Arista NDR Benefits

JG
Head of Information Security at an engineering company with 10,001+ employees

Awake's MNDR has affected our overall security posture very positively. Having a team that is able to monitor our network activity has been a huge help.

The solution uncovers the entire attack surface for the environments we're using it in. That is one of the important reasons we brought in Awake, and in general, network monitoring. We wanted to be able to have that visibility at the base layer, at the network layer, into things that may not be covered by other monitoring tools. For example, EDR won't cover shadow IT and systems that simply don't have endpoint protection installed. Awake will at least help us be aware of those and monitor suspicious activity at the network level.

Overall it has improved our InfoSec operations in that it frees up our security engineers from having to triage every little thing that might show up on the network and, instead, rely on Awake—the combination of their technology and the people on their MNDR team—to help offload that work from us.

It tracks both managed and unmanaged devices, the way we have it set up. And that is definitely of value to us because otherwise we wouldn't have a lot of visibility into the unmanaged devices. Awake has helped us identify things like personal devices that were improperly and inappropriately connected to our corporate network. It has helped us to identify devices in the R&D environment that weren't managed. Maybe they were some legacy system that's been sitting around for a while, or an R&D engineer hooked up some custom Linux device to the network. Awake has helped us be aware of those kinds of things. We feel better that Awake is monitoring those kinds of unmanaged devices. We wouldn't have as much visibility into the activity if we didn't have Awake.

In terms of productivity, it wasn't that we had an existing team monitoring the network and that we ended up with a more effective or productive workflow after onboarding Awake. More importantly, we simply didn't have much network visibility before Awake. It speeds up response times but, more importantly, we are now able to respond to things that we simply weren't seeing before.

View full review »
CG
Chief Technology Officer at a financial services firm with 11-50 employees

Awake has made us more productive. We're spending less time looking at false positives, so we can focus on what's truly important. It hasn't affected the morale of our analysts because we use a third-party SOC. 

When I look at the central dashboards, I can see what adversarial models were matched within the day, and when I click on that day, I can see what models and device names got triggered within my homepage. If I want to dive further into that model, I can click on that, and it tells me what the threats were as well as a lot more information on the endpoint or the asset. Then, if I want to see even more information, such as the actual activities, it's three clicks, and I'm on the activities themselves. I can pull a PCAP and investigate it. Regarding responsiveness and how quickly I get the answer, it's much faster than what I used to have.

It's hard to quantify, but it would have taken me 10 minutes to figure it out in my previous solution because I'm on the platform every day. Awake is easier and more intuitive. You see the day, the triggered models, and the asset. Then you click on the asset and activities. They're right there. I get the source, destination, and details, then download my PCAP, and I'm done.

Awake also tracks unmanaged devices. We have a guest WiFi, so if someone logs in to that, it's an unmanaged device. If they log in and try to do something bad, Awake will flag it and tell me. It's important even though we don't have as many people coming in and using the guest WiFi due to COVID, but we need to know if a guest user is doing something malicious.

View full review »
DS
Senior Systems Engineer at WealthCounsel, LLC

The biggest advantage we have from using Awake is a more complete and comprehensive security posture. Previous to this, we didn't have any way to monitor traffic, as doing so wasn't really required. It's now something that we want to implement. Given that I'm the lone person on the team, I'm covering everything. I don't have the time and resources to dedicate to just network management and the traffic. It helps us, as part of our security posture, to manage and monitor and address these aspects.

Awake definitely helps me focus on the highest risk alerts. There isn't a lot of noise or garbage, at this point, in the information. It really helps me focus on the real issues.

In addition, our on-prem stuff is all encrypted. We can't, of course, see the contents, but it's been enough to determine the source location. A lot of the header traffic has been enough to usually determine, by correlating with other tools that I use internally, if there is an attack. It's sufficient for what we need to do.

It uncovers threats that rely on compromised credentials or supply-chain compromises, rather than focusing just on malware threats. We've had several instances where someone was trying to hit our production traffic using made-up credentials. Awake alerted us to one such incident this morning, that someone was trying to use those types of credentials to get in. Of course, they were bogus and unsuccessful, but they're able to recognize that type of attack.

The solution also tracks both managed and unmanaged devices, because it's pulling all traffic, regardless of its source or destination. It helps because we can, at least for our on-prem location, see which devices are attached and if there are any devices that we were unaware of, or that employees brought in. It's quite helpful in that regard.

That tracking of both managed and unmanaged devices helps detect a broad range of threats and it gives us the context we need to respond. The list of devices that we have on our on-prem network is fairly small, so it's quite obvious when new devices are attached. We haven't had this happen yet, luckily, but if it did, we'd be able to recognize it and see, not only that they showed up, but where the traffic is being sent to from these devices. That would enable us to address it. We can work with Awake on response management and mitigation of that device as well, thanks to the managed services.

In addition, when it comes to productivity, because I have not had to focus on this as much, I have definitely been more productive. I can focus on other security areas and I trust that their solution and their services are managing and catching any issues that arise for us. It has been a huge help.

Awake’s technology, artificial intelligence, and human expertise within the MNDR service have really increased our security abilities. Our security posture is more comprehensive. We can cover more attack vectors coming into our company and our platform because Awake is covering a large amount of that for us. We don't have to dedicate time to it, due to their managed services and their AI engine helping them detect and identify attacks. It's been a great help. We can use our time, which is a limited resource in our company, much more effectively.

It has also helped speed up response times, overall. When they have notified us about issues, I haven't had to go in and hunt down the log information, look at IPs, what it's hitting, et cetera. Their managed services provide me with a lot of that detail. I can use that detail to go into the tool and look at exactly what they're looking at using a query. I can recognize whether I need to investigate it further or, if I know what it is, respond to them. From the instances they have sent me, it takes me about 10 minutes, per instance, to figure things out and respond to them, whereas normally it would take me one to two hours to hunt down all the information.

View full review »
Buyer's Guide
Arista NDR
April 2024
Learn what your peers think about Arista NDR. Get advice and tips from experienced pros sharing their opinions. Updated: April 2024.
767,847 professionals have used our research since 2012.
DS
Senior Analyst Security and Compliance at an insurance company with 5,001-10,000 employees

Open communication with the MNDR service has driven down the number of false positives. The current average is five events a week, where four are actionable.

The direction we are heading is moving away from traditional alerts and focusing on entities that pose the highest risk to our environment. With the behind-the-scenes tuning, this lends to a clearer understanding of what this device does. Awake Security is constantly asking, "What is the purpose of a device in the environment?" and, "I'll update the LSOP, and we'll get this tuned."

We appreciate the value of the AML (structured query language). We receive security intel feeds for a specific type of malware or ransomware. AML queries looking for the activity are applied in almost real time. Ultimately, this determines if the activity was not observed on the network.

View full review »
EE
Chief Information Security Officer at Dolby Laboratories

The most valuable aspect for us is that we have a small team, so when we bring in new security solutions, it's really important that they're tuned well because there are only so many alerts that we're going to be able to deal with. If we put something in place that creates a massive amount of alerts, we're just not going to have the resources necessary to respond to all those. Putting something into place that can look at really sensitive internal networks and do it in a way that doesn't cause us to have to hire a number of additional resources to support that is really important. 

A lot of security teams underestimate the resourcing needed when you put new platforms in just to maintain, care, feed, and respond to the alerts that come from a new system. With Awake, it's very self-sufficient. The tool does a lot of the work and they even have managed services on top, if you need additional resourcing to help you deal with the alerts or configure the system more, that comes as part of the solution. You really put yourself in a situation where you're going to be successful quickly without having to scale your team.

It helps us stay in compliance with government regulations. As more privacy regulations come into effect, we definitely want to make sure that we're meeting privacy regulations both today and have the flexibility that if a new regulation comes out in the near future, we still have something in place that can keep us in compliance and we don't have to change our security architecture. Awake gives us the ability to detect and respond to security incidents while still protecting the privacy of that data.

We use Awake Security to identify and assess IoT solutions. All these technologies need to work on all types of devices, including early-stage and proprietary versions of prototypes of phones and tablets, and at the early stage, versions of new operating systems that come out on those devices. Obviously, those are situations where we wouldn't be able to have a standard security agent running in those environments, but we definitely want to understand if those devices are communicating outwardly to the types of things on the internet that you'd expect them to, or if there are any connections going back and forth to the internet that would be out of the norm for machines that have very strict testing scenarios around them, so it's very easy to understand.

We want to make sure that those devices are only communicating with a pretty strict set of use cases. Being able to understand the traffic coming to and from those devices is really important and using a network tool is really the only way to go.

Cloud TAPs for visibility into cloud infrastructure are something that all security teams need to be looking into. I think a lot of people have jumped to the cloud and realize that they don't have firewalls anymore. People tend to rely on security groups and access controls. As a result, security teams often lose visibility of the network traffic on the cloud that they may have had on-prem. It's not apples for apples. If you don't necessarily have the same security toolset, you can lose visibility. Having something like Awake on the cloud is definitely something people should start thinking about to be able to obtain that visibility.

View full review »
JC
Chief Security Officer

The way their algorithm works, they have a threat model that brings up the most concerning activities, pretty much like an analyst who is very knowledgeable. On a tier level, a Tier 4 analyst would recognize the suspicious activity. Their algorithm takes somebody who is a Tier 1 or Tier 2 and gives them that clarity at a glance. Their knowledge is pretty top-notch. I also have the added feature of having an analyst that I work with at Awake to help me interpret some of the risk, which is a top-level-analyst type of assistance.

The biggest thing it has saved me is having to bring on a high-level analyst. We're a startup company so money is very tight. I would have had to hire a Tier 3 or 4 analyst to look at our daily traffic. When we deployed this system I could put off making that hire because we're still growing the system. Now, someone like me, who doesn't have a lot of time, can take a quick glance at what's going on in my environment and know whether I need to take action or not, pretty quickly. It's saving me money, saving me time, and gives me a level of comfort that I have visibility within our network which I don't think I could get very easily any other way.

Awake Security helps me monitor devices used on my network by insiders, contractors, partners, and suppliers. We have vendors coming in all the time, we partner with people who use our WiFi access, the internet from within our environment. I have a few people who come in on my guest network and I don't know who they are, but if an incident happens I can quickly identify the systems that are concerned. A lot of times people bring systems in that aren't under my control or introduce threats in my environment which I can attribute to a visitor log right away. We have BYOD in our environment too, and I don't have control over those devices. Given that people are bringing those devices into my network, I feel a lot more comfortable that, if I get a trigger on Awake, I can quickly identify that device as belonging to one of our employees because I've seen it over a long period of time; or I can identify if it's a new device which could be a visitor or the like. I get a lot more clarity on lateral movement in my environment than I think I could any other way.

I was on a call with them looking for any encrypted traffic going on in my environment. They can spot it pretty quickly. Making sure I'm looking at encrypted traffic going outbound helps me stay in compliance.

Finally, it provides me with better situational awareness. It's 1,000 times better. I spent two years in a bigger company and I never felt like I had good visibility into lateral movement. I know what it takes to get that level of visibility and this system does it almost instantaneously.

View full review »
GF
Chief Security Officer at a university with 1,001-5,000 employees

We are able to see lateral movement between networks, which is really important. Having packet captures stored for a period of time helps us with forensic investigations. If we learn something after the fact, we can go back and see what went on at what time and correlate different events. 

I'm a big proponent of Zero Trust and one of the core tenets of Zero Trust is that you log everything. That gives us the ability to have greater insight into our network and what's going on. The goal is to shift us from being reactive, always responding after something went wrong, to being proactive. We've been collecting logs from servers for years, but the missing piece was always the ability to collect network traffic as well.

We find so much value in the threat-hunting service. We didn't have to increase the size of our team and get value out of the product. The product itself is good and valuable, but having to train and retain the talented threat-hunting folks that we'd have to have to go through it would be a real barrier. Having that as a service is really important.

We have TAPs in our network, and they see all traffic, whether it's a managed device or it's a student going to Netflix. We obviously filter out a lot of the traffic that's not relevant to a security appliance. It's one of the key values for a university environment. We've got just as many, if not more, unmanaged devices on our network than we do managed devices. When I think about lateral movement, where folks are talking and whether folks are talking to machines they shouldn't be talking to, the ability to track both managed and unmanaged devices really helps in giving us peace of mind that we're in good shape.

That tracking of managed and unmanaged devices provides really good context. Even if the device is unmanaged, we still have some insight into who they were, what they were doing, what services they accessed. Generally speaking, we can correlate and figure out that it was, for example, a particular student doing something. In a corporate environment, they would likely have a lot fewer unmanaged devices, but it really provides that insight into who people are and where they are going.

The solution also presents us with "Situations" rather than individual events. It does a type of roll-up of what activity happened. In some cases, the activity could be ongoing and you see new events or data populating in real-time, which is really helpful. It's transformed our process in the sense that it really provides visibility into an area we didn't have visibility into before. And it fits really well into our ecosystem. We've got another managed service provider that provides us with a security operations center. It fits really well into the ecosystem.

Awake Security has also decreased the time it takes to discover things, although we don't have it configured to do any automatic orchestration or remediation on its own. 

View full review »
CH
CISO at an insurance company with 1,001-5,000 employees

From a compliance standpoint, we were able to easily identify some security weaknesses built into our systems from an architectural standpoint. We were able to quickly remediate these, e.g., some places encryption was lacking or places where passwords were stored.

This solution helps us monitor devices used on our network by insiders, contractors, partners, or suppliers. Its correlation and identification of specific endpoints is very good, especially since we have a large, virtualized environment. It discerns this fairly well. Some of the issues that we have had with other tools are that we sometimes are not able to tell the difference between users on some of those virtualized instances. This solution doesn't seem to have an issue because enough data is collected that we can easily tell which users are responsible for the traffic on which systems.

I haven't seen any real false positives from Awake. Everything that I have seen that hasn't been actionable has been either low-level stuff or part of the learning that Awake is doing in our environment. These have been some legitimate processes or functions that look bad but are normal in the environment. Therefore, false positives are pretty low in Awake.

View full review »
RP
Senior Security Engineer at a pharma/biotech company with 1,001-5,000 employees

We had an incident that involved a phishing email that came in. We were able to use Awake Security to detect everybody on the network who actually went to the website linked to by the phishing email. It allowed us to take care of the infection. Whereas before, we'd have to wait and base things around user self-reporting.

It also definitely helps us monitor devices used in our network by insiders, contractors, partners, and suppliers. Everything that moves across our network, exits or moves laterally across our network, is picked up by the Awake appliance. So if anybody's using a device on our network, it's captured in the appliance.

In addition, we use Awake Security to identify and assess IoT solutions. We don't have a ton of them on our network but we are a cancer research institution so we do have scientific instruments that are internet-aware and which get their updates across the internet.

Finally, it provides us with better situational awareness. I would say there has been about a 50 percent increase there.

View full review »
DV
Director of Projects and IT at a healthcare company with 201-500 employees

Their monitoring team is really top-notch and they're easy to communicate with. They're very responsive. The combination of the appliance and the team is the biggest benefit. I'm not sure if we had only gotten the appliance that there would be as much of a benefit. We have other tools, we're not without visibility, but we have much better visibility now.

They do all the levels and tiers of monitoring and alerting. We just do incident response if it's required, or we modify or implement additional controls on the network. They tell us how it's going to impact or benefit our security. They are a partner. It's a partnership that's very functional and it's something that works for us. We could use the appliance ourselves and do the monitoring and threat-hunting, but we don't have enough staff for that. And their staff is, obviously, better qualified than if we were doing it in-house.

If there's any traffic that looks like it's a breach of policy, or something that seems like suspicious lateral movement, or unencrypted passwords, it is really beneficial to have them check it out first. But what it's really doing is more of a confirmation of our network security controls and design, confirming that they're working the way that we want them to. That's the biggest benefit.

View full review »
MD
Head of Cyber Threat Operations at an energy/utilities company with 1,001-5,000 employees

We had an event where an attacker tried to steal login credentials. We were able to find the targets on the network using Awake and we were able to turn on multifactor authentication, not only for those users but for the entire enterprise. We were discovering that that was a very common attack tactic. It was a driver for change. Now, all users at this company have multifactor authentication as a result of Awake's capabilities.

For a long time I was the only person in our company doing security. We're a $30 billion company. So you can imagine how much I appreciate how much time Awake has saved me to be able to do other things. It's been an immense help.

The solution provides us with better situational awareness. In terms of network visibility, it's looking at all network traffic. Anything that's going through, it's doing that full packet capture and it's doing the analysis using the algorithms. And it's telling me what's on the network and what it's doing.

View full review »
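The phishing incident in RP's review (finding everyone who visited the linked site) and the credential-theft event in MD's review (finding the targeted hosts) are the same scoping task: given the URL from the email, query the captured network metadata for every internal host that looked up or requested that site after the email was delivered, and rank the hosts by how far they got. The block below is an added example written for this page, not code from any of the reviewers or from Awake/Arista. The log format, the sample records, the phishing URL and the delivery time are all constructed; a real NDR appliance exposes the equivalent data through its own query interface.

```python
# Added example: scope a phishing campaign from network records.
# Everything below (log format, sample lines, URL, delivery time) is constructed.
from __future__ import annotations

from datetime import datetime, timezone
from urllib.parse import urlparse

# Constructed sample records: "<timestamp> <kind> <src_ip> <server name> [<path>]"
# kind is "dns" (a name lookup) or "http" (a request, with its path).
SAMPLE_LOG = """\
2024-04-02T08:50:00Z dns  10.20.9.9  login-portal.example.net
2024-04-02T09:14:03Z dns  10.20.1.15 login-portal.example.net
2024-04-02T09:14:04Z http 10.20.1.15 login-portal.example.net /auth
2024-04-02T09:15:11Z dns  10.20.1.22 updates.example.org
2024-04-02T09:16:40Z dns  10.20.3.7  login-portal.example.net
2024-04-02T09:16:41Z http 10.20.3.7  login-portal.example.net /auth
2024-04-02T09:16:52Z http 10.20.3.7  login-portal.example.net /auth/submit
2024-04-02T10:02:19Z http 10.20.1.40 LOGIN-PORTAL.example.net /
"""

PHISHING_URL = "https://login-portal.example.net/auth"             # constructed
EMAIL_DELIVERED = datetime(2024, 4, 2, 9, 0, tzinfo=timezone.utc)  # constructed


def parse_record(line: str) -> dict:
    """Split one constructed log line into its fields; server names are case-folded."""
    fields = line.split()
    ts = datetime.strptime(fields[0], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return {
        "ts": ts,
        "kind": fields[1],
        "src": fields[2],
        "server": fields[3].lower(),
        "path": fields[4] if len(fields) > 4 else "",
    }


def affected_hosts(log_text: str, phishing_url: str, delivered_at: datetime) -> dict:
    """Return {src_ip: summary} for every host that touched the phishing site
    after the email was delivered. Earlier contact is excluded because it cannot
    be this campaign (here, 10.20.9.9 resolved the name before delivery)."""
    target = urlparse(phishing_url).hostname.lower()
    hits: dict[str, dict] = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_record(line)
        if rec["server"] != target or rec["ts"] < delivered_at:
            continue
        entry = hits.setdefault(
            rec["src"], {"first_seen": rec["ts"], "lookups": 0, "requests": 0, "paths": []}
        )
        entry["first_seen"] = min(entry["first_seen"], rec["ts"])
        if rec["kind"] == "dns":
            entry["lookups"] += 1
        else:
            entry["requests"] += 1
            entry["paths"].append(rec["path"])
    return hits


def triage_order(hits: dict) -> list[str]:
    """Hosts that actually sent requests come first (most likely to have entered
    credentials), then by time of first contact, so responders work top-down."""
    return sorted(hits, key=lambda h: (-hits[h]["requests"], hits[h]["first_seen"]))


if __name__ == "__main__":
    found = affected_hosts(SAMPLE_LOG, PHISHING_URL, EMAIL_DELIVERED)
    for host in triage_order(found):
        s = found[host]
        print(host, s["first_seen"].isoformat(), "lookups", s["lookups"],
              "requests", s["requests"], "paths", s["paths"])
```

Matching on the hostname rather than the full URL is deliberate: a DNS lookup carries no path, and a user who followed a redirected or shortened link still resolves the same name. The delivery-time cut-off is the check that keeps unrelated earlier traffic out of the incident scope.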
KL
Director of Information Security at a computer software company with 201-500 employees

It is all about visibility. From an information security standpoint, the capability for the team to be able to single out devices to respond quickly and intelligently, to say, for example, "It is this laptop (or endpoint) from this person in finance. I know exactly what it's doing, what's wrong, and I know how to fix it." So, they're empowered walking up to that department or individual. The face of information security used to be, "Oh, the security guys are on that floor." Now, there's a different take. "These guys know what they are doing and are here to help me. I have an issue, and they solved it very quickly." It's making overall security less painful for our folks, which translates into secure adoption of security policies, standards, and awareness. That's another intangible.

Sometimes, the harder part is not interjecting and removing a node, but understanding what it was doing so we have a higher assurance of what type of data may or may not have been exfiltrated because that may trigger reporting laws, etc. 

We operate globally, so we have to adhere to the principles of GDPR, and also in Canada, PIPEDA. We have a regulatory/legal obligation to report if there is a data exfiltration. Understanding the nature of the data (what these devices are connecting to), if there is an exfiltration, goes a long way toward shaving off the time my staff has to spend running these issues down. For example, one incident could potentially, in gray dollars, cost thousands of dollars. If, at the end of that investigation, we find out days later that we potentially would have had a reporting obligation, this makes it very difficult. Now, we would have to dive deeper and find out what that data was before we can report to the regulatory bodies, and in particular, our data protection authority for GDPR.

It also allows me to prioritize my staff. So, there are a lot of intangible dollar savings there. Rather than having a group of folks running around attempting to focus on preventative measures, we are focusing on the situations at hand ensuring that we have a grasp of what's going on in our network.

This solution’s encrypted traffic analysis helps us stay in compliance with government regulations. It is all about understanding data exfiltration, what is ingressing and egressing in our network. One common attack vector is exfiltrating data using encryption. My capability to see potential data exfiltration over encrypted traffic is second to none now.

It is all about being able to say with confidence to the executives, the senior leadership team at the board level, that by putting this tool in place we have visibility into east-west lateral movement and traffic in the north-south. We also have a high degree of confidence that we are maintaining our security posture.

It doesn't matter where in my network, including wireless networks, I have it all feeding into the same mirrored port. I can see the traffic from any device which is plugged into the network at any time. The Awake ML will identify it. Then, on the dashboard, it will show me every morning any net new devices, how many devices are active, and how many devices may be impacted by a potential threat. I can see instantly any suspect domains that those devices are trying to connect into and what domains are unique. It also shows me net new domains every day at a glance. It then categorizes all of that information using its ML capability into an easy-to-use interface: high, medium and low. If need be, it will allow me to pivot on that device specifically, looking at it graphically. I can use that to understand what that device is connecting to, and in the same view, understand what type of data is moving back and forth.

We have a certain amount of IoT here, but not a lot. We have things behind our firewall that are definitely IoT which made me nervous, but I'm a lot more comfortable now. For example, we are a very large software as a service company based mid-market. We have somewhat of a startup culture, so we have food vending type services that exist behind our firewall, albeit segmented. These are Internet of Things devices, such as an automated machine that cooks food that is constantly reporting back to the vendor. We have several different other examples of IoT within our shop, and it allows me to see that traffic as well.

View full review »
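Several reviewers describe the same workflow from the network side: every device that sends traffic is seen regardless of whether it has an agent (JG, DS at WealthCounsel, GF), net-new devices are surfaced each morning and ranked high/medium/low (KL), and for a new device the question is where its traffic is going (DS, GF on lateral movement). The block below is an added example written for this page, not code from any reviewer or from Awake/Arista. It assumes a MAC-keyed asset inventory and a minimal flow-record format; the inventory, the flows, the internal address ranges and the two thresholds are all constructed.

```python
# Added example: find devices not in the asset inventory from flow records and
# rank them by where their traffic goes. Inventory, flows and thresholds are
# constructed for this example.
from __future__ import annotations

from ipaddress import ip_address, ip_network

# Constructed asset inventory: MAC address -> label of a managed device.
KNOWN_DEVICES = {
    "aa:bb:cc:00:00:01": "finance-laptop-07",
    "aa:bb:cc:00:00:02": "rnd-build-server",
    "aa:bb:cc:00:00:03": "printer-2f",
}

# Address space treated as internal; any other destination is "external".
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]

# Constructed flow records: "<src_mac> <src_ip> <dst_ip> <dst_port> <bytes_out>"
SAMPLE_FLOWS = """\
aa:bb:cc:00:00:01 10.20.1.15 10.20.5.5     443  12000
aa:bb:cc:00:00:02 10.20.7.3  203.0.113.10  443  2200
de:ad:be:ef:00:01 10.20.1.77 10.20.5.5     445  800
de:ad:be:ef:00:01 10.20.1.77 10.20.5.6     445  800
de:ad:be:ef:00:01 10.20.1.77 10.20.5.7     445  800
de:ad:be:ef:00:01 10.20.1.77 198.51.100.9  443  950000
de:ad:be:ef:00:02 10.20.2.12 10.20.5.5     443  4100
aa:bb:cc:00:00:03 10.20.9.1  10.20.5.9     9100 300
"""

# Constructed thresholds: what makes a net-new device worth looking at first.
LATERAL_PEER_THRESHOLD = 3        # distinct internal hosts contacted
EXFIL_BYTES_THRESHOLD = 500_000   # bytes sent to external addresses


def is_internal(ip: str) -> bool:
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def parse_flows(text: str) -> list[dict]:
    """Parse the constructed flow format into dicts; MACs are case-folded."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        mac, src, dst, port, nbytes = line.split()
        flows.append({"mac": mac.lower(), "src": src, "dst": dst,
                      "port": int(port), "bytes": int(nbytes)})
    return flows


def unmanaged_device_report(flows: list[dict], known: dict = KNOWN_DEVICES) -> dict:
    """Return {mac: summary} for every device whose MAC is not in the inventory.
    The summary records the IPs it used, which internal and external hosts it
    reached, bytes sent externally, and a priority with the reasons for it."""
    report: dict[str, dict] = {}
    for f in flows:
        if f["mac"] in known:
            continue
        entry = report.setdefault(f["mac"], {
            "src_ips": set(), "internal_peers": set(), "external_peers": set(),
            "ports": set(), "external_bytes": 0,
        })
        entry["src_ips"].add(f["src"])
        entry["ports"].add(f["port"])
        if is_internal(f["dst"]):
            entry["internal_peers"].add(f["dst"])
        else:
            entry["external_peers"].add(f["dst"])
            entry["external_bytes"] += f["bytes"]
    for entry in report.values():
        reasons = []
        if len(entry["internal_peers"]) >= LATERAL_PEER_THRESHOLD:
            reasons.append(f"contacted {len(entry['internal_peers'])} internal hosts")
        if entry["external_bytes"] >= EXFIL_BYTES_THRESHOLD:
            reasons.append(f"sent {entry['external_bytes']} bytes externally")
        entry["priority"] = "high" if reasons else "low"
        entry["reasons"] = reasons
    return report


if __name__ == "__main__":
    for mac, s in unmanaged_device_report(parse_flows(SAMPLE_FLOWS)).items():
        print(mac, s["priority"], sorted(s["src_ips"]), s["reasons"])
```

Keying on the MAC rather than the IP is what makes "new device" meaningful on a network with DHCP, and keeping the internal and external peer sets apart is what lets the report answer the two questions the reviewers raise separately: is this device moving laterally, and is it sending data out. In practice the inventory would be refreshed from the NDR's own device list or an asset database rather than a literal dict.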