Devo: How a Self-Taught Chemist Built the Data Engine Defending the U.S. Air Force from Madrid
In the battlefield of cyberspace, where a state-sponsored attacker can compromise credentials and move laterally through a military network in just 18 minutes and 49 seconds, every second of delay in detection can mean the difference between defending critical infrastructure and losing it. Yet for years the cybersecurity industry accepted as normal that its analysis tools took up to 15 minutes to process a simple security log. This is the story of Devo: how a self-taught chemist from Madrid identified that absurd gap in the trenches of a Spanish bank, founded a startup that investors tried to snatch from him, and ended up building the real-time data engine that today protects the networks of the United States Air Force. A journey from the operational suffocation of the financial sector to the status of a $1.9 billion unicorn.
The Origin: A Phishing Attack and an Obsession with Speed

The seed of Devo did not germinate in a Silicon Valley garage, but in the Bankinter crisis room in 2003. Pedro Castillo does not fit the archetype of the conventional tech entrepreneur. A chemistry graduate from the Complutense University of Madrid, he discovered his true vocation by chance when he found a Silicon Graphics computer at his faculty; the fascination it sparked led him to teach himself to program entirely on his own. In the mid-nineties, when the Internet was still the exclusive territory of universities and government agencies, Castillo was already providing advanced IT services to corporations like El Corte Inglés. That early experience culminated in the founding of Webline in 1996, his first cybersecurity company, which opened the doors to the Spanish financial sector. Bankinter, one of the country's most innovative entities, recruited him as its Director of Technology Security. It was precisely in those banking trenches that everything changed.
In 2003, a sophisticated phishing attack hit Bankinter. Castillo and his team ran into a paralyzing obstacle: the tools of the time could not ingest and correlate the massive volumes of data generated by servers, firewalls, and network traffic fast enough to stop the attack before the fraud was completed. Existing solutions imposed an impossible choice: pay exorbitant costs to store everything, or filter the data and create "blind spots" that attackers would inevitably exploit. Obsessed with unlocking the value of raw data, Castillo left his comfortable executive position and founded Logtrust in Madrid in 2011. His philosophy was radical: while other startups ran to conferences and the press, he and his team entrenched themselves in software development, building a database engine from scratch. A product, in his own words, "absolutely differential."
The Technological Revolution: HyperStream and Zero Latency

Why did Devo manage to unseat giants like Splunk in multiple tenders? The answer lies in a radical re-engineering of security data processing. The industry standard, dominated by Splunk, relied on index-on-ingest: data had to be analyzed, normalized, and structured into a massive index before being stored. This design created three critical weaknesses:

- Lethal delay: In high-volume environments, events took more than 15 minutes to become available to the analyst.
- Resource contention: Reading and writing the index shared CPU, degrading performance just when speed was most urgent.
- Prohibitive costs: Maintaining petabyte indexes forced managers to create "blind spots," leaving up to a third of their systems unmonitored.
Devo completely discarded traditional indexing and built HyperStream, a proprietary streaming analysis technology based on the opposite principles:

- Ingestion without normalization: Data is stored in its original format. The platform applies the schema at query time (schema-on-read), not when the data is saved.
- Immutable micro-indexes: Instead of a global index, HyperStream creates a daily micro-index per data source that, once generated, is never rewritten. Result: 10:1 compression and massive parallelization.
- Zero latency: Telemetry is available for alerts and searches the exact millisecond it hits the disk.

The convergence of these innovations allowed for an unprecedented achievement: keeping 400 days of data "always hot," queryable in sub-seconds. While competitors archived old data in cold, unqueryable storage, a forensic analyst with Devo could investigate an intrusion from a year ago with the same speed as if it had happened five minutes ago.
Trial by Fire: Defending the U.S. Air Force Networks

The definitive validation of HyperStream came in July 2020, when Devo won a $9.5 million contract with the United States Air Force to deploy its technology as the central SIEM of the Enterprise Cyber Defense program. The situation was critical: cyber squadrons were operating with a SIEM dating from 1999 that aggregated up to 70 disconnected applications, generating more than 8 million daily alerts with no automated correlation capability. The military "12N12" initiative demanded consolidating that chaos into 12 functional tools in 12 months. The results of the Devo deployment were transformative:

- A unified dashboard that eliminated operational fragmentation.
- More than 20,000 human hours saved in manual threat triage.
- Reorientation of cyber analysts from repetitive tasks toward proactive threat hunting against state actors.