Buyer's Guide
Security Information and Event Management (SIEM)
February 2023
Get our free report covering Splunk, Microsoft, IBM, and other competitors of Sumo Logic Security. Updated: February 2023.
687,256 professionals have used our research since 2012.

Read reviews of Sumo Logic Security alternatives and competitors

Director of World Wide Security Services at Open Text
MSP
True multi-tenancy, flexible, responsive support, and offers real-time search capabilities
Pros and Cons
  • "Devo helps us to unlock the full power of our data because they have more than 450 parsers, which means that we can ingest pretty much any type of log data."
  • "We only use the core functionality and one of the reasons for this is that their security operation center needs improvement."

What is our primary use case?

We create solutions around the Devo platform and sell those solutions to our customers.

I use it as a managed SOC, or "SOC as a Service" for customers. I also use it as our managed detection and response platform, where everything goes back into the data lake for analysis and alerting.

How has it helped my organization?

Devo is very easy for our analysts to use. They have the LINQ language, which is easy, and it's like an Excel on steroids.

Devo provides high-speed search capabilities and real-time analytics, which is important to us because we have built 30-minute SLAs. In reality, our detections are within seconds and we allow for 30 minutes as a buffer to ensure that we are successful for our clients. To this point, we haven't found any type of dataset or data ingestion that has prohibited us from meeting our SLAs.

In the world of cyber, you have to detect things right away. You can't wait hours, days, or weeks. It needs to be detected in an immediate, automatic fashion. Then, with their capabilities to integrate with a SOAR solution, it provides detection and response capability all within seconds, instead of days.

We use Devo more as part of our consultant-based service and the true multi-tenant flexibility, combined with the scalability of AWS, means that we can reach a wide range of customers. For example, we can go outside the United States into the European Union or into the AsiaPac region very seamlessly and very fast, as we're growing our business for managed detection and response in those areas. Just this week alone, we were able to quickly spin up a client in the India region, and we were able to address their concerns and get that spun up very quickly because Devo has that capability already built within AWS. It was approximately a one-day turnaround for us. It's important to us that the product is this nimble, which is in turn because of the AWS architecture.

Devo provides us with 400 days of hot data that we can use to look for historical patterns, which is a key element for us. It means that we can offer our clients different periods for different compliance reasons, such as HIPAA. For the most part, our clients use the 30-day capability but if they are a biotech company then they want to keep data for 180 days. We've had a couple of companies that wanted it for 400 days. The flexibility to keep that hot online is key because they can scale up and scale down at any time they want, and although there is an additional cost to the client, there is no additional infrastructure required. That said, probably 75% of our clients are utilizing the 30-day storage.

This solution gives us better cloud visibility because we're able to ingest any of the cloud logs. We push an EDR agent that then brings all of that telemetry back, and we have correlations with any proxy logs, firewall logs, or authentication logs that we need to have. This gives interoperability between the different log sources. For example, if we see something in an EDR that we want to ensure is connected outbound to something, we can check that through the proxy log and DNS logs that we get from the EDR agent.

This gives us more confidence when it comes to taking action because we'll get that running process, and we are also able to collect the DNS information, which then goes into Devo and we're able to search for it. We can see whether it reached out to this particular URL. What we can do is then go to that proxy server or the firewall log, and just see the outbound traffic and validate it is the same session size or same connection time. This acts as a dual authentication to show that what we saw in the EDR was what we saw on the network as well.

Devo helps us to unlock the full power of our data because they have more than 450 parsers, which means that we can ingest pretty much any type of log data. If we need to, we can go to the Devo professional services and have a log parser created within 48 hours. Any log that we need to ingest or want to ingest or the customer has compliance reasons to ingest, we can. This gives us the flexibility to bring in the core logs that we really need to do our detections or to manage the SOC, together with any other logs that we need to bring in for either correlation purposes or compliance purposes. There's really no type of log that we can't bring in.

This solution saves us a lot of time, although I don't have a before and after to compare because this is the first solution of this type that we implemented. I know of similar solutions in use at other companies that have problems doing what we do, but I don't have a baseline that I can use to calculate time savings.

What is most valuable?

We really use the core feature, which is log management. We bring in and ingest all of the different log sources for our customers and then run our TTPs (Tactics, Techniques, and Procedures) against these for threat detection.

I find the true multi-tenancy to be very valuable. We are able to put all of our detection rules onto our master tenant, and then run those to our sub-tenants when we're looking for all of the detections and alerts. It's essentially the core capability with the kind of vertical app for all of our TTPs that run across our different subdomains.

A big selling point to me is the multi-tenancy. First, we give permission to our clients to log into their domain, and second, we can run different analysis detection rules on different domains, depending on their business vertical. Some of our clients are in the aerospace industry and some are in biotech. They have different concerns than other domains do, so we can write TTPs or detection rules specifically for them because of the multi-tenancy. It doesn't conflict with everybody else. It's not a one size fits all approach, so the multi-tenancy feature is a very key attribute of why we went forward with Devo.

What needs improvement?

We only use the core functionality and one of the reasons for this is that their security operation center needs improvement. It's great for folks that don't really understand advanced detections but for people like us, and other businesses out there that have advanced detections, that becomes problematic and we don't use it.

The detection capabilities and their vertical app capability should be enhanced.

For how long have I used the solution?

I have been working with Devo for two years.

What do I think about the stability of the solution?

This is a very stable solution. We have an uptime of 99.85% from an SLA perspective, and they've never gone below that.

What do I think about the scalability of the solution?

As scalability is tied to AWS, this is a very scalable product. This means that we are able to quickly and easily offer our service in other regions, outside of the United States.

The scalability is a positive point when we're talking to the larger customers. It helps that Devo does not index everything but a lot of it has to do with AWS.

We have a couple of hundred customers and each customer has a few users that access it. At each client site, there are between two and five users that have access to it.

Our plan is to increase our usage. In fact, my company is doubling down on our MDR solution, and the main core of it is Devo. Even at this point, Devo is well-utilized. I expect that in 2022, everyone in the company will be focused on it.

We have 15,000 employees and 300 product lines, and we're looking to make sense of anything that is an opportunity for cross-selling.

How are customer service and support?

Technical support is very good.

We're somewhat like partners of Devo, meaning they'll refer customers to us to manage their environment. They are definitely an ally to our business. We have pretty advanced knowledge of the product, so whenever we really need something, we file a ticket just like everybody else does, but it's usually pretty advanced. This means that we're usually dealing with the professional services folks and we have a really good relationship with them.

Overall, support is very responsive and they take care of any problem that we have pretty quickly.

Which solution did I use previously and why did I switch?

This is the first solution of this type that we implemented.

At other companies, where my teams have come from, it has been very challenging to do the same tasks that we're able to do inside of Devo with other platforms. This is either because they have to index everything, whereas Devo doesn't, or because they don't have a true multi-tenancy. Perhaps they have to bounce between different systems, or because they don't have certain capabilities when it gets above 10 terabytes of data. For instance, at that point, it becomes very problematic to run searches because they'll fail or they'll time out.

The products that my teams were familiar with were Splunk, Sumo Logic, and LogRhythm. 

How was the initial setup?

The initial setup was pretty straightforward. Their documentation is really good and we send it to our customers. It is very precise on exactly what you need to do and how you need to deploy the relay.

We deploy this solution on almost a weekly basis, and it can be done within hours.

Our implementation strategy maximizes ease of use for our customers. We have everything come into one or two forwarding points, then create the certification and push it out to the client. We created an executable that makes it seamless for the client and once that connects, the data flows right into the SIEM. It's the same thing with the relay, which is the other way to get data into the SIEM. The relay is very lightweight, running on VMware Ubuntu. 

What about the implementation team?

Our in-house team is responsible for deployment.

Each customer is assigned a project manager, and usually, each project manager has 35 customers. My other staff includes a technical project manager, a SOC analyst, and a threat hunter.

What was our ROI?

I have seen a return on investment, and without disclosing figures, I can put it in terms of capabilities. This product allows us to scale up the way we need to, without any additional costs, or there's already a fixed cost with that. This is key for us.

We can bring in any size of customer, from the smallest client to the largest company. Also, I have been able to bake in the pricing model to adjust to the margin that I need for a specific customer.

What's my experience with pricing, setup cost, and licensing?

The pricing is very straightforward and they charge per gigabyte. There are no "gotchas" when it comes to pricing. There's no re-ingestion or exfiltration of it.

With respect to retention, it's what you need it to be. They can scale up and scale down and everything is pretty straightforward. Pricewise, I can't think of any things that I wish I would've known ahead of time.

Pricing is based on the number of gigabytes of ingestion by volume, and it's on a 30-day average. If you go over one day, that's not a big deal as long as the average is what you expected it to be.

The fact that the vendor only charges for ingestion is something that I have been able to use in my practice, and I've built pricing models around that. I think that's probably one of the only ways that they can do it from a SIEM perspective. But, from an MSP perspective, because everyone's looking for per-endpoint pricing, it becomes challenging. It means that we have to use some fuzzy math to come up with something that makes sense such that data ingestion equals endpoint pricing.

Which other solutions did I evaluate?

We evaluated Splunk and LogRhythm. Splunk had great analytics but at that time, two or three years ago, their cloud wasn't as developed as it is now. Also, pricing was another major issue.

I do know that Splunk is a lot more challenging when it comes to threat hunting. You have to know the queries to be able to write in the Splunk query language, and it's a little bit more challenging, whereas Devo seemed to be a little bit easier.

Devo is very much like Excel, where you open up a window and hit data search. So, the workflow for threat hunting was very good and it was seamless. They had a lot of good breadcrumbs and it had a good workflow as it related to threat hunting or threat detection.

From a log parser perspective, Devo is able to ingest more data when compared to other solutions. By default, we can ingest any log source that we need to with Devo. With Splunk, at least when we did our evaluation, that was a little bit less on the scalability, and then LogRhythm, we really had a challenge with.

What other advice do I have?

The vendor has exceeded our expectations in terms of being responsive to some of the things that we want to do. We're always trying to push the envelope and try to be creative with vertical apps. They've gone out of their way to help us in this regard. Whenever I call them, they definitely respond to me, and this is outside of the regular ticketing system. The good thing is that I very rarely need to call them.

My advice for anybody who is implementing Devo is to have an understanding of the log sources that you want to ingest and make sure that they comply with your budget. This is true for any SIEM. It is important to recognize that you're getting charged based on ingestion volume because a lot of people don't realize that. If you have logs that aren't necessary to your business, I would not ingest them because it's just going to increase your budget.

The biggest lesson that I have learned from using Devo is that the benefit of having different log sources is that we can get to the truth faster. It allows us to validate our findings in a shorter period of time, which has been invaluable.

I would rate this solution a nine out of ten.

Which deployment model are you using for this solution?

Public Cloud

If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?

Amazon Web Services (AWS)
Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
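The cross-check the reviewer describes (an EDR DNS answer for a running process validated against the proxy log for the same host, destination and time window, with the session size available for comparison) can be written as a small correlation routine. This is an added example, not code from Devo, PeerSpot or the reviewer; the EDR and proxy log formats, field names, hostnames, IPs and the byte threshold are all constructed for illustration and are not any vendor's schema.

```python
"""Correlate EDR DNS telemetry with proxy logs to confirm an outbound connection.

Added example: log formats and field names below are constructed assumptions,
not Devo's parsers or any EDR/proxy vendor's real schema.
"""
from datetime import datetime, timedelta

TS_FMT = "%Y-%m-%dT%H:%M:%SZ"

# Constructed EDR telemetry: a process on a host resolved a name to an IP.
EDR_LINES = [
    "ts=2023-02-10T09:15:02Z host=ws-017 pid=4120 image=updater.exe event=dns qname=cdn.example.test answer=203.0.113.25",
    "ts=2023-02-10T09:15:03Z host=ws-017 pid=4120 image=updater.exe event=dns qname=api.example.test answer=198.51.100.7",
    "ts=2023-02-10T09:40:00Z host=ws-022 pid=7781 image=notepad.exe event=dns qname=docs.example.test answer=192.0.2.80",
]

# Constructed proxy access log: timestamp, client host, destination, method, bytes sent.
PROXY_LINES = [
    "2023-02-10T09:15:04Z ws-017 203.0.113.25:443 CONNECT bytes_out=58214",
    "2023-02-10T09:15:05Z ws-017 198.51.100.7:443 CONNECT bytes_out=1320",
    "2023-02-10T11:02:11Z ws-022 192.0.2.80:443 CONNECT bytes_out=910",
]


def parse_edr(line):
    """Parse a key=value EDR record into a dict with a datetime timestamp."""
    fields = dict(kv.split("=", 1) for kv in line.split())
    fields["ts"] = datetime.strptime(fields["ts"], TS_FMT)
    fields["pid"] = int(fields["pid"])
    return fields


def parse_proxy(line):
    """Parse a space-separated proxy access-log line."""
    ts, host, dst, method, bytes_out = line.split()
    return {
        "ts": datetime.strptime(ts, TS_FMT),
        "host": host,
        "dst_ip": dst.rsplit(":", 1)[0],
        "method": method,
        "bytes_out": int(bytes_out.split("=", 1)[1]),
    }


def correlate(edr_lines, proxy_lines, window_seconds=60, large_bytes=50_000):
    """Match each EDR DNS answer to a proxy connection from the same host to the
    resolved IP within `window_seconds` after the lookup.

    Returns (confirmed, unconfirmed): confirmed entries carry the process that
    made the lookup plus the proxy-side session size, so an analyst sees the
    endpoint and network views of the same connection side by side; unconfirmed
    entries are lookups with no matching proxy session in the window.
    """
    proxies = [parse_proxy(l) for l in proxy_lines]
    window = timedelta(seconds=window_seconds)
    confirmed, unconfirmed = [], []
    for e in (parse_edr(l) for l in edr_lines):
        if e.get("event") != "dns":
            continue
        matched = False
        for p in proxies:
            delta = p["ts"] - e["ts"]
            if p["host"] == e["host"] and p["dst_ip"] == e["answer"] and timedelta(0) <= delta <= window:
                confirmed.append({
                    "host": e["host"],
                    "image": e["image"],
                    "pid": e["pid"],
                    "qname": e["qname"],
                    "dst_ip": p["dst_ip"],
                    "lag_seconds": int(delta.total_seconds()),
                    "bytes_out": p["bytes_out"],
                    # Flag sessions whose size is worth a closer look (constructed threshold).
                    "large_transfer": p["bytes_out"] >= large_bytes,
                })
                matched = True
        if not matched:
            unconfirmed.append({"host": e["host"], "image": e["image"], "qname": e["qname"], "answer": e["answer"]})
    return confirmed, unconfirmed


if __name__ == "__main__":
    confirmed, unconfirmed = correlate(EDR_LINES, PROXY_LINES)
    for c in confirmed:
        print("CONFIRMED", c)
    for u in unconfirmed:
        print("NO PROXY MATCH", u)
```

The window is deliberately one-directional (proxy timestamp at or after the DNS answer), since a connection cannot precede the resolution it depends on; clock skew between the EDR agent and the proxy is the usual reason a genuine match lands outside the window, so the size of `window_seconds` should reflect the measured skew between those sources.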
IT Project Manager at Orange España
Real User
Top 5 Leaderboard
Enables us to predict future threats with AI, machine learning, and automated security
Pros and Cons
  • "The AI capability is one of the main features of the solution because I believe that in the market, there are few solutions that are providing security solutions based on AI and machine learning."
  • "Sentinel's reporting is complex and can be more user-friendly."

What is our primary use case?

We use Microsoft Sentinel to manage events and automate security. Sentinel is unique in that its AI capabilities help it predict security threats and provide results based on those threats. This allows us to manage all of our automated security in one place.

How has it helped my organization?

We have many applications running on the cloud, which are mainly in the financial domain. The transactions and user data are very important to us. We're adapting Sentinel and other Microsoft solutions for security, which helps us provide an end-to-end solution for our devices, operating systems, and networking devices. Microsoft Sentinel helps us prioritize threats across our enterprise.

Security is always a top priority for our organization and for other organizations as well. In terms of financial applications and tools, the security concern is high. Microsoft Sentinel gives us a positive return on investment. Sentinel's flexibility and peace of mind provide the freedom that exceeds expectations.

The solution enables us to ingest data from our entire ecosystem, as well as from SQL, other Microsoft solutions, and SQL databases on the cloud.

The ingestion of data is important for our security. Currently, the ingestion of data is complex because it comes in real-time. Scanning data in real-time is crucial because it affects the speed, performance, and optimization of our data. However, the data is fully optimized.

The solution's built-in AI capabilities enable us to investigate threats and respond holistically from one place.

The ability to investigate threats and respond from one place is very important for us. Sentinel regularly scans the logs and notifies us of any security threats. If this threat is for the application or system, we can take immediate action using Sentinel.

We can create automated SOAR responses to any level of our incidents, or undiscovered, or any simple or more complex data sources so that we can easily configure our policies and easily configure all our Sentinel processes. The SOAR capability gives us flexibility.

If we use cloud-based applications, we are likely familiar with other cloud allocations. So it's easy to integrate Microsoft's solutions with our existing applications. If we find it more complex and difficult to understand, we can get help from the support team. They are always able to understand our concerns and provide us with relevant help.

We do not have a dedicated human resource for monitoring. Sentinel helps us to accommodate those manual security scanning tasks and all the other tasks from their end. This gives us the flexibility we need by providing us with full reports through notifications and analytic tools.

Sentinel has a unified, centralized XDR dashboard that allows us to monitor all our processes, threats, expected threats, future threats, and more, in a single place. This is a capability of Sentinel, which is fully analytics-based.

The consolidation into one dashboard saves our time, effort, organization times, and costs by eliminating the need to develop dedicated resources for monitoring all tasks. This gives us the flexibility to focus on other areas.

Sentinel's threat intelligence helps prepare us for potential threats. This is the AI-based capability of predicting future threats and providing the best possible solution.

Sentinel has a machine-learning algorithm that predicts security and future threats. This makes Sentinel quite intelligent as compared to other existing defenders. It gives us flexibility overall and eliminates our human efforts. If it wasn't for this feature we might not adopt or deploy the solution because the features and the product capabilities Sentinel provides, apart from the AI-based capabilities, are similar to the tools we are already using.

Microsoft Sentinel has saved us around 35 percent of our overall cost.

We have seen around 25 percent of our time decrease in detection and our time to respond because the AI already predicts security threats and provides analytic reports. We monitor and analyze potential threats to our applications and devices.

What is most valuable?

The AI capability is one of the main features of the solution because I believe that in the market, there are few solutions that are providing security solutions based on AI and machine learning. Sentinel provides the features and capabilities we need at a cost-effective price.

Microsoft Sentinel's visibility into threats is very good, it is very fast, and it is very intelligent because it also gives us the result by scanning online and by scanning our on-premises applications and devices. The AI provides us with the results of threats that are not currently available in the market. This is because the AI is able to predict future threats that may affect our devices or applications.

The UI, analytics, and dashboard are excellent. It was easy to understand, and any non-technical person can easily work with it.

Microsoft Sentinel is a fully-managed service that is easy to enable through a few clicks. The service is cloud-based, so we may need some support from the Microsoft team or online support to integrate all our applications and requested data, but it is not complex.

The Microsoft solutions work natively together to deliver coordinated detection and response across our environment. The feature automatically detects all our network traffic, network volume, and multiple network connections within our on-premises and cloud-based applications. We have some of our on-premises applications running on the private cloud and some applications running on the public cloud. We don't have hybrid-based applications yet. This gives it the flexibility to integrate multiple network connections and provide AI-based results and monitoring so we can easily track networking devices within Sentinel.

Sentinel's maintenance is fully managed by Microsoft. 

What needs improvement?

Sentinel's reporting is complex and can be more user-friendly.

Microsoft's solutions present integration challenges with other non-Microsoft products, such as AWS and GCP, because it is designed for Microsoft-based applications. I would like to see less of a dependency for Sentinel with other Microsoft products.

The notifications on mobile devices need improvements. If we're using our mobile device, sometimes we don't receive notifications. We might miss the most important notifications on our mobile devices. 

For how long have I used the solution?

I have been using the solution for one and a half years.

What do I think about the stability of the solution?

Sentinel is stable now. The AI-based algorithms improve every day. 

What do I think about the scalability of the solution?

Microsoft Sentinel has good scalability.

How are customer service and support?

We generally don't need to approach technical support every time, but there are some cases when we do, for example, if we need help understanding reports or the dashboard. The technical support is good.

How would you rate customer service and support?

Positive

Which solution did I use previously and why did I switch?

We previously used Palo Alto Networks and Splunk Enterprise Security.

How was the initial setup?

I was responsible for the initial setup and deployment of the project, as well as for initial conversations with the vendor and internal teams. The initial setup was quite easy. We are running Sentinel both on the public cloud and the private cloud.

What about the implementation team?

We implemented the solution in-house with the help of Microsoft.

Which other solutions did I evaluate?

We have evaluated Amazon CloudWatch but the integration proved to be challenging and we did not deploy it.

What other advice do I have?

I give the solution a ten out of ten.

We use multiple Microsoft products that we have integrated. Microsoft offers a variety of tools and software, many of which are integrated with Office 365, Dynamics 365, and Microsoft Purview. These integrations provide a wealth of functionality and options for users.

Most security solutions have an accuracy of 98 percent. There are threats, security concerns, ransomware, and malware that they are unable to track and scan. Microsoft Sentinel is also unable to detect all security threats during the scanning time. No solution has the comprehensiveness of providing 100 percent protection.

Microsoft Defender has two features that make it unique: its bi-directional scanning and hand-shaking capability. The bi-directional scanning allows us to scan the system from both the client side and the server side, while the hand-shaking capability ensures that the data is sent and received correctly. Both of the side systems are scanning well and provide the end result we expect. This allows us to easily track where the issue is, whether it is from the server side or the client side.

Sentinel is a good choice for organizations or prospective buyers that are willing to spend a little time on security. Compared to other cloud-based software, Sentinel's AI is very good at predicting future threats.

Which deployment model are you using for this solution?

Private Cloud

If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?

Microsoft Azure
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Senior data engineer at a manufacturing company with 11-50 employees
Real User
Top 20 Leaderboard
Easy to use with good UI and a nice look and feel
Pros and Cons
  • "A non-tech person can easily get used to it."
  • "Maybe they could make it more user-friendly."

What is our primary use case?

We primarily use it for metrics and reports.

What is most valuable?

It's been absolutely brilliant, I would say. It’s so easy to use and the UI and look and feel are great.

A non-tech person can easily get used to it. Obviously, a tech person finds it more useful and more helpful. However, even for analysts, or maybe some business person who just wants to see some metrics or reports, it is also helpful for them. It's pretty easy, quite useful.

The extensiveness of how we can drill down deeply into each and every index, each and every metric, is quite helpful. The drilling down and the detailed processes are aspects that I really like.

What needs improvement?

I couldn't find anything lacking. It's pretty much perfectly put together. From my side, I don't have any notes as of now for any improvements.

Maybe they could make it more user-friendly. Errors should be shown in terms of text.

For how long have I used the solution?

I’ve used the solution for more than two years.

What do I think about the stability of the solution?

The solution is stable. There are no bugs or glitches. Its performance is good and it is reliable. It doesn’t crash or freeze.

What do I think about the scalability of the solution?

We have 600 to 700 people using the solution currently. It's mainly for the engineering department; for example, back-end engineering uses it a lot.

You can scale it up to as much as you need. They have their hard limit of one billion records, as an example; however, if you want to scale it, you can scale it quickly. There is no external effort you need to put in.

We likely won’t increase usage. We are pretty much okay with the users and the older system we have right now. We are already using it extensively for our alerting and reporting systems and everything.

How are customer service and support?

Technical support is fantastic. They are happy to come on a Zoom call, or a required Teams call, or whatever. They can help you one-on-one. They have chat support systems, yet they are happy to get on the call at any time. I really appreciate their effort in that sense.

Which solution did I use previously and why did I switch?

Before this, we were using Sumo Logic. It's in line with Coralogix; however, Coralogix is much better than them. They have more options and the UI is also easy to use.

How was the initial setup?

The initial setup was straightforward. They have their own dedicated person who will help you if you need any help. The support team has their chat system as well. They have their live chat that can help you if you need them. It's pretty easy to use. You just have to install one agent, and then it's pretty smooth from there.

The deployment itself hardly took a couple of hours.

What about the implementation team?

They have their own team; if you need their help, they can help you.

What's my experience with pricing, setup cost, and licensing?

I'm more often on the technical side. Licensing is done by the business team and then the legal team. I don't have any idea what the costs are.

What other advice do I have?

We are just end users.

I'm using the latest version of the product. They recently made changes in their UI almost six months ago. I'm using the latest version only.

Its deployment is basically through third-party services. They have their own setup. They will create your account, and then you go there.

I’d recommend the solution to others. It'll be definitely easier for debugging, error tracking, reporting, and all those other tasks. It will definitely help.

I’d rate the solution nine out of ten.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
Technical Lead at a wholesaler/distributor with 1,001-5,000 employees
Real User
Great dashboards, easy to tweak, and showcases helpful metrics
Pros and Cons
  • "The ease of correcting these dashboards and widgets when needed is amazing."
  • "The parallel editing of the dashboards should not cause users to lose the work of another person."

What is our primary use case?

We use Datadog for observability and monitoring primarily. Various cross-functional teams have built various dashboards, including Developers, QA, DevOps, and SRE. 

There are also some dashboards created for senior leadership to keep tabs on day-to-day activities like cost, scale, issues, etc.

Also, we've set up monitors and alarms that kick off when any metrics go beyond the threshold. With Slack and PagerDuty integration, correct team members get alerted and react to solve the issue based on various runbooks.

How has it helped my organization?

Using Datadog metrics has helped the organization a lot in many manners. With one centralized monitoring place, it's a lot less effort to keep track of the system and applications' health. 

Using this also helps teams be proactive in dealing with any issues before they get escalated by customers. 

Lastly, having so many integrations makes the DevOps and SRE's lives a lot easier when automating the detection and resolution of any issues hidden in the system or applications. Overall, it has helped a lot.

What is most valuable?

My favorite feature is creating dashboards as that empowers me to sleep calmly at night and not to keep watch on critical system metrics. Be it DB metrics or computer-related metrics, it's always easy to view them. 

The ease of correcting these dashboards and widgets when needed is amazing. 

The only issue I face is when more than one person is editing these dashboards simultaneously, one or the other sometimes loses their work. That said, they will resolve that soon. With the variety of widgets, it's so easy to plot the data in a timely manner, and that makes monitoring a lot easier.

What needs improvement?

The solution can be improved in a few areas. 

The parallel editing of the dashboards should not cause users to lose the work of another person. 

Secondly, we would like to see more demos of tools that are in beta version, when they come live. I am sure they will help us a lot.

For how long have I used the solution?

I've been using the solution for slightly over two years.

What do I think about the stability of the solution?

I find the solution to be very stable.

What do I think about the scalability of the solution?

I totally love it. It is scalable. 

Which solution did I use previously and why did I switch?

We previously used Sumo Logic.

How was the initial setup?

The initial setup is not so difficult.

What about the implementation team?

We implemented the solution in-house.

What was our ROI?

The ROI is very fair so far.

What's my experience with pricing, setup cost, and licensing?

I can't recommend the licensing.

Which other solutions did I evaluate?

I was not involved in any pre-evaluation process.

Which deployment model are you using for this solution?

Hybrid Cloud
Disclosure: I am a real user, and this review is based on my own experience and opinions.