Arista NDR Other Solutions Considered

JG
Head of Information Security at an engineering company with 10,001+ employees

We evaluated Corelight, which commercializes the open source solution Bro, or as it's now known, Zeek. We also evaluated Darktrace as well as a couple of other vendors that are new in the space with solutions that claim more of an AI/ML-based approach. Vectra AI was one of them. We also evaluated ExtraHop. We didn't go into a full PoC with most of these because it would have been too much for us. We sat through a variety of demos and technical discussions with the vendors. We only PoC'ed Darktrace and Awake.

Between Darktrace and Awake, Awake was a lot more hands-off, which was good for a smaller team starting out. But at the same time, it was also more understandable. The query language made sense, meaning it was learnable and we could see ourselves using it in the future. Whereas, with Darktrace, it was more of a black box. It tended to have a lot more noise for us.

I'm not as convinced about the AI/ML portion and that's not why we went with Awake. I understand that there's some AI/ML in it, although I don't have a lot of insight into what that does, but we like the fact that it also has more standard and traditional heuristics. They have this query language where you can write heuristics to alert on certain kinds of interesting events. We really like that because it is more understandable in many ways than a pure AI/ML-based solution, the kinds we've seen from other vendors.

DS
Senior Systems Engineer at WealthCounsel, LLC

I evaluated several solutions. One of them was Darktrace, and it looked very similar, although the interface was different. It was very flashy and a little bit more difficult to get around in, but, at that time, the deciding factor was cost. Darktrace was much higher in cost than Awake. The evaluation happened at the beginning of COVID and everyone was scaling back, so the evaluation project died. But the main motivation for not returning to it afterwards was the cost factor.

Another one I looked at was Security Onion, an open-source solution. The cost was right in our ballpark, but the amount of time that I would have had to spend on it didn't make sense for us. We love Awake because of the managed services. If we had gone with Security Onion, I would have been the sole one to manage it, configure it, go through all the false positives, and I would have spent a lot of time on it. It would have almost been a full-time job for me, so it was the time issue that made me decide not to use Security Onion, as well as the interface. It was a collection of different open-source tools bundled together and the interfaces weren't completely unified. Awake is a lot easier to navigate and use.

DS
Senior Analyst Security and Compliance at an insurance company with 5,001-10,000 employees

The original project driver was network visibility, as we didn't have any. We brought in Darktrace, Stealthwatch, and Awake Security for a bake-off. Awake Security filled the need for visibility by being augmented with the MNDR service. 

We found other tool interfaces more polished and more cosmetic in nature. Some folks like to look at that stuff, but you're missing the whole point of Awake Security if you look at it from that perspective.

Awake Security sold the MNDR service as part of their solution. So, the direction was: "Come back and tell me what your MNDR guys have found." They did find incidents our managed virtual SOC had not. There was overlap where the Awake Security team found events our current SOC did not. 

We also looked at Arctic Wolf. They're a managed service around incident response. We did an hour demo. It is a good product, but we are happy that we selected Awake Labs.

Buyer's Guide
Arista NDR
May 2024
Learn what your peers think about Arista NDR. Get advice and tips from experienced pros sharing their opinions. Updated: May 2024.
770,292 professionals have used our research since 2012.
JC
Chief Security Officer

The other options were very expensive. Most of them were deploying endpoint agents, which was something I didn't really want to do, just yet. Endpoint agents usually help you off-prem, but I was more concerned about what was going on on-prem, and Awake seemed to be the best solution, the most complete solution we could get in the short-term, without spending a lot of money.

GF
Chief Security Officer at a university with 1,001-5,000 employees

We looked at Darktrace, ExtraHop and there were a couple others. It really came down to value. What Awake was able to do was to provide the same service that those others were offering but at a lower price, and that lower price also included the threat-hunting. Just getting a tool such as Darktrace or ExtraHop might be great but I would have had to go train a team of people to be able to use it and to get value out of it. Whereas with Awake, I was able to get value out of it on day one.

CH
CISO at an insurance company with 1,001-5,000 employees

We evaluated Darktrace. We got more valuable data from Awake than we actually got from Darktrace. As far as I'm concerned, Darktrace was 100 percent false positives after doing Awake. After doing a PoC with Awake, we realized that the entire PoC with Darktrace was completely inaccurate. That was something that Awake showed us within its first week of being in. They said, "Hey, this is what we're seeing. It's half the size of what we expected compared to what Darktrace was telling you." So, I can't even give an accurate statement as to false positives specifically with Darktrace because I think the entire PoC scene was a giant false positive based on terrible data that they didn't recognize was bad.

Awake is really easy to use. It was just far easier to use as far as seeing rich, actionable data than LogRhythm. There was less of a learning curve to understand what they were trying to represent. The other thing was I found much fewer false positives in Awake. The data was more accurate, especially during that PoC phase.

From my opinion of the engineers that I met on each side of the table, Awake had engineers who really knew what they were doing. They were able to identify issues more quickly with the way our appliance was collecting and seeing data. Awake came to us after a week, and said, "We're seeing duplicate data." That was data that Darktrace was trying to charge us double for. Therefore, the technical expertise and understanding from the team seemed much greater at Awake than it did at Darktrace.

I didn't even consider LogRhythm to be on the same level. 

RP
Senior Security Engineer at a pharma/biotech company with 1,001-5,000 employees

We evaluated ExtraHop. There were two reasons we went with Awake Security. First, we really liked the artificial intelligence aspect of Awake with its behavioral modeling. And second, honestly, was the price. It was cheaper. We were impressed by them at the RSAC Innovation Sandbox. That's where we initially made contact with them.

ExtraHop is a standard network security appliance. The machine-learning within Awake is what sets it apart.

DV
Director of Projects and IT at a healthcare company with 201-500 employees

One thing that was specific to network monitoring that I used for some period of time was an open-source solution called Security Onion, which contains Zeek and Suricata, two open-source tools that are focused on network analysis. They work well, but they are fairly time-consuming and, of course, there's the support issue with the open-source that is often hit and miss. Having a network monitoring team on our side with the Awake Security appliance is a big step up.

We also considered and talked to people at ExtraHop, but they were just too expensive for us and they had more complex requirements for implementation.

MD
Head of Cyber Threat Operations at an energy/utilities company with 1,001-5,000 employees

I looked at NetWitness and Darktrace. Neither of them was as capable.

The primary reason we went with Awake Security was the fact that the machine-learning was working at a different level. It was working in a manner that the other two solutions weren't. Vectra AI comes close, but it's not the same.

I try to describe it as "aggregation." Other solutions will say, "Hey, this device is doing something weird." But they don't aggregate that data point with other data points. With Awake you have what's called a "fact pattern." For example, if there's a smart toaster on the third floor that is beaconing out to an IP address in North Korea, sure that's bizarre. But if that toaster was made in North Korea it's not bizarre. Taking those two data points together, and automating something using machine-learning, is something that no other solution is doing right now. The only solution doing that is Awake. It's aggregating data points.

KL
Director of Information Security at a computer software company with 201-500 employees

I am impressed with the data science capabilities of Awake, in regards to AI and ML capabilities built into the tool. We stacked up Awake against a competitor. I put both products, Darktrace and Awake, in a head-to-head bake-off back during the October time frame. Awake was the clear winner for a bunch of reasons: ease of use, a lot of the lateral movement for triggers on indicators of compromise and the Awake rule sets were far deeper and more insightful than information I was receiving out of the ML capabilities afforded within Darktrace.

Darktrace had quite a few false positives. 

Another problem with Darktrace that I found was the interface and the ability to work within the tool to look at information graphically. While available in Darktrace, the ability to navigate and dive deeper into those fingerprints signatures is very kludgy.
