NetWitness Platform Reviews

We are no longer using this solution, however, it was used mostly for network monitoring. 

The most valuable feature is the ability to write rules and triggers for network communication and then being able to investigate based on that. You can see the payload and deconstruct the packets.

The solution would be greatly improved by unifying the management to one configuration option. One of the problems the system had is that you always have to choose the managed host. For example, if you want to write a rule, you have to duplicate it across your managed hosts. It should have centralized management. If you want to make a change then it should be configured automatically, so that you don't need to go one by one, changing it. That is really annoying.

Another problem is that the EPL (Event Processing Language) is not properly explained, and the expert could not even use it when they came to our site. It was causing the system to crash, so they should really consider using something else.

The system looks like it is a mix of a bunch of different systems, and nothing looked like it was quite together. I think that it could be better integrated, and it would be great for new customers or even existing customers.

I cannot say that the solution was stable because it tended to crash. We were using it before version 11, where some of the problems were supposed to be solved. I have heard from insiders that version 11 does not hold up to the hype and they're still facing some of the same problems.

I think that the solution is scalable because you can easily add news hosts. This is one of the things that was really straightforward and we appreciated. 

The people that we spoke with from technical support were really professional. Some visited us on-site and did some training with our analysists. They are really good staff and we really liked it. The company that did the integration at the site where I was working was planning on re-hiring them for other customers, so they made a good impression.

The support is responsive by email, but initially, it is a little bit lacking. Beyond the initial emails, it is quite professional.

I was not part of the initial setup, but I can tell you that managing the system, in general, is not straightforward. It is quite elusive and very confusing, even after calls to technical support.

This is a pricey solution; it's not cheap.

Perhaps if the implementation is small then it is not bad, but if you have a global network or a security agency that needs to be segregated on the network, then it can be quite pricey.

This solution has some good features, but it is lacking in usability. This means that I would rate it somewhere in the middle. I would rate this solution a five out of ten.

As mentioned elsewhere, this product provides full visibility for the activities in the networks and systems. For example, it provides detection of the attacks in early stages (brute-force attacks), by which the attackers try to gain access to the systems, by trying to log in using different usernames and passwords (might be in a dictionary).

RSA NetWitness is a SIEM and real-time network traffic solution. It collects logs/packets and applies a set of alerting, reporting and analysis rules on them. Thus, it provides the enterprise with a full visibility of the networks and activities of the systems.

Its main features/components are:

• Investigation Module: It is the location where the SOC analysts can find all logs/packets captured in a time-frame, that are related/non-related and have drill-down/filtration capabilities all in one table, for investigation and analysis.
• Alerting Module: It provides real-time event processing language on all the logs/packets stream for advanced alerting, i.e., using SQL LIKE statements.
• Reporting Module: It provides advanced reporting capabilities.
• Dashboard Module: It provides dashboards for specific activities on the systems and networks.
• Command and Control Detection: In additional to identifying the C&C IPs through threat intelligence, NetWitness investigates the packets to determine any type of suspicious C&C communication, by using a feature called Automated Threat Detection.
• Threat Hunting Package: By using this advanced technique, NetWitness automatically investigates all the service sessions, files/packets and then it identifies any IoCs, BoCs and EoCs.
• Context Lookup: In order to give an overview during investigation, this feature highlights any value related to the previous alert, incident, RSA ECAT feed mentioned or even if it had any comment from the RSA community, that leads to detecting any recent attack (even if it is still not announced on threat intelligence).
• Incident Module: It provides an automated incident handling utility to ensure that right actions have been taken to close the incident.
• Malware Analysis Module: It provides a file analysis environment including sandboxing, community etc., so as to investigate more of the files captured through the environment traffic.

• Out-of-the-box alerts and investigation rules
• Health monitoring of the event sources and devices
• Threat intelligence for data accuracy

We encountered stability issues in the earlier versions, and much fewer in the newer versions.

There were no scalability issues.

The new pricing and licensing mechanisms are fair. I would advise always to get the full solution (i.e., not only Logs).

I did not evaluate other solutions.

The only thing I advise others is to spend enough time for fine-tuning and the initial rule development.

You should also develop a plan for the ongoing development and fine-tuning, as found in all the other leading SIEM solutions.

The primary use case of this solution is for security.

We use the UEBA tool.

What we are mainly using are the RSA Concentrator, RSA Decoder, Archiver, Broker, and Log Decoder.

Security needs improvement.

We would still like to know how the traffic is entering the organization. We can find out but it will take time before we know, leaving the organization vulnerable for attack.

There is no SIEM tool in the world that can provide 100% security.

I have been using this solution for five months.

Stability has not been an issue with this product.

It's a scalable solution.

The initial setup was straightforward, not at all complex.

There are approximately 1,400 devices that are integrated into RSA in my organization. While I was not a part of the integration, from my knowledge, it would take a week.

We have looked at similar systems and find that the architecture is somewhat different, yet the functionality is similar.

This is a product that I recommend.

I would rate this solution an eight out of ten.

I am currently working in a security operations center and RSA NetWitness Log and Packets is part of our security solution. We use it for log management and anomaly identification. It is used for compliance as well because it has a log archiving capability that will span at least a couple of years.

We are also using it to facilitate monitoring and research.

Performance and reporting are very good. 

The user interface is a little bit difficult for new users and it needs to be improved.

It takes a lot of time to register when compared to other solutions.

I have been using this solution for about one year, although it has been in the company for a couple of years.

We did have some issues before our upgrade from version 10.6., although they were not major. Since the upgrade, I have noticed that some of these things have gotten better.

I would say that this is a stable solution, although there are some minor issues that need to be settled. Currently, they are being investigated.

We have never had issues with scalability. We can reduce the usage as per our requirement and we increased our capacity in 2019. We are planning to further increase, either this year or next year. Scalability overall is quite easy.

When we started finding problems, we got in touch with technical support and opened tickets. They worked with us to resolve them. I would rate them good, although not great. At times, I felt that they were being really short with me.

I was not part of the initial setup but my understanding is that there were no issues and everything was good. I was part of the upgrade from version 10.6 to 11.3 and it was smooth, with no major issues.

The deployment was done by my manager a couple of years ago.

My advice to anybody who is considering this solution is that it is a relatively good program, but you want to take some time to get used to it. Once it is deployed and you are used to it, you can do whatever you want. Orchestration is another element that is there.

I would recommend this solution for large organizations that need to be compliant with these types of things. My main complaint is about the user interface.

I would rate this solution an eight out of ten.

Reliable in terms of no data loss. Plays a huge role in device health checks (Event Source Monitor). Provides FSEs relevant information prior to end user problem solutions (if data sources are integrated and parsed properly).

• Packet Solution: Allows analyst proactive hunting and alerting on daily sophisticated APTs.
• Broker service: Aggregate multiple concentrator devices deployed in various sites which accelerates analyst’s duties.
• Archiver – Does log retention for three to five years for forensics purposes or targeted investigations in the future.

Advance monitoring and alerting feature is not stable (Event Stream Analysis). Does not allow certain use cases running parallel.

The reporting module: If only their dashboards resembled anything you would see on any BI reporting tools.

More than once with fine tuning use cases (ESA feature) for real-time monitoring.

Reporting feature suddenly limits the amount of log extraction over certain cycles.

Never.

An eight out of 10. RSA tech support is awesome.

Sometimes they face huge challenges when an unknown bug hits their system and tech support must take their cases to engineering.

None in production other than RSA. However, I will be using IBM QRadar towards the end of this year.

I was never involved in setting up the solution with any of my employers. I get to learn the architecture and see the environment once it's complete.

RSA licensing ranges per core devices and services.

An additional Designated Support Engineer can be acquired at quite a pricy cost. They are reliable as your system and will be given a higher priority than any other support case(s).

Our partnership with RSA was already in place. No room for evaluation.

Top SIEM tools such as HP Arcsight, McAfee ESM, and IBM QRadar.

Either operating this solution in-house or reselling. First, outline all your data sources. Give more priority to the assets you want to protect.

Event source type and versions will be key.

Additional useful features:

• Easy to integrate common data sources.
• User friendly GUI.
• Basic SQL rule syntax.

We are using RSA Security analytics version 10.6.3.2 and upgrading to 10.6.4 in mid-September. NetWitness suite v11 is due in October as a major upgrade.

The customer that we work with uses it to gather logs from all the devices in their enterprise so that they have that single point of visibility into trace information in the environment.

The packet capture aspect of it is a valuable feature because it is quite different from a traditional SIEM solution that only carries out investigations based on captured logs. So, the capture packet also gives you specific insight into what's going on in the network, and it makes your trace investigation much more comprehensive.

The user interface is fine.

The reporting aspect could be improved. There are instances where you try to run the reports and then it does not give you the desired outcome. At times, it appears as if the reporting feature might be buggy.

You want to actually follow the trends and see how technology is advancing. I think they've done that with regard to security orchestration, automation, and response. However, I think that they could do better with the automation and response.

We have been selling RSA NetWitness Logs and Packets (RSA SIEM) for 18 months now.

It is stable.

This solution is scalable.

Technical support has been quite a challenge. There are instances where you reach out to support, and the initial response is fast. When they get to experience what the problem is, we would expect them to be able to fix it on time, but then, we'd notice that there could be quite a lot of back and forth with customers in trying to get an issue resolved.

This is a situation where you have other solutions plugging into this one, so there are times when the issue being experienced has to do with another solution. So there are problems with accepting responsibility.

In general, I would rate them at 70% on technical support.

I've not been involved in initial setup, but I've seen upgrades. I think it's quite straightforward.

From a pricing perspective, I wouldn't say it's too expensive because recently, they came up with a good plan that would also work for small enterprises.

At the early stage, it was quite appliance-based, but now you have virtual machines that take away the appliance cost for customers. So, price wise, it is fair compared to the cost of other SIEM solutions.

It's a comprehensive SIEM solution. The packet capture feature is one thing that will be very beneficial for all accounts because it gives you that general visibility into what's going on even on your network. It's a great product, and I would rate it at eight on a scale from one to ten. It's way ahead of the others. 

We don't have a primary use case. There are many use cases that we have defined based on business needs.

The most valuable features are its

• ingestion of logs 
• raising of alerts based on those logs.

I'd like to see improvement in its ease of use. It's basically unusable. It's overly complex.

We used RSA as our consultants. Our experience with them wasn't the most productive. We also have various other consultants in to help as well. Their ability to configure this particular platform is limited because it's such a complex product. There are so many classes you need to take in order to be proficient at it. There are so few people on the planet who can do it. You need an army of people to keep this thing going.

It's supposed to help our security program maturity. Has it? I think that's another question.

I rate this product at three out of ten. It is overly complicated. It has taken years to implement and the return on investment just isn't there.

Full packet capture: A must in an SOC

Possibility to investigate incidents based on logs and raw packets, such as extracting files sent over the network

Built-in Incident Management module for small security/SOC teams

Advanced correlation engine based on metadata flow: Provides nearly real time correlation

Rich reporting options

We can monitor all traffic to/from our company.

It is possible to track end user behaviour.

With RSA NetWitness Endpoint, we are able to monitor not only the network, but also what’s happening on endpoints, i.e., behaviour analytics for processes inside the operating system.

Thanks to this tool, we have a small SOC running in our company.

Integration with external tools should be built-in, such as an external sandbox for files.

We can import data using external feeds, using STIX or CVS files.

The REST API is poor

The system architecture is complex and sometimes it’s hard to troubleshoot potential problems.

RSA should improve backup options and High Availability architecture.

Data is stored on separate components without redundancy. It’s possible to have backup for data, but you have to use an external backup solution.

I have used this product for two and a half years.

The system is stable if you provide enough CPU, RAM, and HDD (IOPS). Sizing should be done by RSA Professional Services or by an experienced partner for Virtual Machines. The hardware is sized well.

There were no scalability issues, but you have to know what you are doing. Proper network deployment is important. Metadata flows are quite big between internal system components. Of course, it depends on how many network packets and logs are logged into the system.

I would give technical support a rating of 8/10. Sometimes you have to wait for an initial response, especially if it’s not a critical problem. But when they start investigating, they do it quite well.

For full packet capture, we had Blue Coat Security Analytics. We switched because in NetWitness, we have everything needed to run a small SOC in our company.(Packets, logs, endpoints, incident management module, correlation, reporting, and investigation available for analysts.)

It’s a very easy product to install, when you know what you are doing. Customers without any experience should cooperate with RSA Professional Services or a partner company. It’s too complex of a product to deploy for someone without experience. It can be done, but the value coming from RSA or a partner is incomparable.

Prepare use cases, i.e., what to do and how.

Collect information about EPS for logs and total bandwidth for packets. This will allow you to properly size the licensing.

Hardware is too expensive in my opinion (Eastern Europe). It’s cheaper to run virtual machines in a VMware environment. (Keep in mind that CPU, RAM, and especially HDD requirements must be matched.)

We had Blue Coat Security Analytics, but we’re an RSA partner so it was natural to use the technology available to us.

• Don’t rush. Prepare use cases for packets and logs as it is a very important part of deployment and future use.
• Use RSA Professional Services or a partner. Don’t deploy alone.
• A basic administration course is a must for all administrators.
• System architecture may be very easy or very complex. Do sizing well with external help.