NetWitness Platform Reviews

Generally, we use the solution for network forensics. It allows us to do visual data detection and prevention. 

The solution should have more integration capabilities with different platforms. The API is nearly open and scalable, so the solution can integrate with many platforms. The solution has more than 200 log sources in the scalability to support, but this is its limit. 

Installation is pretty easy. However, there are a couple of modules involved, so it is not as easy as it could be. We are talking about a distributed module, not a single-module type. This is what makes things a bit complex, instead of easier. I rate it as a seven out of ten on its installation and configuration capabilities.

I have been using RSA NetWitness Logs and Packets (RSA SIEM) for two years.

The solution is really scalable for the high-end power, enterprise customer, but not for the small one.

Mostly, the support is provided remotely and has proven to be good. It was good at the time when we made use of it. I have no idea whether they improved their support over the course of the last year. Previously, our country did not have certified resources, although the first-level of support was available through their local partners, as well as paying-level support, which was handled remotely through India or Singapore. 

Installation is pretty easy. However, there are a couple of modules involved, so it is not as easy as it could be. We are talking about a distributed module, not a single-module type. This is what makes things a bit complex, instead of easier. I rate it as a seven out of ten on its installation and configuration capabilities. 

If one goes the intelligent route, installation should take at least four to five hours. 

There were at least two people involved in the deployment and maintenance. From an operational perspective, there is a need for at least three people, since type one, two and three analysts are involved. Two people are sufficient for the installation, though. 

There is a licensing fee and the customer can choose whether he wishes this to be subscription-based or perpetual. 

Integration is exceedingly minimal, since its project development is much easier than that of LogRythm or IBM. This means that the solution is significantly more flexible for the customer and requires less training.

I would definitely recommend this solution to others, but not to small-sized customers. The solution is one of the best for enterprise customers exceeding 10,000 or 2,000 EPS. 

I rate RSA NetWitness Logs and Packets (RSA SIEM) as a nine out of ten. 

On-premises

The primary use case for the NetWitness Platform is within large companies, particularly in their internal security operation centers (SOCs). They utilize the platform for block collections from the entire company, including subsidiaries, enabling comprehensive security monitoring and analysis. It supports functions such as collections and correlation. Additionally, some licenses may include XDR capabilities. NetWitness stood out for many customers as it was one of the first solutions to collect blocks from endpoints, networks, and logs simultaneously, providing a unified view of security events.

The most valuable feature of the NetWitness Platform, as I've found through occasional engagements, is its Total Customer Ownership (TOC) approach. It encompasses having a unified engine and database where all collected information, including logs, network traffic, and endpoint data, is correlated and analyzed. This centralized database enables efficient analysis and correlation of security events aided by artificial intelligence algorithms. Additionally, customers can develop custom parsers to integrate new data sources into the database, enhancing its speed and reliability.

The product's licensing models are complex to understand. This particular area needs improvement. 

I have been using NetWitness Platform for seven years.

My experience with customer service and support for RSA NetWitness has been positive overall. I know individuals who are specialists in the field and attend meetings organized by RSA. These specialists support customers, including those whose partners or companies sell and implement NetWitness at their sites. Despite the cost, it has a strong reputation. I have received helpful assistance from technical support when needed, such as accessing restricted areas on their website or technology database. Even in complex cases, the support team has been attentive and supportive, ensuring I am not left alone with any issues.

Licensing models can be complex and subject to change over time. It provides tools to assist in selecting the appropriate license and usage scenarios. The trend is shifting towards subscription-based models rather than one-time payments.

I previously prepared comparisons between solutions such as IBM QRadar and RSA NetWitness. Having worked for several large vendors, including IBM, I have insights into various security platforms. IBM QRadar, while mature and feature-rich, was behind RSA NetWitness in certain aspects. RSA was among the first to collect data from multiple sources, including live network traffic, endpoints, and logs, offering a more comprehensive approach to threat detection. Both vendors eventually incorporated Extended Detection and Response (XDR) capabilities into their solutions, but RSA was an early adopter. Nowadays, it's challenging to pinpoint significant differences in functionalities among various vendors, as most deliver similar capabilities. Performance and cost considerations may vary depending on the specific use case and hardware infrastructure. Thus, a thorough evaluation is essential when choosing a security platform.

NetWitness can be highly beneficial for incident detection and response. RSA has incorporated Extended Detection and Response (XDR) functionality through collaborations and licensing agreements with other companies.

It integrates well with other tools, boasting over 600 integrations on its website. The list is continuously updated and readily accessible.

Security improvements will vary depending on the combination of integrations. It's essential to carefully assess both the list of available integrations and each customer's specific needs.

I rate it a ten out of ten.

Our solution is utilized by customers to monitor security alerts by ingesting logs from all their assets. 

They create correlation rules to identify any potential breaches or hacking attempts and receive notifications through the dashboard.

Customers can use additional features to investigate the incident and take the necessary actions.

Prior to implementing the solution, the customers had no visibility of their assets. However, after adopting the solution, they have gained complete visibility over all their assets, including a comprehensive understanding of the network and attack symptoms. With this knowledge, they can respond to any attack and take necessary actions. Essentially, this case has empowered them with comprehensive network visibility.

In my opinion, the solution's most valuable feature is its capacity to monitor network traffic, logs from devices within the network, and network captures.

This capability extends beyond logs to include full network capturing.

I believe that integrating the solution with other products such as Oracle would be beneficial. However, I suggest that the integration process be streamlined and made more efficient to ensure a smooth experience.

It would be great to have the ability to customize reports in a more user-friendly manner.

We are resellers for the NetWitness Platform.

We have not had any issues with the stability of the NetWitness Platform, it is a stable solution.

This solution is very scalable.

We have contacted technical support. They are available. They have around-the-clock support, and they're very helpful.

I would rate them a nine out of ten. There is always room for improvement.

I have worked with Zscaler and Cisco for four or five years.

I am familiar with Elasticsearch, but I prefer NetWitness Platform as it is specifically designed as a security solution for logs, packets, and endpoints rather than a SIEM-only only tool.

The initial setup is complex. It requires some knowledge in order to set it up.

If one is the most difficult and ten is the easiest, I would rate it a three out of ten. It's quite complex.

Initially, we need to prepare the hardware boxes, whether they are physical or virtual or offered as a service. This involves imaging them with the appropriate functions for the module. Then, for network packet capture, the mirror ports must be connected to the packet capture box. Regarding logs, the configuration process involves making NetWitness boxes communicate with each other through the appropriate protocols and ports.

Following this, the next step involves configuring the log sources to send logs to the log box. This process requires the appropriate rules to be configured to initiate log transmission and generate metadata by appropriate parsers on NetWitness. After the setup, the focus shifts to building correlation rules, alerts, and other monitoring activities. These rules and alerts are crucial components for effective monitoring.

The deployment process can vary based on the specific environment and requirements, but typically it takes about one to two weeks to complete.

Maintaining the solution doesn't require a large number of resources. Typically, one or two capable resources are sufficient to maintain the solution effectively.

It's important to continuously monitor and ensure the health and proper functioning of the solution. This involves regularly checking the log sources to ensure that the logs are being ingested correctly and there are no issues such as overutilization or spikes in network traffic.

It is not a cheap product.

The NetWitness Platform may be affordable only for enterprise-level customers, as it may not be within the budget of small and medium-sized businesses.

I would advise taking your time to understand the architecture of the solution, including how the modules communicate with each other and the role of each module. It is recommended to start slowly after gaining this understanding.

I would rate NetWitness Platform an eight out of ten.

On-premises

We have been using the RSA SIEM with the NetWitness Platform for a long time.

The most valuable feature is the hunting ability to work in a CERT.

The log system is a bit complex and has room for improvement.

I have been using the solution for a few years.

The solution is stable and is able to work with a lot of complex data.

Using the software is straightforward, but configuring it is complex. To achieve the best results, we need to set up the log system. We have an RSA team to integrate the log system with the SIEM.

In comparison to other SIEM solutions such as Splunk, NetWitness is less costly.

I give the solution a nine out of ten.

I recommend the solution to others.

On-premises

Primarily, I use this solution to integrate with applications and systems like firewalls and routers. For example, if somebody is trying to log on from two different locations simultaneously, we can catch that.

Over time, NetWitness Logs and Packets has matured from a boxed solution with multiple parts to the current, more streamlined version for which we only need the software license to put it up on our own cloud and deliver it to multiple clients.

An area for improvement would be better automation and more inbuilt use cases. In the next release, RSA should include an inbuilt migration framework that can do remediation.

I've been using this solution since 2011.

This is a stable solution.

The software is scalable to whatever is required, and you can also put a lot of resources in the cloud.

The initial setup isn't much of a challenge and can be completed in under twelve hours.

Our license price is updated yearly, and there are no additional costs.

I would rate NetWitness Logs and Packets as eight out of ten.

Private Cloud

Other

We have two customers using this solution and one of them is a banking business. We are collecting some of the security log sources. In the main use case, we are correlating rules and we are using the endpoint detection capabilities. We are utilizing RSA NetWitness Logs and Packets, to have more insights on an endpoint level.

The newer 11.5 version that my team is using has found it to have good mapping.

The multi-tenant capabilities are lagging compared to IBM QRadar.

We want the OEM to support us when we add a partner. They have to come forward and be ready to give a POC to the customer. For example, if we are identifying any customer, and the customer wants to see the POC but at that time we do not have that resource to showcase the POC or the environment. At this time the OEM should come forward and showcase the POC to the customer. Once the customer is satisfied, we will be gaining the business, as a win-win situation.

I have been using RSA NetWitness Logs and Packets (RSA SIEM) for approximately two years.

The solution is reliable.

I have not tried to expand the solution.

The technical support is responsive. Professional service when it is required is expensive. I wasn't able to compare with other professional services, because we have only one tool we are using at the moment. I am not able to tell you how much other OEM professional services cost. We have heard from the support that it is expensive.

I have previously used IBM QRadar.

The installation is somewhat straightforward. For example, if they want a UBA or SOAR type of platform, then I don't have experience in integrating or installing the SOAR or UPA. If that kind of opportunity comes or a customer requests it, then we have to see. As it is now, RSA NetWitness Logs and Packets (RSA SIEM) installation is straightforward.

We are on an annual license for the use of the solution.

I would recommend version 11.5, it looks good. However, we are looking for an alternative solution.

I rate RSA NetWitness Logs and Packets (RSA SIEM) version 11.4 a seven out of ten.

On-premises

I'm primarily using the solution on my client's site. 

This is a log event management tool. We are integrating this solution for the clients where it is required. Mostly we work with OEMs such as IBM, RSA, Splunk, and Micro Focus. 

With the help of these tools, you can identify any attacks or phishing activity in your network. Most of the time you are able to identify these types of attacks or activity on your firewall. When the firewall will notify the SIEM tools, it will identify which needs to be acted on immediately - unlike when you are using automation tools. With the help of automated tools, you can block those suspicious IPS or you can hand it over back to your security analyst or analyst team to take action ASAP. 

We have not evaluated this tool. It is evaluated by the client's company directly. That said, I have found it has good threat intel insights, comparatively speaking. 

From the client-side, there are economical kinds of features.  It's quite economical compared to other solutions in the market. 

The solution is scalable. 

The technical support is very good.

We are designing reports and automated rules and processes. We are defining them in relation to this product. With the help of automated rules and processes, this product will help the team when they go to production to do operations smoothly, as, most of the time, what happens when you put manual interference into such systems, it may be delayed. This can lead to vulnerabilities. Sometimes, if a hacker enters the system, he might only have a limited time where there is a window of access, however, in that time, he'll take what he can, and even if the vulnerability only lasted for a few minutes, in that time, items can get stolen. 

Therefore, there needs to be more proactively to avoid any downtime. We're adding automating tools to help RSA Netwitness so that if anything happens, RSA can immediately shut anything down. We're in the process of configuring them and adding them in.

The initial setup is complex. There are solutions that are easier to implement.

I've been using the solution for two and a half years.

The solution is reliable. I won't say great, due to the fact that, naturally, if you compare it to other products it is not that great. That said, for the operations, it is good as long as you do not violate your license. The moment you violate your license, this will cause a quite delayed reaction, at least, that is what I've seen compared to Splunk and QRadar.

While the solution isn't necessarily for small organizations, it is good for medium and large organizations.

The solution scales easily.

Technical support is very good. They try to resolve issues with the proper SLAs which are defined by them and they understand the client's requirements as well as the client's infrastructure in a better manner. I'm happy with the support.

The solution is pretty complex to set up. Comparatively, I have worked on IBM QRadar and Splunk. They are much easier to set up. It also depends on the client's infrastructure. It just needs some time and understanding to be deployed. 

Once it is deployed it requires maintenance. Whenever you work on such products, if you do not take the support or support services, it might take some time to work through some things. For some things, the documentation is not the best. Support is always recommended. If you do not buy support, it can be a disaster. 

It's my understanding that the pricing of the product is pretty good. Compared to other options on the market, it's reasonable. 

I would say it's economical, as the licensing part is always a different ball game in the SIEM tools business, as everyone is running their business in a different manner. If you go to IBM, they will charge you in a different way, for example. RSA will charge you in a different way as well, and Splunk has its own unique licensing policies. I would say it's economical. I won't say it's cheap. It is in between.

Currently, there is only one license. There aren't different licensing models. Hardware is included in the price.

I'm on the latest version of the solution. I tend to work on updated versions.

We are systems integrators. We have a partnership with RSA.

If a company decides to try out this product, they need to do the homework properly due to the fact that sometimes on the hardware side or on the software side, you may face some issues. It is better to study thoroughly the troubleshooting part and prepare properly. Only then you can go for implementation.

I'd rate the solution at an eight out of ten.

On-premises

I use NetWitness Platform in the financial industry as a good product with excellent capabilities and integration with various devices.

NetWitness Platform offers flexibility for deployment and robust integration capabilities. It excels in research events, analytics data, and reporting. It is particularly beneficial for reporting purposes, offering efficient solutions.

There is currently no need for improvement in the SIEM, though there could be potential enhancements by integrating with AI.

The support is good, and I would rate it nine out of ten.

Positive

In the financial industry, I used other solutions like Exabeam or UEBA from other providers.

The initial setup was not complex. On a scale of zero to ten, where ten is the easiest, I would rate it seven or eight.

The solution is efficient, though I do not provide specific ROI details.

The pricing is comparable to others, and I consider the cost to be intermediate. Specific cost details are unknown to me.

I used alternatives like Exabeam or UEBA from other providers in other industries.

I would rate the SIEM eight out of ten.

I am using the on-premises deployment model.