We use it primarily for network-based security and threat-hunting across the network.
Senior Security Engineer at a pharma/biotech company with 1,001-5,000 employees
Behavior-based machine-learning gives us high-fidelity, anomaly-based detections
Pros and Cons
- "The query language makes it easy to query the records on the network, to do searches for the various threat activities that we're looking for. The dashboard, the Security Knowledge Graph, displays information meaningfully and easily. I am able to find the information that I want to find pretty quickly."
- "I enjoy the query language, but it could be a bit more user-friendly, especially for new users who come across it... They should push it more into a natural language style as opposed to a query language."
What is our primary use case?
How has it helped my organization?
We had an incident that involved a phishing email that came in. We were able to use Awake Security to detect everybody on the network who actually went to the website linked to by the phishing email. It allowed us to take care of the infection. Whereas before, we'd have to wait and base things around user self-reporting.
It also definitely helps us monitor devices used in our network by insiders, contractors, partners, and suppliers. Everything that moves across our network, exits or moves laterally across our network, is picked up by the Awake appliance. So if anybody's using a device on our network, it's captured in the appliance.
In addition, we use Awake Security to identify and assess IoT solutions. We don't have a ton of them on our network but we are a cancer research institution so we do have scientific instruments that are internet-aware and which get their updates across the internet.
Finally, it provides us with better situational awareness. I would say there has been about a 50 percent increase there.
What is most valuable?
- I really enjoy the query language on it. It makes it very easy.
- The dashboards and displays are very intuitive.
The query language makes it easy to query the records on the network, to do searches for the various threat activities that we're looking for. The dashboard, the Security Knowledge Graph, displays information meaningfully and easily. I am able to find the information that I want to find pretty quickly.
Also, the data science capabilities of the are great. We aren't currently using it, but the behavior-based machine-learning that they do incorporate is really impressive. It's the primary reason why we picked up the product. It gives us a high-fidelity, anomaly-based detections.
What needs improvement?
I enjoy the query language, but it could be a bit more user-friendly, especially for new users who come across it. I'm conversant with the query language, but if I put it in front of somebody else they have difficulty in learning how to address the query language. That is the biggest area of room for improvement. They should push it more into a natural language style as opposed to a query language.
Buyer's Guide
Arista NDR
December 2024
Learn what your peers think about Arista NDR. Get advice and tips from experienced pros sharing their opinions. Updated: December 2024.
824,053 professionals have used our research since 2012.
For how long have I used the solution?
We installed it in January of this year, so we've been using it for about eight months now.
What do I think about the stability of the solution?
It's extremely stable. We have only had one minor incident which had to do it with an update. But it's very stable.
What do I think about the scalability of the solution?
We're only using one appliance now, but it seems extremely scalable. We have plans to increase our usage of it. Within the next year, we are going to roll Awake appliances out to our remote sites as well.
How are customer service and support?
Technical support is very responsive and quick to get things done. Any problems I have had with the product, they're usually contacting me about them as opposed to me contacting them. They're very proactive.
Which solution did I use previously and why did I switch?
We did not have a previous solution.
How was the initial setup?
The initial setup was extremely straightforward. Basically, we just plugged it in and it ran. It's an appliance, so racking is what actually took the longest. It took approximately an hour, at most.
We first started deploying it on the edge, as a PoC. We deployed it for traffic entering and exiting our network, on the edge. Then we expanded it out to traffic that's moving laterally.
What about the implementation team?
We did not use a third-party.
What was our ROI?
We have seen return on investment but we don't really have the data points around that yet. It's kind of hard to quantify data points with a network security appliance. But we had zero visibility into our network before and so now we have visibility into our network.
What's my experience with pricing, setup cost, and licensing?
The pricing model is an annual subscription. There are no costs in addition to the standard licensing fees.
Which other solutions did I evaluate?
We evaluated ExtraHop. There were two reasons we went with Awake Security. First, we really liked the artificial intelligence aspect of Awake with its behavioral modeling. And second, honestly, was the price. It was cheaper. We were impressed by them at the RSAC Innovation Sandbox. That's where we initially made contact with them.
ExtraHop is a standard network security appliance. The machine-learning within Awake is what sets it apart.
What other advice do I have?
Make sure that you have a strong networking team in place before you buy the product, because otherwise you may have issues with the TAP aggregation. The product itself will go in quickly and easily.
We don't have the solution's encrypted traffic analysis in place because we aren't doing the decryption at the edge. But it does allow us to see the size of data, and allows us to detect external exfiltration pretty easily.
As for the false-positive rate, I haven't done the math. It's decently high because our network situation is a bit weird. But it would be about the same on any other solution.
We have one person, our Security Engineer, servicing it and maintaining it on our side. Awake maintains it on their side as well. In our environment, we have between 2,500 and 3,000 people, usually.
I would rate it at about eight out of ten. It's a matter of scale. For me, ten means it pretty much mitigates all risks for you. So it would be next to impossible to get a ten, from my perspective.
Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
Director of Projects and IT at a healthcare company with 201-500 employees
Gives us the combination of an appliance for visibility and a top-notch monitoring team that is very responsive
Pros and Cons
- "It gives us something that is almost like an auditing tool for all of our network controls, to see how they are performing. This is related to compliance so that we can see how we are doing with what we have already implemented. There are things that we implemented, but we really didn't know if they were working or not. We have that visibility now."
- "While the appliance is very good, and I think they're working on it, it would probably help if they integrated the management team cases into the appliance so that everything we are working on with them would be accessible on our platform, on the dashboard, on the portal. Right now, Awake is just an additional team that uses the appliance that we use and then we communicate with them directly. Communication isn't through the portal."
What is our primary use case?
We have other network and security appliances and systems in place, but we were looking for something to give us deeper visibility into our network traffic, specifically the lateral, east-west movement. We have pretty good visibility north-south of things going through the firewall, but it was not as good internally. That's our primary use case. And we wanted to have something that would give us relevant alerts and actionable items.
We are using a combination of the Awake Security appliance and their network monitoring services. You can get just the appliance and then do the monitoring yourself, but while we use the appliance, we are not doing the threat-hunting ourselves.
How has it helped my organization?
Their monitoring team is really top-notch and they're easy to communicate with. They're very responsive. The combination of the appliance and the team is the biggest benefit. I'm not sure if we had only gotten the appliance that there would be as much of a benefit. We have other tools, we're not without visibility, but we have much better visibility now.
They do all the levels and tiers of monitoring and alerting. We just do incident response if it's required, or we modify or implement additional controls on the network. They tell us how it's going to impact or benefit our security. They are a partner. It's a partnership that's very functional and it's something that works for us. We could use the appliance ourselves and do the monitoring and threat-hunting, but we don't have enough staff for that. And their staff is, obviously, better qualified than if we were doing it in-house.
If there's any traffic that looks like it's a breach of policy or something that seems suspicious lateral movement, or unencrypted passwords, it is really beneficial to have them check it out first. But what it's really doing is more of a confirmation of our network security controls and design, confirming that they're working the way that we want them to. That's the biggest benefit.
What is most valuable?
We got a couple things out of it that we were looking for. First, it gives us something that is almost like an auditing tool for all of our network controls, to see how they are performing. This is related to compliance so that we can see how we are doing with what we have already implemented. There are things that we had implemented, but we really didn't know if they were working or not. We have that visibility now.
The second thing we were looking to do is to improve on the things that we were not aware of, that we didn't see before. Awake is an additional tool in our defense system, obviously not the only one, but it broadens our security posture and I believe it has also raised our security maturity.
We also use the EntityIQ feature and it is valuable. The user interface is very approachable and easy to navigate. But when it comes to getting deeper into it, creating more of the rules or recipes, we leave that to them. We just explain to them what we want to see and they create it for us.
What needs improvement?
The monitoring team is, as I said, top-notch. I can't say that anything needs improvement there. Because we have so few cases, we only meet with them once a month to go over things and talk about the status.
While the appliance is very good, and I think they're working on this, it would probably help if they integrated the MNDR generated cases into the appliance so that everything we are working on with them would be accessible on one platform, on the dashboard, on the portal. Right now, Awake MNDR is just an additional team that uses the same appliance that we use and then we communicate with them directly. Communication isn't through the portal. However, they do send us information and a link where we can look and see the same thing in the appliance that they are seeing, so that's pretty good.
Another thing about the appliance itself, and again I believe they're working on it, is that it would help if there were a broader integration with other security vendors. I know they have some capability to integrate with Splunk and a few others, but it's still a fairly small number of vendors that they have APIs to integrate with.
For how long have I used the solution?
We have been using the Awake Security appliance and their MNDR service since April of 2020.
What do I think about the stability of the solution?
It's one of the best and most stable solutions that we have. It is extremely stable. We have had zero downtime, except when they are updating the appliance, and they always call us to let us know and we give them a timeframe. The system is rock-solid and stable; the speed is also good. I'm very pleased with the appliance.
What do I think about the scalability of the solution?
Scalability is less of a concern for us because we have all the remote offices pointing back to our central location and we monitor everything at the central location. For our architecture, one appliance was all we needed.
We have over 500 monitoring points, but being in healthcare, we have certain assets that are very critical, special medical devices, and that's our primary focus. We wanted to make sure that we have visibility to devices that don't have agents on them because they are closed systems. We wanted to make sure that our vendors' and suppliers' communication to these devices was visible to us and that we know what's going on in those connections.
How are customer service and technical support?
Awake was recently purchased by Arista, so they are part of the bigger company now. That may give them an opportunity to get more resources and expand their customer base, and perhaps hire more analysts for their managed network monitoring and have broader coverage. I think they are looking at offering 24/7 coverage. That's a good development, but there's always a risk that the team that worked cohesively in a smaller company may decide that they want to move on in a bigger company. I don't know what the arrangements are, obviously, but I hope that we won't lose that quality of team members and communication that we have now.
Which solution did I use previously and why did I switch?
We didn't replace a similar tool with Awake Security, rather, we added Awake to our existing environment. We continue to use Endpoint Detection and Response agents. We still use SIEM and we still use NetFlow tools for a quick look into network traffic, but Awake gives us a deeper look into that traffic. We can get to the packet level when we need to.
But most importantly we have somebody, through their service, looking at our network and watching for any anomalies, or if there's traffic that we're not aware of. It could be legitimate traffic, it could be what we are expecting, but even after we fine-tune it, we still want to know if something similar pops up on the network.
How was the initial setup?
The initial setup was very straightforward and easy, almost plug-and-play. We already had everything set up on our end, network-wise. We already use SPAN ports and all they did was send us the preconfigured appliance and we plugged it in. They didn't even have to come onsite for that. Compared to some other solutions that we looked at, it was extremely simple.
Because we already had things in place it took us about one hour to get started. After a couple of weeks for the appliance looking through our live network data, we start receiving usable intel.
We sent the MNDR team a list of our key high-value assets that we wanted them to pay special attention to, and we sent them a list of all of the normal communication traffic that should be seen on the network, but which is not anything that we want to be alerted on. After that, we worked with them to remove some of the alerts that were repeatable, and that were not really relevant. After a couple of months of fine-tuning—not continuous, just as it came up—we got to a place where we just get one or two alerts a week, and they're valuable. That's been the situation for the last several months. We get all the information from them, what's happening and why, and if it's something that we need to take care of we do it immediately. That's one of the really big pluses: It's valuable information. In addition, the summary of the case tells us why is something happening and gives us enough information that we can remedy it immediately. Now the alerts we get are mostly for unusual but expected traffic. This gives us an opportunity to see that the appliance registers it and that if the same traffic were not expected or approved, we would know about it.
What was our ROI?
Return on investment is usually easier to show with numbers in other IT applications than in security. But the biggest benefit of having an outsourced managed monitoring team is that we don't tie up our internal resources or have to hire additional resources for that. Comparing the cost of the appliance and MNDR service to other resources we would need, the ROI is certainly there, and it is a benefit for us.
Which other solutions did I evaluate?
One thing that was specific to network monitoring that I used for some period of time was an open-source solution called Security Onion, which contains Zeek and Suricata, two open-source tools that are focused on network analysis. They work well, but they are fairly time-consuming and, of course, there's the support issue with the open-source that is often hit and miss. Having a network monitoring team on our side with the Awake Security appliance is a big step up.
We also considered and talked to people at ExtraHop, but they were just too expensive for us and they had more complex requirements for implementation.
What other advice do I have?
The solution is very good and the pricing is also better than others, but each organization has to have other security parts and pieces in place. This is not a silver bullet. It's not one thing that can solve all issues or cover all security, but it's a very valuable and needed addition to our security portfolio.
Anybody who feels that they don't have complete visibility into their network should give Awake Security a try, do a proof of concept with them, and see what results you get. It's a good product and I'm pretty sure it will give you what you are looking for. But do that PoC first, because everyone's environment or needs could be different.
The Ava feature for delivering autonomous triage is there and we can use it, but that is not what we do. The reason we got the appliance with the monitoring service is that we don't have enough staff to dedicate, full-time, to the system. So instead we gave their MNDR group the responsibility for monitoring and we just act on their information, and either remedy or reconfigure the network or whatever is needed on our end.
As for lessons learned from using the solution, we wanted to see if everything that we implemented is actually in compliance and working as we expected. We learned that a few things needed adjustments, needed corrections. Now we are not just compliant on paper but we actually have controls that are functioning. Perhaps, because of that, we haven't had any incidents for months now.
I would give a 10 out of 10 to the service. The team that monitors our system is very approachable, competent, friendly, and they provide resolutions if there is anything we need. The appliance is also very good. I would give it a nine because, as I said, there is still room for improvement. It's nothing major, nothing dysfunctional, but there's room for improvement. I give the appliance a nine, which is very high, because it is very stable, very easy to implement, not expensive, and has a good user interface. It fits pretty well on all the fronts that you want an appliance to fit.
I don't have any complaints.
Which deployment model are you using for this solution?
On-premises
Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
Buyer's Guide
Arista NDR
December 2024
Learn what your peers think about Arista NDR. Get advice and tips from experienced pros sharing their opinions. Updated: December 2024.
824,053 professionals have used our research since 2012.
Head of Cyber Threat Operations at a energy/utilities company with 1,001-5,000 employees
Machine-learning works at a different level — it's like a robotic network engineer
Pros and Cons
- "Other solutions will say, "Hey, this device is doing something weird." But they don't aggregate that data point with other data points. With Awake you have what's called a "fact pattern." For example, if there's a smart toaster on the third floor that is beaconing out to an IP address in North Korea, sure that's bizarre. But if that toaster was made in North Korea it's not bizarre. Taking those two data points together, and automating something using machine-learning is something that no other solution is doing right now."
- "I would like to see a bit more in terms of encrypted traffic. With the advent of programs that live off the land, a smart attacker is going to leverage encryption to execute their operation. So I would like to see improvements there, where possible. Currently, we're not going to be decrypting encrypted traffic. What other approaches could be used?"
What is our primary use case?
The solution is a kind of Swiss Army knife. It can do a number of different things. We primarily use it for network traffic analysis and threat hunting.
How has it helped my organization?
We had an event where an attacker tried to steal login credentials. We were able to find the targets on the network using Awake and we were able to turn on multifactor authentication, not only for those users but for the entire enterprise. We were discovering that that was a very common attack tactic. It was a driver for change. Now, all users at this company have multifactor authentication as a result of Awake's capabilities.
For a long time I was the only person in our company doing security. We're a $30 billion dollar company. So you can imagine how much I appreciate how much time Awake has saved me to be able to do other things. It's been an immense help.
The solution provides us with better situational awareness. In terms of network visibility, it's looking at all network traffic. Anything that's going through, it's doing that full packet capture and it's doing the analysis using the algorithms. And it's telling me what's on the network and what it's doing.
What is most valuable?
There are quite a few valuable features. The most valuable aspect of the tech is the fact that it's like a "force-multiplier." It will reduce the amount of time and effort it takes to triage a potential compromise.
That's important because, in everyday slang, time is money. If you've ever done a business-impact analysis — business continuity — if an attacker can reduce the confidentiality, integrity, or availability of a given system, it will have a financial impact. The quicker you can eliminate or mitigate the compromise, or avoid it altogether, the less money you are looking at spending to recover from a hack. If you can discover it, and detect it, and prevent it before the attack is successful, you actually have a return on investment.
The Security Knowledge Graph tries to centralize things that are notable in the environment. Awake uses a lot of AI and ML to bring to an analyst's attention things that should be of concern. It reduces the amount of searching that an analyst has to do to find notable events or devices. It collates all that and it puts it in one spot. So if you have a device that is beaconing out to a malicious IP, to download malware or the like, Awake will see that and it will alert the analyst right away, rather than the analyst trying to find it in aggregate data.
The data science capabilities of Awake Security are very strong. For a network traffic-analysis platform, it's definitely the best in industry. Vectra AI and Darktrace do similar things, but they don't leverage the math the same way that Awake does.
As for the solution’s encrypted traffic analysis, encrypted traffic is the next nut to crack in logging and monitoring. What they're trying to look for are different cipher suites that can be used to encrypt potentially malicious traffic. It's trying to do something that no one else is really doing.
The solution helps us monitor devices used on our network by insiders, contractors, partners, and suppliers. That's the "meat and potatoes" of what the technology does. If there's a device on the network, it doesn't matter who it's owned by. If it's on the network Awake will see it.
Finally, the cloud TAPs for visibility into cloud infrastructure are 100 percent necessary. I don't know how else you're going to see it.
What needs improvement?
I would like to see a bit more in terms of encrypted traffic. With the advent of programs that live off the land, a smart attacker is going to leverage encryption to execute their operation. So I would like to see improvements there, where possible. Currently, we're not going to be decrypting encrypted traffic. What other approaches could be used?
For how long have I used the solution?
I've been using Awake for about two-and-a-half years. We're using the most current version.
What do I think about the scalability of the solution?
The scalability is very strong. We are going through an acquisition. Thankfully, I have staff now. But I can go out to the new site, put an appliance there, send that traffic to a hub, and from that hub I can see all three locations that we have now, in one spot.
How are customer service and technical support?
Awake's technical support is very good. We have a good, solid relationship with them. It's pretty stellar.
Which solution did I use previously and why did I switch?
We used a SIEM, through IBM. But we're actually using Awake more than we're using QRadar, our SIEM.
How was the initial setup?
The initial setup was very easy. It's a web-based GUI. It's like an application. I didn't have to build anything. All of the algorithms are built into the tech itself on the back end. Once you get traffic going through a TAP or a SPAN port, you send that traffic to the appliance and the appliance does all the work for you.
The deployment took less than a week.
Our implementation strategy was to find our core switches, run the SPAN port off those switches, and send that duplicated traffic to the appliance.
What about the implementation team?
We deployed with the help of an engineer from Awake. I found them to be extremely knowledgeable.
What was our ROI?
ROI is a very hard exercise in security. I believe a couple of people have tried to come up with a quantified data point to say $2 million, or $3 million; every compromise costs a company $3.47 million. It's difficult to put a financial number on it.
I can point to the fact that we haven't had a successful compromise, and that is likely as a result of Awake's technology.
Which other solutions did I evaluate?
I looked at Netwitness and Darktrace. Neither of them was as capable.
The primary reason we went with Awake Security was the fact that the machine-learning was working at a different level. It was working in a manner that the other two solutions weren't. Vectra AI comes close, but it's not the same.
I try to describe it as "aggregation." Other solutions will say, "Hey, this device is doing something weird." But they don't aggregate that data point with other data points. With Awake you have what's called a "fact pattern." For example, if there's a smart toaster on the third floor that is beaconing out to an IP address in North Korea, sure that's bizarre. But if that toaster was made in North Korea it's not bizarre. Taking those two data points together, and automating something using machine-learning, is something that no other solution is doing right now. The only solution doing that is Awake. It's aggregating data points.
What other advice do I have?
My advice would be to put it up against any of its competitors. Look at the salient data points. So your machine-learning is telling you that something is unusual. Great. Why? And if you don't have an answer for that then I would suggest you look at Awake. Because Awake gets to the "why."
In terms of maintenance of the solution, I've got five people now, but they don't just do this. I have one person who does security training and awareness. I have one person who does threat hunting, who is the primary user of the technology. I've got a cyber-threat intel person, and I've also got a person to monitor operational technology.
Regarding Awake's false-positive rate compared to other solutions, it's not really a SIEM. It's more of a hunting tool. It tells me something that is notable, but there will be some false positives because I don't think any amount of AI or ML is going to be able to know everything about your environment. That's just an impossibility. But it gets about as close to an actual person as you can get. Really what Awake is trying to be is a network architect or engineer, a person. It's trying to be someone who knows the topology, the exact architecture, what devices are doing what, what ports, which protocols, etc. That's really what Awake is. It's a robotic network engineer.
Compared to its competitors I'd rate it a ten out of ten. I don't think there's anything out there that's doing what it's doing.
Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
Director of Information Security at a computer software company with 201-500 employees
The time from finding threats to remediation is almost instantaneous
Pros and Cons
- "This solution’s encrypted traffic analysis helps us stay in compliance with government regulations. It is all about understanding data exfiltration, what is ingressing and egressing in our network. One common attack vector is exfiltrating data using encryption. My capabilities to see potential data exfiltration over encrypted traffic is second to none now."
- "I would like to see the capability to import what's known as STIX/TAXII in an IOC format. It currently doesn't offer this."
What is our primary use case?
Our use cases are vast and varied. Quite simply, we looked at tools that would look at network detection and responses out-of-the-box. Looking at Awake, there are hundreds of security use cases built into the system itself. I typically utilize the tool across the enterprise looking to detect those hard to find threats
I am looking at:
- Indicators of compromise for ransomware
- Possible command and controls
- Privacy
- Clear text passwords
- Persistence
- Data ex-filtration and compliance for GDPR
- Various, very hard to detect models of data ex filtration, such as data ex-filtration via e.g DNS or ICMP
- Bad domains and traffic to bad domains
- The list goes on and on.
I have over a hundred use cases turned on running in the background and looking at the following (for example):
- Defense evasion, use of proxies in order to hide data ex-filtration.
- Rogue hardware, identifying new devices on my network, whether they be wireless, wireless handheld devices, smartphones, laptops, etc.
- Brute force attempts against passwords.
- Password spraying attempts.
It is deployed inline into an appliance on-prem and leveraging a network SPAN port.
We are using the latest version.
How has it helped my organization?
It is all about visibility. From an information security standpoint, the capability for the team to be able to single out devices to respond quickly and intelligently, to say for example, "It is this laptop (or endpoint) from this person in finance. I know exactly what it's doing, what's wrong, and I know how to fix it." So, they're empowered walking up to that department or individual. The face of information security used to be, "Oh, the security guys are on that floor." Now, there's a different take. "These guys know what they are doing and are here to help me. I have an issue, and they solved it very quickly." It's making overall security less painful for our folks, which translates into secure adoption of security policies, standards, and awareness. That's another intangible.
Sometimes, the harder part is not interjecting and removing a node, but understanding what it was doing so we have a higher assurance of what type of data may or may not have been exfiltrated because that may trigger reporting laws, etc.
We operate globally, so we have to adhere to the principles of GDPR, and also in Canada, PIPEDA. We have a regulatory/legal obligation to report if there is a data exfiltration. Understanding the nature of the data (what these devices are connecting to), if there is an exfiltration, goes a long way to shaving the time off my staff has to spend running these issues down. For example, one incident could potentially in gray dollars cost thousands of dollars. If, at the end of that investigation, we find out days later that we potentially would have had a reporting obligation, this makes it very difficult. Now, we would have to dive deeper and find out what that data was before we can report to the regulatory bodies, and in particular, our data protection authority for GDPR.
It also allows me to prioritize my staff. So, there are a lot of intangible dollar savings there. Rather than having a group of folks running around attempting to focus on preventative measures, we are focusing on the situations at hand ensuring that we have a grasp of what's going on in our network.
This solution’s encrypted traffic analysis helps us stay in compliance with government regulations. It is all about understanding data exfiltration, what is ingressing and egressing in our network. One common attack vector is exfiltrating data using encryption. My capabilities to see potential data exfiltration over encrypted traffic is second to none now.
It is all about being able to say with confidence to the executives, the senior leadership team at the board level, that by putting this tool in place we have visibility into east-west lateral movement and traffic in the north-south. We also have a high degree of confidence that we are maintaining our security posture.
It doesn't matter where in my network, including wireless networks, I have it all feeding into the same mirrored port. I can see the traffic from any device which is plugged into the network at any time. The Awake ML will identify it. Then, on the dashboard, it will show me every morning any net new devices, how many devices are active, and how many devices may be impacted by a potential threat. I can see instantly any suspect domains that those devices are trying to connect into and what domains are unique. It also shows me net new domains every day at a glance. It then categorizes all of that information using its ML capability into an easy to use interface: high, medium and low. If need be, it will allow me to pivot on that device specifically, looking at it graphically. I can use that to understand what that device is connecting to, and in the same view, understand what type of data is moving back and forth.
We have a certain amount of IoT here, but not a lot. We have things behind our firewall that are definitely IoT which made me nervous, but I'm a lot more comfortable now. E.g., we are a very large software as a service company based mid-market. We have somewhat of a startup culture, so we have food vending type services that exist behind our firewall, albeit segmented. These are Internet of things, such as an automated machine that cooks food that is constantly reporting back to the vendor. We have several different other examples of IoT within our shop, and it allows me to see that traffic as well.
What is most valuable?
What is impressive about the tool is the time to value. Plugging it onto our network, we have found things that other tools have just never seen. We found those issues quickly and were able to action against those issues, remediating them quickly. I don't know another product that delivers as much value so quickly.
I have the tool set up to alert, be able to look at things, and put things together graphically. This helps to understand the fingerprints of the device, what the device has done, where it's been, and what it's doing on my network. It really gives me a high assurance that my security posture will remained intact.
I have it now integrated into our security incident and event management (SIEM) tool, so I am able to correlate events across my network using Awake as my front-end or my first line of defense. Then, I can also pull in the Awake information and use that to pivot across to other sources within our environment, whether that be enterprise detection and response at the endpoint level or security orchestration and response.
Awake's Security Knowledge Graph is incredible in terms of a couple of things:
- The system is laid out very easily for me to utilize.
- I find it comforting if I look at the DNA of the Awake security staff. All of them are deep and wide, in terms of their experiences. You have ex-Mandiant folks along with ex-US military folks who have been through serious cyber situations and assisted large companies, if not governmental organizations. They have seen these threats in the wild. They know how to deal with these threats. Moreover, on weekly calls, they are notifying or diving deep into areas that we might have missed.
What needs improvement?
The only issue is that Awake affords you so much information behind its fingerprinting capability. When it does trigger, you need to have a hard look at what is going on because there is a reason for that trigger.
They have worked very hard on the interface. I would like to see things laid out somewhat differently, and not due my familiarity with the tool. The tool has grown a lot since I started using it in October, and there is room for user interface improvements.
I would like to see the capability to import what's known as STIX/TAXII in an IOC format. It currently doesn't offer this. This would be a nice, like a wish list.
We are looking at cloud TAPs for visibility into cloud infrastructure. We offer a software as a service leveraging cloud. To take things to the next level, it is putting the ability and capability of the device into:
- Our cloud offering to look for threats.
- Leverage it further for any cloud services or SaaS that we use here.
For how long have I used the solution?
We acquired Awake in October 2019.
What do I think about the stability of the solution?
The stability has been rock solid. I haven't had an issue. I have gone through two system upgrades since October. When the system is to be updated, what is nice and somewhat different than a lot of the other appliance vendors that layer the services on top, they contact me before they push the updates out. For example, I had one of their service techs called me at about five o'clock, "Hi, it's William. Do you mind if we go ahead and perform the upgrade for you at this point in time? If that's not convenient, and you need go through a change control committee, etc. That's not a problem. We can schedule that. But if we're good to go, I can do it now for you." I like that they're high touch.
They do all the maintenance. It is an appliance, so they perform all the upgrades. From an administration standpoint, I have one person dealing with it which is limited to only setting up user IDs. That's really the only administration required in the tool.
What do I think about the scalability of the solution?
As we scale, the tool can scale with us. I'm currently using it with a one gigabit interface. As we scale up, we will scale utilizing the tool.
It's very easy to scale. If we scale in terms of our bandwidth and utilization, it's as simple as looking at the next appliance. Then, assuming we scale to a back-end, if we were to look at a 10 gigabit interface, it's as simple as producing or plugging it in through a Network TAP or another SPAN port.
Seven people are using it right now in an analyst format.
How are customer service and technical support?
One of the nice things about Awake is they are nimble. One of the requests that I put in October for feature enhancement has already been put into the product. They released it with 2.0. That's the ability to utilize situations for situational awareness. When my security analysts look at various issues, we are tracking specific items or indicators that compromise using what they call their situation overlay. Now, that is in beta preview. However, I have an advanced copy which allows me to track and trend an incident all the way through the MITRE ATT&CK chain or kill chain. So, it's a real powerful feature that they have stepped up and implemented in the product.
That is their standard technical support. It is a real "we are here to help" type of feel with just a group of dedicated security professionals. If I look at the DNA of their company, from who's at the senior leadership team level down to the analyst level, these guys have lived it. Their combined experience within the cybersecurity space is second to none.
The last time that I had an issue, it was Awake's technical support told me that I had an issue, which was nice.
Based on standard support terms and conditions, they have always responded in an expected time frame. I've only had one issue of note with the product and that was resolved quickly. I had a response back in less than 20 minutes and the issue was resolved in under two hours.
Which solution did I use previously and why did I switch?
Before having Awake, we didn't have the visibility. I could get a lot of the north-south traffic and understand what was emanating, ingressing, and egressing in the network, but didn't have the overall picture.
We had solutions which allowed us to leverage indicators of compromise for indicators of compromise. Really, it was a bunch of point solutions reporting into our SIEM solution, as we are a Splunk shop. It's important to note that Awake doesn't do all things, but what it does do, it does really well and perhaps the best in the industry. So, Awake also puts its logs into the SIEM solution.
We had a SIEM. I had a lot of indicators of compromise type fingerprints in that SIEM. I had all of the log files throughout the whole of the organization dumping into that SIEM. However, from the network detection and response side, looking at east-west traffic, those fingerprints, and in a single pane of glass, I wasn't getting that before I had the Awake device.
The Awake tool gives me the east-west traffic and lateral movement picture, as well as the north-south traffic. Therefore, I'm getting a full picture of my network at any one point in time. These are things that keep you up at night being in the CISO role.
How was the initial setup?
Here is how straightforward the initial setup was. I got the device in October, which is fourth quarter for us and extremely busy. The Awake team wanted to fly in to do the setup. I told them that it was not going to work due to the timing and logistics. So, they shipped out the box. My team just put it in a rack and plugged it into the SPAN port, then we were done.
That was the entire setup. It is an appliance. All it requires is a Network Tap or SPAN port. We plugged the interface in, gave it a public side interface, and the Awake team did the final config remotely, then we were up and running in under two hours. That includes the rack time.
We had several meetings with Awake in terms of understanding our environment:
- Where it was best to place the sensors.
- What size sensors would we need.
- What type of use cases I was looking for.
- What were my pain points.
- What kept me up at night before we even embarked to the contract signing.
What about the implementation team?
Two people were required for deployment from my side along with one person from Awake.
What was our ROI?
The time from finding threats to remediation is almost instantaneous. For example, I found a threat this morning and remediated it in less than five minutes. The issue that I encountered today was definitely data exfiltration. It was a malware that was hitting domain generated algorithms and also attempting to use Tor to obfuscate the data exfiltration. I found that within three minutes, and then the next following two minutes, we interjected, did the remediation, and had the node off the network.
When you're trying to put a dollar value on the protection of personally identifiable information, potential financial information, and the loss there of, it is very difficult. However, in this instance, it could have been a lot worse. In terms of grey dollars and my staff's time, you're looking at a $1000 worth of savings because we would had to glean through logs, identify the device, chase it down, and understand what it was doing on the network.
The solution has saved thousands of dollars within the first day. Our ROI has to be in the tens of thousands of dollars since October last year. It's about the peace of mind and my ability to pass by the CEO, and say to him, "Don't worry, I got that. There was a network incident, but I'm confident that we caught this endpoint before there was any data exfiltration. I know what it was talking to and what the nature of the issue was." That is powerful right there.
What's my experience with pricing, setup cost, and licensing?
I signed a three-year deal as it was most cost effective for my firm - with no doubt in my mind we will see ROI in year one.
I am hoping to involve them in a managed network detection and response relationship as well, which is another one of their offerings.
There are no additional costs. The product does what it says that it will do.
Which other solutions did I evaluate?
I am impressed with the data science capabilities of Awake, in regards to AI and ML capabilities built into the tool. We stacked up Awake against a competitor. I put both products, Darktrace and Awake, in a head-to-head bake-off back during the October time frame. Awake was the clear winner for a bunch of reasons: ease of use, a lot of the lateral movement for triggers on indicators of compromise and the Awake rule sets were far deeper and more insightful than information I was receiving out of the ML capabilities afforded within Darktrace.
Darktrace had quite a few false positives.
Another problem with Darktrace that I found was the interface and the ability to work within the tool to look at information graphically. While available in Darktrace, the ability to navigate and dive deeper into those fingerprints signatures is very kludgy.
What other advice do I have?
Understand where your network points are and where you are best served to position sensors. The tool won't work unless it's positioned effectively in your network. Rely upon Awake staff's expertise. They have collective information cybersecurity experience in the hundreds of years, so just listen to them in terms of their guidance and where to position your sensors. Understand your traffic flow before moving forward with the solution, making sure that it's right for you. For instance, understand that if you have several satellite offices, you may be challenged and need to purchase several devices or appliances. In our case, this was a non-issue because I back haul all of my traffic to one centralized point.
I am impressed with the product. It is a solid, powerful tool. It's a truly unique plug and play appliance and solution. I'd give it a 10 (out of 10). If I could give it more than a 10, I would. It is really an outstanding product.
We have had a few false positives, two or three. I was looking at one this morning. However, that was a fault of ours because the IP address on the endpoint wasn't in a reserved mode, so the name of the machine changed. Here is where the ML capabilities shines. The IP address changed, thus a new machine name was apparent to the ML engine. Then, the ML engine looked at both the IP and machine name, and said, "I don't know. It's still the same IP, but it's doing lateral movement now." It turns out that IP was reallocated to a machine in our development side for our DevSecOps, where that type of behavior is totally normal. However, the ML in the tool spiked that out immediately.
The biggest lessons that I've learned are thinking that your common point solutions, even though you're aggregating them all will point out all the potential nefarious activities behind your firewall or attempted attacks outside your firewall. You are not going to see everything. You really need to empower machine learning and AI capabilities of one of these tools in order to see the typical advanced persistent threats (APTs) or those low, slow threats on your network. For example, the anomaly that pops up for five minutes every month because it's using a domain generated algorithm is really where this tool shines. It looks for that needle in a haystack and that anomalous behavior that you're not necessarily going to pick out using a SIEM tool. I don't care how good the SIEM tool is, you need a dedicated product to effectively understand that east-west traffic and ascertain whether or not it is hostile.
Which deployment model are you using for this solution?
On-premises
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Senior Network Consultant at a tech services company with 11-50 employees
Helps detect threats and investigates
What is our primary use case?
We use the solution for security purposes. If there is a threat in the network, they try to detect it. Arista products have sensors on their hardware. You don't need to add additional sensors to the network to investigate. A customer sees their traffic for a foreign or suspicious attack on the site.
What is most valuable?
The solution enables us to see every action in their network in the dashboard. They can take action automatically or manually if there are suspicious things in the network.
There is no need for additional sensors. You can directly use Arista hardware in your network. It is easy to manage.
What needs improvement?
The solution should improve their direction, detection, and prevention.
For how long have I used the solution?
I have been using Arista NDR as a partner for one year. We are using the latest version of the solution.
What do I think about the scalability of the solution?
If you need more investigation, you should add more Arista sensors. It is easily scalable. If you do not use Arista, you should put new sensors. There's only one difficulty in getting traffic to your sensor. If customers can do it, it is very easy.
Customers and government departments in Turkey prefer Arista NDR.
How are customer service and support?
In Turkey, there is always a technical team solving a problem. It is easy to reach the international team. They help us without a problem. The support team is good. They have L3 engineers working for many years in their IT team.
How was the initial setup?
The initial setup is easy. You put Arista devices in the network as normal devices, and the VLAN traffic is passing on it. It requires two people to complete the process and takes a maximum of a day.
What other advice do I have?
The solution's maintenance is easy. You can upgrade and downgrade the software easily because it is modular. You can easily upgrade from one version to another without taking the Middle Path upgrade.
You must use the solution for six months to investigate what's happening in the network.
Overall, I rate the solution a nine out of ten.
Which deployment model are you using for this solution?
On-premises
Disclosure: My company has a business relationship with this vendor other than being a customer: Partner
Systems Engineer at a tech services company with 11-50 employees
Offers visibility and detailed insights but needs to focus more on expansion
Pros and Cons
- "Arista NDR's scalability is very good, making it easy to add more hardware components. You can order additional hardware and integrate it by stacking it with the existing setup. This feature cannot be seen in other NDR tools."
- "Arista NDR needs to open legal offices to be closer to customers and partners. It needs more visibility in the NDR market in the Middle East. While they are doing well, they lack sufficient engineers. They need to hire more engineers to meet the demand and expand their presence. The current team is good but not enough to fully capture the market."
What is our primary use case?
The use cases for the product are similar to other network protection solutions, focusing on NDR. The key advantage lies in its visibility on the network, providing more insight compared to other technologies, especially when strategically positioned.
What is most valuable?
Arista NDR's scalability is very good, making it easy to add more hardware components. You can order additional hardware and integrate it by stacking it with the existing setup. This feature cannot be seen in other NDR tools.
We conducted a proof of value for one of our customers with Arista NDR. In comparison to other NDR solutions, our customer found that Arista NDR provided detailed information that other vendors couldn't match. While I can't speak for all NDR solutions, based on our feedback and customer satisfaction, Arista NDR stands out. It offers enhanced visibility and gathers richer details, making our customers more satisfied with the results.
The tool's real-time traffic analysis helps my clients improve security.
What needs improvement?
Arista NDR needs to open legal offices to be closer to customers and partners. It needs more visibility in the NDR market in the Middle East. While they are doing well, they lack sufficient engineers. They need to hire more engineers to meet the demand and expand their presence. The current team is good but not enough to fully capture the market.
How are customer service and support?
The support experience has been positive so far. Although we haven't directly engaged with the technical support team, the presales engineer and solution architect have been highly supportive.
What was our ROI?
The solution is worth its money.
What's my experience with pricing, setup cost, and licensing?
The tool's pricing is expensive but it is competitive.
What other advice do I have?
Initially, there were some difficulties with Arista NDR, but they are addressing and improving the situation. The current NDR solution is the result of an acquisition from a company called Awake Security. It is committed to resolving issues and making the platform easier.
If you have Arista switches, integrating them with Arista NDR offers additional benefits. When Arista NDR is integrated with these switches, it provides enhanced visibility. Arista switches have a dedicated processor for NDR, acting like a small module within their software or hardware. It offers better results.
The product's integration with existing infrastructure is good. There is some fine-tuning required which already it is working on.
I rate the overall solution an eight out of ten.
Disclosure: My company has a business relationship with this vendor other than being a customer: reseller
Buyer's Guide
Download our free Arista NDR Report and get advice and tips from experienced pros
sharing their opinions.
Updated: December 2024
Popular Comparisons
Darktrace
Vectra AI
Cisco Secure Network Analytics
Cynet
Trend Micro Deep Discovery
ExtraHop Reveal(x)
Trellix Network Detection and Response
Corelight
NetWitness NDR
Stellar Cyber Open XDR
Bitdefender GravityZone Extended Detection and Response (XDR)
Buyer's Guide
Download our free Arista NDR Report and get advice and tips from experienced pros
sharing their opinions.
Quick Links
Learn More: Questions:
- How does Network Detection and Response (NDR) Differ from SIEM?
- What aspects of network security are more concerning to small and medium-sized enterprises?
- What are the best practices for Security Operations Center (SOC)?
- What is the future of the Network Operation Center (NOC)?
- Which alternative solutions (other than Darktrace) do you recommend for an SMB?
- Why is Network Detection and Response (NDR) important for companies?
- When evaluating Network Detection and Response (NDR), what aspect do you think is the most important to look for?
- GoDaddy has been hacked again. What can be done better?
- What is Data-Centric vs Application-Centric security architecture?
- What are your top Extended Detection and Response (XDR) predictions for 2022?