For us, Awake provides the insights into our network traffic.
It's something of a hybrid. We have on-premise collectors and there's a lot of storage involved, so we keep that on-premise, and then we have a cloud dashboard.
We are able to see lateral movement between networks, which is really important. Having packet captures stored for a period of time helps us with forensic investigations. If we learn something after the fact, we can go back and see what went on at what time and correlate different events.
I'm a big proponent of Zero Trust and one of the core tenets of Zero Trust is that you log everything. That gives us the ability to have greater insight into our network and what's going on. The goal is to shift us from being reactive, always responding after something went wrong, to being proactive. We've been collecting logs from servers for years, but the missing piece was always the ability to collect network traffic as well.
We find so much value in the threat-hunting service. We didn't have to increase the size of our team and get value out of the product. The product itself is good and valuable, but having to train and retain the talented threat-hunting folks that we'd have to have to go through it would be a real barrier. Having that as a service is really important.
We have TAPs in our network, and they see all traffic, whether it's a managed device or it's a student going to Netflix. We obviously filter out a lot of the traffic that's not relevant to a security appliance. It's one of the key values for a university environment. We've got just as many, if not more, unmanaged devices on our network than we do managed devices. When I think about lateral movement, where folks are talking and whether folks are talking to machines they shouldn't be talking to, the ability to track both managed and unmanaged devices really helps in giving us peace of mind that we're in good shape.
That tracking of managed and unmanaged devices provides really good context. Even if the device is unmanaged, we still have some insight into who they were, what they were doing, what services they accessed. Generally speaking, we can correlate and figure out that it was, for example, a particular student doing something. In a corporate environment, they would likely have a lot fewer unmanaged devices, but it really provides that insight into who people are and where they are going.
The solution also presents us with "Situations" rather than individual events. It does a type of roll-up of what activity happened. In some cases, the activity could be ongoing and you see new events or data populating in real-time, which is really helpful. It's transformed our process in the sense that it really provides visibility into an area we didn't have visibility into before. And it fits really well into our ecosystem. We've got another managed service provider that provides us with a security operations center. It fits really well into the ecosystem.
Awake Security has also decreased the time it takes to discover things, although we don't have it configured to do any automatic orchestration or remediation on its own.
The most valuable portion is that they offer a threat-hunting service. Using their platform, and all of the data that they're collecting, they actually help us be proactive by having really expert folks that have insight, not just into our accounts, but into other accounts as well. They can be proactive and say, "Well, we saw this incident at some other customer. We ran that same kind of analysis for you and we didn't see that type of activity in your network." If there's a major vulnerability or breach or something that makes the news, they give us that peace of mind by saying, "Yes, for sure, we saw it," or "No, for sure, we didn't see it."
Awake moves away from traditional alerts and instead focuses our team on the entities that pose the highest risks to our environment. We have other tools in our environment that help us monitor for specific kinds of attacks or executive-level accounts with UEBA or other technologies. What this solution gives us is that insight into the network to see, when we've done a packet capture, that this is just an email to a family member and not a malicious activity like we would have assumed if we got that alert from some other monitoring system. It provides that extra level of insight that we'd otherwise be missing.
In addition, the EntityIQ, its AI-based Security Knowledge Graph, was one of the big features that drew us to the product. With the competitors that we looked at, it was very difficult to find out who someone was. We would have to go to other systems to correlate and say, "Okay, well, this was a user and they had access to these machines, but someone else logged on to this machine at a certain time." The value of EntityIQ is huge. It reduces the amount of investigation time, and it helps us correlate events faster and be more responsive. A lot of vendors have tried to do something like that, and it seems like Awake has gotten it right.
While we don't do decryptions, it's still valuable to have insight into the metadata to know where people were going if they match against threat-list IP addresses. It's also valuable just to know the size or length of certain sessions. It's very different if it was just one packet versus hours-long, data-exfiltration-type activity where we can see a lot of data was downloaded. We're also very concerned about privacy, being at a university. So being able to provide some level of insight, even with an encryption, is really important.
When I looked at the competitors, such as Darktrace, they all have prettier interfaces. If Awake could make it a little more user-friendly, that would go a long way.
We started a proof of concept of Awake Security Platform about this time last year, so we've been using it for just about a year.
It's never gone down, so that's pretty stable.
Because there's so much storage required to do as much packet capture as we'd like, it does take up a lot of rack space. Scaling requires additional hardware. It's not necessarily scalable but our network also doesn't grow that quickly from year to year.
As a university, we're in an unusual situation. We're like an ISP. We've got 15,000 people who could come to campus any day. We've got outdoor wireless and indoor wireless coverage that cover about a square mile. We've got a high-performance research computing cluster. We do lots of research. We're also a small-to-medium enterprise. We also have several stadiums for different kinds of events. We have a health center as well. It's a very unique environment and there's a lot of complexity as a result.
Their technical support has been pretty good. We haven't had many issues and they're very proactive. That's what we were looking for.
For example, they found an undisclosed Zero-day vulnerability on some consumer software and they were able to identify that in our environment. They provided enough information to help us address it but they also gave us a heads-up before the Zero-day was announced, which I thought was awesome.
We used similar solutions in the past. We switched to Awake Security because they were able to offer a model that was significantly less expensive and the value that we get out of it is higher.
One of the challenges that we've seen in this space, with different providers, was whether they were able to detect an incident if we had one. Some detected what others didn't, and vice versa. But we have had experience with other providers that weren't able to detect incidents. We haven't come across that yet with Awake. That's a good thing, but you don't know what you don't know, and that's always the challenge in security.
The initial setup was pretty straightforward. We were up and running fairly quickly. We knew how to do SPAN and TAP ports and I liked their integration with Arista which provides TAPs. That makes it an all-in-one solution now.
Our proof of concept took a couple of months and I liked the way they worked with us. We do a lot of due diligence before we make a purchase. They were very flexible and worked through lots of scenarios with us before we actually made the purchase. The company is very good to work with. It wasn't as though it was a challenge to set up. It was really just getting to know all the aspects of the product and feeling comfortable. There were no high-pressure sales. They were committed to helping us get the right solution for us.
It was mostly implemented as a result of the PoC. We then had to make sure that we had enough storage to store enough packet captures and to make sure it was in the right networks and was giving us the right visibility. Because of the way we've got to deploy, there is a lot of duplication in traffic between the various TAPs, so doing deduplication is a challenge sometimes.
There's definitely a learning period where you have to help them understand your environment and that's not something that you can outsource. You definitely have to have staff on the inside that knows what's important to you and what's not. What a false positive is will vary drastically between an environment like ours, which is an academic environment at a university, and a locked-down corporate environment at a financial institution. Everything they flag is interesting. Whether or not it's a false positive isn't clear until we think about who the user is that they're flagging. If it's a student doing something, that's a very different scenario from an executive doing it, for example.
Training their threat-hunting analysts is really the important part of any threat-hunting operation. They need to know how the customer's environment works and what the network looks like; not just what IP ranges are out there but what users are doing. Having all of that data in their own playbook is the secret sauce for success for any company and Awake did a good job of that. They really dug into understanding our environment and assisted us in implementation of this product from the get-go. There's always going to be a learning process for any customer, but they really helped walk us through the process.
On the admin side, the users of the solution are the five people on my team. They are all security engineers.
We looked at Darktrace, ExtraHop and there were a couple others. It really came down to value. What Awake was able to do was to provide the same service that those others were offering but at a lower price, and that lower price also included the threat-hunting. Just getting a tool such as Darktrace or ExtraHop might be great but I would have had to go train a team of people to be able to use it and to get value out of it. Whereas with Awake, I was able to get value out of it on day one.
Every environment is different and you have to start with knowing what your goals are and what your environment looks like, to really find the right product for you. What integrations do you have? A big challenge is how your remote workforce changes the way you think about your environment. How does your cloud adoption strategy affect things? Awake is an on-premise, network-based solution. For us, that makes a lot of sense. We only have one site where all of our users go. If you're totally remote, now, with COVID, and you're mostly a cloud/SaaS-based shop, it may not be the right fit for you. You want to think about how you can accomplish the goals that are particular to your environment.
Finding a product that allows you to continue to improve, to get you that insight about your network and how it's changing over time or how people are using it, is important. A network is a living, breathing thing. Having a solution that can also help give you insight into how it's changing or whether it's architected appropriately, or give you insight into where you have gaps or lack of visibility is important. It's all about improving every day. That's one of the things that the Awake team has brought us.
My dream is to have a student-led security operation center in-house. We're not there yet, obviously, with COVID. We don't have as many people in-person and on campus. But to be able to sit a student down who is just getting their feet wet in security or technology, and to help them hit the ground running, as an entry-level analyst, that's really the dream. I would like to make them more productive and able to get insights into the network faster. We're not there yet, but Awake really gives us a head-start with that.
Awake gives us more information, which increases our analysts' workloads, but it also streamlines the process. It's addressing a gap in our visibility.
The solution is a kind of Swiss Army knife. It can do a number of different things. We primarily use it for network traffic analysis and threat hunting.
We had an event where an attacker tried to steal login credentials. We were able to find the targets on the network using Awake and we were able to turn on multifactor authentication, not only for those users but for the entire enterprise. We were discovering that that was a very common attack tactic. It was a driver for change. Now, all users at this company have multifactor authentication as a result of Awake's capabilities.
For a long time I was the only person in our company doing security. We're a $30 billion company. So you can imagine how much I appreciate how much time Awake has saved me to be able to do other things. It's been an immense help.
The solution provides us with better situational awareness. In terms of network visibility, it's looking at all network traffic. Anything that's going through, it's doing that full packet capture and it's doing the analysis using the algorithms. And it's telling me what's on the network and what it's doing.
There are quite a few valuable features. The most valuable aspect of the tech is the fact that it's like a "force-multiplier." It will reduce the amount of time and effort it takes to triage a potential compromise.
That's important because, in everyday slang, time is money. If you've ever done a business-impact analysis — business continuity — if an attacker can reduce the confidentiality, integrity, or availability of a given system, it will have a financial impact. The quicker you can eliminate or mitigate the compromise, or avoid it altogether, the less money you are looking at spending to recover from a hack. If you can discover it, and detect it, and prevent it before the attack is successful, you actually have a return on investment.
The Security Knowledge Graph tries to centralize things that are notable in the environment. Awake uses a lot of AI and ML to bring to an analyst's attention things that should be of concern. It reduces the amount of searching that an analyst has to do to find notable events or devices. It collates all that and it puts it in one spot. So if you have a device that is beaconing out to a malicious IP, to download malware or the like, Awake will see that and it will alert the analyst right away, rather than the analyst trying to find it in aggregate data.
The data science capabilities of Awake Security are very strong. For a network traffic-analysis platform, it's definitely the best in industry. Vectra AI and Darktrace do similar things, but they don't leverage the math the same way that Awake does.
As for the solution’s encrypted traffic analysis, encrypted traffic is the next nut to crack in logging and monitoring. What they're trying to look for are different cipher suites that can be used to encrypt potentially malicious traffic. It's trying to do something that no one else is really doing.
The solution helps us monitor devices used on our network by insiders, contractors, partners, and suppliers. That's the "meat and potatoes" of what the technology does. If there's a device on the network, it doesn't matter who it's owned by. If it's on the network Awake will see it.
Finally, the cloud TAPs for visibility into cloud infrastructure are 100 percent necessary. I don't know how else you're going to see it.
I would like to see a bit more in terms of encrypted traffic. With the advent of programs that live off the land, a smart attacker is going to leverage encryption to execute their operation. So I would like to see improvements there, where possible. Currently, we're not going to be decrypting encrypted traffic. What other approaches could be used?
The scalability is very strong. We are going through an acquisition. Thankfully, I have staff now. But I can go out to the new site, put an appliance there, send that traffic to a hub, and from that hub I can see all three locations that we have now, in one spot.
Awake's technical support is very good. We have a good, solid relationship with them. It's pretty stellar.
We used a SIEM, through IBM. But we're actually using Awake more than we're using QRadar, our SIEM.
The initial setup was very easy. It's a web-based GUI. It's like an application. I didn't have to build anything. All of the algorithms are built into the tech itself on the back end. Once you get traffic going through a TAP or a SPAN port, you send that traffic to the appliance and the appliance does all the work for you.
The deployment took less than a week.
Our implementation strategy was to find our core switches, run the SPAN port off those switches, and send that duplicated traffic to the appliance.
We deployed with the help of an engineer from Awake. I found them to be extremely knowledgeable.
ROI is a very hard exercise in security. I believe a couple of people have tried to come up with a quantified data point to say $2 million, or $3 million; every compromise costs a company $3.47 million. It's difficult to put a financial number on it.
I can point to the fact that we haven't had a successful compromise, and that is likely as a result of Awake's technology.
I looked at Netwitness and Darktrace. Neither of them was as capable.
The primary reason we went with Awake Security was the fact that the machine-learning was working at a different level. It was working in a manner that the other two solutions weren't. Vectra AI comes close, but it's not the same.
I try to describe it as "aggregation." Other solutions will say, "Hey, this device is doing something weird." But they don't aggregate that data point with other data points. With Awake you have what's called a "fact pattern." For example, if there's a smart toaster on the third floor that is beaconing out to an IP address in North Korea, sure that's bizarre. But if that toaster was made in North Korea it's not bizarre. Taking those two data points together, and automating something using machine-learning, is something that no other solution is doing right now. The only solution doing that is Awake. It's aggregating data points.
My advice would be to put it up against any of its competitors. Look at the salient data points. So your machine-learning is telling you that something is unusual. Great. Why? And if you don't have an answer for that then I would suggest you look at Awake. Because Awake gets to the "why."
In terms of maintenance of the solution, I've got five people now, but they don't just do this. I have one person who does security training and awareness. I have one person who does threat hunting, who is the primary user of the technology. I've got a cyber-threat intel person, and I've also got a person to monitor operational technology.
Regarding Awake's false-positive rate compared to other solutions, it's not really a SIEM. It's more of a hunting tool. It tells me something that is notable, but there will be some false positives because I don't think any amount of AI or ML is going to be able to know everything about your environment. That's just an impossibility. But it gets about as close to an actual person as you can get. Really what Awake is trying to be is a network architect or engineer, a person. It's trying to be someone who knows the topology, the exact architecture, what devices are doing what, what ports, which protocols, etc. That's really what Awake is. It's a robotic network engineer.
Compared to its competitors I'd rate it a ten out of ten. I don't think there's anything out there that's doing what it's doing.
We have other network and security appliances and systems in place, but we were looking for something to give us deeper visibility into our network traffic, specifically the lateral, east-west movement. We have pretty good visibility north-south of things going through the firewall, but it was not as good internally. That's our primary use case. And we wanted to have something that would give us relevant alerts and actionable items.
We are using a combination of the Awake Security appliance and their network monitoring services. You can get just the appliance and then do the monitoring yourself, but while we use the appliance, we are not doing the threat-hunting ourselves.
Their monitoring team is really top-notch and they're easy to communicate with. They're very responsive. The combination of the appliance and the team is the biggest benefit. I'm not sure if we had only gotten the appliance that there would be as much of a benefit. We have other tools, we're not without visibility, but we have much better visibility now.
They do all the levels and tiers of monitoring and alerting. We just do incident response if it's required, or we modify or implement additional controls on the network. They tell us how it's going to impact or benefit our security. They are a partner. It's a partnership that's very functional and it's something that works for us. We could use the appliance ourselves and do the monitoring and threat-hunting, but we don't have enough staff for that. And their staff is, obviously, better qualified than if we were doing it in-house.
If there's any traffic that looks like it's a breach of policy, or something that seems like suspicious lateral movement, or unencrypted passwords, it is really beneficial to have them check it out first. But what it's really doing is more of a confirmation of our network security controls and design, confirming that they're working the way that we want them to. That's the biggest benefit.
We got a couple things out of it that we were looking for. First, it gives us something that is almost like an auditing tool for all of our network controls, to see how they are performing. This is related to compliance so that we can see how we are doing with what we have already implemented. There are things that we had implemented, but we really didn't know if they were working or not. We have that visibility now.
The second thing we were looking to do is to improve on the things that we were not aware of, that we didn't see before. Awake is an additional tool in our defense system, obviously not the only one, but it broadens our security posture and I believe it has also raised our security maturity.
We also use the EntityIQ feature and it is valuable. The user interface is very approachable and easy to navigate. But when it comes to getting deeper into it, creating more of the rules or recipes, we leave that to them. We just explain to them what we want to see and they create it for us.
The monitoring team is, as I said, top-notch. I can't say that anything needs improvement there. Because we have so few cases, we only meet with them once a month to go over things and talk about the status.
While the appliance is very good, and I think they're working on this, it would probably help if they integrated the MNDR generated cases into the appliance so that everything we are working on with them would be accessible on one platform, on the dashboard, on the portal. Right now, Awake MNDR is just an additional team that uses the same appliance that we use and then we communicate with them directly. Communication isn't through the portal. However, they do send us information and a link where we can look and see the same thing in the appliance that they are seeing, so that's pretty good.
Another thing about the appliance itself, and again I believe they're working on it, is that it would help if there were a broader integration with other security vendors. I know they have some capability to integrate with Splunk and a few others, but it's still a fairly small number of vendors that they have APIs to integrate with.
We have been using the Awake Security appliance and their MNDR service since April of 2020.
It's one of the best and most stable solutions that we have. It is extremely stable. We have had zero downtime, except when they are updating the appliance, and they always call us to let us know and we give them a timeframe. The system is rock-solid and stable; the speed is also good. I'm very pleased with the appliance.
Scalability is less of a concern for us because we have all the remote offices pointing back to our central location and we monitor everything at the central location. For our architecture, one appliance was all we needed.
We have over 500 monitoring points, but being in healthcare, we have certain assets that are very critical, special medical devices, and that's our primary focus. We wanted to make sure that we have visibility to devices that don't have agents on them because they are closed systems. We wanted to make sure that our vendors' and suppliers' communication to these devices was visible to us and that we know what's going on in those connections.
Awake was recently purchased by Arista, so they are part of the bigger company now. That may give them an opportunity to get more resources and expand their customer base, and perhaps hire more analysts for their managed network monitoring and have broader coverage. I think they are looking at offering 24/7 coverage. That's a good development, but there's always a risk that the team that worked cohesively in a smaller company may decide that they want to move on in a bigger company. I don't know what the arrangements are, obviously, but I hope that we won't lose that quality of team members and communication that we have now.
We didn't replace a similar tool with Awake Security, rather, we added Awake to our existing environment. We continue to use Endpoint Detection and Response agents. We still use SIEM and we still use NetFlow tools for a quick look into network traffic, but Awake gives us a deeper look into that traffic. We can get to the packet level when we need to.
But most importantly we have somebody, through their service, looking at our network and watching for any anomalies, or if there's traffic that we're not aware of. It could be legitimate traffic, it could be what we are expecting, but even after we fine-tune it, we still want to know if something similar pops up on the network.
The initial setup was very straightforward and easy, almost plug-and-play. We already had everything set up on our end, network-wise. We already use SPAN ports and all they did was send us the preconfigured appliance and we plugged it in. They didn't even have to come onsite for that. Compared to some other solutions that we looked at, it was extremely simple.
Because we already had things in place it took us about one hour to get started. After a couple of weeks of the appliance looking through our live network data, we started receiving usable intel.
We sent the MNDR team a list of our key high-value assets that we wanted them to pay special attention to, and we sent them a list of all of the normal communication traffic that should be seen on the network, but which is not anything that we want to be alerted on. After that, we worked with them to remove some of the alerts that were repeatable, and that were not really relevant. After a couple of months of fine-tuning—not continuous, just as it came up—we got to a place where we just get one or two alerts a week, and they're valuable. That's been the situation for the last several months. We get all the information from them, what's happening and why, and if it's something that we need to take care of we do it immediately. That's one of the really big pluses: It's valuable information. In addition, the summary of the case tells us why something is happening and gives us enough information that we can remedy it immediately. Now the alerts we get are mostly for unusual but expected traffic. This gives us an opportunity to see that the appliance registers it and that if the same traffic were not expected or approved, we would know about it.
Return on investment is usually easier to show with numbers in other IT applications than in security. But the biggest benefit of having an outsourced managed monitoring team is that we don't tie up our internal resources or have to hire additional resources for that. Comparing the cost of the appliance and MNDR service to other resources we would need, the ROI is certainly there, and it is a benefit for us.
One thing that was specific to network monitoring that I used for some period of time was an open-source solution called Security Onion, which contains Zeek and Suricata, two open-source tools that are focused on network analysis. They work well, but they are fairly time-consuming and, of course, there's the support issue with the open-source that is often hit and miss. Having a network monitoring team on our side with the Awake Security appliance is a big step up.
We also considered and talked to people at ExtraHop, but they were just too expensive for us and they had more complex requirements for implementation.
The solution is very good and the pricing is also better than others, but each organization has to have other security parts and pieces in place. This is not a silver bullet. It's not one thing that can solve all issues or cover all security, but it's a very valuable and needed addition to our security portfolio.
Anybody who feels that they don't have complete visibility into their network should give Awake Security a try, do a proof of concept with them, and see what results you get. It's a good product and I'm pretty sure it will give you what you are looking for. But do that PoC first, because everyone's environment or needs could be different.
The Ava feature for delivering autonomous triage is there and we can use it, but that is not what we do. The reason we got the appliance with the monitoring service is that we don't have enough staff to dedicate, full-time, to the system. So instead we gave their MNDR group the responsibility for monitoring and we just act on their information, and either remedy or reconfigure the network or whatever is needed on our end.
As for lessons learned from using the solution, we wanted to see if everything that we implemented is actually in compliance and working as we expected. We learned that a few things needed adjustments, needed corrections. Now we are not just compliant on paper but we actually have controls that are functioning. Perhaps, because of that, we haven't had any incidents for months now.
I would give a 10 out of 10 to the service. The team that monitors our system is very approachable, competent, friendly, and they provide resolutions if there is anything we need. The appliance is also very good. I would give it a nine because, as I said, there is still room for improvement. It's nothing major, nothing dysfunctional, but there's room for improvement. I give the appliance a nine, which is very high, because it is very stable, very easy to implement, not expensive, and has a good user interface. It fits pretty well on all the fronts that you want an appliance to fit.
I don't have any complaints.
We use it primarily for network-based security and threat-hunting across the network.
We had an incident that involved a phishing email that came in. We were able to use Awake Security to detect everybody on the network who actually went to the website linked to by the phishing email. It allowed us to take care of the infection. Whereas before, we'd have to wait and base things around user self-reporting.
It also definitely helps us monitor devices used in our network by insiders, contractors, partners, and suppliers. Everything that moves across our network, exits or moves laterally across our network, is picked up by the Awake appliance. So if anybody's using a device on our network, it's captured in the appliance.
In addition, we use Awake Security to identify and assess IoT solutions. We don't have a ton of them on our network but we are a cancer research institution so we do have scientific instruments that are internet-aware and which get their updates across the internet.
Finally, it provides us with better situational awareness. I would say there has been about a 50 percent increase there.
The query language makes it easy to query the records on the network, to do searches for the various threat activities that we're looking for. The dashboard, the Security Knowledge Graph, displays information meaningfully and easily. I am able to find the information that I want to find pretty quickly.
Also, the data science capabilities of the product are great. We aren't currently using it, but the behavior-based machine learning that they incorporate is really impressive. It's the primary reason why we picked up the product. It gives us high-fidelity, anomaly-based detections.
I enjoy the query language, but it could be a bit more user-friendly, especially for new users who come across it. I'm conversant with the query language, but if I put it in front of somebody else they have difficulty in learning how to address the query language. That is the biggest area of room for improvement. They should push it more into a natural language style as opposed to a query language.
It's extremely stable. We have only had one minor incident, which had to do with an update. But it's very stable.
We're only using one appliance now, but it seems extremely scalable. We have plans to increase our usage of it. Within the next year, we are going to roll Awake appliances out to our remote sites as well.
Technical support is very responsive and quick to get things done. Any problems I have had with the product, they're usually contacting me about them as opposed to me contacting them. They're very proactive.
We did not have a previous solution.
The initial setup was extremely straightforward. Basically, we just plugged it in and it ran. It's an appliance, so racking is what actually took the longest. It took approximately an hour, at most.
We first started deploying it on the edge, as a PoC. We deployed it for traffic entering and exiting our network, on the edge. Then we expanded it out to traffic that's moving laterally.
We did not use a third-party.
We have seen return on investment but we don't really have the data points around that yet. It's kind of hard to quantify data points with a network security appliance. But we had zero visibility into our network before and so now we have visibility into our network.
The pricing model is an annual subscription. There are no costs in addition to the standard licensing fees.
We evaluated ExtraHop. There were two reasons we went with Awake Security. First, we really liked the artificial intelligence aspect of Awake with its behavioral modeling. And second, honestly, was the price. It was cheaper. We were impressed by them at the RSAC Innovation Sandbox. That's where we initially made contact with them.
ExtraHop is a standard network security appliance. The machine-learning within Awake is what sets it apart.
Make sure that you have a strong networking team in place before you buy the product, because otherwise you may have issues with the TAP aggregation. The product itself will go in quickly and easily.
We don't have the solution's encrypted traffic analysis in place because we aren't doing the decryption at the edge. But it does allow us to see the size of data, and allows us to detect external exfiltration pretty easily.
As for the false-positive rate, I haven't done the math. It's decently high because our network situation is a bit weird. But it would be about the same on any other solution.
We have one person, our Security Engineer, servicing it and maintaining it on our side. Awake maintains it on their side as well. In our environment, we have between 2,500 and 3,000 people, usually.
I would rate it at about eight out of ten. It's a matter of scale. For me, ten means it pretty much mitigates all risks for you. So it would be next to impossible to get a ten, from my perspective.
The use cases for the product are similar to other network protection solutions, focusing on NDR. The key advantage lies in its visibility on the network, providing more insight compared to other technologies, especially when strategically positioned.
Arista NDR's scalability is very good, making it easy to add more hardware components. You can order additional hardware and integrate it by stacking it with the existing setup. This feature cannot be seen in other NDR tools.
We conducted a proof of value for one of our customers with Arista NDR. In comparison to other NDR solutions, our customer found that Arista NDR provided detailed information that other vendors couldn't match. While I can't speak for all NDR solutions, based on our feedback and customer satisfaction, Arista NDR stands out. It offers enhanced visibility and gathers richer details, making our customers more satisfied with the results.
The tool's real-time traffic analysis helps my clients improve security.
Arista NDR needs to open legal offices to be closer to customers and partners. It needs more visibility in the NDR market in the Middle East. While they are doing well, they lack sufficient engineers. They need to hire more engineers to meet the demand and expand their presence. The current team is good but not enough to fully capture the market.
The support experience has been positive so far. Although we haven't directly engaged with the technical support team, the presales engineer and solution architect have been highly supportive.
The solution is worth its money.
The tool's pricing is expensive but it is competitive.
Initially, there were some difficulties with Arista NDR, but they are addressing and improving the situation. The current NDR solution is the result of an acquisition from a company called Awake Security. It is committed to resolving issues and making the platform easier.
If you have Arista switches, integrating them with Arista NDR offers additional benefits. When Arista NDR is integrated with these switches, it provides enhanced visibility. Arista switches have a dedicated processor for NDR, acting like a small module within their software or hardware. It offers better results.
The product's integration with existing infrastructure is good. There is some fine-tuning required, which it is already working on.
I rate the overall solution an eight out of ten.
We use the solution for security purposes. If there is a threat in the network, they try to detect it. Arista products have sensors on their hardware. You don't need to add additional sensors to the network to investigate. A customer sees their traffic for a foreign or suspicious attack on the site.
The solution enables us to see every action in their network in the dashboard. They can take action automatically or manually if there are suspicious things in the network.
There is no need for additional sensors. You can directly use Arista hardware in your network. It is easy to manage.
The solution should improve their direction, detection, and prevention.
I have been using Arista NDR as a partner for one year. We are using the latest version of the solution.
If you need more investigation, you should add more Arista sensors. It is easily scalable. If you do not use Arista, you should add new sensors. There's only one difficulty: getting traffic to your sensor. If customers can do that, it is very easy.
Customers and government departments in Turkey prefer Arista NDR.
In Turkey, there is always a technical team solving a problem. It is easy to reach the international team. They help us without a problem. The support team is good. They have L3 engineers working for many years in their IT team.
The initial setup is easy. You put Arista devices in the network as normal devices, and the VLAN traffic is passing on it. It requires two people to complete the process and takes a maximum of a day.
The solution's maintenance is easy. You can upgrade and downgrade the software easily because it is modular. You can easily upgrade from one version to another without taking the Middle Path upgrade.
You must use the solution for six months to investigate what's happening in the network.
Overall, I rate the solution a nine out of ten.