Manager at a comms service provider with 10,001+ employees
Real User
Useful correlations tools, simple initial setup, and helpful support
Pros and Cons
  • "The most valuable feature of RSA NetWitness Logs and Packets are the alerts and correlations tools."
  • "RSA NetWitness Logs and Packets can improve the threat level aspect, it is lacking compared to other solutions. Whenever any hacking activity or any other threat factor occurred they used to provide the coverages very fast when comparing RSA NetWitness Logs and Packets. I heard the other three solutions, from a discussion with my team members who had experience in other solutions, they used to say that. Whenever any issues happened across the globe RSA NetWitness Logs and Packets are a little bit slow improving those detection mechanisms."

What is our primary use case?

RSA NetWitness Logs and Packets are used exclusively for monitoring scenarios, insider threat analysis, and log retention.

What is most valuable?

The most valuable feature of RSA NetWitness Logs and Packets are the alerts and correlations tools.

What needs improvement?

RSA NetWitness Logs and Packets can improve the threat level aspect, it is lacking compared to other solutions. Whenever any hacking activity or any other threat factor occurred they used to provide the coverages very fast when comparing RSA NetWitness Logs and Packets. I heard the other three solutions, from a discussion with my team members who had experience in other solutions, they used to say that. Whenever any issues happened across the globe RSA NetWitness Logs and Packets are a little bit slow improving those detection mechanisms.

For how long have I used the solution?

I have been using RSA NetWitness Logs and Packets for six years.

Buyer's Guide
NetWitness Platform
March 2024
Learn what your peers think about NetWitness Platform. Get advice and tips from experienced pros sharing their opinions. Updated: March 2024.
765,234 professionals have used our research since 2012.

What do I think about the stability of the solution?

Some of the RSA NetWitness Logs and Packets versions are not stable. Whenever they are releasing upgrades we were facing some issues.

What do I think about the scalability of the solution?

The scalability could improve. RSA NetWitness Logs and Packets have some limitations in the on-premise sizing. It requires more workers to procure the hardware. It is time-consuming.

The solution is only being used by our security operations team of approximately 10 to 15 people.

How are customer service and support?

When we have any critical issues we escalate them to the support of RSA NetWitness Logs and Packets.

I rate the support from RSA NetWitness Logs and Packets a four out of five.

Which solution did I use previously and why did I switch?

We were using RSA Ticket Analytics and now we are using RSA NetWitness Logs and Packets.

How was the initial setup?

The initial setup of RSA NetWitness Logs and Packets is not complicated, it is easy for us. However, there are some sizing limitations.

What about the implementation team?

We did the implementation of RSA NetWitness Logs and Packets in-house. We have not had any issues with maintenance. 

What's my experience with pricing, setup cost, and licensing?

RSA NetWitness Logs and Packets do not have a subscription model, it's a one-time purchase. There is only a perpetual license.

What other advice do I have?

When comparing the cloud security solutions, RSA feels outdated. I would advise others before choosing RSA NetWitness Logs and Packets, to do a POC process and later they can do the purchase if it fits their needs.

I rate RSA NetWitness Logs and Packets an eight out of ten.

Which deployment model are you using for this solution?

On-premises
Disclosure: I am a real user, and this review is based on my own experience and opinions.
PeerSpot user
Sandeep Sehrawat - PeerSpot reviewer
Information Technology Security Consultant at Sify Technologies
Real User
Top 5
The setup is straightforward and there are multiple connectors to help you integrate
Pros and Cons
  • "Setting up NetWitness is straightforward. There are multiple connectors, including standard and specialized connectors. One purpose of the connectors is the enhanced capability integrate the custom applications. NetWitness comes with E6 appliances and application images that we use for the initial configurations and for the OS stack information. From there, you can consider the correlation rules, integrate the different log sources, and easily create correlation rules and backlog reports."
  • "Nowadays, their support is a little subpar compared to other solutions. I rate RSA support six out of 10."

What is our primary use case?

We provide NetWitness along with Archer, and multiple sites. We are managing their security operations using this other station and Archer. A collector can work in two different ways. It can collect the logs, and it can aggregate the traffic tools from different net flow logs. When I saying "logs," I mean a log collector and when I say "packet," that means the packet or log connector. 

What do I think about the stability of the solution?

The stability all depends upon how well the site is set up. All these solutions are good, but the CPU and OS are the major portion of undoing the correlations. If you have a poor correlation, then you need to have less than 70 percent utilization. Then that may not be good performance. 

What do I think about the scalability of the solution?

NetWitness is scalable. You can scale, but you cannot assume that if you are deploying it today, you could use the same hardware setup as before. You only have two or three connectors. It is not at all possible. However, 20 percent scalability is always there with Odyssey.

How are customer service and support?

Nowadays, their support is a little subpar compared to other solutions. I rate RSA support six out of 10. 

How was the initial setup?

Setting up NetWitness is straightforward. There are multiple connectors, including standard and specialized connectors. One purpose of the connectors is the enhanced capability integrate the custom applications. NetWitness comes with E6 appliances and application images that we use for the initial configurations and for the OS stack information. From there, you can consider the correlation rules, integrate the different log sources, and easily create correlation rules and backlog reports.

The complexity of the deployment depends on the amount and type of log sources. Are there any custom home-grown log sources for which you need to create the custom parsers? How many different logs or log lines in a home grown application? These factors might make your parser development a bit cumbersome.

What's my experience with pricing, setup cost, and licensing?

The licenses are based on the ETS.

What other advice do I have?

I rate RSA NetWitness Logs and Packets eight out of 10. Aside from ETS, it is the second-most important solution for maintaining compliance and how much data you need in the online logs or the offline archival logs.

Disclosure: My company has a business relationship with this vendor other than being a customer: Integrator
PeerSpot user
Buyer's Guide
NetWitness Platform
March 2024
Learn what your peers think about NetWitness Platform. Get advice and tips from experienced pros sharing their opinions. Updated: March 2024.
765,234 professionals have used our research since 2012.
Information Technology Security and Infrastructure Expert at a government with 201-500 employees
Real User
Helps to deal with potential attacks and is available at a reasonable price
Pros and Cons
  • "The product's initial setup phase was not at all difficult."
  • "The tool's integration capability isn't so great."

What is our primary use case?

I use the solution in my company for packets mainly and log analytics.

What is most valuable?

I don't really see any valuable features in the product. I feel that it is time to move away from NetWitness Platform. All SIEM tools have to deal with advanced use cases, and many of them are getting upgrades, but this is not the case with NetWitness Platform. NetWitness Platform has remained the same for almost four to five years. The support and RMAs offered by the product in our region have also become very bad.

What needs improvement?

From an improvement perspective, the NetWitness Platform needs to release new features and improve in areas like log correlation. The tool needs to have easier integrations with the cloud. Building a parser should be made easier in the tool.

The tool needs to have easier integrations. The tool needs to have the extra log-related suggestions. The platform and UI should be easier to use.

For how long have I used the solution?

I have been using NetWitness Platform for eight years. My company is a customer of the tool.

How are customer service and support?

I rate the technical support a six out of ten.

How would you rate customer service and support?

Neutral

How was the initial setup?

The product's initial setup phase was not at all difficult. The tool's upgrades and moving from old hardware to new hardware are difficult and time-consuming. If you have any hardware failures, as per the RMA offered by the tool, it takes a very long time to get some after-service. The product has not been working well in my region recently.

What's my experience with pricing, setup cost, and licensing?

The product price was reasonable for my region and the market.

Which other solutions did I evaluate?

My company has a hybrid environment. I have looked at other products like Splunk and Sentinel. I am still looking around for other solutions in the market. In my company, we are having discussions to move to some other solution.

What other advice do I have?

My company has had many benefits from the use of the product in the last eight years.

The tool has streamlined our company's incident response process since it serves as a log repository, which allows us to correlate events and access different technology stacks. In our company, we were able to actually find some potential attacks, so it has been very helpful.

The tool's integration capability isn't so great. In my company, we managed to integrate it with our Microsoft Azure Subscription, after which we managed to integrate it with other tools. You will face a lot of difficulties if you want to integrate it with your database monitoring tool, PAM solutions, or IAM products.

The product has done well overall for my company's teams to deal with their workflow efficiency.

I would not recommend the product to others.

I rate the tool a seven out of ten.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
Flag as inappropriate
PeerSpot user
Salah Sabouni - PeerSpot reviewer
Director at ST
Reseller
Top 10
Provides comprehensive network visibility, and has available helpful support
Pros and Cons
  • "In my opinion, the solution's most valuable feature is its capacity to monitor network traffic, logs from devices within the network, and network captures. This capability extends beyond logs to include full network capturing."
  • "I believe that integrating the solution with other products such as Oracle would be beneficial."

What is our primary use case?

Our solution is utilized by customers to monitor security alerts by ingesting logs from all their assets. 

They create correlation rules to identify any potential breaches or hacking attempts and receive notifications through the dashboard.

Customers can use additional features to investigate the incident and take the necessary actions.

How has it helped my organization?

Prior to implementing the solution, the customers had no visibility of their assets. However, after adopting the solution, they have gained complete visibility over all their assets, including a comprehensive understanding of the network and attack symptoms. With this knowledge, they can respond to any attack and take necessary actions. Essentially, this case has empowered them with comprehensive network visibility.

What is most valuable?

In my opinion, the solution's most valuable feature is its capacity to monitor network traffic, logs from devices within the network, and network captures.

This capability extends beyond logs to include full network capturing.

What needs improvement?

I believe that integrating the solution with other products such as Oracle would be beneficial. However, I suggest that the integration process be streamlined and made more efficient to ensure a smooth experience.

It would be great to have the ability to customize reports in a more user-friendly manner.

For how long have I used the solution?

We are resellers for the NetWitness Platform.

What do I think about the stability of the solution?

We have not had any issues with the stability of the NetWitness Platform, it is a stable solution.

What do I think about the scalability of the solution?

This solution is very scalable.

How are customer service and support?

We have contacted technical support. They are available. They have around-the-clock support, and they're very helpful.

I would rate them a nine out of ten. There is always room for improvement.

Which solution did I use previously and why did I switch?

I have worked with Zscaler and Cisco for four or five years.

I am familiar with Elasticsearch, but I prefer NetWitness Platform as it is specifically designed as a security solution for logs, packets, and endpoints rather than a SIEM-only only tool.

How was the initial setup?

The initial setup is complex. It requires some knowledge in order to set it up.

If one is the most difficult and ten is the easiest, I would rate it a three out of ten. It's quite complex.

Initially, we need to prepare the hardware boxes, whether they are physical or virtual or offered as a service. This involves imaging them with the appropriate functions for the module. Then, for network packet capture, the mirror ports must be connected to the packet capture box. Regarding logs, the configuration process involves making NetWitness boxes communicate with each other through the appropriate protocols and ports.

Following this, the next step involves configuring the log sources to send logs to the log box. This process requires the appropriate rules to be configured to initiate log transmission and generate metadata by appropriate parsers on NetWitness. After the setup, the focus shifts to building correlation rules, alerts, and other monitoring activities. These rules and alerts are crucial components for effective monitoring.

The deployment process can vary based on the specific environment and requirements, but typically it takes about one to two weeks to complete.

Maintaining the solution doesn't require a large number of resources. Typically, one or two capable resources are sufficient to maintain the solution effectively.

It's important to continuously monitor and ensure the health and proper functioning of the solution. This involves regularly checking the log sources to ensure that the logs are being ingested correctly and there are no issues such as overutilization or spikes in network traffic.

What's my experience with pricing, setup cost, and licensing?

It is not a cheap product.

The NetWitness Platform may be affordable only for enterprise-level customers, as it may not be within the budget of small and medium-sized businesses.

What other advice do I have?

I would advise taking your time to understand the architecture of the solution, including how the modules communicate with each other and the role of each module. It is recommended to start slowly after gaining this understanding.

I would rate NetWitness Platform an eight out of ten.

Which deployment model are you using for this solution?

On-premises
Disclosure: My company has a business relationship with this vendor other than being a customer: Reseller
PeerSpot user
Presales Manager at a tech services company with 51-200 employees
Real User
Top 10
Enables incident response team to correlate logs to identify any kind of problem, both for logs and packets
Pros and Cons
  • "It gives the capability for the incident response team to correlate logs to identify any kind of problem like malware and incidents in a general sense, both for logs and packets."
  • "If we have the ability to run a dynamic analysis through malware in the same suite, it would be great to have a sandbox solution to analyze malware through dynamic analysis."

What is our primary use case?

This solution is deployed on-premise.

What is most valuable?

It gives the capability for the incident response team to correlate logs to identify any kind of problem like malware and incidents in a general sense, both for logs and packets. I think the most important thing was that it gives the customer the capability to discover and respond to an incident. It gives customers visibility about their most important servers and devices.

Regarding the packet model, the most important thing is how easy it is to rebuild the raw data. Through one click, you can see an email that was sent even without accessing the mailbox from the user. It's easy to rebuild the raw data, especially the packet.

What needs improvement?

If we have the ability to run a dynamic analysis through malware in the same suite, it would be great to have a sandbox solution to analyze malware through dynamic analysis.

NetWitness has a malware appliance, but in terms of dynamic analysis, we need to integrate with 30 vendors. It would be great to have a sandbox produced by the RSA and the SSL appliance also.

For how long have I used the solution?

I have been working with this solution for six years.

Which solution did I use previously and why did I switch?

I have worked with ArcSight from Micro Focus. One thing to be improved in NetWitness is the capability to correlate event logs in a general sense. We have less resources in the NetWitness correlation engine compared with ArcSight.

What other advice do I have?

I would rate this solution 8 out of 10.

Which deployment model are you using for this solution?

On-premises
Disclosure: I am a real user, and this review is based on my own experience and opinions.
PeerSpot user
Program Manager at EGYANAM TECH
Real User
Economical with good technical support and is easily scalable
Pros and Cons
  • "It's quite economical compared to other solutions in the market."
  • "The initial setup is complex. There are other solutions that are easier to implement."

What is our primary use case?

I'm primarily using the solution on my client's site. 

This is a log event management tool. We are integrating this solution for the clients where it is required. Mostly we work with OEMs such as IBM, RSA, Splunk, and Micro Focus. 

With the help of these tools, you can identify any attacks or phishing activity in your network. Most of the time you are able to identify these types of attacks or activity on your firewall. When the firewall will notify the SIEM tools, it will identify which needs to be acted on immediately - unlike when you are using automation tools. With the help of automated tools, you can block those suspicious IPS or you can hand it over back to your security analyst or analyst team to take action ASAP. 

What is most valuable?

We have not evaluated this tool. It is evaluated by the client's company directly. That said, I have found it has good threat intel insights, comparatively speaking. 

From the client-side, there are economical kinds of features.  It's quite economical compared to other solutions in the market. 

The solution is scalable. 

The technical support is very good.

What needs improvement?

We are designing reports and automated rules and processes. We are defining them in relation to this product. With the help of automated rules and processes, this product will help the team when they go to production to do operations smoothly, as, most of the time, what happens when you put manual interference into such systems, it may be delayed. This can lead to vulnerabilities. Sometimes, if a hacker enters the system, he might only have a limited time where there is a window of access, however, in that time, he'll take what he can, and even if the vulnerability only lasted for a few minutes, in that time, items can get stolen. 

Therefore, there needs to be more proactively to avoid any downtime. We're adding automating tools to help RSA Netwitness so that if anything happens, RSA can immediately shut anything down. We're in the process of configuring them and adding them in.

The initial setup is complex. There are solutions that are easier to implement.

For how long have I used the solution?

I've been using the solution for two and a half years.

What do I think about the stability of the solution?

The solution is reliable. I won't say great, due to the fact that, naturally, if you compare it to other products it is not that great. That said, for the operations, it is good as long as you do not violate your license. The moment you violate your license, this will cause a quite delayed reaction, at least, that is what I've seen compared to Splunk and QRadar.

What do I think about the scalability of the solution?

While the solution isn't necessarily for small organizations, it is good for medium and large organizations.

The solution scales easily.

How are customer service and technical support?

Technical support is very good. They try to resolve issues with the proper SLAs which are defined by them and they understand the client's requirements as well as the client's infrastructure in a better manner. I'm happy with the support.

How was the initial setup?

The solution is pretty complex to set up. Comparatively, I have worked on IBM QRadar and Splunk. They are much easier to set up. It also depends on the client's infrastructure. It just needs some time and understanding to be deployed. 

Once it is deployed it requires maintenance. Whenever you work on such products, if you do not take the support or support services, it might take some time to work through some things. For some things, the documentation is not the best. Support is always recommended. If you do not buy support, it can be a disaster. 

What's my experience with pricing, setup cost, and licensing?

It's my understanding that the pricing of the product is pretty good. Compared to other options on the market, it's reasonable. 

I would say it's economical, as the licensing part is always a different ball game in the SIEM tools business, as everyone is running their business in a different manner. If you go to IBM, they will charge you in a different way, for example. RSA will charge you in a different way as well, and Splunk has its own unique licensing policies. I would say it's economical. I won't say it's cheap. It is in between.

Currently, there is only one license. There aren't different licensing models. Hardware is included in the price.

What other advice do I have?

I'm on the latest version of the solution. I tend to work on updated versions.

We are systems integrators. We have a partnership with RSA.

If a company decides to try out this product, they need to do the homework properly due to the fact that sometimes on the hardware side or on the software side, you may face some issues. It is better to study thoroughly the troubleshooting part and prepare properly. Only then you can go for implementation.

I'd rate the solution at an eight out of ten.

Which deployment model are you using for this solution?

On-premises
Disclosure: My company has a business relationship with this vendor other than being a customer: Partner
PeerSpot user
Security Operations Manager at a computer software company with 1,001-5,000 employees
Real User
Reliable, straightforward installation, but lacking multi-tenant capabilities
Pros and Cons
  • "The newer 11.5 version that my team is using has found it to have good mapping."
  • "The multi-tenant capabilities are lagging compared to IBM QRadar."

What is our primary use case?

We have two customers using this solution and one of them is a banking business. We are collecting some of the security log sources. In the main use case, we are correlating rules and we are using the endpoint detection capabilities. We are utilizing RSA NetWitness Logs and Packets, to have more insights on an endpoint level.

What is most valuable?

The newer 11.5 version that my team is using has found it to have good mapping.

What needs improvement?

The multi-tenant capabilities are lagging compared to IBM QRadar.

We want the OEM to support us when we add a partner. They have to come forward and be ready to give a POC to the customer. For example, if we are identifying any customer, and the customer wants to see the POC but at that time we do not have that resource to showcase the POC or the environment. At this time the OEM should come forward and showcase the POC to the customer. Once the customer is satisfied, we will be gaining the business, as a win-win situation.

For how long have I used the solution?

I have been using RSA NetWitness Logs and Packets (RSA SIEM) for approximately two years.

What do I think about the stability of the solution?

The solution is reliable.

What do I think about the scalability of the solution?

I have not tried to expand the solution.

How are customer service and support?

The technical support is responsive. Professional service when it is required is expensive. I wasn't able to compare with other professional services, because we have only one tool we are using at the moment. I am not able to tell you how much other OEM professional services cost. We have heard from the support that it is expensive.

Which solution did I use previously and why did I switch?

I have previously used IBM QRadar.

How was the initial setup?

The installation is somewhat straightforward. For example, if they want a UBA or SOAR type of platform, then I don't have experience in integrating or installing the SOAR or UPA. If that kind of opportunity comes or a customer requests it, then we have to see. As it is now, RSA NetWitness Logs and Packets (RSA SIEM) installation is straightforward.

What's my experience with pricing, setup cost, and licensing?

We are on an annual license for the use of the solution.

What other advice do I have?

I would recommend version 11.5, it looks good. However, we are looking for an alternative solution.

I rate RSA NetWitness Logs and Packets (RSA SIEM) version 11.4 a seven out of ten.

Which deployment model are you using for this solution?

On-premises
Disclosure: My company has a business relationship with this vendor other than being a customer: Partner
PeerSpot user
IT and Cybersecurity Professional at a financial services firm
Real User
Easy to deploy with powerful threat prediction and network forensics capabilities
Pros and Cons
  • "The most valuable features are the threat prediction and network forensics."
  • "Lots of competing products have vulnerability protection built into their products, and this solution would be improved by including that support."

What is our primary use case?

Our primary use case is real-time threat prediction so that we can minimize the person-hours of IT security analysts.

What is most valuable?

The most valuable features are the threat prediction and network forensics. For example, if there is any malware on the network, I am able to see who received it and who clicked on it. I like this functionality the most.

The deployment of the appliance is easy, where even a non-technical person can configure it.

What needs improvement?

The SOAR (security orchestration, automation, and response) component has areas for improvement.

Technical support needs to be improved.

Integration with third-party products for industries such as the banking sector, or telecommunications, presents challenges that require help from the OEM.

Lots of competing products have vulnerability protection built into their products, and this solution would be improved by including that support.

For how long have I used the solution?

We have been using RSA NetWitness for about 10 years.

What do I think about the stability of the solution?

There are no issues in terms of stability.

What do I think about the scalability of the solution?

This solution is pretty scalable, as I am using the VM infrastructure. It can scale to whatever you need.

How are customer service and technical support?

I am not happy with the RSA support. Sometimes they can be really annoying because it takes so long to get the support that you need.

Which solution did I use previously and why did I switch?

I have used RSA enVision and ArcSight in the past. We migrated from RSA enVision because they had declared the product end-of-life and upgraded to the NetWitness platform.

The Logs component is similar to what other competitors, such as IBM, ArcSight, and LogRhythm have. What distinguishes this solution is the Packets component. It is critical and something that people should make use of.

How was the initial setup?

It is easy to deploy the appliance. Anyone can mount and configure it. There is a simple, pre-built OS that they just need to mount in the VM infrastructure, and that is clearly mentioned in the documentation. It will take two or three days to deploy, at most.

The challenge comes with trying to integrate with third-party application servers. 

What about the implementation team?

We deployed this solution with our in-house team.

The number of people required for maintenance depends on your use case. If you are only using it to maintain the infrastructure then two staff is sufficient. However, if you want to implement a full-fledged SOC then you will need at least four or five people.

What other advice do I have?

My advice for anybody who is implementing this solution is to look at both their endpoints and circuit paths. The two components, Logs and Packets, should definitely both be considered. Even if there is an on-premises SIEM log, they can integrate it.

Overall, I feel that the product is very good and my biggest complaint is about their support.

I would rate this solution an eight out of ten.

Which deployment model are you using for this solution?

On-premises
Disclosure: I am a real user, and this review is based on my own experience and opinions.
PeerSpot user
Buyer's Guide
Download our free NetWitness Platform Report and get advice and tips from experienced pros sharing their opinions.
Updated: March 2024
Buyer's Guide
Download our free NetWitness Platform Report and get advice and tips from experienced pros sharing their opinions.