Art Faccio - PeerSpot reviewer
Director Cyber Threat Intelligence at IGT
Featured Review
Real User
Top 5
Makes it easy to see all our network, endpoint, and cloud on one dashboard, instead of having to jump from system to system
Pros and Cons
  • "The user experience [is] well thought out and the workflows are logical. The dashboards are intuitive and highly customizable."
  • "Some third-parties don't have specific API connectors built, so we had to work with Devo to get the logs and parse the data using custom parsers, rather than an out-of-the-box solution."

What is our primary use case?

We use it for monitoring our core set of network devices, our key systems. We're collecting all the log traffic and using it as a platform to correlate and set up alerts to monitor, and looking for any suspicious behavior.

How has it helped my organization?

One of our early use cases is for compliance and we've set up dashboards that pull in the logs that we need. We have formatted it the way we need it to look and when we meet with internal audit we just show them the dashboard and they have all the information that they need. That's one of the early wins that we've had with it.

When it comes to network, endpoint, and cloud visibility, Devo makes it easy to see all of that. It's all on one dashboard, it's all visible. Instead of having to jump from system to system to system, we can see all of our web traffic and we can see endpoint stats, and whether we need to investigate anything. It's very useful. It definitely raises the level of confidence when we need to take action, compared to our last tool. When a forensic investigation moves forward and we have to do a deeper dive, all that data is there. And the integration team that we're working with at Devo is very good at tuning it and showing us what we need. They show us how to extract the relevant pieces and not worry about the less relevant pieces of information.

The solution has saved us time, although we're still in the learning stage. We've only had it in place for three months. I would venture that it's probably saving a few hours a week per analyst, but I expect that to grow as we get better at using it.

What is most valuable?

It's very intuitive. The interface is extremely useful. You can perform many functions from one page. In other tools that we looked at, you'd have to toggle back and forth between screens and you'd have to exit one menu and copy and paste things into another section. With Devo you can do everything using drop-downs. It's very user-friendly when creating queries and dynamic lists. You can modify the interface to look the way you want with columns and sorting. It's very well thought out.

It provides high-speed search capabilities and near real-time analytics. These things are extremely important.

It's also very easy to pull data into it from various log sources, even if they're custom homegrown apps. The parsers are also very easy to use.

What needs improvement?

If all of the connectors for the third parties were there, it would be a solid 10. Everything else about it is right there. It's a newer product, so we knew going in that there would be some growing pains and that some things might not be available because not all third parties would be included.

For how long have I used the solution?

I've been using Devo for about three months.

What do I think about the stability of the solution?

So far, it's been rock-solid. There have been no issues at all.

What do I think about the scalability of the solution?

It should be able to grow as we need it to. It is a SaaS solution, so if we need more data we just purchase more bandwidth.

The size of our environment is about 14,000 users, globally, and about 20,000 endpoints.

How are customer service and technical support?

We haven't had to use their technical support yet. We've only been working with the integration team.

They've been great through the deployment. Obviously, there are going to be little bumps in the road and their team has been very helpful. I've worked with other integration teams that wouldn't even look at the possibility of an issue being at their end until you exhaustively proved that it wasn't at your end. Devo, on the other hand, was very willing to help. They would jump on a call, review the config with us and look through it. They're very willing to spend time and investigate with you; not just push it back on you to double-check everything. They have also pulled in other resources. If the integration engineer didn't know an answer, he would very quickly, usually on the same call or later that day, get another engineer on the phone who was knowledgeable, and we would work through the issue. They're very responsive and it's a very good customer experience. Customer service is very important to them.

Their willingness to go the extra mile and just jump on a call anytime, without having to schedule a call, is an example of where they have exceeded expectations. The project lead would just jump on a call and answer questions anytime.

How was the initial setup?

It was fairly easy to deploy. We had a good deal of on-premises devices where we installed a relay that forwards the log information to the cloud. We also use a large number of SaaS tools. With those it was just a matter of an API connector. Things went very smoothly.

Getting logged in to it and getting logs identified took a week and a half to two weeks.

There were three members of my team involved. One was more focused on getting the collector built and connected, and getting all of our internal log sources forwarding to that. I had two other engineers working on the deployment side, working on rules and carving out the data to send it to specific buckets. Those three are also the ones who take care of maintenance of the solution. We're still in the early stages so we're tweaking things and constantly modifying and figuring out our internal processes.

What about the implementation team?

We used Devo's integration professional services. They worked alongside my team and they have been excellent.

What was our ROI?

So far we've seen ROI from the fact that when the auditor comes in quarterly and looks at it, as happened the other day, they are extremely impressed. The return value is going to be there. It's already starting, where we're creating custom dashboards for various groups to look at their own data. We don't have to provide reports anymore. We just give them the data and they can log in and look at whatever they want in real time.

It's going to be huge as we move further down the road and we learn to better utilize the tool. We have some big plans for it.

What's my experience with pricing, setup cost, and licensing?

Regarding pricing, they were in the ballpark with most of the others we looked at, but one of the things that put them above and beyond is the 400 days of storage. That's big.

They're a newer company so they may have cut better deals, but they were in the ballpark with at least a couple of the other front-runners that we were looking at. Devo is a good value and, given the quality of the product, I would expect to pay more.

The fact that Devo only charges for ingestion works great for us. In some of the other solutions we looked at, depending on what you were doing with the data, extra charges were assessed. If you wanted to pull playbooks in, that was an extra charge. If you wanted to ingest certain types of logs from certain systems, that was an upcharge. In our environment and our business model, the month-to-month fluctuating charges just weren't an option, and many of the other solutions are going down that road. Devo provides good value: "Hey, here's your ingest, here's what you're licensed for, and here's what your annual bill is going to be. And if you go over that, then you true-up the next year." So it is a beneficial model for us.

Overall, with the pricing model, Devo enables us to ingest more data compared to other solutions we evaluated. We don't have to worry about being billed more if we use any additional functionality or that we may have to set a cap on the ingest for the month or the week.

Which other solutions did I evaluate?

The fact that the solution keeps 400 days of hot data to look for historical patterns was extremely important because many of the competitors kept 90 days or maybe six months. We looked at the big choices that most other companies use. And with those competitors, if you wanted the extra data, it would be put into warm or cold storage and to utilize it you'd have to pull it back in.

Another one of Devo's advantages is, as I've mentioned, the user experience. It's well thought out and the workflows are logical. The dashboards are intuitive and highly customizable.

There are a few drawbacks to it. Some third parties don't have specific API connectors built, so we had to work with Devo to get the logs and parse the data using custom parsers, rather than an out-of-the-box solution. Most of our third parties are working on them because it seems that Devo is making some waves in the industry and more and more people are using them. But that has been what we've had to do with three of our third parties that didn't have a connector. Devo had to create one, and, once again, their customer service was great. They just built it for us and it worked.

When it comes to analyst threat-hunting and incident response, because there are so many options, and Devo has the ability to do many things from one screen, the workflow is a lot more organic and natural. That means you can drill down to the level you need to and pull in the data you need from one screen. You don't have to keep moving around in Devo. It's much more configurable and the options are there to pretty much dig as deep as you need, from one screen.

Overall, Devo approached things a little differently and that's why we ended up going with them.

What other advice do I have?

We did a pretty good job of this, but with hindsight it is always something that we could have done better: the planning of the project. So have a good idea of what logs you want to ingest, right out of the gate, and have the necessary internal teams ready to get you what you need. The pre-planning is the most important thing. We had the relay built and functional for getting the data from site to cloud, literally in 20 minutes. If we had been a little better organized on our end, the implementation would have taken one week instead of a week and a half to two weeks.

So the most important piece of advice in a deployment like this is to know your data. Know what you want and make sure your teams, including the IT teams that need to build the virtual machines, are ready to get the hardware in place quickly.

From my point of view, and from what my team has told me, everything is intuitive and user-friendly. From a logistics point of view, everything is well laid out and well thought out.

Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
Dennis Pope - PeerSpot reviewer
Security Delivery Senior Manager, Cyber Solutions Architect/Engineer at a tech services company with 10,001+ employees
Real User
A highly scalable, configurable, and intuitive platform that encourages creativity while delivering on Incident Response requirements
Pros and Cons
  • "The strength of Devo is not only in that it is pretty intuitive, but it gives you the flexibility and creativity to merge feeds. The prime examples would be using the synthesis or union tables that give you phenomenal capabilities... The ability to use a synthesis or union table to combine all those feeds and make heads or tails of what's going on, and link it to go down a thread, is functionality that I hadn't seen before."
  • "An admin who is trying to audit user activity usually cannot go beyond a day in the UI. I would like to have access to pages and pages of that data, going back as far as the storage we have, so I could look at every command or search or deletion or anything that a user has run. As an admin, that would really help. Going back just a day in the UI is not going to help, and that means I have to find a different way to do that."

What is our primary use case?

We're primarily using it to correlate WAN and endpoint activity for our clients. We work with vendors that have endpoint solutions or that control the networks for our clients. We are receiving their feeds, along with some of our other custom deployed equipment, to not only collect endpoint data, but to monitor network activity and correlate it to identify threats, vulnerabilities, attacks, and provide incident response.

How has it helped my organization?

We've integrated Devo with a SOAR solution. We have prioritized the severity of our alerting in Devo and that corresponds directly to automated playbooks that are kicked off in the SOAR. With that SIEM-SOAR solution, we have drastically reduced the number of incidents that our analysts have to work through, and we have improved our time to respond as well as the time to remediate, through that integration.

Devo absolutely saves us time. We brief our project manager and client weekly on the number of man-hours saved just by having this SIEM-SOAR integration. Considering the quantity of data feeds and events and endpoints that we have, we can actually present a funnel chart that shows how many "events" we start with and how many become actual incidents. We then have that calculated into the number of dollars saved. It's phenomenal when you look at it. When we show the people who are in charge of getting funding that we saved this number of man-hours, which correlates to this number of dollars, they're more willing to fight to get that funding for the next fiscal year.

What is most valuable?

The strength of Devo is not only in that it is pretty intuitive, but it gives you the flexibility and creativity to merge feeds. The prime examples would be using the synthesis or union tables that give you phenomenal capabilities. There is such a disparity in how, say, a network feed or an endpoint feed comes in. They're all over the range, not only in the information they present, but in how that information is categorized. The ability to use a synthesis or union table to combine all those feeds and make heads or tails of what's going on, and link it to go down a thread, is functionality that I hadn't seen before.

It also provides high-speed search capabilities and near real-time analytics. I haven't had any problem with it in those contexts. The high-speed search and near real-time analytics are important to us because when it comes to incident response, we have a certain amount of time to turn these events and incidents around. That's how we're graded. That responsiveness, where it's not waiting on any results, is critical to how we do our jobs and how we stay alive in this game.

And because of the ease of integrating Devo with the SOAR solution, we've created an API for a visualization capability, and that works pretty easily. I'm usually an incident response, content development, threat hunting guy. But I was able to do all this stuff on the back end myself. The way it's set up makes it easy for someone who is not a back-end engineer to go in and set up that kind of integration.

We look for historical patterns and analyze trends with that data. That historical data is critical when putting separate events together and trying to detect a pattern or when looking for a low-and-slow, advanced, persistent threat. Without that reach-back capability, you would just see these one-offs and you would never put that information together. What makes a SIEM work is not only seeing the real-time event feed but being able to reach back and put things together. That's at the core of any SIEM solution.

What needs improvement?

We have a list of things that we'd like to see. I have had all my analysts put in suggestions. I've tested a number of solutions through the years, and I've found that companies appreciate that analyst perspective and anything that makes future releases more user-friendly.

The biggest thing we've found, when trying to integrate Devo with the SOAR solution, is the priority or severity rankings. If they could make those a little bit more intuitive that would help. It seems that when we set the priority of an alert, it doesn't always translate, in the back end, the way you would expect. The severities include "very low," "low," "medium," "high," and "very high." Those correlate to numerical value ranges one to three, four to five, six to seven. It's a little confusing. It would help if they made that priority/severity labeling and numerical system match up a little better.

Also, it would help if some of the error messaging could be a little bit more descriptive when you run a query and an error pops up. It would be good to have a log where you could find those, as well.

Another issue is that an admin who is trying to audit user activity usually cannot go beyond a day in the UI. I would like to have access to pages and pages of that data, going back as far as the storage we have, so I could look at every command or search or deletion or anything that a user has run. As an admin, that would really help. Going back just a day in the UI is not going to help, and that means I have to find a different way to do that. That's a big one.

Buyer's Guide
Devo
November 2022
Learn what your peers think about Devo. Get advice and tips from experienced pros sharing their opinions. Updated: November 2022.
653,522 professionals have used our research since 2012.

For how long have I used the solution?

I started looking into it and training on it in August of 2020, so I have been using it for about 16 months.

What do I think about the stability of the solution?

I can count on one hand the number of times it has gone out. It's very stable. A few times we've needed to reboot the stack and that has usually resolved the issue. We're pleased with the solution when it comes to incident response.

What do I think about the scalability of the solution?

It's highly scalable.

How are customer service and support?

I have all the personal numbers of my Devo support guys. I can text them and they usually respond within the hour. It's excellent customer support. I've been in this game for 20 years and you can generally expect someone to get back to you within a business day or two. But if I'm in a pinch, these guys usually respond within an hour.

In terms of being an ally to our business and providing a customer-first approach, they are a highly trusted ally and partner. The success of our solution relies directly on their delivery. We include them in all of our success stories. We consider Devo on par with our company.

How would you rate customer service and support?

Positive

How was the initial setup?

Setting up the solution was pretty complex. Working with the number of external vendors that we had, the way that they would send the information to us, and the fact that they were constantly changing the way that data was being sent, meant we were constantly having to go in and tweak the relay rules. To know what you're doing with the relays, and putting in those rules, takes some homework. Devo was very responsive and worked with us hand in hand, troubleshooting and putting in the parsers and the relay rules to help us get things integrated.

It took six to eight months of that type of work just to get it to work. For our project, the setup was very complex. We had two environments, a lab environment and a live environment and it took that long to get both running. That seems like a lot of time. But we were working with a number of different vendors, and this was the first time any of us had ever done this.

Which other solutions did I evaluate?

I'm a long-time ArcSight and Splunk user. I see Devo as the evolution of both of them. If the capabilities of those two got together and had a baby, it would probably be Devo.

Devo is a definite upgrade from both ArcSight and Splunk, in my experience. It combines some of the best of each and it takes it to another level when it comes to ease of use and how you can expand the capabilities.

Another benefit of Devo is that it enables us to ingest more data compared to other solutions. This project has such a widespread ingestion of so many endpoints and networks.

What other advice do I have?

The ease of use of Devo really depends on whether you've had experience with a SIEM before. If you have, you should be okay. If this is your first time walking into a SIEM, it may be a little bit overwhelming, which is natural for any SIEM.

But it's very easy to pick up and has great documentation. The tutorials that Devo has provided, the upfront user training, and their lab environment are all very helpful. I just sat through a monthly tutorial where they had one of their commercial users come in and speak for 35 minutes on their best-case uses. The support element, combined with the training that they provide upfront, creates a customer experience where you're not flying solo. You have a lot of people to lean on. We use Devo as a service, but I've found that there is so much documentation at my fingertips that I really don't need to reach out to them that often.

Where they have exceeded my expectations is the training element. They're constantly putting out training tidbits and interactive sessions. They don't have to do that but they're holding sessions where they bring in analysts who do straight run-throughs. That's stuff you don't get anywhere else, other than with someone in a SOC environment. Those sessions are invaluable for picking up tips on how to better use the solution.

In terms of Devo providing a multi-tenant cloud-native architecture, if you can switch domains, it does. At this point in the evolution of our architecture, that is not important because we only have one client at this point. But I do see the usefulness of it to separate your domains and your traffic while, at the same time, potentially filing some of that activity or using it for correlation. We're just not at that stage right now.

Which deployment model are you using for this solution?

Private Cloud
Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
Director of Security Architecture & Engineering at a computer software company with 51-200 employees
MSP
Big-Data analytics features allow us to write advanced alerting mechanisms that were not available in other solutions
Pros and Cons
  • "The most powerful feature is the way the data is stored and extracted. The data is always stored in its original format and you can normalize the data after it has been stored."
  • "The overall performance of extraction could be a lot faster, but that's a common problem in this space in general. Also, the stock or default alerting and detecting options could definitely be broader and more all-encompassing. The fact that they're not is why we had to write all our own alerts."

What is our primary use case?

We are an MSSP and we provide security monitoring services for our customers. We also treat ourselves as a customer. That means we use Devo internally for our own services in addition to using it to monitor our customers. The use case varies by customer, but they are all security-related as well as dealing with a little bit of storage retention, depending on the customer's needs.

How has it helped my organization?

Because of the way Devo works, our onboarding time has shrunk by 50 percent at least.

Also, at a high level, Devo's cloud-native SIEM has helped improve visibility into threats with its data analytics. That's very important because, as an MSSP, we need to be able to analyze the data for our customers and spot anomalies. This feature is still relatively new even to Devo, so I cannot say how happy we are with it at the moment; we still haven't taken full advantage of it. But the Big-Data analytics features included with Devo are allowing us to write some advanced alerting mechanisms that were not available to us in the past.

We are also able to ingest data that, in the past, would have been difficult to ingest.

What is most valuable?

The most powerful feature is the way the data is stored and extracted. The data is always stored in its original format and you can normalize the data after it has been stored.

By way of an analogy, if you have ever taken a text file and inserted it into a spreadsheet, the individual fields within that text file now belong in individual cells in the spreadsheet. If a particular set of data should have been in a single cell but was split into two cells, searching for it as a whole becomes difficult. The way Devo stores its data, it never gets separated. It's always stored as original data. The only time it gets split up is on extraction, when I actually need to look at my data. That gives me control over how the data is parsed or normalized. I don't have to worry about data being mangled as it's being collected and that gives me confidence that I always have 100 percent fidelity in my data.

The second most valuable feature is the way the alerting mechanism works. It is a code-based approach. You write your queries like code, with a lot of flexibility and access to internal libraries. Those aspects are not available in Boolean or natural language alerting mechanisms that are used by Devo's competitors.

For example, IBM's QRadar uses natural language and you construct a sentence out of predefined options to create your alerting mechanism. With ArcSight and McAfee you use Boolean logic statements. That restricts what you can actually do with the alerting mechanism. You cannot do sub-selections or complicated math problems. Those approaches are less data-centric and more just simple logic. Devo takes a Big-Data approach, rather than simple logic, when it comes to alerting. That makes it super-duper powerful.

Another important feature for us, as an MSSP, is that it allows us to carve up the data from each individual customer that fits into each individual tenant, and that data funnels up into a single master tenant through which we control everything. It becomes invaluable for customers who still want access to their data and we don't have to worry about them potentially accessing another customer's data.

In addition, Devo has an extremely powerful API that is now allowing us to create third-party integrations with forensic tools. That allows us to use Devo as a Big-Data storage facility. As a result, when Devo fires off an initial alert, our third-party forensic analytics tools can pull up the alert and use Devo's extremely powerful query engine to pull in all the secondary and tertiary metadata right into them. That allows us to track the incident with even more powerful tools.

What needs improvement?

The overall performance of extraction could be a lot faster, but that's a common problem in this space in general.

Also, the stock or default alerting and detecting options could definitely be broader and more all-encompassing. The fact that they're not is why we had to write all our own alerts.

They could also provide more visual dashboards, what they call Activeboards, within their environment. Activeboards enable you to create custom or pre-defined dashboards. In that context, there are a couple of very useful features for us that are not available when I compare them to some of their competitors. They are features that help you quickly analyze data in a visual way. What they have is still pretty decent but they could beef it up a little bit.

For how long have I used the solution?

We onboarded it a little bit over a year ago.

What do I think about the stability of the solution?

In general, any stability issues have not been very impactful. There have been frequent small outages that make things difficult, but we're giving them a little bit of leeway because they're still a growing platform.

What do I think about the scalability of the solution?

It scales really well, at least from our perspective. We don't know if there are any performance issues in the back-end. As I said earlier, it could be faster. But overall, because it's a cloud-based solution, we really don't worry about scaling. We simply onboard a new customer. They go into their own tenant and their data flows up to the management MSSP tenant. We simply size the licensing accordingly, so it's super easy to scale.

How are customer service and support?

Support is pretty good. They're responsive and they usually solve problems relatively well. And if they mess something up, they will actually put professional services people in to solve the problems, if a wide range of issues is involved.

Both our technical and channel-partner relationships have been very good. We meet with them for status calls at least twice a month. They're very good about staying in contact to provide both satisfaction and technical assistance.

How would you rate customer service and support?

Positive

Which solution did I use previously and why did I switch?

We used McAfee ESM on-prem. We switched because it

  • was getting old and not evolving
  • was not cloud-based or cloud-centric
  • had limited correlation engine capabilities compared to Devo
  • was hard to segment customer data
  • required us to host all the hardware in-house.

The list goes on and on and on.

The switch to Devo helped reduce blind spots and had a very good effect on our ability to protect our organization. With the limitations removed on how data is inserted and extracted, we were able to alert on things we were never able to alert on before.

How was the initial setup?

It was not an easy deployment because we're an MSSP. Devo's core content, its alerting and security content, is limited. We have a very wide variety of requirements with a lot of our customers. Unfortunately, most of the content that came with Devo couldn't be used. We had to write a lot of our content from scratch.

We're still learning to crawl with the product because it's insanely powerful, but we were able to see value from it almost instantly. The value became instant because of the granularity with which we could write our content and how powerful the writing of that content was. Because the content that it came with was somewhat limited, we're pretty much writing our own content.

McAfee and Devo co-existed for quite a lot of time in our environment because we needed to make sure Devo was stable before we could cut McAfee off. In fact, some customers are still on it.

There is a bit of a learning curve with Devo because its search language is based on Microsoft LINQ. If you're used to graphic-interface types of SIEMs, like McAfee or LogRhythm or QRadar, where you point-click-drag-drop rather than write your own queries, or you haven't worked with Microsoft LINQ before, there's a learning curve. In addition, Devo has its own "flavors" on top of everything, like its own powerful libraries. If you don't know them there is a bit of a learning curve there as well. All of us are still learning it a year later.

But they do offer both basic and advanced training, and that helps you get started. They also have a pretty advanced Knowledge Base library to help.

What about the implementation team?

Devo's team was involved in the migration and they assisted us quite a bit.

Our experience with them was decent. It wasn't bad. They put in quite a few man-hours helping us create the content and setting up the initial cloud environment. But they misunderstood our overall use case, early on. In the beginning, we were going in the wrong direction for a little bit. Once that was figured out, we were able to get back on track but time was already spent moving in that direction.

But they were very closely involved and helped us scope it out and prep everything. They were instrumental in the migration process.

Which other solutions did I evaluate?

We did a competitive bake-off between Devo, Elastic, and Google.

Google dropped out very early on. They didn't seem to be very forthcoming in the whole process. It turned out their product no longer exists, so that explains why they weren't being very good about the onboarding process. They didn't want to waste anybody's time.

Early on, Elastic was ahead of Devo in our PoC but when it came time to create very advanced security alerting use cases, Elastic was failing to create the advanced alerts we needed. Devo's proof of concept team was able to help us create those advanced use cases. Devo won there. And, price-wise, Devo was the cheapest out of the three in the bake-off.

Between Devo's advanced features, the price, and the longer default retention period of 400 days, compared to Elastic at 90 days, they ticked enough boxes that they won. The retention days were an important aspect because about 90 percent of our customers fall within a 400-day retention range, and that means we don't have to come up with alternative storage solutions and pay extra for them.

Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor. The reviewer's company has a business relationship with this vendor other than being a customer: Partner/MSSP
Security Operations Center (SOC) Director at a tech company with 51-200 employees
Real User
Provides a better, holistic top-down view, helping us see potential gaps in our coverage
Pros and Cons
  • "The most valuable feature is that it has native MSSP capabilities and maintains perfect data separation. It does all of that in a very easy-to-manage cloud-based solution."
  • "The biggest area with room for improvement in Devo is the Security Operations module that just isn't there yet. That goes back to building out how they're going to do content and larger correlation and aggregation of data across multiple things, as well as natively ingesting CTI to create rule sets."

What is our primary use case?

I'm a SOC director for a Fortune 500 company, and we use it as our primary SIEM for our leverage SOC service.

How has it helped my organization?

Devo has streamlined a lot of our processes. We now have the ability to generate content and create alerting, and we can view all of that across a larger plane than we could with our previous tool.

Devo uniquely provides a direct view into the raw data, as opposed to a lot of tools that give you an ingested, parsed, and normalized view. Normalization is great for some things, but there are other things that it's not so great for. Devo allows you to have both simultaneously. You can parse the data and do some normalization but still have all the raw data the way it came from whatever it came from. That allows you to do deeper dives and look directly at what's coming in, versus a representation of what came in.

It also dramatically shortens the amount of time that we spend doing research in the tool. It has taken the average time that one of our analysts spends on an alert from 10 minutes down to roughly five. They're spending half the amount of time doing research because of the way that we are able to set up the data within Devo. And they can use things like Activeboards to provide a lot more context than our previous toolset could.

We're able to find things quicker and more efficiently, and with broader visibility than we had in our previous toolset.

We're also able to take a look at the data a bit more holistically, and that provides us with a better top-down view so that we can better see where there might be gaps in our coverage.

In terms of ingesting data, Devo literally takes anything we throw at it and as much as we're throwing at it. Our ingestion of events has increased by a full one-third compared to ingestion with our previous SIEM. That increase is a result of our increased customer base as well as the increasing number of things that we're ingesting from our customers.

What is most valuable?

The most valuable feature is that it has native MSSP capabilities and maintains perfect data separation. It does all of that in a very easy-to-manage cloud-based solution.

And when the Devo Exchange came out, for access to community-driven content, I was one of the first folks who used it. I was part of the advisory board that really pushed to get that product created for them. I'm all about the Devo Exchange. When compared to Devo's peers in the SIEM market, that was the area that they were lacking in: the ability to share types of content. Other platforms have definitive user bases and large external communities that look at how to do different types of alerting, configuring, and threat hunting within their platforms. Because it was relatively new to the market, Devo just didn't have that built up yet. The fact that they have not only built it but have integrated it directly into their product is absolutely fabulous.

The Devo Exchange is literally point-and-click. If you see something you like, you click on it. It tells you whether you have the applicable tables to make that content work. If you do, you can click a button and it automatically installs for you. All you have to do is go in and create any alerting rules that you want associated with it. It's absolutely amazing.

The Exchange has made it much easier for us to deploy new content. We don't have to spend a whole lot of hours cycling through and creating the content ourselves when someone has created similar or exactly the same content that we would be creating. It has shaved 15 to 20 percent off of our deployment times for new alerts, saving us the time that we would have put into building those things.

In addition, there are things in the Exchange that we weren't sure how to do. Once we saw them in the marketplace we pulled them down and they have given us deeper insights into the data that we have.

What needs improvement?

The biggest area with room for improvement in Devo is the Security Operations module that just isn't there yet. That goes back to building out how they're going to do content and larger correlation and aggregation of data across multiple things, as well as natively ingesting CTI to create rule sets. Exchange has gone a long way to fix some of those gaps, but there's still room for improvement in that area.

For how long have I used the solution?

I've been using Devo since December of 2020.

What do I think about the stability of the solution?

Very early on it had some stability issues, but for the last eight months or so, it's been rock-solid. Even when they have put out notices that there has been an issue, rarely have I ever actually seen that impact our operations. Compared to when we onboarded and where we are now, it is a night-and-day difference.

What do I think about the scalability of the solution?

The solution has been able to scale to whatever we have thrown at it. There have been zero problems scaling.

It is the primary toolset that we have settled on for our leverage service. The core of our service offering is around the solution. It is absolutely important.

How are customer service and support?

The tech support has been absolutely amazing. We have a technical account manager and I can email him anytime and I generally get an answer back within a few hours. Either that or he'll escalate to the appropriate team to get it taken care of for us.

The only drawback is that we have asked for capabilities and, because of where they are in their growth and funding, getting them has been a little slower than what we would have liked.

How would you rate customer service and support?

Positive

Which solution did I use previously and why did I switch?

Our previous solution just wasn't as robust in both processing power and the ability to analyze data.

How was the initial setup?

Migrating to Devo was super simple. Their professional services gave us a lot of assistance, making sure that we had the right parsers in Devo at the platform level. Getting stuff pointed to it was relatively simple.

We essentially dual-fed both our SIEM products for a few months and it was fairly seamless. We did the switch from our previous SIEM into Devo about three months earlier than we had planned, based on how robust we were in Devo at that point.

That ease of migration was definitely important to us. Anytime you migrate from one tool to another, there are significant costs in personnel training and rewriting all of your processes and procedures, because it's a new tool. Devo had a very smooth process with their training platform and the professional services when we first onboarded it. That made it a relatively smooth transition.

We started our proof of concept in December and were live by the beginning of March. That's a really short timeline to get into production with them. We saw return of value almost immediately.

It was relatively simple to get our staff up to speed on the solution. Devo provides an amazing training platform to get them set up on the solution itself, as well as some of the modules within it. Typically folks can go through that and get going in the platform, working as analysts, within a week. And that's for someone with no SIEM background at all. If they have a SIEM background it's even faster.

The learning curve is fairly shallow, especially if you've done SIEM tasks before. It's very much like what you'd expect. It involves a slightly different language than what some other SIEMs use. Azure Sentinel uses "KQL," Devo uses "LINQ," which is very SQL-like. If you have a background in anything remotely related to databases or SIEM, the learning curve is fairly negligible once you understand how Devo works. The training platform does a great job of bringing you up to speed on why Devo is different.

Which other solutions did I evaluate?

We analyzed a bunch of options. Devo was not even one that we had on the map. They put in a response to our request for proposal and, bar none, they outperformed their peers across all of our key requirements. In addition, they had roadmaps for all the things that we wanted to do.

Among the things that were important to us that Devo could provide were its ability to:

  • do true MSSP in the cloud with actual data separation per client
  • give individual clients access to their data, and only their data, based on the way the data is separated
  • give us the ability to do analytics, rule sets, and alerting across all of those environments at one time, which doesn't sound like a huge ask but it's actually monumental.

The ability to have data segregated but still do analytics across multiple data sets is something that's just not really used in a lot of other products. Either everything is mashed into one set of data, and you don't have true separation of that data so you can't, in turn, give customers view sets into that; or it's all separated and you have to do all the work against each silo rather than having a unified view, which is something we have within the Devo platform.

What other advice do I have?

Definitely take a good, hard look and consider it. It's the fast-growing leader in the SIEM field.

Overall, Devo is awesome, but it's got some room to grow. I would like to see better native ingestion of cyber threat intelligence and building out of deeper correlation capabilities. They have some work that they're doing in Flows to do some of that stuff, but it still has room for some additional maturity.

Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
IT Risk Manager at a recreational facilities/services company with 501-1,000 employees
Real User
Features an intuitive UI with robust alerts, although it could be faster
Pros and Cons
  • "The alerting is much better than I anticipated. We don't get as many alerts as I thought we would, but that's nobody's fault, it's just the way it is."
  • "There are some issues from an availability and functionality standpoint, meaning the tool is somewhat slow. There were some slow response periods over the past six to nine months, though it has yet to impact us terribly as we are a relatively small shop. We've noticed it, however, so Devo could improve the responsiveness."

What is our primary use case?

Our primary use case is so we have historical logs in case of an event or if we need to do any troubleshooting.

Our secondary use of Devo is for incident detection; certain logs trigger alerts, so we now have a 24/7 monitoring service that detects and alerts us to incidents. 

How has it helped my organization?

We can ingest virtually any log source, which is much better than our previous solution. We can access those logs more quickly and efficiently, with a better focus on our points of interest.

Cloud log sources were more difficult with our previous solution. Devo isn't wholly worry-free, but it's much more manageable.

With Devo, we don't have disparate multiple log storage solutions; we can do it for the most part with one. The sheer breadth of logs we can ingest is very beneficial.

The solution allows us to ingest much more data; our event volume is around 100 GB. That's ten times the volume we were ingesting before. 

What is most valuable?

The alerting is much better than I anticipated. We don't get as many alerts as I thought we would, but that's nobody's fault, it's just the way it is.

Having at least one year of data was one of our requirements, so 400 days of hot data benefits us. We are used to this capability, as our previous solution offered the same, and we wouldn't have purchased Devo if it didn't provide that.  

What needs improvement?

There are some issues from an availability and functionality standpoint, meaning the tool is somewhat slow. There were some slow response periods over the past six to nine months, though it has yet to impact us terribly as we are a relatively small shop. We've noticed it, however, so Devo could improve the responsiveness.

When we first started implementing the solution, the staff that helped us with the migration and getting it set up seemed very new. The tool could be more mature, which we knew going in, but we were hopeful for quick improvements. We would prefer to be further along than we are in that respect, but 18 months later, we still feel pretty good about adopting Devo.

The price could be more friendly as we pay significantly more than what we were paying before, but it's in line with other solutions on the market.

For how long have I used the solution?

We've used the solution for 18 months. 

What do I think about the stability of the solution?

The solution is relatively stable; I'd rate it eight out of ten here. We heard about somewhat shaky performance from other customers over the last six to nine months, but we were fine.

What do I think about the scalability of the solution?

The solution seems scalable, though we're a small shop, so we're probably not the best to answer that well.

We have 400-450 end users across three locations. 

How are customer service and support?

Once we get a hold of someone and they respond, customer support is fine. It isn't extraordinary, and the escalation process is a little below average for the industry.

How would you rate customer service and support?

Neutral

Which solution did I use previously and why did I switch?

We previously used IBM QRadar, and we switched because it was antiquated. We had difficulty ingesting logs from cloud solutions, which is the direction our organization is moving in. We have several cloud solutions now versus two or three years ago, so the migration to Devo from QRadar was very timely for us in that regard.

QRadar's interface was pretty antiquated. They have updated it now, but we weren't satisfied with it at the time. We also had some support-related issues around updating the solution as it was on-prem. We were coming to a point where we had to update the hardware and software, so it was a good time for us to look for another product.

How was the initial setup?

The initial setup was relatively straightforward. 

In terms of maintenance, I go through every quarter to ensure that each of our log sources is still sending logs to Devo. We were a little disappointed that they didn't have a good way of informing us if a log source stopped sending logs. I appreciate that each source sends on a different frequency, but we should be able to define that frequency and receive a notification of any issues.

What was our ROI?

As is often the case with security solutions, it's hard to measure an ROI because we only need it once an incident occurs. The hope is that we get a return if an incident takes place. Devo is much better than we previously had, but it's also a lot more expensive, so it should be so.

What's my experience with pricing, setup cost, and licensing?

Devo is a hosted or subscription-based solution, whereas before, we purchased QRadar, so we owned it and just had to pay a maintenance fee. We've encountered this with some other products, too, where we went over to subscription-based. Our thought process is that with subscription-based, the provider hosts and maintains the tool, and it's offsite. That comes with some additional fees, but we were able to convince our upper management it was worth the price. We used to pay under 10k a year for maintenance, and now we're paying ten times that. It was a relatively tough sell to our management, but I wonder if we have a choice anymore; this is where the market is.

Which other solutions did I evaluate?

We focused on four solutions: Splunk, AlienVault OSSIM, the incumbent QRadar, and Devo. We narrowed it down pretty quickly to Splunk and Devo, and the latter was a bit cheaper, though less mature. We took a chance and went with Devo.

What other advice do I have?

I rate the solution seven out of ten.

Devo's cloud-native SIEM increased our threat visibility, though we had hoped for a bit higher. Visibility is critical, as we rely upon knowing about security incidents as soon as possible. We expected the solution would provide additional insight, but we're finding it isn't. Devo gives us the historical logs, a fantastic capability we are very happy with. However, the incident and threat detection is not what we had hoped for. Regarding security operations, the tool is different from what we wanted.

Getting our staff up to speed with the solution was right in the middle in terms of difficulty. It wasn't as easy as we had hoped, but it wasn't insurmountable by any stretch of the imagination. Devo provided us with several training sessions, and I wonder how much that helped because our group is very technical. The tool's interface is intuitive, so our staff can find what they need. With regular use, the learning curve is relatively low, but without that, it can take some getting used to, as with any solution. Devo is broad and encompassing, so it requires familiarity to leverage it fully. We don't have dedicated internal staff to manage the solution, so we outsourced the monitoring to an MSP.  

The migration from QRadar to Devo was relatively straightforward and painless; we essentially cut the cord on QRadar, maintained the logs, and moved them over to the new solution. The ease of migration was relatively important; the old solution was antiquated, so we expected any newer tool to be better.

Migrating the bulk of the initial logs took about three months. We got some aspects up and running during a proof of concept while we were still using the old solution. Once we went live, we migrated the POC environment to a production environment, so it was much less stressful than it could have been. 

The Devo team was intimately involved in the migration. They weren't as responsive as we had hoped, and they seemed new and didn't completely understand the product. We received better support on escalation; overall, they were critical to the migration.

Before going down this path, I advise potential customers to document their log sources and what information they need based on their use cases.

Which deployment model are you using for this solution?

Private Cloud

If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?

Microsoft Azure
Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
Director of Security at a tech company with 501-1,000 employees
Real User
Top 20
Gives us one pane of glass to query all our log data, making investigations much more efficient
Pros and Cons
  • "The querying and the log-retention capabilities are pretty powerful. Those provide some of the biggest value-add for us."
  • "Where Devo has room for improvement is the data ingestion and parsing. We tend to have to work with the Devo support team to bring on and ingest new sources of data."

What is our primary use case?

We're mostly using it for log retention and investigations into events or security issues within our environment. We're pumping a lot of the logs from our SaaS tools into it, from tools like Google Workspace (G Suite) and OneLogin and the like. When we have questions or investigations from a security perspective, we go into Devo to help answer them.

How has it helped my organization?

With Devo, we now have a method to investigate things across our platforms. Before Devo, we had to go to individual platforms. For example, if we suspected something was happening, we'd have to go to tool A's logs, and tool B's logs, and tool C's logs. Now all those logs are in one place and we can use one pane of glass to query all of that data. Especially when it comes to security investigations, Devo has made things more efficient.

Previously, an investigation across various logs might have taken an hour for one individual to put together. Now, in Devo, we can do it in minutes, because it's all in one place and we have access to it right away.

And as a result of some of the alerting we've put in, Devo has certainly helped improve visibility into threats. For example, we only have employees in certain parts of the world, and not in that many countries. We put in alerting so that we know if an employee seems to log in from a country we're not based in. That's a red flag. We have other kinds of alerts as well, and that has definitely helped give us more visibility into the overall risk profile for our organization.

What is most valuable?

The querying and the log-retention capabilities are pretty powerful. Those provide some of the biggest value-add for us.

We also find their Activeboards, which are their dashboards, useful for just displaying data and seeing historical trends.

We also use their alerting capability to a limited degree, although we don't really have too much invested in alerting yet.

What needs improvement?

Where Devo has room for improvement is the data ingestion and parsing. We tend to have to work with the Devo support team to bring on and ingest new sources of data. 

I know the Devo Exchange is supposed to make some of that easier, but we've had situations in the past where our data collectors, which are hosted by Devo, have gone down and we've not seen data ingested until we've opened a support ticket with them. 

In general, their data intake process, whether it's how to get new sources in or keep them continuously ingesting, is the biggest area for improvement.

For how long have I used the solution?

I have been using Devo for about a year and a half.

What do I think about the stability of the solution?

It's stable but it's not extremely stable. There have been cases where the ingestion of our log data has stopped, which affects the platform. We've also seen issues where the UI becomes unresponsive, or some of the queries have become really slow. Devo itself is not down a whole lot, but sometimes performance can be a problem. Overall, the stability is okay. It's not the best, but it has not been horrible either.

What do I think about the scalability of the solution?

From a customer's perspective, I just scale in terms of what data tier I want, but everything else is hidden from me.

How are customer service and support?

Their tech support has been great, once we've raised issues with them. They've been pretty responsive and I'm pretty happy with that part.

Whenever we've opened a ticket, especially when it's been high-priority, they've responded fairly quickly. They're certainly friendly and they try to be helpful, within the limits of whatever they can do. They also escalate quickly if it looks like it's not getting to a solution within the purview that they have.

How would you rate customer service and support?

Positive

Which solution did I use previously and why did I switch?

Devo is the first SIEM for us. We didn't have anything before this. We're growing as an organization, and SIEM in general, and Devo in particular, let us scale up our capabilities without having to scale up our manpower.

How was the initial setup?

The complexity comes from getting the data sources ingested. There are some easy ones for common tools like Google or OneLogin or AWS. Getting the logs of those big SaaS tools into Devo was not too difficult. But there are a lot of SaaS tools out there and, especially in the beginning, Devo had to create custom collectors and parsers for us for some of the smaller ones, and that took a while to do.

In terms of getting our staff up to speed on using the solution, on a scale of easy to difficult, it was in the middle. The basic functionality, especially the dashboards and where the data is, is not that difficult. Where the complexity comes in is when it comes to getting value out of that data. There's a query language, called LINQ, which is SQL-like but has quirks that are Devo-specific. That takes some time to learn, but that would probably take time on any platform. Overall, the learning curve is not really easy, but it's not really that difficult either.

What about the implementation team?

Devo certainly helped us deploy it initially.

What was our ROI?

More than anything, we have seen ROI in the amount of time saved during investigations. From that perspective, it has paid for itself. 

Within the first quarter after we started using it, there were incidents that Devo was able to help us quickly assess and investigate. As a tool, it showed its value pretty quickly.

What's my experience with pricing, setup cost, and licensing?

The way Devo prices things is based on the amount of data, and I wish the tiers had more granularity. Maybe at this point they do, but when we first negotiated with them, there were only three or four tiers.

Which other solutions did I evaluate?

We definitely looked at competitors, the standard players in this space: Splunk, LogRhythm, and others. We ended up choosing Devo because of two or three things.

First, as an organization, they were very responsive. The support, even during our PoC and evaluation process, and afterward, was and continues to be phenomenal. We know that they're a smaller company like us, and it felt like they were more attentive to us as customers.

The second factor was the price point. If we had to stand up similarly sized solutions from some of the other vendors, it would be much more expensive.

And one of the biggest reasons we went with Devo was that we're a small security team, and we didn't want to have to manage SIEM infrastructure. Devo meets that requirement for us because it's SaaS. There are other SaaS SIEMs, but Devo seemed like the best. All we had to do was pump logs. With other platforms there are infrastructure aspects, like storage and indexers that you have to worry about. We don't have to do any of that. We just put in the logs that we want, up to a limit, and that's it. It allows us to focus on getting the actual value-add out of the logs, rather than spending a lot of bandwidth managing the infrastructure.

What other advice do I have?

We plan on using the Devo Exchange. It's a pretty new feature. Part of the constraints, for us, has been manpower. Our organization is growing pretty rapidly, and we're working on hiring to keep Devo up to date. We just haven't had the bandwidth to invest more into exploring all the features yet.

Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
IT manager at a tech services company with 1,001-5,000 employees
Real User
Top 10
Versatile, scalable, and has a very useful single user interface
Pros and Cons
  • "It's very, very versatile."
  • "Technical support could be better."

What is our primary use case?

We are primarily using the solution as a cloud observability platform.

Most use cases are related to service operations, not security operations. This is due to the fact that in security operations our company uses Splunk and other platforms. In this case, in my team, we are using Devo for service operations requirements. We correlate across metrics and trace on that data to understand root causes. For example, we'll look at metrics in jobs, time processes, root cause investigations where we have fails, job performance, deals, payments, et cetera. 

What is most valuable?

With Devo, you integrate and run as a fully managed service. We are very interested in total observability for IT and the organization, all in one user interface. With Devo, all analysis is done in a graphical user interface. That gives our analysts the confidence to investigate a problem and fix it.

For example, we can have a lot of metrics and trace data in a single user interface. We can eliminate swivel chair analysis among tools for a streamlined workflow that gives us the most direct path to the root cause.

Devo provides great structural data. Its business-rich data set means better, smarter machine learning and this leads to a smarter analysis of anomalies and a stronger predictive analysis.

Devo, unlike other vendors, doesn't charge extra for playbooks and automation. 

It's very, very versatile. 

Service Operations is a tool inside the product. It offers a constant standard with advanced machine learning. The Devo machine learning workbench also enables you to bring in your own custom-built machine learning models. This is very interesting for us.

What needs improvement?

I need more empowerment in reporting. For example, when I'm using Qlik or Power BI in terms of reporting for the operations teams they also need analytics. They also need to report to the senior management or other teams. The reporting needs to be customized. You can build some widgets in terms of analytics and representations, however, I want to export these dashboards or these widgets in a PDF file. While you can explore everything as a PDF, it's not very complete. I am missing some customization capabilities in order to build a robust, meaningful report.

The initial setup is a little complex.

Technical support could be better.

There do seem to be quite a few bugs within the version we are using.

In the next update, I'd like it if they explained more about the Devo framework. The Devo framework is a tool inside the product. It's a prototype. It is a tool that provides the customer with a map of processes or a workflow, for example, with an HTML application with a front end. My understanding is that each component of this front end attaches data with the queries. It might be customized. I'd like to generally understand this better.

I'd like to understand DevoFlow. Up to now, users could send data to the platform, retrieve it, and enrich it by generating graphs and analytics. However, it's my understanding that Flow provides users the ability to process the data in real-time by defining complex workflows as soon as data arrives in the platform so that you can make analytics in a sequence. I'd like to better understand these new capabilities.

For how long have I used the solution?

I've been working with the solution for one and a half to two years or so.

What do I think about the stability of the solution?

At this moment I consider the solution to be stable. However, I find that I have to perform little fixes throughout a project. There are bugs here and there that I do contend with. I'd prefer to have these fixed as opposed to having to install a whole new version.

What do I think about the scalability of the solution?

In the beginning, there were not more than 20 to 25 users. However, our objective remains to get 100 people on the product. We add them little by little due to the nature of our projects.

In terms of scalability, it's a product well-focused on expansion. As a SaaS, they provide you with more architecture, more machines in terms of performance, et cetera. We're quite happy with its capability to expand.

How are customer service and technical support?

Technical support needs to be more direct. For example, when we submit a ticket, the support team will delegate a task to the operations team, for example, or various other teams. This muddles the transparency. We're unsure as to who is in charge of fixing the problem. I simply want an answer to my problem and I want them to fix it and tell me what is wrong. I don't need to know it was sent here, there, or there. We are not 100% satisfied with the level of service provided to us.

How was the initial setup?

The initial setup was a little bit complex, however, we had great support from the Devo team. We are using the public cloud - not on-premise. They provided us the infrastructure. The complexity was mostly around how to build the VPN securitization, the tunnel, as this tunnel was built by us, not by Devo. We, therefore, had to build a lot of technical tests of communications. This was complex.

With Devo, we have to connect by LLDP protocol. For example, Devo at the beginning shows the users as an email and a password. In our company, we needed to connect this mechanism of access to our own mechanism of the corporation. We had to deal with the protocol of connectivity of users, FSAA, for example. Sometimes this was difficult and we had to make a lot of test connections, et cetera.

There isn't too much maintenance required. Devo provides the product. I have to ensure that the mechanism of communication is stable and in continuous service. Our VPN with the tunnel is our responsibility, while the persistence of data and the performance of searching and data representation is the responsibility of Devo.

What about the implementation team?

Devo assisted us with the implementation process.

What's my experience with pricing, setup cost, and licensing?

Devo, like other vendors, doesn't charge extra for playbooks and automation. That way, you are only paying on the data ingestion side. If you sign a contract, you are able to process as much as 500 gigabytes per day. With this price, you can connect 10 people, 20 people, 18 people, 80 people - it's very good. It's very efficient in terms of the cost of the license.

Depending on if you are ingesting more than you sign up for, you have to pay more. There is potential for extra costs only in this one aspect, and not in the other services, or in other people who connect to the product.

Devo provides you with professional services. Professional services is a way of giving service to clients through consultants. Expert consultants help the customer to design the business case and can show them how to build it. This is an extra option, for people who want to take advantage of their insights.

Which other solutions did I evaluate?

I have done a lot of assessments with Devo against other products such as Elasticsearch, Kibana, Splunk, and Datadog, among others.

What other advice do I have?

We're just customers and end-users.

We are using the most recent version of the product.

We are using Devo in a public cloud with some other web service we have secured with a VPN built in the company so that it's tunnel secured.

I would rate the solution at an eight out of ten. If the solution required fewer fixes and was a bit more flexible, I would rate it higher.

Which deployment model are you using for this solution?

Public Cloud
Disclosure: I am a real user, and this review is based on my own experience and opinions.
PeerSpot user
Digital Security VP at a tech services company with 201-500 employees
Real User
Top 20
Scales well, good support, high-speed search capabilities, and offers good visibility
Pros and Cons
  • "In traditional BI solutions, you need to wait a lot of time to have the ability to create visualizations with the data and to do searches. With this kind of platform, you have that information in real-time."
  • "I would like to have the ability to create more complex dashboards."

What is our primary use case?

We have several use cases for Devo. The first is related to the security center (SOC) operations, and they do the log correlation for Devo security.

We now have fraud use cases and application monitoring use cases, and we're starting to work on some use cases related to business analytics.

How has it helped my organization?

Devo provides us with high-speed search capabilities and real-time analytics, which is the most important thing for us. The reason is that when we need to analyze something, we need to have the information as fast as possible. It needs to be easy to use because if we have a security incident, or an application monitoring incident, we need to find the problem as quickly as possible, and have the ability to fix it.

It is difficult to correlate in terms of security and application monitoring but in terms of fraud, we have the ability to correlate a lot of different log sources to form a picture. This gives us the ability to reduce fraud cases by 40%.

In our environment, we retain some of our logs for 10 years. This is important for us because of regulatory requirements. We have critical information stored that is related to anti-money laundering, and the law requires us to be able to provide it quickly.

Devo provides us with more clarity when it comes to network, endpoint, and cloud visibility. We use it to ingest a lot of the related information. If you need to detect threats, you need to have the ability to find the network connections, and also the cloud-based connections that the threat actor is trying to access. This is the very reason that we are ingesting all of this information.

This solution helps us to release the full potential of our data, which is one of the most important things that we do. By creating the dashboards that work in real-time, we can see how our services are being used and we can monitor our security ecosystem.

Overall, using Devo has saved us time when compared to our previous security solutions. I estimate that it took us 10 times longer to achieve the same thing without Devo.

What is most valuable?

What we find most valuable is the ability to create complex features in the engine, and to do real-time dashboarding. In traditional BI solutions, you need to wait a lot of time to have the ability to create visualizations with the data and to do searches. With this kind of platform, you have that information in real-time.

Devo, as with almost all of the analytics products, is a product that you need to learn how to use. Fortunately, with just a short training time of perhaps four hours, you can get a lot of power with the tool. Overall, it's pretty easy to use.

What needs improvement?

I would like to have the ability to create more complex dashboards.

For how long have I used the solution?

We implemented Devo in 2016 and started using it in production in 2017.

What do I think about the stability of the solution?

Stability-wise, Devo is a good solution.

What do I think about the scalability of the solution?

Scalability is one of the most powerful features. We started with five terabytes and we are now at 30, with almost the same performance. That is pretty scalable.

We have more than 500 users. The roles are security analysts, business users, application developers, and the IT operations team.

We plan to increase our usage in the next couple of years.

How are customer service and support?

The vendor monitors the application and it is quite good. When we were last having a problem, it was solved within two hours.

Devo has a customer-first approach. They are quite open to discussing new features, and they like to be close to the customer to understand any problems that they have.

The support team has exceeded our expectations, in particular, when it came to the implementation. We originally had a four-year plan and in six months, everything was completed. The originally planned work was done, and the work for the next three and a half years was also done.

Which solution did I use previously and why did I switch?

Prior to Devo, we were using QRadar and Elastic. We switched because Devo is more powerful and the scalability is better.

With respect to analyst threat hunting and incident response, you can create a lot of complex dashboards and consequently, it is easier to perform a deep dive. It is really aligned with Splunk in terms of capabilities and usability. Our analysts had data from different solutions to work with and they preferred to use what was coming from Devo.

How was the initial setup?

The initial setup is straightforward. It took approximately one week to deploy.

The Devo implementation team came to our building and installed everything. After that, we moved all of our information, which included creating a copy of all of the logs that we had in the other solutions. Once that was complete, we were able to start working with Devo.

Our implementation strategy was originally part of a four-year plan. However, we finished the full implementation early and the four years were reduced to six months.

What about the implementation team?

Devo professional services assisted us with the implementation.

We have two full-time people in charge of maintenance. This includes tasks like implementing new services, doing correlations, alerts, and management.

What was our ROI?

Devo allows us to ingest more data compared to other solutions, using the same infrastructure. For example, compared to Splunk using the Capacity Planning Tool, Devo can ingest almost double the information in terms of events per second.

What's my experience with pricing, setup cost, and licensing?

Our licensing fees are billed annually and per terabyte. This seems to be the direction that the market is generally going in.

Which other solutions did I evaluate?

We created an alternative business plan that used QRadar and Elastic, and finally, we selected Devo because it was most aligned with our strategy.

Comparing the cost and value of Devo versus these other solutions, I think that it's very efficient. We're getting a lot of power for the cost, which is good.

What other advice do I have?

Devo provides multi-tenant cloud-native architecture but in our organization, I would rate it a six out of ten in terms of importance. The feature is important, although not so much for our specific use case. I don't expect that this will change in the next few years.

I would rate this solution a nine out of ten.

Which deployment model are you using for this solution?

On-premises
Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
PeerSpot user
Buyer's Guide
Download our free Devo Report and get advice and tips from experienced pros sharing their opinions.
Updated: November 2022