Datadog vs. Symantec Content & Malware Analysis

Datadog can be pricey for larger scale businesses, so it really depends on your use case. For us, we have a small single deployment application and a small developer team, so our costs are mostly reasonable. There are more features than we can explore which can be somewhat overwhelming. It is mostly easy and intuitive to use but for larger scale you may consider rolling your own solutions.

Incentivized

If you have Symantec based environment including Symantec proxy and endpoints, Content and Malware Analysis is the obvious choice. You can't run the CAS-MAS as a standalone deployment, you need proxies or ICAP supported devices capable to send the files/URLS. It's not a network security device where you can flow/direct the traffic to C/MAS. It does not have UBA, NBA or NTR features, it is just working for analyzing files as expected.

• The thing which Datadog does really well, one of them are its broad range of services integrations and features which makes it one step observability solution for all. We can monitor all types of our application, infrastructure, hosts, databases etc with Datadog.
• Its custom dashboard feature which helps us to visualize the data in a better way . It supports different types of charts through those charts we can create our dashboard more attractive.
• Its AI powered alerting capability though that we can easily identify the root cause and also it has a low noise alerting capability which means it correlated the similar type of issues.

Incentivized

• 0 day detection and prevenion
• Flawless integration with Symantec Ecosystem
• Integration with other vendors supporting ICAP is also working
• Custom and golden image support
• High performance on busy environments
• Many threats are already detected and prevented through the CAS, it improves the performance drastically.
• Already builtin virustotal integration
• Reference to updates and updates information where I can see the product/service detecting which APTs
• Multiple Antivirus engines which you can select/subscribe
• Manual submission of file is supported through the gui
• URL manual submission is also supported

• Alert windows cause lag in notifications (e.g. if the alert window is X errors in 1 hour, we won't get alerted until the end of the 1 hour range)
• I would appreciate more supportive examples for how to filter and view metrics in the explorer
• I would like a more clear interface for metrics that are missing in a time frame, rather than only showing tags/etc. for metrics that were collected within the currently viewed time frame

Incentivized

• API support is lacking
• Symantec/Broadcom security vision in general
• Symantec support is not perfect
• You can't run the product as a standalone network device
• No packet capture capabiliy or work in span mode
• You need a dedicated hardware to make it run
• You need to buy

There is some room for improvement, but the Datadog team sends out updates frequently, and the UI is user-friendly for engineers, with no significant loading issues or region-specific problems. That was one of the key reasons we preferred Datadog; our company has employees worldwide, and it wasn't difficult to transition to the tool.

Incentivized

The support team usually gets it right. We did have a rather complicate issue setting up monitoring on a domain controller. However, they are usually responsive and helpful over chat. The downside would be I don’t think they have any phone support. If that is important to you this might not be a good fit.

Incentivized

It's a one-stop solution for all our needs whereas in other open-source tools, we have an operational overhead to keep and manage the uptime of these tools as well and also manage their versioning, upgrade, and patching cycle. Also if there are any bugs then we have to raise an open source issue and many problems as we have to keep 2 to 3 people aligned to manage the stack.

Incentivized

We have been using many solutions even tested nearly all available 0day sandbox solutions in the market. We choose Symantec CMA as we have already Symantec endpoint protection/EDR on the client, Symantec proxy for the web access, SCMA fits our environment. We have a big bargain when we puchase lots of equipment from the Symantec. Detection and prevention is very good at SCMA but some constant issues; like the product is not designed for heterogeneous environments, we can not integrate the SCMA with WAFs, it's lacking in api and request/reply calls. There's no file scanning, discover the option. SIEM integration is not smooth. I can not run some of the SOAR playbooks through the SCMA.

• Saved us (time & money) from developing our own monitoring utilities that would pale in comparison
• Alerts allow us to remedy issues before our customers even know about them
• Tracking resource usage over time allows us to better plan for future needs, before it becomes a pain-point.

Incentivized

• 0-day and APT risk is covered by the SCMA
• As the SSL is inspected and analyzed at Bluecoat proxy servers, hidden threats, malicous files are passed to SCMA to be analyzed.
• Getting full visibility at file trajectory level
• As it's a full proxy and ICAP integration, we are sure that the files are to analyzed and scanned for malicious activity. This is a big plus compared to NGFW analyze concept, as the NGFWs have special failsafe mechanisms allowing bypass of file analysis. SCMA fully catches the hidden threats.
• Flawless integration with Bluecoat systems is a big plus, customers are getting the same type of messages within their browsers.
• A negative impact is the standardization when I deploy SCAM to one of our locations. Then the auditors demand the same coverage within other areas and it comes with the cost. Especially maintaining these devices on premise environment has a significant cost.