NetWitness Platform Reviews

Our primary use case is real-time threat prediction so that we can minimize the person-hours of IT security analysts.

The most valuable features are the threat prediction and network forensics. For example, if there is any malware on the network, I am able to see who received it and who clicked on it. I like this functionality the most.

The deployment of the appliance is easy, where even a non-technical person can configure it.

The SOAR (security orchestration, automation, and response) component has areas for improvement.

Technical support needs to be improved.

Integration with third-party products for industries such as the banking sector, or telecommunications, presents challenges that require help from the OEM.

Lots of competing products have vulnerability protection built into their products, and this solution would be improved by including that support.

We have been using RSA NetWitness for about 10 years.

There are no issues in terms of stability.

This solution is pretty scalable, as I am using the VM infrastructure. It can scale to whatever you need.

I am not happy with the RSA support. Sometimes they can be really annoying because it takes so long to get the support that you need.

I have used RSA enVision and ArcSight in the past. We migrated from RSA enVision because they had declared the product end-of-life and upgraded to the NetWitness platform.

The Logs component is similar to what other competitors, such as IBM, ArcSight, and LogRhythm have. What distinguishes this solution is the Packets component. It is critical and something that people should make use of.

It is easy to deploy the appliance. Anyone can mount and configure it. There is a simple, pre-built OS that they just need to mount in the VM infrastructure, and that is clearly mentioned in the documentation. It will take two or three days to deploy, at most.

The challenge comes with trying to integrate with third-party application servers. 

We deployed this solution with our in-house team.

The number of people required for maintenance depends on your use case. If you are only using it to maintain the infrastructure then two staff is sufficient. However, if you want to implement a full-fledged SOC then you will need at least four or five people.

My advice for anybody who is implementing this solution is to look at both their endpoints and circuit paths. The two components, Logs and Packets, should definitely both be considered. Even if there is an on-premises SIEM log, they can integrate it.

Overall, I feel that the product is very good and my biggest complaint is about their support.

I would rate this solution an eight out of ten.

Primarily, I use this solution to integrate with applications and systems like firewalls and routers. For example, if somebody is trying to log on from two different locations simultaneously, we can catch that.

Over time, NetWitness Logs and Packets has matured from a boxed solution with multiple parts to the current, more streamlined version for which we only need the software license to put it up on our own cloud and deliver it to multiple clients.

An area for improvement would be better automation and more inbuilt use cases. In the next release, RSA should include an inbuilt migration framework that can do remediation.

I've been using this solution since 2011.

This is a stable solution.

The software is scalable to whatever is required, and you can also put a lot of resources in the cloud.

The initial setup isn't much of a challenge and can be completed in under twelve hours.

Our license price is updated yearly, and there are no additional costs.

I would rate NetWitness Logs and Packets as eight out of ten.

We are a solution provider and RSA NetWitness is one of the products that we implement for our clients. We also use it ourselves, They primarily use it for threat protection.

The most valuable feature is the security that it provides.

The log-related capabilities are good.

It integrates well with other risk-assessment tools.

It is not so easy to customize this product.

This product would be improved with the addition of machine learning functionality.

I have been working with this product for perhaps eight years.

Stability is not a problem with NetWitness.

We have not heard any complaints about scalability. This is generally for enterprise-level companies.

The technical support is good and our customers are satisfied with it.

We use McAfee for internal purposes.

The complexity of the initial setup depends on the environment, but overall, I would say that it is quite easy. It isn't the easiest product to install, although it is not difficult, either.

They have just introduced an orchestration tool, although I don't know how it works yet.

Overall, this is a good product and I recommend it. However, I always suggest doing a proof of concept first, to make sure that it meets your needs.

I would rate this solution an eight out of ten.

We use the on-premise deployment model of this solution. Our primary use case of this solution is for malware detection and for reconstruction during the incident and forensic analysis.

The web interface needs improvement because right now they have problems combining an older interface with a newer interface. They're in the middle of the process of combining the old and the new one. It sometimes confuses the user and sometimes you are not able to find the necessary information. You need to click the information and that is something that should be improved.

The data isn't a problem but you need to get used to it. You need to know where to click in order to get the results. Otherwise, you can encounter some problems.

I would be very happy if they would fix all the issues from 11.3 to the 11.4 version to have more advantages from the UEBA because the UEBA we have implemented will be the longest. If they will fully integrate the UEBA with the network data, this could be a very huge advantage and impact on the market. Right now, you have a solution like Darktrace which has the same capabilities as RSA NetWitness so NetWitness should implement the same things. They have UEBA, they have data. They should implement algorithms to digest that data and produce additional, more advanced reporting, alerting and support of internal security teams.

It's very stable if you are talking about the old version. I don't like 11.3 and I don't know 11.4, it's not actually released. It provides accurate information, quick analysis from the endpoint perspective, and quick identification of any potential malware. But the 11.3 version is a complete disaster. You cannot analyze anything. 

I am part of the maintenance team. It's me and a couple more staff members that don't work full-time on this solution. I would say around four employees are required for maintenance but not full-time. 

It's fully scalable. There is no limit. Of course, the license limits per day the number of terabytes. In my opinion, it's very flexible.

We have 10,000 users using this solution.

We do plan to increase the usage of this solution. We want to implement more monitoring of the internal traffic from specific places. We need to implement more decoders, more concentrators, and some kind of organization with the log archiving. 

Their customer service is excellent, one of the best.

I have been using Fidelis and that works. It's all the same approach, but they only gather the metadata, not the full packet capture. If you want to compare those products together, I can safely say that RSA is much better because they offer full packet capture capability. It's more scalable and more flexible.

The initial set up was not very complex. The problem is with the use cases. You need to be very careful to not become overwhelmed with unnecessary data. You need to very carefully decide what should be filtered, what you need to be taken from the network or from the logs. You need to decide whether you need YouTube traffic at all, for example, because it consumes storage. It's a huge amount of data and that data is useless. It is not relevant to malicious activity and if you want to fully get the picture of the user activity or the motor activity you can have with data without Facebook, for example.

We have a perpetual license, so the total cost of ownership is not very expensive. It's a good investment.

We have looked through the Cisco solution to expand more devices from Fidelis to cover more areas of our network. I also evaluated Symantec and I have seen FireEye but it's hard to even compare those products to RSA.

If it's possible, ask for help from primary support to help you implement at the very beginning with the fundamental alert or detection rules. This is my best advice for a customer regardless of the size and scope of the implementation. Use the support to help you with the implementation process.

I would rate it an eight out of ten. 

We are a service providing company and this is one of the products that we implement for our clients. The RSA NetWitness Logs and Packets solution is used for Event Stream Analysis (ESA), and we implement use cases based on our customers' needs. For example, suppose the security device is a Palo Alto device then at the policy level, we implement the use cases. These might be things like phishing attacks or a botnet. Most companies follow the GDPR regulations for compliance.

We have RSA NetWitness implemented in virtual appliances.

The most valuable features are the packet decoder, log decoder, and concentrator. The packet decoder is capable of collecting the flow, whereas the log decoder is capable of collecting the event. NetWitness offers a hybrid solution that collects both and also uses the concentrator.

The alert dashboard is not reflecting events in real-time. We have to refresh in order to view an alert in real-time.

Log aggregation is an issue with this solution because there are a huge number of alerts in a single instance. Compared to ArcSight or QRadar, this is a problem.

We have been using RSA NetWitness for about a year and a half.

The stability of RSA NetWitness is good. It is used on a daily basis.

The ability to scale varies from client to client, and what the client's requirements are. Sometimes the client will want to move to a lighter platform and you have to consider the many inputs related to the cloud. 

We are supporting 10 to 15 clients for this solution. 

With regard to technical support, we have found that their diagnosis makes sense but in some cases, they are very late to reply. Our clients always want to resolve the issue through us, and sometimes the support takes a long time. Because RSA NetWitness is a new product, there are many things that they are trying to find out.

Overall, I would say that the support is good.

We are using multiple tools including QRadar, RSA NetWitness, LogRhythm, and Micro 
Focus ArcSight.

The QRadar setup gave us no issues, and it also works with logs and packets.

LogRhythm fulfills the GDPR compliance.

The initial setup is good, and it is not complex.

The length of time it takes to deploy depends on the type and size of the organization. It takes two to three days to implement this solution, including all of the installation and configuration. Once the company provides the requirements then we implement as per the organizational policy. 

We implement this solution using our in-house team, although if an issue should occur during installation then we can raise a ticket with support. We have had issues with difficult deployments because of the database during installation, which has lead to using the support portal. 

The number of people required for deployment and maintenance depends on how many logs are being integrated. Suppose there are 100 or 200 logs, then 10 people will be sufficient if they focus on deployment and troubleshooting. It also depends on the timeline. If the timeline is longer then five people are enough to complete the implementation.

Many clients are not able to purchase the packet capability because there is a huge amount of data, and the cost depends on the number of EPS (Events per second), as well as the number of gigabytes of data per day. 

My advice to anybody who is researching this solution is to consider the differences between the hardware and the virtual solution. The hardware is okay, but if you have any issues and need to restart then it is easy to do this with the VM. My preference is using the VM, where they can easily increase the size of storage if necessary.

It is important to remember that ESA takes all of the main memory. The minimum requirement is 96 GB of RAM, and this is very easy to implement on a virtual machine. My advice is to implement ESA using the maximum eligibility criteria. Consider what the hardware requires are in terms of RAM and storage, and use the maximum available for ESA.

This solution has a very good dashboard with a separate tab for incidents and alerts. There is a ticketing tool as well. If the problems with the dashboard are corrected then we will not need to have any other tools. The dashboard is a very important feature for clients.

I would rate this solution a seven out of ten.

 Our customers are enterprise-level businesses.

The most valuable features are the integration and ease of use. It is a pretty simple platform that can integrate very well with our system.

The documentation is not as structured as I would like, personally, and I think that it can be improved and made much more user-friendly. I may see it differently than other people.

I would like to see a little question mark beside each button that you can click and find out what that button is for. It would make it much easier for people who are new to the solution. Like a pop-up appearing when hovering over the question mark, attached to each main action and split into branches. 

We began using RSA NetWitness Logs and Packets not long ago.

This is a very stable product.

I have not been in contact with technical support.

I would say that RSA University is fair and square. It is a bit tricky because they have changed the learning platform and I had trouble enrolling in courses. I needed to contact Dell EMC support, which is the same support for RSA, and they assigned the courses to me in one or two hours. In the end, I was very satisfied. It is a bit expensive but the companies are paying for it.

The initial setup is straightforward. I am also coding so it is easy for me to adapt.

I have also worked with RSA SecurID and I can say that from the moment I touched it, it has been very easy for me to use.

The company is very active on the market and it is improving continuously. EMC/RSA are trying to approach a build such that it can meet every user's needs, but you can't satisfy everyone.

I recommend RSA NetWitness alongside other products, although I would suggest this first because of the user-friendly interface and easy-to-manipulate options. The only issue I have is with the documentation.

Overall, this is a good solution with suitable features and it very well fits our needs.

I would rate this solution a nine out of ten.

We are using this solution for security.

The most valuable features are the packet inspection and the automated incident response.

More customizability is required, which is something that they need to improve on.

When it comes to starting a log event, there are not many options available. It is very limited.

The log and event correlation need improvement.

The threat detection capability should be enhanced.

I have been using this solution for one month.

We are using it on a daily basis and, so far, it has been stable.

We have approximately 6000 employees, which means that we have 6000 endpoints that this product is working with. It is easy to scale it up to production.

We have not had to contact technical support.

In this company, they did not use a similar solution prior to this one. Personally, I used Splunk in my previous organization. Definitely, I prefer to use Splunk because there is more functionality, visibility, and options. You can do whatever you want with Splunk.

The initial setup is not complex, and more on the simple side. Our deployment took almost five months in total.

We had assistance from an integrator and the vendor for our deployment.

We have administrators in the company who take care of administration and maintenance. The vendor was only needed for the implementation.

RSA is something that I can recommend.

I would rate this solution a six out of ten.

The RSA NetWitness Logs and Packets solution was set up as part of the SOC. It is set up on two sides. One is for the Data Center (DC) side, and the other is for the Disaster Recovery (DR) side.

The most valuable feature is that we can create our own connectors for any application, and NetWitness provides the training and tools to do it. With some other solutions, creating custom connectors is very costly.

The dashboard is very simple to use.

The initial setup is very complex and should be simplified.

We had some trouble integrating with our Check Point firewall.

I used RSA NetWitness for a couple of months in my previous company.

It was too early to say whether this solution was stable because you need at least a year to determine that. In the initial stages, we were still getting a lot of alerts because there was no time to fine-tune it. Maybe after six or eight months, we would have been able to say whether the product was stable. Just before reaching that point, I left the organization.

What I can say is that for the time I was there, we did not experience any bugs, crashes, or glitches.

This solution is scalable. We had between 20 and 25 users, although, on a daily basis, I would say that 13 to 16 people used it.

We did not interact with technical support because we were working with the vendor, and the vendor was working with them.

We tried to implement Paladion but we were not about to complete our PoC because of problems.

The initial setup is very complex. It requires having knowledge of what components do and which go where. An example is knowing which component will fetch data and where it goes. This is very difficult for somebody new and a person should have a minimum of one to two years of work experience.

Our deployment of the two solutions and having them work simultaneously took between four and five months.

We have an in-house team, but the vendor gave us support as well. The initial setup was very tough, which is why it took four or five months to implement everything and make sure that it was configured as per our requirements.

There were six people involved in the deployment. Three from the vendor's team and three from my team. They were working day and night to make sure that things worked well.

The number of people required for maintenance depends on the hours of operation. If the business hours are 24/7 for the entire year then two people are required for maintenance.

We did not evaluate other options.

My advice for anybody who is implementing this solution is to make sure that the team handling the deployment is skilled. Without support, they will not be able to do it at all.

Also, if somebody wants to make their own connectors then they will need to have a development team. Without knowledge of scripting, it is not possible to make connectors. So, I would say that at an early point there needs to be somebody specialized in the use of this product.

I would rate this solution a six out of ten.