
Devo vs. Google Chronicle – A side by side SIEM comparison

Compare the advantages and disadvantages of both vendors in terms of architecture, features and pricing to see who comes out on top.

Architecture

Chronicle Architecture

Chronicle uses the Unified Data Model to parse all data. Most GCP data sources use this, but non-GCP data sources do not. If custom application logs or data sources outside GCP are important, then Chronicle may not be the best choice. Chronicle comes with 1 year of hot storage included. Search speed for data older than 90 days is good for standard fields such as IP address and hostname, but custom searches using regex are much slower.

Google Chronicle Architecture

Devo Architecture

Devo’s cloud-native architecture provides a unique method of ingesting and storing data. This enables significant performance benefits in ingest rate, search performance, and data compression. Devo uses a component known as a Relay to aggregate data from sources, tag it, and transmit it via a secure connection. Data from one or more Relays enters an event load balancer before being sent into the Devo Data Node for storage. As Data Nodes scale up, Meta Nodes coordinate searches across multiple Data Nodes.


Platform Benefits and Unique Features

Chronicle Features

Chronicle is still immature, and that fact is most apparent when it comes to usability and workflows. Custom visualizations and dashboards have to be created in Google’s completely separate data visualization tool, Looker. But Looker doesn’t query Chronicle directly; it has to query the BigQuery data lake. And while Google does a good job with detections inside Chronicle, for detailed threat hunting it seems most of that will be done by going to BigQuery directly or through visualizations in Looker. This is a result of the limited number of search types in Chronicle itself. While it is easy and fast to search for IP address, hostname, and a few other things in Chronicle, it is very difficult to do complex multi-field searches. For these kinds of searches, you have to go outside Chronicle. This leads to a lot of swivel-chair analysis, the last thing an analyst wants to do.

Chronicle does have threat intelligence built in, and uses information gathered by Google’s monitoring of threats from the internet. Additionally, Chronicle has integration with VirusTotal for malware detection, but this comes at an extra cost. However, a major shortcoming in Chronicle’s approach to Threat Intel is that you can’t enrich it from any other sources.

Devo Features

Devo makes SOC analysts more effective in many ways. Devo comes integrated with the MISP threat intelligence storage platform. This is operational on day one and doesn’t require any manual setup, scripting or coding. Other threat intelligence platform integrations, including Recorded Future, are also available. Devo also has an incredibly flexible capability for other types of enrichment. You can load any type of data into a table and create a lookup that enriches data in one table from data in another. This robust ability to enrich data in any table from any source includes the ability to add business-specific context to the raw log data collected.

Devo Pricing vs Google Chronicle Pricing

Chronicle Pricing

Chronicle’s pricing model is based either on the number of employees in the customer organization or on the amount of data ingested. Pricing includes a year’s worth of hot data by default. However, since Chronicle has no native dashboard capability, you absolutely need additional GCP products like Looker and BigQuery to do custom dashboards, and these are priced separately. Google also has a SOAR (formerly Siemplify), but this is also priced separately. Finally, other Google products such as VirusTotal and Mandiant professional services used in conjunction with Chronicle are also priced separately.

Devo Pricing

Devo pricing is simple to understand and predict. Devo charges based on data ingestion per day averaged over a month-long period. That price includes all functionality, as well as encrypting data at rest. You receive access to the Security Operations application for SecOps use cases, the Service Operations application for ITOps use cases, and centralized log management for all other needs. There are no extra charges for adding users or dashboards. You receive 400 days of hot searchable storage included in the price. The only add-on option for Devo is to replicate data across availability zones. This pricing model makes Devo the more cost-effective option.

Integrations: Which Platform Integrates Better with Others?

Google Chronicle

Chronicle plays well with anything from the GCP ecosystem, but doesn’t integrate well with anything else. Just as Sentinel uses the ASIM as a schema to parse all data, Chronicle uses its own Unified Data Model, or UDM, as a schema to parse all data. This means the original message format is lost, and anything not parsed into this schema at ingestion time is also permanently lost. Like Microsoft, Google also has its own SOAR and Google isn’t interested in integrating with anything outside of its own ecosystem. This means automating actions outside of the GCP platform is going to be difficult at best.

Devo

Devo is a cloud-agnostic solution, so it works well with most other technologies. Devo has a fully extensible API and can work with the SOAR platform of your choice, regardless of provider. Devo can ingest data from virtually any source, in structured or unstructured formats. Unlike Sentinel and Chronicle, Devo parses data at query time and NOT on ingestion, which preserves the original event in case you want to parse it differently in the future. This also makes Devo the most change-tolerant solution, since changing the data format does not break ingestion.
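To make the parse-at-ingest versus parse-at-query distinction concrete, here is an added, vendor-neutral Python sketch; it is not code from Devo, Google or this page, and the key=value log format, the fixed four-field schema and the sample events are all constructed for illustration. The second event carries an extra field that the fixed schema never anticipated.

```python
import re

# Constructed sample events: the second line adds an "mfa" field that the
# original schema did not anticipate (a format change at the source).
RAW_EVENTS = [
    "ts=2024-01-01T10:00:00Z src=10.0.0.5 user=alice action=login",
    "ts=2024-01-01T10:05:00Z src=10.0.0.9 user=bob action=login mfa=fail",
]

# Hypothetical fixed normalized schema, standing in for a UDM-style model.
SCHEMA_V1 = ("ts", "src", "user", "action")


def parse_kv(line):
    """Simple key=value tokenizer; returns every pair present in the line."""
    return dict(re.findall(r"(\w+)=(\S+)", line))


def ingest_schema_on_write(lines, schema):
    """Normalize into the fixed schema at ingest time and keep nothing else.
    Fields missing from the schema are dropped and cannot be recovered later."""
    store = []
    for line in lines:
        fields = parse_kv(line)
        store.append({k: fields.get(k) for k in schema})
    return store


def ingest_schema_on_read(lines, tag):
    """Store the raw event plus a routing tag; no parsing happens at ingest,
    so a format change at the source cannot break ingestion."""
    return [{"tag": tag, "raw": line} for line in lines]


def query_schema_on_read(store, wanted):
    """Parse at query time with whatever field list is relevant today,
    including fields that did not exist when the data was collected."""
    return [{k: parse_kv(rec["raw"]).get(k) for k in wanted} for rec in store]


def mfa_failures(records):
    """Detection over normalized records: users whose MFA step failed."""
    return [r["user"] for r in records if r.get("mfa") == "fail"]
```

Running the same detection over both stores shows the difference: the schema-on-write store has silently lost the `mfa` field, so the detection finds nothing, while the raw store still yields the failed MFA attempt when parsed at query time.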

Conclusion

Chronicle is cloud native and has scalability, but it is still too immature a product. Many core capabilities such as case management and IR are in the SOAR product that was just recently acquired from Siemplify and are not well integrated into the SIEM. The fact that you have to go outside of Chronicle to other products such as Looker and BigQuery for dashboards, visualizations, and complex searching makes for cumbersome workflows. Significant development work needs to be done to integrate all the other Google solutions together into a comprehensive solution.

For most medium-sized to large buyers with multiple environments (data centers and multiple-cloud environments), Devo is a better choice than Chronicle. Devo delivers the most modern and efficient architecture, offers a rich feature set, and has the more attractive cost model.