Arista NDR Reviews

Awake has made us more productive. We're spending less time looking at false positives, so we can focus on what's truly important. It hasn't affected the morale of our analysts because we use a third-party SOC. 

When I look at the central dashboards, I can see what adversarial models were matched within the day, and when I click on that day, I can see what models and device names got triggered within my homepage. If I want to dive further into that model, I can click on that, and it tells me what the threats were as well as a lot more information on the endpoint or the asset. Then, if I want to see even more information, such as the actual activities, it's three clicks, and I'm on the activities themselves. I can pull a PCAP and investigate it. Regarding responsiveness and how quickly I get the answer, it's much faster than what I used to have.

It's hard to quantify, but it would have taken me 10 minutes to figure it out in my previous solution because I'm on the platform every day. Awake is easier and more intuitive. You see the day, the triggered models, and the asset. Then you click on the asset and activities. They're right there. I get the source, destination, and details, then download my PCAP, and I'm done.

Awake also tracks unmanaged devices. We have a guest WiFi, so if someone logs in to that, it's an unmanaged device. If they log in and try to do something bad, Awake will flag it and tell me. It's important even though we don't have as many people coming in and using the guest WiFi due to COVID, but we need to know if a guest user is doing something malicious.

It's much easier to create your own queries and hunt for threats. Darktrace's language is more challenging, and it's almost like you have to learn Darktrace's methodology to decipher it. When I create a workbench query in Awake to do threat hunting, it's much easier to query. You get a dictionary popup immediately when you try to type a new query. It says, "You want to search for a device?" Then you type in "D-E," and it gives you a list of commands, like device, data set behavior, etc. That gives you the ability to build your own query. Gathering PCAPs is also quite practical and more straightforward— tweaking the adversarial models, too. With Darktrace, it was tough to do. If you go to another serial model and want to clone it, then edit it and disable the old one, you can do it easily.

We have Palo Altos to decrypt traffic. I have all traffic going in and out via Awake, which can decrypt the traffic. However, Awake doesn't need to decrypt because it can analyze encrypted traffic to get a sense of what it might be. What I find helpful is that Awake can tell me when encrypted files might contain passwords. There is an adversarial model for that, which is great when someone tells me that there are two files with passwords, but the Awake and DR team already has an open ticket for this. They look for files that have "passwords" in the filename. 

That allows me to reach out to the user and tell him that I noticed a file containing passwords, and it's not password-protected. When they password-protect the file, the Awake team still highlights that as a risk but then write to them and say a password now protects the password file, and even though it is a password file, it is encrypted. So if you try to open it, you have to decrypt it with a password. Then we tweak the model to prevent that model from being triggered for that specific filename.

We have a team of one, me, so we also use their managed services. They monitor things for us and report on any issues. Personally, I haven't had to go into it very much. As they monitor, they will alert me to any issues that they detect through the automated tools and their agents. Once they have an issue, I will look it up and verify the issue and then respond to them on validity; whether it's a known issue or not.

We are only utilizing it for incoming and outgoing traffic for our production systems, our development systems, and our on-prem network. As most of our employees are remote, we don't utilize it for their traffic or for any IoT devices. It's mainly for traffic related to our SaaS platform.

My involvement has been responding to the alerts that they send me, which has been perfect for me. I don't have the manpower to manually monitor all the time, and that is what our goal was with them.

The biggest advantage we have from using Awake is a more complete and comprehensive security posture. Previous to this, we didn't have any way to monitor traffic, as doing so wasn't really required. It's now something that we want to implement. Given that I'm the lone person on the team, I'm covering everything. I don't have the time and resources to dedicate to just network management and the traffic. It helps us, as part of our security posture, to manage and monitor and address these aspects.

Awake definitely helps me focus on the highest risk alerts. There isn't a lot of noise or garbage, at this point, in the information. It really helps me focus on the real issues.

In addition, our on-prem stuff is all encrypted. We can't, of course, see the contents, but it's been enough to determine the source location. A lot of the header traffic has been enough to usually determine, by correlating with other tools that I use internally, if there is an attack. It's sufficient for what we need to do.

It uncovers threats that rely on compromised credentials or supply-chain compromises, rather than focusing just on malware threats. We've had several instances where someone was trying to hit our production traffic using made-up credentials. Awake alerted us to one such incident this morning, that someone was trying to use those types of credentials to get in. Of course, they were bogus and unsuccessful, but they're able to recognize that type of attack.

The solution also tracks both managed and unmanaged devices, because it's pulling all traffic, regardless of its source or destination. It helps because we can, at least for our on-prem location, see which devices are attached and if there are any devices that we were unaware of, or that employees brought in. It's quite helpful in that regard.

That tracking of both managed and unmanaged devices helps detect a broad range of threats and it gives us the context we need to respond. The list of devices that we have on our on-prem network is fairly small, so it's quite obvious when new devices are attached. We haven't had this happen yet, luckily, but if it did, we'd be able to recognize it and see, not only that they showed up, but where the traffic is being sent to from these devices. That would enable us to address it. We can work with Awake on response management and mitigation of that device as well, thanks to the managed services.

In addition, when it comes to productivity, because I have not had to focus on this as much, I have definitely been more productive. I can focus on other security areas and I trust that their solution and their services are managing and catching any issues that arise for us. It has been a huge help.

Awake’s technology, artificial intelligence, and human expertise within the MNDR service have really increased our security abilities. Our security posture is more comprehensive. We can cover more attack vectors coming into our company and our platform because Awake is covering a large amount of that for us. We don't have to dedicate time to it, due to their managed services and their AI engine helping them detect and identify attacks. It's been a great help. We can use our time, which is a limited resource in our company, much more effectively.

It has also helped speed up response times, overall. When they have notified us about issues, I haven't had to go in and hunt down the log information, look at IPs, what it's hitting, et cetera. Their managed services provide me with a lot of that detail. I can use that detail to go into the tool and look at exactly what they're looking at using a query. I can recognize whether I need to investigate it further or, if I know what it is, respond to them. From the instances they have sent me, it takes me about 10 minutes, per instance, to figure things out and respond to them, whereas normally it would take me one to two hours to hunt down all the information.

Awake Security was brought onboard to provide governance over the incident response process, which is a managed service. Challenges were identified, such as, no visibility and no network awareness of what's going on in the environment. Once the network visibility was solved, the decision to look at AI related tools was initiated. 

We will be using its features for compliance as well as threat detection, looking to partner with Awake Security to achieve these goals. Placing their solution in an enterprise financial vertical may allow thinking outside the box, providing additional value in the compliance space.

Right now, they are an on-prem visibility solution. However, we are a cloud-first company.  Awake Security provides the ability to pivot to the cloud and look at what's going on there.

Two compliance use cases: First, we have a new subnet within one of our CSPs, Awake Security will alert when an activity is observed. Second, a new virtual machine has been provisioned and the local endpoint protection is not phoning home. With the correct structured language in place, we will know if the new device has not been seen on the network for longer than five minutes and has not communicated with the update server.

Open communication with the MNDR service has driven down the number of false positives. The current average is five events a week, where four are actionable.

The direction we are heading is moving away from traditional alerts and focusing on entities that pose the highest risk to our environment. With the behind the scenes tuning, this lends to a clearer understanding of what this device does. Awake Security is constantly asking,  "What is the purpose of a device in the environment?" and, "I'll update the LSOP, and we'll get this tuned."

We appreciate the value of the AML (structured query language). We receive security intel feeds for a specific type of malware or ransomware. AML queries looking for the activity is applied in almost real-time. Ultimately, this determines if the activity was not observed on the network.

I'm primarily using it for viewing lateral movement within my network of suspicious activities. It's my internal monitoring of behaviors of endpoints inside my network, going outbound.

The way their algorithm works, they have a threat model that brings up the most concerning activities, pretty much like an analyst who is very knowledgeable. On a tier level, a Tier 4 analyst would recognize the suspicious activity. Their algorithm takes somebody who is a Tier 1 or Tier 2 and gives them that clarity at a glance. Their knowledge is pretty top-notch. I also have the added feature of having an analyst that I work with at Awake to help me interpret some of the risk, which is a top-level-analyst type of assistance.

The biggest thing it has saved me is having to bring on a high-level analyst. We're a startup company so money is very tight. I would have had to hire a Tier 3 or 4 analyst to look at our daily traffic. When we deployed this system I could put off making that hire because we're still growing the system. Now, someone like me, who doesn't have a lot of time, can take a quick glance at what's going on in my environment and know whether I need to take action or not, pretty quickly. It's saving me money, saving me time, and gives me a level of comfort that I have visibility within our network which I don't think I could get very easily any other way.

Awake Security helps me monitor devices used on my network by insiders, contractors, partners, and suppliers. We have vendors coming in all the time, we partner with people who use our WiFi access, the internet from within our environment. I have a few people who come in on my guest network and I don't know who they are, but if an incident happens I can quickly identify the systems that are concerned. A lot of times people bring systems in that aren't under my control or introduce threats in my environment which I can attribute to a visitor log right away. We have BYOD in our environment too, and I don't have control over those devices. Given that people are bringing those devices into my network, I feel a lot more comfortable that, if I get a trigger on Awake, I can quickly identify that device as belonging to one of our employees because I've seen it over a long period of time; or I can identify if it's a new device which could be a visitor or the like. I get a lot more clarity on lateral movement in my environment than I think I could any other way.

I was on a call with them looking for any encrypted traffic going on in my environment. They can spot it pretty quickly. Making sure I'm looking at encrypted traffic going outbound helps me stay in compliance

Finally, it provides me with better situational awareness. It's 1,000 times better. I spent two years in a bigger company and I never felt like I had good visibility into lateral movement. I know what it takes to get that level of visibility and this system does it almost instantaneously.

One of the interesting things that made us lean towards going with Awake was that it fulfilled a couple of use cases. One was the core NDR functionality. We wanted it to be able to monitor our network traffic and alert us on security-relevant events. 

Another request we had was that because our security team was pretty resource-constrained, we wanted a solution that could provide an in-house managed service for monitoring it, as a partner. Awake was able to  provide that, with their MNDR team. and that was something that we found pretty valuable.

Awake's MNDR has affected our overall security posture very positively. Having a team that is able to monitor our network activity has been a huge help.

The solution uncovers the entire attack surface for the environments we're using it in. That is one of the important reasons we brought in Awake, and in general, network monitoring. We wanted to be able to have that visibility at the base layer, at the network layer, into things that may not be covered by other monitoring tools. For example, EDR won't cover shadow IT and systems that simply don't have endpoint protection installed. Awake will at least help us be aware of those and monitor suspicious activity at the network level.

Overall it has improved our InfoSec operations in that it frees up our security engineers from having to triage every little thing that might show up on the network and, instead, rely on Awake—the combination of their technology and the people on their MNDR team—to help offload that work from us.

It tracks both managed and unmanaged devices, the way we have it set up. And that is definitely of value to us because otherwise we wouldn't have a lot of visibility into the unmanaged devices. Awake has helped us identify things like personal devices that were improperly and inappropriately connected to our corporate network. It has helped us to identify devices in the R&D environment that weren't managed. Maybe they were some legacy system that's been sitting around for a while, or an R&D engineer hooked up some custom Linux device to the network. Awake has helped us be aware of those kinds of things. We feel better that Awake is monitoring those kinds of unmanaged devices. We wouldn't have as much visibility into the activity if we didn't have Awake.

In terms of productivity, it wasn't that we had an existing team monitoring the network and that we ended up with a more effective or productive workflow after onboarding Awake. More importantly, we simply didn't have much network visibility before Awake. It speeds up response times but, more importantly, we are now able to respond to things that we simply weren't seeing before.

We use Awake Security to monitor internal networks. We monitor the lateral movement of traffic across sensitive networks.

The most valuable aspect for us is that we have a small team, so when we bring in new security solutions, it's really important that they're tuned well because there are only so many alerts that we're going to be able to deal with. If we put something in place that creates a massive amount of alerts, we're just not going to have the resources necessary to respond to all those. Putting something into place that can look at really sensitive internal networks and do it in a way that doesn't cause us to have to hire a number of additional resources to support that is really important. 

A lot of security teams underestimate the resourcing needed when you put new platforms in just to maintain, care, feed, and respond to the alerts that come from a new system. With Awake, it's very self-sufficient. The tool does a lot of the work and they even have managed services on top, if you need additional resourcing to help you deal with the alerts or configure the system more, that comes as part of the solution. You really put yourself in a situation where you're going to be successful quickly without having to scale your team.

It helps us stay in compliance with government regulations. As more privacy regulations come into effect, we definitely want to make sure that we're meeting privacy regulations both today and have the flexibility that if a new regulation comes out in the near future, we still have something in place that can keep us in compliance and we don't have to change our security architecture. Awake gives us the ability to detect and respond to security incidents while still protecting the privacy of that data.

We use Awake Security to identify and assess IoT solutions. All these technologies need to work on all types of devices, including early-stage and proprietary versions of prototypes of phones and tablets, and at the early stage, versions of new operating systems that come out on those devices. Obviously, those are situations where we wouldn't be able to have a standard security agent running in those environments, but we definitely want to understand if those devices are communicating outwardly to the types of things on the internet that you'd expect them to, or if there are any connections going back and forth to the internet that would be out of the norm for machines that have very strict testing scenarios around them, so it's very easy to understand.

We want to make sure that those devices are only communicating with a pretty strict set of use cases. Being able to understand the traffic coming to and from those devices is really important and using a network tool is really the only way to go.

Cloud TAP's for visibility into cloud infrastructure is something that all security teams need to be looking into. I think a lot of people have jumped to the cloud and realize that they don't have firewalls anymore. People tend to rely on security groups and access controls. As a result, security teams often lose visibility of the network traffic on the cloud that they may have had on-prem. It's not apples for apples. If you don't necessarily have the same security toolset, you can lose visibility. Having something like Awake on the cloud is definitely something people should start thinking about to be able to obtain that visibility.

Our use cases are vast and varied. Quite simply, we looked at tools that would look at network detection and responses out-of-the-box. Looking at Awake, there are hundreds of security use cases built into the system itself. I typically utilize the tool across the enterprise looking to detect those hard to find threats 

I am looking at:

• Indicators of compromise for ransomware
• Possible command and controls
• Privacy
  
• Clear text passwords
• Persistence
• Data ex-filtration and compliance for GDPR
• Various, very hard to detect models of data ex filtration, such as data ex-filtration via  e.g DNS or ICMP
• Bad domains and traffic to bad domains
• The list goes on and on.

I have over a hundred use cases turned on running in the background and looking at the following (for example):

• Defense evasion, use of proxies in order to hide data ex-filtration.
• Rogue hardware, identifying new devices on my network, whether they be wireless, wireless handheld devices, smartphones, laptops, etc.
• Brute force attempts against passwords.
• Password spraying attempts.

It is deployed inline into an appliance on-prem and leveraging a network SPAN port.

We are using the latest version.

It is all about visibility. From an information security standpoint, the capability for the team to be able to single out devices to respond quickly and intelligently, to say for example, "It is this laptop (or endpoint) from this person in finance. I know exactly what it's doing, what's wrong, and I know how to fix it." So, they're empowered walking up to that department or individual. The face of information security used to be, "Oh, the security guys are on that floor." Now, there's a different take. "These guys know what they are doing and are here to help me. I have an issue, and they solved it very quickly." It's making overall security less painful for our folks, which translates into secure adoption of security policies, standards, and awareness. That's another intangible.

Sometimes, the harder part is not interjecting and removing a node, but understanding what it was doing so we have a higher assurance of what type of data may or may not have been exfiltrated because that may trigger reporting laws, etc. 

We operate globally, so we have to adhere to the principles of GDPR, and also in Canada, PIPEDA. We have a regulatory/legal obligation to report if there is a data exfiltration. Understanding the nature of the data (what these devices are connecting to), if there is an exfiltration, goes a long way to shaving the time off my staff has to spend running these issues down. For example, one incident could potentially in gray dollars cost thousands of dollars. If, at the end of that investigation, we find out days later that we potentially would have had a reporting obligation, this makes it very difficult. Now, we would have to dive deeper and find out what that data was before we can report to the regulatory bodies, and in particular, our data protection authority for GDPR.

It also allows me to prioritize my staff. So, there are a lot of intangible dollar savings there. Rather than having a group of folks running around attempting to focus on preventative measures, we are focusing on the situations at hand ensuring that we have a grasp of what's going on in our network.

This solution’s encrypted traffic analysis helps us stay in compliance with government regulations. It is all about understanding data exfiltration, what is ingressing and egressing in our network. One common attack vector is exfiltrating data using encryption. My capabilities to see potential data exfiltration over encrypted traffic is second to none now. 

It is all about being able to say with confidence to the executives, the senior leadership team at the board level, that by putting this tool in place we have visibility into east-west lateral movement and traffic in the north-south. We also have a high degree of confidence that we are maintaining our security posture.

It doesn't matter where in my network, including wireless networks, I have it all feeding into the same mirrored port. I can see the traffic from any device which is plugged into the network at any time. The Awake ML will identify it. Then, on the dashboard, it will show me every morning any net new devices, how many devices are active, and how many devices may be impacted by a potential threat. I can see instantly any suspect domains that those devices are trying to connect into and what domains are unique. It also shows me net new domains every day at a glance. It then categorizes all of that information using its ML capability into an easy to use interface: high, medium and low. If need be, it will allow me to pivot on that device specifically, looking at it graphically. I can use that to understand what that device is connecting to, and in the same view, understand what type of data is moving back and forth.

We have a certain amount of IoT here, but not a lot. We have things behind our firewall that are definitely IoT which made me nervous, but I'm a lot more comfortable now. E.g., we are a very large software as a service company based mid-market. We have somewhat of a startup culture, so we have food vending type services that exist behind our firewall, albeit segmented. These are Internet of things, such as an automated machine that cooks food that is constantly reporting back to the vendor. We have several different other examples of IoT within our shop, and it allows me to see that traffic as well.

The tool generates automated alarms to correlate any network activity that we see with some of that more deep packet inspection which Awake provides.

There is currently not a lot of IoT in our environment.

From a compliance standpoint, we were able to easily identify some security weaknesses built into our systems from an architectural standpoint. We were able to quickly remediate these, e.g., some places encryption was lacking or places where passwords were stored.

This solution help us monitor devices used on our network by insiders, contractors, partners, or suppliers. Its correlation and identification of specific endpoints is very good, especially since we have a large, virtualized environment. It discerns this fairly well. Some of the issues that we have had with other tools is we sometimes are not able to tell the difference between users on some of those virtualized instances. This solution doesn't seem to have an issue because enough data is collected that we can easily tell which users are responsible for the traffic on which systems.

I haven't seen any really false positives from Awake. Everything that I have seen that hasn't been actionable has been either low level stuff or part of the learning that Awake is doing in our environment. These have been some legitimate processes or functions that look bad but are normal in the environment. Therefore, false positives are pretty low in Awake.