Awake Security LLC (ANET) Earnings Call Transcript & Summary
October 15, 2020
Earnings Call Speaker Segments
Anshul Sadana
executive
Hello, and welcome to today's webinar on Awake Security and AI-driven security transformation. I'm Anshul Sadana, the Chief Operating Officer at Arista Networks. As many of you know, Arista was founded to provide cloud networking solutions to our customers. We did this first in the data centers, including the largest cloud companies. We've scaled up. We've come with distributor designs, the leaf-spine architecture. And now we have introduced the same offerings for modernizing the campus with the distributor architecture, both for wired and wireless. This approach, a more resilient design with automation in mind using EOS and CloudVision has allowed thousands of our customers to benefit. Cybersecurity also needs a similar change. There are new types of attacks. Traditional approaches of defense are not sufficient. Today's solutions in the market are complex and burden the security team to sort out real attacks from false positives. So the challenge is how do you secure the new network? Today, many of the devices getting added to our infrastructure like IoT or unmanaged, attackers can penetrate even without malware. The attack traffic itself is encrypted in more than 70% of the cases. Traditional approaches are no longer sufficient to deal with this problem. You need to leverage your network data to identify these attacks. We need AI-driven threat detection. To talk about this more, I would like to welcome Asheem Chandna, a long time security expert in the industry. Asheem is a leading VC. He's on the Forbes Midas list for top VC investors, in fact, every year, since 2012. He's a luminary cybersecurity VC with investments in over a dozen cybersecurity companies, including Palo Alto Networks, where he was a founding investor and a current Board member, Imperva, Sourcefire, Skyhigh Networks and Awake.
Prior to joining Greylock, Asheem was also at Check Point Software as VP of Product Management, when he took his company from pre-IPO stages to over $500 million in sales. Welcome, Asheem.
Asheem Chandna
attendee
Thanks, Anshul, for that introduction. It's a privilege to be here today. I'm going to briefly talk about some security market trends and Awake. I've personally been involved with security since 1996, 25 years have gone by fast. And it's interesting to see and note that security has never been more important than it is today. Security has truly become an IT megatrend. Just -- and it's at the same -- many organizations now viewed at the same level of importance as the move to digital, digital transformation, journey to cloud, leveraging AI/ML and then just the role that analytics play. Security professionals today have the voice of the CEO and have a role in the boardroom. Within security, there are many ways to slice and dice security budgets but one way organizations look at this across detection, prevention and response. And taking that taxonomy, it's worth noting that many enterprise organizations today around the world continue to increase their budgets across detection and response. So all of this kind of leads to the Awake founding thesis. Awake was really founded on the thesis around the network being the ground source of truth. The thinking was, can one apply state-of-the-art AI/ML and statistical techniques to the highest precision network data? And what this led to is the founding of a company, which assembled a full stack product team, with the mission to develop the industry's best network detection and response offering. Reinventing the full stack all the way from state-of-the-art network posters to scalable data stores, to AI, machine learning, data science, statistical techniques, and layering on top, next-generation visualization. Fast forward to today, 100% of Awake deployments provide customers with new actionable insights. And these range all the way from understanding security risks around unmanaged users, devices and applications.
All the way to James Bond-like detections of nation-state actors that have exploit -- implanted that can be detonated remotely by organizations at varying levels of the globe. Network detection today is a fast-growing spend priority for enterprise customers. And Arista and Awake are well poised and positioned to really deliver together proactive security for cloud networks both across data centers and campus. So what does this mean in terms of the new network? The new network is about speed, agility, scale and security. Networks are changing. They're changing to adapt to the journey to cloud to hybrid, accommodating IoT devices and more recently work from home. All of this required security to take on a more holistic approach. Look across both on-prem and cloud and observe traffic at key junction points to provide new views of security and of risk. And as security continues to evolve to these needs, network detection and response promises to play an important and growing role. This is the new security stack. And again, Arista and Awake are very well poised and positioned to deliver on this.
Anshul Sadana
executive
Thank you, Asheem. And now let me welcome our next speaker, Enrique Salem. Enrique is a partner at Bain Capital Ventures. Enrique is also a cybersecurity expert and was previously the President and CEO of Symantec with 27 years of cybersecurity experience.
Enrique Salem
attendee
Thanks, Anshul. It's great to be here with you and talk a little bit about security. Over the last 33 years, I've had a chance to really experience firsthand, working with some of the largest, most sophisticated customers in the world, kind of some of the challenges they face, securing their enterprise. And there's a few consistent themes that have plagued the industry for as long as we can remember. And it starts with -- there's just not enough security talent available for the numbers of jobs, the numbers of people that are needed to really secure businesses. The other frustration that you consistently hear is your environment is getting more complex, where 20 years ago, 25 years ago, we lived in fairly closed systems. Now we live in widely distributed, networked, cloud-based infrastructure that has increased the complexity of dealing with security. And the other thing that you hear quite a bit is there's quite a bit of alert fatigue. There's too many products that are notifying the security operations center and security practitioners that there's something that needs to be done, some action, some potential thing that there's a threat. And unfortunately, that really has created what we describe as alert fatigue. And when I think about what we've been able to do at Awake. As you said, let's think about getting some real intelligence, some ground truth out of the network and use that signal to really try and minimize what we need to look at, to simplify what the security operations center needs to do and to, quite frankly, make it easier for a wider groups and bigger groups of people to successfully work and be effective in the SOC. If you look at The Gartner's Top 9 Security and Risk Trends for 2020, this combination of Awake and Arista really address the top 3. One of the biggest threats they talk about is this idea of the extended detection. And what we've got is oftentimes, you have this event or alert that comes from the endpoint.
It comes from the network. It comes from another device. And ultimately, what this combination, what this technology can do is really simplify that, get it down to one incident that needs to be triaged. And so ultimately, I believe that bringing together the security technology that Awake has put together, the intelligence and understanding of the network and the world's largest customers that Arista has, I think, it's an incredibly powerful combination. And I believe that this is how security should be done. It's really bringing the security intelligence, the understanding of the network together, and that's why I'm really confident that both Arista and Awake together will do something very, very special. And so Anshul, back to you, and thank you for having me.
Anshul Sadana
executive
Now let me welcome Rahul Kashyap. Rahul is the CEO of Awake and will take us deeper into his company's technology.
Rahul Kashyap
executive
Thank you, everyone. I am Rahul Kashyap, CEO of Awake Security. We are excited to be a part of the Arista family. And today, I'll be talking about -- a little bit about the Awake Security platform and the team and what lies ahead. To kick start my discussion, I would like to talk a little bit about digital transformation and how the network has vastly evolved in the last decade, especially in the age of IoT, Cloud and the perimeter has fundamentally shifted as well. Unfortunately, network security had not evolved and it's been fragmented and too many tools that are feature-based make it a complex problem in the cybersecurity world. Awake Security was created to build out a true platform that combines data analytics, forensics and automated threat hunting to enable threat teams to automate complex security tasks. I'm very excited to be a part of the Arista family and join them in this mission and to help all of our joint customer base with this merger. So in terms of the challenge in the new network to broadly define this. This is kind of how it looks like. The lack of innovation in network security has been primarily in the areas where the enterprise IT and security have fundamentally changed. For instance, there are more and more unmanaged devices today. You have Polycoms that can be compromised by attackers. You have a lot of IoT infrastructure on your network which cannot be managed because you just simply cannot install an agent in every IoT device. So it constitutes a huge attack surface. And it is also a big source of insecurity for the CISO and the CIO, who are trying to manage operations on a day-to-day basis. And not just that, not only the network, it is also the threat landscape, which has tremendously evolved in the last few years. We are consistently seeing that more and more attacks don't see the traditional malware. It's no longer somebody sending you an executable.
It is far more complex, far more sophisticated and very well planned out attackers that are launching from all over the world. And then not to forget, there is a lot more encryption on the network. So how do you really deal with these challenges? Because today, these challenges lead to high cost of operations. Attackers, once they get in, can stay longer and cause a lot more damage. And of course, not to forget, there's a lot of false negatives, people and technologies keep on missing a lot of these attacks, which are ongoing in your networks today. So let me give you a few examples of what Awake has uncovered in the last few years of our deployments with our customer base and POCs. This is an interesting one, where in the financial services customer. And here, the challenge was that the AWS administrator's credentials were stolen to access the organization's cloud infrastructure. And we found this that it turned out that the admin actually had a malicious Chrome extension that was used in the attack by filling their credentials via the attack, including the log-in data was compromised in this. So these are very hard-to-detect challenges. First of all, not only was this deeply embedded in the browser as an extension, we also had the challenge that there is no pattern matching there fundamentally. So it defeats a lot of the traditional means which are available in the market to catch these kind of attacks. Next is the malicious insider. This was a fascinating one, where in a consumer finance sector, the IT team called us to do some investigation of the EFS traffic. And as Awake started listening and learning about their infrastructure, we found that some of the Polycom devices, the wire system was actually compromised by an IT insider. And for the -- it [ appeared ] to be a contractor who was tapping into phones, recording them and then explicating the data out.
And how we managed to do this was really identifying all of their digital assets and then implementing and analyzing complex algorithms, which identify the anomalous activities, which should not happen from VoIP phones like these. This one was another interesting one, wherein we continuously see these attacks to grow, particularly as companies have M&A as well as you have more and more outside force coming into your organization. So this was an oil and gas company, which was actually compromised by a nation-state attacker. And this is a well-known brand. Obviously, we can't reveal the details of the brand and so on. But what really happened was, on a Friday afternoon, the contractor came into their office of this corporation. And then that laptop was actually compromised. But they had full access to all the infrastructure inside as they were involved in some critical IT related work. The attack has moved in laterally and then ultimately reached all the way to the critical infrastructure and no traditional malware was actually used in this compromise. It was fileless-based malware, which bypassed all of their traditional network and endpoint detections. Another example is, this was a state and local government customer of ours where the critical infrastructure was actually using a legacy windows 2003 server, and we found that it had a RAT, remote access Trojan, which was installed on that machine. And so literally, the remote attacker had complete control of the device and could control the water supply of the entire state local government agency in this case. So we have seen some fascinating attacks, and we continue to see them. Attackers continue to innovate as well, not to forget. So you cannot take this lightly. And Awake was designed to address the true innovative nature of how attacks and threat landscape has evolved. 
Just as you heard in the previous examples and use cases, attackers continue to try new tactics and procedures to bypass traditional ways of defenses. It's no longer about just identifying behaviors or anomalous activities or just looking at some specific patterns in your environment. You have to be able to deal with the very complex nature of how these attacks are orchestrated and well thought out. Awake is at the cutting-edge of that best breed innovation and brings the best outcome for your customers by being focused on time to value reducing the complexity and the operational costs. So this diagram shows about the 360-degree situational awareness, also called as the SOC Triad. It was coined by Gartner for the first time. And it's a widely accepted means to increase situational awareness in any enterprise. And this is -- these tools are what you would likely to see in any SOC that is owned by the security operations team and then run typically by a CISO. So with an effective NDR platform like Awake, we can provide a true 360-degree situational awareness of your entire environment and it's pretty key because a lot of your digital assets are literally all over the network and cannot be identified without really plugging into the network. So we work and complement EDR technologies, which was the other shift, which happened on the endpoint security side, and we also integrate with SIEMs like Splunk in for instance, to make sure that all your alerts are being prioritized, and you're getting complete visibility of what's really happening in your environment. So to talk about the platform at a high level, this is how we operate at Awake. First of all, we have the Awake sensors, which are available in multiple form factors. It could be VMs, which is completely software based. Or you could also have servers if you prefer that, if you have a high-end networks. 
So we can -- we deploy it in your campus, your data center, your IoT network or also, we provision in your cloud, we do integrate with GCP and AWS cloud infrastructure, which is available, and they give something called TAP capabilities for these cloud networks as well. So what we do is that we do full packet capture, full packet analysis and then we extract metadata to build out the machine learning and AI algorithms. All of this goes to what is called as the Awake Nucleus, which is the -- which builds out an ensemble of machine learning algorithms. What you get out of this platform is, first of all, high fidelity at hunting. We have built out a language called AML or adversarial modeling language to cover and identify complex threats with low false positives and negative. Not just that, situational awareness, it is a very important aspect, visibility is key to success for any successful security operation. So we have built a technology called EntityIQ, which discovers profiles and tracks devices, users and applications using our advanced AI-based fingerprinting technologies. So just imagine, the moment you connect Awake sensor to your environment, we light up and give you visibility of every digital asset that's talking on your networks. And last but not the least, how do you automate? How do you make this all smarter than ever before? So that's where the AI-based expert system called Ava comes in to automate, triage, investigation and response skills. So this gives a very big cognitive push to your entire security operations ground up and is truly built out as a true broad platform. So here are some examples of some of the common customer needs to be addressed and how we modernize your security operations. First of all, you have the IOT, Shadow IT unmanaged device security problem, which is very key and important for any detection and response strategy. 
Because unless you know of these devices and can track them, you don't know how to detect and respond to those. Insider risk being on the network, it gives us the capability to help you with your Zero Trust architecture and operations. Next is the cloud security, IaaS and PaaS protection. We can look at your various applications, how you're connected with your cloud security pieces as well. And not to forget, we help you consolidate your tools. So the way the security platform has been built is we can, in an average, displace several legacy tools and you can consolidate with Awake because we bring digital forensics and incident response along with the threat hunting capabilities built into the platform. Next piece, last but not the least, Awake is backed by some of the brightest and the smartest security researchers and who have been doing this for many, many years. We have identified several malicious campaigns and identified attackers in large organizations, including several nation-state breaches. So with the Awake Security, not only do we bring you the best breed technology, but also the best team in the industry to help you and solve some of your toughest cybersecurity problems. Thank you. And with this, I would like to hand over to Keith.
Keith Amidon
executive
Thanks, Rahul. Now that you understand the problem we set out to address, let me explain how we addressed it. The foundation of everything we do is the network data we monitor, typically obtained from the span or tap of your data center campus or cloud network and infrastructure. We start by capturing a full forensic packet log, providing the ground truth from which all more advanced results of the platform can be verified. From the packet data, we extract relevant security features, characterizing the activity that is occurring in terms of application level interactions that may be security relevant. The platform supports the basic protocol analysis and model-based behavior identification that other NDR platforms support but goes much further. Sophisticated machine learning techniques characterize the actions performed within otherwise opaque data. For example, our encrypted traffic analysis capability can determine when an encrypted connection is being used for interactive remote control, file transfer, streaming or something else without decrypting the traffic and the corresponding privacy and regulatory issues that produces. Additional ML techniques are applied to the extracted security features to build EntityIQ profiles of the entities using the network, such as devices and users. This provides comprehensive visibility into who and what is using your network, including the mobile and IoT devices that don't support EDR or other security agents that have been rapidly proliferating. All this data can be explored and analyzed by the user through the Workbench UI and is continually monitored for behavior that could be associated with malicious intent by skills described in our adversarial modeling language, or AML, a security-focused query and data analysis programming language.
AML's full capabilities are available to you to customize detection and security automation to your environment, bringing for the first time, software-defined flexibility to the security domain. Think of it as software-defined security for the new software-defined network. When behavior with malicious intent is found, it is associated with the tracked entity and the affected EntityIQ profile rather than with an IP address that may be used by many different devices compared to the more traditional IDS and NDR solutions that significantly complicate deployment and ongoing operations by requiring third-party data enrichment from, for example, DHCP servers, active directory and so on to achieve similar result, our cutting-edge techniques require just a network tap. There's lots of great technology there, but my favorite part of all of this is what's coming now. Building on top of everything we've discussed so far, Awake introduced Ava, the first autonomous security analyst. Ava has been trained to perform the most fruitful investigation strategies of highly skilled security analysts, automatically surfacing the information you would otherwise spend hours to find or perhaps miss entirely. This information is collected and presented to the security analyst in situations, visualized narratives of ongoing threat. You may be familiar with the way that Expensify or Bill.com apply AI to automatically collect expense data, recognize expense totals from receipts, label and categorize them and present a report of the expenses of an entire trip with minimal effort from the user. Think of situations and the associated AI as a much more sophisticated implementation of the same concept applied to the security of your network. Just like a human analyst would, Ava monitors changes in situations and respond with additional analysis to confirm or refute hypotheses expressed in the situation, iteratively evolving the information in the situation and as new data becomes available. 
This is AI that delivers on the word intelligence in the acronym. In addition to the information Ava continually infers from network activities, your analyst team can work in tandem with Ava by recording their meaningful investigative results in this situation. Ava will then use that information to further her own analysis, human intelligence and artificial intelligence working together efficiently. When Ava or a member of your team determines responses clearly needed, Ava can autonomously or with analyst's assistance, reach out through our integrations and APIs to take remedial actions, provide appropriate notifications and update other security or network tools. Through situations, Ava and your team work together to rapidly discover, assess and address threats to your environment as never before. But don't take my word for it. Let Gary, my co-founder and a security expert that has responded to some of the world's most consequential breaches, show you the platform in action. Gary, over to you.
Gary Golomb
executive
Thank you, Keith. And Rahul. Hi there, I'm Gary. I'll be showing you some of the pretty incredible capabilities of the platform that are only available in Awake. We have a lot to cover. So I'm just going to jump right in here. There are several different ways you can begin and explore network threats in Awake, and we're going to look at just 3 of them here. The first one is the first part of the system you see just after logging in, that's the dashboards. This is where you get risk and threat KPIs at your fingertips. From the status of investigations to the most suspected destinations that are seen in your network to alerts that have been triggering and, of course, risk -- devices by risk. There are also a similar set of metrics available around general network monitoring, as you see here, top protocols and domains and devices. But I think one of the really cool parts of the dashboards is just how customizable they are. So you see we can come in here, create a new dashboard. We'll create one for the risk team, custom dashboard. And maybe I just want to share this particular one with Mark and Eric and Joe, who are on my team, and so we'll create this dashboard. And then we can begin adding visualizations to it. As you see, there are plenty of visualizations here. We can come in and start to customize how they look, changing them to the displays that make most sense for our particular organization. In this case, we see there are a total of 3 high-risk devices and these are the situations that they have been involved in. Situations is actually what I'll describe next here. So while dashboards are great high-level summaries of risk in your network, situations are where you can begin investigating threats. The platform has both found and has fully investigated using a true expert system. So in this situation, we see that we have some C2 or command and control activity, which is what you see from malware when a system is breached or compromised.
Just before that, this device, for the very first time, visited these domains. So that's where you see redirection take place and where the exploit was ultimately served from and where the malware comes from. And then we get some follow-on traffic showing the command and control activity. Here, the system has determined that phishing is a high probability because when this activity first happened, the user was interacting with gmail or, as labeled here, Google. And then after what appears to be a compromise here. The system begins interacting with other domains, too. And what's truly remarkable about this is that a human did none of this analysis. All of this was done by the Awake Virtual Assistant or the Awake Expert System. And so what's really fascinating about this is, it's not just that Ava, the Awake Virtual Assistant found that this traffic appears for the first time around the appearance of the command and control, activity. But Ava goes much further, doesn't just take these domains and say, Hey, these are interesting just because they appeared for the first time, but Ava will actually go out, do Internet searches, analyze the results of those Internet searches, not just looking blacklist or see if this is known bad, but see what kind of search results come up around a particular domain? And do a basic sort of topic analysis around what does the internet say about these servers that are out there? And so Ava was able to go through and as we see this little icon here, all these artifacts that have been added were analyzed by Ava, the impact. So it started with -- this activity started with this particular device. But as Ava was going through and doing analysis, determined that there's actually another device in the network who is also afflicted by a similar sort of malware based on their interaction with similar sort of domains. 
And it's very neat, it's very remarkable to see, when you come into the audit logs and you look and you see actually all the activity that has taken place and an investigation has been done automatically for you. Of course, because the information in a way can be exported to other systems like SIEMs, you can use a platform like Splunk to begin investigations as well. Here, we see a handful of threat alerts focused around Bob Robertson. So we can pivot from Splunk back into Awake and specifically into Awake's EntityIQ summary page for the device. Here, we see some high-level information about the device. We see the system has been tracking and analyzing it for about 27 weeks now. I'm going to show you something pretty revolutionary when it comes to device tracking and analysis in just a moment. Here, we see some alerts about information being uploaded from a command line script. And although we don't have time to get into a lot of details here, Awake is extremely sophisticated about knowing that certain types of activity might be normal from one type of application like a web browser, while the same activity might be very suspicious if seen from another application. So doing this, obviously, requires some novel approaches to identifying different applications on the network. You'll get a hint of that when we look at the encrypted traffic example in a moment. It's also worth noting that Awake is a full packet capture system, meaning all the traffic is recorded and saved for forensic search and analysis at a later date. So to reiterate, everything you're seeing throughout this entire demo is derived just from the full packet capture store. So here, we see -- if we look closely, we can see that we have an upload. It's calling at an attachment. We can kind of see something about Outlook in here and a definitive merger agreement. So at this point, this would be extremely concerning to see being uploaded in almost any environment.
So we can go back to the device details page, and with our endpoint discovery and response integrations, take action on the device. So we can quarantine from the network or do other deeper investigation or remediating. Now we're going to go just one level deeper from a technical perspective here. The last part of the system, I want to show you is the workbench where deeper investigation and hunting is usually performed. But all of which is supported by Awake's federated and unsupervised machine learning. So the first thing to note here is that we're not looking at a list of IP addresses, but we're looking at a list of devices, some of which have many IP addresses. Here, we see an example. We got IPv4 address that it's had for -- it looks like about 9 weeks. And then a whole series of IPv6 addresses that this device has used. It looks like for a couple of hours at a time, once per day and disappears. And so we track devices as they move around the network, as they change IP addresses. We can tell you where that device has been, again, from the edge of the network, again, without requiring log integration, only doing deep fingerprinting of -- on the traffic that we have recorded and analyzed. And this is really, really important because if you're going to do machine learning-based analysis of devices on the network, that requires time. And as we know, the vast majority of devices on a network change IP addresses, laptops can have half a dozen different IP addresses in a single day or IP addresses that are around conference rooms and places like that. Community areas in a building can have a half dozen different devices on them in a single day, which completely interrupts the ability of analytics to make accurate assessments. So we're going to look at one more device here. This Raspberry Pi device, and we get a really interesting example here. So this device we see has been tracked for about 1 week and 4 days.
But it has been triggering these alerts for C2, command and control from the encrypted traffic analysis engine. We're seeing abnormal software that is beaconing out to the Internet, right? So we have a Raspberry Pi with this abnormal software. And if we come in, look at the fingerprints here in a little more detail, what this is telling us is that this particular device is running from software with a very unique TLS fingerprint. So it's encrypted traffic, it's different from the way we see encrypted sessions being set up from other types of software. Also correlated with those sessions is communication with this particular network and ultimately be identified as RealVNC. And so this is very, very useful for identifying the fingerprint of device and the behavior of the person on it or behavior of software on it, and what's nice is, while this is very informative about the device, you don't need to really get into that and do the analysis because we have both the Awake Virtual Assistant, Ava as well as many models running that are looking through and auditing those fingerprints and putting them together to determine when do we see something very suspicious. So in this case, we have a Shadow IoT device, Raspberry Pi, running remote desktop software. And all of that was determined, not because we had some existing signature for Raspberry Pi, you see already VNC, but rather the analytics were able to determine that on the fly using encrypted traffic analytics. So we have other presentations on this. You can search on YouTube. We have more coming up. But we are big fans of encrypted traffic. About 50% on any given week, about 50% of the breaches or compromises that we detect in customer networks are detected because the attacker is using encryption. So that was a quick overview of just some of the pretty radical capabilities of the Awake platform. Of course, there is much more to show that we can't cover in 10 minutes, but we'd absolutely love to show you. 
So with that, I'll turn it back over to you, guys.
Anshul Sadana
executive
Thank you, Gary. That was a great demo. Now let me talk about Awake and Arista together. Today, we offer a monitoring fabric, the DANZ Monitoring Fabric, DMF, for both data centers and campus. Packets are steered through TAP aggregation into various tools. DMF can now steer these packets into the Awake sensor, the Awake Nucleus and Ava for analytics. And moving forward, IoTVision, which is part of CloudVision, can show risk ratings as provided by Awake. So in summary, the Awake NDR offering completes the Security Ops Center Visibility Triad. You already have various SIEM and EDR products. Now with NDR, you can look at threats in a different way for unmanaged and encrypted attacks. I am truly excited about Awake. The Awake offering is a magnitude better than alternatives in detecting real threats. The data science expertise and AI-driven technology is key to identifying attacks from false positives. The culture of Awake is great. It's a great team and very customer-focused just like Arista. We are proud to be evolving network security with Awake and look forward to all of our customers trying out NDR for both data center and campus. Thank you to all of you for listening in. Feel free to get in touch with your Arista or Awake sales team for more details.