Devo Reviews

We use Devo as a SIEM solution for our customers to detect and respond to things happening in their environment. We are a service provider who uses Devo to provide services to our customers.

We are integrating from a source solution externally. We don't exclusively work inside of Devo. We kind of work in our source solution, pivoting in and back out.

With over 400 days of hot data, we can query and look for patterns historically. We can pivot into past data and look for trends and analytics, without needing to have a change in overall performance nor restore data from cold or frozen data archives to get answers about things that may be long-term trends. Having 400 days of live data means that we can do analytics, both short-term and long-term, with high speed.

The integration of threat intelligence data absolutely provides context to an investigation. Threat intelligence integration provides great contextual data, which has been very important for us in our investigation process as well. The way that the data is integrated and accessible to us is very useful for security analysts. The ability to have the integration of large amounts of threat intelligence data and provide that context dynamically with real time correlation means that, as analysts, we are seeing events as they're happening in customer environments. We are getting the context of whether that is related to something that we're also watching from a threat intelligence perspective, which can help shape an investigation.

The ability to have high performance, high-speed search capability is incredibly important for us. When it comes to doing security analysis, you don't want to be sitting around waiting to get data back while an attacker is sitting on a network, actively attacking it. You need to be able to answer questions quickly. If I see an indicator of attack, I need to be able to rapidly pivot and find data, then analyze it and find more data to answer more questions. You need to be able to do that quickly. If I'm sitting around just waiting to get my first response, then it ends up moving too slow to keep up with the attacker. Devo's speed and performance allows us to query in real-time and keep up with what is actually happening on the network, then respond effectively to events.

The solution’s real-time analytics of security-related data does incredibly well. I think all the SIEM solutions have struggled to be truly real-time, because there are events that happen out in systems and on a network. However, when I look at its overall performance and correlation capabilities, and its ability to then analyze that data rapidly, it has given us performance, which is exceptional.

It is incredibly important in security that the real-time analytics are immediately available for query after ingest. One of the most important things that we have to worry about is attacker dwell time, e.g., how long is an attacker allowed to sit on a system after it is compromised and discover more data, then compromise more systems on a network or expand what they currently have. For us, having the ability to do real-time analytics essentially drives down attacker dwell time because we're able to move quickly and respond more effectively. Therefore, we are able to stop the attacker sooner during the attack lifecycle and before it becomes a problem.

The solution speed is excellent for us, especially in regards to attacker dwell time and the speed that we're able to both discover and analyze data as well as respond to it. The fact that the solution is high performance from a query perspective is very important for us.

Another valuable feature would be detection capability. The ability to write high quality detection rules to do correlation in an advanced manner that really works effectively for us. Sometimes, the correlation in certain engines can be hampered by performance, but it also can be affected by an inability to do certain types of queries or correlate certain types of data together. The flexibility and power of Devo has given us the ability to do better detection, so we have better detection capabilities overall.

The UI is very good. They have an implementation of CyberChef, which is very good for security analysts. It allows us to manipulate, transform, and enrich data for analytics in a very fast, effective manner. The query UI is something that most people who have worked with SIEM platforms will be very used to utilizing. It is very similar to things that they've seen before. Therefore, it's not going to take them a long time to learn their way around the platform.

The pieces of the Activeboards that are built into SecOps have been very good and helpful for us.

They have high performance and high-speed search as well as the ability to pivot quickly. These are the things that they do well.

There is room for improvement in the ability to parse different log types. I would go as far as to say the product is deficient in its ability to parse multiple, different log types, including logs from major vendors that are supported by competitors. Additionally, the time that it takes to turn around a supported parser for customers and common log source types, which are generally accepted standards in the industry, is not acceptable. This has impacted customer onboarding and customer relationships for us on multiple fronts.

I would like to see Devo rely more on the rules engine, seeing more things from the flow, correlation, and rules engine make its way into the standardized product. This would allow a lot of those pieces to be a part of SecOps so we can do advanced JOIN rules and capabilities inside of SecOps without flow. That would be a great functionality to add.

Devo's pricing mechanism, whereby parsed data is charged after metadata is added to the event itself, has led to unexpected price increases for customers based on new parsers being built. Pricing has not been competitive (log source type by log source type) with other vendors in the SEMP space.

Their internal multi-tenant architecture has not mapped directly to ours the way that it was supposed to nor has it worked as advertised. That has created challenges for us. This is something they are still actively working on, but it is not actually released and working, and it was supposed to be released and working. We got early access to it in the very beginning of our relationship. Then, as we went to market with larger customers, they were not able to enable it for those customers because it was still early access. Unfortunately, it is still not generally available for them. As a result, we don't get to use it to help get improvements on multi-tenant architecture for us.

I have been using the solution for about a year.

Stability has been a little bit of a problem. We have had stability problems. Although we have not experienced any catastrophic outages within the platform, there have been numerous impacts to customers. This has caused a degradation of service over time by impacting customer value and the customer's perception of value, both from the platform and our service as a service provider.

We have full-time security engineers who do maintenance work and upkeep for all our SIEM solutions. However, that may be a little different because we are a service provider. We're looking at multiple, large deployments, so that may not be the same thing that other people experience.

We haven't run into any major scalability problems with the solution. It has continued to scale and perform well for query. The one scalability problem that we have encountered has to do with multi-tenancy at scale for solutions integrating SecOps. Devo is still working to bring to market these features to allow multi-tenancy for us in this area. As a result, we have had to implement our own security, correlation rules, and content. That has been a struggle at scale for us, in comparison to using quality built-in, vendor content for SecOps, which has not yet been delivered for us.

There are somewhere between 45 to 55 security analysts and security engineers who use it daily.

Technical support for operational customers has been satisfactory. However, support during onboarding and implementation, including the need for professional services engagements to develop parsers for new log types and troubleshoot problems during onboarding, has been severely lacking. Often, tenant set times and support requests during onboarding have gone weeks and even months without resolution, and sometimes without reply, which has impacted customer relationships.

While we continue to use Splunk as a vendor for the SIEM services that we provide, we have also added Devo as an additional vendor to provide services to customers. We have found similar experiences at both vendors from a support perspective. Although professional services skill level and availability might be better at Devo, the overall experience for onboarding and implementing a customer is still very challenging with both.

The deployment was fairly straightforward. For how we did the setup, we were building an integration with our product, which is a little more complicated, but that's not what most people are going to be doing. 

We were building a full integration with our platform. So, we are writing code to integrate with the APIs.

Not including our coding work that we had to do on the integration side, our deployment took about six weeks.

It was just us and Devo's team building the integration. Expertise was provided from Devo to help work through some things, which was absolutely excellent.

In incidents where we are using Devo for analysis, our mean time to remediation for SIEM is lower. We're able to query faster, find the data that we need, and access it, then respond quicker. There is some ROI on query speed.

Based on adaptations that they have made, where they are essentially charging for metadata around events that we collect now, that extra charge makes up any difference in price savings between Splunk or Azure Sentinel and them. 

Before, the cost was just the data itself, but they have adjusted it now where they even charge if we parse the data and add in names for a field that comes in. For example, we get a username. If you go to log into Windows, and it says, "That username tried to log in." Then, it labels the username with your name. They will charge us for the space that username takes up when they label it. On top of that, this has caused us to lose all of the price savings that were being found before. In fact, in some cases, it is more expensive than the competitors as a result. The charging for metadata on parsed fields has led to significant, unexpected pricing for customers.

Be cautious of metadata inclusion for log types in pricing, as there are some "gotchas" with that. This would not be charged by other vendors, like Splunk, where you are getting Windows Logs. Windows Logs have a bunch of blank space in them. Essentially, Splunk just compresses that. Then, after they compress and label it, that is the parse that you see, but they don't charge you for the white space. They don't charge you for the metadata. Whereas, Devo is charging you for that. There are some "gotchas" there around that. We want to point, "Pay attention to ingest charges for new data types, as you will be charged for metadata as a part of the overall license usage." 

There are charges for metadata, as Devo counts data after parsing and enrichment. It charges it against license usage, whereas other vendors charge the license before parsing and enrichment, e.g., you are looking at the raw, compressed, data first, then they parse and enrich it, and you don't get charged for that part. That difference is hitting some of our customers in a negative way, especially when there is an unparsed log type. They don't support it. One that is not supported right now is Cisco ASA, which should be supported as it is a major vendor out there. If a customer says, "Well, in Splunk, I'm currently bringing 50 gigabytes of Cisco ASA logs," but then they don't consider the fact that this adds 25% metadata in Splunk. Now, when they shift it over to Devo, it will actually be a 25% increase. They are going to see 62.5 gigs now when they move it over, because they are going to get charged for the metadata that they weren't being charged for in Splunk. Even though the price per gig is lower with Devo, by charging more for the metadata, i.e., by charging more gigs in the end, you are ending up either net neutral or even sometimes saving, if there is not a lot of metadata. Then, sometimes you are actually losing money in events that have a ton of metadata, because you are increasing it sometimes by as much as 50%. 

I have addressed this issue with Devo all the way to the CEO. They are not unaware. I talked to everyone, all the way up the chain of command. Then, our CEO has been having a direct call with their CEO. They have had a biweekly call for the last six weeks trying to get things moving forward in the right direction. Devo's new CEO is trying very hard to move things in the right direction, but customers need to be aware, "It's not there yet." They need to know what they are getting into.

We evaluated Graylog as well as QRadar as potential options. Neither of those options met our needs or use cases.

No SIEM deployment is ever going to be easy. You want to attack it in order of priorities for what use cases matter to your business, not just log sources.

The Activeboards are easy to understand and flexible. However, we are not using them quite as much as maybe other people are. However, we are not using them quite as much as other people are. I would suggest investment in developing and working with Activeboards. Wait for a general availability release of SecOps to all your customers for use of this, as a SIEM product, if you lack internal SIEM expertise to develop correlation rules and content for Devo on your own.

I would rate this solution as a five out of 10.

We are primarily using the solution as a cloud observability platform.

Most use cases are related to service operations, not security operations. This is due to the fact that in security operations our company uses Splunk and other platforms. In this case, in my team, we are using Devo for service operations requirements. We correlate across metrics and trace on that data to understand root causes. For example, we'll look at metrics in jobs, time processes, root cause investigations where we have fails, job performance, deals, payments, et cetera. 

With Devo, you integrate and run as a fully managed service. We are very interested in the total of severability for IT and the organization all in a one user interface. With Devo, all analysis is done in a graphical user interface. That gives our analysts the confidence to investigate a problem and fix it.

For example, we can have a lot of matrices and trace data in a single user interface. We can eliminate swivel chair analysis among tools for a streamlined workflow that gives us the most direct path to the root course. 

Devo provides great structural data. Its business-rich data set means better, smarter machine learning and this leads to a smarter analysis of anomalies and a stronger predictive analysis.

Devo, unlike other vendors, doesn't charge extra for playbooks and automation. 

It's very, very versatile. 

Service Operations is a tool inside the product. It offers a constant standard with advanced machine learning. The Devo machine learning workbench also enables you to bring in your own custom-built machine learning models. This is very interesting for us.

I need more empowerment in reporting. For example, when I'm using Qlik or Power BI in terms of reporting for the operations teams they also need analytics. They also need to report to the senior management or other teams. The reporting needs to be customized. You can build some widgets in terms of analytics and representations, however, I want to export these dashboards or these widgets in a PDF file. While you can explore everything as a PDF, it's not very complete. I am missing some customization capabilities in order to build a robust, meaningful report.

The initial setup is a little complex.

Technical support could be better.

There do seem to be quite a few bugs within the version we are using.

In the next update, I'd like it if they explain more about the Devo framework. The Devo framework is a tool inside the product. It's a prototype. It is a tool that provides to the customer a map of processes or a workflow, for example, with an HTML application with a front end. My understanding is that each component of this front attaches data with the queries. It might be customized. I'd like to generally understand this better.

I'd like to understand DevoFlow. Up to now, usage could send data to the platform, retrieve it and enrich it by generating graphs and analytics. However, it's my understanding that Flow provides users the ability to process the data in real-time by defining complex workflows as soon as data arrives in the platform so that you can make analytics in a sequence. I'd like to better understand these new capabilities.

I've been working with the solution for one and a half to two years or so. 

At this moment I consider the solution to be stable. However, I find that I perform any little fixes throughout a project. There are bugs here and there that I do contend with. I'd prefer to have these fixed as opposed to having to install a whole new version.

In the beginning, there were not more than 20 to 25 users. However, our objective remains to get 100 people on the product. We add them little by little due to the nature of our projects.

In terms of scalability, it's a product well-focused on expansion. As a SaaS, they provide you more architecture, more machines in terms of performance, et cetera. We're quite happy with its capability to expand.

Technical support needs to be more direct. For example, when we submit a ticket, the support team will delegate a task to the operations team, for example, or various other teams. This muddles the transparency. We're unsure as to who is in charge of fixing the problem. I simply want an answer to my problem and I want them to fix it and tell me what is wrong. I don't need to know it was sent here, there, or there. We are not 100% satisfied with the level of service provided to us.

The initial setup was a little bit complex, however, we had great support from the Devo team. We are using the public cloud - not on-premise. They provided us the infrastructure. The complexity was mostly around how to build the VPN securitization, the tunnel, as this tunnel was built by us, not by Devo. We, therefore, had to build a lot of technical tests of communications. This was complex.

With Devo, we have to connect by LLDP protocol. For example, Devo at the beginning shows the users as an email and a password. In our company, we needed to connect this mechanism of access to our own mechanism of the corporation. We had to deal with the protocol of connectivity of users, FSAA, for example. Sometimes this was difficult and we had to make a lot of test connections, et cetera.

There isn't too much maintenance required. Devo provides the product. I have to ensure that the mechanism of communication is stable and in continuous service. Our VPN with the tunnel is the responsibility of us while the persistence of data and the performance of searching data representation is the responsibility of Devo.

Devo assisted us with the implementation process.

Devo, like other vendors, doesn't charge extra for playbooks and automation. That way, you are only paying for the side on the data ingestion. If you sign a contract, you are able to process as much as 500 gigabytes per day. With this price, you can connect 10 people, 20 people, 18 people, 80 people - it's very good. It's very efficient in terms of the cost of the license. 

Depending on if you are ingesting more than you sign up for, you have to pay more. There is potential for extra costs only in this one aspect, and not in the other services, or in other people who connect to the product. 

Devo provides you professional services. Professional services is a manner to give service to the clients in terms of consultants. Expert consultants help the customer to design the business case and can show them how to build it. This is an extra option, for people who want to take advantage of their insights.

I have done a lot of assessments with Devo against other products such as Elasticsearch, Kibana, Splunk, and Datadog, among others.

We're just customers and end-users.

We are using the most recent version of the product.

We are using Devo in a public cloud with some other web service we have secured with a VPN built in the company so that it's tunnel secured.

I would rate the solution at an eight out of ten. If the solution required fewer fixes and was a bit more flexible, I would rate it higher.

Our primary use of Devo is as a SIEM, and then as a big-data platform. We do store a lot of data centrally, using the solution, and then we analyze it. The main purpose of the analysis is for security, to detect attacks, abnormalities, and to get an overall view of the health of the network.

We deploy it on-premise. Devo mainly deploys in the cloud, but that's just not possible with our security policy.

We didn't have a proper SIEM platform before, so just having Devo is really a big improvement. We are in the initial phase, but it does make us look at the data differently because we can access it really fast and with ease. The benefit is going to come with more time with the platform. We'll be able to do things we haven't done before, and think outside the box with the platform, because the solution can do things fast. We can experiment. We're now thinking more about more experimentation. Instead of thinking of all the limitations to what you can do with the platform and where you cannot go, it's now open. What would we want to do? We don't have that fear that we will hit the wall.

We have retention policies set globally. We used to have access to the same amount of data before we started with Devo, but that data was not centralized. So the ability to access the old data hasn't really changed. We always had the data. But what has changed is the ease with which we can access this data, the speed, and the ability to be able to correlate this data.

The main result of the centralization is the correlation we can now do. We had a lot of sources with logs, but nobody was centralizing them. Now we have the visibility. By making Devo the central platform and the only platform, we're trying to standardize how the sources and logs work. That means we only have one interface to configure on the sources. We can make instructions that are quite easy to follow for everybody, and which will probably not change over time. Doing this, we break the barrier of logging being difficult to configure and we reduce the issue of destinations changing all the time or of having to change how the data is structured. Even during the deployment process, this really brought way more visibility than we had before. Every day that we're working with the platform, we see problems that nobody ever thought about. It has definitely created a lot of visibility for us.

And with the Devo platform, we can also create long-term use cases. We were not able to do that before because we didn't have the correlation and the data in the same place.

Also, we can now get quite detailed data about communication between different nodes. Sometimes you don't see security incidents right away, and sometimes you have to go back. Now, we can go back three months to a specific date and do a really detailed analysis of what happened. Before, we would have to go to five, 10, or 15 different sources, extract the data and then put it together in a different platform. 

In addition, if we're looking for abnormalities, the longer we have data, the richer and more detailed our model is for what normal behavior is. We can then detect the anomalies more precisely.

Finally, our MTTR has already gone from days to hours. Before we might have had to go to three or four departments and talk to three or four different people to get the logs and manually analyze them. Now, it's a matter of minutes or an hour and we can get a clear picture of what's going on and what to do next. It is a huge change compared to what we had before.

The speed of the platform is one of its most valuable features. The solution is designed differently so it doesn't really matter how far back you go, the speed's going to be the same.

We use its real-time analytics, which are very good. It sends alerts; we have some alerts that update every five minutes, or whenever the data comes in. It's really fast. We can work on really large data sets and have a resolution in minutes for these alerts. It's great. It's not actual, real-time because there is some delay before the logs come from the data collectors. But that's not a problem with the Devo platform. It's just how logs travel around here.

The user interface is really modern. As an end-user, there are a lot of possibilities to tailor the platform to your needs, and that can be done without needing much support from Devo. It's really flexible and modular. The UI is very clean. It makes sense for me, personally, the way it's set up.

The UI also has these little perks. For example, if you do queries and you set a certain time range which you need to reuse in different queries, instead of having to type it in every time there is quick access to all the time ranges you have been using. You can just pick the one you need, instead of typing in, say, January 22nd, 2020, from 15:35 to 15:45. You have quick access to whatever ranges you have already put in. I reuse these a lot and it saves a lot of time.

Another UI feature is that it does a type of pre-aggregation and pre-processing for you. Whenever you hover over certain parameters that can be filtered or adjusted, you get an overview of the top 10 values, with the percentages as well. Sometimes you just want to know what the ratio is between different sources. You don't have to do anything to get that. You just hover your mouse over where you would start setting it up and you can actually see the values right away.

It's full of these little surprises. It has something called CyberChef which is a really rich tool for manipulating IT-related data, IP addresses, encoding, and the like. CyberChef is an open-source tool that I sometimes use through its web interface. But you can actually use it directly in the Devo tool, so that's another big bonus. It looks like Devo thought, "Okay, people who use our platform may use this tool as well. It's open-source, so we'll just include it." It's integrated, creating an interface between them.

And one of the biggest features of the UI is that you see the actual code of what you're doing in the graphical user interface, in a little window on the side. Whatever you're doing, you see the code, what's happening. And you can really quickly switch between using the GUI and using the code. That's really useful too.

Activeboards is another really good feature. With them, you can actually see the code as well. It's really powerful. Sometimes with this type of software, there is a similar dashboard feature, but you're very limited in what you can do with it in the graphical user interface. And if you reach its limits, you have to call the vendor and let the vendor do it. But here, you can see the code. So if you want to go deeper, or if there's some feature that is not reachable with the GUI, you can write it yourself. The documentation is really good, so it's quite easy to do.

Activeboards' ability to build and modify dashboards on the fly is also powerful. We came to Devo from a different solution and, obviously, the users didn't want to change the way they use the platform. They required a certain workflow that is not in Devo. With Activeboards, we can recreate the exact workflow they are used to, without any difficulty. That makes it very easy for the user to switch to Devo. That's the power of the Activeboards. You can really change a lot of things. It's very modular.

I don't use the Activeboards' visual analytics that much. I just look at the data, most of the time. The Activeboards feature is not as mature regarding the look and feel. Its functionality is mature, but the look and feel is not there. For example, if you have some data sets and are trying to get some graphics, you cannot change anything. There's just one format for the graphics. You cannot change the size of the font, the font itself, etc. You get a graphic that works well in some cases, but in other cases, the numbers are too small and you cannot do anything about it. Overall, the graphic presentation of data is okay, but I miss the basic functionality of being able to change how things look.

We've been using Devo for about two months. (as of 02/2020)

I don't remember a single issue with the platform in the two months we've used it. There has been no downtime or data missing, at least during my work hours, eight hours a day, Monday to Friday. Even though it's a new product, I feel it's very mature. There are very few bugs in the platform, even if it's evolving all the time.

The scalability is very good. We had some assessments from Devo and they said, "Oh, for this amount of data at the moment you will need this and this." We were kind of skeptical because the amount of hardware they asked for was way less than the old platform that was running some of the data. But I've seen some performance reports and we're very far from reaching any limits on the platform at the moment.

In our office we're not using that much data, but our colleagues in sister company are using way more than we od and they are happy. Having gone through the implementation I know a little bit about how the architecture works and I think it's built to be scalable.

In the future, over the next 12 months, we'll be using it more in terms of volume of data and how much we're using the platform. We are not utilizing very much of what it can do. We use it a lot in daily workflows, but we are not using it to the full potential yet. 

The tech support is excellent. We used some Agile methodology to install the platform and we had some non-standard channels in our organization, like Slack or Microsoft Teams, where we used instant messaging communication with the team, and their response times were very fast. 

The support was very professional but very flexible. We had defined some requirements at the beginning of the project, which were included in the contract, but then we realized that we wanted to change them. We were a little bit afraid that because they weren't in the contract it would not be possible, but that wasn't a problem at all. There were no questions asked.

We used Splunk prior to Devo. We switched because we were not happy with Splunk. We felt that the platform wasn't built properly and the support was very problematic and expensive. We had an RFQ process, a tender, and Splunk was in the game since it was our current platform. But we were just not happy with them even during the tender. So we decided that we were going to change.

The differences between Splunk and Devo are performance, ease of use, the functionality, and the approach of the company. The latter includes how they do support and development. Devo, overall, is a better solution for us.

Most of the work was done by the Devo team. The work from our side was to get the hardware and the networking ready and to configure the sources. The configuration of the sources was quite straightforward. The main system is not highly complex.

We're going to be doing our own maintenance, level-one and level-two support. Our people are going to training. Devo uses many standard components and standard interfaces. There is no big, proprietary software barrier. It's quite flexible too, in that we could choose our own operating system. They recommend Ubuntu, but in our corporation we run everything on Red Hat. There was no problem at all in this regard.

The hardware requirements were also very flexible, so we could have chosen whatever we wanted; what works for us. Everything was pretty straightforward. There were no issues. Setting up users and alarms — the configuration of the platform — was very easy too.

There were some bottlenecks on our side, but including planning, it took three to four months. The platform was ready in three to four weeks and deploying all our customizations, all our use cases and alarms, was another month. 

The process required five people, including me. We had a project manager, as well as an OSS engineer who was responsible for the hardware and everything that we had to do in that regard — obtaining the hardware, network connectivity, etc. Two of us from network security were responsible for the goals of the platform, defining the use cases, and testing the platform. We also had support from the networking firewall team.

Maintaining the solution is less than half a full-time position. We have a team doing it, but nobody is directly dedicated to it. There are certain processes that that team follows so if we have an issue, we create a ticket and somebody from that team will sort it out.

Overall, we have 10 to 20 people using Devo across our organization. They are in security roles. Because we have a lot of data, some people use it for performance management, while other use it for fault management in the network for the devices. Management uses it to generate security-posture reports. At the moment, it's very security-oriented. So most of the users are security analysts in our group.

We have definitely saved time using Devo, but the greater visibility it gives us is really hard to quantify. Everybody's more effective, obviously. And the hardware costs are down compared to the other solution. Everybody feels it's a good value, especially in mitigating risk or attacks. With the greater visibility and the ability to aggregate and analyze data in a better way, we have better mitigation. We see the threats sooner or more in detail. We can do everything better.

I'm not involved in the financial aspect, but I think the licensing costs are similar to other solutions. If all the solutions have a similar cost, Devo provides more for the money.

Because we are running an in-house solution, there is the extra cost for us, when compared to the cloud, in maintaining our own hardware, and the level-one and -two support we are doing. But we feel we won't need consultants in the future, which we needed with Splunk where we paid extra for a more defined platform and doing the work. Devo is very well-documented and the platform is very open.

There was a Splunk solution and Juniper branded product  that we looked at, along with some open-source solutions.

My advice is to go with scrum Agile method for implementing it. It really works. They're did really good at it.

The biggest lesson I've learned from using Devo is that it is good, functioning software. And there's really good support.

I'm so happy with the platform. I've seen it go from pre-production to production. I was very happy with it in pre-production and I thought, "Okay, maybe when we start loading all the data, the complete set, maybe it will be different," but it's not. It does what it says on the tin. It really works for us.

I rate Devo at nine out of 10. They could be a 10. If they pushed us a little bit harder at the beginning so we actually come up with a more detailed plan for the integration of our sources, that could have made them a 10.

It's an upstart company and we really see great potential with them. They're updating the platform and they're adding a lot of features, features that matter to us, without us actually telling them we need them. So I think they really understand the market. They understand how modern software should work and how people work. It's really refreshing. You feel you're not limited by the platform. You're only limited by your imagination.

Devo is a SIEM replacement technology used to run security operations. It centralizes security management within a business, functioning as a core system for a SOC. This system is the central cybersecurity hub, helping manage and streamline service tickets.

One of Devo's standout features is its cloud-first architecture, which sets it apart from many traditional SIEM providers that still rely on legacy, on-premise solutions. While many companies have started shifting to the cloud, Devo offers a hybrid solid approach with full cloud deployment. This mature architecture is one of Devo's significant strengths. Unlike other providers like Fortinet and Sentinel, which handle specific security parts, Devo offers a more comprehensive, end-to-end solution, making it one of the most advanced SaaS products.

They can improve their AI capabilities. If you look at some integrations like XDR or AI, which add to the platform to correlate situations in events, there are areas for enhancement. For instance, when an event comes in with many tickets, the best systems excel at correlating and grouping the different instances or alerts into a single instance or ticket, providing context. Their correlation engines sometimes miss the mark, leading to false positives. They're not as strong as other vendors, like SentinelOne, regarding AI power and data or event correlation.

I have been using Devo as a partner for four years now.

Devo's stability is a strong point. As a SaaS provider, they've had no performance issues. 

I rate the solution’s stability a ten out of ten.

When it comes to scale, they're architected quite well. They handle some of the biggest customers globally, with significant throughput on their platform, managing thousands of customers. One of the most impressive aspects of Devo is its customer community. A large majority, over 80 percent of their customers, actively participate on a Devo-specific community page. They're contributing to product development and support, events, and user group information, helping each other out. This high level of engagement is rare and demonstrates both the loyalty of their customer base and the quality of their product.

They offer a range of small, medium, and large options to cater to everyone. I sold Devo products while working with them, focusing on enterprise solutions. However, as a small reseller, my customers were typically smaller businesses.

I rate the solution's scalability a nine out of ten.

The community support is excellent. I rate the direct support around eight, mainly because the company is based in America and has more support infrastructure there than in Europe. In the U.S., the support level rating should be closer to ten.

Positive

The initial setup is easy. They have a lot of out-of-the-box integrations and are quite lightweight in their implementation. There are plenty of options for integration, which I would consider one of their strengths. One standout feature beyond data analytics and real-time diagnostics is something called DeepTrace. If I recall correctly, this feature involves automated threat hunting and investigation. It uses AI to expedite the investigation process, identifying attack chains and conducting root cause analysis without human intervention. Essentially, they're using AI to perform tasks typically done by analysts, automating the investigation process. When you start an investigation, their AI-driven tool provides the best guess at identifying the problem, potentially offering root cause analysis without human involvement. You can either use their suggested analysis or investigate further if needed. This DeepTrace feature is likely one of the unique selling points of their platform, making it a significant differentiator for them.

I rate the initial setup an eight out of ten, where one is difficult and ten is easy.

Compared to Splunk or SentinelOne, it is really expensive.

I rate the product’s pricing a nine out of ten, where one is cheap and ten is expensive.

It integrates several critical components, such as SIEM, SOAR, and UEBA, to make it a robust solution for SOCs. The platform's cloud-based architecture ensures excellent performance, scalability, and quick deployment, particularly beneficial in environments with heavy production loads or when integrating additional tools.

Devo provides near-real-time capability for threat alerts, analysis, and updates. This allows SOC teams to stay on top of security incidents as they happen. Additionally, the platform excels in visualization, providing clear and timely dashboards that help SOCs avoid missing critical incidents or failing to interpret data correctly. Its user-friendly design allows for high-level overviews and detailed drill-downs, ensuring security professionals can quickly grasp the situation and act.

They push AI as their differentiation, calling it a next-gen SIEM. It offers a more inclusive platform that delivers end-to-end security for the entire customer. Using some weighting system, they use AI to drive down false positive rates by determining whether something is a real threat. They have an AI-powered system that assesses if an issue is real, though the specifics of how it works are difficult to explain. This includes machine learning and algorithms designed to identify complex issues, with some of that learning built into the tool. However, this is pretty standard for most SIM platforms today. The biggest challenge for SIEMs has been to make the information they present smarter and more context-heavy. This is not a differentiation but rather being on par with other AI-driven platforms that aim to reduce false positives and minimize manual checks.

I 100% recommend the solution. It can help most medium to large enterprises develop their IT capabilities to advance quickly. However, if you're already at the top of your field and willing to invest heavily, some pedigree products might offer a ten out of ten experience, but that would be due to the higher cost and specialized features.

Overall, I rate the solution an eight out of ten.

We have several use cases for Devo. The first is related to the security center (SOC) operations, and they do the log correlation for Devo security.

We now have fraud use cases and application monitoring use cases, and we're starting to work on some use cases related to business analytics.

Devo provides us with high-speed search capabilities and real-time analytics, which is the most important thing for us. The reason is that when we need to analyze something, we need to have the information as fast as possible. It needs to be easy to use because if we have a security incident, or an application monitoring incident, we need to find the problem as quickly as possible, and have the ability to fix it.

It is difficult to correlate in terms of security and application monitoring but in terms of fraud, we have the ability to correlate a lot of different log sources to form a picture. This gives us the ability to reduce fraud cases by 40%.

In our environment, we retain some of our logs for 10 years. This is important for us because of regulatory requirements. We have critical information stored that is related to anti-money laundering, and the law requires us to be able to provide it quickly.

Devo provides us with more clarity when it comes to network, endpoint, and cloud visibility. We use it to ingest a lot of the related information. If you need to detect threats, you need to have the ability to find the network connections, and also the cloud-based connections that the threat actor is trying to access. This is the very reason that we are ingesting all of this information.

This solution helps us to release the full potential of our data, which is one of the most important things that we do. By creating the dashboards that work in real-time, we can see how our services are being used and we can monitor our security ecosystem.

Overall, using Devo has saved us time when compared to our previous security solutions. I estimate that it took us 10 times longer to achieve the same thing without Devo. 

What we find most valuable is the ability to create complex features in the engine, and to do real-time dashboarding. In traditional BI solutions, you need to wait a lot of time to have the ability to create visualizations with the data and to do searches. With this kind of platform, you have that information in real-time.

Devo, as with almost all of the analytics products, is a product that you need to learn how to use. Fortunately, with just a short training time of perhaps four hours, you can get a lot of power with the tool. Overall, it's pretty easy to use.

I would like to have the ability to create more complex dashboards.

We implemented Devo in 2016 and started using it in production in 2017.

Stability-wise, Devo is a good solution.

Scalability is one of the most powerful features. We started with five terabytes and we are now at 30, with almost the same performance. That is pretty scalable.

We have more than 500 users. The roles are security analysts, business users, application developers, and the IT operations team.

We plan to increase our usage in the next couple of years.

The vendor monitors the application and it is quite good. When we were last having a problem, it was solved within two hours.

Devo has a customer-first approach. They are quite open to discussing new features, and they like to be close to the customer to understand any problems that they have.

The support team has exceeded our expectations, in particular, when it came to the implementation. We originally had a four-year plan and in six months, everything was completed. The originally planned work was done, and the work for the next three and a half years was also done.

Prior to Devo, we were using QRadar and Elastic. We switched because Devo is more powerful and the scalability is better.

With respect to analyst threat hunting and incident response, you can create a lot of complex dashboards and consequently, it is easier to perform a deep dive. It is really aligned with Splunk in terms of capabilities and usability.  Our analysis had data from different solutions to work with and they preferred to use what was coming from Devo.

The initial setup is straightforward. It took approximately one week to deploy.

The Devo implementation team came to our building and installed everything. After that, we moved all of our information, which included creating a copy of all of the logs that we had in the other solutions. Once that was complete, we were able to start working with Devo.

Our implementation strategy was originally part of a four-year plan. However, we finished the full implementation early and the four years were reduced to six months.

Devo professional services assisted us with the implementation.

We have two full-time people in charge of maintenance. This includes tasks like implementing new services, doing correlations, alerts, and management.

Devo allows us to ingest more data compared to other solutions, using the same infrastructure. For example, compared to Splunk using the Capacity Planning Tool, Devo can ingest almost double the information in terms of events per second.

Our licensing fees are billed annually and per terabyte. This seems to be that the market is generally going to.

We created an alternative business plan that used QRadar and Elastic, and finally, we selected Devo because it was most aligned with our strategy.

Comparing the cost and value of Devo versus these other solutions, I think that it's very efficient. We're getting a lot of power for the cost, which is good.

Devo provides multi-tenant cloud-native architecture but in our organization, I would rate it a six out of ten in terms of importance. The feature is important, although not so much for our specific use case. I don't expect that this will change in the next few years.

I would rate this solution a nine out of ten.

Our primary use case is so we have historical logs in case of an event or if we need to do any troubleshooting.

Our secondary use of Devo is for incident detection; certain logs trigger alerts, so we now have a 24/7 monitoring service that detects and alerts us to incidents. 

We can ingest virtually any log source, which is much better than our previous solution. We can access those logs more quickly and efficiently, with a better focus on our points of interest.

Cloud log sources were more difficult with our previous solution. Devo isn't wholly worry-free, but it's much more manageable.

With Devo, we don't have desperate multiple log storage solutions; we can do it for the most part with one. The sheer breadth of logs we can ingest is very beneficial.

The solution allows us to ingest much more data; our event volume is around 100 GB. That's ten times the volume we were ingesting before. 

The alerting is much better than I anticipated. We don't get as many alerts as I thought we would, but that nobody's fault, it's just the way it is. 

Having at least one year of data was one of our requirements, so 400 days of hot data benefits us. We are used to this capability, as our previous solution offered the same, and we wouldn't have purchased Devo if it didn't provide that.  

There are some issues from an availability and functionality standpoint, meaning the tool is somewhat slow. There were some slow response periods over the past six to nine months, though it has yet to impact us terribly as we are a relatively small shop. We've noticed it, however, so Devo could improve the responsiveness.

When we first started implementing the solution, the staff that helped us with the migration and getting it set up seemed very new. The tool could be more mature, which we knew going in, but we were hopeful for quick improvements. We would prefer to be further along than we are in that respect, but 18 months later, we still feel pretty good about adopting Devo.

The price could be more friendly as we pay significantly more than what we were paying before, but it's in line with other solutions on the market.

We've used the solution for 18 months. 

The solution is relatively stable; I'd rate it eight out of ten here. We heard about somewhat shaky performance from other customers over the last six to nine months, but we were fine.

The solution seems scalable, though we're a small shop, so we're probably not the best to answer that well.

We have 400-450 end users across three locations. 

Once we get a hold of someone and they respond, customer support is fine. It isn't extraordinary, and the escalation process is a little below average for the industry.

Neutral

We previously used IBM QRadar, and we switched because it was antiquated. We had difficulty ingesting logs from cloud solutions, which is the direction our organization is moving in. We have several cloud solutions now versus two or three years ago, so the migration to Devo from QRadar was very timely for us in that regard.

QRadar's interface was pretty antiquated. They have updated it now, but we weren't satisfied with it at the time. We also had some support-related issues around updating the solution as it was on-prem. We were coming to a point where we had to update the hardware and software, so it was a good time for us to look for another product.

The initial setup was relatively straightforward. 

In terms of maintenance, I go through every quarter to ensure that each of our log sources is still sending logs to Devo. We were a little disappointed that they didn't have a good way of informing us if a log source stopped sending logs. I appreciate that each source sends on a different frequency, but we should be able to define that frequency and receive a notification of any issues.

As is often the case with security solutions, it's hard to measure an ROI because we only need it once an incident occurs. The hope is that we get a return if an incident takes place. Devo is much better than we previously had, but it's also a lot more expensive, so it should be so.

Devo is a hosted or subscription-based solution, whereas before, we purchased QRadar, so we owned it and just had to pay a maintenance fee. We've encountered this with some other products, too, where we went over to subscription-based. Our thought process is that with subscription based, the provider hosts and maintains the tool, and it's offsite. That comes with some additional fees, but we were able to convince our upper management it was worth the price. We used to pay under 10k a year for maintenance, and now we're paying ten times that. It was a relatively tough sell to our management, but I wonder if we have a choice anymore; this is where the market is.

We focused on four solutions: Splunk, AlienVault OSSIM, the incumbent QRadar, and Devo. We narrowed it down pretty quickly to Splunk and Devo, and the latter was a bit cheaper, though less mature. We took a chance and went with Devo.

I rate the solution seven out of ten.

Devo's cloud-native SIEM increased our threat visibility, though we had hoped for a bit higher. Visibility is critical, as we rely upon knowing about security incidents as soon as possible. We expected the solution would provide additional insight, but we're finding it isn't. Devo gives us the historical logs, a fantastic capability we are very happy with. However, the incident and threat detection is not what we had hoped for. Regarding security operations, the tool is different from what we wanted.

Getting our staff up to speed with the solution was right in the middle in terms of difficulty. It wasn't as easy as we had hoped, but it wasn't insurmountable by any stretch of the imagination. Devo provided us with several training sessions, and I wonder how much that helped because our group is very technical. The tool's interface is intuitive, so our staff can find what they need. With regular use, the learning curve is relatively low, but without that, it can take some getting used to, as with any solution. Devo is broad and encompassing, so it requires familiarity to leverage it fully. We don't have dedicated internal staff to manage the solution, so we outsourced the monitoring to an MSP.  

The migration from QRadar to Devo was relatively straightforward and painless; we essentially cut the cord on QRadar, maintained the logs and moved them over to the new solution. The ease of migration was relatively important, the old solution was antiquated, so we expected any newer tool to be better. 

Migrating the bulk of the initial logs took about three months. We got some aspects up and running during a proof of concept while we were still using the old solution. Once we went live, we migrated the POC environment to a production environment, so it was much less stressful than it could have been. 

The Devo team was intimately involved in the migration. They weren't as responsive as we had hoped, and they seemed new and didn't completely understand the product. We received better support on escalation; overall, they were critical to the migration.

Before going down this path, I advise potential customers to document their log sources and what information they need based on their use cases.

I'm a SOC director for a Fortune 500 company, and we use it as our primary SIEM for our leverage SOC service.

Devo has streamlined a lot of our processes. We now have the ability to generate content and create alerting, and we can view all of that across a larger plane than we could with our previous tool.

Devo uniquely provides a direct view into the raw data, as opposed to a lot of tools that give you an ingested, parsed, and normalized view. Normalization is great for some things, but there are other things that it's not so great for. Devo allows you to have both simultaneously. You can parse the data and do some normalization but still have all the raw data the way it came from whatever it came from. That allows you to do deeper dives and look directly at what's coming in, versus a representation of what came in.

It also dramatically shortens the amount of time that we spend doing research in the tool. It has taken the average time that one of our analysts spends on an alert from 10 minutes down to roughly five. They're spending half the amount of time doing research because of the way that we are able to set up the data within Devo. And they can use things like Activeboards to provide a lot more context than our previous toolset could.

We're able to find things quicker and more efficiently, and with broader visibility than we had in our previous toolset.

We're also able to take a look at the data a bit more holistically, and that provides us with a better top-down view so that we can better see where there might be gaps in our coverage.

In terms of ingesting data, Devo literally takes anything we throw at it and as much as we're throwing at it. Our ingestion of events has increased by a full one-third compared to ingestion with our previous SIEM. That increase is a result of our increased customer base as well as the increasing number of things that we're ingesting from our customers.

The most valuable feature is that it has native MSSP capabilities and maintains perfect data separation. It does all of that in a very easy-to-manage cloud-based solution.

And when the Devo Exchange came out, for access to community-driven content, I was one of the first folks who used it. I was part of the advisory board that really pushed to get that product created for them. I'm all about the Devo Exchange. When compared to Devo's peers in the SIEM market, that was the area that they were lacking in: the ability to share types of content. Other platforms have definitive user bases and large external communities that look at how to do different types of alerting, configuring, and threat hunting within their platforms. Because it was relatively new to the market, Devo just didn't have that built up yet. The fact that they have not only built it but have integrated it directly into their product is absolutely fabulous.

The Devo Exchange is literally point-and-click. If you see something you like, you click on it. It tells you whether you have the applicable tables to make that content work. If you do, you can click a button and it automatically installs for you. All you have to do is go in and create any alerting rules that you want associated with it. It's absolutely amazing.

The Exchange has made it much easier for us to deploy new content. We don't have to spend a whole lot of hours cycling through and creating the content ourselves when someone has created similar or exactly the same content that we would be creating. It has shaved 15 to 20 percent off of our deployment times for new alerts, saving us the time that we would have put into building those things.

In addition, there are things in the Exchange that we weren't sure how to do. Once we saw them in the marketplace we pulled them down and they have given us deeper insights into the data that we have.

The biggest area with room for improvement in Devo is the Security Operations module that just isn't there yet. That goes back to building out how they're going to do content and larger correlation and aggregation of data across multiple things, as well as natively ingesting CTI to create rule sets. Exchange has gone a long way to fix some of those gaps, but there's still room for improvement in that area.

I've been using Devo since December of 2020.

Very early on it had some stability issues, but for the last eight months or so, it's been rock-solid. Even when they have put out notices that there has been an issue, rarely have I ever actually seen that impact our operations. Compared to when we onboarded and where we are now, it is a night-and-day difference.

The solution has been able to scale to whatever we have thrown at. There have been zero problems scaling.

It is the primary toolset that we have settled on for our leverage service. The core of our service offering is around the solution. It is absolutely important.

The tech support has been absolutely amazing. We have a technical account manager and I can email him anytime and I generally get an answer back within a few hours. Either that or he'll escalate to the appropriate team to get it taken care of for us.

The only drawback is that we have asked for capabilities and, because of where they are in their growth and funding, getting them has been a little slower than what we would have liked.

Positive

Our previous solution just wasn't as robust in both processing power and the ability to analyze data.

Migrating to Devo was super simple. Their professional services gave us a lot of assistance, making sure that we had the right parsers in Devo at the platform level. Getting stuff pointed to it was relatively simple.

We essentially dual-fed both our SIEM products for a few months and it was fairly seamless. We did the switch from our previous SIEM into Devo about three months earlier than we had planned, based on how robust we were in Devo at that point.

That ease of migration was definitely important to us. Anytime you migrate from one tool to another, there are significant costs in personnel training and rewriting all of your processes and procedures, because it's a new tool. Devo had a very smooth process with their training platform and the professional services when we first onboarded it. That made it a relatively smooth transition.

We started our proof of concept in December and were live by the beginning of March. That's a really short timeline to get into production with them. We saw return of value almost immediately.

It was relatively simple to get our staff up to speed on the solution. Devo provides an amazing training platform to get them set up on the solution itself, as well as some of the modules within it. Typically folks can go through that and get going in the platform, working as analysts, within a week. And that's for someone with no SIEM background at all. If they have a SIEM background it's even faster.

The learning curve is fairly shallow, especially if you've done SIEM tasks before. It's very much like what you'd expect. It involves a slightly different language than what some other SIEMs use. Azure Sentinel uses "KQL," Devo uses "link," which is very SQL-like. If you have a background in anything remotely related to databases or SIEM, the learning curve is fairly negligible once you understand how Devo works. The training platform does a great job of bringing you up to speed on why Devo is different.

We analyzed a bunch of options. Devo was not even one that we had on the map. They put in a response to our request for proposal and, bar none, they outperformed their peers across all of our key requirements. In addition, they had roadmaps for all the things that we wanted to do.

Among the things that were important to us that Devo could provide were its ability to 

• do true MSSP in the cloud with actual data separation per client
• give individual clients access to their data, and only their data, based on the way the data is separated
• give us the ability to do analytics, rule sets, and alerting across all of those environments at one time, which doesn't sound like a huge ask but it's actually monumental.

The ability to have data segregated but still do analytics across multiple data sets is something that's just not really used in a lot of other products. Either everything is mashed into one set of data, and you don't have true separation of that data so you can't, in turn, give customers view sets into that; or it's all separated and you have to do all the work against each silo rather than having a unified view, which is something we have within the Devo platform.

Definitely take a good, hard look and considerate it. It's the fast-growing leader in the SIEM field.

Overall, Devo is awesome, but it's got some room to grow. I would like to see better native ingestion of cyber threat intelligence and building out of deeper correlation capabilities. They have some work that they're doing in Flows to do some of that stuff, but it still has room for some additional maturity.

We are an MSSP and we provide security monitoring services for our customers. We also treat ourselves as a customer. That means we use Devo internally for our own services in addition to using it to monitor our customers. The use case varies by customer, but they are all security-related as well as dealing with a little bit of storage retention, depending on the customer's needs.

Because of the way Devo works, our onboarding time has shrunk by 50 percent at least.

Also, at a high level, Devo's cloud-native SIEM has helped improve visibility into threats with its data analytics. That's very important because, as an MSSP, we need to be able to analyze the data for our customers and spot anomalies. This feature is still relatively new even to Devo, so I cannot say how happy we are with it at the moment; we still haven't taken full advantage of it. But the Big-Data analytics features included with Devo are allowing us to write some advanced alerting mechanisms that were not available to us in the past.

We are also able to ingest data that, in the past, would have been difficult to ingest.

The most powerful feature is the way the data is stored and extracted. The data is always stored in its original format and you can normalize the data after it has been stored.

By way of an analogy, if you have ever taken a text file and inserted it into a spreadsheet, the individual fields within that text file now belong in individual cells in the spreadsheet. If a particular set of data should have been in a single cell but was split into two cells, searching for it as a whole becomes difficult. The way Devo stores its data, it never gets separated. It's always stored as original data. The only time it gets split up is on extraction, when I actually need to look at my data. That gives me control over how the data is parsed or normalized. I don't have to worry about data being mangled as it's being collected and that gives me confidence that I always have 100 percent fidelity in my data.

The second most valuable feature is the way the alerting mechanism works. It is a code-based approach. You write your queries like code, with a lot of flexibility and access to internal libraries. Those aspects are not available in Boolean or natural language alerting mechanisms that are used by Devo's competitors.

For example, IBM's QRadar uses natural language and you construct a sentence out of predefined options to create your alerting mechanism. With ArcSight and McAfee you use Boolean logic statements. That restricts what you can actually do with the alerting mechanism. You cannot do sub-selections or complicated math problems. Those approaches are less data-centric and more just simple logic. Devo takes a Big-Data approach, rather than simple logic, when it comes to alerting. That makes it super-duper powerful.

Another important feature for us, as an MSSP, is that it allows us to carve up the data from each individual customer that fits into each individual tenant, and that data funnels up into a single master tenant through which we control everything. It becomes invaluable for customers who still want access to their data and we don't have to worry about them potentially accessing another customer's data.

In addition, Devo has an extremely powerful API that is now allowing us to create third-party integrations with forensic tools. That allows us to use Devo as a Big-Data storage facility. As a result, when Devo fires off an initial alert, our third-party forensic analytics tools can pull up the alert and use Devo's extremely powerful query engine to pull in all the secondary and tertiary metadata right into them. That allows us to track the incident with even more powerful tools.

The overall performance of extraction could be a lot faster, but that's a common problem in this space in general. 

Also, the stock or default alerting and detecting options could definitely be broader and more all-encompassing. The fact that they're not is why we had to write all our own alerts.

They could also provide more visual dashboards, what they call Activeboards, within their environment. Activeboards enable you to create custom or pre-defined dashboards. In that context, there are a couple of very useful features for us that are not available when I compare them to some of their competitors. They are features that help you quickly analyze data in a visual way. What they have is still pretty decent but they could beef it up a little bit.

We onboarded it a little bit over a year ago. 

In general, any stability issues have not been very impactful. There have been frequent small outages that make things difficult, but we're giving them a little bit of leeway because they're still a growing platform.

It scales really well, at least from our perspective. We don't know if there are any performance issues in the back-end. As I said earlier, it could be faster. But overall, because it's a cloud-based solution, we really don't worry about scaling. We simply onboard a new customer. They go into their own tenant and their data flows up to the management MSSP tenant. We simply size the licensing accordingly, so it's super easy to scale.

Support is pretty good. They're responsive and they usually solve problems relatively well. And if they mess something up, they will actually put professional services people in to solve the problems, if a wide range of issues is involved.

Both our technical and channel-partner relationships have been very good. We meet with them for status calls at least twice a month. They're very good about staying in contact to provide both satisfaction and technical assistance.

Positive

We used McAfee ESM on-prem. We switched because it  

• was getting old and not evolving
• was not cloud-based or cloud-centric
• had limited correlation engine capabilities compared to Devo
• was hard to segment customer data
• required us to host all the hardware in-house.

The list goes on and on and on.

The switch to Devo helped reduce blind spots and had a very good effect on our ability to protect our organization.  With the limitations removed on how data is inserted and extracted, we were able to alert on things we were never able to alert on before.

It was not an easy deployment because we're an MSSP. Devo's core content, its alerting and security content, is limited. We have a very wide variety of requirements with a lot of our customers. Unfortunately, most of the content that came with Devo couldn't be used. We had to write a lot of our content from scratch. 

We're still learning to crawl with the product because it's insanely powerful, but we were able to see value from it almost instantly. The value became instant because of the granularity with which we could write our content and how powerful the writing of that content was. Because the content that it came with was somewhat limited, we're pretty much writing our own content.

McAfee and Devo co-existed for quite a lot of time in our environment because we needed to make sure Devo was stable before we could cut McAfee off. In fact, some customers are still on it.

There is a bit of a learning curve with Devo because its search language is based on Microsoft LINQ. If you're used to graphic-interface types of SIEMs, like McAfee or LogRhythm or QRadar, where you point-click-drag-drop rather than write your own queries, or you haven't worked with Microsoft LINQ before, there's a learning curve. In addition, Devo has its own "flavors" on top of everything, like its own powerful libraries. If you don't know them there is a bit of a learning curve there as well. All of us are still learning it a year later.

But they do offer both basic and advanced training, and that helps you get started. They also have a pretty advanced Knowledge Base library to help.

Devo's team was involved in the migration and they assisted us quite a bit.

Our experience with them was decent. It wasn't bad. They put in quite a few man-hours helping us create the content and setting up the initial cloud environment. But they misunderstood our overall use case, early on. In the beginning, we were going in the wrong direction for a little bit. Once that was figured out, we were able to get back on track but time was already spent moving in that direction.

But they were very closely involved and helped us scope it out and prep everything. They were instrumental in the migration process.

We did a competitive bake-off between Devo, Elastic, and Google.

Google dropped out very early on. They didn't seem to be very forthcoming in the whole process. It turned out their product no longer exists, so that explains why they weren't being very good about the onboarding process. They didn't want to waste anybody's time.

Early on, Elastic was ahead of Devo in our PoC but when it came time to create very advanced security alerting use cases, Elastic was failing to create the advanced alerts we needed. Devo's proof of concept team was able to help us create those advanced use cases. Devo won there. And, price-wise, Devo was the cheapest out of the three in the bake-off.

Between Devo's advanced features, the price, and the longer default retention period of 400 days, compared to Elastic at 90 days, they ticked enough boxes that they won. The retention days were an important aspect because about 90 percent of our customers fall within a 400-day retention range, and that means we don't have to come up with alternative storage solutions and pay extra for them.