Overview of Datadog Cloud SIEM
Datadog entered the SIEM application market with the launch of Datadog Cloud SIEM in 2020. Datadog Cloud SIEM (Security Information and Event Management) is a SaaS-based solution that provides end-to-end security coverage of dynamic, distributed systems. It is part of the Datadog Cloud Security Platform and is designed to provide a single centralized platform for the collection, monitoring, and management of security-related events and log data from across the enterprise. This enables security teams to identify and respond to suspicious behavior patterns more effectively than possible by looking at data from individual systems.
With Datadog Cloud SIEM, you can analyze operational and security logs in real-time, regardless of their volume. Developers, security, and operations teams can leverage detailed observability data to accelerate security investigations in a single, unified platform.
Key features and capabilities include:
- Observability and security See all of your security data in one place, and correlate them with runtime events, application and service logs, and more. Development, security, and operations teams can access the same observability data and drive security investigations in a single, unified platform.
- Out-of-the-box dashboards The Security Overview dashboard allows you to have a high-level view of your security posture. The IP Investigation and User Investigation dashboards enable users to correlate specific IP addresses and users with security signals, events, and logs, so they can quickly hone in on malicious activity patterns.
- Out-of-the-box threat detection rules Datadog Cloud SIEM comes equipped with out-of-the-box threat detection rules that don’t require a query language for widespread attacker techniques and misconfigurations that are mapped to the MITRE ATT&CK framework.
- Built-in vendor-backed security integrations Built-in security integrations with AWS CloudTrail, Okta, G Suite, and more enable users to ingest additional security data in minutes, which provides deeper context and helps accelerate investigations.
A free personalized demo and a free 14-day-trial with full access to all the features are available on request. After that, the software is generally sold through monthly subscription plans based on hosts, events, or logs.
Overview of LogRhythm SIEM
LogRhythm is a U.S-based security intelligence company that specializes in SIEM, log management, security analytics, and network and endpoint monitoring. The LogRhythm SIEM is a mature market-leading next-generation SIEM tool that helps organizations defend against modern security threats. The solution provides security teams with deep visibility into enterprise-wide security data and actionable insight into the most critical threats. It identifies suspicious behaviors based on correlation rules once a security threat is detected.
LogRhythm brings together log management, machine learning, user and entity behavior analytics (UEBA), network traffic and behavior analytics (NTBA), and security orchestration automation and response (SOAR) into a single platform. In 2019, LogRhythm released a cloud-based version of the SIEM Platform, LogRhythm Cloud, to provide a Software as a Service (SaaS). This allows LogRhythm SIEM to be deployed on-premises, in the IaaS of your choice, or through your managed security service provider. LogRhythm has been a Leader in Gartner’s Magic Quadrant for SIEM since 2012 to date.
Key features and capabilities include:
- Detects threats earlier and faster Identify threats, automate and collaborate on investigations, and remediate threats with agility.
- Gain visibility across your environment Eliminate blind spots across your entire enterprise that other vendor solutions miss—from endpoints to the cloud.
- Built-in analytics Analyzes network, endpoint, asset, user, risk, and threat data to uncover known and unknown threats.
- Effective response Get more meaningful alerts with context for enabling faster, more effective decision-making and automated response with an action to resolve the issue.
- Next-generation SIEM capabilities Combines log management, machine learning, UEBA, NTBA, and SOAR into a single platform.
- Artificial Intelligence (AI) Engine AI Engine delivers real-time visibility to risks, threats, and critical operations issues.
- Third-party and cloud integrations Out-of-the-box integration with 950+ third-party technologies, including REST and SOAP APIs to speed data ingestion.
- Flexible deployment options LogRhythm SIEM is available for on-premises and cloud environments, or through MSPs.
- Geolocation capabilities LogRhythm provides automated geographic context around any event, with fully interactive network visualization and relationship mapping.
Datadog Cloud SIEM vs LogRhythm SIEM: How They Compare
Deployment Model
Just as the name implies, Datadog Cloud SIEM is a cloud-based application for cloud-native environments; which means there are no on-premises system requirements and no installation hassles other than the usual sign-up process using an internet-connected device with a supported browser. However, you’ll be required to install local agents specific to the device or service you wish to monitor, for the most part. This deployment makes it ideal for organizations that don’t want to burden themselves with any resource-intensive on-premises SIEM solution.
On the other hand, LogRhythm offers a flexible deployment option. The LogRhythm SIEM solution can be deployed on-premises and in cloud environments, or through MSP. The cloud version just like Datadog needs no installation other than the usual sign-up process using an internet-connected device with a supported browser. The on-premises deployment model is ideal for organizations that want to have granular control, but it comes at a cost—you also have to manage it yourself. Nonetheless, the flexible deployment options ensure that you get the best fit for your organization — no matter what your goals and environmental needs may be.
Data Collection and Analytics
Datadog Cloud SIEM collects logs from many different sources into Datadog. All ingested logs are first parsed and normalized (reformatted) for consistency, easy correlation, and analysis. This helps to uncover malicious activities on the network, preventing bad actors from concealing their tracks. Once logs are collected, ingested, and processed, they are available in Log Explorer. Log Explorer is where you can search, enrich, and view alerts on your logs. This makes it easy to search and filter log data across your entire infrastructure for threat detection and investigation.
LogRhythm’s collection technology facilitates the aggregation of log data, security events, and other machine data. The LogRhythm Open Collector collects and stores logs usually in JSON format from various sources including cloud log sources, flat files, or other formats, which are then parsed and normalized for correlation. The tool then analyzes the data to identify possible signs of malicious activity so humans or automated processes can stop attacks in progress or help recover from successful attacks. LogRhythm’s AI Engine can be used to deliver automated, continuous analysis and correlation of all activity observed within the environment with real-time visibility to risks, threats, and critical operations issues that are otherwise undetectable.
Incident/Threat Detection and Mitigation
Datadog detects threats based on rules and creates a security signal. Datadog provides out-of-the-box rules for widespread attacker techniques, mapped to the MITRE ATT&CK framework. Detection rules take full advantage of Datadog’s “Logging without Limits”, which lets you customize what logs you want to index while still ingesting, processing, and archiving everything. Rules apply to the full stream of ingested, parsed, and enriched logs so that you can maximize detection coverage without any of the traditionally associated performance or cost concerns of indexing all of your log data.
Unlike Datadog, LogRhythm SIEM brings together log management, machine learning, user and entity behavior analytics (UEBA), network traffic and behavior analytics (NTBA), and security orchestration automation and response (SOAR) into a single platform. With SOAR capabilities enabled, security incident response teams can become more efficient, and free up time and resources for more demanding tasks. Similarly, UEBA brings clarity and context to anomalous user behavior by corroborating risk. LogRhythm also comes with a built-in MITRE ATT&CK module that provides prebuilt content mapped to ATT&CK for effective threat detection and response.
Notifications and Alerts
Datadog’s approach to alerts and notifications is based on machine learning (ML), which it calls Watchdog. Watchdog uses ML techniques to identify problems in your infrastructure, applications efficiency, and services, and flag anomalies. Alerts in Datadog are called Monitors. Users can receive alerts using Pagerduty, Slack, and email. These can be based on nearly any metric that Datadog can capture. As a result, every alert is specific, actionable, and contextual—even in large and temporary environments. This unique approach to alerts and notifications makes Datadog stand out and helps to minimize downtime and prevent alert fatigue.
In LogRhythm, alarm rules watch for signs of malicious activities or conditions such as attacks on the network, compliance issues, system errors, and so on. For example, if log data reveals that malware attempted to infect the network, an alarm rule such as “Alarm on Malware” is triggered that notifies the security team. The alarm rule can also trigger SmartResponse remediation actions. Smart Response is an automated script that responds with an action, such as scripts for disabling an Active Directory account or killing a running process, to resolve the issue. Alerts and notifications can be sent via email, SNMP traps, text files, and more.
Compliance and Integration
Instead of generating the usual out-of-the-box reports that most network admins expect, Datadog’s approach to reporting aims to make metrics easily searchable, and it does excellently. Cloud SIEM is fully integrated with all of Datadog’s application and infrastructure monitoring products, which allows users to seamlessly pivot from a potential threat to associated monitoring data to quickly triage security alerts. Datadog’s 500+ integrations let you collect metrics, logs, and traces from your entire stack as well as from your security tools, giving you end-to-end visibility into your environment. Datadog integration with Slack and PagerDuty allows you to automatically loop in relevant teams when a high-severity rule detects a threat. You can also export security signals to collaboration tools like JIRA or ServiceNow.
LogRhythm provides prebuilt content specifically mapped to the individual controls of various regulatory standards to simplify compliance. Compliance automation modules help you detect compliance violations in real-time to minimize any potential issues. Your team can automate and enforce compliance requirements with a full suite of automated compliance reports for SOX, PCI DSS, FISMA, GLBA, HIPAA, NERC CIP, GPG 13, and more.
LogRhythm solution comes with over 800 pre-defined reports plus hundreds of additional templates that can be used to create an unlimited number of custom reports for security, operations, and compliance use cases. It also comes loaded with support for 950+ third-party and cloud integrations, including REST and SOAP APIs to speed data ingestion. This allows you to seamlessly acquire data from your on-premises and cloud infrastructure, applications, and services into your SIEM.
Licensing and Price Plans
Datadog Cloud SIEM pricing model is per GB of analyzed logs, per month billed annually or on-demand. An analyzed log is a text-based record of activity generated by an operating system, an application, or other sources analyzed to detect potential security threats. Datadog charges for analyzed logs based on the total number of gigabytes ingested and analyzed by the Datadog Cloud SIEM service.
LogRhythm offers flexible pricing and licensing with unlimited log sources and users that allows you to select the best fit for your organization’s needs and requirements. You can use your LogRhythm software license for hardware, cloud, and virtual machines, including options for perpetual, subscription, and unlimited data. Security analytics and compliance automation are both embedded in your support plan. Licenses are generally available as SaaS, software, or managed service. Subscription or perpetual licensing models are available for on-premises offering; while only a subscription model is available for SaaS deployment.
Choosing Between Datadog Cloud SIEM and LogRhythm SIEM
Although Datadog is a newcomer in the SIEM market, it has no doubt distinguished itself over the years in the observability space. It is therefore well positioned to meet the security needs of its existing customers and organizations that don’t have dedicated IT personnel to keep tabs on the infrastructure at a granular level. Datadog customers can leverage Datadog Cloud SIEM to aggregate and better analyze events inside their cloud-native applications without looking to third-party SIEM tools. This provides an advantage in terms of cost, implementation, and integration. However, the lack of SOAR and UEBA capabilities makes it less effective in tackling modern security challenges.
Conversely, LogRhythm SIEM is a mature and award-winning SIEM solution managed by one of the foremost security intelligence companies in the world—LogRhythm, Inc. LogRhythm’s flexible deployment option gives organizations the flexibility to choose the deployment model most suitable for them. LogRhythm’s ability to bring together ML-driven SOAR, UEBA, NTBA, geolocation and SmartResponse capabilities puts it in the class of next-generation SIEM which are better positioned to defend against modern security challenges.
Both Datadog and LogRhythm support and integrate with hundreds of technologies. This makes them more versatile and adapted to many different functions, provides deeper context during investigations, and lets you cast a wider net to catch possible security issues. Deciding between duos shouldn’t be about which is better, but about which best meets your business and security needs.
Key factors to consider include:
- Is the SIEM solution capable of meeting your organization’s security and compliance requirements?
- How much native support does the SIEM tool provide for relevant log sources?
- Does the SIEM solution possess the capabilities of next-generation SIEM functionalities such as SOAR and UEBA?
- What is the total cost of ownership, is vendor support available in your region, and to what extent?