Enterprises face a number of challenges with legacy security analytics solutions that have failed to keep pace with the volume of machine data being generated and the demands being placed on that data. One of our customers—a top-5 athletic apparel manufacturer and retailer—faced these challenges with its existing Splunk Cloud deployment. Data collection constraints forced by Splunk’s licensing and data retention limits and poor query performance meant the company struggled to improve its threat detection capabilities. By leveraging the Devo cloud-based security analytics solution for its security operations center (SOC), the apparel company was able to move beyond the constraints of its previous solution and significantly improve its security posture.
Challenge
Our customer needed to improve its SOC’s security analytics capabilities to better protect its business and brand.
Solution
The Devo Data Analytics Platform enables our customer to collect and make use of all of its security-relevant data. Devo empowers SOC analysts to hunt for, detect, and investigate indicators of compromise more quickly and respond to security incidents significantly faster.
Results
- 100% of security-relevant data ingested and queryable
- Query times reduced by up to 98%
- Time-to-alert measured in milliseconds
- All users capable of executing queries in real time
- 400 days of data retained, always hot and encrypted
What Devo Enabled
Due to the architectural advantages of Devo, our customer could, for the first time, ingest and retain all of its data, going from 6 to 10 TB/day, currently cresting at more than 50 TB/day. This scaling was possible with no need to re-architect the solution. With just 10 Devo data nodes the customer can support the 50+ TB daily ingest rate while supporting 10x bursts, all while responding to thousands of concurrent queries—without dropping an event or waiting long periods for queries to complete.
Not only is Devo able to exceed the needs of this large enterprise customer, it requires fewer resources to deliver this level of performance, an example of how the Devo no-compromise architecture translates into differentiated capabilities for customers. With these capabilities, our customer is able to address the following use cases:
- Detect DDoS Attacks
- Detect Brute Force Attacks
- Provide Data Loss Protection
- Perform Network Traffic Analysis
- Implement Bot Monitoring
- Analyze IP Traffic
- Enable Malware Detection
- Monitor Threat Activity
Why They Switched
A confluence of issues led the customer to make the switch. The apparel maker’s highly instrumented environment generates more than 50 TB of machine data per day from 100+ data source types. Great demands are placed on this machine data by hundreds of users who extract analytics, from dashboards to ad-hoc queries, as well as by queries generated by applications such as SOAR systems. Our customer was unable to react to and prevent security breaches fast enough with its previous solution.
Missing data
One major issue the company encountered was incomplete query results. Data was missing from queries for a couple of reasons:
- New product rollouts caused very bursty periods in which 2-3 TB of data would be generated in 30 minutes. Not only did this data take hours to appear in the existing solution, but the company also maxed out buffers and dropped data.
- The large deployment meant the company was constantly dealing with indexers going down, which led to incomplete query results being returned—silently, and without warning to the user.
Inflexible and expensive license costs
The company could not collect all of its machine data due to prohibitive licensing costs and a 6 TB/day data cap, forcing operations and security staff to make tradeoffs on the data they could ingest. The apparel company required that its data be retained encrypted and hot for 400 days, increasing costs. Also, during the last contract renewal, Splunk discouraged the customer from storing data for longer than 90 days and was trying to lock the company into a long-term contract—neither tradeoff was acceptable.
Degraded performance
The customer was also disappointed by the performance of built-in alerts, some of which were generated hours after an event condition occurred. The 300 users were straining the previous solution to the point where query performance was degrading, increasing MTTR for security incidents and making threat hunting much more challenging.
Shifting from Splunk to Devo
After the athletic apparel leader migrated to Devo, the differences were stark. Our customer is now able to affordably ingest all its machine data and support all the users and systems requiring access to it—with a significant performance increase and limited data management overhead. Additionally, Devo offers a flexible UI, enabling users to rely on just 31 dashboards, instead of the more than 100 previously needed. Other major benefits included with Devo are:
- 100% of machine data ingested now queryable
- Deployment capable of supporting 10x bursts without dropping an event
- Query times reduced by up to 98%
- Time-to-alert measured in milliseconds
- All users capable of executing queries in real time
- 400 days of data retained, always hot and encrypted