In terms of where it could be improved, this includes its forensics, incident response, and security operation center features. Additionally, some also struggle with the rules. We need more features in order to create rules to detect or to meet some requirements for other areas, such as catching the event from other authentication tools, like in Okta, for example.

In some cases, I have issues because some tools are not integrated in QRadar, such as other tools similar to DLP (Data Loss Prevention). We need to create all the integrations manually because they are not integrated in QRadar. We have a problem, for example, because they have Symantec DLP integrated in QRadar, however, it is not working because it's not detected automatically. It is not converting all the columns, but we do have the option to create manually. This is not difficult because it's very clear in the procedures.

They should speed up the incident response and also, at the same time, reduce the amount of manual effort that is required.

A nice enhancement would be the incorporation of more artificial intelligence and machine learning capabilities.

The solution is primarily used for threat detection and response. QRadar can be integrated with other services from IBM such as Watson, among others. The main need is for threat detection, incident response, and dealing with threats or hunting threats. 

What else? I mean, it's always you're looking for threats. Usually, whoever buys this SIM solution or buys QRadar, for example, is looking for hidden threats and they get the logs to see what's happening within their system. They want a solution that looks very deep inside in order to correlate those logs and see if there's any information that they can get out of those logs or even live packets that are spanning through their networks. Therefore, it's usually threat hunting. That's the main thing, Others might use it to understand the system, and how it's performing overall.  However, that's the lesser use case.

IBM has recently come out with a new version called Cloud Pak for Security but I haven't used it yet. It contains not just QRadar, but also IBM's resilience incident response products. 

I recommend the solution but because of the issues with pricing and technical support, I rate the solution seven out of 10. 

I like the new dashboard which enables us to understand how many real threat attempts are made in a day. I also like the QRadar incident response, we installed the QIF last week. The solution has improved visibility so that we've been able to discover that some of our customers have not had any protection and were very vulnerable. It's an important area. I also find that the user behavior analysis is relatively simple. We are customers of QRadar. 

The most valuable features are the packet inspection and the automated incident response.

It gives the capability for the incident response team to correlate logs to identify any kind of problem like malware and incidents in a general sense, both for logs and packets. I think the most important thing was that it gives the customer the capability to discover and respond to an incident. It gives customers visibility about their most important servers and devices.

Regarding the packet model, the most important thing is how easy it is to rebuild the raw data. Through one click, you can see an email that was sent even without accessing the mailbox from the user. It's easy to rebuild the raw data, especially the packet.

The threat detection capability and centralizing and upgrading capability need to be improved. The threat alert capability needs to be improved as well because there is some lag time at present. They need to work on their database search too.

I would like to see log storage and threat intelligence features be included in the next release. I would like to see them automate the security incident response.

We use ArcSight primarily to provide logs for the incident response team and cyber security analysts to evaluate everything happening in the network. 

We are currently using it with SIEM, and SOAR which is Security Orchestration, Automation, and Response.

Splunk is primarily used for security, incident response, and security analytics.

We have three main uses for the solution. They are compliance, incident response, and as a tool for information security.

The use case with the business case actually is using LogPoint as a full-blown team system. And actually to orchestrate incident responses.

It's a SIEM system and if you incorporate detection rules and can set alerts, severities, stuff like that. It's the center of a SOC, basically. That's the main use case for it. Of course, it's also sued to fulfill regulatory compliance, which is making a report every week, every day, every month, according to the auditor, what he wants. That's the basic use case.

The incident response area should be improved.

It is more difficult than other products, but overall, it is good. The platform has a lot of options and functionality. So, you need to check almost everything. For new engineers or people who don’t have much experience with this kind of platform, it is a bit difficult, but for experienced engineers, it is not that difficult.

When you have been doing a lot of work for about one or two hours, and you have a lot of tabs open, it slows down or gets stuck. There is a delay of 10 to 15 seconds in opening tabs or dashboards. I don't know why this happens, but for me, it is not a big issue. I just wait, and that's all.

The solution is easy to use and on a whole, it is pretty valuable.

The way it can connect with AWS is very useful, and the integrations are pretty good.

The incident response functionality is good.

We're just a consultant. We give advice to clients and present them with what we think are the best options. I'm not an integrator or user. Our clients rely on our insights and reports.

This solution will potentially be used on a governmental project. We need to have the full set of features. The government is very concerned about protection. We are trying to deploy the data lead, cloud connector, advanced analytics, entity analytics, recounting incident response, case manager and the full package, the full system, in order to collect information and properly detect and respond.

While the scoring is very high so far, I still need to determine the hardware requirements. From what I can see so far, I would rate the solution at an eight out of ten.

You can use it for everything, incident response, automated responses, alerts,  visibility.

The fact that the solution keeps 400 days of hot data to look for historical patterns was extremely important because many of the competitors kept 90 days or maybe six months. We looked at the big choices that most other companies use. And with those competitors, if you wanted the extra data, it would be put into warm or cold storage and to utilize it you'd have to pull it back in.

Another one of Devo's advantages is, as I've mentioned, the user experience. It's well thought out and the workflows are logical. The dashboards are intuitive and highly customizable.

There are a few drawbacks to it. Some third-parties don't have specific API connectors built, so we had to work with Devo to get the logs and parse the data using custom parsers, rather than an out-of-the-box solution. Most of our third-parties are working on them because it seems that Devo is making some waves in the industry and more and more people are using them. But that has been what we've had to do with three of our third-parties that didn't have a connector. Devo had to create one, and, once again, their customer service was great. They just built it for us and it worked.

When it comes to analyst threat-hunting and incident response, because there are so many options, and Devo has the ability to do many things from one screen, the workflow is a lot more organic and natural. That means you can drill down to the level you need to and pull in the data you need from one screen. You don't have to keep moving around in Devo. It's much more configurable and the options are there to pretty much dig as deep as you need, from one screen.

Overall, Devo approached things a little differently and that's why we ended up going with them.

Prior to Devo, we were using QRadar and Elastic. We switched because Devo is more powerful and the scalability is better.

With respect to analyst threat hunting and incident response, you can create a lot of complex dashboards and consequently, it is easier to perform a deep dive. It is really aligned with Splunk in terms of capabilities and usability.  Our analysis had data from different solutions to work with and they preferred to use what was coming from Devo.

We started off with about 10 possibilities and brought it down to three. Devo was one of the three, of course, but I prefer not to mention the names of the others.

But among those we started off with were Elastic, ArcSight, Datadog, Sumo, Splunk, Microsoft systems and solutions, and even some of the Google products. One of our requirements was to have an integrated SIEM and operational monitoring system.

We assessed the solutions at many different levels. We looked at adherence to our upstream architecture for minimal disruption during the onboarding of our existing logs. We wanted minimal changes in our agents. We also assessed various use cases for security monitoring and operational monitoring. During the PoC we assessed their customer support teams. We also looked at things like long-term storage and machine learning. In some of these areas other products were a little bit better, but overall, we felt that in most of these areas Devo was very good. Their customer interface was very nice and our experience with them at the proof-of-value [PoV] level was very strong. 

We also felt that the price point was good. Given that Devo was a newer product in the market, we felt that they would work with us on implementing it and helping us meet our roadmap. All three products that we looked for PoV had good products. This space is fairly mature. They weren't different in major ways, but the price was definitely one of the things that we looked at.

In terms of the threat-hunting and incident response, Devo was definitely on par. I am not a security analyst and I relied on our SIEM engineers to analyze that aspect.

We work with Elastic, Sumo Logic, Splunk, other SIEMs, and more. These solutions are very comparable to Devo when it comes to threat hunting and incident response. It just depends on the end customer and what solution will work best for them.

Some advantages of Devo are multi-tenancy and scale. It was built to be multi-tenant which uses resources in an intelligent way. This helps being able to manage multiple organizations. Some of the security solutions you need to create a separate instance for every single organization, which can be inefficient.

The other advantage or sweet spot of where Devo shines is price/volume at scale. Some of the other vendors may be a better solution at lower volumes of data ingest. Devo really accelerates once you get above 500 gigs or a terabyte a day. Cost-wise, once you start hitting that terabyte mark or above, some of the other vendors won't necessarily compare in price or scale. We have seen it where others would need a lot more TCO infrastructure to manage the same volumes that Devo can handle.

We're primarily using it to correlate WAN and endpoint activity for our clients. We work with vendors that have endpoint solutions or that control the networks for our clients. We are receiving their feeds, along with some of our other custom deployed equipment, to not only collect endpoint data, but to monitor network activity and correlate it to identify threats, vulnerabilities, attacks, and provide incident response.

It is quite efficient. It helps our clients in identifying their security issues and respond quickly. Our clients want to automate incident response and all those things.

It's mostly used for cloud-based analytics for proactive incident response. As an enterprise product, it falls under next-gen SIEM.

I like the unified security console. You can close incidents using Sentinel in all other Microsoft Security portals when it comes to incident response.

The solution helps prioritize threats across your enterprise and that is quite important. There is a concept called "alert fatigue," and Sentinel can also cause that because it detects so many false positives. But usually, the high and medium risks it identifies are things you need to take a look at. So prioritization is quite important.

We also use Defender for Cloud, Defender for Endpoint, and Defender for Cloud Apps. It's quite easy to integrate these Microsoft products because they can easily communicate with other Microsoft products. The tricky part is to integrate other vendors' products, like Cisco or Linux, with Microsoft Sentinel. The actual integration is easy, but they generate a lot of data. But with its entire Defender suite, Microsoft is trying to cover everything in Azure and that is a really strong point.

Sentinel enables you to ingest data from your entire ecosystem and that is vital, but sometimes it's a bit hard to figure out what data you actually need.

Also, the UEBA is a neat feature.