
Awake Security Platform Overview

Awake Security Platform is the #4 ranked solution among top Network Detection and Response (NDR) tools and the #6 ranked solution among Network Traffic Analysis tools. IT Central Station users give Awake Security Platform an average rating of 8 out of 10. Awake Security Platform is most commonly compared to Darktrace. Awake Security Platform is popular among the midsize enterprise segment, accounting for 47% of users researching this solution on IT Central Station. The top industry researching this solution is the computer software industry, accounting for 28% of all views.
What is Awake Security Platform?

Awake Security is the only advanced network traffic analysis company that delivers a privacy-aware solution capable of detecting and visualizing behavioral, mal-intent and compliance incidents with full forensics context. Powered by Ava, Awake’s security expert system, the Awake Security Platform combines federated machine learning, threat intelligence and human expertise. The platform analyzes billions of communications to autonomously discover, profile and classify every device, user and application on any network. Through automated hunting and investigation, Awake uncovers malicious intent from insiders and external attackers alike. The company is ranked #1 for time to value because of its frictionless approach that delivers answers rather than alerts.

Awake Security Platform is also known as Awake.

Awake Security Platform Buyer's Guide

Download the Awake Security Platform Buyer's Guide including reviews and more. Updated: November 2021


Pricing Advice

What users are saying about Awake Security Platform pricing:
  • "The solution has saved thousands of dollars within the first day. Our ROI has to be in the tens of thousands of dollars since October last year."
  • "The pricing seems pretty reasonable for what we get out of it. We also found it to be more competitive than some other vendors that we've looked at."
  • "We switched to Awake Security because they were able to offer a model that was significantly less expensive and the value that we get out of it is higher."
  • "Awake's pricing was very competitive. It's not a cheap option though. It's an investment to utilize it, but it's one that we decided was worth the cost, with the managed services. At our scale, it was a much better option to utilize their software and their managed services to handle this, rather than hiring another person to be an analyst. It was quite cost-effective for us."
  • "The solution is very good and the pricing is also better than others..."
  • "Awake Security was the least expensive among their competitors. Everyone was within $15,000 of each other. The other solutions were not providing the MNDR service, which is standard with Awake Security's pricing/licensing model."

Awake Security Platform Reviews

Kristofer-Laxdal
Director of Information Security at a computer software company with 201-500 employees
Real User
Top 5
The time from finding threats to remediation is almost instantaneous

Pros and Cons

  • "This solution’s encrypted traffic analysis helps us stay in compliance with government regulations. It is all about understanding data exfiltration, what is ingressing and egressing in our network. One common attack vector is exfiltrating data using encryption. My capabilities to see potential data exfiltration over encrypted traffic is second to none now."
  • "I would like to see the capability to import what's known as STIX/TAXII in an IOC format. It currently doesn't offer this."

What is our primary use case?

Our use cases are vast and varied. Quite simply, we looked at tools that would look at network detection and responses out-of-the-box. Looking at Awake, there are hundreds of security use cases built into the system itself. I typically utilize the tool across the enterprise looking to detect those hard-to-find threats.

I am looking at:

  • Indicators of compromise for ransomware
  • Possible command and controls
  • Privacy
  • Clear text passwords
  • Persistence
  • Data exfiltration and compliance for GDPR
  • Various, very hard-to-detect models of data exfiltration, e.g. data exfiltration via DNS or ICMP
  • Bad domains and traffic to bad domains
  • The list goes on and on.

I have over a hundred use cases turned on running in the background and looking at the following (for example):

  • Defense evasion, use of proxies in order to hide data exfiltration.
  • Rogue hardware, identifying new devices on my network, whether they be wireless, wireless handheld devices, smartphones, laptops, etc.
  • Brute force attempts against passwords.
  • Password spraying attempts.

It is deployed inline as an appliance on-prem, leveraging a network SPAN port.

We are using the latest version.

How has it helped my organization?

It is all about visibility. From an information security standpoint, the capability for the team to be able to single out devices to respond quickly and intelligently, to say for example, "It is this laptop (or endpoint) from this person in finance. I know exactly what it's doing, what's wrong, and I know how to fix it." So, they're empowered walking up to that department or individual. The face of information security used to be, "Oh, the security guys are on that floor." Now, there's a different take. "These guys know what they are doing and are here to help me. I have an issue, and they solved it very quickly." It's making overall security less painful for our folks, which translates into secure adoption of security policies, standards, and awareness. That's another intangible.

Sometimes, the harder part is not interjecting and removing a node, but understanding what it was doing so we have a higher assurance of what type of data may or may not have been exfiltrated because that may trigger reporting laws, etc. 

We operate globally, so we have to adhere to the principles of GDPR, and also in Canada, PIPEDA. We have a regulatory/legal obligation to report if there is a data exfiltration. Understanding the nature of the data (what these devices are connecting to), if there is an exfiltration, goes a long way to shaving off the time my staff has to spend running these issues down. For example, one incident could potentially in gray dollars cost thousands of dollars. If, at the end of that investigation, we find out days later that we potentially would have had a reporting obligation, this makes it very difficult. Now, we would have to dive deeper and find out what that data was before we can report to the regulatory bodies, and in particular, our data protection authority for GDPR.

It also allows me to prioritize my staff. So, there are a lot of intangible dollar savings there. Rather than having a group of folks running around attempting to focus on preventative measures, we are focusing on the situations at hand ensuring that we have a grasp of what's going on in our network.

This solution’s encrypted traffic analysis helps us stay in compliance with government regulations. It is all about understanding data exfiltration, what is ingressing and egressing in our network. One common attack vector is exfiltrating data using encryption. My capabilities to see potential data exfiltration over encrypted traffic is second to none now. 

It is all about being able to say with confidence to the executives, the senior leadership team at the board level, that by putting this tool in place we have visibility into east-west lateral movement and traffic in the north-south. We also have a high degree of confidence that we are maintaining our security posture.

It doesn't matter where in my network, including wireless networks, I have it all feeding into the same mirrored port. I can see the traffic from any device which is plugged into the network at any time. The Awake ML will identify it. Then, on the dashboard, it will show me every morning any net new devices, how many devices are active, and how many devices may be impacted by a potential threat. I can see instantly any suspect domains that those devices are trying to connect into and what domains are unique. It also shows me net new domains every day at a glance. It then categorizes all of that information using its ML capability into an easy to use interface: high, medium and low. If need be, it will allow me to pivot on that device specifically, looking at it graphically. I can use that to understand what that device is connecting to, and in the same view, understand what type of data is moving back and forth.

We have a certain amount of IoT here, but not a lot. We have things behind our firewall that are definitely IoT which made me nervous, but I'm a lot more comfortable now. E.g., we are a very large software as a service company based mid-market. We have somewhat of a startup culture, so we have food vending type services that exist behind our firewall, albeit segmented. These are Internet of things, such as an automated machine that cooks food that is constantly reporting back to the vendor. We have several different other examples of IoT within our shop, and it allows me to see that traffic as well.

What is most valuable?

What is impressive about the tool is the time to value. Plugging it onto our network, we have found things that other tools have just never seen. We found those issues quickly and were able to action against those issues, remediating them quickly. I don't know another product that delivers as much value so quickly.

I have the tool set up to alert, be able to look at things, and put things together graphically. This helps to understand the fingerprints of the device, what the device has done, where it's been, and what it's doing on my network. It really gives me a high assurance that my security posture will remain intact.

I have it now integrated into our security incident and event management (SIEM) tool, so I am able to correlate events across my network using Awake as my front-end or my first line of defense. Then, I can also pull in the Awake information and use that to pivot across to other sources within our environment, whether that be enterprise detection and response at the endpoint level or security orchestration and response.

Awake's Security Knowledge Graph is incredible in terms of a couple of things: 

  1. The system is laid out very easily for me to utilize. 
  2. I find it comforting if I look at the DNA of the Awake security staff. All of them are deep and wide, in terms of their experiences. You have ex-Mandiant folks along with ex-US military folks who have been through serious cyber situations and assisted large companies, if not governmental organizations. They have seen these threats in the wild. They know how to deal with these threats. Moreover, on weekly calls, they are notifying or diving deep into areas that we might have missed.

What needs improvement?

The only issue is that Awake affords you so much information behind its fingerprinting capability. When it does trigger, you need to have a hard look at what is going on because there is a reason for that trigger.

They have worked very hard on the interface. I would like to see things laid out somewhat differently, and not due to my familiarity with the tool. The tool has grown a lot since I started using it in October, and there is room for user interface improvements.

I would like to see the capability to import what's known as STIX/TAXII in an IOC format. It currently doesn't offer this. This would be nice, like a wish list item.

We are looking at cloud TAPs for visibility into cloud infrastructure. We offer a software as a service leveraging cloud. To take things to the next level, it is putting the ability and capability of the device into:

  1. Our cloud offering to look for threats.
  2. Leverage it further for any cloud services or SaaS that we use here.

For how long have I used the solution?

We acquired Awake in October 2019.

What do I think about the stability of the solution?

The stability has been rock solid. I haven't had an issue. I have gone through two system upgrades since October. When the system is to be updated, what is nice and somewhat different than a lot of the other appliance vendors that layer the services on top, they contact me before they push the updates out. For example, one of their service techs called me at about five o'clock, "Hi, it's William. Do you mind if we go ahead and perform the upgrade for you at this point in time? If that's not convenient, and you need to go through a change control committee, etc. That's not a problem. We can schedule that. But if we're good to go, I can do it now for you." I like that they're high touch.

They do all the maintenance. It is an appliance, so they perform all the upgrades. From an administration standpoint, I have one person dealing with it which is limited to only setting up user IDs. That's really the only administration required in the tool.

What do I think about the scalability of the solution?

As we scale, the tool can scale with us. I'm currently using it with a one gigabit interface. As we scale up, we will scale utilizing the tool.

It's very easy to scale. If we scale in terms of our bandwidth and utilization, it's as simple as looking at the next appliance. Then, assuming we scale to a back-end, if we were to look at a 10 gigabit interface, it's as simple as producing or plugging it in through a Network TAP or another SPAN port.

Seven people are using it right now in an analyst format.

How are customer service and technical support?

One of the nice things about Awake is they are nimble. One of the requests that I put in October for feature enhancement has already been put into the product. They released it with 2.0. That's the ability to utilize situations for situational awareness. When my security analysts look at various issues, we are tracking specific items or indicators of compromise using what they call their situation overlay. Now, that is in beta preview. However, I have an advanced copy which allows me to track and trend an incident all the way through the MITRE ATT&CK chain or kill chain. So, it's a real powerful feature that they have stepped up and implemented in the product.

That is their standard technical support. It is a real "we are here to help" type of feel with just a group of dedicated security professionals. If I look at the DNA of their company, from who's at the senior leadership team level down to the analyst level, these guys have lived it. Their combined experience within the cybersecurity space is second to none.

The last time that I had an issue, it was Awake's technical support that told me that I had an issue, which was nice.

Based on standard support terms and conditions, they have always responded in an expected time frame. I've only had one issue of note with the product and that was resolved quickly. I had a response back in less than 20 minutes and the issue was resolved in under two hours.

Which solution did I use previously and why did I switch?

Before having Awake, we didn't have the visibility. I could get a lot of the north-south traffic and understand what was emanating, ingressing, and egressing in the network, but didn't have the overall picture. 

We had solutions which allowed us to leverage indicators of compromise for indicators of compromise. Really, it was a bunch of point solutions reporting into our SIEM solution, as we are a Splunk shop. It's important to note that Awake doesn't do all things, but what it does do, it does really well and perhaps the best in the industry. So, Awake also puts its logs into the SIEM solution.

We had a SIEM. I had a lot of indicators of compromise type fingerprints in that SIEM. I had all of the log files throughout the whole of the organization dumping into that SIEM. However, from the network detection and response side, looking at east-west traffic, those fingerprints, and in a single pane of glass, I wasn't getting that before I had the Awake device.

The Awake tool gives me the east-west traffic and lateral movement picture, as well as the north-south traffic. Therefore, I'm getting a full picture of my network at any one point in time. These are things that keep you up at night being in the CISO role.

How was the initial setup?

Here is how straightforward the initial setup was. I got the device in October, which is fourth quarter for us and extremely busy. The Awake team wanted to fly in to do the setup. I told them that it was not going to work due to the timing and logistics. So, they shipped out the box. My team just put it in a rack and plugged it into the SPAN port, then we were done.

That was the entire setup. It is an appliance. All it requires is a Network Tap or SPAN port. We plugged the interface in, gave it a public side interface, and the Awake team did the final config remotely, then we were up and running in under two hours. That includes the rack time.

We had several meetings with Awake in terms of understanding our environment:

  • Where it was best to place the sensors.
  • What size sensors would we need.
  • What type of use cases I was looking for.
  • What were my pain points.
  • What kept me up at night before we even embarked to the contract signing.

What about the implementation team?

Two people were required for deployment from my side along with one person from Awake.

What was our ROI?

The time from finding threats to remediation is almost instantaneous. For example, I found a threat this morning and remediated it in less than five minutes. The issue that I encountered today was definitely data exfiltration. It was a malware that was hitting domain generated algorithms and also attempting to use Tor to obfuscate the data exfiltration. I found that within three minutes, and then in the following two minutes, we interjected, did the remediation, and had the node off the network.

When you're trying to put a dollar value on the protection of personally identifiable information, potential financial information, and the loss thereof, it is very difficult. However, in this instance, it could have been a lot worse. In terms of grey dollars and my staff's time, you're looking at $1,000 worth of savings because we would have had to glean through logs, identify the device, chase it down, and understand what it was doing on the network.

The solution has saved thousands of dollars within the first day. Our ROI has to be in the tens of thousands of dollars since October last year. It's about the peace of mind and my ability to pass by the CEO, and say to him, "Don't worry, I got that. There was a network incident, but I'm confident that we caught this endpoint before there was any data exfiltration. I know what it was talking to and what the nature of the issue was." That is powerful right there.

What's my experience with pricing, setup cost, and licensing?

I signed a three-year deal as it was most cost effective for my firm - with no doubt in my mind we will see ROI in year one.

I am hoping to involve them in a managed network detection and response relationship as well, which is another one of their offerings.

There are no additional costs. The product does what it says that it will do. 

Which other solutions did I evaluate?

I am impressed with the data science capabilities of Awake, in regards to AI and ML capabilities built into the tool. We stacked up Awake against a competitor. I put both products, Darktrace and Awake, in a head-to-head bake-off back during the October time frame. Awake was the clear winner for a bunch of reasons: ease of use, a lot of the lateral movement for triggers on indicators of compromise and the Awake rule sets were far deeper and more insightful than information I was receiving out of the ML capabilities afforded within Darktrace.

Darktrace had quite a few false positives. 

Another problem with Darktrace that I found was the interface and the ability to work within the tool to look at information graphically. While available in Darktrace, the ability to navigate and dive deeper into those fingerprint signatures is very kludgy.

What other advice do I have?

Understand where your network points are and where you are best served to position sensors. The tool won't work unless it's positioned effectively in your network. Rely upon Awake staff's expertise. They have collective information cybersecurity experience in the hundreds of years, so just listen to them in terms of their guidance and where to position your sensors. Understand your traffic flow before moving forward with the solution, making sure that it's right for you. For instance, understand that if you have several satellite offices, you may be challenged and need to purchase several devices or appliances. In our case, this was a non-issue because I backhaul all of my traffic to one centralized point.

I am impressed with the product. It is a solid, powerful tool. It's a truly unique plug and play appliance and solution. I'd give it a 10 (out of 10). If I could give it more than a 10, I would. It is really an outstanding product.

We have had a few false positives, two or three. I was looking at one this morning. However, that was a fault of ours because the IP address on the endpoint wasn't in a reserved mode, so the name of the machine changed. Here is where the ML capabilities shine. The IP address changed, thus a new machine name was apparent to the ML engine. Then, the ML engine looked at both the IP and machine name, and said, "I don't know. It's still the same IP, but it's doing lateral movement now." It turns out that IP was reallocated to a machine in our development side for our DevSecOps, where that type of behavior is totally normal. However, the ML in the tool spiked that out immediately.

The biggest lessons that I've learned are thinking that your common point solutions, even though you're aggregating them all, will point out all the potential nefarious activities behind your firewall or attempted attacks outside your firewall. You are not going to see everything. You really need to empower machine learning and AI capabilities of one of these tools in order to see the typical advanced persistent threats (APTs) or those low, slow threats on your network. For example, the anomaly that pops up for five minutes every month because it's using a domain generated algorithm is really where this tool shines. It looks for that needle in a haystack and that anomalous behavior that you're not necessarily going to pick out using a SIEM tool. I don't care how good the SIEM tool is, you need a dedicated product to effectively understand that east-west traffic and ascertain whether or not it is hostile.

Which deployment model are you using for this solution?

On-premises
Disclosure: I am a real user, and this review is based on my own experience and opinions.
JG
Head of Information Security at an engineering company with 10,001+ employees
Real User
Top 10
Gives us network layer visibility into things that may not be covered by other monitoring tools, such as shadow IT

Pros and Cons

  • "The query language that they have is quite valuable, especially because the sensor itself is storing some network activity and we're able to query that. That has been useful in a pinch because we don't necessarily use it just for threat hunting, but we also use it for debugging network issues. We can use it to ask questions and get answers about our network. For example: Which users and devices are using the VPN for RDP access? We can write a query pretty quickly and get an answer for that."
  • "One concern I do have with Awake is that, ideally, it should be able identify high-risk users and devices and entities. However, we don't have confidence in their entity resolution, and we've provided this feedback to Awake. My understanding is that this is where some of the AI/ML is, and it hasn't been reliable in correctly identifying which device an activity is associated with. We have also encountered issues where it has merged two devices into one entity profile when they shouldn't be merged. The entity resolution is the weakest point of Awake so far."

What is our primary use case?

One of the interesting things that made us lean towards going with Awake was that it fulfilled a couple of use cases. One was the core NDR functionality. We wanted it to be able to monitor our network traffic and alert us on security-relevant events. 

Another request we had was that because our security team was pretty resource-constrained, we wanted a solution that could provide an in-house managed service for monitoring it, as a partner. Awake was able to provide that, with their MNDR team, and that was something that we found pretty valuable.

How has it helped my organization?

Awake's MNDR has affected our overall security posture very positively. Having a team that is able to monitor our network activity has been a huge help.

The solution uncovers the entire attack surface for the environments we're using it in. That is one of the important reasons we brought in Awake, and in general, network monitoring. We wanted to be able to have that visibility at the base layer, at the network layer, into things that may not be covered by other monitoring tools. For example, EDR won't cover shadow IT and systems that simply don't have endpoint protection installed. Awake will at least help us be aware of those and monitor suspicious activity at the network level.

Overall it has improved our InfoSec operations in that it frees up our security engineers from having to triage every little thing that might show up on the network and, instead, rely on Awake—the combination of their technology and the people on their MNDR team—to help offload that work from us.

It tracks both managed and unmanaged devices, the way we have it set up. And that is definitely of value to us because otherwise we wouldn't have a lot of visibility into the unmanaged devices. Awake has helped us identify things like personal devices that were improperly and inappropriately connected to our corporate network. It has helped us to identify devices in the R&D environment that weren't managed. Maybe they were some legacy system that's been sitting around for a while, or an R&D engineer hooked up some custom Linux device to the network. Awake has helped us be aware of those kinds of things. We feel better that Awake is monitoring those kinds of unmanaged devices. We wouldn't have as much visibility into the activity if we didn't have Awake.

In terms of productivity, it wasn't that we had an existing team monitoring the network and that we ended up with a more effective or productive workflow after onboarding Awake. More importantly, we simply didn't have much network visibility before Awake. It speeds up response times but, more importantly, we are now able to respond to things that we simply weren't seeing before.

What is most valuable?

The query language that they have is quite valuable, especially because the sensor itself is storing some network activity and we're able to query that. That has been useful in a pinch because we don't necessarily use it just for threat hunting, but we also use it for debugging network issues. We can use it to ask questions and get answers about our network. For example: Which users and devices are using the VPN for RDP access? We can write a query pretty quickly and get an answer for that.

It provides us with the base level of what we would hope can be obtained from monitoring encrypted traffic, things like TLS and SNI. We get to see which supposed hosts they're trying to hit. And we get the metadata around encrypted traffic. Awake, as I understand it, does have heuristics and alerts for that. It's good to see that in place because some of the other products we've seen don't handle encrypted traffic well. Whereas no one can truly look deeply into encrypted traffic, what we've seen from Awake is that it is at least looking at the metadata and analyzing the metadata of encrypted traffic, and that's useful.

What needs improvement?

One concern I do have with Awake is that, ideally, it should be able to identify high-risk users and devices and entities. However, we don't have confidence in their entity resolution, and we've provided this feedback to Awake. My understanding is that this is where some of the AI/ML is, and it hasn't been reliable in correctly identifying which device an activity is associated with. We have also encountered issues where it has merged two devices into one entity profile when they shouldn't be merged. The entity resolution is the weakest point of Awake so far. Even without that it's useful because with the MNDR team, they'll at least do some of that work for us and then we can follow up on certain things. But that is something that we would want to see improved.

Because we have the MNDR team, in some ways we don't work as hands-on with the interface itself as we did before. But another thing that would be helpful would be easier ways to integrate it with other systems. The integrations seem to exist, but they're a little weak in terms of how easy they are to set up, or what kind of information can be pulled in. That's something they've said that they're working on, as part of their roadmap, but that is something that I would like to see improved.

For how long have I used the solution?

We have been using Awake Security Platform for about half a year. 

What do I think about the stability of the solution?

We have not had issues with the stability. It's pretty much always available when we need it. We're not concerned about that, whereas we do have issues with stability with other products.

What do I think about the scalability of the solution?

We haven't encountered too many scalability issues yet, but we haven't really tested scalability. We haven't tried running a massive amount of artificial network traffic through it, but for our purposes, it has been performing fine.

We expect to increase usage in the future because the InfoSec team is growing and we have more bandwidth. Our strategy for onboarding Awake was always with the awareness that our InfoSec team was very small. When we onboarded it, we needed that additional external resource, the MNDR team, to help us monitor the network as well as the appliance itself to provide visibility. But when we were evaluating Awake, we also saw that there was a growth path, that there are more capabilities to the appliance and it's an appliance that we can dive into, hands-on, ourselves. As the team grows, it's something that will grow with us and allow us to get more immersed in, ourselves.

How are customer service and technical support?

Technical support has been good. The good news is that we haven't had to utilize their technical support too much, and when we have had issues, like the SFP transceiver that was shipped with the product, they've been pretty responsive about getting them fixed.

My impression is that their MNDR team has been pretty proactive about notifying us of events. Their expertise seems pretty reasonable. When we've had the monthly reviews of events with the person they have assigned to our account—when we have questions like, "Hey, why did this alert come up?" Or "What does this mean exactly?"—they've been pretty willing to either answer the question on the spot, or, if that person doesn't know, they've been willing to go back and follow up with the team on that. They've been pretty responsive and we haven't had any concerns.

Which solution did I use previously and why did I switch?

We were not comprehensively using a previous solution. We had firewalls with DPI enabled but that's not the same thing as Awake being able to monitor internal traffic as well. We needed this kind of core capability.

How was the initial setup?

The initial setup was fairly straightforward. We deployed the sensor on-premises and then we deployed other sensors at other sites. We have our own VPN tunnels between sites, so working with Awake's team and our IT team didn't turn out to be a huge problem. We did run into one small issue, having the wrong SFP transceiver for one of the appliances, but that was just a logistical issue; it had nothing to do with the technology itself.

The initial deployment, so that we could start seeing visibility on a lot of our traffic, was very quick, and took a week or two. Part of that time was just the physical aspect, especially during quarantine, of needing to get someone physically out to the office to rack it up and hook it up. I have no particular concerns about the deployment. It went pretty smoothly overall.

One of the good things that they had was a site survey and that got the conversation rolling regarding what connectivity we would need across sites, and what the basic strategy would be. That strategy was, "Okay, let's start with a combined sensor-plus-hub appliance at HQ and, from there, we'll just ship smaller appliances out to our various branch offices—the ones that we are initially bringing onboard."

As for maintenance of Awake Security, we require almost no one, which is good. The maintenance really hasn't been a problem. Once we make sure that the physical appliances are racked and stacked, they pretty much stay where they are. Occasionally, if we have a new office, it's pretty easy. We talk to Awake, we buy a new appliance, it gets shipped out to where we need it to be, and we rack and stack it. But once it's in place the maintenance is very low.

We have about five people who are users of Awake, although that's changing. It continues to grow as we onboard new staff. We have security engineers who use Awake. They're not analysts, they're engineers, so they don't monitor it but they will occasionally use it because it does have that query language. We also have our IT engineers who occasionally coordinate with Awake when Awake says there's a new version available. Awake will coordinate a time to upgrade. That has generally gone pretty smoothly.

I think they're still a little bit of a startup, even internally at Arista, because occasionally things get dropped. For example, it wasn't a version upgrade, but we upgraded to a new appliance because the one that we had picked for our PoC ended up being a little undersized. We had to expand the scale of the appliance as we brought on new offices. Things like the user accounts didn't get transferred over as we would have expected. That was a little bit of a hiccup but nothing too concerning.

What about the implementation team?

We only worked with Awake, which is what we prefer. We like things that we can deploy and implement ourselves, just with the vendor, that don't require professional services.

On our side, the deployment was done by a network engineer and assistant engineer.

What was our ROI?

For a security tool, ROI is always a little harder to get at. Was there some breach that could have happened if we didn't have Awake? Maybe. We don't really know and can't quantify it concretely.

But it does save time for us not having to manually correlate across different network devices to investigate something funny that's happening. Instead, we essentially have the Awake team monitoring it for us and making us aware of any kinds of funny activity. Beyond that, there have been time savings because of one of our use cases which is using the query language to debug and ask questions of the network. We can do that instead of having to manually correlate across systems.

What's my experience with pricing, setup cost, and licensing?

The pricing seems pretty reasonable for what we get out of it. We also found it to be more competitive than some other vendors that we've looked at.

We paid for the appliances and for the MNDR and the pricing was fairly comprehensive. There wasn't any nickel and diming.

Which other solutions did I evaluate?

We evaluated Corelight, which commercializes the open source solution Bro, or as it's now known, Zeek. We also evaluated Darktrace as well as a couple of other vendors that are new in the space with solutions that claim more of an AI/ML-based approach. Vectra AI was one of them. We also evaluated ExtraHop. We didn't go into a full PoC with most of these because it would have been too much for us. We sat through a variety of demos and technical discussions with the vendors. We only PoC'ed Darktrace and Awake.

Between Darktrace and Awake, Awake was a lot more hands-off, which was good for a smaller team starting out. But at the same time, it was also more understandable. The query language made sense, meaning it was learnable and we could see ourselves using it in the future. Whereas, with Darktrace, it was more of a black box. It tended to have a lot more noise for us.

I'm not as convinced about the AI/ML portion and that's not why we went with Awake. I understand that there's some AI/ML in it, although I don't have a lot of insight into what that does, but we like the fact that it also has more standard and traditional heuristics. They have this query language where you can write heuristics to alert on certain kinds of interesting events. We really like that because it is more understandable in many ways than a pure AI/ML-based solution, the kinds we've seen from other vendors.

What other advice do I have?

One thing to be aware of, for someone else using Awake, is to be ready, at the beginning, to clearly define what is expected network activity and what is not. That helps both teams. For us, it has been an interesting challenge because our network is quite complex. In the life sciences, we have pretty varied environments for physical manufacturing, R&D, and SG&A. It spans the whole gamut. What helps in that environment is being very clear, up front, about documenting and giving context to the Awake MNDR team about which devices are domain controllers and the kinds of traffic they should expect from them, and which subnets are segmented off in different ways so that they should not expect certain kinds of traffic from them. Include what kinds of applications you have at the company, applications that are approved or behaviors that are approved, so that they know to tune their models to not alert on that. Getting a better picture, if possible, ahead of time, so that you don't have to refine that over time with the Awake team, is something that would help. That's not a criticism of Awake. It's more just a lesson learned.

In terms of the solution's false positive rate, we're still working through it. We don't look at the console too much ourselves these days unless we need to run a particular query to answer a question. Normally, we just rely on the MNDR team to surface anything that needs escalation to us. In some ways we're still in an onboarding period. The MNDR team will raise some sort of alert, and some of them definitely warrant further investigation, which has been really helpful. That's helped us identify certain risky behaviors that users are engaging in, and remediate them. At other times, we continue to refine our SOP with them. They'll alert us of something suspicious and we'll say, "Oh, that's okay. We allow large uploads to Box." They're usually pretty good about just saying, "Yeah, we'll put that in as an exception."

When it comes to the solution moving away from traditional alerts and focusing our team on the entities that pose the highest risk, we haven't really seen that as much, ourselves, because we've been pretty hands-off and leaving it to the MNDR team to monitor the appliance. We looked at the appliance during the PoC process and have looked at it ourselves occasionally. But one of the things that's tricky about our deployment is that we also have it monitoring our guest network, where we do see a lot of high-risk devices that are clearly going into bad domains but, at the same time, it's our guest network so it's not something we actively police.

The combination of Awake's technology and human expertise within the MNDR service has been really good. We're pretty happy with Awake. It helps us sleep better at night because we know that there's another team out there helping to watch activities on our network.

Awake is a great solution to get started with, for getting that initial network visibility, especially with the MNDR team. It also seems like a great medium-maturity solution where you could have an enterprise that wants to roll off of the MNDR team and have more of an internal capability and an internal team monitoring and utilizing Awake. That would work too. That's where we're thinking we might go, eventually.

I'd give it an eight out of 10 overall. It provides a lot of value. There are a couple of rough edges that they're still working on and that we'd like to see improved, but it's definitely very useful to have in the toolbox.

Which deployment model are you using for this solution?

On-premises
Disclosure: IT Central Station contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
Eric Etherington
Chief Information Security Officer at Dolby Laboratories
Real User
Top 10
Enables us to monitor lateral movement of traffic across sensitive networks

Pros and Cons

  • "The security knowledge graph has been very helpful in the sense that whenever you try a new security solution, especially one that's in the detection and response market, you're always worried about getting a lot of false positives or getting too many alerts and not being able to pick out the good from the bad or things that are actual security incidents versus normal day to day operations. We've been pleasantly surprised that Awake does a really good job of only alerting about things that we actually want to look into and understand. They do a good job of understanding normal operations out-of-the-box."
  • "They've been focused on really developing their data science, their ability to detect, but over time, they need to be able to tie into other systems because other systems might detect something that they don't."

What is our primary use case?

We use Awake Security to monitor internal networks. We monitor the lateral movement of traffic across sensitive networks.

How has it helped my organization?

The most valuable aspect for us is that we have a small team, so when we bring in new security solutions, it's really important that they're tuned well because there are only so many alerts that we're going to be able to deal with. If we put something in place that creates a massive amount of alerts, we're just not going to have the resources necessary to respond to all those. Putting something into place that can look at really sensitive internal networks and do it in a way that doesn't cause us to have to hire a number of additional resources to support that is really important. 

A lot of security teams underestimate the resourcing needed when you put new platforms in just to maintain, care, feed, and respond to the alerts that come from a new system. With Awake, it's very self-sufficient. The tool does a lot of the work and they even have managed services on top, if you need additional resourcing to help you deal with the alerts or configure the system more, that comes as part of the solution. You really put yourself in a situation where you're going to be successful quickly without having to scale your team.

It helps us stay in compliance with government regulations. As more privacy regulations come into effect, we definitely want to make sure that we're meeting privacy regulations both today and have the flexibility that if a new regulation comes out in the near future, we still have something in place that can keep us in compliance and we don't have to change our security architecture. Awake gives us the ability to detect and respond to security incidents while still protecting the privacy of that data.

We use Awake Security to identify and assess IoT solutions. All these technologies need to work on all types of devices, including early-stage and proprietary prototypes of phones and tablets, and early-stage versions of the new operating systems that come out on those devices. Obviously, those are situations where we wouldn't be able to have a standard security agent running in those environments, but we definitely want to understand if those devices are communicating outwardly to the types of things on the internet that you'd expect them to, or if there are any connections going back and forth to the internet that would be out of the norm for machines that have very strict testing scenarios around them, so it's very easy to understand.

We want to make sure that those devices are only communicating with a pretty strict set of use cases. Being able to understand the traffic coming to and from those devices is really important and using a network tool is really the only way to go.

Cloud TAPs for visibility into cloud infrastructure are something that all security teams need to be looking into. I think a lot of people have jumped to the cloud and realize that they don't have firewalls anymore. People tend to rely on security groups and access controls. As a result, security teams often lose visibility of the network traffic on the cloud that they may have had on-prem. It's not apples to apples. If you don't necessarily have the same security toolset, you can lose visibility. Having something like Awake on the cloud is definitely something people should start thinking about to be able to obtain that visibility.

What is most valuable?

We definitely have machines that might not lend themselves to having endpoint security agents on them, either because they can't support an agent or they're testing devices that have very critical configurations that an agent might have a negative impact on. Being able to monitor traffic to and from those devices over the network is definitely preferable and really the only way to do it, to not have a negative performance impact on those machines.

That could be IoT devices. It could be test devices of early-stage prototypes. Being able to understand the traffic coming to and from those devices using Awake has been a big deal for us because it wasn't something we were able to do before with any other technologies.

The security knowledge graph has been very helpful in the sense that whenever you try a new security solution, especially one that's in the detection and response market, you're always worried about getting a lot of false positives or getting too many alerts and not being able to pick out the good from the bad or things that are actual security incidents versus normal day to day operations. We've been pleasantly surprised that Awake does a really good job of only alerting about things that we actually want to look into and understand. They do a good job of understanding normal operations out-of-the-box.

Then for those things that we do want to mark as being normal operations, as opposed to security incidents, whenever we do configure those in the system, they never come up again. They do a good job of weeding those out. We're not actually getting that many alerts from the system and when they do come up, they are definitely things that we want to look at. It's been good. It didn't take us very long to get to that point. From day one of the POC, we were seeing things that we wanted to look at and we weren't looking at a lot of false positives.

The data science capabilities of Awake are a big reason why the false positive rates are so low. The data science side really gives Awake the ability to spot things that are out of the norm. Whether it be IoT devices or devices that are hard to have a standard profile for, it does a good job of figuring out what's out of the norm for that type of device or the type of traffic that would typically come from that device.

The encrypted traffic analysis is a key part because encryption has become the de facto standard for all network traffic, even internal traffic. One of the biggest challenges for security teams over the last five years is that we have more and more encrypted traffic, rightly so, to help protect those data streams, but because of that, it makes it hard to have visibility into that traffic. Awake has the ability to understand encrypted traffic and capture parts of traffic that we want to look at more closely while at the same time having very little impact on that traffic because it's sitting on the side and viewing that traffic without being in front of it and having a negative impact on it.

That was a big deal for us because if you have to decrypt traffic and pull traffic offline and store it, that creates a lot of other privacy and security problems that most teams don't want to get into. Being able to have something in place that can evaluate encrypted traffic is really important now.

Awake Security provides us with better situational awareness. First and foremost in security, the first step is to gain visibility. The nice thing with Awake is that it will give visibility into environments that you likely don't have visibility into today. Part of that visibility is going to increase your situational awareness and start to understand the normal versus the abnormal for that environment.

We have better situational awareness by 25 to 50% but I think a lot of that depends on what your internal network architecture looks like. I think security groups always struggle with how to gain visibility over internal networks. We do pretty good at endpoints and pretty good at the edge, but internal network flow is always a challenge. Depending on how your network is set up, you can gain as much visibility as you'd like using Awake.

What needs improvement?

It's important that Awake continues to develop its APIs to be able to help intertwine their product into the overall security architecture of a company, just because it is a single tool. Likely a company will have a number of tools in place that you want to be able to communicate and correlate events between and be able to pull actions and information from different security systems. Whenever I look at a new security solution today, their ability on the API side is always one of the first things we look at.

The great thing about Awake is that it has really solid visibility. You might get a detection that happens on a different platform, and one of the first things you want to do is ask the Awake system for more context around an alert because they do have visibility into encrypted traffic. Being able to ask questions of the Awake platform from other systems is really important.

They've been focused on really developing their data science, their ability to detect, but over time, they need to be able to tie into other systems because other systems might detect something that they don't.

For how long have I used the solution?

We've been a customer for around a year and a quarter now. We had been doing a POC with them for a few months before that, so about a year and a half total.

What do I think about the stability of the solution?

The stability has been rock solid. There have been updates on a regular cycle that are mostly feature updates. I haven't seen emergency bug fixes or notices from Awake that caused us to have to do emergency patches or pull the system down. It's been up 100% of the time, and it's just been a matter of us being aware when upgrades were scheduled. There was no downtime as a result.

What do I think about the scalability of the solution?

Scalability goes back to that design you have to do upfront to figure out what parts of the network you are most concerned about. If you do that work upfront, you can scale it as much as you want to. You should be thinking about how many devices you really need. In terms of scaling the devices and having a management console to do that, that part of it is pretty simple.

We have three people that interact with it on a regular basis. We have a Cyber Defense Manager and two incident response analysts that use it on a regular basis. We do a weekly call with Awake Security, where we review new detections that we might work with them on and that take time to develop or specific things that we might have been seeing in other parts of the environment that we want to make sure that they're aware of.

Our Cyber Defense Manager is more involved in the tuning of the device, and he talks to them on a weekly basis. Then the IR analysts are reviewing alerts on a daily basis or an as-needed basis as they come through. They're also involved in the weekly calls.

We use it in our locations with the most sensitive engineering-related use cases today. Not all of our locations, just some of them. Our largest locations tend to have an engineering arm at those locations. That's where we focus the Awake devices today. So far, our deployment has been on-premise only, but we are starting to look at their cloud options as different business groups start to expand to AWS and GCP.

How are customer service and technical support?

The technical support has been surprisingly good. With most companies, they do a good job of getting you through the initial customer success phase of getting off the ground, but getting support afterward is a challenge. With Awake Security, I feel like it's been more of a partnership, meaning we have those kinds of ongoing weekly calls with our customer success manager to really make sure that we're getting the most out of the product. In terms of just straight support issues, those have been very minimal. Whenever they have come up, they've been addressed right away. It's been one of the things that stands out, that we haven't had issues in that area.

Which solution did I use previously and why did I switch?

We had done a proof of concept with Darktrace for a number of months before Awake. There were a lot of issues with false positives, meaning, there were a lot of alerts coming from the system that when we looked at them, we could tell that that's actually normal business operations for the environment that it was looking at. It was one of those things where we thought that with machine learning, it would pick it up over time and it would start to tune these things out, but we really had consistent problems with it generating too many alerts to the point that the more important alerts were getting lost in the shuffle of the false positives. We ran it for a while to try and understand if it would learn and get better, but we didn't get to a point where we felt confident in the alerts that were coming out of it.

How was the initial setup?

The initial setup was straightforward. If people have ever put something on a SPAN port before, it's just really a matter of understanding what parts of your network you want to focus on. I would say we spent one hour doing a whiteboard session with Awake and our networking team to decide what's the best place to set these devices to have the most visibility. Then we were up and running the same week.

Awake is one of those things you want to focus your most critical networks on. If you know where your critical data is, especially data that's meant to stay internal or segmented in some way, Awake is a really good way to help monitor those environments. Especially if you have environments where you might have devices that for whatever reason, you can't have a standard endpoint security approach with environments that might be used for research, testing, or things that are really meant to be black-box type environments.

Awake can give you visibility into areas that you typically wouldn't have. In our implementation strategy, we really looked and defined those areas and figured out, what would be the right placement of devices to give us the visibility of our most sensitive data.

What was our ROI?

We have seen ROI. The alerts that come through, they're all things that we want to follow up on. There are things that help us improve our security stance over time. As we've addressed those issues, I think they've led to improvements in the process by engineering teams. They've led to better security controls. Those are the two biggest areas of improvement.

What other advice do I have?

The piece that people should be considering is how much storage they want for data in the platform and how long they need to retain data for. It's not sitting in the middle of network traffic, but for incidents that come up or alerts that are generated, it will store PCAP information for those alerts. You want to make sure that you have enough storage of information around those alerts so that you can go back, whether it be six days, a week, a month, whatever you want your retention period to be. That's something you should think about when you're putting this into place.

Also consider if the data is going to be piped off somewhere else and stored, or if it is going to be stored locally on the box because that's one of those things you can do either way. People should be thinking about it going in because it can generate a lot of data if you want it to.

I would rate Awake Security a nine out of 10. As soon as the API gets a bit more mature, I think they're on track to be a 10.

Disclosure: IT Central Station contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
GF
Chief Security Officer at a university with 1,001-5,000 employees
Real User
Top 20
With the threat-hunting service, we didn't have to increase our team size to realize value

Pros and Cons

  • "The most valuable portion is that they offer a threat-hunting service. Using their platform, and all of the data that they're collecting, they actually help us be proactive by having really expert folks that have insight, not just into our accounts, but into other accounts as well. They can be proactive and say, 'Well, we saw this incident at some other customer. We ran that same kind of analysis for you and we didn't see that type of activity in your network.'"
  • "When I looked at the competitors, such as Darktrace, they all have prettier interfaces. If Awake could make it a little more user-friendly, that would go a long way."

What is our primary use case?

For us, Awake provides the insights into our network traffic.

It's something of a hybrid. We have on-premise collectors and there's a lot of storage involved, so we keep that on-premise, and then we have a cloud dashboard.

How has it helped my organization?

We are able to see lateral movement between networks, which is really important. Having packet captures stored for a period of time helps us with forensic investigations. If we learn something after the fact, we can go back and see what went on at what time and correlate different events. 

I'm a big proponent of Zero Trust and one of the core tenets of Zero Trust is that you log everything. That gives us the ability to have greater insight into our network and what's going on. The goal is to shift us from being reactive, always responding after something went wrong, to being proactive. We've been collecting logs from servers for years, but the missing piece was always the ability to collect network traffic as well.

We find so much value in the threat-hunting service. We didn't have to increase the size of our team to get value out of the product. The product itself is good and valuable, but having to train and retain the talented threat-hunting folks that we'd have to have to go through it would be a real barrier. Having that as a service is really important.

We have TAPs in our network, and they see all traffic, whether it's a managed device or it's a student going to Netflix. We obviously filter out a lot of the traffic that's not relevant to a security appliance. It's one of the key values for a university environment. We've got just as many, if not more, unmanaged devices on our network than we do managed devices. When I think about lateral movement, where folks are talking and whether folks are talking to machines they shouldn't be talking to, the ability to track both managed and unmanaged devices really helps in giving us peace of mind that we're in good shape.

That tracking of managed and unmanaged devices provides really good context. Even if the device is unmanaged, we still have some insight into who they were, what they were doing, what services they accessed. Generally speaking, we can correlate and figure out that it was, for example, a particular student doing something. In a corporate environment, they would likely have a lot fewer unmanaged devices, but it really provides that insight into who people are and where they were going.

The solution also presents us with "Situations" rather than individual events. It does a type of roll-up of what activity happened. In some cases, the activity could be ongoing and you see new events or data populating in real-time, which is really helpful. It's transformed our process in the sense that it really provides visibility into an area we didn't have visibility into before. And it fits really well into our ecosystem. We've got another managed service provider that provides us with a security operations center. It fits really well into the ecosystem.

Awake Security has also decreased the time it takes to discover things, although we don't have it configured to do any automatic orchestration or remediation on its own. 

What is most valuable?

The most valuable portion is that they offer a threat-hunting service. Using their platform, and all of the data that they're collecting, they actually help us be proactive by having really expert folks that have insight, not just into our accounts, but into other accounts as well. They can be proactive and say, "Well, we saw this incident at some other customer. We ran that same kind of analysis for you and we didn't see that type of activity in your network." If there's a major vulnerability or breach or something that makes the news, they give us that peace of mind by saying, "Yes, for sure, we saw it," or "No, for sure, we didn't see it."

Awake moves away from traditional alerts and instead focuses our team on the entities that pose the highest risks to our environment. We have other tools in our environment that help us monitor for specific kinds of attacks or executive-level accounts with UEBA or other technologies. What this solution gives us is that insight into the network to see, when we've done a packet capture, that this is just an email to a family member and not a malicious activity like we would have assumed if we got that alert from some other monitoring system. It provides that extra level of insight that we'd otherwise be missing.

In addition, the EntityIQ, its AI-based Security Knowledge Graph, was one of the big features that drew us to the product. With the competitors that we looked at, it was very difficult to find out who someone was. We would have to go to other systems to correlate and say, "Okay, well, this was a user and they had access to these machines, but someone else logged on to this machine at a certain time." The value of EntityIQ is huge. It reduces the amount of investigation time, and it helps us correlate events faster and be more responsive. A lot of vendors have tried to do something like that, and it seems like Awake has gotten it right.

While we don't do decryption, it's still valuable to have insight into the metadata to know where people were going if they match against threat-list IP addresses. It's also valuable just to know the size or length of certain sessions. It's very different if it was just one packet versus hours-long, data-exfiltration-type activity where we can see a lot of data was downloaded. We're also very concerned about privacy, being at a university. So being able to provide some level of insight, even with encryption, is really important.

What needs improvement?

When I looked at the competitors, such as Darktrace, they all have prettier interfaces. If Awake could make it a little more user-friendly, that would go a long way.

For how long have I used the solution?

We started a proof of concept of Awake Security Platform about this time last year, so we've been using it for just about a year.

What do I think about the stability of the solution?

It's never gone down, so that's pretty stable.

What do I think about the scalability of the solution?

Because there's so much storage required to do as much packet capture as we'd like, it does take up a lot of rack space. Scaling requires additional hardware. It's not necessarily scalable but our network also doesn't grow that quickly from year to year.

As a university, we're in an unusual situation. We're like an ISP. We've got 15,000 people who could come to campus any day. We've got outdoor wireless and indoor wireless coverage that cover about a square mile. We've got a high-performance research computing cluster. We do lots of research. We're also a small-to-medium enterprise. We also have several stadiums for different kinds of events. We have a health center as well. It's a very unique environment and there's a lot of complexity as a result.

How are customer service and technical support?

Their technical support has been pretty good. We haven't had many issues and they're very proactive. That's what we were looking for.

For example, they found an undisclosed zero-day vulnerability in some consumer software and they were able to identify that in our environment. They provided enough information to help us address it, but they also gave us a heads-up before the zero-day was announced, which I thought was awesome.

Which solution did I use previously and why did I switch?

We used similar solutions in the past. We switched to Awake Security because they were able to offer a model that was significantly less expensive and the value that we get out of it is higher.

One of the challenges that we've seen in this space, with different providers, was whether they were able to detect an incident if we had one. Some detected what others didn't, and vice versa. But we have had experience with other providers that weren't able to detect incidents. We haven't come across that yet with Awake. That's a good thing, but you don't know what you don't know, and that's always the challenge in security.

How was the initial setup?

The initial setup was pretty straightforward. We were up and running fairly quickly. We knew how to do SPAN and TAP ports and I liked their integration with Arista which provides TAPs. That makes it an all-in-one solution now.

Our proof of concept took a couple of months and I liked the way they worked with us. We do a lot of due diligence before we make a purchase. They were very flexible and worked through lots of scenarios with us before we actually made the purchase. The company is very good to work with. It wasn't as though it was a challenge to set up. It was really just getting to know all the aspects of the product and feeling comfortable. There were no high-pressure sales. They were committed to helping us get the right solution for us.

It was mostly implemented as a result of the PoC. We then had to make sure that we had enough storage to store enough packet captures and to make sure it was in the right networks and was giving us the right visibility. Because of the way we've got to deploy, there is a lot of duplication in traffic between the various TAPs, so doing deduplication is a challenge sometimes.

There's definitely a learning period where you have to help them understand your environment and that's not something that you can outsource. You definitely have to have staff on the inside that knows what's important to you and what's not. What a false positive is will vary drastically between an environment like ours, which is an academic environment at a university, and a locked-down corporate environment at a financial institution. Everything they flag is interesting. It's not necessarily a false positive or not, until we think about who the user is that they're flagging. If it's a student doing something, that's a very different scenario from an executive doing it, for example.

Training their threat-hunting analysts is really the important part of any threat-hunting operation. They need to know how the customer's environment works and what the network looks like; not just what IP ranges are out there but what users are doing. Having all of that data in their own playbook is the secret sauce for success for any company, and Awake did a good job of that. They really dug into understanding our environment and assisted us in the implementation of this product from the get-go. There's always going to be a learning process for any customer, but they really helped walk us through the process.

On the admin side, the users of the solution are the five people on my team. They are all security engineers.

Which other solutions did I evaluate?

We looked at Darktrace, ExtraHop and there were a couple others. It really came down to value. What Awake was able to do was to provide the same service that those others were offering but at a lower price, and that lower price also included the threat-hunting. Just getting a tool such as Darktrace or ExtraHop might be great but I would have had to go train a team of people to be able to use it and to get value out of it. Whereas with Awake, I was able to get value out of it on day one.

What other advice do I have?

Every environment is different and you have to start with knowing what your goals are and what your environment looks like, to really find the right product for you. What integrations do you have? A big challenge is how your remote workforce changes the way you think about your environment. How does your cloud adoption strategy affect things? Awake is an on-premise, network-based solution. For us, that makes a lot of sense. We only have one site where all of our users go. If you're totally remote, now, with COVID, and you're mostly a cloud/SaaS-based shop, it may not be the right fit for you. You want to think about how you can accomplish the goals that are particular to your environment.

Finding a product that allows you to continue to improve, to get you that insight about your network and how it's changing over time or how people are using it, is important. A network is a living, breathing thing. Having a solution that can also help give you insight into how it's changing or whether it's architected appropriately, or give you insight into where you have gaps or lack of visibility is important. It's all about improving every day. That's one of the things that the Awake team has brought us.

My dream is to have a student-led security operations center in-house. We're not there yet, obviously, with COVID. We don't have as many people in-person and on campus. But to be able to sit a student down who is just getting their feet wet in security or technology, and to help them hit the ground running as an entry-level analyst, that's really the dream. I would like to make them more productive and able to get insights into the network faster. We're not there yet, but Awake really gives us a head-start with that.

Awake gives us more information, which increases our analysts' workloads, but it also streamlines the process. It's addressing a gap in our visibility.

Disclosure: IT Central Station contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
David Saville
Senior Systems Engineer at Wealth Counsel
Real User
Top 20
Increases our security abilities by covering more attack vectors through managed services

Pros and Cons

  • "The interface itself is clean and easy to use, yet customizable. I like that I can create my own dashboards fairly easily so that I can see what is important to me. Also, the query language is pretty easy to use. I haven't needed to use it a ton, but as I need to go in and do different queries based on their requests, it has been fairly simple to use."
  • "One thing I would like to see is a little bit more education or experience on AWS cloud for their managed services team. We've explained how we have the information set up, that the traffic coming in goes to the AWS load balancer and then gets sent on to our internal servers... but when I get notices they always tell me this traffic is coming from the IPs belonging to the load balancers, not the source IPs. So a little bit more education for their team about how AWS manages the traffic might help out."

What is our primary use case?

We have a team of one, me, so we also use their managed services. They monitor things for us and report on any issues. Personally, I haven't had to go into it very much. As they monitor, they will alert me to any issues that they detect through the automated tools and their agents. Once they have an issue, I will look it up and verify the issue and then respond to them on validity; whether it's a known issue or not.

We are only utilizing it for incoming and outgoing traffic for our production systems, our development systems, and our on-prem network. As most of our employees are remote, we don't utilize it for their traffic or for any IoT devices. It's mainly for traffic related to our SaaS platform.

My involvement has been responding to the alerts that they send me, which has been perfect for me. I don't have the manpower to manually monitor all the time, and that is what our goal was with them.

How has it helped my organization?

The biggest advantage we have from using Awake is a more complete and comprehensive security posture. Previous to this, we didn't have any way to monitor traffic, as doing so wasn't really required. It's now something that we want to implement. Given that I'm the lone person on the team, I'm covering everything. I don't have the time and resources to dedicate to just network management and the traffic. It helps us, as part of our security posture, to manage and monitor and address these aspects.

Awake definitely helps me focus on the highest risk alerts. There isn't a lot of noise or garbage, at this point, in the information. It really helps me focus on the real issues.

In addition, our on-prem stuff is all encrypted. We can't, of course, see the contents, but it's been enough to determine the source location. A lot of the header traffic has been enough to usually determine, by correlating with other tools that I use internally, if there is an attack. It's sufficient for what we need to do.

It uncovers threats that rely on compromised credentials or supply-chain compromises, rather than focusing just on malware threats. We've had several instances where someone was trying to hit our production traffic using made-up credentials. Awake alerted us to one such incident this morning, that someone was trying to use those types of credentials to get in. Of course, they were bogus and unsuccessful, but they're able to recognize that type of attack.

The solution also tracks both managed and unmanaged devices, because it's pulling all traffic, regardless of its source or destination. It helps because we can, at least for our on-prem location, see which devices are attached and if there are any devices that we were unaware of, or that employees brought in. It's quite helpful in that regard.

That tracking of both managed and unmanaged devices helps detect a broad range of threats and it gives us the context we need to respond. The list of devices that we have on our on-prem network is fairly small, so it's quite obvious when new devices are attached. We haven't had this happen yet, luckily, but if it did, we'd be able to recognize it and see, not only that they showed up, but where the traffic is being sent to from these devices. That would enable us to address it. We can work with Awake on response management and mitigation of that device as well, thanks to the managed services.

In addition, when it comes to productivity, because I have not had to focus on this as much, I have definitely been more productive. I can focus on other security areas and I trust that their solution and their services are managing and catching any issues that arise for us. It has been a huge help.

Awake’s technology, artificial intelligence, and human expertise within the MNDR service have really increased our security abilities. Our security posture is more comprehensive. We can cover more attack vectors coming into our company and our platform because Awake is covering a large amount of that for us. We don't have to dedicate time to it, due to their managed services and their AI engine helping them detect and identify attacks. It's been a great help. We can use our time, which is a limited resource in our company, much more effectively.

It has also helped speed up response times, overall. When they have notified us about issues, I haven't had to go in and hunt down the log information, look at IPs, what it's hitting, et cetera. Their managed services provide me with a lot of that detail. I can use that detail to go into the tool and look at exactly what they're looking at using a query. I can recognize whether I need to investigate it further or, if I know what it is, respond to them. From the instances they have sent me, it takes me about 10 minutes, per instance, to figure things out and respond to them, whereas normally it would take me one to two hours to hunt down all the information.

What is most valuable?

The most valuable aspect is their managed services. They do such a good job and they enable us to provide a good level of network security, even with our small team size.

The interface itself is clean and easy to use, yet customizable. I like that I can create my own dashboards fairly easily so that I can see what is important to me. Also, the query language is pretty easy to use. I haven't needed to use it a ton, but as I need to go in and do different queries based on their requests, it has been fairly simple to use. It reminds me of other query languages. I use Splunk a lot and it's similar to that, so I didn't have to relearn a lot.

In addition, at this point, the false positive rate is pretty good. Of course, initially, as it was learning our systems, what traffic was coming in and going out, it was fairly high, although not excessively. But as we've added to our list of known IPs and gone through testing systems, we have marked them. Now, I don't get alerted to anything from their managed resources unless it really is a remote attack. I don't see any false positives for our internal traffic anymore.

The expertise of the Awake team across threat hunting and incident response has been pretty good. We have regular meetings with them to go over any issues they've found. I receive emails when they detect any issues and have questions about them. We try to keep them up to date on our infrastructure, IPs, and hostnames. With that information, they can reduce their false positives, so they're not notifying me needlessly. I don't think I've ever received a false positive from their team. With that information, while there have always been issues, they haven't been serious issues. There have always been malicious actors or other factors that were trying to hit us, or we had set up a scanner that I failed to inform them about. They notified me about the scanner and I let them know that, yes, this is an approved scanner that we've employed, and they added it to their list. They've done a really good job.

What needs improvement?

One thing I would like to see is a little bit more education or experience on AWS cloud for their managed services team. We've explained how we have the information set up, that the traffic coming in goes to the AWS load balancer and then gets sent on to our internal servers. Because we are grabbing traffic behind that load balancer, it shows the source IP of all traffic coming from the load balancer. In reality, you need to look at the X-Forwarded-For header IP to see where it's actually coming from. I've explained that to them several times, but when I get notices they always tell me this traffic is coming from the IPs belonging to the load balancers, not the source IPs. So a little bit more education for their team about how AWS manages the traffic might help out.

They might also be able to improve on the cloud side. Right now we're in the process of migrating all of our on-prem stuff to just the AWS cloud. We'll be utilizing this service as AWS-only. They said that we can set it up that way, but without the hardware appliance, I'm curious to see how that goes. It seemed to me, when we were setting up, that the AWS portion was still in its infancy, and still being tested or developed. It works great, but it did take a bit of work to get set up, so I'm curious to see how having the entire solution in the AWS cloud works. I'm hoping it works well when we do that migration in the next month or two.

For how long have I used the solution?

We have been using Awake Security Platform for about a year.

What do I think about the stability of the solution?

It's very stable. We've had no issues with downtime or outages or the like.

What do I think about the scalability of the solution?

It's scalable. With the AWS sensors talking to the main appliance, I'm not worried about scalability as our cloud infrastructure scales. I can see how deploying new sensors in new locations would scale easily with my main infrastructure growth.

We're hoping to increase our team from one to two. I'm hoping, as we increase our team, that I can focus more on delving into this, and not solely rely on managed services for reporting. I hope to be able to go in and explore and do my own investigations and utilize it more.

How are customer service and support?

Their technical support has been very good. Any time I've had questions or issues, they've been quite responsive.

Which solution did I use previously and why did I switch?

We did not have a previous solution.

How was the initial setup?

The initial setup of the solution was mostly straightforward. The appliance setup was very easy. The AWS cloud node took a bit of work to get going. They had to have a tech connect in several times and reconfigure it and make some changes until it was working. That was the only hiccup we had. Since then, it has been running flawlessly.

The appliance took about half a day to set up, because I already had a bunch of the network configuration, routing and port configuration, already done before we hooked up the appliance. The AWS part took about two days because they had to make configuration changes.

What about the implementation team?

I did it myself, working with their tech support.

What was our ROI?

We have seen a return on our investment indirectly. Our security posture is more comprehensive. As we talk to clients or go through audits or do insurance, having this capability for our security portfolio is a big plus. It shows that we are really taking a comprehensive approach to our security.

What's my experience with pricing, setup cost, and licensing?

Awake's pricing was very competitive. It's not a cheap option though. It's an investment to utilize it, but it's one that we decided was worth the cost, with the managed services. At our scale, it was a much better option to utilize their software and their managed services to handle this, rather than hiring another person to be an analyst. It was quite cost-effective for us. While it wasn't cheap, it was at a good price point for the services and capabilities they offer.

In addition to the standard fees, we have an incident retainer. If there is an incident and we need to hire their services to manage it and resolve it, we have a retainer on hand with them for that.

Which other solutions did I evaluate?

I evaluated several solutions. One of them was Darktrace, and it looked very similar, although the interface was different. It was very flashy and a little bit more difficult to get around in, but, at that time, the deciding factor was cost. Darktrace was much higher in cost than Awake. The evaluation happened at the beginning of COVID and everyone was scaling back, so the evaluation project died. But the main motivation for not returning to it afterwards was the cost factor.

Another one I looked at was Security Onion, an open-source solution. The cost was right in our ballpark, but the amount of time that I would have had to spend on it didn't make sense for us. We love Awake because of the managed services. If we had gone with Security Onion, I would have been the sole one to manage it, configure it, go through all the false positives, and I would have spent a lot of time on it. It would have almost been a full-time job for me, so it was the time issue that made me decide not to use Security Onion, as well as the interface. It was a collection of different open-source tools bundled together and the interfaces weren't completely unified. Awake is a lot easier to navigate and use.

What other advice do I have?

I've been happy with it. It's been very smooth. It's easy to jump around in. The interface isn't bad. I looked at a couple of other solutions but they seemed showy and it was hard to find the details.

Which deployment model are you using for this solution?

Hybrid Cloud

If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?

Amazon Web Services (AWS)
Disclosure: IT Central Station contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
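The load-balancer problem described in the review above, as an added example that is not part of the review or of Awake's product: a sensor or log behind a load balancer sees the balancer's address as the TCP peer, and the original client survives only in the X-Forwarded-For header the balancer appends. Because a client can send its own X-Forwarded-For, the code below trusts only hops appended by known proxy ranges and walks the header from the right; the proxy subnets and log lines are constructed for illustration.

```python
"""
Resolve the real client IP for requests captured behind a load balancer.

The load balancer rewrites the TCP source address, so anything behind it
sees the balancer's IP as the peer.  The balancer appends the original
client to X-Forwarded-For, but a client can also send that header itself,
so only the hop added by a trusted proxy is believable: walk the list from
the right, skip trusted proxies, and take the first untrusted address.
"""
import ipaddress
import re
from collections import Counter
from typing import Dict, Optional

# Constructed, hypothetical subnets for the load balancer nodes.  In a real
# deployment these would be the balancer's actual private subnets.
TRUSTED_PROXIES = [
    ipaddress.ip_network("10.0.1.0/24"),
    ipaddress.ip_network("10.0.2.0/24"),
]


def _parse_ip(addr: str):
    """Return an ip_address object, or None for a malformed value."""
    try:
        return ipaddress.ip_address(addr.strip())
    except ValueError:
        return None


def is_trusted_proxy(addr: str) -> bool:
    ip = _parse_ip(addr)
    return ip is not None and any(ip in net for net in TRUSTED_PROXIES)


def client_ip(peer_addr: str, xff_header: Optional[str]) -> Optional[str]:
    """Best-effort client address, or None when nothing can be trusted.

    peer_addr  -- source address seen on the wire (the TCP peer)
    xff_header -- raw X-Forwarded-For value, or None if absent
    """
    peer = _parse_ip(peer_addr)
    if peer is None:
        return None
    # A peer that is not one of our balancers connected directly; its
    # X-Forwarded-For, if any, is client-controlled and must be ignored.
    if not is_trusted_proxy(peer_addr):
        return str(peer)
    if not xff_header:
        return None  # a trusted proxy should always append the header
    # Rightmost entry was appended by the nearest proxy.  Walk leftwards
    # past any further trusted proxies (multi-tier balancing) until the
    # first address we did not add ourselves.
    for hop in reversed(xff_header.split(",")):
        ip = _parse_ip(hop)
        if ip is None:
            return None  # malformed entry: do not guess
        if not any(ip in net for net in TRUSTED_PROXIES):
            return str(ip)
    return None  # every hop was one of ours


# Constructed access-log lines in a simple key=value format (hypothetical).
SAMPLE_LOG = """\
peer=10.0.1.7 xff="203.0.113.5" status=401 path=/api/login
peer=10.0.1.7 xff="198.51.100.23, 203.0.113.5" status=401 path=/api/login
peer=10.0.2.9 xff="203.0.113.5, 10.0.1.7" status=401 path=/api/login
peer=10.0.1.7 xff="192.0.2.77" status=200 path=/api/health
peer=192.0.2.200 xff="203.0.113.5" status=401 path=/api/login
"""

LOG_RE = re.compile(r'peer=(?P<peer>\S+)(?: xff="(?P<xff>[^"]*)")? status=(?P<status>\d+)')


def failed_logins_by_client(log_text: str) -> Dict[str, int]:
    """Count HTTP 401s per resolved client rather than per balancer IP."""
    counts: Counter = Counter()
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if not m or m.group("status") != "401":
            continue
        client = client_ip(m.group("peer"), m.group("xff"))
        counts[client or "unresolved"] += 1
    return dict(counts)


if __name__ == "__main__":
    # Counting by TCP peer would blame the balancers; resolving the
    # header attributes all three forwarded failures to one client.
    print(failed_logins_by_client(SAMPLE_LOG))
```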
DV
Director of Projects and IT at a healthcare company with 201-500 employees
Real User
Top 20
Gives us the combination of an appliance for visibility and a top-notch monitoring team that is very responsive

Pros and Cons

  • "It gives us something that is almost like an auditing tool for all of our network controls, to see how they are performing. This is related to compliance so that we can see how we are doing with what we have already implemented. There are things that we implemented, but we really didn't know if they were working or not. We have that visibility now."
  • "While the appliance is very good, and I think they're working on it, it would probably help if they integrated the management team cases into the appliance so that everything we are working on with them would be accessible on our platform, on the dashboard, on the portal. Right now, Awake is just an additional team that uses the appliance that we use and then we communicate with them directly. Communication isn't through the portal."

What is our primary use case?

We have other network and security appliances and systems in place, but we were looking for something to give us deeper visibility into our network traffic, specifically the lateral, east-west movement. We have pretty good visibility north-south of things going through the firewall, but it was not as good internally. That's our primary use case. And we wanted to have something that would give us relevant alerts and actionable items.

We are using a combination of the Awake Security appliance and their network monitoring services. You can get just the appliance and then do the monitoring yourself, but while we use the appliance, we are not doing the threat-hunting ourselves.

How has it helped my organization?

Their monitoring team is really top-notch and they're easy to communicate with. They're very responsive. The combination of the appliance and the team is the biggest benefit. I'm not sure if we had only gotten the appliance that there would be as much of a benefit. We have other tools, we're not without visibility, but we have much better visibility now.

They do all the levels and tiers of monitoring and alerting. We just do incident response if it's required, or we modify or implement additional controls on the network. They tell us how it's going to impact or benefit our security. They are a partner. It's a partnership that's very functional and it's something that works for us. We could use the appliance ourselves and do the monitoring and threat-hunting, but we don't have enough staff for that. And their staff is, obviously, better qualified than if we were doing it in-house.

If there's any traffic that looks like it's a breach of policy, or something that seems like suspicious lateral movement, or unencrypted passwords, it is really beneficial to have them check it out first. But what it's really doing is more of a confirmation of our network security controls and design, confirming that they're working the way that we want them to. That's the biggest benefit.

What is most valuable?

We got a couple things out of it that we were looking for. First, it gives us something that is almost like an auditing tool for all of our network controls, to see how they are performing. This is related to compliance so that we can see how we are doing with what we have already implemented. There are things that we had implemented, but we really didn't know if they were working or not. We have that visibility now.

The second thing we were looking to do is to improve on the things that we were not aware of, that we didn't see before. Awake is an additional tool in our defense system, obviously not the only one, but it broadens our security posture and I believe it has also raised our security maturity.

We also use the EntityIQ feature and it is valuable. The user interface is very approachable and easy to navigate. But when it comes to getting deeper into it, creating more of the rules or recipes, we leave that to them. We just explain to them what we want to see and they create it for us.

What needs improvement?

The monitoring team is, as I said, top-notch. I can't say that anything needs improvement there. Because we have so few cases, we only meet with them once a month to go over things and talk about the status. 

While the appliance is very good, and I think they're working on this, it would probably help if they integrated the MNDR generated cases into the appliance so that everything we are working on with them would be accessible on one platform, on the dashboard, on the portal. Right now, Awake MNDR is just an additional team that uses the same appliance that we use and then we communicate with them directly. Communication isn't through the portal. However, they do send us information and a link where we can look and see the same thing in the appliance that they are seeing, so that's pretty good.

Another thing about the appliance itself, and again I believe they're working on it, is that it would help if there were a broader integration with other security vendors. I know they have some capability to integrate with Splunk and a few others, but it's still a fairly small number of vendors that they have APIs to integrate with.

For how long have I used the solution?

We have been using the Awake Security appliance and their MNDR service since April of 2020.

What do I think about the stability of the solution?

It's one of the best and most stable solutions that we have. It is extremely stable. We have had zero downtime, except when they are updating the appliance, and they always call us to let us know and we give them a timeframe. The system is rock-solid and stable; the speed is also good. I'm very pleased with the appliance.

What do I think about the scalability of the solution?

Scalability is less of a concern for us because we have all the remote offices pointing back to our central location and we monitor everything at the central location. For our architecture, one appliance was all we needed.

We have over 500 monitoring points, but being in healthcare, we have certain assets that are very critical, special medical devices, and that's our primary focus. We wanted to make sure that we have visibility to devices that don't have agents on them because they are closed systems. We wanted to make sure that our vendors' and suppliers' communication to these devices was visible to us and that we know what's going on in those connections.

How are customer service and technical support?

Awake was recently purchased by Arista, so they are part of the bigger company now. That may give them an opportunity to get more resources and expand their customer base, and perhaps hire more analysts for their managed network monitoring and have broader coverage. I think they are looking at offering 24/7 coverage. That's a good development, but there's always a risk that the team that worked cohesively in a smaller company may decide that they want to move on in a bigger company. I don't know what the arrangements are, obviously, but I hope that we won't lose that quality of team members and communication that we have now.

Which solution did I use previously and why did I switch?

We didn't replace a similar tool with Awake Security; rather, we added Awake to our existing environment. We continue to use Endpoint Detection and Response agents. We still use SIEM and we still use NetFlow tools for a quick look into network traffic, but Awake gives us a deeper look into that traffic. We can get to the packet level when we need to.

But most importantly we have somebody, through their service, looking at our network and watching for any anomalies, or if there's traffic that we're not aware of. It could be legitimate traffic, it could be what we are expecting, but even after we fine-tune it, we still want to know if something similar pops up on the network.

How was the initial setup?

The initial setup was very straightforward and easy, almost plug-and-play. We already had everything set up on our end, network-wise. We already use SPAN ports and all they did was send us the preconfigured appliance and we plugged it in. They didn't even have to come onsite for that. Compared to some other solutions that we looked at, it was extremely simple.

Because we already had things in place, it took us about one hour to get started. After a couple of weeks of the appliance looking through our live network data, we started receiving usable intel.

We sent the MNDR team a list of our key high-value assets that we wanted them to pay special attention to, and we sent them a list of all of the normal communication traffic that should be seen on the network, but which is not anything that we want to be alerted on. After that, we worked with them to remove some of the alerts that were repeatable, and that were not really relevant. After a couple of months of fine-tuning (not continuous, just as it came up), we got to a place where we just get one or two alerts a week, and they're valuable. That's been the situation for the last several months. We get all the information from them, what's happening and why, and if it's something that we need to take care of we do it immediately. That's one of the really big pluses: it's valuable information. In addition, the summary of the case tells us why something is happening and gives us enough information that we can remedy it immediately. Now the alerts we get are mostly for unusual but expected traffic. This gives us an opportunity to see that the appliance registers it and that if the same traffic were not expected or approved, we would know about it.

What was our ROI?

Return on investment is usually easier to show with numbers in other IT applications than in security. But the biggest benefit of having an outsourced managed monitoring team is that we don't tie up our internal resources or have to hire additional resources for that. Comparing the cost of the appliance and MNDR service to other resources we would need, the ROI is certainly there, and it is a benefit for us.

Which other solutions did I evaluate?

One thing that was specific to network monitoring that I used for some period of time was an open-source solution called Security Onion, which contains Zeek and Suricata, two open-source tools that are focused on network analysis. They work well, but they are fairly time-consuming and, of course, there's the support issue with the open-source that is often hit and miss. Having a network monitoring team on our side with the Awake Security appliance is a big step up.

We also considered and talked to people at ExtraHop, but they were just too expensive for us and they had more complex requirements for implementation.

What other advice do I have?

The solution is very good and the pricing is also better than others, but each organization has to have other security parts and pieces in place. This is not a silver bullet. It's not one thing that can solve all issues or cover all security, but it's a very valuable and needed addition to our security portfolio.

Anybody who feels that they don't have complete visibility into their network should give Awake Security a try, do a proof of concept with them, and see what results you get. It's a good product and I'm pretty sure it will give you what you are looking for. But do that PoC first, because everyone's environment or needs could be different.

The Ava feature for delivering autonomous triage is there and we can use it, but that is not what we do. The reason we got the appliance with the monitoring service is that we don't have enough staff to dedicate, full-time, to the system. So instead we gave their MNDR group the responsibility for monitoring and we just act on their information, and either remedy or reconfigure the network or whatever is needed on our end.

As for lessons learned from using the solution, we wanted to see if everything that we implemented is actually in compliance and working as we expected. We learned that a few things needed adjustments, needed corrections. Now we are not just compliant on paper but we actually have controls that are functioning. Perhaps, because of that, we haven't had any incidents for months now.

I would give a 10 out of 10 to the service. The team that monitors our system is very approachable, competent, friendly, and they provide resolutions if there is anything we need. The appliance is also very good. I would give it a nine because, as I said, there is still room for improvement. It's nothing major, nothing dysfunctional, but there's room for improvement. I give the appliance a nine, which is very high, because it is very stable, very easy to implement, not expensive, and has a good user interface. It fits pretty well on all the fronts that you want an appliance to fit.

I don't have any complaints.

Which deployment model are you using for this solution?

On-premises
Disclosure: IT Central Station contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
Dwayne Samson
Senior Analyst Security and Compliance at an insurance company with 5,001-10,000 employees
Real User
Top 5 Leaderboard
Reduced the time my team focused on incident response and provided the visibility we were looking for

Pros and Cons

  • "We appreciate the value of the AML (structured query language). We receive security intel feeds for a specific type of malware or ransomware. AML queries looking for the activity are applied in almost real-time. Ultimately, this determines if the activity was not observed on the network."
  • "Awake Security needs to move to a 24/7 support model in the MNDR space. Once they do that, it will make them even better."

What is our primary use case?

Awake Security was brought onboard to provide governance over the incident response process, which is a managed service. Challenges were identified, such as no visibility and no network awareness of what's going on in the environment. Once the network visibility was solved, the decision to look at AI related tools was initiated.

We will be using its features for compliance as well as threat detection, looking to partner with Awake Security to achieve these goals. Placing their solution in an enterprise financial vertical may allow thinking outside the box, providing additional value in the compliance space.

Right now, they are an on-prem visibility solution. However, we are a cloud-first company. Awake Security provides the ability to pivot to the cloud and look at what's going on there.

Two compliance use cases: First, when we have a new subnet within one of our CSPs, Awake Security will alert when activity is observed. Second, a new virtual machine has been provisioned and the local endpoint protection is not phoning home. With the correct structured language in place, we will know if the new device has been seen on the network for longer than five minutes and has not communicated with the update server.

How has it helped my organization?

Open communication with the MNDR service has driven down the number of false positives. The current average is five events a week, where four are actionable.

The direction we are heading is moving away from traditional alerts and focusing on entities that pose the highest risk to our environment. With the behind-the-scenes tuning, this lends to a clearer understanding of what this device does. Awake Security is constantly asking, "What is the purpose of a device in the environment?" and, "I'll update the LSOP, and we'll get this tuned."

We appreciate the value of the AML (structured query language). We receive security intel feeds for a specific type of malware or ransomware. AML queries looking for the activity are applied in almost real-time. Ultimately, this determines if the activity was not observed on the network.

What is most valuable?

Awake Labs managed network detection and response (MNDR) service is its most valuable feature. The Awake Security team finds incidents that we didn't realize were happening in the environment. Due to our cloud-first approach and outsourcing to managed services, a Tor beacon was observed by the Awake Security team. Files were being uploaded from one of our MSPs.

I am impressed with the solution’s EntityIQ, which is its AI-based security knowledge graph, in terms of its ability to identify and profile. We evaluated other vendors and were really poking at the AI. Not everyone does AI or machine learning the same way. Awake Security's model is unique in the way that they do their AI with their entities.

What needs improvement?

Awake Security markets themselves as a security shop, and that's what they are. However, compliance with our partnership can enhance its capabilities.

Awake Security needs to move to a 24/7 support model in the MNDR space. Once they do that, it will make them even better. For anyone searching to outsource a Level 1 or 2 incident response team, it would be prudent to look at Awake Labs.

For how long have I used the solution?

We purchased Awake Security a few months back. We made a good choice.

What do I think about the stability of the solution?

The stability has been rock-solid with no issues. It was sized properly.

The platform was recently upgraded. The upgrade went seamlessly. I have been working with the new interface and like it.

What do I think about the scalability of the solution?

There is enough overhead. When we start adding additional traffic, like our cloud landing zones, it will not be a problem.

We will be increasing usage, and it will be geared more towards the compliance around our financial vertical.

How are customer service and technical support?

Awake Security gets high marks for their communications. We speak at least a few times weekly to ensure the system is tuned correctly. High incident tickets are usually accompanied by a phone call. A review of tickets is scheduled on a monthly basis.

Our experience with the technical support has been great. The department manager receives an intelligence feed about new ransomware observed in the wild. We engage the Awake Security team and request a custom AML signature be written for detection. In one specific example, a request email was sent to Awake Security at 8:30 AM in the morning. By 10 AM, Awake Security's signature was in place.

Which solution did I use previously and why did I switch?

We are a start-up company, established within the last two years. We had a bake-off of three AI based network visibility tools, and Awake Security was our selection.

How was the initial setup?

The initial setup was straightforward, not complex, from when the box arrived to when it was installed.

We are planning to pivot to visibility in our cloud landing zones. That's where we will brainstorm or whiteboard stuff that says, "Here's what we can see," and then what we do is say, "Okay, if this happens, I want to know about it." Afterwards, we'll come back to the Awake Security guys, and say, "Here's the stuff that we want you to alert us on," which is really around the compliance stuff. For example, you're not supposed to egress out Azure's Internet. Everything has to come back to us. But we find people have configured it incorrectly and are sending traffic out to the public Internet through Azure's egress. Once we have network visibility up there, we will get alerted when that stuff happens, stating, "Outbound egress traffic has been seen. Here is the host and where it was going." We can then go back and either stop it or talk to the person who set it up.

What about the implementation team?

I have worked with support from Awake Security, and it was straightforward. We already had architecture network visibility, IP addressing, and interface feeds that were provided beforehand by the Awake Security team. Awake Security shipped the devices with the configurations. We plugged them in, and they worked.

What was our ROI?

The current legacy service is strictly based off of logs. Incidents are being generated by the rules algorithms. With Awake Security, their approach is different due to the network context. Awake Security has allowed us to focus on other items, not just on incident response.

What's my experience with pricing, setup cost, and licensing?

The pricing and licensing are competitive.

Awake Security was the least expensive among their competitors. Everyone was within $15,000 of each other. The other solutions were not providing the MNDR service, which is standard with Awake Security's pricing/licensing model.

When we pivot to the cloud, in order to capture that data, the additional cost is minimal or non-existent.

Which other solutions did I evaluate?

The original project driver was network visibility, as we didn't have any. We brought in Darktrace, Stealthwatch, and Awake Security for a bake-off. Awake Security filled the need for visibility by being augmented with the MNDR service.

We found other tool interfaces more polished and more cosmetic in nature. Some folks like to look at that stuff, but you're missing the whole point of Awake Security if you look at it from that perspective.

Awake Security sold the MNDR service as part of their solution. So, the direction was: "Come back and tell me what your MNDR guys have found." They did find incidents our managed virtual SOC had not. There was overlap where the Awake Security team found events our current SOC did not.

We also looked at Arctic Wolf. They're a managed service around incident response. We did an hour demo. It is a good product, but we are happy that we selected Awake Labs.

What other advice do I have?

The Awake Security team does a good job with communication. With the encrypted traffic, you can't see inside the packet. Encrypted traffic was not a hindrance, since most traffic nowadays is encrypted. The Awake Security team does a good job of determining what's wrong, even though they don't have the full view of the content inside the packet.

Awake Security gets a solid nine (out of 10) based on our experience. That's based on their technology, professionalism, and communication. It was their MNDR service that set them apart when we were looking at other technologies.

Which deployment model are you using for this solution?

On-premises
Disclosure: IT Central Station contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
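The three detection conditions this reviewer describes (alerting on first activity from a new CSP subnet, a newly provisioned VM that has been on the network for more than five minutes without contacting the endpoint-protection update server, and a cloud host sending traffic straight out to the public Internet instead of back through the on-prem egress path) written out as an added Python example. This is not Awake's code and not its AML query language; the subnets, the update-server address and the flow records are constructed assumptions, and the "now" used for the five-minute age check is taken from the last record so the example runs offline.

```python
"""
Added example (not Awake Security's code or AML): the three compliance
checks from the review, expressed as plain Python over flow records.
"""
from datetime import datetime, timedelta
import ipaddress

# Assumed environment values (hypothetical, not from the review).
WATCHED_SUBNETS = [ipaddress.ip_network("10.50.0.0/16")]  # cloud landing zone
KNOWN_SUBNETS = {ipaddress.ip_network("10.10.0.0/16")}    # already inventoried
UPDATE_SERVER = ipaddress.ip_address("10.10.5.20")        # endpoint-protection update host
PHONE_HOME_GRACE = timedelta(minutes=5)
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed flow records: (timestamp, src, dst, dst_port), deliberately unsorted.
FLOWS = [
    ("2021-11-01T08:00:00", "10.10.3.7",  "10.10.5.20",  443),  # known host phoning home
    ("2021-11-01T08:01:00", "10.50.1.10", "10.10.8.8",   445),  # new VM, first seen
    ("2021-11-01T08:02:00", "10.50.1.10", "10.10.8.8",   445),
    ("2021-11-01T08:07:30", "10.50.1.10", "10.10.8.8",   445),  # >5 min, never reached update server
    ("2021-11-01T08:03:00", "10.50.1.11", "10.10.5.20",  443),  # new VM that did phone home
    ("2021-11-01T08:04:00", "10.50.1.12", "203.0.113.9", 443),  # direct egress to a public IP
    ("2021-11-01T08:05:00", "10.50.1.12", "10.10.8.8",   443),
]


def parse_flows(rows):
    """Turn (timestamp, src, dst, dport) strings into typed records."""
    return [
        (datetime.fromisoformat(ts), ipaddress.ip_address(src), ipaddress.ip_address(dst), dport)
        for ts, src, dst, dport in rows
    ]


def in_any(addr, nets):
    return any(addr in net for net in nets)


def new_subnet_alerts(flows, known=KNOWN_SUBNETS):
    """Use case 1: first activity from a /24 that is not in the inventory. One alert per /24."""
    seen, alerts = set(), []
    for ts, src, dst, dport in sorted(flows, key=lambda f: f[0]):
        net = ipaddress.ip_network(f"{src}/24", strict=False)
        if net in seen or any(net.subnet_of(k) for k in known):
            continue
        seen.add(net)
        alerts.append(str(net))
    return alerts


def phone_home_alerts(flows, watched=WATCHED_SUBNETS, update_server=UPDATE_SERVER,
                      grace=PHONE_HOME_GRACE, now=None):
    """Use case 2: a host in a watched subnet that has been seen for longer than
    `grace` and has never talked to the update server. In production `now`
    would be the wall clock; here it defaults to the newest record."""
    if not flows:
        return []
    now = now or max(f[0] for f in flows)
    first_seen, phoned_home = {}, set()
    for ts, src, dst, dport in flows:
        if not in_any(src, watched):
            continue
        first_seen[src] = min(ts, first_seen.get(src, ts))
        if dst == update_server:
            phoned_home.add(src)
    return [str(h) for h, t in sorted(first_seen.items())
            if h not in phoned_home and now - t > grace]


def direct_egress_alerts(flows, watched=WATCHED_SUBNETS):
    """Use case 3: a cloud host sending directly to a non-RFC1918 address instead
    of hairpinning back through the on-prem egress path."""
    return [(str(src), str(dst)) for ts, src, dst, dport in sorted(flows, key=lambda f: f[0])
            if in_any(src, watched) and not in_any(dst, RFC1918)]


def run_all(rows=FLOWS):
    flows = parse_flows(rows)
    return {
        "new_subnet": new_subnet_alerts(flows),
        "missing_phone_home": phone_home_alerts(flows),
        "direct_egress": direct_egress_alerts(flows),
    }


if __name__ == "__main__":
    for name, hits in run_all().items():
        print(f"{name}: {hits}")
```

Two design points worth noting: the egress check tests RFC1918 membership explicitly rather than `ip_address.is_private`, because the Python standard library also treats documentation ranges such as 203.0.113.0/24 as non-global, which would silently hide exactly the sample egress the check is meant to catch; and the phone-home check keys on first-seen time per host, so a device that only ever appears in a single flow is still aged against the current time rather than against its own last record.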
CH
CISO at an insurance company with 1,001-5,000 employees
Real User
Top 20
Data is displayed in a very easy to read and understandable manner

Pros and Cons

  • "This solution helps us monitor devices used on our network by insiders, contractors, partners, or suppliers. Its correlation and identification of specific endpoints is very good, especially since we have a large, virtualized environment. It discerns this fairly well. Some of the issues that we have had with other tools is that we sometimes are not able to tell the difference between users on some of those virtualized instances."
  • "Be prepared to update your SOPs to have your analysts work in another tool separately. There are some limitations in the integrations right now. One of the things that I want from a security standpoint is integration with multiple tools so I don't need to have my analysts logging into each individual tool."

What is our primary use case?

The tool generates automated alarms to correlate any network activity that we see with some of that more deep packet inspection which Awake provides.

There is currently not a lot of IoT in our environment.

How has it helped my organization?

From a compliance standpoint, we were able to easily identify some security weaknesses built into our systems from an architectural standpoint. We were able to quickly remediate these, e.g., some places encryption was lacking or places where passwords were stored.

This solution helps us monitor devices used on our network by insiders, contractors, partners, or suppliers. Its correlation and identification of specific endpoints is very good, especially since we have a large, virtualized environment. It discerns this fairly well. Some of the issues that we have had with other tools is that we sometimes are not able to tell the difference between users on some of those virtualized instances. This solution doesn't seem to have an issue because enough data is collected that we can easily tell which users are responsible for the traffic on which systems.

I haven't really seen any false positives from Awake. Everything that I have seen that hasn't been actionable has been either low level stuff or part of the learning that Awake is doing in our environment. These have been some legitimate processes or functions that look bad but are normal in the environment. Therefore, false positives are pretty low in Awake.

What is most valuable?

The portion that I use the most is the Adversarial Modeling trend. This threat graphing is probably the most useful feature that we have right now. It displays the data that Awake collects, displaying it in a very easy to read and understandable manner. This is compared to other tools in this similar space, where I found the learning curve and the ability to understand what those tools were analyzing and reporting difficult because it took a bit more time to learn how they reported.

The data science capabilities of this solution are good. It provides relative correlations. It seems to be very accurate in its detection based on the data science that it runs. Compared to other tools, it seems to be much easier with its machine learning aspects.

This solution’s encrypted traffic analysis is good. Every time I have needed to retrieve data for decryption, it was available.

What needs improvement?

Some of the searching capability is a bit hard to use without in-depth knowledge. In one of the earlier versions, there was a tool that helped you build some of your searches and help you correlate your data manually. This seems to have been removed in a later version. That is probably the biggest thing I've noticed.

Be prepared to update your SOPs to have your analysts work in another tool separately. There are some limitations in the integrations right now. One of the things that I want from a security standpoint is integration with multiple tools so I don't need to have my analysts logging into each individual tool. They are working on this at the moment with Splunk and should have something ready in two weeks.

For how long have I used the solution?

I have been using it since August.

What do I think about the stability of the solution?

The stability seems to be fine with no impacts to our network or any of our systems; there has been nothing I have noticed as far as stability-wise with the Awake platform.

I run the cyber information security team for the entire organization and have oversight on the security operations center (SOC) as well.

What do I think about the scalability of the solution?

For the scalability portion of it, we haven't really looked into that yet. Cloud TAPs and stuff like that will help determine when it is time for us to look into it. From what I can see, the scalability is pretty easy. Awake really provides a roadmap and guide which makes it pretty straightforward.

We are still somewhat in an onboarding phase because we have scaled back, focusing specifically on Awake. Right now, an analyst and I log in and just review the adversarial model trend to look for any kind of alerts that have been escalated in the last day. Eventually, we will be onboarding it with our SOC and having about four or five additional people monitor that activity.

Currently, we do have a limit on the visibility we have with it, but we are seeing about 95 percent of our network traffic in our primary data center. Therefore, the scope of it is that we have 2,700 employees and approximately 6,000 devices. We don't have any definitive plans to increase usage in the near term. Ideally, we would like the budget requirements to expand into the cloud and get that remaining five percent visibility in our other data centers.

Which solution did I use previously and why did I switch?

We previously had NetMon, which was a product from LogRhythm. First off, there were a lot of hardware issues along with a lot of sizing and scoping constraints provided to us by LogRhythm that just didn't scale. Also, the data enrichment and data science behind it was very low level and not NextGen.

How was the initial setup?

The initial setup was very straightforward. They shipped us the device. They sent us an engineer to work onsite. We already had a network TAP port configured, which they plugged in. Then, the configuration and data normalization was all handled by Awake. There was very little to no effort other than by the Awake engineer who came to our data center.

It took one day to physically deploy and a week for normalization of data.

What about the implementation team?

We left the implementation strategy up to Awake.

Deployment and maintenance are handled by Awake. Just last week, we received an email saying, "There's an upgrade. When do we have a patching window?" You just provide them the time and they do the update.

What was our ROI?

We have seen ROI. Fortunately, we haven't seen anything really bad from a malicious standpoint. However, some of the visibility Awake gave us into some of those compliance, architecture, and system engineering flaws that we were not previously aware about has let us remediate them.

Which other solutions did I evaluate?

We evaluated Darktrace. We got more valuable data from Awake than we actually got from Darktrace. As far as I'm concerned, Darktrace was 100 percent false positives after doing Awake. After doing a PoC with Awake, we realized that the entire PoC with Darktrace was completely inaccurate. That was something that Awake showed us within its first week of being in. They said, "Hey, this is what we're seeing. It's half the size of what we expected compared to what Darktrace was telling you." So, I can't even give an accurate statement as to false positives specifically with Darktrace because I think the entire PoC scene was a giant false positive based on terrible data that they didn't recognize was bad.

Awake is really easy to use. It was just far easier to use as far as seeing rich, actionable data than LogRhythm. There was less of a learning curve to understand what they were trying to represent. The other thing was I found much fewer false positives in Awake. The data was more accurate, especially during that PoC phase.

From my opinion of the engineers that I met on each side of the table, Awake had engineers who really knew what they were doing. They were able to identify issues more quickly with the way our appliance was collecting and seeing data. Awake came to us after a week, and said, "We're seeing duplicate data." That was data that Darktrace was trying to charge us double for. Therefore, the technical expertise and understanding from the team seemed much greater at Awake than it did at Darktrace.

I didn't even consider LogRhythm to be on the same level.

What other advice do I have?

We have not used the functionality for cloud TAPs.

I would rate this solution as a nine (out of 10).

Disclosure: IT Central Station contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.