Awake Security Platform Review

Enables us to monitor lateral movement of traffic across sensitive networks

What is our primary use case?

We use Awake Security to monitor internal networks. We monitor the lateral movement of traffic across sensitive networks.

How has it helped my organization?

The most valuable aspect for us is that we have a small team, so when we bring in new security solutions, it's really important that they're tuned well because there are only so many alerts that we're going to be able to deal with. If we put something in place that creates a massive amount of alerts, we're just not going to have the resources necessary to respond to all those. Putting something into place that can look at really sensitive internal networks and do it in a way that doesn't cause us to have to hire a number of additional resources to support that is really important. 

A lot of security teams underestimate the resourcing needed when you put new platforms in just to maintain, care, feed, and respond to the alerts that come from a new system. With Awake, it's very self-sufficient. The tool does a lot of the work and they even have managed services on top, if you need additional resourcing to help you deal with the alerts or configure the system more, that comes as part of the solution. You really put yourself in a situation where you're going to be successful quickly without having to scale your team.

It helps us stay in compliance with government regulations. As more privacy regulations come into effect, we definitely want to make sure that we're meeting privacy regulations both today and have the flexibility that if a new regulation comes out in the near future, we still have something in place that can keep us in compliance and we don't have to change our security architecture. Awake gives us the ability to detect and respond to security incidents while still protecting the privacy of that data.

We use Awake Security to identify and assess IoT solutions. All these technologies need to work on all types of devices, including early-stage and proprietary versions of prototypes of phones and tablets, and at the early stage, versions of new operating systems that come out on those devices. Obviously, those are situations where we wouldn't be able to have a standard security agent running in those environments, but we definitely want to understand if those devices are communicating outwardly to the types of things on the internet that you'd expect them to, or if there are any connections going back and forth to the internet that would be out of the norm for machines that have very strict testing scenarios around them, so it's very easy to understand.

We want to make sure that those devices are only communicating with a pretty strict set of use cases. Being able to understand the traffic coming to and from those devices is really important and using a network tool is really the only way to go.

Cloud TAP's for visibility into cloud infrastructure is something that all security teams need to be looking into. I think a lot of people have jumped to the cloud and realize that they don't have firewalls anymore. People tend to rely on security groups and access controls. As a result, security teams often lose visibility of the network traffic on the cloud that they may have had on-prem. It's not apples for apples. If you don't necessarily have the same security toolset, you can lose visibility. Having something like Awake on the cloud is definitely something people should start thinking about to be able to obtain that visibility.

What is most valuable?

We definitely have machines that might not lend themselves to having endpoint security agents on them, either because they can't support an agent or they're testing devices that have very critical configurations that an agent might have a negative impact on. Being able to monitor traffic to and from those devices over the network is definitely preferable and really the only way to do it, to not have a negative performance impact on those machines.

That could be IoT devices. It could be test devices of early-stage prototypes. Being able to understand the traffic coming to and from those devices using Awake has been a big deal for us because it wasn't something we were able to do before with any other technologies.

The security knowledge graph has been very helpful in the sense that whenever you try a new security solution, especially one that's in the detection and response market, you're always worried about getting a lot of false positives or getting too many alerts and not being able to pick out the good from the bad or things that are actual security incidents versus normal day to day operations. We've been pleasantly surprised that Awake does a really good job of only alerting about things that we actually want to look into and understand. They do a good job of understanding normal operations out-of-the-box.

Then for those things that we do want to mark as being normal operations, as opposed to security incidents, whenever we do configure those in the system, they never come up again. They do a good job of weeding those out. We're not actually getting that many alerts from the system and when they do come up, they are definitely things that we want to look at. It's been good. It didn't take us very long to get to that point. From day one of the POC, we were seeing things that we wanted to look at and we weren't looking at a lot of false positives.

The data science capabilities of Awake are a big reason why the false positive rates are so low. The data science side really gives Awake the ability to spot things that are out of the norm. Whether it be IoT devices or devices that are hard to have a standard profile for, it does a good job of figuring out what's out of the norm for that type of device or the type of traffic that would typically come from that device.

The encrypted traffic analyses are a key part because encryption has become the defacto standard for all network traffic, even internal traffic. One of the biggest challenges for security teams over the last five years is that we have more and more encrypted traffic - rightly so - to help protect those data streams, but because of that, it makes it hard to have visibility into that traffic. Awake has the ability to understand encrypted traffic and capture parts of traffic that we want to look at more closely while at the same time has very little impact on that traffic because it's sitting on the side and viewing that traffic without being in front of it and having a negative impact on it.

That was a big deal for us because if you have to decrypt traffic and pull traffic offline and store it, that creates a lot of other privacy and security problems that most teams don't want to get into. Being able to have something in place that can evaluate encrypted traffic is really important now.

Awake Security provides us with better situational awareness. First and foremost in security, the first step is to gain visibility. The nice thing with Awake is that it will give visibility into environments that you likely don't have visibility into today. Part of that visibility is going to increase your situational awareness and start to understand the normal versus the abnormal for that environment.

We have better situational awareness by 25 to 50% but I think a lot of that depends on what your internal network architecture looks like. I think security groups always struggle with how to gain visibility over internal networks. We do pretty good at endpoints and pretty good at the edge, but internal network flow is always a challenge. Depending on how your network is set up, you can gain as much visibility as you'd like using Awake.

What needs improvement?

It's important that Awake continues to develop its APIs to be able to help intertwine their product into the overall security architecture of a company, just because it is a single tool. Likely a company will have a number of tools in place that you want to be able to communicate and correlate events between and be able to pull actions and information from different security systems. Whenever I look at a new security solution today, their ability on the API side is always one of the first things we look at.

The great thing about Awake is that it has really solid visibility. You might get a detection that happens on a different platform, and one of the first things you want to do is ask the Awake system for more context around an alert because they do have visibility into encrypted traffic. Being able to ask questions of the Awake platform from other systems is really important.

They've been focused on really developing their data science, their ability to detect, but over time, they need to be able to tie into other systems because other systems might detect something that they don't.

For how long have I used the solution?

We've been a customer for around a year and a quarter now. We had been doing a POC with them for a few months before that, so about a year and a half total.

What do I think about the stability of the solution?

The stability has been rock solid. There have been updates on a regular cycle that are more featured updates. I haven't seen emergency bug fixes or notices from Awake that caused us to have to do emergency patches or pull the system down. It's been up 100% of the time, and it's just been a matter of us being aware when upgrades were scheduled. There was no downtime as a result.

What do I think about the scalability of the solution?

Scalability goes back to that design you have to do upfront to figure out what parts of the network you are most concerned about. If you do that work upfront, you can scale it as much as you want to. You should be thinking about how many devices you really need. In terms of scaling the devices and having a management console to do that, that part of it is pretty simple.

We have three people that interact with it on a regular basis. We have a Cyber Defense Manager and two incident response analysts that use it on a regular basis. We do a weekly call with Awake Security, where we review new detections that we might work with them on and that take time to develop or specific things that we might have been seeing in other parts of the environment that we want to make sure that they're aware of.

Our Cyber Defense Manager is more involved in the tuning of the device, and he talks to them on a weekly basis. Then the IR analysts are reviewing alerts on a daily basis or an as-needed basis as they come through. They're also involved in the weekly calls.

We use it in our locations with the most sensitive engineering-related use cases today. Not all of our locations, some of our locations. Our largest locations tend to have an engineering arm at those locations. That's where we focus the Awake devices today. So far, our deployment has been on-premise only, but we are starting to look at their cloud options as different business groups start to expand to AWS and GCP.

How are customer service and technical support?

The technical support has been surprisingly good. With most companies, they do a good job of getting you through the initial customer success phase of getting off the ground then getting support afterward is a challenge. With Awake Security, I feel like it's been more of a partnership, meaning we have those kinds of ongoing weekly calls with our customer success manager to really make sure that we're getting the most out of the product. In terms of just straight support issues, those have been very minimal. Whenever they have come up, they've been addressed right away. It's been one of the things that stands out that, that we haven't had issues in that area.

Which solution did I use previously and why did I switch?

We had done a proof of concept with Darktrace for a number of months before Awake. There were a lot of issues with false positives, meaning, there were a lot of alerts coming from the system that when we looked at them, we could tell that that's actually normal business operations for the environment that it was looking at. It was one of those things where we thought that with machine learning, it would pick it up over time and it would start to tune these things out, but we really had consistent problems with it generating too many alerts to the point that the more important alerts were getting lost in the shuffle of the false positives. We ran it for a while to try and understand if it would learn and get better, but we didn't get to a point where we felt confident in the alerts that were coming out of it.

How was the initial setup?

The initial setup was straightforward. If people have ever put something on a SPAN port before, it's just really a matter of understanding what parts of your network you want to focus on. I would say we spent one hour doing a whiteboard session with Awake and our networking team to decide what's the best place to set these devices to have the most visibility. Then we were up and running the same week.

Awake is one of those things you want to focus your most critical networks on. If you know where your critical data is, especially data that's meant to stay internal or segmented in some way, Awake is a really good way to help monitor those environments. Especially if you have environments where you might have devices that for whatever reason, you can't have a standard endpoint security approach with environments that might be used for research, testing, or things that are really meant to be black-box type environments.

Awake can give you visibility into areas that you typically wouldn't have. In our implementation strategy, we really looked and defined those areas and figured out, what would be the right placement of devices to give us the visibility of our most sensitive data.

What was our ROI?

We have seen ROI. The alerts that come through, they're all things that we want to follow up on. There are things that help us improve our security stance over time. As we've addressed those issues, I think they've led to improvements in the process by engineering teams. They've led to better security controls. Those are the two biggest areas of improvement.

What other advice do I have?

The piece that people should be considering should be how much storage they want for data in the platform and how long they need to retain data for. It's not sitting in the middle of network traffic but for incidents that come up or alerts that are generated, it will store Pcap information for those alerts. You want to make sure that you have enough storage of information around those alerts so that you can go back, whether it be six days, a week, a month, whatever you want your retention period to be. That's something you should think about when you're putting this into place.

Also consider if the data is going to be piped off somewhere else and stored, or if it is going to be stored locally on the box because that's one of those things you can do either way. People should be thinking about it going in because it can generate a lot of data if you want it to.

I would rate Awake Security a nine out of 10. As soon as the API gets a bit more mature, I think they're on track to be a 10..

**Disclosure: IT Central Station contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
More Awake Security Platform reviews from users
...who compared it with Darktrace
Identify hidden network threats

Your network may have security risks that you don't know about. Schedule a live demo to see how you can use Awake Security to identify and mitigate these threats.

Add a Comment