Awake Security Platform Review

Gives us the capabilities of a Tier 4 analyst without hiring one; at a glance we can see what's happening in our environment


What is our primary use case?

I'm primarily using it for viewing lateral movement within my network of suspicious activities. It's my internal monitoring of behaviors of endpoints inside my network, going outbound.

How has it helped my organization?

The way their algorithm works, they have a threat model that brings up the most concerning activities, pretty much like an analyst who is very knowledgeable. On a tier level, a Tier 4 analyst would recognize the suspicious activity. Their algorithm takes somebody who is a Tier 1 or Tier 2 and gives them that clarity at a glance. Their knowledge is pretty top-notch. I also have the added feature of having an analyst that I work with at Awake to help me interpret some of the risk, which is a top-level-analyst type of assistance.

The biggest thing it has saved me is having to bring on a high-level analyst. We're a startup company so money is very tight. I would have had to hire a Tier 3 or 4 analyst to look at our daily traffic. When we deployed this system I could put off making that hire because we're still growing the system. Now, someone like me, who doesn't have a lot of time, can take a quick glance at what's going on in my environment and know whether I need to take action or not, pretty quickly. It's saving me money, saving me time, and gives me a level of comfort that I have visibility within our network which I don't think I could get very easily any other way.

Awake Security helps me monitor devices used on my network by insiders, contractors, partners, and suppliers. We have vendors coming in all the time, we partner with people who use our WiFi access, the internet from within our environment. I have a few people who come in on my guest network and I don't know who they are, but if an incident happens I can quickly identify the systems that are concerned. A lot of times people bring systems in that aren't under my control or introduce threats in my environment which I can attribute to a visitor log right away. We have BYOD in our environment too, and I don't have control over those devices. Given that people are bringing those devices into my network, I feel a lot more comfortable that, if I get a trigger on Awake, I can quickly identify that device as belonging to one of our employees because I've seen it over a long period of time; or I can identify if it's a new device which could be a visitor or the like. I get a lot more clarity on lateral movement in my environment than I think I could any other way.

I was on a call with them looking for any encrypted traffic going on in my environment. They can spot it pretty quickly. Making sure I'm looking at encrypted traffic going outbound helps me stay in compliance

Finally, it provides me with better situational awareness. It's 1,000 times better. I spent two years in a bigger company and I never felt like I had good visibility into lateral movement. I know what it takes to get that level of visibility and this system does it almost instantaneously.

What is most valuable?

The most valuable feature is the ability to see suspicious activity for devices inside my network. It helps me to quickly identify that activity and do analysis to see if it's expected or I need to mitigate that activity quickly. One of the best use cases was when we knew that one of our vendors that came into our site had a ransomware event at their corporation. I was able to quickly find his device using the Awake system and determine that there was no threat in our system. Something like that usually would have taken four to five hours. It took me about five minutes.

Also, the Security Knowledge Graph is a display of the devices and the activities that we see. It doesn't use a heat map but it uses the size of a bubble - a circle representing a device that's probably highest on the threat list - and shows what all the connections are. That provides a great visual, at a glance, of what's going on in my environment at any one time. I really like that feature.

I use the solution to identify and assess IoT solutions, if they connect to our network. The guest network is the best example. People use the guest network to connect to the thermostat or their Apple Watch. I can see that activity. If it's a network IoT type of thing, like a call system or Amazon Echo, I'm going to see that activity on our network and Awake should be able to call that up pretty quickly.

What needs improvement?

There's room for improvement with some of the definitions, because I don't have time and I'm not a Tier 4 analyst. I believe that is something they're working towards. They're working with me to add new features to make it easier for me to tell what a threat is and determine whether it's important or not. They're making improvements and providing updates almost monthly now, so each time they make those improvements it gets clearer for me.

For how long have I used the solution?

I started the PoC in November, 2018 and we signed a contract with them in early January, 2019. I've been using it since November, but we officially onboarded with them in early January. I'm on the current, latest version.

What do I think about the stability of the solution?

We've had no outages. A couple times we've had some power outages at our facilities, but it came right back up online.

What do I think about the scalability of the solution?

Some of what we're working on now is getting our satellite offices redirected. If I worked for a larger company it would be harder to get this implemented in all of our sites. It's good, site-per-site. I'm still trying to figure out how I can get some visibility into the satellite, small, one- and two-man offices. They're working with me to help come up with that solution.

Right now, it really requires having your internet traffic go through it to have the right level of visibility. For a bigger company that's a little more challenging, depending on how the corporate environment is structured. In my old company, we had 80 different ways to get the internet. That was challenging in and of itself. This company is much smaller so I don't have that big of a challenge, but I do have some satellite offices and I need to figure out how to redirect that traffic through this system so I get some level of visibility there.

How are customer service and technical support?

Usually, when I have an issue where I don't understand what I'm seeing, they're pretty responsive in trying to work on ways to make that clearer. I've been pretty happy with that.

Technical support is definitely a ten out of ten. They've been very responsive and very knowledgeable and usually get right to the heart of any concerns I have.

If you previously used a different solution, which one did you use and why did you switch?

At this company, we did not have a previous solution, but I've used other systems, SIEMs for looking outward-in, like QRadar. That was our system at my previous company. The challenge I saw with something like QRadar was that it was outside looking in. It was looking at our border alerts on our firewalls and looking into our network. An analyst would take those alerts and try to trace to the endpoint that might be causing the problem or that was connected to the problem. He would take the alerts early in the morning, spend about four hours tracing everything that needed to be traced, and then finally get into the endpoint. Awake takes the opposite approach and looks at the endpoints that have the most concerning activity and bubbles that up to the top.

I tell people it saves me about four hours' worth of analyst work daily. I can look at it in five minutes and know which endpoints are of concern, and then I spend a few minutes analyzing whether that's activity that I expected or did not expect, and I can move on. I can look at it daily and get a good feel for whether I need to address something, or I've learned that that alert is not really of concern because it's expected activity.

We got to Awake Security because someone recommended it. One of the consultants I work with had a connection with Awake. They said, "Hey, look at this company." I gave them a call; they came out and did a demo really quickly and then we set up a PoC to see if it worked in our environment. Almost instantaneously, my IT manager and I loved the system because of the visibility we could get so quickly.

How was the initial setup?

The initial setup was pretty easy. They came in and deployed a server on site. We had to make sure that we had the right VLANs exposed to the server so that we could see all the traffic. The user interface was pretty straightforward, just a sign on and password to the server. 

It was pretty intuitive to look at the different threat pictures that they had on the site. It automatically populates the most concerning ones at the top, so I adapted to it very quickly. The search features were pretty good. When I wasn't seeing what I needed to on the automated displays, I could use the menu to clip through a device or just look for a domain or for something that I knew might be concerning. For one incident, when I was trying to find a vendor who had an issue at their shop and I knew they had visited us, I just searched for their domain in our environment. It popped up and it showed me their device pretty quickly. It was a five-minute turnaround, which typically would have taken me a whole lot longer.

There was about a day of install and then about another day of initial setup. Then there was a little bit of tweaking we had to do when we weren't seeing all of the traffic that we thought we should be seeing, but that was on our end. That was just a matter of working with their team to tune the deployment for the server.

For our implementation strategy, we just connected to a SPAN port on our exit router at our main facility. Then we had to tune it to make sure all the VLANs that we had internally were going through that SPAN port. We had to set up a server, and we set it up in our server rack; we happened to have room which was nice. It only took up one or two U's. It wasn't very big.

Initially, to deploy it, I needed my IT staff and it took one network engineer. To maintain is really nothing. It's me using the system. Everything else has been remotely controlled by Awake, so there's been no need for us to interface with it, once deployed.

What about the implementation team?

Awake Security assisted us with deployment. They were great, very responsive.

What was our ROI?

When you compare the cost of hiring and retaining a sophisticated analyst, the Awake Security Platform pays for itself in a matter of months and goes on to save me money, longer-term. In addition, finding an analyst of that caliber in this market can be a challenge in itself. 

The bottom line is that this solution not only gives me the peace of mind and the same level of comfort as having an uber analyst, it also allows me to defer hiring for longer.

What's my experience with pricing, setup cost, and licensing?

Compare the cost of hiring and retaining a sophisticated analyst to the Awake Security Platform. The solution pays for itself in a matter of months and goes on to save you money, longer-term.

Which other solutions did I evaluate?

The other options were very expensive. Most of them were deploying endpoint agents, which was something I didn't really want to do, just yet. Endpoint agents usually help you off-prem, but I was more concerned about what was going on on-prem, and Awake seemed to be the best solution, the most complete solution we could get in the short-term, without spending a lot of money.

What other advice do I have?

My advice would certainly be to do a PoC to make sure it works in your environment. The way your network is configured is going to have a big impact on whether this tool works for you. If you can't get your traffic to go through a single or a reasonable number of exit points to the internet, it may not be a complete solution for you. When I was working at that larger company, I probably would have used this in our engineering lab environment because those guys were like the "Wild West" and deployed whatever they wanted whenever they wanted, and that was usually my biggest concern. I probably would have deployed something like this because it would have given me the visibility, what I couldn't see at the firewall level. I would need to see at a router level and needed something they could make sense of for me. I think Awake would have done it very quickly without much effort.

It's my main tool for network security right now. I'm using it very extensively. We're trying to reconfigure, because we're a startup and I don't want to buy another system, to get as much as we can out of this current system, but I would plan to use this as we grow as a company. If we were to grow globally, I could see us using Awake as our primary threat intelligence for lateral movement particularly, in our environment.

In terms of cloud infrastructure and Awake seeing that activity, it only sees it on-prem because that's the way we have it deployed. Any connection to a cloud, like AWS, we will see that. We should be able to see what activities' connections are occurring. If it's encrypting from the browser to the cloud, we may see that activity but I don't know if we can pull out the content unless we break encryption before it gets to that device. There are certain cloud connections that make sense in our environment and others that don't. We don't use AWS, so any AWS going outbound would be something of concern. I'd go to that device or that individual to see what they're making those connections for.

I don't know how to count how many false positives I get. Usually, I'm looking at concerning activity and it's up to me to determine if it is expected or not expected. Generally, it is exactly what I want to see because it's at the device level that I want to know if the activity is expected or not. Generally, it ends up being expected. It's hard to give it a false-positive rating because I would guess about half of them are things I expect to see. But as a system goes, it's almost 100 percent accurate in calling those events out. It hasn't called out events where I would say, "Oh, it didn't need to call that out because that activity shouldn't have been flagged."

It doesn't know what I know about what's normal, so there's still a little bit of knowing what's normal in your environment. That's the onus of the person running the environment. I can tell Awake that something is normal and not to look at that again, so there is that tuning aspect that has to happen. I typically don't tune it out because I want to see any new traffic patterns. If it's a regular backup that's about the only time I will say, "Don't ever worry about it coming from this device because I expect that to happen on a regular basis."

The false-positive resolution with Awake Security is so much faster that it doesn't have as big an impact as it would have on another solution. If you gave me a false positive with a SIEM, I would have to invest four hours to find out that it was a false positive. If you give me a false positive on Awake, I have to spend five to ten minutes to figure it out. That's because the data is right there. It's populating for me and it's easy to search. It's almost not a fair marker to look at a false-positive rate because the resolution time for the false positive is so much shorter.

Overall, I would rate this solution at ten out of ten.

Disclosure: IT Central Station contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
1 visitor found this review helpful
Try Awake Security

Schedule a Demo and See it in Action

Add a Comment
Guest
Sign Up with Email