
In previous posts, we’ve written about two topics covered in the Devo eBook The Shift Is On, which presents the use case for centralized log management (CLM) in the cloud. First, we looked at the 5 best practices for security logging in the cloud. Next, we delved into the question of when your organization should adopt centralized logging.

In our final installment, let’s examine the five key evaluation criteria for choosing the right CLM solution for your business.

Once you decide to pursue centralized log management, you’ll find several options in the market. How do you choose the best solution for your needs? Following are five key criteria for comparing different CLM solutions so you can determine which one is right for your organization.

What are the data ingest limits? Think about the upper limits of your data ingest needs. Are they consistent over time, or do you have periodic spikes in data at the end of the month, or during the holidays? Make sure you test how a prospective solution performs at the upper limits of your data ingestion needs. A CLM solution that slows to a crawl at peak times, or worse, drops data during peak times, is not the right choice.

What is the solution’s tolerance for change in data sources? How does the CLM handle changes to data sources or format? Sometimes a data format change can negatively affect the ability of the CLM to ingest, parse, and store the data. Does a change in format break or adversely affect data ingestion? Does the CLM discard data that doesn’t fit into the schema?

If digital transformation is a key use case, you may want to consider keeping the raw data intact, since you may need the ability to re-analyze it later. You also need to decide how important the raw data is to your organization. Does the CLM store the data raw, or is the raw data lost after it is parsed and stored? Will you need to go back and re-examine your old data in new ways?

Does the CLM cater to the needs of your users? The visualizations, dashboards, and features should be attuned to the needs of your users. Think about how your security professionals will use the CLM solution every day. What dashboards will they need to see? What are their most common workflows? Make sure you test your prospective CLM solution to see how easy it is (or isn’t) to move through these workflows. And don’t just test use cases for advanced users or power users. Give users of all skill levels some hands-on time with your prospective CLM solution and get their feedback on how intuitive they find it. Test the use cases for your Tier-1 analysts, too.

Remember, the value of the solution will be determined by the number of people who can effectively use it on a daily basis. Be sure to test both common and advanced use cases. Test whether multiple users running simultaneous queries affects system performance. Testing the performance of the entire system as multiple users run concurrent queries is an excellent measure of how the CLM will perform once you deploy it.

Are the solution’s machine-learning capabilities robust enough for your organization? Many solutions claim to offer artificial intelligence (AI) and machine-learning (ML) capabilities—but do they work for your use cases? Test these ML capabilities on your specific needs. In large enterprises, a CLM can collect a vast amount of security-related data. So, having help spotting anomalies, correlating events, and enriching data can take a big load off your analysts. Take the time to explore the ML/AI capabilities and how they can extend the capabilities of your team.

How much control will your team have over alerts and notifications? Most SecOps teams are drowning in alerts. It’s much more critical to receive meaningful alerts and notifications, and to have flexibility in alert policies. Can alerts be suppressed to prevent a flood? Do you have to set static alert thresholds, or can thresholds be dynamic?

Reducing alert noise and fatigue can significantly improve your analysts’ effectiveness. Sit down with analysts of all levels to get their perspectives on what exactly should trigger an alert, how they would resolve it, and the best way to distribute alerts to your team over different times of the day, week, and month. Also consider how alerts integrate with your processes. Do alerts integrate with other solutions your team relies on such as Slack, ServiceNow, and others?

To see the full story of how to deploy CLM the right way for your specific business needs, download the eBook The Shift Is On.
