Use Cases

Advanced security analytics to detect, investigate and hunt for threats like insider attacks, lateral movement, corporate espionage and data exfiltration.



Jon Miller

World-Renowned Incident Responder & Security Expert

The ‘last mile’ in security is the most limiting factor in successfully combating threats. Preventing subsequent failures requires understanding how controls failed, while fully remediating a threat requires understanding the scope of their activity. Even for people with the talent to do this, it’s laborious and tedious work. By consuming the ground truth found in network traffic and using analytics to handle the most error-prone and grueling investigative tasks, Awake helps newer and seasoned investigators alike, while giving them the power to analyze threats in ways they couldn’t before.

Key Use Cases for the Security Operations Center

The Awake Advanced Security Analytics Solution supports a wide variety of security use cases across three broad categories. Many of these are either impossible, error-prone or cumbersome to do using any existing technology.
Identify and track devices across IP addresses. Gain visibility into IoT and BYO devices. Using watchlists, detect threat activity that occurs after the initial compromise and often goes unnoticed.
Go from alert to deep device understanding including a list of similar devices for campaign analysis. Automatically see notable artifacts for the device and know what questions to ask next.
Hunt for entity behaviors and activities and not just indicators of compromise. Know where to start with an automatic list of entities that are notable and worth investigating.

Case Studies

Awake’s entity-centric view lets analysts see all network traffic, with devices identified and tracked across IP addresses. It offers insight into IoT, BYO and other devices not discoverable with log- or agent-based approaches. Watchlists created using Awake’s behavioral query language can detect insider threats, lateral movement, corporate espionage and data exfiltration, which today often go unnoticed.

Case Study: Lateral Movement Detection
A threat actor was moving laterally within a customer environment using tools that are not malicious themselves. This included standard operating system administrative utilities that were being used to create services on remote hosts. Traditional detection mechanisms deployed by this customer missed this activity as there was no malware in use.

Within a few minutes of Awake being deployed, we surfaced this activity as being suspicious and interesting, prioritizing it for the security analyst to investigate.
Using Awake to uncover lateral movement via remote service creation
  • Awake automatically highlighted the use of I/O control commands for service creation.
  • EntityIQ™ surfaced that these commands were not seen across the general user population.
  • Awake automatically identified devices that had a similar work function as those being targeted.
  • With a single click, the analyst could see that the similar devices did not have the same types of network resource connections.
  • Awake also highlighted that the user account being used was accessing more systems than the average.
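The checks in the bullets above (a command that is rare across the host population, a host doing something its peers never do, and an account reaching more systems than average) can be expressed as plain population statistics over observed RPC requests. The following is an added example, not Awake's code or query language: the observation records, the hostnames and account names, and the "role is the hostname prefix" peer grouping are all constructed assumptions for this block.

```python
"""Population-rarity and peer-group checks for remote service creation.

Added example, not Awake's code. The observation records, hostnames,
account names and the role-from-hostname grouping are all constructed
assumptions made for this block.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed observations: (source host, account, destination host,
# RPC operation) for requests seen on the wire. ws-103 is the host an
# intruder uses to create services on other workstations; adm-01 and
# adm-02 are management hosts that create services legitimately.
OBSERVATIONS = [
    ("ws-101", "alice",    "fs-01",  "srvsvc:NetShareEnumAll"),
    ("ws-102", "bob",      "fs-01",  "srvsvc:NetShareEnumAll"),
    ("ws-103", "carol",    "fs-01",  "srvsvc:NetShareEnumAll"),
    ("ws-104", "dave",     "fs-02",  "srvsvc:NetShareEnumAll"),
    ("ws-105", "erin",     "fs-02",  "srvsvc:NetShareEnumAll"),
    ("adm-01", "svc_sccm", "ws-101", "svcctl:OpenSCManagerW"),
    ("adm-01", "svc_sccm", "ws-101", "svcctl:CreateServiceW"),
    ("adm-02", "svc_sccm", "ws-102", "svcctl:OpenSCManagerW"),
    ("adm-02", "svc_sccm", "ws-102", "svcctl:CreateServiceW"),
    ("ws-103", "carol",    "ws-104", "svcctl:OpenSCManagerW"),
    ("ws-103", "carol",    "ws-104", "svcctl:CreateServiceW"),
    ("ws-103", "carol",    "ws-105", "svcctl:OpenSCManagerW"),
    ("ws-103", "carol",    "ws-105", "svcctl:CreateServiceW"),
    ("ws-103", "carol",    "fs-02",  "svcctl:CreateServiceW"),
]


def hosts_by_operation(observations):
    """Map each RPC operation to the set of source hosts that issued it."""
    table = defaultdict(set)
    for src, _account, _dst, op in observations:
        table[op].add(src)
    return table


def rare_operations(observations, max_fraction=0.5):
    """Operations issued by at most max_fraction of all observed source hosts."""
    by_op = hosts_by_operation(observations)
    all_hosts = {src for src, _a, _d, _o in observations}
    return sorted(op for op, hosts in by_op.items()
                  if len(hosts) / len(all_hosts) <= max_fraction)


def role_of(host):
    """Assumed peer grouping: the hostname prefix before the first '-'.
    A real deployment would derive peers from observed behavior instead."""
    return host.split("-", 1)[0]


def peer_anomalies(observations):
    """(host, operation) pairs where a host uses an operation that none of
    its same-role peers use. A host with no peers is skipped: there is
    nothing to compare it against, so rarity alone must carry the case."""
    ops_by_host = defaultdict(set)
    for src, _account, _dst, op in observations:
        ops_by_host[src].add(op)
    findings = []
    for host, ops in ops_by_host.items():
        peers = [h for h in ops_by_host if h != host and role_of(h) == role_of(host)]
        if not peers:
            continue
        peer_ops = set().union(*(ops_by_host[p] for p in peers))
        findings.extend((host, op) for op in ops - peer_ops)
    return sorted(findings)


def account_fanout_outliers(observations, k=2.0):
    """Accounts reaching more distinct destination hosts than mean + k*stdev
    of the account population."""
    dsts = defaultdict(set)
    for _src, account, dst, _op in observations:
        dsts[account].add(dst)
    counts = [len(d) for d in dsts.values()]
    threshold = mean(counts) + k * pstdev(counts)
    return sorted(a for a, d in dsts.items() if len(d) > threshold)


if __name__ == "__main__":
    print("rare operations:", rare_operations(OBSERVATIONS))
    print("peer anomalies:", peer_anomalies(OBSERVATIONS))
    print("fan-out outliers:", account_fanout_outliers(OBSERVATIONS))
```

Note the difference between the two service-creation users: adm-01 and adm-02 use a rare operation too, but each has a peer that does the same, so only ws-103 shows up in `peer_anomalies`. Rarity alone would page on the management hosts every day; the peer comparison is what turns a rare command into a finding worth an analyst's time.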
Analysts can pivot from an alert indicator received from a detection solution to a deep device understanding instantly. This includes behavioral analytics about the device and automated discovery of similar devices for wider campaign analysis. By viewing consequential artifacts associated with the device, analysts know what questions to ask next.

Case Study: Spear Phishing Campaign Investigation
A customer received an alert that one of their users had clicked on a link within a phishing email. The victim was collaborating with a cross-departmental team on some proprietary efforts for the organization. The investigator was concerned about a broader campaign.

Starting with only the email address of the victim, Awake was able to reveal that this was a sustained campaign that had used multiple lures in the past and targeted multiple members of the team working on the project. The entire analysis with Awake was complete in about half an hour.
Using Awake to understand the scope of a spear phishing campaign
  • A search for the email address of the victim returned the list of devices that email address had been used on.
  • EntityIQ™ automatically highlighted other devices that appeared to perform similar work to the victim's devices.
  • The Security Knowledge Graph™ automatically identified users associated with these devices.
  • Searches through the ActivityIQ™ timeline view showed that some of these users had visited the phishing link as well.
  • The same group of users had been targeted in the past using different lures that shared some commonalities, e.g. the domains being used.
  • The SOC used Awake for ongoing monitoring of the targeted users and devices involved in the critical project.
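The pivots in the bullets above (address to devices, devices to similar devices, similar devices to their users, users to who clicked, and then back in time to earlier lures on shared infrastructure) are a short walk over entity relations. The block below is an added example, not Awake's code: the login, web-visit and e-mail records, the device-to-role table standing in for behavioral similarity, and the example.com / .example names are all constructed for this block.

```python
"""Scoping a spear phishing campaign by pivoting across entity relations.

Added example, not Awake's code. The login, visit and e-mail records, the
device-to-role mapping (standing in for behavioral similarity) and the
example.com / .example names are all constructed for this block.
"""
from collections import defaultdict
from urllib.parse import urlparse

# Constructed records. Devices tagged "project-x" belong to the team on
# the proprietary effort; ws-310 belongs to an unrelated finance user.
LOGINS = [  # (account, device)
    ("victim@example.com", "ws-301"),
    ("victim@example.com", "lap-301"),
    ("pat@example.com", "ws-302"),
    ("sam@example.com", "ws-303"),
    ("lee@example.com", "ws-310"),
]
DEVICE_ROLE = {"ws-301": "project-x", "lap-301": "project-x", "ws-302": "project-x",
               "ws-303": "project-x", "ws-310": "finance"}
WEB_VISITS = [  # (device, url)
    ("ws-301", "http://lure-a.example/login"),
    ("ws-302", "http://lure-a.example/login"),
    ("ws-310", "http://intranet.example/"),
]
EMAILS = [  # (recipient, sender domain, link domain, day received)
    ("victim@example.com", "mail.lure-a.example", "lure-a.example", 30),
    ("pat@example.com",    "mail.lure-a.example", "lure-a.example", 30),
    ("sam@example.com",    "mail.lure-a.example", "lure-a.example", 30),
    ("victim@example.com", "mail.lure-a.example", "lure-b.example", 5),
    ("sam@example.com",    "news.example",        "newsletter.example", 1),
    ("lee@example.com",    "mail.lure-a.example", "lure-a.example", 30),
]


def devices_of(account, logins=LOGINS):
    """Devices the account has logged in to."""
    return {d for a, d in logins if a == account}


def similar_devices(devices, roles=DEVICE_ROLE):
    """Stand-in for behavioral similarity: every device sharing a role."""
    wanted = {roles[d] for d in devices if d in roles}
    return {d for d, r in roles.items() if r in wanted}


def accounts_on(devices, logins=LOGINS):
    """Accounts seen logging in to any of the given devices."""
    return {a for a, d in logins if d in devices}


def accounts_that_visited(domain, accounts, logins=LOGINS, visits=WEB_VISITS):
    """Accounts among `accounts` with a device that browsed to `domain`."""
    hit_devices = {d for d, url in visits if urlparse(url).hostname == domain}
    return {a for a, d in logins if a in accounts and d in hit_devices}


def related_lures(accounts, seed_sender, seed_link, emails=EMAILS):
    """Lures sent to the same group that share sender or link infrastructure
    with the seed lure, keyed by link domain with the days they arrived."""
    found = defaultdict(set)
    for rcpt, sender, link, day in emails:
        if rcpt in accounts and (sender == seed_sender or link == seed_link):
            found[link].add(day)
    return {link: sorted(days) for link, days in found.items()}


def scope_campaign(victim, seed_sender, seed_link):
    """Walk the pivots of the case study starting from one victim address."""
    team_devices = similar_devices(devices_of(victim))
    team = accounts_on(team_devices)
    return {
        "team": sorted(team),
        "clicked": sorted(accounts_that_visited(seed_link, team)),
        "lures": related_lures(team, seed_sender, seed_link),
    }


if __name__ == "__main__":
    print(scope_campaign("victim@example.com", "mail.lure-a.example", "lure-a.example"))
```

The walk deliberately stays inside the peer group, as the case study does; lee@example.com received the same lure but is not on the project team, so the scoped result does not list that account. Widening the last step (all recipients of mail from the seed sender, not only team members) is the natural follow-up query once the team scope is confirmed.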
Awake's rich and responsive user interface enables efficient hunting by allowing analysts to quickly filter and query the Security Knowledge Graph™ data model in real time, not just for indicators of compromise, but also for entity behaviors and activities. EntityIQ™ provides analysts with investigative starting points by highlighting entities with interesting behaviors.

Case Study: Insider Threat Detection
Awake uncovered a malicious hardware implant that was sniffing traffic from local networks and then exfiltrating information externally. Existing tools such as logs and endpoint repositories provided no visibility, since the implant was, needless to say, not part of the organization's infrastructure.

Using Awake, the hunting team had visibility into all devices based on network ground truth. Awake automatically surfaces the entities with the most interesting behaviors to the top, which in this case highlighted the hardware implant.
Using Awake to find a malicious hardware implant
  • EntityIQ™ surfaced the hardware implant as notable because it had SSL client characteristics unlike those of any other device.
  • The external server that the malicious device was communicating with also exhibited unique characteristics during the SSL handshake.
  • Awake also highlighted that the device had unusual traffic patterns: communicating only once a day and significantly more data going out than coming in.
  • ActivityIQ™ showed a timeline of when the implant first appeared on the network.
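Three of the signals in the bullets above (a TLS client fingerprint shared with no other device, a once-a-day connection to the same server, and far more bytes leaving than arriving) plus the first-seen timestamp can be computed directly from flow records. The following is an added example, not Awake's code: the flow records, device names, documentation-range IP addresses and fingerprint labels are constructed for this block, and the fingerprint field stands in for whatever ClientHello fingerprint (a JA3 hash, for instance) the sensor produces.

```python
"""Behavioral signals for spotting a device that does not belong.

Added example, not Awake's code. The flow records, device names, the
documentation-range IP addresses and the fingerprint labels are all
constructed for this block; a TLS client fingerprint in practice would
be something like a JA3 hash of the ClientHello.
"""
from collections import defaultdict, namedtuple

Flow = namedtuple("Flow", "ts src dst bytes_out bytes_in client_fp")
T0 = 1_700_000_000  # constructed epoch start

# Constructed flows. Workstations ws-201..203 share one browser fingerprint
# and download more than they upload. dev-7f3a is the implant: one session
# a day to the same server, a fingerprint seen nowhere else, upload-heavy.
FLOWS = [
    Flow(T0 + 100,     "ws-201",   "198.51.100.20", 4_000,   120_000, "fp-corp-browser"),
    Flow(T0 + 7_300,   "ws-201",   "198.51.100.21", 3_000,   90_000,  "fp-corp-browser"),
    Flow(T0 + 200,     "ws-202",   "198.51.100.20", 5_000,   200_000, "fp-corp-browser"),
    Flow(T0 + 86_600,  "ws-202",   "198.51.100.22", 2_000,   50_000,  "fp-corp-browser"),
    Flow(T0 + 300,     "ws-203",   "198.51.100.21", 6_000,   300_000, "fp-corp-browser"),
    Flow(T0 + 90_000,  "ws-203",   "198.51.100.20", 1_000,   40_000,  "fp-corp-browser"),
    Flow(T0,           "dev-7f3a", "203.0.113.10",  480_000, 1_500,   "fp-implant"),
    Flow(T0 + 86_400,  "dev-7f3a", "203.0.113.10",  510_000, 1_600,   "fp-implant"),
    Flow(T0 + 172_790, "dev-7f3a", "203.0.113.10",  495_000, 1_400,   "fp-implant"),
    Flow(T0 + 259_210, "dev-7f3a", "203.0.113.10",  505_000, 1_550,   "fp-implant"),
]


def unique_client_fingerprints(flows):
    """Devices whose TLS client fingerprint appears on no other device."""
    devices = defaultdict(set)
    for f in flows:
        devices[f.client_fp].add(f.src)
    return sorted(next(iter(d)) for d in devices.values() if len(d) == 1)


def periodic_outbound(flows, period=86_400, tolerance=0.02, min_count=3):
    """(src, dst) pairs seen at least min_count times whose gaps between
    sessions all lie within `tolerance` of `period` seconds."""
    times = defaultdict(list)
    for f in flows:
        times[(f.src, f.dst)].append(f.ts)
    hits = []
    for key, ts in times.items():
        if len(ts) < min_count:
            continue
        ts.sort()
        gaps = [b - a for a, b in zip(ts, ts[1:])]
        if all(abs(g - period) <= tolerance * period for g in gaps):
            hits.append(key)
    return sorted(hits)


def outbound_heavy(flows, ratio=10.0):
    """Devices that send at least `ratio` times the bytes they receive."""
    out, inn = defaultdict(int), defaultdict(int)
    for f in flows:
        out[f.src] += f.bytes_out
        inn[f.src] += f.bytes_in
    return sorted(d for d in out if out[d] >= ratio * max(inn[d], 1))


def first_seen(flows):
    """Earliest timestamp per device: when it first appeared on the wire."""
    seen = {}
    for f in flows:
        seen[f.src] = min(seen.get(f.src, f.ts), f.ts)
    return seen


def notable_devices(flows):
    """Rank devices by how many of the three signals fire on them."""
    reasons = defaultdict(list)
    for d in unique_client_fingerprints(flows):
        reasons[d].append("unique TLS client fingerprint")
    for src, dst in periodic_outbound(flows):
        reasons[src].append(f"daily beacon to {dst}")
    for d in outbound_heavy(flows):
        reasons[d].append("bytes out far exceed bytes in")
    return sorted(reasons.items(), key=lambda kv: -len(kv[1]))


if __name__ == "__main__":
    for device, why in notable_devices(FLOWS):
        print(device, "first seen at", first_seen(FLOWS)[device], why)
```

Each signal on its own has benign explanations (a lone Linux box has a unique fingerprint, a backup agent uploads more than it downloads, a scheduled job beacons daily); ranking devices by how many signals coincide is what pushes the one device that matches all three to the top of the hunt list.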

Ready to try Awake?

Benefit from two years of research with hundreds of security professionals and improve analyst productivity tenfold.