If you were talking to someone whose organization is considering Awake Security Platform, what would you say?
How would you rate it and why? Any other tips or advice?
We have not used the functionality for cloud TAPs. I would rate this solution as a nine (out of 10).
Understand where your network points are and where you are best served to position sensors. The tool won't work unless it's positioned effectively in your network. Rely upon Awake staff's expertise. They have collective cybersecurity experience in the hundreds of years, so just listen to them in terms of their guidance on where to position your sensors. Understand your traffic flow before moving forward with the solution, making sure that it's right for you. For instance, understand that if you have several satellite offices, you may be challenged and need to purchase several devices or appliances. In our case, this was a non-issue because I backhaul all of my traffic to one centralized point.

I am impressed with the product. It is a solid, powerful tool. It's a truly unique plug-and-play appliance and solution. I'd give it a 10 (out of 10). If I could give it more than a 10, I would. It is really an outstanding product. We have had a few false positives, two or three. I was looking at one this morning. However, that was a fault of ours because the IP address on the endpoint wasn't in a reserved mode, so the name of the machine changed. Here is where the ML capability shines. The IP address changed, thus a new machine name was apparent to the ML engine. Then the ML engine looked at both the IP and the machine name and said, "I don't know. It's still the same IP, but it's doing lateral movement now." It turns out that IP was reallocated to a machine on our development side for our DevSecOps, where that type of behavior is totally normal. However, the ML in the tool spiked that out immediately.

The biggest lesson that I've learned is about thinking that your common point solutions, even though you're aggregating them all, will point out all the potential nefarious activities behind your firewall or attempted attacks outside your firewall. You are not going to see everything.
You really need to empower the machine learning and AI capabilities of one of these tools in order to see the typical advanced persistent threats (APTs) or those low, slow threats on your network. For example, the anomaly that pops up for five minutes every month because it's using a domain generation algorithm is really where this tool shines. It looks for that needle in a haystack and that anomalous behavior that you're not necessarily going to pick out using a SIEM tool. I don't care how good the SIEM tool is, you need a dedicated product to effectively understand that east-west traffic and ascertain whether or not it is hostile.
My advice would be to put it up against any of its competitors. Look at the salient data points. So your machine learning is telling you that something is unusual. Great. Why? And if you don't have an answer for that, then I would suggest you look at Awake, because Awake gets to the "why." In terms of maintenance of the solution, I've got five people now, but they don't just do this. I have one person who does security training and awareness. I have one person who does threat hunting, who is the primary user of the technology. I've got a cyber-threat intel person, and I've also got a person to monitor operational technology. Regarding Awake's false-positive rate compared to other solutions, it's not really a SIEM. It's more of a hunting tool. It tells me something that is notable, but there will be some false positives because I don't think any amount of AI or ML is going to be able to know everything about your environment. That's just an impossibility. But it gets about as close to an actual person as you can get. Really, what Awake is trying to be is a network architect or engineer, a person. It's trying to be someone who knows the topology, the exact architecture, what devices are doing what, what ports, which protocols, etc. That's really what Awake is. It's a robotic network engineer. Compared to its competitors, I'd rate it a ten out of ten. I don't think there's anything out there that's doing what it's doing.
Make sure that you have a strong networking team in place before you buy the product, because otherwise you may have issues with the TAP aggregation. The product itself will go in quickly and easily. We don't have the solution's encrypted traffic analysis in place because we aren't doing the decryption at the edge. But it does allow us to see the size of data, and allows us to detect external exfiltration pretty easily. As for the false-positive rate, I haven't done the math. It's decently high because our network situation is a bit weird. But it would be about the same on any other solution. We have one person, our Security Engineer, servicing it and maintaining it on our side. Awake maintains it on their side as well. In our environment, we have between 2,500 and 3,000 people, usually. I would rate it at about eight out of ten. It's a matter of scale. For me, ten means it pretty much mitigates all risks for you. So it would be next to impossible to get a ten, from my perspective.
My advice would certainly be to do a PoC to make sure it works in your environment. The way your network is configured is going to have a big impact on whether this tool works for you. If you can't get your traffic to go through a single or a reasonable number of exit points to the internet, it may not be a complete solution for you. When I was working at that larger company, I probably would have used this in our engineering lab environment because those guys were like the "Wild West" and deployed whatever they wanted whenever they wanted, and that was usually my biggest concern. I probably would have deployed something like this because it would have given me visibility into what I couldn't see at the firewall level. I would have needed to see at a router level and needed something that could make sense of it for me. I think Awake would have done it very quickly without much effort. It's my main tool for network security right now. I'm using it very extensively. We're trying to reconfigure, because we're a startup and I don't want to buy another system, to get as much as we can out of this current system, but I would plan to use this as we grow as a company. If we were to grow globally, I could see us using Awake as our primary threat intelligence for lateral movement particularly, in our environment. In terms of cloud infrastructure and Awake seeing that activity, it only sees it on-prem because that's the way we have it deployed. Any connection to a cloud, like AWS, we will see. We should be able to see what activities and connections are occurring. If it's encrypting from the browser to the cloud, we may see that activity, but I don't know if we can pull out the content unless we break encryption before it gets to that device. There are certain cloud connections that make sense in our environment and others that don't. We don't use AWS, so any AWS going outbound would be something of concern.
I'd go to that device or that individual to see what they're making those connections for. I don't know how to count how many false positives I get. Usually, I'm looking at concerning activity and it's up to me to determine if it is expected or not expected. Generally, it is exactly what I want to see because it's at the device level that I want to know if the activity is expected or not. Generally, it ends up being expected. It's hard to give it a false-positive rating because I would guess about half of them are things I expect to see. But as a system goes, it's almost 100 percent accurate in calling those events out. It hasn't called out events where I would say, "Oh, it didn't need to call that out because that activity shouldn't have been flagged." It doesn't know what I know about what's normal, so there's still a little bit of knowing what's normal in your environment. That's the onus of the person running the environment. I can tell Awake that something is normal and not to look at that again, so there is that tuning aspect that has to happen. I typically don't tune it out because I want to see any new traffic patterns. If it's a regular backup that's about the only time I will say, "Don't ever worry about it coming from this device because I expect that to happen on a regular basis." The false-positive resolution with Awake Security is so much faster that it doesn't have as big an impact as it would have on another solution. If you gave me a false positive with a SIEM, I would have to invest four hours to find out that it was a false positive. If you give me a false positive on Awake, I have to spend five to ten minutes to figure it out. That's because the data is right there. It's populating for me and it's easy to search. It's almost not a fair marker to look at a false-positive rate because the resolution time for the false positive is so much shorter. Overall, I would rate this solution at ten out of ten.