NetWitness Platform Reviews

Our solution is utilized by customers to monitor security alerts by ingesting logs from all their assets. 

They create correlation rules to identify any potential breaches or hacking attempts and receive notifications through the dashboard.

Customers can use additional features to investigate the incident and take the necessary actions.

Prior to implementing the solution, the customers had no visibility of their assets. However, after adopting the solution, they have gained complete visibility over all their assets, including a comprehensive understanding of the network and attack symptoms. With this knowledge, they can respond to any attack and take necessary actions. Essentially, this case has empowered them with comprehensive network visibility.

In my opinion, the solution's most valuable feature is its capacity to monitor network traffic, logs from devices within the network, and network captures.

This capability extends beyond logs to include full network capturing.

I believe that integrating the solution with other products such as Oracle would be beneficial. However, I suggest that the integration process be streamlined and made more efficient to ensure a smooth experience.

It would be great to have the ability to customize reports in a more user-friendly manner.

We are resellers for the NetWitness Platform.

We have not had any issues with the stability of the NetWitness Platform, it is a stable solution.

This solution is very scalable.

We have contacted technical support. They are available. They have around-the-clock support, and they're very helpful.

I would rate them a nine out of ten. There is always room for improvement.

I have worked with Zscaler and Cisco for four or five years.

I am familiar with Elasticsearch, but I prefer NetWitness Platform as it is specifically designed as a security solution for logs, packets, and endpoints rather than a SIEM-only only tool.

The initial setup is complex. It requires some knowledge in order to set it up.

If one is the most difficult and ten is the easiest, I would rate it a three out of ten. It's quite complex.

Initially, we need to prepare the hardware boxes, whether they are physical or virtual or offered as a service. This involves imaging them with the appropriate functions for the module. Then, for network packet capture, the mirror ports must be connected to the packet capture box. Regarding logs, the configuration process involves making NetWitness boxes communicate with each other through the appropriate protocols and ports.

Following this, the next step involves configuring the log sources to send logs to the log box. This process requires the appropriate rules to be configured to initiate log transmission and generate metadata by appropriate parsers on NetWitness. After the setup, the focus shifts to building correlation rules, alerts, and other monitoring activities. These rules and alerts are crucial components for effective monitoring.

The deployment process can vary based on the specific environment and requirements, but typically it takes about one to two weeks to complete.

Maintaining the solution doesn't require a large number of resources. Typically, one or two capable resources are sufficient to maintain the solution effectively.

It's important to continuously monitor and ensure the health and proper functioning of the solution. This involves regularly checking the log sources to ensure that the logs are being ingested correctly and there are no issues such as overutilization or spikes in network traffic.

It is not a cheap product.

The NetWitness Platform may be affordable only for enterprise-level customers, as it may not be within the budget of small and medium-sized businesses.

I would advise taking your time to understand the architecture of the solution, including how the modules communicate with each other and the role of each module. It is recommended to start slowly after gaining this understanding.

I would rate NetWitness Platform an eight out of ten.

On-premises

We have been using the RSA SIEM with the NetWitness Platform for a long time.

The most valuable feature is the hunting ability to work in a CERT.

The log system is a bit complex and has room for improvement.

I have been using the solution for a few years.

The solution is stable and is able to work with a lot of complex data.

Using the software is straightforward, but configuring it is complex. To achieve the best results, we need to set up the log system. We have an RSA team to integrate the log system with the SIEM.

In comparison to other SIEM solutions such as Splunk, NetWitness is less costly.

I give the solution a nine out of ten.

I recommend the solution to others.

On-premises

RSA NetWitness Logs and Packets are used exclusively for monitoring scenarios, insider threat analysis, and log retention.

The most valuable feature of RSA NetWitness Logs and Packets are the alerts and correlations tools.

RSA NetWitness Logs and Packets can improve the threat level aspect, it is lacking compared to other solutions. Whenever any hacking activity or any other threat factor occurred they used to provide the coverages very fast when comparing RSA NetWitness Logs and Packets. I heard the other three solutions, from a discussion with my team members who had experience in other solutions, they used to say that. Whenever any issues happened across the globe RSA NetWitness Logs and Packets are a little bit slow improving those detection mechanisms.

I have been using RSA NetWitness Logs and Packets for six years.

Some of the RSA NetWitness Logs and Packets versions are not stable. Whenever they are releasing upgrades we were facing some issues.

The scalability could improve. RSA NetWitness Logs and Packets have some limitations in the on-premise sizing. It requires more workers to procure the hardware. It is time-consuming.

The solution is only being used by our security operations team of approximately 10 to 15 people.

When we have any critical issues we escalate them to the support of RSA NetWitness Logs and Packets.

I rate the support from RSA NetWitness Logs and Packets a four out of five.

We were using RSA Ticket Analytics and now we are using RSA NetWitness Logs and Packets.

The initial setup of RSA NetWitness Logs and Packets is not complicated, it is easy for us. However, there are some sizing limitations.

We did the implementation of RSA NetWitness Logs and Packets in-house. We have not had any issues with maintenance. 

RSA NetWitness Logs and Packets do not have a subscription model, it's a one-time purchase. There is only a perpetual license.

When comparing the cloud security solutions, RSA feels outdated. I would advise others before choosing RSA NetWitness Logs and Packets, to do a POC process and later they can do the purchase if it fits their needs.

I rate RSA NetWitness Logs and Packets an eight out of ten.

On-premises

We have two customers using this solution and one of them is a banking business. We are collecting some of the security log sources. In the main use case, we are correlating rules and we are using the endpoint detection capabilities. We are utilizing RSA NetWitness Logs and Packets, to have more insights on an endpoint level.

The newer 11.5 version that my team is using has found it to have good mapping.

The multi-tenant capabilities are lagging compared to IBM QRadar.

We want the OEM to support us when we add a partner. They have to come forward and be ready to give a POC to the customer. For example, if we are identifying any customer, and the customer wants to see the POC but at that time we do not have that resource to showcase the POC or the environment. At this time the OEM should come forward and showcase the POC to the customer. Once the customer is satisfied, we will be gaining the business, as a win-win situation.

I have been using RSA NetWitness Logs and Packets (RSA SIEM) for approximately two years.

The solution is reliable.

I have not tried to expand the solution.

The technical support is responsive. Professional service when it is required is expensive. I wasn't able to compare with other professional services, because we have only one tool we are using at the moment. I am not able to tell you how much other OEM professional services cost. We have heard from the support that it is expensive.

I have previously used IBM QRadar.

The installation is somewhat straightforward. For example, if they want a UBA or SOAR type of platform, then I don't have experience in integrating or installing the SOAR or UPA. If that kind of opportunity comes or a customer requests it, then we have to see. As it is now, RSA NetWitness Logs and Packets (RSA SIEM) installation is straightforward.

We are on an annual license for the use of the solution.

I would recommend version 11.5, it looks good. However, we are looking for an alternative solution.

I rate RSA NetWitness Logs and Packets (RSA SIEM) version 11.4 a seven out of ten.

On-premises

I use NetWitness Platform in the financial industry as a good product with excellent capabilities and integration with various devices.

NetWitness Platform offers flexibility for deployment and robust integration capabilities. It excels in research events, analytics data, and reporting. It is particularly beneficial for reporting purposes, offering efficient solutions.

There is currently no need for improvement in the SIEM, though there could be potential enhancements by integrating with AI.

The support is good, and I would rate it nine out of ten.

Positive

In the financial industry, I used other solutions like Exabeam or UEBA from other providers.

The initial setup was not complex. On a scale of zero to ten, where ten is the easiest, I would rate it seven or eight.

The solution is efficient, though I do not provide specific ROI details.

The pricing is comparable to others, and I consider the cost to be intermediate. Specific cost details are unknown to me.

I used alternatives like Exabeam or UEBA from other providers in other industries.

I would rate the SIEM eight out of ten.

I am using the on-premises deployment model.

We provide NetWitness along with Archer, and multiple sites. We are managing their security operations using this other station and Archer. A collector can work in two different ways. It can collect the logs, and it can aggregate the traffic tools from different net flow logs. When I saying "logs," I mean a log collector and when I say "packet," that means the packet or log connector. 

The stability all depends upon how well the site is set up. All these solutions are good, but the CPU and OS are the major portion of undoing the correlations. If you have a poor correlation, then you need to have less than 70 percent utilization. Then that may not be good performance. 

NetWitness is scalable. You can scale, but you cannot assume that if you are deploying it today, you could use the same hardware setup as before. You only have two or three connectors. It is not at all possible. However, 20 percent scalability is always there with Odyssey.

Nowadays, their support is a little subpar compared to other solutions. I rate RSA support six out of 10. 

Setting up NetWitness is straightforward. There are multiple connectors, including standard and specialized connectors. One purpose of the connectors is the enhanced capability integrate the custom applications. NetWitness comes with E6 appliances and application images that we use for the initial configurations and for the OS stack information. From there, you can consider the correlation rules, integrate the different log sources, and easily create correlation rules and backlog reports.

The complexity of the deployment depends on the amount and type of log sources. Are there any custom home-grown log sources for which you need to create the custom parsers? How many different logs or log lines in a home grown application? These factors might make your parser development a bit cumbersome.

The licenses are based on the ETS.

I rate RSA NetWitness Logs and Packets eight out of 10. Aside from ETS, it is the second-most important solution for maintaining compliance and how much data you need in the online logs or the offline archival logs.

Primarily, I use this solution to integrate with applications and systems like firewalls and routers. For example, if somebody is trying to log on from two different locations simultaneously, we can catch that.

Over time, NetWitness Logs and Packets has matured from a boxed solution with multiple parts to the current, more streamlined version for which we only need the software license to put it up on our own cloud and deliver it to multiple clients.

An area for improvement would be better automation and more inbuilt use cases. In the next release, RSA should include an inbuilt migration framework that can do remediation.

I've been using this solution since 2011.

This is a stable solution.

The software is scalable to whatever is required, and you can also put a lot of resources in the cloud.

The initial setup isn't much of a challenge and can be completed in under twelve hours.

Our license price is updated yearly, and there are no additional costs.

I would rate NetWitness Logs and Packets as eight out of ten.

Private Cloud

Other

This solution is deployed on-premise.

It gives the capability for the incident response team to correlate logs to identify any kind of problem like malware and incidents in a general sense, both for logs and packets. I think the most important thing was that it gives the customer the capability to discover and respond to an incident. It gives customers visibility about their most important servers and devices.

Regarding the packet model, the most important thing is how easy it is to rebuild the raw data. Through one click, you can see an email that was sent even without accessing the mailbox from the user. It's easy to rebuild the raw data, especially the packet.

If we have the ability to run a dynamic analysis through malware in the same suite, it would be great to have a sandbox solution to analyze malware through dynamic analysis.

NetWitness has a malware appliance, but in terms of dynamic analysis, we need to integrate with 30 vendors. It would be great to have a sandbox produced by the RSA and the SSL appliance also.

I have been working with this solution for six years.

I have worked with ArcSight from Micro Focus. One thing to be improved in NetWitness is the capability to correlate event logs in a general sense. We have less resources in the NetWitness correlation engine compared with ArcSight.

I would rate this solution 8 out of 10.

On-premises