What is our primary use case?
We use Devo as a SIEM solution for our customers to detect and respond to things happening in their environment. We are a service provider who uses Devo to provide services to our customers.
We are integrating from a source solution externally. We don't exclusively work inside of Devo. We kind of work in our source solution, pivoting in and back out.
How has it helped my organization?
It has allowed us to have a better handle on how much data we are bringing in for a customer, so we are able to analyze all the things that are important, instead of making decisions about what data and how long we will keep data for our customers based on cost. It is a better price point as well as having 400 days of data, which has allowed us to make better decisions for customers about what we will collect and analyze as well as what will be the key data points that will be important for investigation in their environment.
With over 400 days of hot data, we can query and look for patterns historically. We can pivot into past data and look for trends and analytics, without needing to have a change in overall performance nor restore data from cold or frozen data archives to get answers about things that may be long-term trends. Having 400 days of live data means that we can do analytics, both short-term and long-term, with high speed.
The integration of threat intelligence data absolutely provides context to an investigation. Threat intelligence integration provides great contextual data, which has been very important for us in our investigation process as well. The way that the data is integrated and accessible to us is very useful for security analysts. The ability to have the integration of large amounts of threat intelligence data and provide that context dynamically with real time correlation means that, as analysts, we are seeing events as they're happening in customer environments. We are getting the context of whether that is related to something that we're also watching from a threat intelligence perspective, which can help shape an investigation.
The solution’s multi-tenant, cloud-native architecture is really important. As a service provider, working in managed services, we're also a multi-tenant. Instead of having to constantly stand up, build, and create new tenants for every single customer who comes onboard, we are able to have a multi-tenant environment where we're using Devo to help manage that and align with the way we do multi-tenancy. We can then add a higher level of visibility to that for my analyst, so that is all being collected up to one architecture (in one place) to one visibility dashboard that allows us to track, monitor, and respond to events without having to constantly pivot and move back into other environments.
The solution has enabled us to bring all our data sources into a central hub. That is both the combination of total size of storage that we can bring onboard at cost, but it also has performance implications. It allows us to have multi-tenancy so we can see all of that in one place, instead of having 50 different tenants for my customers who are on SIEM.
What is most valuable?
The ability to have high performance, high-speed search capability is incredibly important for us. When it comes to doing security analysis, what you don't want to be doing is sitting around waiting to get data back while an attacker is sitting on a network, actively attacking it. You need to be able to answer questions quickly. If I see an indicator of attack, I need to be able to rapidly pivot and find data, then analyze it and find more data to answer more questions. You need to be able to do that quickly. If I'm sitting around just waiting to get my first response, then it ends up moving too slow to keep up with the attacker. Devo's speed and performance allows us to query in real-time and keep up with what is actually happening on the network, then respond effectively to events.
The solution’s real-time analytics of security-related data does incredibly well. I think all the SIEM solutions have struggled to be truly real-time, because there are events that happen out in systems and on a network. However, when I look at its overall performance and correlation capabilities, and its ability to then analyze that data rapidly, it has given us performance, which is exceptional.
It is incredibly important in security that the real-time analytics are immediately available for query after ingest. One of the most important things that we have to worry about is attacker dwell time, e.g., how long is an attacker allowed to sit on a system after it is compromised and discover more data, then compromise more systems on a network or expand what they currently have. For us, having the ability to do real-time analytics essentially drives down attacker dwell time because we're able to move quickly and respond more effectively. Therefore, we are able to stop the attacker sooner during the attack lifecycle and before it becomes a problem.
The solution speed is excellent for us, especially in regards to attacker dwell time and the speed that we're able to both discover and analyze data as well as respond to it. The fact that the solution is high performance from a query perspective is very important for us.
Another valuable feature would be detection capability: the ability to write high quality detection rules to do correlation in an advanced manner that really works effectively for us. Sometimes, the correlation in certain engines can be hampered by performance, but it also can be affected by an inability to do certain types of queries or correlate certain types of data together. The flexibility and power of Devo has given us the ability to do better detection, so we have better detection capabilities overall.
The UI is very good. They have an implementation of CyberChef, which is very good for security analysts. It allows us to manipulate, transform, and enrich data for analytics in a very fast, effective manner. The query UI is something that most people who have worked with SIEM platforms will be very used to utilizing. It is very similar to things that they've seen before. Therefore, it's not going to take them a long time to learn their way around the platform.
The pieces of the Activeboards that are built into SecOps have been very good and helpful for us.
What needs improvement?
There is room for improvement in the ability to parse different log types. The breadth of overall log parsers that exists right now is an area that they could improve. Natively, there's more that could be done by Devo than what it can and can't understand from a parsing perspective.
I would like to see Devo rely more on the rules engine, with more things from the flow, correlation, and rules engine making their way into the standardized product. This would allow a lot of those pieces to be a part of SecOps so we can do advanced JOIN rules and capabilities inside of SecOps without flow. That would be a great functionality to add.
For how long have I used the solution?
What do I think about the stability of the solution?
We have had no problems with the solution's stability at all. It has been completely stable with high performance. We haven't encountered any major bugs of any kind.
We have full-time security engineers who do maintenance work and upkeep for all our SIEM solutions. However, that may be a little different because we are a service provider. We're looking at multiple, large deployments, so that may not be the same thing that other people experience.
What do I think about the scalability of the solution?
When you look at the overall data as well as the ability to break things out into separate tenants, the scalability has been phenomenal for our customers and us.
There are somewhere between 45 to 55 security analysts and security engineers who use it daily.
It is still a fairly new solution for us as a service provider. We're probably using it with a third of our total customer base, which is less than 10 percent right now, but it's growing very rapidly.
How are customer service and technical support?
The technical support has been outstanding. We haven't had a problem that we have come across that they have not been able to help us solve.
Which solution did I use previously and why did I switch?
We were using Splunk before Devo, which we still use and have not transitioned off of fully. However, our experience with Devo has been significantly better, especially from a support perspective.
The primary reason that we moved to another vendor is very complex. It's a combination of support, product complexity of cost, market demand, and sentiment towards the current vendor. We had significant problems with Splunk as a service provider and vendor for us. That caused us to evaluate other solutions in the market, which eventually led us to working with Devo.
How was the initial setup?
The deployment was fairly straightforward. For how we did the setup, we were building an integration with our product, which is a little more complicated, but that's not what most people are going to be doing.
We were building a full integration with our platform. So, we are writing code to integrate with the APIs.
Not including our coding work that we had to do in the integration side, our deployment took about six weeks.
What about the implementation team?
It was just us and Devo's team building the integration. Expertise was provided from Devo to help work through some things, which was absolutely excellent.
What was our ROI?
We have seen ROI. We have seen cost savings in maintenance, upkeep, and support.
In incidents where we are using Devo for analysis, our mean time to remediation for SIEM is lower. We're able to query faster, find the data that we need, and access it, then respond quicker.
Which other solutions did I evaluate?
We evaluated Graylog as well as QRadar as potential options. Neither of those options met our needs or use cases.
What other advice do I have?
No SIEM deployment is ever going to be easy. You want to attack it in order of priorities for what use cases matter to your business, not just log sources.
We are not using the Activeboards as much as some of the things that are probably newer features in the solution, like their SecOps module, which allows us not to have to use as many Activeboards, as there is a lot of prebuilt content. That's very effective for us, and it already exists in there.
The Activeboards are easy to understand and flexible. However, we are not using them quite as much as maybe other people are.
We are probably limited in how much we're using Activeboards to build and modify dashboards on the fly because a lot of the things that we need are already built and designed as a part of SecOps, so we don't have to do it as much. There are times where we have to as well as times where that may be asked for by a specific customer, but more often than not, the things that we need are already pre-existing.
We do not really use the MITRE Framework that much as we use other frameworks in our environment.
Biggest lesson learnt: There is the ability to achieve high quality solutions and cost savings at the same time without compromising on quality.
I would rate this solution as an eight out of 10.