NetWitness NDR Reviews

The product is mainly used for security, log reviews, and monitoring.

In India, mostly on the requirement segment, we don't deploy the solution on the cloud. We use the solution on-premises.

The log correlation is good. There may be some benefits to the solution, but most of my time has gone to configure it rather than to work with it. So maybe I'm not so aware of that.

The problem with this product is that it's a bit slow. I am not very happy with this product. In the past, I have worked with a different tool, which was only maintaining a log, but I found that solution much better than NetWitness. It is not properly configured yet.

One part of this product that needs to be improved is the log passing. Often, it doesn't work or logs go missing. There are many licensing complications as well.

I have been working with this product for almost one year. I'm not working directly with the product. I do the implementation for companies. We use the latest versions of the solution.

I'm technically not hands-on with these tools because I manage the team, so I am not exposed to anything.

My own network is very complex. It might be stable, but many times, even our appliances are not. We have had improper shutdowns, so I will not blame RSA. If an improper shutdown happens, then it takes a lot of time to make it up. It doesn't work until you start the machine, and it will work. Finally, you have to get a ticket, then they will do lots of things on them. The services will start and then it will work. We've been having some power issues in my previous assignments, and a lot of trouble in that way.

The solution is scalable. It creates 3,000 lab logs per second. I think the solution is suitable for large companies, or medium to large companies.

I don't think RSA has good support.

The deployment process is complex. I don't know why, but this solution will suddenly stop working. Logs stop coming. Often, one thing or another stops working. Most of the time, one of my team members is troubleshooting and working with technical support. Log passing is also one of the biggest challenges. Sometimes you don't get the logs, but even when we make the log passes, they don't work. They suddenly stop working. It might just be a problem from my side as well, but the end result is that it is not working as smoothly as it should.

Deployment time just depends on different circumstances. Many times, our men were unable to get to the data center. There were some wiring problems and improper shutdowns. We did have trouble with connecting with other people in our department. It took an unusual amount of time. I think we should have been done in 45 to 60 days, but it took us more than eight or nine months to get it done. The deployment time just depends on the current scenario. Tech support would say, "We don't do this, we don't do that. You have to purchase that service and that service."

The pricing is not very economical. It is a costly product for India. When you purchase it, you have to purchase a module separately.

I would rate this solution 4 out of 10. I would not suggest that someone use this solution because support is a main issue. I would prefer to go with IBM QRadar or some other new AI-based tools.

It is our all-in-one platform for logs and packets for our network and for EDR.

It is very easy to use, and its usability is great. The use cases are also very easy. 

The visualizations of the use cases are magnificent. You cannot find this in any other solution. From my point of view, it is great.

Its price could be improved. It is an expensive product. Its training is also too expensive. It would be great if they can have a better pricing scheme for the training.

I have been using this solution for about two or three years.

It is very stable.

It is not meant for small businesses. It is for medium to very large enterprises.

They have very good staff in tech support.

Its installation is easy. 

I did it myself.

It is an expensive product.

I would rate RSA NetWitness Network a ten out of ten.

We use this solution to detect indicators of compromise, where incidents that occur are analyzed and given risk scores. For example, if the endpoint is of high risk then it will be indicated in red. By contrast, if it's of low risk then it will be indicated in green. The scoring criteria are what we call the Indicators of Compromise.

The overall goal is to detect malware that is affecting the endpoints and then provide a response. It is often used by banks and telecom companies.

The incident response is very good.

When you are searching for malware, you can easily decrease the endpoints to narrow the search and find it. Examples of endpoints can be servers or laptops, each with different operating systems. This solution allows us to locate the malware in real-time.

I like the performance. It can detect signatureless malware, which many perimeter control and antivirus solutions cannot do. It is helpful for discovering unknown malware and it is so lightweight that you don't even notice that it is installed in your environment. It doesn't load the network and it uses less bandwidth than some other products.

The reporting is perfect and I haven't seen any problems with it.

RSA can easily integrate with third-party applications like Rapid7. All of the documentation for integration with other platforms and other vendors is available. The API makes integration even easier.

I would like to see Security Orchestration and Response Automation (SOAR) integration. This way, if there is an endpoint that has been compromised, you don't have to go about repairing or blacklisting it manually. Ideally, the system can have its own intelligence so that it can perform automated tasks without human intervention.

One of the drawbacks of using this product is that when you deploy, you have to create MSI files. These files have to be created for different operating systems, which means that you have to be conscious of which ones exist in your environment. For example, if you have Linux, MacBooks, and Windows machines, then you have to have MSI files created for each of them. Ideally, a single MSI file would be created to support deployment on any of the supported operating systems.

I have been working with RSA for more than four years.

This product is very stable. It gives you real-time data if there's an endpoint being compromised. It is not a heavy platform.

NetWitness Endpoint is very scalable.

The technical support from RSA is 100%. They are available 24/7 and I am very satisfied with them.

The initial setup is straightforward.

I was working with another technical consultant and the two of us made up the team that implemented this solution. The last project that I was working on was larger in size and spanned over a two-month period. For the RSA NetWitness Endpoint component, it took between five and ten days to deploy, which included documentation.

One consultant is all that is needed to deploy it, as long as they understand the expectations held by the customer.

This is not an expensive product. The cost depends on the number of endpoints that you want to monitor, but it is not expensive.

There are several SIEM technologies that are available but one advantage of using RSA NetWitness is that you don't have to outsource the EDR component. It comes as part of the platform. This is in contrast to solutions like IBM QRadar, where you have to outsource the EDR.

In a further comparison with QRadar, it doesn't give accurate results because there are a lot of false positives.

This is a product that I recommend. My advice for anybody who is implementing it is to make sure that they have somebody who understands it very well. Having somebody who will configure it properly is the right way to have it generate the output that you want.

Also, you have to make sure that all of the endpoints are up to date. They have to be online all of the time so that you're able to have visibility on any compromises that may happen. If an endpoint is instead offline, it becomes difficult to investigate or to monitor compromises or malware.

I would also suggest deploying a virtual environment. By doing so, it can be cloud-based, and what you need to do is called Event Source Onboarding. This is the process whereby you are providing the consultant with the events that you want to collect data from.

In my opinion, this is the best platform, world-wide, and I am happy with it.

I would rate this solution a ten out of ten.

We are using this solution as a network forensic tool with other security devices such as IPS and SIEM.

The most valuable feature is the way it captures the traffic, and it contains every detail of the communication.

When analyzing something, you have to click several times. It requires a lot of effort to find something. The sole purpose of NetWitness is to find text easily, so this is an area that needs to be improved.

The scalability needs improvement, but I think that it is technically difficult.

This is a complex tool to use.

In the next release, if they could include a detection feature or improve the detection then I would like it better.

I have been working with this solution for about one year.

This solution is very stable.

It does not scale. It's one network segment that captures all of the traffic, so it's not scalable at all.

We have six analysts who use this product, with maybe only three or four people in our company.

For support, we contact our reseller.

The initial setup is not complex, it was easy.

We deployed everything on port mirroring.

I set up this solution by myself.

Architects love to use this tool, but the analysis is very complex, which is the point of NetWitness Network.

It's not the best, but it's good. The analytics is probably a ten but because it is complex, but overall, I would rate this solution an eight out of ten.

We use the solution for the contamination. We detect the incidents and then proceed for the contamination and error notification. For example, there's some intrusion history to the endpoint and there's a partial command that detects the code imbalance. We're able to find it and deal with it.

The detection rate and tracking features including historical tracking, tracking of the fires on the desk, and tracking of the file last monitored are all quite valuable for us.

The contamination feature could be improved.

I've been using the solution for six years now.

The stability of the solution is good. I'd rate it seven out of ten overall. We've had minor technical issues.

The solution is highly scalable. Users just need to install the agent on the products. Right now, we have about 1,000 users. We use the solution daily.

We've contacted technical support several times. They've been very good. They have been able to help us resolve our issues.

We didn't previously use another solution.

The initial setup was pretty straightforward. We didn't run into any issues. I can't recall how long it took to deploy.

We had a professional service assist us with the initial setup.

We use the on-premises deployment model.

The contamination should be improved. If a new user needs better contamination capabilities, they should use something else.

I'd rate the solution seven out of ten. If it offered better triaging of incidents, I'd rate it higher.

We are using it as a SIEM tool. 

One of the most valuable features is the Orchestrator.

This solution needs an upgrade in reporting. I have heard from RSA that they are working on this, but as of yet it is not available.

It is stable. We have been using it for some time, without any issues.

I think it would scale nicely but we have not needed to expand our organizational needs yet.

The initial setup was not complex.

I do not have any opinion on the pricing or licensing of the product.

I used other solutions such as EnVision in the past.

It is mainly for market analysis. It has been performing exceedingly well.

It helps our security team respond more accurately when there are threats, then we get less false positives or negatives.

RSA NetWitness does market analysis in a more granular form. It gives you full visibility. You have good visibility across the flow of markets, then you can connect with more security devices across the network. 

The solution is modular, for example you can buy the RSA ePack, which you buy as a module is not part of the conduit solution. They could include it and have it as an all-in-one solution. However, customers understand the model, so they buy them in modules and put them together.

The stability is good. It does not fail.

It is highly scalable. It can be bought based on your requirements.

The product has excellent support.

The initial setup requires a high level of skill, then the setup is good and smooth. If you have the skill, then you will get through it easily.

The pricing is good. It is competitive. With RSA, there is flexibility in choosing the service, products, and the range that meets your requirement, as well as they are flexible in terms of pricing. They can easily adjust if you have the requirements which are required. If you have a budget cut or a budget constraint, they can bend.

I would highly recommend the solution. Just go ahead and get it. It is the best you can get.

We chose a solution of RSA endpoint protection because of the value proposition they offered. It became clear that they have the right solution for a serious enterprise and the security operation center (SOC), and they offered the right value.

It meets our major requirements and gives you peace of mind.