By Michael Callahan
I vividly remember the conversation that, for me, was the start of Awake Security.
While I was an entrepreneur in residence at Greylock Partners, a team of executives from one of the country’s largest financial services companies graciously agreed to share their security challenges with me. We had a wide-ranging talk about the difficulties they faced, despite their large security team and sizeable resources.
Their SOC analysts were drowning in alerts and had no confidence they could discover which alerts really mattered or hunt effectively for threats their alert stream might not cover. For the small fraction of alerts that they had the time to examine, it became increasingly difficult to investigate them to a useful conclusion. Even though they had made significant investments in custom development, the problem wasn’t getting much better.
Finally, the most senior executive leaned back in his chair, spread his arms, and summed up their situation.
“If you want to get into our network, you probably will. And we’ll never find you.”
I was stunned not just by the candor, but by the sense of resignation. Days later it happened again when the CISO of a highly regarded tech company confided, “Look, the one thing we know is, we don’t know what’s going on in our network.” Clearly, if even these well-resourced companies were struggling, no organization could feel assured. Something had to be done.
Now, after more than two years of hard work, and generous collaboration and feedback from security professionals across dozens of companies, we are excited today to unveil Awake’s advanced security analytics solution and announce our over $30 million in funding from some of the best and most experienced security investors in the world—Greylock Partners, which incubated us as they did Palo Alto Networks a decade ago, and Bain Capital Ventures, which brought deep, recent operational experience in security.
The mission we adopted from the outset was clear: help security teams answer the questions they must to do their critical job, quickly and accurately. It wouldn’t do to be just another product with a virtual blinking red light, spewing alerts and demanding attention.
Nor, it quickly became obvious, would it suffice to provide simply an(other) analytics layer on top of log data. We saw analysts consulting thirty or more different tools and data sources in the course of the day, precisely because logs did not contain the context they needed to assess their alerts.
Instead, we decided to mine a ground-truth data source, the network, in a new way, to expand the scope of questions that can be answered. We witnessed how the most expert investigators could use network data alone to work seeming miracles of deduction: to locate and track individual machines (in environments with tens of thousands of endpoints), characterize the hardware and software on those machines, and identify the work functions of the people using the machines, the applications and data they interacted with, and their workgroups and frequent collaborators. In short, they were able to gather deep context purely from the network.
The trouble was that such expertise was extremely scarce and the process was hugely labor-intensive and time-consuming. If, however, this approach could be embodied in software, every analyst would be able to detect, investigate, and hunt for threats they otherwise would miss.
Such software, though, would require a rethinking of the entire stack, from collecting all the signals from the network that experienced investigators look for, through building analytics to reproduce the deductive techniques they use, to designing a UI that supports analysts as they move through their daily workflows.
Fortunately, I’ve had the great privilege to work with an exceptional, multidisciplinary group of collaborators who could overcome these challenges, starting with my three cofounders.
Gary Golomb has helped build innovative security technologies for nearly 20 years, including early IDS (Dragon from Enterasys), network forensics (NetWitness) and next-generation, machine-learning-based endpoint defense (Cylance). He has also been a hands-on investigator of some of the most high-profile intrusions, including nation-state actions, of the last decade. He brings a deep understanding of the possibilities for, and the challenges of, the day-to-day security practitioner, and that understanding guides everything we do.
Debabrata Dash was an early employee at ArcSight and was the analytics architect for their category-defining SIEM, both before and after HP’s acquisition of ArcSight. He also earned a PhD in database systems at CMU. He contributes unparalleled experience in analytics for security and leads our data team.
Finally, for nearly two decades, Keith Amidon has made software do amazing things with packets, first as a cofounder of Intruvert, which helped establish the IPS market and was acquired by McAfee, and then as an early employee and key leader at Nicira and then, after its acquisition, VMware, building network virtualization. Keith leads our networking team.
In addition, we’ve built a diverse team including executives with backgrounds at FireEye, Cisco, McAfee and Symantec, engineers from social media giants and small analytics startups, PhDs in programming languages, databases, mathematics and machine learning, and former National Labs researchers in scalable data processing and security.
We have been grateful for the exceptionally generous collaboration we’ve received from security professionals across many companies, starting with leaders at Fortune 500 companies who allowed us to refine our earliest exploratory prototypes in their production networks.
As a result, we’ve been able to deliver the world’s first advanced security analytics system that uses network ground-truth to map the real-world entities in an environment, building what we call the Security Knowledge Graph. With Awake, analysts can get immediate answers to questions about devices and users that are difficult or impossible to answer today.
We will be working with new and existing customers to expand our solution. If you are interested in how Awake could help you, or in joining our team, we would love to talk.
Our promise is to continue to put analysts first: to build technology that helps them get the visibility and answers they need, so that organizations can be secure, and no one has to say,
“you can probably get in, and we’ll never find you.”