Devo Valuable Features
We are using some of the other components, such as Relay, which is used to help us ship logs to Devo.
The most valuable feature is definitely the ability that Devo has to ingest data. From the previous SIEM that I came from and helped my company administer, it really was the type of system where data was parsed on ingest. This meant that if you didn't build the parser efficiently or correctly, sometimes that would bring the system to its knees. You'd have a backlog of processing the logs as it was ingesting them.
One thing that I love about Devo is that you can accept the data in a raw format. It's not going to try to parse it until you query it. This makes it really flexible for us because if the analysts come to us and explain that they need a specific log source, we can just work on the whole transportation system, insofar as how to get it to Devo. We don't have to worry about parsing it out until later. We can actually see the data in the platform and then we can use the queries to perform contextualization on it, parsing out whatever metadata we need.
I really like the flexibility that the queries offer to parse out the data. Parsing out JSON logs, for example, is very easy. You don't have to mess with regex. It's literally just a point-and-click interface. So that has been incredible. I would say overall in a nutshell, one of my favorite parts is that they really have captured the essence of sending us all your data. You don't have to worry about how to parse it. You can get the data onboard and then you can perform transformations on it later. And the transformations that you can perform on it are super flexible.
Devo definitely provides high-speed search capabilities and real-time analytics. The search can be a little bit slow at times. But for the amount of data that we're pulling back relatively speaking, I would say that the speed is very nice. The ability to pull back large amounts of data, also the amount of data that they keep hot and searchable for us is incredible. I would definitely say that they provide real-time analytics and searching.
I have heard from other customers that the multi-tenancy capabilities are pretty good, but I don't have much experience with that in the HR Block though.
So far, the most valuable features are the ease of use and the ease of deployment. We're very early in the process. They've got some nice ways to customize the tool and some nice, out-of-the-box dashboards that are helpful and provide insight, particularly related to security operations.
The UI is easy to use.
They've put a lot of work into the UI. There are a few areas they could probably improve, but they've done a really good job of making it easy to use. For us to get engagement from our engineering teams, it needs to be an easy tool to use and I think they've gone a long way to doing that.
The real-time analytics of security-related data are super. There are a lot of data feeds going into it and it's very quick at pulling up and correlating the data and showing you what's going on in your infrastructure. It's fast. The way that their architecture and technology works, they've really focused on the speed of query results and making sure that we can do what we need to do quickly. Devo is pulling back information in a fast fashion, based on real-time events.
The fact that the real-time analytics are immediately available for query after ingest is super-critical in what we do. We're a transportation management company and we provide a SaaS. We need to be able to analyze logs and understand what's going on in our ecosystem in a very close to real-time way, if not in real time, because we're considered critical infrastructure. And that's not only from a security standpoint, but even from an engineering standpoint. There are things going on in our vehicles, inside of our trucks, and inside of our platform. We need to understand what's going on, very quickly, and to respond to it very rapidly.
Also, the integration of threat intelligence data provides context to an investigation. We've got a lot of data feeds that come in and Devo has its own. They have a partnership with Palo Alto, which is our primary security provider. All of that threat information and intel is very good. We know it's very good. We have a lot of confidence that that information is going to be timely and it's going to be relevant. We're very confident that the threat and intel pieces are right on the money. And it's definitely providing insights. We've already used it to shore up a couple of things in our ecosystem, just based on the proof of concept.
The solution’s multi-tenant, cloud-native architecture doesn't really affect our operations, but it gives us a lot of options for splitting things up by business area or different functional groups, as needed. It's pretty simple and straightforward to do so. You can implement those types of things after the fact. It doesn't really impact us too much. We're trying to do everything inside of one tenant, and we don't expose anything to our customers.
We haven't used the solution's Activeboards too much yet. We're in the process of building some of those out. We'll be building dashboards and customized dashboards and Activeboards based on what those tools are doing in Splunk. Devo's going to help us out with our ProServe to make sure that we do that right, and do it quickly.
Based on what I've seen, its Activeboards align nicely with what we need to see. The visual analytics are nice. There's a lot of customization that you can do inside the tool. It really gives you a clean view of what's going on from both interfaces and topology standpoints. We were able to get network topology on some log events, right out of the gate. The visualization and analytics are insightful, to say the least, and they're accurate, which is really good. It's not only the visualization, but it's also the ability to use the API to pull information out. We do a lot of customization in our backend operations and service management platforms, and being able to pull those logs back in and do something with them quickly is also very beneficial.
The customization helps because you can map it into your business requirements. Everybody's business requirements are different when it comes to security and the risks they're willing to take and what they need to do as a result. From a security analyst standpoint, Devo's workflow allows you to customize, in a granular way, what is relevant for your business. Once you get to that point where you've customized it to what you really need to see, that's where there's a lot of value-add for our analysts and our manager of security.
The speed of the platform is one of its most valuable features. The solution is designed differently so it doesn't really matter how far back you go, the speed's going to be the same.
We use its real-time analytics, which are very good. It sends alerts; we have some alerts that update every five minutes, or whenever the data comes in. It's really fast. We can work on really large data sets and have a resolution in minutes for these alerts. It's great. It's not actual, real-time because there is some delay before the logs come from the data collectors. But that's not a problem with the Devo platform. It's just how logs travel around here.
The user interface is really modern. As an end-user, there are a lot of possibilities to tailor the platform to your needs, and that can be done without needing much support from Devo. It's really flexible and modular. The UI is very clean. It makes sense for me, personally, the way it's set up.
The UI also has these little perks. For example, if you do queries and you set a certain time range which you need to reuse in different queries, instead of having to type it in every time there is quick access to all the time ranges you have been using. You can just pick the one you need, instead of typing in, say, January 22nd, 2020, from 15:35 to 15:45. You have quick access to whatever ranges you have already put in. I reuse these a lot and it saves a lot of time.
Another UI feature is that it does a type of pre-aggregation and pre-processing for you. Whenever you hover over certain parameters that can be filtered or adjusted, you get an overview of the top 10 values, with the percentages as well. Sometimes you just want to know what the ratio is between different sources. You don't have to do anything to get that. You just hover your mouse over where you would start setting it up and you can actually see the values right away.
It's full of these little surprises. It has something called CyberChef which is a really rich tool for manipulating IT-related data, IP addresses, encoding, and the like. CyberChef is an open-source tool that I sometimes use through its web interface. But you can actually use it directly in the Devo tool, so that's another big bonus. It looks like Devo thought, "Okay, people who use our platform may use this tool as well. It's open-source, so we'll just include it." It's integrated, creating an interface between them.
And one of the biggest features of the UI is that you see the actual code of what you're doing in the graphical user interface, in a little window on the side. Whatever you're doing, you see the code, what's happening. And you can really quickly switch between using the GUI and using the code. That's really useful too.
Activeboards is another really good feature. With them, you can actually see the code as well. It's really powerful. Sometimes with this type of software, there is a similar dashboard feature, but you're very limited in what you can do with it in the graphical user interface. And if you reach its limits, you have to call the vendor and let the vendor do it. But here, you can see the code. So if you want to go deeper, or if there's some feature that is not reachable with the GUI, you can write it yourself. The documentation is really good, so it's quite easy to do.
Activeboards' ability to build and modify dashboards on the fly is also powerful. We came to Devo from a different solution and, obviously, the users didn't want to change the way they use the platform. They required a certain workflow that is not in Devo. With Activeboards, we can recreate the exact workflow they are used to, without any difficulty. That makes it very easy for the user to switch to Devo. That's the power of the Activeboards. You can really change a lot of things. It's very modular.
I like their query language and I like their speed.
Ultimately what it comes down to for us is, "Can we write advanced queries that bind the different data sets together?" and that is what we're doing. We're able to do things like see an event, this IP or its DNS name here, and then search all our other log streams to also find it there, and then take data from there and search throughout other types of things.
The Activeboards are the most valuable feature. Given multiple different types of unstructured and structured data, we can then build Activeboards that can do queries across all those data sources with one query, being able to visualize the data from multiple different sources. That is probably the most useful thing that we find in Devo.
The visual analytics are extremely easy to understand. You have to learn how the queries need to be built and how to do that in an effective manner, but once you have someone trained in how to do the queries and Activeboards, it's very easy for that person to build them and render the data in whatever manner you need. If I bring in forensic memory analysis, forensic hard drive analysis, and network data, I can point it to specific fields in each of those logs and have it correlated altogether.
The solution is very nice because of the Activeboards that we build out. It's multi-tenant and easy for us to pull the code into other tenants and leverage them for other customers. From an attack perspective, Devo also allows us to scan across multiple tenant environments to see if the same attack is occurring towards multiple different customers. Then, it also keeps their data isolated from each other in compliance conformity. This is a huge factor for us, and one of the reasons why we looked at Devo originally. They were the only ones that we saw who offered that multi-tenant environment.
Devo manages 400 days of hot data, which is obviously great because you have the ability to go back in logs and correlate against things that you've seen. If you have a web attack come in on day 300, you can go back across all the logs with Activeboards and look for that same artifact for almost a year's time. So, it's very effective in what it can do. Depending on the logs themselves, it could be even longer than those 400 days. It just depends on how deep and rich those logs are.
I like the UI. It's simple to use. When you get into the advanced features, once you have some training, it's very easy to toggle around. But, even from a novice standpoint, you can definitely get in there, find information and data that you're looking for, and everything else, which is good.
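The first review on this page describes keeping logs raw at ingest and parsing them only when a query runs, and the review just above describes taking an IP from one event and searching every other log stream for it. The following is an added Python sketch of both ideas; it is not Devo's code or query language, and the store, the three per-source parsers and the sample log lines are all constructed for illustration.

```python
"""Schema-on-read log store: raw lines are kept untouched at ingest, parsed
only when queried, and an indicator can be pivoted across every source."""
import json
import re
from collections import defaultdict

# Constructed sample input (not real data). Each tuple is (source tag, raw line).
# The last line is deliberately truncated JSON so a parse failure is exercised.
RAW_LOGS = [
    ("app", '{"ts": "2024-05-01T10:00:00Z", "src_ip": "10.0.0.5", "user": "alice", "action": "login"}'),
    ("app", '{"ts": "2024-05-01T10:02:00Z", "src_ip": "10.0.0.9", "user": "bob", "action": "login"}'),
    ("sshd", "May  1 10:01:00 host1 sshd[1234]: Accepted password for alice from 10.0.0.5 port 51234 ssh2"),
    ("fw", "2024-05-01T10:01:30Z,ALLOW,10.0.0.5,203.0.113.7,443"),
    ("fw", "2024-05-01T10:03:00Z,DENY,10.0.0.9,198.51.100.2,22"),
    ("app", '{"ts": "2024-05-01T10:04:00Z", "src_ip": "10.0.0.5", "user": "alice"'),
]

SSHD_RE = re.compile(
    r"Accepted (?P<method>\w+) for (?P<user>\S+) from (?P<src_ip>\S+) port (?P<port>\d+)"
)


def parse_app(line):
    """JSON application log: json.loads does the work, no regex needed."""
    try:
        return json.loads(line)
    except json.JSONDecodeError as exc:
        # A malformed line is reported as a record, not dropped, and it can
        # never stall ingestion because this code only runs at query time.
        return {"_parse_error": str(exc)}


def parse_sshd(line):
    """Syslog-style sshd line: extract the accepted-login fields by regex."""
    m = SSHD_RE.search(line)
    if not m:
        return {"_parse_error": "no sshd accept pattern"}
    return m.groupdict()


def parse_fw(line):
    """Hypothetical comma-separated firewall line: ts,action,src,dst,port."""
    fields = line.split(",")
    if len(fields) != 5:
        return {"_parse_error": "expected 5 comma-separated fields"}
    ts, action, src_ip, dst_ip, dst_port = fields
    return {"ts": ts, "action": action, "src_ip": src_ip, "dst_ip": dst_ip, "dst_port": dst_port}


PARSERS = {"app": parse_app, "sshd": parse_sshd, "fw": parse_fw}


class RawLogStore:
    """Ingest stores raw text only; parsing is deferred to query time."""

    def __init__(self):
        self.raw = []  # list of (source, line)

    def ingest(self, source, line):
        # No parser runs here, so a slow or buggy parser cannot build an
        # ingest backlog; the line is kept exactly as received.
        self.raw.append((source, line))

    def query(self, source=None, where=None):
        """Parse on read; `where` is a predicate over the parsed record."""
        out = []
        for src, line in self.raw:
            if source is not None and src != source:
                continue
            rec = PARSERS[src](line)
            rec["_source"] = src
            rec["_raw"] = line  # the original text always travels with the record
            if where is None or where(rec):
                out.append(rec)
        return out

    def pivot(self, value):
        """Find `value` in any parsed field of any source, grouped by source."""
        hits = defaultdict(list)
        for rec in self.query():
            if any(v == value for k, v in rec.items() if not k.startswith("_")):
                hits[rec["_source"]].append(rec)
        return dict(hits)

    def parse_errors(self):
        """Records whose parser failed; useful as a data-quality check."""
        return self.query(where=lambda r: "_parse_error" in r)


def build_store(logs=RAW_LOGS):
    store = RawLogStore()
    for source, line in logs:
        store.ingest(source, line)
    return store


if __name__ == "__main__":
    store = build_store()
    for src, recs in store.pivot("10.0.0.5").items():
        print(f"{src}: {len(recs)} record(s)")
    print("parse errors:", len(store.parse_errors()))
```

The pivot returns one hit per source for the constructed IP, and the truncated JSON line shows up only in `parse_errors()`, so a bad line or a bad parser costs a visible error at query time rather than an ingest backlog.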
The ability to have high performance, high-speed search capability is incredibly important for us. When it comes to doing security analysis, you don't want to be sitting around waiting to get data back while an attacker is sitting on a network, actively attacking it. You need to be able to answer questions quickly. If I see an indicator of attack, I need to be able to rapidly pivot and find data, then analyze it and find more data to answer more questions. You need to be able to do that quickly. If I'm sitting around just waiting to get my first response, then it ends up moving too slow to keep up with the attacker. Devo's speed and performance allow us to query in real-time and keep up with what is actually happening on the network, then respond effectively to events.
The solution’s real-time analytics of security-related data does incredibly well. I think all the SIEM solutions have struggled to be truly real-time, because there are events that happen out in systems and on a network. However, when I look at its overall performance and correlation capabilities, and its ability to then analyze that data rapidly, it has given us performance, which is exceptional.
It is incredibly important in security that the real-time analytics are immediately available for query after ingest. One of the most important things that we have to worry about is attacker dwell time, e.g., how long is an attacker allowed to sit on a system after it is compromised and discover more data, then compromise more systems on a network or expand what they currently have. For us, having the ability to do real-time analytics essentially drives down attacker dwell time because we're able to move quickly and respond more effectively. Therefore, we are able to stop the attacker sooner during the attack lifecycle and before it becomes a problem.
The solution speed is excellent for us, especially in regards to attacker dwell time and the speed that we're able to both discover and analyze data as well as respond to it. The fact that the solution is high performance from a query perspective is very important for us.
Another valuable feature would be detection capability: the ability to write high-quality detection rules to do correlation in an advanced manner that really works effectively for us. Sometimes, the correlation in certain engines can be hampered by performance, but it also can be affected by an inability to do certain types of queries or correlate certain types of data together. The flexibility and power of Devo has given us the ability to do better detection, so we have better detection capabilities overall.
The UI is very good. They have an implementation of CyberChef, which is very good for security analysts. It allows us to manipulate, transform, and enrich data for analytics in a very fast, effective manner. The query UI is something that most people who have worked with SIEM platforms will be very used to utilizing. It is very similar to things that they've seen before. Therefore, it's not going to take them a long time to learn their way around the platform.
The pieces of the Activeboards that are built into SecOps have been very good and helpful for us.
It's very intuitive. The interface is extremely useful. You can perform many functions from one page. In other tools that we looked at, you'd have to toggle back and forth between screens and you'd have to exit one menu and copy and paste things into another section. With Devo you can do everything using drop-downs. It's very user-friendly when creating queries and dynamic lists. You can modify the interface to look the way you want with columns and sorting. It's very well thought out.
It provides high-speed search capabilities and near real-time analytics. These things are extremely important.
It's also very easy to pull data into it from various log sources, even if they're custom homegrown apps. The parsers are also very easy to use.
Ease of use: Even if it's a relatively technical tool or platform, it's very intuitive and graphical. It's very appealing in terms of the user interface. The UI has a graphical interface with the raw data in a table. The table can be as big as you want it, depending on your use case. You can easily get a report combining your data, along with calculations and graphical dashboards. You don't need a lot of training, because the UI is relatively very intuitive.
We find the solution’s Activeboards and widgets to be understandable and flexible. Before the summer, we are looking to expand the ability for people to do their own dashboards and variations off-the-shelf.
It performs well. There is a lot of telemetry in our case, and it is cybersecurity. The telemetry is integrated with a lot of data. You need to look at it in real-time because if you are under attack, then you need to see that immediately: what's going on, where it's coming from, where patient zero is, etc. This is all the while that you're conducting threat detection. The performance is amazing.
The solution’s real-time analytics of security-related data works well for us. It's a module that we buy from the Devo platform and have as a vertical for the customization of our sessions and alerting. It's great for us to know that they will be taking care of our customers. We don't touch it and are very satisfied.
With Devo, you integrate and run as a fully managed service. We are very interested in total observability for IT and the organization, all in one user interface. With Devo, all analysis is done in a graphical user interface. That gives our analysts the confidence to investigate a problem and fix it.
For example, we can have a lot of metrics and trace data in a single user interface. We can eliminate swivel-chair analysis among tools for a streamlined workflow that gives us the most direct path to the root cause.
Devo provides great structural data. Its business-rich data set means better, smarter machine learning and this leads to a smarter analysis of anomalies and a stronger predictive analysis.
Devo, unlike other vendors, doesn't charge extra for playbooks and automation.
It's very, very versatile.
Service Operations is a tool inside the product. It offers a constant standard with advanced machine learning. The Devo machine learning workbench also enables you to bring in your own custom-built machine learning models. This is very interesting for us.