IT Central Station is now PeerSpot: Here's why

Devo Valuable Features

Elizabeth Manemann - PeerSpot reviewer
Cyber Security Engineer at H&R Block, Inc.

We are using some of the other components, such as Relay, which is used to help us ship logs to Devo.

The most valuable feature is definitely the ability that Devo has to ingest data. From the previous SIEM that I came from and helped my company administer, it really was the type of system where data was parsed on ingest. This meant that if you didn't build the parser efficiently or correctly, sometimes that would bring the system to its knees. You'd have a backlog of processing the logs as it was ingesting them.

One thing that I love about Devo is that you can accept the data in a raw format. It's not going to try to parse it until you query it. This makes it really flexible for us because if the analysts come to us and explain that they need a specific log source, we can just work on the whole transportation system, insofar as how to get it to Devo. We don't have to worry about parsing it out until later. We can actually see the data in the platform and then we can use the queries to perform contextualization on it, parsing out whatever metadata we need.

I really like the flexibility that the queries offer to parse out the data. Parsing out JSON logs, for example, is very easy. You don't have to mess with regex. It's literally just a point-and-click interface. So that has been incredible. I would say overall in a nutshell, one of my favorite parts is that they really have captured the essence of sending us all your data. You don't have to worry about how to parse it. You can get the data onboard and then you can perform transformations on it later. And the transformations that you can perform on it are super flexible.

Devo definitely provides high-speed search capabilities and real-time analytics. The search can be a little bit slow at times. But for the amount of data that we're pulling back relatively speaking, I would say that the speed is very nice. The ability to pull back large amounts of data, also the amount of data that they keep hot and searchable for us is incredible. I would definitely say that they provide real-time analytics and searching.

I have heard from other customers that the multi-tenancy capabilities are pretty good, but I don't have much experience with that in the HR Block though.

View full review »
JerryH - PeerSpot reviewer
Director at a computer software company with 1,001-5,000 employees

So far, the most valuable features are the ease of use and the ease of deployment. We're very early in the process. They've got some nice ways to customize the tool and some nice, out-of-the-box dashboards that are helpful and provide insight, particularly related to security operations.

The UI is 

  • clean
  • easy to use
  • intuitive. 

They've put a lot of work into the UI. There are a few areas they could probably improve, but they've done a really good job of making it easy to use. For us to get engagement from our engineering teams, it needs to be an easy tool to use and I think they've gone a long way to doing that.

The real-time analytics of security-related data are super. There are a lot of data feeds going into it and it's very quick at pulling up and correlating the data and showing you what's going on in your infrastructure. It's fast. The way that their architecture and technology works, they've really focused on the speed of query results and making sure that we can do what we need to do quickly. Devo is pulling back information in a fast fashion, based on real-time events.

The fact that the real-time analytics are immediately available for query after ingest is super-critical in what we do. We're a transportation management company and we provide a SaaS. We need to be able to analyze logs and understand what's going on in our ecosystem in a very close to real-time way, if not in real time, because we're considered critical infrastructure. And that's not only from a security standpoint, but even from an engineering standpoint. There are things going on in our vehicles, inside of our trucks, and inside of our platform. We need to understand what's going on, very quickly, and to respond to it very rapidly.

Also, the integration of threat intelligence data provides context to an investigation. We've got a lot of data feeds that come in and Devo has its own. They have a partnership with Palo Alto, which is our primary security provider. All of that threat information and intel is very good. We know it's very good. We have a lot of confidence that that information is going to be timely and it's going to be relevant. We're very confident that the threat and intel pieces are right on the money. And it's definitely providing insights. We've already used it to shore up a couple of things in our ecosystem, just based on the proof of concept.

The solution’s multi-tenant, cloud-native architecture doesn't really affect our operations, but it gives us a lot of options for splitting things up by business area or different functional groups, as needed. It's pretty simple and straightforward to do so. You can implement those types of things after the fact. It doesn't really impact us too much. We're trying to do everything inside of one tenant, and we don't expose anything to our customers.

We haven't used the solution's Activeboards too much yet. We're in the process of building some of those out. We'll be building dashboards and customized dashboards and Activeboards based on what those tools are doing in Splunk. Devo's going to help us out with our ProServe to make sure that we do that right, and do it quickly.

Based on what I've seen, its Activeboards align nicely with what we need to see. The visual analytics are nice. There's a lot of customization that you can do inside the tool. It really gives you a clean view of what's going on from both interfaces and topology standpoints. We were able to get network topology on some log events, right out of the gate. The visualization and analytics are insightful, to say the least, and they're accurate, which is really good. It's not only the visualization, but it's also the ability to use the API to pull information out. We do a lot of customization in our backend operations and service management platforms, and being able to pull those logs back in and do something with them quickly is also very beneficial.

The customization helps because you can map it into your business requirements. Everybody's business requirements are different when it comes to security and the risks they're willing to take and what they need to do as a result. From a security analyst standpoint, Devo's workflow allows you to customize, in a granular way, what is relevant for your business. Once you get to that point where you've customized it to what you really need to see, that's where there's a lot of value-add for our analysts and our manager of security.

View full review »
Security Analyst at a comms service provider with 10,001+ employees

The speed of the platform is one of its most valuable features. The solution is designed differently so it doesn't really matter how far back you go, the speed's going to be the same.

We use its real-time analytics, which are very good. It sends alerts; we have some alerts that update every five minutes, or whenever the data comes in. It's really fast. We can work on really large data sets and have a resolution in minutes for these alerts. It's great. It's not actual, real-time because there is some delay before the logs come from the data collectors. But that's not a problem with the Devo platform. It's just how logs travel around here.

The user interface is really modern. As an end-user, there are a lot of possibilities to tailor the platform to your needs, and that can be done without needing much support from Devo. It's really flexible and modular. The UI is very clean. It makes sense for me, personally, the way it's set up.

The UI also has these little perks. For example, if you do queries and you set a certain time range which you need to reuse in different queries, instead of having to type it in every time there is quick access to all the time ranges you have been using. You can just pick the one you need, instead of typing in, say, January 22nd, 2020, from 15:35 to 15:45. You have quick access to whatever ranges you have already put in. I reuse these a lot and it saves a lot of time.

Another UI feature is that it does a type of pre-aggregation and pre-processing for you. Whenever you hover over certain parameters that can be filtered or adjusted, you get an overview of the top 10 values, with the percentages as well. Sometimes you just want to know what the ratio is between different sources. You don't have to do anything to get that. You just hover your mouse over where you would start setting it up and you can actually see the values right away.

It's full of these little surprises. It has something called CyberChef which is a really rich tool for manipulating IT-related data, IP addresses, encoding, and the like. CyberChef is an open-source tool that I sometimes use through its web interface. But you can actually use it directly in the Devo tool, so that's another big bonus. It looks like Devo thought, "Okay, people who use our platform may use this tool as well. It's open-source, so we'll just include it." It's integrated, creating an interface between them.

And one of the biggest features of the UI is that you see the actual code of what you're doing in the graphical user interface, in a little window on the side. Whatever you're doing, you see the code, what's happening. And you can really quickly switch between using the GUI and using the code. That's really useful too.

Activeboards is another really good feature. With them, you can actually see the code as well. It's really powerful. Sometimes with this type of software, there is a similar dashboard feature, but you're very limited in what you can do with it in the graphical user interface. And if you reach its limits, you have to call the vendor and let the vendor do it. But here, you can see the code. So if you want to go deeper, or if there's some feature that is not reachable with the GUI, you can write it yourself. The documentation is really good, so it's quite easy to do.

Activeboards' ability to build and modify dashboards on the fly is also powerful. We came to Devo from a different solution and, obviously, the users didn't want to change the way they use the platform. They required a certain workflow that is not in Devo. With Activeboards, we can recreate the exact workflow they are used to, without any difficulty. That makes it very easy for the user to switch to Devo. That's the power of the Activeboards. You can really change a lot of things. It's very modular.

View full review »
Buyer's Guide
June 2022
Learn what your peers think about Devo. Get advice and tips from experienced pros sharing their opinions. Updated: June 2022.
609,272 professionals have used our research since 2012.
Chris Bates - PeerSpot reviewer
CISO at a computer software company with 501-1,000 employees

I like their query language and I like their speed. 

Ultimately what it comes down to for us is, "Can we write advanced queries that bind the different data sets together?" and that is what we're doing. We're able to do things like see an event, this IP or its DNS name here, and then search all our other log streams to also find it there, and then take data from there and search throughout other types of things.

View full review »
Jordan Mauriello - PeerSpot reviewer
SVP of Managed Security at CRITICALSTART

The ability to have high performance, high-speed search capability is incredibly important for us. When it comes to doing security analysis, you don't want to be sitting around waiting to get data back while an attacker is sitting on a network, actively attacking it. You need to be able to answer questions quickly. If I see an indicator of attack, I need to be able to rapidly pivot and find data, then analyze it and find more data to answer more questions. You need to be able to do that quickly. If I'm sitting around just waiting to get my first response, then it ends up moving too slow to keep up with the attacker. Devo's speed and performance allows us to query in real-time and keep up with what is actually happening on the network, then respond effectively to events.

The solution’s real-time analytics of security-related data does incredibly well. I think all the SIEM solutions have struggled to be truly real-time, because there are events that happen out in systems and on a network. However, when I look at its overall performance and correlation capabilities, and its ability to then analyze that data rapidly, it has given us performance, which is exceptional.

It is incredibly important in security that the real-time analytics are immediately available for query after ingest. One of the most important things that we have to worry about is attacker dwell time, e.g., how long is an attacker allowed to sit on a system after it is compromised and discover more data, then compromise more systems on a network or expand what they currently have. For us, having the ability to do real-time analytics essentially drives down attacker dwell time because we're able to move quickly and respond more effectively. Therefore, we are able to stop the attacker sooner during the attack lifecycle and before it becomes a problem.

The solution speed is excellent for us, especially in regards to attacker dwell time and the speed that we're able to both discover and analyze data as well as respond to it. The fact that the solution is high performance from a query perspective is very important for us.

Another valuable feature would be detection capability. The ability to write high quality detection rules to do correlation in an advanced manner that really works effectively for us. Sometimes, the correlation in certain engines can be hampered by performance, but it also can be affected by an inability to do certain types of queries or correlate certain types of data together. The flexibility and power of Devo has given us the ability to do better detection, so we have better detection capabilities overall.

The UI is very good. They have an implementation of CyberChef, which is very good for security analysts. It allows us to manipulate, transform, and enrich data for analytics in a very fast, effective manner. The query UI is something that most people who have worked with SIEM platforms will be very used to utilizing. It is very similar to things that they've seen before. Therefore, it's not going to take them a long time to learn their way around the platform.

The pieces of the Activeboards that are built into SecOps have been very good and helpful for us.

They have high performance and high-speed search as well as the ability to pivot quickly. These are the things that they do well.

View full review »
KevinGolas - PeerSpot reviewer
Director of World Wide Security Services at Open Text

We really use the core feature, which is log management. We bring in and ingest all of the different log sources for our customers and then run our TTPs (Tactics, Techniques, and Procedures) against these for threat detection.

I find the true multi-tenancy to be very valuable. We are able to put all of our detection rules onto our master tenant, and then run those to our sub-tenants when we're looking for all of the detections and alerts. It's essentially the core capability with the kind of vertical app for all of our TTPs that run across our different subdomains.

A big selling point to me is the multi-tenancy. First, we give permission to our clients to log into their domain, and second, we can run different analysis detection rules on different domains, depending on their business vertical. Some of our clients are in the aerospace industry and some are in biotech. They have different concerns than other domains do, so we can write TTPs or detection rules specifically for them because of the multi-tenancy. It doesn't conflict with everybody else. It's not a one size fits all approach, so the multi-tenancy feature is a very key attribute of why we went forward with Devo.

View full review »
Product Director at a insurance company with 10,001+ employees

It provides multi-tenant, cloud-native architecture. Both of those were important aspects for us. A cloud-native solution was not something that was negotiable. We wanted a cloud-native solution. The multi-tenant aspect was not a requirement for us, as long as it allowed us to do things the way we want to do them. We are a global company though, and we need to be able to segregate data by segments, by use cases, and by geographical areas, for data residency and the like.

Usability-wise, Devo is much better than what we had before and is well-positioned compared to the other tools that we looked at. Obviously, it's a new UI for our group and there are some things that, upon implementing it, we found were a little bit less usable than we had thought, but they are working to improve on those things with us.

As for the 400 days of hot data, we have not yet had the system for long enough to take advantage of that. We've only had it in production for a few months. But it's certainly a useful feature to have and we plan to use machine learning, long-term trends, and analytics; all the good features that add to the SIEM functionality. If it weren't for the 400 days of data, we would have had to store that data, and in some cases for even longer than 400 days. As a financial institution, we are usually bound by regulatory requirements. Sometimes it's a year's worth of data. Sometimes it's three years or seven years, depending on the kind of data. So having 400 days of retention of data, out-of-the-box, is huge because there is a cost to retention.

Those 400 days of hot data mean that people can look for trends and at what happened in the past. And they can not only do so from a security point of view, but even for operational use cases. In the past, our operational norm was to keep live data for only 30 days. Our users were constantly asking us for at least 90 days, and we really couldn't even do that. That's one reason that having 400 days of live data is pretty huge. As our users start to use it and adopt this system, we expect people to be able to do those long-term analytics.

View full review »
Gabe Martinez - PeerSpot reviewer
CEO at Analytica 42

Devo’s UI, high-speed search, and analytic capabilities.

The UI ease of use for analysts is very good. We love it. The UI really gives you two ways to work with the data. First, the UI lets junior analysts work through and understand the data. They can interact with the data, perform all kinds of built-in enrichments and/or functions using the intuitive, user-friendly UI.  Second, every UI interaction builds the actual query syntax being used along the way.  Devo’s query code editor gets updated with the query that the user is building via the UI.  Once the user gets comfortable with the query language, which is LINQ, they can continue to use the UI or simply choose to use LINQ directly.   It goes the other way too, you can also start with LINQ and if you get stuck on syntax, you can just leverage the UI and it will update the query you started from. Very nice.

Another nice capability is if some ingested data is nested inside a field that you need for your use case, you can easily parse it out in-line and make the data inside the field usable immediately! You can even go back historically and further process data that has been ingested already.  For Analytica42, the ability to build parsers easily without reliance on Devo Engineers really helps us support all our end customers who might be ingesting that same data source.

On high-speed search capabilities and real-time analytics, it’s one thing to ingest data as quickly as possible, it’s another to query and use that data. We have seen this problem historically in SIEMs where you can ingest data but aren’t really able to query and retrieve that data which makes it kind of pointless. Devo does both quite well.

Finally, you can then take any query you build and easily create alerts and detections that can alert your security team, SOC, and/or drive tools like a SOAR to do response.

View full review »
Art Faccio - PeerSpot reviewer
Director Cyber Threat Intelligence at IGT

It's very intuitive. The interface is extremely useful. You can perform many functions from one page. In other tools that we looked at, you'd have to toggle back and forth between screens and you'd have to exit one menu and copy and paste things into another section. With Devo you can do everything using drop-downs. It's very user-friendly when creating queries and dynamic lists. You can modify the interface to look the way you want with columns and sorting. It's very well thought out.

It provides high-speed search capabilities and near real-time analytics. These things are extremely important. 

It's also very easy to pull data into it from various log sources, even if they're custom homegrown apps. The parsers are also very easy to use.

View full review »
CEO at a tech vendor with 1,001-5,000 employees

Ease of use: Even if it's a relatively technical tool or platform, it's very intuitive and graphical. It's very appealing in terms of the user interface. The UI has a graphical interface with the raw data in a table. The table can be as big as you want it, depending on your use case. You can easily get a report combining your data, along with calculations and graphical dashboards. You don't need a lot of training, because the UI is relatively very intuitive.

We find the solution’s Activeboards and widgets to be understandable and flexible. Before the summer, we are looking to expand the ability for people to do their own dashboards and variations off-the-shelf.

It performs well. There is a lot of telemetry in our case, and it is cybersecurity. The telemetry is integrated with a lot of data. You need to look at it in real-time because if you are under attack, then you need to see that immediately: What's going on, where it's coming from, where is the zero patient, etc. This is all the while that you're conducting threat detection. The performance is amazing.

The solution’s real-time analytics of security-related data works well for us. It's a module that we buy from the Devo platform and have as a vertical for the customization of our sessions and alerting. It's great for us to know that they will be taking care of our customers. We don't touch it and are very satisfied.

View full review »
Dennis Pope - PeerSpot reviewer
Security Delivery Senior Manager, Cyber Solutions Architect/Engineer at a tech services company with 10,001+ employees

The strength of Devo is not only in that it is pretty intuitive, but it gives you the flexibility and creativity to merge feeds. The prime examples would be using the synthesis or union tables that give you phenomenal capabilities. There is such a disparity in how, say, a network feed or an endpoint feed comes in. They're all over the range, not only in the information they present, but in how that information is categorized. The ability to use a synthesis or union table to combine all those feeds and make heads or tails of what's going on, and link it to go down a thread, is functionality that I hadn't seen before.

It also provides high-speed search capabilities and near real-time analytics. I haven't had any problem with it in those contexts. The high-speed search and near real-time analytics are important to us because when it comes to incident response, we have a certain amount of time to turn these events and incidents around. That's how we're graded. That responsiveness, where it's not waiting on any results, is critical to how we do our jobs and how we stay alive in this game.

And because of the ease of integrating Devo with the SOAR solution, we've created an API for a visualization capability, and that works pretty easily. I'm usually an incident response, content development, threat hunting guy. But I was able to do all this stuff on the back end myself. The way it's set up makes it easy for someone who is not a back-end engineer to go in and set up that kind of integration.

We look for historical patterns and analyze trends with that data. That historical data is critical when putting separate events together and trying to detect a pattern or when looking for a low-and-slow, advanced, persistent threat. Without that reach-back capability, you would just see these one-offs and you would never put that information together. What makes a SIEM work is not only seeing the real-time event feed but being able to reach back and put things together. That's at the core of any SIEM solution.

View full review »
Director of Security Architecture & Engineering at a computer software company with 51-200 employees

The most powerful feature is the way the data is stored and extracted. The data is always stored in its original format and you can normalize the data after it has been stored.

By way of an analogy, if you have ever taken a text file and inserted it into a spreadsheet, the individual fields within that text file now belong in individual cells in the spreadsheet. If a particular set of data should have been in a single cell but was split into two cells, searching for it as a whole becomes difficult. The way Devo stores its data, it never gets separated. It's always stored as original data. The only time it gets split up is on extraction, when I actually need to look at my data. That gives me control over how the data is parsed or normalized. I don't have to worry about data being mangled as it's being collected and that gives me confidence that I always have 100 percent fidelity in my data.

The second most valuable feature is the way the alerting mechanism works. It is a code-based approach. You write your queries like code, with a lot of flexibility and access to internal libraries. Those aspects are not available in Boolean or natural language alerting mechanisms that are used by Devo's competitors.

For example, IBM's QRadar uses natural language and you construct a sentence out of predefined options to create your alerting mechanism. With ArcSight and McAfee you use Boolean logic statements. That restricts what you can actually do with the alerting mechanism. You cannot do sub-selections or complicated math problems. Those approaches are less data-centric and more just simple logic. Devo takes a Big-Data approach, rather than simple logic, when it comes to alerting. That makes it super-duper powerful.

Another important feature for us, as an MSSP, is that it allows us to carve up the data from each individual customer that fits into each individual tenant, and that data funnels up into a single master tenant through which we control everything. It becomes invaluable for customers who still want access to their data and we don't have to worry about them potentially accessing another customer's data.

In addition, Devo has an extremely powerful API that is now allowing us to create third-party integrations with forensic tools. That allows us to use Devo as a Big-Data storage facility. As a result, when Devo fires off an initial alert, our third-party forensic analytics tools can pull up the alert and use Devo's extremely powerful query engine to pull in all the secondary and tertiary metadata right into them. That allows us to track the incident with even more powerful tools.

View full review »
Security Operations Center (SOC) Director at a tech company with 51-200 employees

The most valuable feature is that it has native MSSP capabilities and maintains perfect data separation. It does all of that in a very easy-to-manage cloud-based solution.

And when the Devo Exchange came out, for access to community-driven content, I was one of the first folks who used it. I was part of the advisory board that really pushed to get that product created for them. I'm all about the Devo Exchange. When compared to Devo's peers in the SIEM market, that was the area that they were lacking in: the ability to share types of content. Other platforms have definitive user bases and large external communities that look at how to do different types of alerting, configuring, and threat hunting within their platforms. Because it was relatively new to the market, Devo just didn't have that built up yet. The fact that they have not only built it but have integrated it directly into their product is absolutely fabulous.

The Devo Exchange is literally point-and-click. If you see something you like, you click on it. It tells you whether you have the applicable tables to make that content work. If you do, you can click a button and it automatically installs for you. All you have to do is go in and create any alerting rules that you want associated with it. It's absolutely amazing.

The Exchange has made it much easier for us to deploy new content. We don't have to spend a whole lot of hours cycling through and creating the content ourselves when someone has created similar or exactly the same content that we would be creating. It has shaved 15 to 20 percent off of our deployment times for new alerts, saving us the time that we would have put into building those things.

In addition, there are things in the Exchange that we weren't sure how to do. Once we saw them in the marketplace we pulled them down and they have given us deeper insights into the data that we have.

View full review »
Director of Security at a tech company with 501-1,000 employees

The querying and the log-retention capabilities are pretty powerful. Those provide some of the biggest value-add for us.

We also find their Activeboards, which are their dashboards, useful for just displaying data and seeing historical trends.

We also use their alerting capability to a limited degree, although we don't really have too much invested in alerting yet.

View full review »
IT manager at a tech services company with 1,001-5,000 employees

With Devo, you integrate and run as a fully managed service. We are very interested in the total of severability for IT and the organization all in a one user interface. With Devo, all analysis is done in a graphical user interface. That gives our analysts the confidence to investigate a problem and fix it.

For example, we can have a lot of matrices and trace data in a single user interface. We can eliminate swivel chair analysis among tools for a streamlined workflow that gives us the most direct path to the root course. 

Devo provides great structural data. Its business-rich data set means better, smarter machine learning and this leads to a smarter analysis of anomalies and a stronger predictive analysis.

Devo, unlike other vendors, doesn't charge extra for playbooks and automation. 

It's very, very versatile. 

Service Operations is a tool inside the product. It offers a constant standard with advanced machine learning. The Devo machine learning workbench also enables you to bring in your own custom-built machine learning models. This is very interesting for us.

View full review »
Digital Security VP at a tech services company with 201-500 employees

What we find most valuable is the ability to create complex features in the engine, and to do real-time dashboarding. In traditional BI solutions, you need to wait a lot of time to have the ability to create visualizations with the data and to do searches. With this kind of platform, you have that information in real-time.

Devo, as with almost all of the analytics products, is a product that you need to learn how to use. Fortunately, with just a short training time of perhaps four hours, you can get a lot of power with the tool. Overall, it's pretty easy to use.

View full review »
Buyer's Guide
June 2022
Learn what your peers think about Devo. Get advice and tips from experienced pros sharing their opinions. Updated: June 2022.
609,272 professionals have used our research since 2012.