What is our primary use case?
Our use cases are vast and varied. Quite simply, we looked at tools that would provide network detection and response out-of-the-box. Looking at Awake, there are hundreds of security use cases built into the system itself. I typically utilize the tool across the enterprise, looking to detect those hard-to-find threats.
I am looking at:
- Indicators of compromise for ransomware
- Possible command and controls
- Clear text passwords
- Data exfiltration and compliance for GDPR
- Various, very hard-to-detect models of data exfiltration, such as exfiltration via DNS or ICMP
- Bad domains and traffic to bad domains
- The list goes on and on.
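The DNS item on the list above is the one that point tools most often miss, because the data leaves inside the query name rather than in a payload. As an added example (not Awake's code, and not how Awake implements its models), the script below runs two cheap heuristics over a hand-constructed DNS query log: a zone that receives many distinct, long, high-entropy subdomains is treated as a tunnel candidate, and a registered domain whose main label is long, high-entropy and almost vowel-free is treated as DGA-style. The log lines, the zone and host names, and all thresholds are assumptions made up for the demonstration; the two-label "registered domain" helper ignores public suffixes such as co.uk.

```python
"""Toy detector for DNS tunnelling and DGA-style domain names.

Added example, not Awake's code. SAMPLE_QUERIES is constructed by hand and
is not captured traffic; every threshold below is an illustrative assumption.
"""
import hashlib
import math
from collections import defaultdict

VOWELS = set("aeiou")

# Constructed sample log: (client_ip, queried_name, query_type).
SAMPLE_QUERIES = [
    ("10.1.4.22", "www.example.com", "A"),
    ("10.1.4.22", "mail.example.com", "A"),
    ("10.1.4.22", "api.example.com", "A"),
    ("10.1.4.23", "updates.example.org", "A"),
    ("10.1.4.23", "cdn.example.org", "AAAA"),
    # Two names that look machine-generated (DGA-style beaconing).
    ("10.1.4.25", "xkqwvbzjtpqf.com", "A"),
    ("10.1.4.25", "qzpwmlkvjhgt.net", "A"),
]
# Ten long, high-entropy, never-repeating subdomains under one zone: the
# shape of a DNS tunnel carrying data out in the query name itself.
SAMPLE_QUERIES += [
    ("10.1.4.24", hashlib.sha256(f"chunk{i}".encode()).hexdigest()[:48]
                  + ".files.attacker-tunnel.net", "TXT")
    for i in range(10)
]
# Benign noise: one host hitting api.example.com repeatedly. Volume alone is
# not tunnel-shaped because the subdomain never changes.
SAMPLE_QUERIES += [("10.1.4.22", "api.example.com", "A")] * 20


def shannon_entropy(s):
    """Bits of entropy per character of s (0.0 for the empty string)."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def registered_domain(qname):
    """Last two labels. Assumption: no public-suffix list, so co.uk-style zones break this."""
    labels = qname.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def looks_like_dga(qname, min_len=10, min_entropy=3.2, max_vowel_ratio=0.2):
    """True when the registered domain's main label is long, high-entropy and vowel-poor."""
    label = registered_domain(qname).split(".")[0]
    if len(label) < min_len or not label.isalpha():
        return False
    vowel_ratio = sum(ch in VOWELS for ch in label) / len(label)
    return shannon_entropy(label) >= min_entropy and vowel_ratio <= max_vowel_ratio


def detect_dga(queries):
    """Sorted list of registered domains in the log that pass looks_like_dga."""
    return sorted({registered_domain(q) for _, q, _ in queries if looks_like_dga(q)})


def detect_dns_exfil(queries, min_distinct=8, min_sub_len=32, min_entropy=3.0):
    """Per zone: many distinct, long, high-entropy subdomains => tunnel candidate.

    Returns {zone: stats} for every zone that crosses all three thresholds.
    """
    subs = defaultdict(set)
    for _, qname, _ in queries:
        qname = qname.lower()
        zone = registered_domain(qname)
        sub = qname[: -len(zone) - 1] if qname != zone else ""
        if sub:
            subs[zone].add(sub.replace(".", ""))  # treat all labels left of the zone as one string
    flagged = {}
    for zone, names in subs.items():
        if len(names) < min_distinct:
            continue
        mean_len = sum(len(n) for n in names) / len(names)
        mean_ent = sum(shannon_entropy(n) for n in names) / len(names)
        if mean_len >= min_sub_len and mean_ent >= min_entropy:
            flagged[zone] = {"distinct_subdomains": len(names),
                             "mean_label_len": round(mean_len, 1),
                             "mean_entropy": round(mean_ent, 2)}
    return flagged


if __name__ == "__main__":
    print("DGA-style domains:", detect_dga(SAMPLE_QUERIES))
    print("DNS tunnel candidates:", detect_dns_exfil(SAMPLE_QUERIES))
```

Run it and only attacker-tunnel.net is reported as a tunnel candidate, while the two random-looking names are reported as DGA-style; the 20 repeated api.example.com lookups are ignored because repetition without new subdomains is not how a tunnel behaves. In production the same logic needs a real public-suffix list, an allowlist for legitimate high-entropy zones (CDNs, anti-virus lookup services), and a time window, since a slow tunnel spreads its queries over hours.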
I have over a hundred use cases turned on running in the background and looking at the following (for example):
- Defense evasion: use of proxies in order to hide data exfiltration.
- Rogue hardware: identifying new devices on my network, whether they be wireless devices, wireless handheld devices, smartphones, laptops, etc.
- Brute force attempts against passwords.
- Password spraying attempts.
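Brute force and password spraying look the same to a per-account lockout policy only in the first case: brute force is many failures against one account from one source, while a spray is one or two failures each against many accounts, so no single account ever trips the lockout. As an added example (not Awake's code, and not its actual detection model), the script below classifies a hand-constructed authentication log by sliding a ten-minute window over each source's failures and counting failures per account. The event lines, source addresses, usernames and thresholds are all assumptions made up for the demonstration.

```python
"""Brute-force versus password-spray classification over an auth log.

Added example, not Awake's code. SAMPLE_EVENTS is constructed by hand; the
window size and count thresholds are illustrative assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

BASE = datetime(2020, 3, 2, 9, 0, 0)


def _at(seconds):
    """Timestamp `seconds` after the constructed log's start."""
    return BASE + timedelta(seconds=seconds)


# Constructed auth events: (timestamp, source_ip, username, outcome).
SAMPLE_EVENTS = []
# Brute force: one source hammering one account, 25 failures in two minutes.
SAMPLE_EVENTS += [(_at(5 * i), "10.1.4.40", "jsmith", "fail") for i in range(25)]
# Spray: one source, a single guess against each of 30 accounts, 20 s apart.
SAMPLE_EVENTS += [(_at(600 + 20 * i), "10.1.4.41", f"user{i:02d}", "fail")
                  for i in range(30)]
# Benign: a user mistyping twice and then logging in.
SAMPLE_EVENTS += [(_at(1200), "10.1.4.42", "agarcia", "fail"),
                  (_at(1230), "10.1.4.42", "agarcia", "fail"),
                  (_at(1260), "10.1.4.42", "agarcia", "success")]


def classify_source(failures, window=timedelta(minutes=10),
                    brute_min=10, spray_min_accounts=10, spray_max_per_account=3):
    """Labels for one source given its (timestamp, username) failures.

    For every failure taken as a window start, count failures per account
    inside [start, start + window]. Many failures on one account is brute
    force; a few failures each across many accounts is a spray.
    """
    failures = sorted(failures)
    labels = set()
    j = 0
    for i, (start, _) in enumerate(failures):
        while j < len(failures) and failures[j][0] - start <= window:
            j += 1
        per_user = defaultdict(int)
        for _, user in failures[i:j]:
            per_user[user.lower()] += 1
        busiest = max(per_user.values())
        if busiest >= brute_min:
            labels.add("brute_force")
        if len(per_user) >= spray_min_accounts and busiest <= spray_max_per_account:
            labels.add("password_spray")
    return labels


def detect_auth_abuse(events, **thresholds):
    """{source_ip: sorted labels} for every source that earns at least one label."""
    by_src = defaultdict(list)
    for ts, src, user, outcome in events:
        if outcome == "fail":
            by_src[src].append((ts, user))
    result = {}
    for src, fails in by_src.items():
        labels = classify_source(fails, **thresholds)
        if labels:
            result[src] = sorted(labels)
    return result


if __name__ == "__main__":
    for src, labels in detect_auth_abuse(SAMPLE_EVENTS).items():
        print(src, ", ".join(labels))
```

The two abusive sources come out with different labels and agarcia's two typos produce nothing. Grouping by source is the weak point: a spray run through a proxy pool, or from many cloud addresses, shows up as one failure per source. The same per-account counting then has to be done over the whole tenant or domain in a time window, with the source column used only to tell the analyst where the guesses came from.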
It is deployed inline as an on-prem appliance, leveraging a network SPAN port.
We are using the latest version.
How has it helped my organization?
It is all about visibility. From an information security standpoint, the capability for the team to be able to single out devices to respond quickly and intelligently, to say, for example, "It is this laptop (or endpoint) from this person in finance. I know exactly what it's doing, what's wrong, and I know how to fix it." So, they're empowered walking up to that department or individual. The face of information security used to be, "Oh, the security guys are on that floor." Now, there's a different take: "These guys know what they are doing and are here to help me. I have an issue, and they solved it very quickly." It's making overall security less painful for our folks, which translates into secure adoption of security policies, standards, and awareness. That's another intangible.
Sometimes, the harder part is not interjecting and removing a node, but understanding what it was doing so we have a higher assurance of what type of data may or may not have been exfiltrated because that may trigger reporting laws, etc.
We operate globally, so we have to adhere to the principles of GDPR, and also, in Canada, PIPEDA. We have a regulatory/legal obligation to report if there is a data exfiltration. Understanding the nature of the data (what these devices are connecting to), if there is an exfiltration, goes a long way toward shaving off the time my staff has to spend running these issues down. For example, one incident could potentially cost thousands of dollars in gray dollars. If, at the end of that investigation, we find out days later that we potentially would have had a reporting obligation, this makes it very difficult. Now, we would have to dive deeper and find out what that data was before we can report to the regulatory bodies, and in particular, our data protection authority for GDPR.
It also allows me to prioritize my staff. So, there are a lot of intangible dollar savings there. Rather than having a group of folks running around attempting to focus on preventative measures, we are focusing on the situations at hand ensuring that we have a grasp of what's going on in our network.
This solution's encrypted traffic analysis helps us stay in compliance with government regulations. It is all about understanding data exfiltration, what is ingressing and egressing in our network. One common attack vector is exfiltrating data using encryption. My capability to see potential data exfiltration over encrypted traffic is second to none now.
It is all about being able to say with confidence to the executives, the senior leadership team at the board level, that by putting this tool in place we have visibility into east-west lateral movement and traffic in the north-south. We also have a high degree of confidence that we are maintaining our security posture.
It doesn't matter where in my network, including wireless networks, I have it all feeding into the same mirrored port. I can see the traffic from any device which is plugged into the network at any time. The Awake ML will identify it. Then, on the dashboard, it will show me every morning any net new devices, how many devices are active, and how many devices may be impacted by a potential threat. I can see instantly any suspect domains that those devices are trying to connect into and what domains are unique. It also shows me net new domains every day at a glance. It then categorizes all of that information using its ML capability into an easy to use interface: high, medium and low. If need be, it will allow me to pivot on that device specifically, looking at it graphically. I can use that to understand what that device is connecting to, and in the same view, understand what type of data is moving back and forth.
We have a certain amount of IoT here, but not a lot. We have things behind our firewall that are definitely IoT, which made me nervous, but I'm a lot more comfortable now. For example, we are a very large software-as-a-service company based in the mid-market. We have somewhat of a startup culture, so we have food vending type services that exist behind our firewall, albeit segmented. These are Internet of Things devices, such as an automated machine that cooks food and is constantly reporting back to the vendor. We have several other examples of IoT within our shop, and it allows me to see that traffic as well.
What is most valuable?
What is impressive about the tool is the time to value. Plugging it onto our network, we have found things that other tools have just never seen. We found those issues quickly and were able to action against those issues, remediating them quickly. I don't know another product that delivers as much value so quickly.
I have the tool set up to alert, to be able to look at things, and to put things together graphically. This helps to understand the fingerprints of the device, what the device has done, where it's been, and what it's doing on my network. It really gives me a high assurance that my security posture will remain intact.
I have it now integrated into our security incident and event management (SIEM) tool, so I am able to correlate events across my network using Awake as my front-end or my first line of defense. Then, I can also pull in the Awake information and use that to pivot across to other sources within our environment, whether that be enterprise detection and response at the endpoint level or security orchestration and response.
Awake's Security Knowledge Graph is incredible in terms of a couple of things:
- The system is laid out very easily for me to utilize.
- I find it comforting if I look at the DNA of the Awake security staff. All of them are deep and wide, in terms of their experiences. You have ex-Mandiant folks along with ex-US military folks who have been through serious cyber situations and assisted large companies, if not governmental organizations. They have seen these threats in the wild. They know how to deal with these threats. Moreover, on weekly calls, they are notifying or diving deep into areas that we might have missed.
What needs improvement?
The only issue is that Awake affords you so much information behind its fingerprinting capability. When it does trigger, you need to have a hard look at what is going on because there is a reason for that trigger.
They have worked very hard on the interface. I would like to see things laid out somewhat differently, and not due to my familiarity with the tool. The tool has grown a lot since I started using it in October, and there is room for user interface improvements.
I would like to see the capability to import what's known as STIX/TAXII in an IOC format. It currently doesn't offer this. This would be nice, like a wish list item.
We are looking at cloud TAPs for visibility into cloud infrastructure. We offer a software as a service leveraging cloud. To take things to the next level, it is putting the ability and capability of the device into:
- Our cloud offering to look for threats.
- Leverage it further for any cloud services or SaaS that we use here.
For how long have I used the solution?
We acquired Awake in October 2019.
What do I think about the stability of the solution?
The stability has been rock solid. I haven't had an issue. I have gone through two system upgrades since October. When the system is to be updated, what is nice and somewhat different than a lot of the other appliance vendors that layer the services on top, is that they contact me before they push the updates out. For example, one of their service techs called me at about five o'clock: "Hi, it's William. Do you mind if we go ahead and perform the upgrade for you at this point in time? If that's not convenient and you need to go through a change control committee, etc., that's not a problem. We can schedule that. But if we're good to go, I can do it now for you." I like that they're high touch.
They do all the maintenance. It is an appliance, so they perform all the upgrades. From an administration standpoint, I have one person dealing with it which is limited to only setting up user IDs. That's really the only administration required in the tool.
What do I think about the scalability of the solution?
As we scale, the tool can scale with us. I'm currently using it with a one gigabit interface. As we scale up, we will scale utilizing the tool.
It's very easy to scale. If we scale in terms of our bandwidth and utilization, it's as simple as looking at the next appliance. Then, assuming we scale to a back-end, if we were to look at a 10 gigabit interface, it's as simple as producing or plugging it in through a Network TAP or another SPAN port.
Seven people are using it right now in an analyst format.
How are customer service and technical support?
One of the nice things about Awake is they are nimble. One of the requests that I put in in October for a feature enhancement has already been put into the product. They released it with 2.0. That's the ability to utilize situations for situational awareness. When my security analysts look at various issues, we are tracking specific items or indicators of compromise using what they call their situation overlay. Now, that is in beta preview. However, I have an advanced copy which allows me to track and trend an incident all the way through the MITRE ATT&CK chain or kill chain. So, it's a really powerful feature that they have stepped up and implemented in the product.
That is their standard technical support. It is a real "we are here to help" type of feel with just a group of dedicated security professionals. If I look at the DNA of their company, from who's at the senior leadership team level down to the analyst level, these guys have lived it. Their combined experience within the cybersecurity space is second to none.
The last time I had an issue, it was Awake's technical support that told me I had an issue, which was nice.
Based on standard support terms and conditions, they have always responded in an expected time frame. I've only had one issue of note with the product and that was resolved quickly. I had a response back in less than 20 minutes and the issue was resolved in under two hours.
Which solution did I use previously and why did I switch?
Before having Awake, we didn't have the visibility. I could get a lot of the north-south traffic and understand what was emanating, ingressing, and egressing in the network, but didn't have the overall picture.
We had solutions which allowed us to leverage indicators of compromise. Really, it was a bunch of point solutions reporting into our SIEM solution, as we are a Splunk shop. It's important to note that Awake doesn't do all things, but what it does do, it does really well and perhaps the best in the industry. So, Awake also puts its logs into the SIEM solution.
We had a SIEM. I had a lot of indicators of compromise type fingerprints in that SIEM. I had all of the log files throughout the whole of the organization dumping into that SIEM. However, from the network detection and response side, looking at east-west traffic, those fingerprints, and in a single pane of glass, I wasn't getting that before I had the Awake device.
The Awake tool gives me the east-west traffic and lateral movement picture, as well as the north-south traffic. Therefore, I'm getting a full picture of my network at any one point in time. These are things that keep you up at night being in the CISO role.
How was the initial setup?
Here is how straightforward the initial setup was. I got the device in October, which is fourth quarter for us and extremely busy. The Awake team wanted to fly in to do the setup. I told them that it was not going to work due to the timing and logistics. So, they shipped out the box. My team just put it in a rack and plugged it into the SPAN port, then we were done.
That was the entire setup. It is an appliance. All it requires is a Network TAP or SPAN port. We plugged the interface in, gave it a public side interface, and the Awake team did the final config remotely, then we were up and running in under two hours. That includes the rack time.
We had several meetings with Awake in terms of understanding our environment:
- Where it was best to place the sensors.
- What size sensors would we need.
- What type of use cases I was looking for.
- What were my pain points.
- What kept me up at night before we even embarked to the contract signing.
What about the implementation team?
Two people were required for deployment from my side along with one person from Awake.
What was our ROI?
The time from finding threats to remediation is almost instantaneous. For example, I found a threat this morning and remediated it in less than five minutes. The issue that I encountered today was definitely data exfiltration. It was malware that was hitting domain generation algorithm domains and also attempting to use Tor to obfuscate the data exfiltration. I found that within three minutes, and then in the following two minutes, we interjected, did the remediation, and had the node off the network.
When you're trying to put a dollar value on the protection of personally identifiable information, potential financial information, and the loss thereof, it is very difficult. However, in this instance, it could have been a lot worse. In terms of gray dollars and my staff's time, you're looking at $1,000 worth of savings because we would have had to glean through logs, identify the device, chase it down, and understand what it was doing on the network.
The solution has saved thousands of dollars within the first day. Our ROI has to be in the tens of thousands of dollars since October last year. It's about the peace of mind and my ability to pass by the CEO, and say to him, "Don't worry, I got that. There was a network incident, but I'm confident that we caught this endpoint before there was any data exfiltration. I know what it was talking to and what the nature of the issue was." That is powerful right there.
What's my experience with pricing, setup cost, and licensing?
I signed a three-year deal as it was most cost effective for my firm, with no doubt in my mind that we will see ROI in year one.
I am hoping to involve them in a managed network detection and response relationship as well, which is another one of their offerings.
There are no additional costs. The product does what it says that it will do.
Which other solutions did I evaluate?
I am impressed with the data science capabilities of Awake, in regards to the AI and ML capabilities built into the tool. We stacked up Awake against a competitor. I put both products, Darktrace and Awake, in a head-to-head bake-off back during the October time frame. Awake was the clear winner for a bunch of reasons: ease of use, and the lateral movement triggers on indicators of compromise and the Awake rule sets were far deeper and more insightful than the information I was receiving out of the ML capabilities afforded within Darktrace.
Darktrace had quite a few false positives.
Another problem with Darktrace that I found was the interface and the ability to work within the tool to look at information graphically. While available in Darktrace, the ability to navigate and dive deeper into those fingerprint signatures is very kludgy.
What other advice do I have?
Understand where your network points are and where you are best served to position sensors. The tool won't work unless it's positioned effectively in your network. Rely upon the Awake staff's expertise. They have collective cybersecurity experience in the hundreds of years, so just listen to them in terms of their guidance on where to position your sensors. Understand your traffic flow before moving forward with the solution, making sure that it's right for you. For instance, understand that if you have several satellite offices, you may be challenged and need to purchase several devices or appliances. In our case, this was a non-issue because I backhaul all of my traffic to one centralized point.
I am impressed with the product. It is a solid, powerful tool. It's a truly unique plug and play appliance and solution. I'd give it a 10 (out of 10). If I could give it more than a 10, I would. It is really an outstanding product.
We have had a few false positives, two or three. I was looking at one this morning. However, that was a fault of ours because the IP address on the endpoint wasn't in a reserved mode, so the name of the machine changed. Here is where the ML capabilities shine. The IP address changed, thus a new machine name was apparent to the ML engine. Then, the ML engine looked at both the IP and machine name, and said, "I don't know. It's still the same IP, but it's doing lateral movement now." It turns out that IP was reallocated to a machine on our development side for our DevSecOps, where that type of behavior is totally normal. However, the ML in the tool spiked that out immediately.
The biggest lesson that I've learned is about thinking that your common point solutions, even though you're aggregating them all, will point out all the potential nefarious activities behind your firewall or attempted attacks outside your firewall. You are not going to see everything. You really need to empower the machine learning and AI capabilities of one of these tools in order to see the typical advanced persistent threats (APTs) or those low, slow threats on your network. For example, the anomaly that pops up for five minutes every month because it's using a domain generation algorithm is really where this tool shines. It looks for that needle in a haystack and that anomalous behavior that you're not necessarily going to pick out using a SIEM tool. I don't care how good the SIEM tool is, you need a dedicated product to effectively understand that east-west traffic and ascertain whether or not it is hostile.
Which deployment model are you using for this solution?