Please share with the community what you think needs improvement with Awake Security Platform.
What are its weaknesses? What would you like to see changed in a future version?
Some of the searching capability is a bit hard to use without in-depth knowledge. In one of the earlier versions, there was a tool that helped you build some of your searches and helped you correlate your data manually. This seems to have been removed in a later version. That is probably the biggest thing I've noticed. Be prepared to update your SOPs to have your analysts work in another tool separately. There are some limitations in the integrations right now. One of the things that I want from a security standpoint is integration with multiple tools, so I don't need to have my analysts logging into each individual tool. They are working on this at the moment with Splunk and should have something ready in two weeks.
The only issue is that Awake affords you so much information behind its fingerprinting capability. When it does trigger, you need to have a hard look at what is going on, because there is a reason for that trigger. They have worked very hard on the interface. I would like to see things laid out somewhat differently, and not due to my familiarity with the tool. The tool has grown a lot since I started using it in October, and there is room for user interface improvements. I would like to see the capability to import what's known as STIX/TAXII in an IOC format. It currently doesn't offer this. This would be nice, like a wish list item. We are looking at cloud TAPs for visibility into cloud infrastructure. We offer software as a service leveraging the cloud. To take things to the next level, it is putting the ability and capability of the device into:
* Our cloud offering, to look for threats.
* Leveraging it further for any cloud services or SaaS that we use here.
I would like to see a bit more in terms of encrypted traffic. With the advent of programs that live off the land, a smart attacker is going to leverage encryption to execute their operation. So I would like to see improvements there, where possible. Currently, we're not going to be decrypting encrypted traffic. What other approaches could be used?
I enjoy the query language, but it could be a bit more user-friendly, especially for new users who come across it. I'm conversant with the query language, but if I put it in front of somebody else, they have difficulty learning how to address the query language. That is the biggest area with room for improvement. They should push it more into a natural language style as opposed to a query language.
There's room for improvement with some of the definitions, because I don't have time and I'm not a Tier 4 analyst. I believe that is something they're working towards. They're working with me to add new features to make it easier for me to tell what a threat is and determine whether it's important or not. They're making improvements and providing updates almost monthly now, so each time they make those improvements, it gets clearer for me.