Datadog Cloud SIEM vs McAfee SIEM

Overview of Datadog Cloud SIEM

Datadog Cloud SIEM
Figure 1.0 | Datadog Cloud SIEM dashboard

Datadog entered the SIEM application market with the launch of Datadog Cloud SIEM in 2020. Datadog Cloud SIEM (Security Information and Event Management) is a SaaS-based solution that provides end-to-end security coverage of dynamic, distributed systems. It is part of the Datadog Cloud Security Platform and is designed to provide a single centralized platform for the collection, monitoring, and management of security-related events and log data from across the enterprise. This enables security teams to identify and respond to suspicious behavior patterns more effectively than possible by looking at data from individual systems.

With Datadog Cloud SIEM, you can analyze operational and security logs in real-time regardless of their volume. Developers, security, and operations teams can leverage detailed observability data to accelerate security investigations in a single, unified platform.

Key features and capabilities include: 

  • Observability and security See all of your security data in one place and correlate them with runtime events, application and service logs, and more. Development, security, and operations teams can access the same observability data and drive security investigations in a single, unified platform.
  • Out-of-the-box dashboards The Security Overview dashboard allows you to have a high-level view of your security posture. The IP Investigation and User Investigation dashboards enable users to correlate specific IP addresses and users with security signals, events, and logs, so they can quickly hone in on malicious activity patterns.
  • Out-of-the-box threat detection rules Datadog Cloud SIEM comes equipped with rules that don’t require a query language for widespread attacker techniques and misconfigurations that are mapped to the MITRE ATT&CK framework.
  • Built-in vendor-backed security integrations Built-in security integrations with AWS CloudTrail, Okta, G Suite, and more enable users to ingest additional security data in minutes, which provides deeper context and helps accelerate investigations.

A free personalized demo and a free 14-day-trial with full access to all the features are available on request. After that, the software is generally sold through monthly subscription plans based on hosts, events, or logs.

Overview of McAfee SIEM

Figure 2.0 | McAfee SIEM architecture overview

McAfee is a well-known reputable brand in the IT security space. McAfee’s approach to SIEM is different from the stock. The McAfee SIEM solution isn’t a single product but rather a family of products that bring together input data such as an event, threat, and risk data from several sources. The McAfee SIEM comes with streamlined workflows which allow for more timely and effective incident management, and an optimized user experience for increased flexibility, ease of customization, and faster response to investigations. McAfee has been recognized in the 2021 Gartner Magic Quadrant for Security Information and Event Management (SIEM).

The various components of the McAfee SIEM solution are described as follows:

  • McAfee Event Receiver Collects data and events from security devices, databases, networks, systems, and applications, and normalizes them to identify possible threats.
  • McAfee Log Management Solutions This is made up of McAfee Enterprise Log Search which leverages Elasticsearch to perform high-speed searching across raw data; and McAfee Enterprise Log Manager which collects and stores security events data for future reference.
  • McAfee Advanced Correlation Engine Correlates (or identifies) patterns in the information to identify potential security threats.
  • McAfee Enterprise Security Manager (ESM) This is the foundation of the McAfee SIEM solution portfolio. McAfee ESM ties together all of the data feeds from the various components and enables analysts to investigate and respond to security incidents more effectively.
  • McAfee Data Streaming Bus Facilitates device interconnection and provides a streaming data platform for external integrations.
  • McAfee Global Threat Intelligence (GTI) Delivers a constantly updated, rich threat feed that enables quick identification of attack paths and past interactions with known bad actors to boost threat detection accuracy.
  • McAfee Application Data Monitor Delivers full visibility into the application layer, by examining and analyzing the underlying protocols and the full application session.
  • McAfee Database Event Monitor Provides a complete audit trail of all database activities, including queries, results, authentication activity, and privilege escalations. This data is then normalized, correlated, and analyzed to boost security operations and compliance auditing.

Analyst monitors and identifies threats using dashboards, alarms, watchlists, cases, and reports. Threats are identified with tools such as Data Exchange Layer (DXL), McAfee Advanced Threat Defense, and McAfee Threat Intelligence Exchange (TIE). The McAfee ePolicy Orchestrator is then used to respond to threats immediately and automatically. The McAfee ESM is available as an on-prem appliance, or a cloud-based service called ESM Cloud. A free ESM Cloud trial is available on request.

Datadog Cloud SIEM vs McAfee SIEM: How They Compare

Deployment Model

Just as the name implies, Datadog Cloud SIEM is a cloud-based application for cloud-native environments; which means there are no on-premise system requirements and no installation hassles other than the usual sign-up process using an internet-connected device with a supported browser. However, you’ll be required to install local agents specific to the device or service you wish to monitor for the most part. This deployment makes it ideal for organizations that don’t want to burden themselves with any resource-intensive on-premise SIEM solution.

On the other hand, McAfee offers a flexible deployment option. The McAfee SIEM solution can be deployed all in one or distributed over multiple appliances, including physical and virtual appliances with high-availability options. This gives organizations the flexibility to deploy the solution in a way that best suits their environment and to scale up as the need grows. The McAfee ESM is available in two deployment models: The first is a cloud-based service, called ESM Cloud. This is probably the more accessible option that appeals to most organizations.  The second is the regular on-prem option available as an appliance. McAfee also provides professional services to support your organization’s deployment objectives, accelerate time to protection, and enhance your security investment.

Data Collection and Analytics

Datadog Cloud SIEM collects logs from many different sources into Datadog. All ingested logs are first parsed and normalized (reformatted) for consistency, easy correlation, and analysis. This helps to uncover malicious activities on the network, preventing bad actors from concealing their tracks. Once logs are collected, ingested, and processed, they are available in Log Explorer. Log Explorer is where you can search, enrich, and view alerts on your logs. This makes it easy to search and filter log data across your entire infrastructure for threat detection and investigation.

Similarly, the McAfee ESM uses what it calls “Receivers” as data collectors which can be distributed as needed throughout your network. Valuable data is collected from hundreds of third-party security devices and threat intelligence feeds. The McAfee Global Threat Intelligence (GTI) for example brings in data from more than 100 million McAfee Labs global sensors, offering a constantly updated feed of known malicious IP addresses. The McAfee Enterprise Log Manager also collects and stores logs from various sources which are then parsed and normalized for correlation and analyses to uncover incidents and possible threats and to meet compliance requirements.

Incident/Threat Detection and Mitigation

Datadog detects threats based on rules and creates a security signal. Datadog provides out-of-the-box rules for widespread attacker techniques, mapped to the MITRE ATT&CK framework. Detection rules take full advantage of Datadog’s “Logging without Limits”, which lets you customize what logs you want to index while still ingesting, processing, and archiving everything. Rules apply to the full stream of ingested, parsed, and enriched logs so that you can maximize detection coverage without any of the traditionally associated performance or cost concerns of indexing all of your log data.

On the other hand, McAfee’s SIEM solution detects incidents and threats using a variety of tools such as McAfee Advanced Correlation Engine, McAfee GTI, and others. The McAfee GTI enables organizations to quickly identify attack paths and past interactions with known bad actors and increase threat detection accuracy while reducing response time.

The capabilities of McAfee SIEM can be greatly enhanced by integrating it with McAfee Behavioral Analytics—a dedicated user and entity behavior analytics (UEBA) solution that distills billions of security events down to hundreds of anomalies to produce a handful of prioritized threat leads and allows analysts to discover unusual and high-risk security threats, often unidentifiable by other solutions. The McAfee ePolicy Orchestrator enables faster response. McAfee also works with independent SOAR solution providers such as D3 SOAR which delivers the automation capabilities you need to respond to incidents and cyber threats. The D3 SOAR platform is the first and only platform that combines automation and orchestration with MITRE ATT&CK Intelligence.

Notifications and Alerts

Datadog’s approach to alerts and notifications is based on machine learning (ML), which it calls Watchdog. Watchdog uses ML techniques to identify problems in your infrastructure, applications efficiency, and services, and flag anomalies. Alerts in Datadog are called Monitors. Users can receive alerts using Pagerduty, Slack, and email. These can be based on nearly any metric that Datadog can capture. As a result, every alert is specific, actionable, and contextual—even in large and temporary environments. This unique approach to alerts and notifications makes Datadog stand out and helps to minimize downtime and prevent alert fatigue.

McAfee SIEM notifications and alerts are based on the concept of alarms. Alarms drive actions in response to specific threat events. McAfee ESM allows you to define conditions that trigger alarms and what happens when alarms trigger. Security admins can respond to triggered alarms from the dashboard. Yellow, orange, or red alerts can be generated to notify you of increasing threats against key systems and services. However, there is limited information about receiving alerts on external applications such as email, SMS, Slack, and others. This is where Datadog has an edge.

Compliance and Integration

Instead of generating the usual out-of-the-box reports that most network admins expect, Datadog’s approach to reporting aims to make metrics easily searchable, and it does excellently. Cloud SIEM is fully integrated with all of Datadog’s application and infrastructure monitoring products, which allows users to seamlessly pivot from a potential threat to associated monitoring data to quickly triage security alerts. Datadog’s 500+ integrations let you collect metrics, logs, and traces from your entire stack as well as from your security tools, giving you end-to-end visibility into your environment. Datadog integration with Slack and PagerDuty allows you to automatically loop in relevant teams when a high-severity rule detects a threat. You can also export security signals to collaboration tools like JIRA or ServiceNow.

McAfee SIEM comes with an in-built compliance framework that simplifies audits and governance. The McAfee Advanced Correlation Engine produces audit trails that support investigations and compliance reporting efforts. McAfee ESM offers integration with dozens of complementary incident management and analytics solutions, including McAfee Threat Intelligence Exchange based on endpoint monitoring and McAfee GTI which brings in data from more than 100 million McAfee Labs global sensors.

Licensing and Price Plans

Datadog Cloud SIEM pricing model is per GB of analyzed logs, per month billed annually or on-demand. An analyzed log is a text-based record of activity generated by an operating system, an application, or other sources analyzed to detect potential security threats. Datadog charges for analyzed logs based on the total number of gigabytes ingested and analyzed by the Datadog Cloud SIEM service.

McAfee offers two key forms of licensing: Subscription and Perpetual. Subscription licensing is ideal for customers who prefer renewable annual contracts; while perpetual licensing is ideal for customers who prefer an indefinite software license term, backed by a renewable annual Technical Support agreement to gain entitlement to software maintenance. A more flexible pricing model exists for SIEM VMs, which offers licensing for each device as an eight-core VM. Users can add cores in smaller increments to an existing license.

Choosing Between Datadog Cloud SIEM and McAfee SIEM

Although Datadog is a newcomer in the SIEM market, it has no doubt distinguished itself over the years in the observability space. It is therefore well positioned to meet the security needs of its existing customers and organizations that don’t have dedicated IT personnel to keep tabs on the infrastructure at a granular level. Datadog customers can leverage Datadog Cloud SIEM to aggregate and better analyze events inside their cloud-native applications without looking to third-party SIEM tools. This provides an advantage in terms of cost, implementation, and integration.

Datadog’s ability to support and integrate with more than 500 technologies makes it more versatile and adapted to many different functions, provides deeper context during investigations, and lets you cast a wider net to catch possible security issues. However, the lack of SOAR and UEBA capabilities makes it less effective in responding to modern security challenges.

McAfee SIEM is a globally recognized application managed by a well-known brand in the IT security space. McAfee’s flexible deployment option gives organizations the flexibility to choose the deployment model most suitable for them. McAfee SIEM’s ability to leverage McAfee’s UEBA solution as well as SOAR capabilities from independent providers puts it in a better position to defend against modern security challenges. However, contrary to popular practice, the UEBA and SOAR capabilities are not an in-built feature in the SIEM package, but a separate module in the McAfee security portfolio or a third-party solution. Customers that want to use these powerful features will have to pay more, thereby increasing the total cost of ownership.

Notwithstanding, choosing between Datadog and McAfee shouldn’t be just about which is better. The focus should be on which SIEM solution best meets your business and security needs. Key factors to consider should  include:

  • Is the SIEM solution capable of meeting your organization’s security and compliance requirements?
  • How much native support does the SIEM tool provide for relevant log sources?
  • Does the SIEM solution possess the capabilities of next-generation SIEM functionalities such as SOAR and UEBA?
  • What is the total cost of ownership, is vendor support available in your region, and to what extent?