What is most valuable?
Ease of use, just connect to a span port on your core switch and you're ready to go. Of course, you will see a bunch of white noise, but the built-in auto tuning system does a great job of detecting legitimate services and devices on the network, and from there you white-list the ones which you've confirmed to be known goods. Built in sandboxing provides an additional layer of defense to shake out suspicious objects and processes. This works especially well if you're running Trend Micro's Office Scan Endpoint Protection, where DDi is able to generate a new virus definition via the sandbox, and push it out to the Office Scan AV engine to provide protection across your network.
How has it helped my organization?
DDi rapidly discovers C2 traffic and pinpoints the offenders, source and recipient. It also provides a set of eyes to keep track of suspicious lateral movements between nodes. The out of the box rule set does a great job of hunting down previously unflagged threats, but can easily be customized for those that like to tweak and refine.
What needs improvement?
Not too much to complain about, really. There were a few instances where legitimate traffic (WPAD) was flagged as C2 communication. There were some challenges in white-listing it, which resulted in a bunch of alerts/noise.
For how long have I used the solution?
What was my experience with deployment of the solution?
What do I think about the stability of the solution?
What do I think about the scalability of the solution?
It can get expensive if you wish to monitor all core switches across many satellite offices. My suggestion is to put one or more DDi appliances at core switches nearest to where your critical data is housed.
How are customer service and technical support?
Customer service is very good. Technical Support
Which solution did I use previously and why did I switch?
FireEye. Fire Eye is incredibly expensive, and requires multiple appliances which together, scan far less protocols than DDi. It also hasn't fared so well in terms of detection rates, in independent tests against competing products.
How was the initial setup?
What about the implementation team?
Implemented in-house along with Trend's team.
What other advice do I have?
Be sure to implement Trend's Control Manager module (free) for more flexible reporting, along with integration with other Trend products (strongly suggest using this along with Office Scan and Deep Discovery Endpoint Sensor, which is an EDR solution).
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Apr 15 2016