Arista NDR Previous Solutions

JG
Head of Information Security at an engineering company with 10,001+ employees

We were not comprehensively using a previous solution. We had firewalls with DPI enabled but that's not the same thing as Awake being able to monitor internal traffic as well. We needed this kind of core capability.

CG
Chief Technology Officer at a financial services firm with 11-50 employees

Previously, we were Darktrace customers, and we had the Darktrace platform set up in two locations: here and our data center. We leveraged them because we wanted to have an NDR solution. Darktrace is great eye candy, but we got a lot of false positives in the environment. When we spoke with Darktrace, they assured us that it was AI with machine learning capabilities so that it would adapt to our environment the longer it was deployed.

I'm not sure if they've gotten better since then because I left them two years ago, but our SOC was spending too much time looking at false positives. When we approached Darktrace and told them that the solution was flagging functions that were normal in our environment, the support was not up to scratch. If you constantly have to change the model and tell it to ignore issues in your environment, then that's not machine learning because it's not learning the environment.

Awake had what I was looking for with Darktrace but didn't get, which was to get a response. So you detect it and respond to it by integrating it with the EDR tool, specifically at the endpoint. I wanted a response, but that automation wasn't there. Darktrace has it now. However, Awake had the EDR integration to CrowdStrike and SentinelOne out-of-the-box, which was great because then I wanted to do it, but it's not fully automated yet. I can isolate the endpoint from the Awake platform, but there's still no playbook yet where it says, "Okay, if you find a ransomware attack going on, isolate that endpoint and respond automatically." That's on Awake's roadmap.

Another reason I moved to Awake was that they're not truly ML or AI, and they don't sell themselves as that. They look at it differently from a security perspective, and I like that. The integration with EDR is better than what I had. They were looking to integrate with Palo Alto and Cisco firewalls to automate the response to IOCs. If an IOC is identified in my environment, it will tell my firewall to start dropping the traffic to the IOC. They don't have this functionality yet, but I know it's on the roadmap because I just had a call with them about a month ago. I have a Palo Alto firewall, and the integration with Palo Alto will come along in Q1 next year.

I think Darktrace has this, or it's in the process of adding it, but Awake already had it on the roadmap two years ago. That was something they were building towards. Since then, I have expanded my relationship with Awake Arista by signing up for their MNDR service, which has been super helpful because we still get false positives when I tweak the adversarial models to match my environment. I don't think there's a solution that will genuinely learn your environment and know what's normal versus what's not. I've found that dealing with support is better than dealing with Darktrace. Granted, I have the MNDR team also now, but this was the case even before that. With the MNDR team, I send them an email telling them the alerts we've gotten and the workbench queries we used. Then I ask them to tweak the model, so we don't get false positives. After an hour or two, it's done. Compared to Darktrace, the level of responsiveness from Awake has been night and day.

I get low-risk false positives, and I treat them all the same, but I have a managed external SOC, and they will not. I do because I want to see less noise, and I want my SOC to focus on what's important. As such, I want to tweak the adversarial models to focus more on aspects that warrant research and response rather than just an alert that comes in. We can decide to look at something later when we have time because we can see it's a low-level risk. Awake categorizes these, so you know it's low when you see an alert with a risk score of 20. Still, I want to clean it up, so that I don't see them. When I look at my platform dashboard, I want to know that I have had X unique adversarial models for the past week and Y high-risk devices. Then I can zero in on those high-risk devices to see what they are and what they're doing. 

I was a Dell Secureworks customer for a while. They were great tools, but they weren't NextGen. I thought Darktrace was NextGen. I had probably done a demo with them two years before becoming a client. I had Secureworks as a SOC, but then I wanted something more. When it was time to change my SOC from Secureworks, I figured I could use Darktrace and get an external SOC to ingest all of my security logs for the same cost I'm paying Dell Secureworks.

I thought that my SOC was spending too much time investigating all the false positives we were getting out of Darktrace, and it wasn't their job to tweak Darktrace. It was certainly more challenging for me to do it and more brutal to me to work with support to do it. And so, after attempting that for six months, I came across Awake. I can't remember exactly where. It must have been a marketing email I got, and I decided to look into it.

I think they had just come out of stealth mode when I started talking to them, and I decided to put them in at the same time I had Darktrace and do a bake-off. I realized that I was getting fewer false positives but, unfortunately, the platform does not have 3D manipulation, which I call the "eye candy" of Darktrace. It's an excellent visualization tool. It looks fantastic, but it's not easy to dive in and look at the logs.

I like how Darktrace can replay the traffic and show the messages coming in. I thought that was a pretty cool feature that I wish I could do with Awake. But again, it's eye candy. The information is there, but you can't play it to the second as the traffic comes in. When I tried out Awake, I was taken aback because they had the IOC ingestion and were planning on automating that. They were also planning on integrating Awake with Palo Alto firewalls. Awake also had the EDR implementation as I was looking at migrating from Cylance to CrowdStrike. They already had Cylance integration also. I thought it was a no-brainer as long as I could get it for the same cost as Darktrace. I knew I would get a little more value out of it. I would lose the eye candy and the playback, but my SOC will spend less time looking at false positives.

I don't pay more or less if my SOC gets a thousand tickets or 10, but I also don't believe in my mailbox getting spammed with issues that worry me. Of course, I still get false positives from Awake. At most, it's maybe one a day, which is not terrible. We used to get five, but then I started tweaking it, and now we're getting roughly one every two days. We used to get five a day because no platform is built for your environment. They're built for all environments. They have to look for issues they think are malicious. You get that with SentinelOne too. I get false positives with SentinelOne and Excel files that look like they're meeting a MITRE ATT&CK framework, but they're not.

I think people should be ignored if they tell you there is a tool out there that's truly going to learn your environment. Darktrace claims that the tool will self-adjust the longer that it's in your environment. It won't. I've seen it, and unless that's been massively improved, I don't believe it.

DS
Senior Systems Engineer at WealthCounsel, LLC

We did not have a previous solution.

Buyer's Guide
Network Traffic Analysis (NTA)
March 2024
Find out what your peers are saying about Arista, Darktrace, Vectra AI and others in Network Traffic Analysis (NTA). Updated: March 2024.
765,386 professionals have used our research since 2012.
DS
Senior Analyst Security and Compliance at an insurance company with 5,001-10,000 employees

We are a start-up company, established within the last two years. We had a bake-off of three AI-based network visibility tools, and Awake Security was our selection.

EE
Chief Information Security Officer at Dolby Laboratories

We had done a proof of concept with Darktrace for a number of months before Awake. There were a lot of issues with false positives, meaning, there were a lot of alerts coming from the system that when we looked at them, we could tell that that's actually normal business operations for the environment that it was looking at. It was one of those things where we thought that with machine learning, it would pick it up over time and it would start to tune these things out, but we really had consistent problems with it generating too many alerts to the point that the more important alerts were getting lost in the shuffle of the false positives. We ran it for a while to try and understand if it would learn and get better, but we didn't get to a point where we felt confident in the alerts that were coming out of it.

JC
Chief Security Officer

At this company, we did not have a previous solution, but I've used other systems, SIEMs for looking outward-in, like QRadar. That was our system at my previous company. The challenge I saw with something like QRadar was that it was outside looking in. It was looking at our border alerts on our firewalls and looking into our network. An analyst would take those alerts and try to trace to the endpoint that might be causing the problem or that was connected to the problem. He would take the alerts early in the morning, spend about four hours tracing everything that needed to be traced, and then finally get into the endpoint. Awake takes the opposite approach and looks at the endpoints that have the most concerning activity and bubbles that up to the top.

I tell people it saves me about four hours' worth of analyst work daily. I can look at it in five minutes and know which endpoints are of concern, and then I spend a few minutes analyzing whether that's activity that I expected or did not expect, and I can move on. I can look at it daily and get a good feel for whether I need to address something, or I've learned that that alert is not really of concern because it's expected activity.

We got to Awake Security because someone recommended it. One of the consultants I work with had a connection with Awake. They said, "Hey, look at this company." I gave them a call; they came out and did a demo really quickly and then we set up a PoC to see if it worked in our environment. Almost instantaneously, my IT manager and I loved the system because of the visibility we could get so quickly.

GF
Chief Security Officer at a university with 1,001-5,000 employees

We used similar solutions in the past. We switched to Awake Security because they were able to offer a model that was significantly less expensive and the value that we get out of it is higher.

One of the challenges that we've seen in this space, with different providers, was whether they were able to detect an incident if we had one. Some detected what others didn't, and vice versa. But we have had experience with other providers that weren't able to detect incidents. We haven't come across that yet with Awake. That's a good thing, but you don't know what you don't know, and that's always the challenge in security.

CH
CISO at an insurance company with 1,001-5,000 employees

We previously had NetMon, which was a product from LogRhythm. First off, there were a lot of hardware issues along with a lot of sizing and scoping constraints provided to us by LogRhythm that just didn't scale. Also, the data enrichment and data science behind it was very low level and not NextGen.

RP
Senior Security Engineer at a pharma/biotech company with 1,001-5,000 employees

We did not have a previous solution.

DV
Director of Projects and IT at a healthcare company with 201-500 employees

We didn't replace a similar tool with Awake Security, rather, we added Awake to our existing environment. We continue to use Endpoint Detection and Response agents. We still use SIEM and we still use NetFlow tools for a quick look into network traffic, but Awake gives us a deeper look into that traffic. We can get to the packet level when we need to.

But most importantly we have somebody, through their service, looking at our network and watching for any anomalies, or if there's traffic that we're not aware of. It could be legitimate traffic, it could be what we are expecting, but even after we fine-tune it, we still want to know if something similar pops up on the network.

MD
Head of Cyber Threat Operations at an energy/utilities company with 1,001-5,000 employees

We used a SIEM, through IBM. But we're actually using Awake more than we're using QRadar, our SIEM.

KL
Director of Information Security at a computer software company with 201-500 employees

Before having Awake, we didn't have the visibility. I could get a lot of the north-south traffic and understand what was emanating, ingressing, and egressing in the network, but I didn't have the overall picture.

We had solutions which allowed us to leverage indicators of compromise for indicators of compromise. Really, it was a bunch of point solutions reporting into our SIEM solution, as we are a Splunk shop. It's important to note that Awake doesn't do all things, but what it does do, it does really well and perhaps the best in the industry. So, Awake also puts its logs into the SIEM solution.

We had a SIEM. I had a lot of indicators of compromise type fingerprints in that SIEM. I had all of the log files throughout the whole of the organization dumping into that SIEM. However, from the network detection and response side, looking at east-west traffic, those fingerprints, and in a single pane of glass, I wasn't getting that before I had the Awake device.

The Awake tool gives me the east-west traffic and lateral movement picture, as well as the north-south traffic. Therefore, I'm getting a full picture of my network at any one point in time. These are things that keep you up at night being in the CISO role.
