine. Then, the ML engine looked at both the IP and machine name, and said, "I don't know. It's still the same IP, but it's doing lateral movement now." It turns out that IP was reallocated to a machine in our development side for our DevSecOps, where that type of behavior is totally normal. However, the ML in the tool spiked that out immediately. The biggest lesson that I've learned is not to assume that your common point solutions, even though you're aggregating them all, will point out all the potential nefarious activities behind your firewall or attempted attacks outside your firewall. You are not going to see everything.
You really need to empower the machine learning and AI capabilities of one of these tools in order to see the typical advanced persistent threats (APTs) or those low, slow threats on your network. For example, the anomaly that pops up for five minutes every month because it's using a domain generation algorithm is really where this tool shines. It looks for that needle in a haystack and that anomalous behavior that you're not necessarily going to pick out using a SIEM tool. I don't care how good the SIEM tool is, you need a dedicated product to effectively understand that east-west traffic and ascertain whether or not it is hostile.
My advice would be to put it up against any of its competitors. Look at the salient data points. So your machine-learning is telling you that something is unusual. Great. Why? And if you don't have an answer for that then I would suggest you look at Awake. Because Awake gets to the "why." In terms of maintenance of the solution, I've got five people now, but they don't just do this. I have one person who does security training and awareness. I have one person who does threat hunting, who is the primary user of the technology. I've got a cyber-threat intel person, and I've also got a person to monitor operational technology. Regarding Awake's false-positive rate compared to other solutions, it's not really a SIEM. It's more of a hunting tool. It tells me something that is notable, but there will be some false positives because I don't think any amount of AI or ML is going to be able to know everything about your environment. That's just an impossibility. But it gets about as close to an actual person as you can get. Really what Awake is trying to be is a network architect or engineer, a person. It's trying to be someone who knows the topology, the exact architecture, what devices are doing what, what ports, which protocols, etc. That's really what Awake is. It's a robotic network engineer. Compared to its competitors I'd rate it a ten out of ten. I don't think there's anything out there that's doing what it's doing.
Make sure that you have a strong networking team in place before you buy the product, because otherwise you may have issues with the TAP aggregation. The product itself will go in quickly and easily. We don't have the solution's encrypted traffic analysis in place because we aren't doing the decryption at the edge. But it does allow us to see the size of data, and allows us to detect external exfiltration pretty easily. As for the false-positive rate, I haven't done the math. It's decently high because our network situation is a bit weird. But it would be about the same on any other solution. We have one person, our Security Engineer, servicing it and maintaining it on our side. Awake maintains it on their side as well. In our environment, we have between 2,500 and 3,000 people, usually. I would rate it at about eight out of ten. It's a matter of scale. For me, ten means it pretty much mitigates all risks for you. So it would be next to impossible to get a ten, from my perspective.
My advice would certainly be to do a PoC to make sure it works in your environment. The way your network is configured is going to have a big impact on whether this tool works for you. If you can't get your traffic to go through a single or a reasonable number of exit points to the internet, it may not be a complete solution for you. When I was working at that larger company, I probably would have used this in our engineering lab environment because those guys were like the "Wild West" and deployed whatever they wanted whenever they wanted, and that was usually my biggest concern. I probably would have deployed something like this because it would have given me the visibility into what I couldn't see at the firewall level. I would need to see at a router level and needed something that could make sense of it for me. I think Awake would have done it very quickly without much effort. It's my main tool for network security right now. I'm using it very extensively. We're trying to reconfigure, because we're a startup and I don't want to buy another system, to get as much as we can out of this current system, but I would plan to use this as we grow as a company. If we were to grow globally, I could see us using Awake as our primary threat intelligence for lateral movement particularly, in our environment. In terms of cloud infrastructure and Awake seeing that activity, it only sees it on-prem because that's the way we have it deployed. Any connection to a cloud, like AWS, we will see that. We should be able to see which activities' connections are occurring. If it's encrypting from the browser to the cloud, we may see that activity but I don't know if we can pull out the content unless we break encryption before it gets to that device. There are certain cloud connections that make sense in our environment and others that don't. We don't use AWS, so any AWS going outbound would be something of concern.
I'd go to that device or that individual to see what they're making those connections for. I don't know how to count how many false positives I get. Usually, I'm looking at concerning activity and it's up to me to determine if it is expected or not expected. Generally, it is exactly what I want to see because it's at the device level that I want to know if the activity is expected or not. Generally, it ends up being expected. It's hard to give it a false-positive rating because I would guess about half of them are things I expect to see. But as a system goes, it's almost 100 percent accurate in calling those events out. It hasn't called out events where I would say, "Oh, it didn't need to call that out because that activity shouldn't have been flagged." It doesn't know what I know about what's normal, so there's still a little bit of knowing what's normal in your environment. That's the onus of the person running the environment. I can tell Awake that something is normal and not to look at that again, so there is that tuning aspect that has to happen. I typically don't tune it out because I want to see any new traffic patterns. If it's a regular backup that's about the only time I will say, "Don't ever worry about it coming from this device because I expect that to happen on a regular basis." The false-positive resolution with Awake Security is so much faster that it doesn't have as big an impact as it would have on another solution. If you gave me a false positive with a SIEM, I would have to invest four hours to find out that it was a false positive. If you give me a false positive on Awake, I have to spend five to ten minutes to figure it out. That's because the data is right there. It's populating for me and it's easy to search. It's almost not a fair marker to look at a false-positive rate because the resolution time for the false positive is so much shorter. Overall, I would rate this solution at ten out of ten.