High-performance network vendor Arista this week revealed that it has entered into an agreement to acquire Awake Security, a network detection and response (NDR) solution provider. Awake ingests massive amounts of network data and uses a combination of artificial intelligence (AI) and human expertise to hunt and respond to internal and external threats.
Awake gathers data from its physical and virtual probes that are strategically placed in data centers, campus networks, internet of things (IoT) networks or in the cloud. It then runs that data through its AI algorithms to find anomalous traffic that could indicate a breach. The use of AI results in very high-fidelity threat hunting capabilities that have significantly lower false positives than manual or rules-based correlation.
NDR tools are critical in a world where everything is connected
NDR tools are becoming increasingly important as we move into a world where everything is connected. Historically, the strategy of cybersecurity was to deploy specific technologies in different places. Firewalls protect the perimeter; endpoint detection and response (EDR) tools and anti-malware secure the endpoint; and behavioral tools understand what users are doing. Correlating this type of information is difficult, if not impossible, to do manually, so security teams purchase security information event management (SIEM) that theoretically roll up the alerts and present them in a single dashboard.
It’s fair to say that this model hasn’t exactly knocked the cover off the ball, because breaches happen all the time and SIEM vendors always claim to have seen it, yet the security team missed it. The problem is the rate of false positives is so high that it’s often difficult to remove the noise from the dashboard and understand what’s real. Another challenge is the domain-specific nature of tools is limited. For example, EDR systems can often find a breached endpoint but don't have the scope to see from where the problem emanated. EDR systems are great at the “D,” but the “R” is often weak.
Awake can be a single source of truth for security intelligence
Awake collects network data and can see even the smallest anomaly that could indicate a breach. This is particularly useful for IoT endpoints that are often hard to secure as often, there is no way of putting an agent on it.
Consider the case of a connected thermostat. Its “normal” traffic patterns would have it communicating with the manufacturer periodically. If one day it was attempting to access the accounting servers, that would indicate the IP address was hijacked and the device could be quarantined. This makes Awake an ideal complement to EDR systems, because the NDR capabilities can be used to find where the endpoint breach emanated.
On a call with Arista and Awake, they positioned the security platform as being complementary to SIEMs, because it can help analyze the massive number of alerts in the dashboard, helping security pros understand what to study. While this was the politically correct thing for the Arista and Awake teams to say, Awake could actually replace a SIEM.
The company has an AI-based expert system called Ava that delivers triaged and actionable insights instead of a flood of meaningless alerts. In this case, machine learning is doing the correlation and analysis of data and can provide faster responses, so, theoretically, the SIEM could go away.
I saw “theoretically” as meaning that putting one’s security fate in the hands of machines requires a lot of faith. It’s likely that most organizations will take a belt-and-suspenders approach and run NDR and SIEMs alongside one another, but the more accurate AI-based NDR tools get, the less one needs the SIEM. I believe this transition will happen over time, but most security professionals aren’t ready to take that big of a faith leap yet.
Arista is now a security vendor
This acquisition gives Arista its first legitimate security product and moves it into the cyber market. It’s danced around security with network tools that could infer things and it certainly partners with security vendors. Also, the low-hanging fruit for the monitoring fabric it received in the Big Switch deal is security, because it makes security tools more efficient while it’s still a network product. Awake is a security tool used by security pros, and this has some interesting long-term implications for Arista as it can use this as a foundational component to build more cyber capabilities on.
AI is core to Arista’s strategy
Arista will run Awake as a separate business unit, which makes sense since the buyers could be different but there are a number of integration points with the broader company. For example, Awake could provide feedback to define segmentation services or it can open up trouble tickets in Arista’s CloudVision management tool. There are likely dozens of integration points as the vision for both companies are to add cognitive capabilities on top of the telemetry data provided by the network. Looking at Arista now, the company has a broad and growing portfolio of AI capabilities that are home grown as well as from the acquisitions of MoJo Networks, Big Switch Networks and now Awake. Most people think of Arista as a network company, but they are now an AI company that delivers its capabilities via the network.
Zeus Kerravala is an eWEEK regular contributor and the founder and principal analyst with ZK Research. He spent 10 years at Yankee Group and prior to that held a number of corporate IT positions.