We now spend a lot less time supporting different pieces of the SIEM. Log integration is super easy and super fast, and it handles all the data we can throw at it. That was a big deal because we send quite a bit of data to it.

We started using Devo Exchange within the last few months. We've used it to install some active boards and to get some help with different log sources. We used it to access community-driven content. That's how we got some of the active boards. This community-driven content for protecting our organization is very important. One of the problems we had with our previous SIEM was getting adequate support and information about the things we needed, and that hasn't been an issue since the community has been helping us.

It's very easy to use Devo Exchange. There is a bit of a learning curve to learn how they classify and use the data, but once you understand it, it's a very simple platform. This ease of use has improved our incident response capabilities. We've got a much more robust alert stack now. We've been able to build out use cases for things we couldn't in the past. It has been very helpful.

Devo Exchange has saved us weeks. The community gets back really quickly, whereas, for some of the support tickets that we opened previously, it would take so long.

Devo Exchange has been great. With our previous SIEM, there were log sources where we couldn't get any help, and we couldn't get much support because even the company we were working with didn't understand them. With Exchange, because people all over the place have had experience with it, and they are able to give us some ideas.

Devo has absolutely improved our visibility. We had a lot of visibility gaps, especially in our cloud solutions, and integrating cloud solutions with Devo has been great. It increased visibility into our organization.

Devo has allowed us to ingest quite a bit more data. Our data ingestion has almost doubled.

Devo saves us hours in every investigation. Previously, just getting the data to return with searches and things like that was cumbersome. A lot of the interfaces were very slow. We haven't had any issues like that with Devo. It has been very quick.

We had multiple teams that were managing multiple products. We had a team that was managing ELK and another team that was managing ArcSight. My team was the "data bus" that was aggregating the onboarding of people, and then sending logs through different channels. We had another team that managed the Kafka part of things. There was a little bit of a loss of ownership because there were so many different teams and players. When an issue happened, we had to figure out where the issue was happening. Was it in ELK? Was it in ArcSight? Was it in Kafka? Was it in syslog? Was it on the source? As a company, we have between 25,000 and 40,000 sources, depending on how you count them, and troubleshooting was a pretty difficult exercise. Having one integrated tool helped us by removing the multiple teams, multiple pieces of equipment, and multiple software solutions from the equation. Devo has helped a lot in simplifying the support model for our users and the sources that are onboarding.

We have certainly had fewer incidents, fewer complaints from our users, and less downtime.

Devo has definitely also saved us time. We have reduced the number of teams involved. Even though we were using open-source and vendor products, the number of teams that are involved in building and maintaining the product has been reduced, and that has saved us time for sure. Leveraging Devo's features is much better than building everything.

One of the immediate improvements that come to mind is the amount of hot, searchable data. In the SIEM we had before, we were only able to search back 90 days of hot, searchable data, whereas here we have 400 days worth. That definitely has improved our threat hunting capabilities. 

We're also able to ingest quite a bit more data than we were before. We're able to ingest a lot of our net flow data, which if we had sent that to our previous SIEM would have brought it to its knees. So the amount of data that the analysts are able to see and investigate has been a really big beneficial use case. I'd say that's the biggest benefit that it's provided.

I myself do not leverage the fact that Devo keeps 400 days of hot data to look at historical patterns or analyze trends. A lot of times I will look at that to see the log volumes, the traffic, make sure there are no bottlenecks as far as how log sources are sending to Devo. I would say that the analysts definitely for certain cases will go back and try to retroactively view where a user was logging in, for example. At the moment, we haven't really had a use case to push the limit of that 400 days so to speak, and really go really far back. We definitely use the past couple of months of data for a lot of the analyst cases.

This is an important feature for our company especially with the recent SolarWinds attack, which was a big deal. We did not have Devo available, but because that happened so far in the past, it was a struggle to pull that data for it to look for those IOCs. That was definitely a really big selling point for this platform with our company.

Devo definitely provides us with more clarity when it comes to network endpoint or cloud visibility. We're able to onboard a lot of our net flow logs. We are able to drill down on what the network traffic looks like in our environment. For the cloud visibility, we're still working on trying to conceptualize that data and really get a grasp around it to make sure that we understand what those logs mean and what resources they're looking at. Also, there's a company push to make sure that everything in the cloud is actually logging to Devo. As far as cloud visibility, we as a company need to analyze it and conceptualize it a little bit more. For network visibility, I would say that Devo's definitely helped with that.

The fact that Devo stores the data raw and doesn't perform any transformation on it really gives us confidence when we know that what we are looking at is accurate. It hasn't been transformed in any way. I'd definitely say that the ability to send a bunch of data to Devo without worrying about if the infrastructure can handle it definitely allows us to have a bigger and better view of our environment, so when we make decisions, we can really address all the different tendencies. We're collecting a lot more types of log sources than we were before. So we can really see all sides of the issue; the vast amount of data and the ability to really take our decision and back it up with the data, and not just random data but we can use a query and display the data in a way that backs up the decision that we're making.

Devo helps to release the full potential of all our data. The Activeboards like the interactive dashboards that Devo provides really help us to filter our data, to have a workflow. There are a lot of different widgets that are available for us to visualize the data in different ways. The Activeboards can be a little slow at times, a little bit difficult to load, and a little bit heavy on the browser. So sometimes the speed of that visualization is not quite as fast as I would like but it's balanced by the vast amount of options that we have.

That's one of the big things that like all security companies, security departments really purported having that single pane of glass. The Devo Activeboards really allow us to have that single pane of glass. That part is really important to us as a company to be able to really visualize the data. I haven't found the loading speeds have become a significant roadblock for any of our workflows or anything, it's an enhancement and a nice to have.

We all want everything faster, so it's definitely not a roadblock but the ability to represent the data in that visualized format is very important to us. It's been really helpful, especially because we have a couple of IT managers, non-technical people that I am onboarding into the platform because they just want to see an overall high-level view, like how many users are added to a specific group, or how many users have logged in X amount of days. The ability to provide them not only with that high-level view, but allow them to drill down and be interactive with it has really been super helpful for us as a company.

Devo has definitely saved us time. The SIEM that we were on before was completely on-prem, so there were a lot of admin activities that I would have to do as an engineer that would take away from my time of contextualizing the data, parsing out the data, or fulfilling analysts requests and making enhancements. The fact that it is a stock platform has saved me a ton of time, taking away all those SIF admin activities. 

I wouldn't say that it really increased the speed of investigations, but it definitely didn't slow it down either. They can do a lot more analysis on their own, so that really takes away from the time that it takes to reach out to other people. If you went back 90 days, you had to go through a time-consuming process of restoring some archives. The analysts don't have to do that anymore, so that also cuts off several days' worth of waiting. We had to wait for that archive restoration process to complete. Now it's just you pull it back and it's searchable. It's right there. Overall, I would say Devo has definitely saved us a lot of time. For the engineering space, I would say it saves on average about one business day worth of time every two weeks because a lot of times with on-prem infrastructure, there would be some instances where it would go down where I'd have to stay up half the night, the whole night to get it back up. I haven't had to do that with the Devo platform because I'm not managing that infrastructure. 

One of our early use cases is for compliance and we've set up dashboards that pull in the logs that we need. We have formatted it the way we need it to look and when we meet with internal audit we just show them the dashboard and they have all the information that they need. That's one of the early wins that we've had with it.

When it comes to network, endpoint, and cloud visibility, Devo makes it easy to see all of that. It's all on one dashboard, it's all visible. Instead of having to jump from system to system to system, we can see all of our web traffic and we can see endpoint stats, and whether we need to investigate anything. It's very useful. It definitely raises the level of confidence when we need to take action, compared to our last tool. When a forensic investigation moves forward and we have to do a deeper dive, all that data is there. And the integration team that we're working at Devo is very good at tuning it and showing us what we need. They show us how to extract the relevant pieces and not worry about the less relevant pieces of information.

The solution has saved us time, although we're still in the learning stage. We've only had it in place for three months. I would venture that it's probably saving a few hours a week per analyst, but I expect that to grow as we get better at using it.

With over 400 days of hot data, we can query and look for patterns historically. We can pivot into past data and look for trends and analytics, without needing to have a change in overall performance nor restore data from cold or frozen data archives to get answers about things that may be long-term trends. Having 400 days of live data means that we can do analytics, both short-term and long-term, with high speed.

The integration of threat intelligence data absolutely provides context to an investigation. Threat intelligence integration provides great contextual data, which has been very important for us in our investigation process as well. The way that the data is integrated and accessible to us is very useful for security analysts. The ability to have the integration of large amounts of threat intelligence data and provide that context dynamically with real time correlation means that, as analysts, we are seeing events as they're happening in customer environments. We are getting the context of whether that is related to something that we're also watching from a threat intelligence perspective, which can help shape an investigation.

Devo helps organizations save money and become more efficient by providing a scalable cost-effective data platform. A lot of organizations have the challenge of way too many data stores. This might be the result of company acquisition, different projects in time, etc.  But the result is they end up having one for each SIEM, Hadoop clusters, S3 buckets, custom solutions, etc. Basically, the data is everywhere. Devo provides a cost-effective, scalable way to get all that data into one place and streamline their processes.

Devo also provides a multi-tenant, cloud-native architecture. This is critical for managed service provider environments or multinational organizations who may have subsidiaries globally. It gives organizations a way to consolidate their data in a single accessible location yet keep the data separate. This allows for global views and/or isolated views restricted by access controls by company or business unit.

Devo keeps 400 days of hot data to look for historical patterns or analyze trends. A lot of organizations top out from the limitations of their hardware. Depending on the volume of data, they may be limited to only 30, 60, or 90 days retention for analysis.  After which, they might have to roll out data off to long term storage. They must do this because it is so costly to have the hardware to support long-term real-time analysis. Even if this “saves” some money, this also becomes a configuration and technical logistics challenge. Whereas with Devo, they just give you 400 days of accessible, searchable hot storage. This also helps with better visibility and meet a lot of compliance requirements.

We can ingest virtually any log source, which is much better than our previous solution. We can access those logs more quickly and efficiently, with a better focus on our points of interest.

Cloud log sources were more difficult with our previous solution. Devo isn't wholly worry-free, but it's much more manageable.

With Devo, we don't have desperate multiple log storage solutions; we can do it for the most part with one. The sheer breadth of logs we can ingest is very beneficial.

The solution allows us to ingest much more data; our event volume is around 100 GB. That's ten times the volume we were ingesting before. 

We're very early in the process so it's hard to say what the improvements are. The main reason that we bought this tool is that we were a conglomeration of several different companies. We were the original Qualcomm company way back in the day. After they made billions in IP and wireless, they spun us off to Vista Equity, and we rapidly and in succession bought three or four companies in the 2014/2015 timeframe. Since then, we've acquired three or four more. Unfortunately, we haven't done a very good job of integrating those companies, from a security and business services standpoint.

This tool is going to be our global SIEM and log-aggregation and management solution. We're going to be able to really shore up our visibility across all of our business areas, across international boundaries. We have businesses in Canada and Mexico, so our entire North American operations should benefit from this. We should have a global view into what's going on in our infrastructure for the first time ever.

The solution is enabling us to bring all our data sources into a central hub. That's the goal. If we can have all of our data sources in one hub and are then able to pull them back and analyze that data as fast as possible, and then archive it, that will be helpful. We have a lot of regulatory and compliance requirements as well, because we do business in the EU. Obviously, data privacy is a big concern and this is really going to help us out from that standpoint.

We have a varied array of threat vectors in our environment. We OEM and provide a SaaS service that runs on people's mobiles, plus we provide an in-cab mobile in truck fleets and tractor trailers that are both short- and long-haul. That means our threat surface is quite large, not only from the web services and web-native applications that we expose to our customers, but also from our in-cab and mobile application products that we sell. Being able to pull all that information into one central location is going to be huge for us. Securing that type of landscape is challenging because we have a lot of different moving parts. But it will at least give us some insight into where we need to focus our efforts and get the most bang for the buck.

We've found some insights fairly early in the process but I don't think we've gotten to the point where we can determine that our mean time to resolution has improved. We do expect it to help to reduce our MTTR, absolutely, especially for security incidents. It's critical to be able to find a threat and do something about it sooner. Devo's relationship with Palo Alto is very interesting in that regard because there's a possibility that we will be pushing this as a direct integration with our Layer 4 through Layer 7 security infrastructure, to be able to push real-time actions. Once we get the baseline stuff done, we'll start to evolve our maturity and our capabilities on the platform and use a lot more of the advanced features of Devo. We'll get it hooked up across all of our infrastructure in a more significant way so that we can use the platform to not only help us see what's going on, but to do something about it.

Being able to build and modify dashboards on the fly with Activeboards streamlines my analyst time because my analysts aren't doing it across spreadsheets or five different tools to try to build a timeline out themselves. They can just ingest it all, build a timeline out across all the logging, and all the different information sources in one dashboard. So, it's a huge time saver. It also has the accuracy of being able to look at all those data sources in one view. The log analysis, which would take 40 hours, we can probably get through it in about five to eight hours using Devo.

When you deal with logs, a lot of times the log fields from different vendors have partial data. For instance, an endpoint log may have the domain user name as Jay Grant, whereas the network log has it as example.com/jaygrant. Because of the way that you can manipulate the log sources and do the search, you can do a search for Jay Grant across all these log sources, even though the fields are a bit different. That is something very difficult to do in a one-off scenario, where you are able to do it with Devo. Then, once you have things built out on the Activeboards, you can build out alerts and build off automation processes where you can right click and execute other tools to run based on data sets that you found.

As far as reporting to our customers, it gives us time back where traditionally we would have to sit and write out written reports and take snapshots to illustrate things to our customer. It's easy so I can give role based access to my customer directly to the data. I can render it to them, visualizing it in the way that we want them to see it, and they're able to export that out on their own. It sort of takes away the need for my analysts to write reports like they have in the past. We can have the customer's log write and render results in real-time without stopping and writing reports, then picking up analysis again. It's easily saved us 60 percent of time from a log analysis, correlation, and timeline perspective.

I can bring cloud, on-prem, a static security tool, and static forensic tools in it. This has greatly affected our visibility into key business functions. It's a cross correlation of real-time data that's coming in, investigative data findings, being able to overlay it and see it in real-time, and what's going on based on the investigative findings that we've had.

Devo is very easy for our analysts to use. They have the LINQ language, which is easy, and it's like an Excel on steroids.

Devo provides high-speed search capabilities and real-time analytics, which is important to us because we have built 30-minute SLAs. In reality, our detections are within seconds and we allow for 30 minutes as a buffer to ensure that we are successful for our clients. To this point, we haven't found any type of dataset or any data ingestions that has prohibited us from meeting our SLAs.

In the world of cyber, you have to detect things right away. You can't wait hours, days, or weeks. It needs to be detected in an immediate, automatic fashion. Then, with their capabilities to integrate with a SOAR solution, it provides detection and response capability all within seconds, instead of days.

We use Devo more as part of our consultant-based service and the true multi-tenant flexibility, combined with the scalability of AWS, means that we can reach a wide range of customers. For example, we can go outside the United States into the European Union or into the AsiaPac region very seamlessly and very fast, as we're growing our business for managed detection and response in those areas. Just this week alone, we were able to quickly spin up a client in the India region, and we were able to address their concerns and get that spun up very quickly because Devo has that capability already built within AWS. It was approximately a one-day turnaround for us. It's important to us that the product is this nimble, which is in turn because of the AWS architecture.

Devo provides us with 400 days of hot data that we can use to look for historical patterns, which is a key element for us. It means that we can offer our clients different periods for different compliance reasons, such as HIPAA. For the most part, our clients use the 30-day capability but if they are a biotech company then they want to keep data for 180 days. We've had a couple of companies that wanted it for 400 days. The flexibility to keep that hot online is key because they can scale up and scale down at any time they want, and although there is an additional cost to the client, there is no additional infrastructure required. That said, probably 75% of our clients are utilizing the 30-day storage.

This solution gives us better cloud visibility because we're able to ingest any of the cloud logs. We push an EDR agent that then brings all of that telemetry back, and we have correlations with any proxy logs, firewall logs, or authentication logs that we need to have. This gives interoperability between the different log sources. For example, if we see something in an EDR that we want to ensure is connected outbound to something, we can check that through the proxy log and DNS logs that we get from the EDR agent.

This gives us more confidence when it comes to taking action because we'll get that running process, and we are also able to collect the DNS information, which then goes into Devo and we're able to search for it. We can see whether it reached out to this particular URL. What we can do is then go to that proxy server or the firewall log, and just see the outbound traffic and validate it is the same session size or same connection time. This acts as a dual authentication to show that what we saw in the EDR was what we saw on the network as well.

Devo helps us to unlock the full power of our data because they have more than 450 parsers, which means that we can ingest pretty much any type of log data. If we need to, we can go to the Devo professional services and have a log parser created within 48 hours. Any log that we need to ingest or want to ingest or the customer has compliance reasons to ingest, we can. This gives us the flexibility to bring in the core logs that we really need to do our detections or to manage the SOC, together with any other logs that we need to bring in for either correlation purposes or compliance purposes. There's really no type of log that we can't bring in.

This solution saves us a lot of time, although I don't have a before and after to compare because this is the first solution of this type that we implemented. I know of similar solutions in use at other companies that have problems doing what we do, but I don't have a baseline that I can use to calculate time savings.

Because of the way Devo works, our onboarding time has shrunk by 50 percent at least.

Also, at a high level, Devo's cloud-native SIEM has helped improve visibility into threats with its data analytics. That's very important because, as an MSSP, we need to be able to analyze the data for our customers and spot anomalies. This feature is still relatively new even to Devo, so I cannot say how happy we are with it at the moment; we still haven't taken full advantage of it. But the Big-Data analytics features included with Devo are allowing us to write some advanced alerting mechanisms that were not available to us in the past.

We are also able to ingest data that, in the past, would have been difficult to ingest.

We've integrated Devo with a SOAR solution. We have prioritized the severity of our alerting in Devo and that corresponds directly to automated playbooks that are kicked off in the SOAR. With that SIEM-SOAR solution, we have drastically reduced the number of incidents that our analysts have to work through, and we have improved our time to respond as well as the time to remediate, through that integration.

Devo absolutely saves us time. We brief our project manager and client weekly on the number of man-hours saved just by having this SIEM-SOAR integration. Considering the quantity of data feeds and events and endpoints that we have, we can actually present a funnel chart that shows how many "events" we start with and how many become actual incidents. We then have that calculated into the number of dollars saved. It's phenomenal when you look at it. When we show the people who are in charge of getting funding that we saved this number of man-hours, which correlates to this number of dollars, they're more willing to fight to get that funding for the next fiscal year.

Devo has streamlined a lot of our processes. We now have the ability to generate content and create alerting, and we can view all of that across a larger plane than we could with our previous tool.

Devo uniquely provides a direct view into the raw data, as opposed to a lot of tools that give you an ingested, parsed, and normalized view. Normalization is great for some things, but there are other things that it's not so great for. Devo allows you to have both simultaneously. You can parse the data and do some normalization but still have all the raw data the way it came from whatever it came from. That allows you to do deeper dives and look directly at what's coming in, versus a representation of what came in.

It also dramatically shortens the amount of time that we spend doing research in the tool. It has taken the average time that one of our analysts spends on an alert from 10 minutes down to roughly five. They're spending half the amount of time doing research because of the way that we are able to set up the data within Devo. And they can use things like Activeboards to provide a lot more context than our previous toolset could.

We're able to find things quicker and more efficiently, and with broader visibility than we had in our previous toolset.

We're also able to take a look at the data a bit more holistically, and that provides us with a better top-down view so that we can better see where there might be gaps in our coverage.

In terms of ingesting data, Devo literally takes anything we throw at it and as much as we're throwing at it. Our ingestion of events has increased by a full one-third compared to ingestion with our previous SIEM. That increase is a result of our increased customer base as well as the increasing number of things that we're ingesting from our customers.

With Devo, we now have a method to investigate things across our platforms. Before Devo, we had to go to individual platforms. For example, if we suspected something was happening, we'd have to go to tool A's logs, and tool B's logs, and tool C's logs. Now all those logs are in one place and we can use one pane of glass to query all of that data. Especially when it comes to security investigations, Devo has made things more efficient.

Previously, an investigation across various logs might have taken an hour for one individual to put together. Now, in Devo, we can do it in minutes, because it's all in one place and we have access to it right away.

And as a result of some of the alerting we've put in, Devo has certainly helped improve visibility into threats. For example, we only have employees in certain parts of the world, and not in that many countries. We put in alerting so that we know if an employee seems to log in from a country we're not based in. That's a red flag. We have other kinds of alerts as well, and that has definitely helped give us more visibility into the overall risk profile for our organization.

Devo provides high-speed search capabilities and real-time analytics. Nowadays, everything is about the data analytics. Our infrastructure is many disparate things that have to work in unison to make something happen, and our security is various things, working in different ways, to make something happen. Being able to combine that data together and get real-time context and alerting and visibility into it is key. Prior, we'd have to go look in the G Suite log to find an authentication issue, and then we'd have to enrich that authentication issue with something from someplace else. Usually it would even be a separate person doing it. The old way of doing it was very problematic. Having one repository where the data is combined, and you can do the analytics and all the enrichments, saves a tremendous amount of time.

We benefit from the speed at which we can triage and troubleshoot things and get to the bottom of certain security events and issues. What used to take many minutes, and up to hours, to do, things like different API calls and gathering different data sources, is now streamed in real time as it happens, into Devo, and we can look at it.

As an example, I'm building profiles on analytics for GitHub, so that I know what normal access looks like for a GitHub repository and what abnormal access looks like for a GitHub repository. If someone modifies the GitHub repository in a way it shouldn't be changed, I know that right away. 

I also know if someone tries to access some of our internal repos or other SaaS solutions, without being on our Zero Trust networking. Those types of things really start to stand out. It takes a large amount of data to make those work from disparate systems, and troubleshooting them can be very problematic unless you have that data in a centralized location. So the speed at which we can operate our security stack is something we've gained.

It saves us hours a day. It really depends on what we're troubleshooting, but it has saved me hours on just the stuff I need to do. There's definitely a cost savings.

It provides more clarity for network, endpoint, and cloud visibility because we're pumping all our data into it. We're pumping DNS traffic data, Zero Trust data from Zscaler, all of the authentication data from Okta, Google, and O365, as well as the endpoint data from our own product. We can query all that data in a centralized manner, and correlate it in a certain manner. But that's because we're putting the data into it. Confidence in the actions needed is about context. Being able to get the most context, before you do something or make a decision, is better. The context we can get from having everything centralized, by combining all those data sources together, gives us an understanding of the complete picture of the issue and how long the issue has persisted. Then we can make a better decision on how we're going to solve things.

Devo provides us with high-speed search capabilities and real-time analytics, which is the most important thing for us. The reason is that when we need to analyze something, we need to have the information as fast as possible. It needs to be easy to use because if we have a security incident, or an application monitoring incident, we need to find the problem as quickly as possible, and have the ability to fix it.

It is difficult to correlate in terms of security and application monitoring but in terms of fraud, we have the ability to correlate a lot of different log sources to form a picture. This gives us the ability to reduce fraud cases by 40%.

In our environment, we retain some of our logs for 10 years. This is important for us because of regulatory requirements. We have critical information stored that is related to anti-money laundering, and the law requires us to be able to provide it quickly.

Devo provides us with more clarity when it comes to network, endpoint, and cloud visibility. We use it to ingest a lot of the related information. If you need to detect threats, you need to have the ability to find the network connections, and also the cloud-based connections that the threat actor is trying to access. This is the very reason that we are ingesting all of this information.

This solution helps us to release the full potential of our data, which is one of the most important things that we do. By creating the dashboards that work in real-time, we can see how our services are being used and we can monitor our security ecosystem.

Overall, using Devo has saved us time when compared to our previous security solutions. I estimate that it took us 10 times longer to achieve the same thing without Devo. 

We didn't have a proper SIEM platform before, so just having Devo is really a big improvement. We are in the initial phase, but it does make us look at the data differently because we can access it really fast and with ease. The benefit is going to come with more time with the platform. We'll be able to do things we haven't done before, and think outside the box with the platform, because the solution can do things fast. We can experiment. We're now thinking more about more experimentation. Instead of thinking of all the limitations to what you can do with the platform and where you cannot go, it's now open. What would we want to do? We don't have that fear that we will hit the wall.

We have retention policies set globally. We used to have access to the same amount of data before we started with Devo, but that data was not centralized. So the ability to access the old data hasn't really changed. We always had the data. But what has changed is the ease with which we can access this data, the speed, and the ability to be able to correlate this data.

The main result of the centralization is the correlation we can now do. We had a lot of sources with logs, but nobody was centralizing them. Now we have the visibility. By making Devo the central platform and the only platform, we're trying to standardize how the sources and logs work. That means we only have one interface to configure on the sources. We can make instructions that are quite easy to follow for everybody, and which will probably not change over time. Doing this, we break the barrier of logging being difficult to configure and we reduce the issue of destinations changing all the time or of having to change how the data is structured. Even during the deployment process, this really brought way more visibility than we had before. Every day that we're working with the platform, we see problems that nobody ever thought about. It has definitely created a lot of visibility for us.

And with the Devo platform, we can also create long-term use cases. We were not able to do that before because we didn't have the correlation and the data in the same place.

Also, we can now get quite detailed data about communication between different nodes. Sometimes you don't see security incidents right away, and sometimes you have to go back. Now, we can go back three months to a specific date and do a really detailed analysis of what happened. Before, we would have to go to five, 10, or 15 different sources, extract the data and then put it together in a different platform. 

In addition, if we're looking for abnormalities, the longer we have data, the richer and more detailed our model is for what normal behavior is. We can then detect the anomalies more precisely.

Finally, our MTTR has already gone from days to hours. Before we might have had to go to three or four departments and talk to three or four different people to get the logs and manually analyze them. Now, it's a matter of minutes or an hour and we can get a clear picture of what's going on and what to do next. It is a huge change compared to what we had before.

The solution manages 400 days of hot data for us, which is amazing. We just send it to the Devo platform, then it is there for our customers. It is quite a unique feature because other cybersecurity players typically have a lot of limitations. They normally offer two weeks of historic data with a pain offering of a month. We are sort of unique in the industry because we can offer a year due to Devo. When you're looking at cybersecurity breaches, you will notice that normally attackers have been in your network for more than 300 days. This is the average time that you've been breached and you didn't know, and it's actually close to what we have with Devo. A shorter period of time would be less useful to us.

Because of the module, our customers now have immediate access to telemetry in a way that they didn't have before. The way that we integrate it with a click of a button, activating the Devo module, suddenly they will have immediate access to it. Therefore, the automation and value for customers is quite impressive.