NetWitness Platform OverviewUNIXBusinessApplication

NetWitness Platform is the #11 ranked solution in top Security Information and Event Management (SIEM) tools and #12 ranked solution in Log Management Software. PeerSpot users give NetWitness Platform an average rating of 7.6 out of 10. NetWitness Platform is most commonly compared to Splunk: NetWitness Platform vs Splunk. NetWitness Platform is popular among the large enterprise segment, accounting for 64% of users researching this solution on PeerSpot. The top industry researching this solution are professionals from a computer software company, accounting for 19% of all views.
NetWitness Platform Buyer's Guide

Download the NetWitness Platform Buyer's Guide including reviews and more. Updated: November 2022

What is NetWitness Platform?

NetWitness Platform is an evolved SIEM and threat detection and response solution that functions as a single, unified platform for ALL your security data. It features an advanced analyst workbench for triaging alerts and incidents, and it orchestrates security operations programs end to end. In short: NetWitness Platform is all you need to run an intelligent SOC.

NetWitness Platform was previously known as RSA Security Analytics.

NetWitness Platform Customers

Los Angeles World Airports, Reply

Archived NetWitness Platform Reviews (more than two years old)

Filter by:
Filter Reviews
Industry
Loading...
Filter Unavailable
Company Size
Loading...
Filter Unavailable
Job Level
Loading...
Filter Unavailable
Rating
Loading...
Filter Unavailable
Considered
Loading...
Filter Unavailable
Order by:
Loading...
  • Date
  • Highest Rating
  • Lowest Rating
  • Review Length
Search:
Showingreviews based on the current filters. Reset all filters
Associate Manager Human Resources at a financial services firm with 1,001-5,000 employees
Real User
Good packet inspection and automated incident response, but it needs to be more customizable
Pros and Cons
  • "The most valuable features are the packet inspection and the automated incident response."
  • "More customizability is required, which is something that they need to improve on."

What is our primary use case?

We are using this solution for security.

What is most valuable?

The most valuable features are the packet inspection and the automated incident response.

What needs improvement?

More customizability is required, which is something that they need to improve on.

When it comes to starting a log event, there are not many options available. It is very limited.

The log and event correlation need improvement.

The threat detection capability should be enhanced.

For how long have I used the solution?

I have been using this solution for one month.

Buyer's Guide
NetWitness Platform
November 2022
Learn what your peers think about NetWitness Platform. Get advice and tips from experienced pros sharing their opinions. Updated: November 2022.
657,397 professionals have used our research since 2012.

What do I think about the stability of the solution?

We are using it on a daily basis and, so far, it has been stable.

What do I think about the scalability of the solution?

We have approximately 6000 employees, which means that we have 6000 endpoints that this product is working with. It is easy to scale it up to production.

How are customer service and support?

We have not had to contact technical support.

Which solution did I use previously and why did I switch?

In this company, they did not use a similar solution prior to this one. Personally, I used Splunk in my previous organization. Definitely, I prefer to use Splunk because there is more functionality, visibility, and options. You can do whatever you want with Splunk.

How was the initial setup?

The initial setup is not complex, and more on the simple side. Our deployment took almost five months in total.

What about the implementation team?

We had assistance from an integrator and the vendor for our deployment.

We have administrators in the company who take care of administration and maintenance. The vendor was only needed for the implementation.

What other advice do I have?

RSA is something that I can recommend.

I would rate this solution a six out of ten.

Which deployment model are you using for this solution?

On-premises
Disclosure: I am a real user, and this review is based on my own experience and opinions.
PeerSpot user
Analyst at Microland Limited
Real User
Easy to set up with good UEBA functionality
Pros and Cons
  • "What we are mainly using are the RSA concentrator, RSA Decoder, Archiver, Broker, and Log Decoder."
  • "Security needs improvement."

What is our primary use case?

The primary use case of this solution is for security.

We use the UEBA tool.

What is most valuable?

What we are mainly using are the RSA Concentrator, RSA Decoder, Archiver, Broker, and Log Decoder.

What needs improvement?

Security needs improvement.

We would still like to know how the traffic is entering the organization. We can find out but it will take time before we know, leaving the organization vulnerable for attack.

There is no SIEM tool in the world that can provide 100% security.

For how long have I used the solution?

I have been using this solution for five months.

What do I think about the stability of the solution?

Stability has not been an issue with this product.

What do I think about the scalability of the solution?

It's a scalable solution.

How was the initial setup?

The initial setup was straightforward, not at all complex.

There are approximately 1,400 devices that are integrated into RSA in my organization. While I was not a part of the integration, from my knowledge, it would take a week.

Which other solutions did I evaluate?

We have looked at similar systems and find that the architecture is somewhat different, yet the functionality is similar.

What other advice do I have?

This is a product that I recommend.

I would rate this solution an eight out of ten.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
PeerSpot user
Buyer's Guide
NetWitness Platform
November 2022
Learn what your peers think about NetWitness Platform. Get advice and tips from experienced pros sharing their opinions. Updated: November 2022.
657,397 professionals have used our research since 2012.
Security Engineer/Architect at Telecom Italia
Real User
Offers good security, integrates well, and they have good technical support
Pros and Cons
  • "The most valuable feature is the security that it provides."
  • "It is not so easy to customize this product."

What is our primary use case?

We are a solution provider and RSA NetWitness is one of the products that we implement for our clients. We also use it ourselves, They primarily use it for threat protection.

What is most valuable?

The most valuable feature is the security that it provides.

The log-related capabilities are good.

It integrates well with other risk-assessment tools.

What needs improvement?

It is not so easy to customize this product.

This product would be improved with the addition of machine learning functionality.

For how long have I used the solution?

I have been working with this product for perhaps eight years.

What do I think about the stability of the solution?

Stability is not a problem with NetWitness.

What do I think about the scalability of the solution?

We have not heard any complaints about scalability. This is generally for enterprise-level companies.

How are customer service and technical support?

The technical support is good and our customers are satisfied with it.

Which solution did I use previously and why did I switch?

We use McAfee for internal purposes.

How was the initial setup?

The complexity of the initial setup depends on the environment, but overall, I would say that it is quite easy. It isn't the easiest product to install, although it is not difficult, either.

What other advice do I have?

They have just introduced an orchestration tool, although I don't know how it works yet.

Overall, this is a good product and I recommend it. However, I always suggest doing a proof of concept first, to make sure that it meets your needs.

I would rate this solution an eight out of ten.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
PeerSpot user
IT and Cybersecurity Professional at a financial services firm
Real User
Easy to deploy with powerful threat prediction and network forensics capabilities
Pros and Cons
  • "The most valuable features are the threat prediction and network forensics."
  • "Lots of competing products have vulnerability protection built into their products, and this solution would be improved by including that support."

What is our primary use case?

Our primary use case is real-time threat prediction so that we can minimize the person-hours of IT security analysts.

What is most valuable?

The most valuable features are the threat prediction and network forensics. For example, if there is any malware on the network, I am able to see who received it and who clicked on it. I like this functionality the most.

The deployment of the appliance is easy, where even a non-technical person can configure it.

What needs improvement?

The SOAR (security orchestration, automation, and response) component has areas for improvement.

Technical support needs to be improved.

Integration with third-party products for industries such as the banking sector, or telecommunications, presents challenges that require help from the OEM.

Lots of competing products have vulnerability protection built into their products, and this solution would be improved by including that support.

For how long have I used the solution?

We have been using RSA NetWitness for about 10 years.

What do I think about the stability of the solution?

There are no issues in terms of stability.

What do I think about the scalability of the solution?

This solution is pretty scalable, as I am using the VM infrastructure. It can scale to whatever you need.

How are customer service and technical support?

I am not happy with the RSA support. Sometimes they can be really annoying because it takes so long to get the support that you need.

Which solution did I use previously and why did I switch?

I have used RSA enVision and ArcSight in the past. We migrated from RSA enVision because they had declared the product end-of-life and upgraded to the NetWitness platform.

The Logs component is similar to what other competitors, such as IBM, ArcSight, and LogRhythm have. What distinguishes this solution is the Packets component. It is critical and something that people should make use of.

How was the initial setup?

It is easy to deploy the appliance. Anyone can mount and configure it. There is a simple, pre-built OS that they just need to mount in the VM infrastructure, and that is clearly mentioned in the documentation. It will take two or three days to deploy, at most.

The challenge comes with trying to integrate with third-party application servers. 

What about the implementation team?

We deployed this solution with our in-house team.

The number of people required for maintenance depends on your use case. If you are only using it to maintain the infrastructure then two staff is sufficient. However, if you want to implement a full-fledged SOC then you will need at least four or five people.

What other advice do I have?

My advice for anybody who is implementing this solution is to look at both their endpoints and circuit paths. The two components, Logs and Packets, should definitely both be considered. Even if there is an on-premises SIEM log, they can integrate it.

Overall, I feel that the product is very good and my biggest complaint is about their support.

I would rate this solution an eight out of ten.

Which deployment model are you using for this solution?

On-premises
Disclosure: I am a real user, and this review is based on my own experience and opinions.
PeerSpot user
Information Securuty Analyst at a tech services company with 11-50 employees
Real User
Good performance, reporting, and log archiving capability
Pros and Cons
  • "Performance and reporting are very good."
  • "The user interface is a little bit difficult for new users and it needs to be improved."

What is our primary use case?

I am currently working in a security operations center and RSA NetWitness Log and Packets is part of our security solution. We use it for log management and anomaly identification. It is used for compliance as well because it has a log archiving capability that will span at least a couple of years.

We are also using it to facilitate monitoring and research.

What is most valuable?

Performance and reporting are very good. 

What needs improvement?

The user interface is a little bit difficult for new users and it needs to be improved.

It takes a lot of time to register when compared to other solutions.

For how long have I used the solution?

I have been using this solution for about one year, although it has been in the company for a couple of years.

What do I think about the stability of the solution?

We did have some issues before our upgrade from version 10.6., although they were not major. Since the upgrade, I have noticed that some of these things have gotten better.

I would say that this is a stable solution, although there are some minor issues that need to be settled. Currently, they are being investigated.

What do I think about the scalability of the solution?

We have never had issues with scalability. We can reduce the usage as per our requirement and we increased our capacity in 2019. We are planning to further increase, either this year or next year. Scalability overall is quite easy.

How are customer service and technical support?

When we started finding problems, we got in touch with technical support and opened tickets. They worked with us to resolve them. I would rate them good, although not great. At times, I felt that they were being really short with me.

How was the initial setup?

I was not part of the initial setup but my understanding is that there were no issues and everything was good. I was part of the upgrade from version 10.6 to 11.3 and it was smooth, with no major issues.

What about the implementation team?

The deployment was done by my manager a couple of years ago.

What other advice do I have?

My advice to anybody who is considering this solution is that it is a relatively good program, but you want to take some time to get used to it. Once it is deployed and you are used to it, you can do whatever you want. Orchestration is another element that is there.

I would recommend this solution for large organizations that need to be compliant with these types of things. My main complaint is about the user interface.

I would rate this solution an eight out of ten.

Which deployment model are you using for this solution?

On-premises
Disclosure: My company has a business relationship with this vendor other than being a customer: Partner
PeerSpot user
AdrianMache - PeerSpot reviewer
RSA Specialist at a computer software company with 1,001-5,000 employees
Real User
A user-friendly solution that integrates well with our system
Pros and Cons
  • "The most valuable features are the integration and ease of use."
  • "The documentation is not as structured as I would like, personally, and I think that it can be improved and made much more user-friendly."

What is our primary use case?

 Our customers are enterprise-level businesses.

What is most valuable?

The most valuable features are the integration and ease of use. It is a pretty simple platform that can integrate very well with our system.

What needs improvement?

The documentation is not as structured as I would like, personally, and I think that it can be improved and made much more user-friendly. I may see it differently than other people.

I would like to see a little question mark beside each button that you can click and find out what that button is for. It would make it much easier for people who are new to the solution. Like a pop-up appearing when hovering over the question mark, attached to each main action and split into branches. 

For how long have I used the solution?

We began using RSA NetWitness Logs and Packets not long ago.

What do I think about the stability of the solution?

This is a very stable product.

How are customer service and technical support?

I have not been in contact with technical support.

I would say that RSA University is fair and square. It is a bit tricky because they have changed the learning platform and I had trouble enrolling in courses. I needed to contact Dell EMC support, which is the same support for RSA, and they assigned the courses to me in one or two hours. In the end, I was very satisfied. It is a bit expensive but the companies are paying for it.

How was the initial setup?

The initial setup is straightforward. I am also coding so it is easy for me to adapt.

What other advice do I have?

I have also worked with RSA SecurID and I can say that from the moment I touched it, it has been very easy for me to use.

The company is very active on the market and it is improving continuously. EMC/RSA are trying to approach a build such that it can meet every user's needs, but you can't satisfy everyone.

I recommend RSA NetWitness alongside other products, although I would suggest this first because of the user-friendly interface and easy-to-manipulate options. The only issue I have is with the documentation.

Overall, this is a good solution with suitable features and it very well fits our needs.

I would rate this solution a nine out of ten.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
PeerSpot user
IT Security Head with 1,001-5,000 employees
Real User
Has a simple dashboard and you can develop connectors for any application, but it is difficult to set up
Pros and Cons
  • "The most valuable feature is that we can create our own connectors for any application, and NetWitness provides the training and tools to do it."
  • "The initial setup is very complex and should be simplified."

What is our primary use case?

The RSA NetWitness Logs and Packets solution was set up as part of the SOC. It is set up on two sides. One is for the Data Center (DC) side, and the other is for the Disaster Recovery (DR) side.

What is most valuable?

The most valuable feature is that we can create our own connectors for any application, and NetWitness provides the training and tools to do it. With some other solutions, creating custom connectors is very costly.

The dashboard is very simple to use.

What needs improvement?

The initial setup is very complex and should be simplified.

We had some trouble integrating with our Check Point firewall.

For how long have I used the solution?

I used RSA NetWitness for a couple of months in my previous company.

What do I think about the stability of the solution?

It was too early to say whether this solution was stable because you need at least a year to determine that. In the initial stages, we were still getting a lot of alerts because there was no time to fine-tune it. Maybe after six or eight months, we would have been able to say whether the product was stable. Just before reaching that point, I left the organization.

What I can say is that for the time I was there, we did not experience any bugs, crashes, or glitches.

What do I think about the scalability of the solution?

This solution is scalable. We had between 20 and 25 users, although, on a daily basis, I would say that 13 to 16 people used it.

How are customer service and technical support?

We did not interact with technical support because we were working with the vendor, and the vendor was working with them.

Which solution did I use previously and why did I switch?

We tried to implement Paladion but we were not about to complete our PoC because of problems.

How was the initial setup?

The initial setup is very complex. It requires having knowledge of what components do and which go where. An example is knowing which component will fetch data and where it goes. This is very difficult for somebody new and a person should have a minimum of one to two years of work experience.

Our deployment of the two solutions and having them work simultaneously took between four and five months.

What about the implementation team?

We have an in-house team, but the vendor gave us support as well. The initial setup was very tough, which is why it took four or five months to implement everything and make sure that it was configured as per our requirements.

There were six people involved in the deployment. Three from the vendor's team and three from my team. They were working day and night to make sure that things worked well.

The number of people required for maintenance depends on the hours of operation. If the business hours are 24/7 for the entire year then two people are required for maintenance.

Which other solutions did I evaluate?

We did not evaluate other options.

What other advice do I have?

My advice for anybody who is implementing this solution is to make sure that the team handling the deployment is skilled. Without support, they will not be able to do it at all.

Also, if somebody wants to make their own connectors then they will need to have a development team. Without knowledge of scripting, it is not possible to make connectors. So, I would say that at an early point there needs to be somebody specialized in the use of this product.

I would rate this solution a six out of ten.

Which deployment model are you using for this solution?

On-premises
Disclosure: I am a real user, and this review is based on my own experience and opinions.
PeerSpot user
RamneshDubey - PeerSpot reviewer
Senior Cyber Security Specialist at a computer software company with 10,001+ employees
Real User
Good support, powerful decoders and concentrator, but the dashboard is not reflecting events in real-time
Pros and Cons
  • "The most valuable features are the packet decoder, log decoder, and concentrator."
  • "Log aggregation is an issue with this solution because there are a huge number of alerts in a single instance."

What is our primary use case?

We are a service providing company and this is one of the products that we implement for our clients. The RSA NetWitness Logs and Packets solution is used for Event Stream Analysis (ESA), and we implement use cases based on our customers' needs. For example, suppose the security device is a Palo Alto device then at the policy level, we implement the use cases. These might be things like phishing attacks or a botnet. Most companies follow the GDPR regulations for compliance.

We have RSA NetWitness implemented in virtual appliances.

What is most valuable?

The most valuable features are the packet decoder, log decoder, and concentrator. The packet decoder is capable of collecting the flow, whereas the log decoder is capable of collecting the event. NetWitness offers a hybrid solution that collects both and also uses the concentrator.

What needs improvement?

The alert dashboard is not reflecting events in real-time. We have to refresh in order to view an alert in real-time.

Log aggregation is an issue with this solution because there are a huge number of alerts in a single instance. Compared to ArcSight or QRadar, this is a problem.

For how long have I used the solution?

We have been using RSA NetWitness for about a year and a half.

What do I think about the stability of the solution?

The stability of RSA NetWitness is good. It is used on a daily basis.

What do I think about the scalability of the solution?

The ability to scale varies from client to client, and what the client's requirements are. Sometimes the client will want to move to a lighter platform and you have to consider the many inputs related to the cloud. 

We are supporting 10 to 15 clients for this solution. 

How are customer service and technical support?

With regard to technical support, we have found that their diagnosis makes sense but in some cases, they are very late to reply. Our clients always want to resolve the issue through us, and sometimes the support takes a long time. Because RSA NetWitness is a new product, there are many things that they are trying to find out.

Overall, I would say that the support is good.

Which solution did I use previously and why did I switch?

We are using multiple tools including QRadar, RSA NetWitness, LogRhythm, and Micro 
Focus ArcSight.

The QRadar setup gave us no issues, and it also works with logs and packets.

LogRhythm fulfills the GDPR compliance.

How was the initial setup?

The initial setup is good, and it is not complex.

The length of time it takes to deploy depends on the type and size of the organization. It takes two to three days to implement this solution, including all of the installation and configuration. Once the company provides the requirements then we implement as per the organizational policy. 

What about the implementation team?

We implement this solution using our in-house team, although if an issue should occur during installation then we can raise a ticket with support. We have had issues with difficult deployments because of the database during installation, which has lead to using the support portal. 

The number of people required for deployment and maintenance depends on how many logs are being integrated. Suppose there are 100 or 200 logs, then 10 people will be sufficient if they focus on deployment and troubleshooting. It also depends on the timeline. If the timeline is longer then five people are enough to complete the implementation.

What's my experience with pricing, setup cost, and licensing?

Many clients are not able to purchase the packet capability because there is a huge amount of data, and the cost depends on the number of EPS (Events per second), as well as the number of gigabytes of data per day. 

What other advice do I have?

My advice to anybody who is researching this solution is to consider the differences between the hardware and the virtual solution. The hardware is okay, but if you have any issues and need to restart then it is easy to do this with the VM. My preference is using the VM, where they can easily increase the size of storage if necessary.

It is important to remember that ESA takes all of the main memory. The minimum requirement is 96 GB of RAM, and this is very easy to implement on a virtual machine. My advice is to implement ESA using the maximum eligibility criteria. Consider what the hardware requires are in terms of RAM and storage, and use the maximum available for ESA.

This solution has a very good dashboard with a separate tab for incidents and alerts. There is a ticketing tool as well. If the problems with the dashboard are corrected then we will not need to have any other tools. The dashboard is a very important feature for clients.

I would rate this solution a seven out of ten.

Which deployment model are you using for this solution?

Private Cloud
Disclosure: My company has a business relationship with this vendor other than being a customer: Partner
PeerSpot user
Hubert Luberek - PeerSpot reviewer
Information Technology Security Architect at a financial services firm with 5,001-10,000 employees
Real User
Provides accurate information, quick analysis from the endpoint perspective, and quick identification of any potential malware
Pros and Cons
  • "It's fully scalable. There is no limit. Of course, the license limits per day the number of terabytes. In my opinion, it's very flexible."
  • "They should implement algorithms to digest that data and produce additional, more advanced reporting, alerting and support of internal security teams."

What is our primary use case?

We use the on-premise deployment model of this solution. Our primary use case of this solution is for malware detection and for reconstruction during the incident and forensic analysis.

What needs improvement?

The web interface needs improvement because right now they have problems combining an older interface with a newer interface. They're in the middle of the process of combining the old and the new one. It sometimes confuses the user and sometimes you are not able to find the necessary information. You need to click the information and that is something that should be improved.

The data isn't a problem but you need to get used to it. You need to know where to click in order to get the results. Otherwise, you can encounter some problems.

I would be very happy if they would fix all the issues from 11.3 to the 11.4 version to have more advantages from the UEBA because the UEBA we have implemented will be the longest. If they will fully integrate the UEBA with the network data, this could be a very huge advantage and impact on the market. Right now, you have a solution like Darktrace which has the same capabilities as RSA NetWitness so NetWitness should implement the same things. They have UEBA, they have data. They should implement algorithms to digest that data and produce additional, more advanced reporting, alerting and support of internal security teams.

For how long have I used the solution?

I have been using this solution for almost three years.

What do I think about the stability of the solution?

It's very stable if you are talking about the old version. I don't like 11.3 and I don't know 11.4, it's not actually released. It provides accurate information, quick analysis from the endpoint perspective, and quick identification of any potential malware. But the 11.3 version is a complete disaster. You cannot analyze anything. 

I am part of the maintenance team. It's me and a couple more staff members that don't work full-time on this solution. I would say around four employees are required for maintenance but not full-time. 

What do I think about the scalability of the solution?

It's fully scalable. There is no limit. Of course, the license limits per day the number of terabytes. In my opinion, it's very flexible.

We have 10,000 users using this solution.

We do plan to increase the usage of this solution. We want to implement more monitoring of the internal traffic from specific places. We need to implement more decoders, more concentrators, and some kind of organization with the log archiving. 

How are customer service and technical support?

Their customer service is excellent, one of the best.

Which solution did I use previously and why did I switch?

I have been using Fidelis and that works. It's all the same approach, but they only gather the metadata, not the full packet capture. If you want to compare those products together, I can safely say that RSA is much better because they offer full packet capture capability. It's more scalable and more flexible.

How was the initial setup?

The initial set up was not very complex. The problem is with the use cases. You need to be very careful to not become overwhelmed with unnecessary data. You need to very carefully decide what should be filtered, what you need to be taken from the network or from the logs. You need to decide whether you need YouTube traffic at all, for example, because it consumes storage. It's a huge amount of data and that data is useless. It is not relevant to malicious activity and if you want to fully get the picture of the user activity or the motor activity you can have with data without Facebook, for example.

What's my experience with pricing, setup cost, and licensing?

We have a perpetual license, so the total cost of ownership is not very expensive. It's a good investment.

Which other solutions did I evaluate?

We have looked through the Cisco solution to expand more devices from Fidelis to cover more areas of our network. I also evaluated Symantec and I have seen FireEye but it's hard to even compare those products to RSA.

What other advice do I have?

If it's possible, ask for help from primary support to help you implement at the very beginning with the fundamental alert or detection rules. This is my best advice for a customer regardless of the size and scope of the implementation. Use the support to help you with the implementation process.

I would rate it an eight out of ten. 

Disclosure: I am a real user, and this review is based on my own experience and opinions.
PeerSpot user
Maor Hojberg - PeerSpot reviewer
Team Leader & Head of MSSP at We Ankor
Real User
Good features for investigating network problems but it is pricey and lacking in usability
Pros and Cons
  • "The most valuable feature is the ability to write rules and triggers for network communication, and then being able to investigate based on that."
  • "The system looks like it is a mix of a bunch of different systems, and nothing looked like it was quite together."

What is our primary use case?

We are no longer using this solution, however, it was used mostly for network monitoring. 

What is most valuable?

The most valuable feature is the ability to write rules and triggers for network communication and then being able to investigate based on that. You can see the payload and deconstruct the packets.

What needs improvement?

The solution would be greatly improved by unifying the management to one configuration option. One of the problems the system had is that you always have to choose the managed host. For example, if you want to write a rule, you have to duplicate it across your managed hosts. It should have centralized management. If you want to make a change then it should be configured automatically, so that you don't need to go one by one, changing it. That is really annoying.

Another problem is that the EPL (Event Processing Language) is not properly explained, and the expert could not even use it when they came to our site. It was causing the system to crash, so they should really consider using something else.

The system looks like it is a mix of a bunch of different systems, and nothing looked like it was quite together. I think that it could be better integrated, and it would be great for new customers or even existing customers.

For how long have I used the solution?

About one year, on and off.

What do I think about the stability of the solution?

I cannot say that the solution was stable because it tended to crash. We were using it before version 11, where some of the problems were supposed to be solved. I have heard from insiders that version 11 does not hold up to the hype and they're still facing some of the same problems.

What do I think about the scalability of the solution?

I think that the solution is scalable because you can easily add news hosts. This is one of the things that was really straightforward and we appreciated. 

How are customer service and technical support?

The people that we spoke with from technical support were really professional. Some visited us on-site and did some training with our analysists. They are really good staff and we really liked it. The company that did the integration at the site where I was working was planning on re-hiring them for other customers, so they made a good impression.

The support is responsive by email, but initially, it is a little bit lacking. Beyond the initial emails, it is quite professional.

How was the initial setup?

I was not part of the initial setup, but I can tell you that managing the system, in general, is not straightforward. It is quite elusive and very confusing, even after calls to technical support.

What's my experience with pricing, setup cost, and licensing?

This is a pricey solution; it's not cheap.

Perhaps if the implementation is small then it is not bad, but if you have a global network or a security agency that needs to be segregated on the network, then it can be quite pricey.

What other advice do I have?

This solution has some good features, but it is lacking in usability. This means that I would rate it somewhere in the middle. I would rate this solution a five out of ten.

Disclosure: My company has a business relationship with this vendor other than being a customer: Partner.
PeerSpot user
Sr Manager InfoSecurity at a healthcare company with 10,001+ employees
Real User
Overly complex and requires an army of people to keep it going

What is our primary use case?

We don't have a primary use case. There are many use cases that we have defined based on business needs.

What is most valuable?

The most valuable features are its

  • ingestion of logs 
  • raising of alerts based on those logs.

What needs improvement?

I'd like to see improvement in its ease of use. It's basically unusable. It's overly complex.

What about the implementation team?

We used RSA as our consultants. Our experience with them wasn't the most productive. We also have various other consultants in to help as well. Their ability to configure this particular platform is limited because it's such a complex product. There are so many classes you need to take in order to be proficient at it. There are so few people on the planet who can do it. You need an army of people to keep this thing going.

What other advice do I have?

It's supposed to help our security program maturity. Has it? I think that's another question.

I rate this product at three out of ten. It is overly complicated. It has taken years to implement and the return on investment just isn't there.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
PeerSpot user
Allan Vargas - PeerSpot reviewer
IT security specialist at a comms service provider with 201-500 employees
Real User
Detects ransomware in our internal network and offers good protection
Pros and Cons
  • "Their technical support responds quickly and are knowledgable."
  • "The initial setup was complex because it takes a lot of time to complete the implementation."

What is our primary use case?

Our primary use case is for the administration of the internal network.

How has it helped my organization?

The detection of ransomware in the internal network has benefited my organization.

What is most valuable?

The protection that we get from the firewall is the most valuable aspect that we get from this solution.

What needs improvement?

I would like for them to incorporate IPS. Only the monitoring detects abnormal behavior so we'd like to see IPS. 

I would like to see a dashboard include PAM so that it's a one-stop shop. 

For how long have I used the solution?

Three to five years.

Which solution did I use previously and why did I switch?

We were using Splunk. We switched because it's difficult to configure and it demanded too many network resources. 

How was the initial setup?

The initial setup was complex because it took a lot of time to complete the implementation. The deployment took three to six months. We require four people for maintenance.

We have eight users using this solution and plan to increase usage. 

What's my experience with pricing, setup cost, and licensing?

The licenses are good but the cost is very expensive. 

Which other solutions did I evaluate?

We also looked at IBM QRadar.

What other advice do I have?

I would recommend this solution to somebody considering it. 

I would rate it a nine out of ten.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
PeerSpot user
Allan Vargas - PeerSpot reviewer
IT security specialist at a comms service provider with 201-500 employees
Real User
The most valuable feature is the correlation. It can report in real-time and monitor the management.

What is our primary use case?

Our primary use case is for detecting or monitoring the process that we use in devices, servers, or databases.

How has it helped my organization?

The manner in which we can manage logs and information is very important for our organization. 

What is most valuable?

The most valuable feature is the correlation. It can report in real-time and monitor the management. 

What needs improvement?

The implementation needs assistance.

For how long have I used the solution?

One to three years.

What do I think about the stability of the solution?

The stability of this solution is good. 

What do I think about the scalability of the solution?

This solution meets our scalability needs. 

How is customer service and technical support?

The technical support is good. 

How was the initial setup?

I was not involved in the initial setup of this solution. 

What was our ROI?

I like to say it has the trifecta:

  • Good
  • Beautiful
  • Cheap.

What's my experience with pricing, setup cost, and licensing?

It is a cheap solution. 

Disclosure: I am a real user, and this review is based on my own experience and opinions.
PeerSpot user
Maor Hojberg - PeerSpot reviewer
Team Leader & Head of MSSP at We Ankor
Real User
It alerts anomalies on the network. But, we have encountered issues with unresolved crashes.

What is our primary use case?

We use it as a network tool to alert any anomalies on the network.

What is most valuable?

It gives the ability to investigate into network traffic in the Net and the organization what we couldn't do before.

For how long have I used the solution?

One to three years.

What do I think about the stability of the solution?

The product continues to crash. Even with tech support help, it does not resolve itself.

How are customer service and technical support?

Yes, we have had extensive use of tech support and they have not been as helpful as we would have liked. We had the crashing issue, and we had special sessions with tech support. The UAE representative and the IR response team were both on our site, and they could not understand why the system crashes. They configured the rules and then it crashed again. It is quite frustrating.

Which solution did I use previously and why did I switch?

The packet has a model that is called the extracting and it doesn't really work that well. Usually, it crashes and the re-issue improves it because it is one of the main functions that we use and it doesn't work properly.

How was the initial setup?

It was very hard to implement. After implementation, we found e had to revise everything. With help of support, we eventually managed to stabilize it. But, it took a full year to do so.

Which other solutions did I evaluate?

The only other solution similar to this is Solera and I do not think our organization will be switching to that. 

Disclosure: I am a real user, and this review is based on my own experience and opinions.
PeerSpot user
Elias Lefate Tebele - PeerSpot reviewer
ACD - Level 3 Analyst at a tech services company with 10,001+ employees
Real User
Advance monitoring and alerting feature is not stable, though it is easy to integrate common data sources

How has it helped my organization?

Reliable in terms of no data loss. Plays a huge role in device health checks (Event Source Monitor). Provides FSEs relevant information prior to end user problem solutions (if data sources are integrated and parsed properly).

What is most valuable?

  • Packet Solution: Allows analyst proactive hunting and alerting on daily sophisticated APTs.
  • Broker service: Aggregate multiple concentrator devices deployed in various sites which accelerates analyst’s duties.
  • Archiver – Does log retention for three to five years for forensics purposes or targeted investigations in the future.

What needs improvement?

Advance monitoring and alerting feature is not stable (Event Stream Analysis). Does not allow certain use cases running parallel.

The reporting module: If only their dashboards resembled anything you would see on any BI reporting tools.

What do I think about the stability of the solution?

More than once with fine tuning use cases (ESA feature) for real-time monitoring.

Reporting feature suddenly limits the amount of log extraction over certain cycles.

What do I think about the scalability of the solution?

Never.

How are customer service and technical support?

An eight out of 10. RSA tech support is awesome.

Sometimes they face huge challenges when an unknown bug hits their system and tech support must take their cases to engineering.

Which solution did I use previously and why did I switch?

None in production other than RSA. However, I will be using IBM QRadar towards the end of this year.

How was the initial setup?

I was never involved in setting up the solution with any of my employers. I get to learn the architecture and see the environment once it's complete.

What's my experience with pricing, setup cost, and licensing?

RSA licensing ranges per core devices and services.

An additional Designated Support Engineer can be acquired at quite a pricy cost. They are reliable as your system and will be given a higher priority than any other support case(s).

Which other solutions did I evaluate?

Our partnership with RSA was already in place. No room for evaluation.

Top SIEM tools such as HP Arcsight, McAfee ESM, and IBM QRadar.

What other advice do I have?

Either operating this solution in-house or reselling. First, outline all your data sources. Give more priority to the assets you want to protect.

Event source type and versions will be key.

Additional useful features:

  • Easy to integrate common data sources.
  • User friendly GUI.
  • Basic SQL rule syntax.

We are using RSA Security analytics version 10.6.3.2 and upgrading to 10.6.4 in mid-September. NetWitness suite v11 is due in October as a major upgrade.

Disclosure: My company has a business relationship with this vendor other than being a customer: Partner and reseller.
PeerSpot user
it_user365328 - PeerSpot reviewer
Founder & CEO at a tech services company with 11-50 employees
Consultant
The Alerting Module provides real-time event processing language on the logs/packets stream.
Pros and Cons
  • "Alerting Module: It provides real-time event processing language on all the logs/packets stream for advanced alerting, i.e., using SQL LIKE statements."
  • "Health monitoring of the event sources and devices."

How has it helped my organization?

As mentioned elsewhere, this product provides full visibility for the activities in the networks and systems. For example, it provides detection of the attacks in early stages (brute-force attacks), by which the attackers try to gain access to the systems, by trying to log in using different usernames and passwords (might be in a dictionary).

What is most valuable?

RSA NetWitness is a SIEM and real-time network traffic solution. It collects logs/packets and applies a set of alerting, reporting and analysis rules on them. Thus, it provides the enterprise with a full visibility of the networks and activities of the systems.

Its main features/components are:

  • Investigation Module: It is the location where the SOC analysts can find all logs/packets captured in a time-frame, that are related/non-related and have drill-down/filtration capabilities all in one table, for investigation and analysis.
  • Alerting Module: It provides real-time event processing language on all the logs/packets stream for advanced alerting, i.e., using SQL LIKE statements.
  • Reporting Module: It provides advanced reporting capabilities.
  • Dashboard Module: It provides dashboards for specific activities on the systems and networks.
  • Command and Control Detection: In additional to identifying the C&C IPs through threat intelligence, NetWitness investigates the packets to determine any type of suspicious C&C communication, by using a feature called Automated Threat Detection.
  • Threat Hunting Package: By using this advanced technique, NetWitness automatically investigates all the service sessions, files/packets and then it identifies any IoCs, BoCs and EoCs.
  • Context Lookup: In order to give an overview during investigation, this feature highlights any value related to the previous alert, incident, RSA ECAT feed mentioned or even if it had any comment from the RSA community, that leads to detecting any recent attack (even if it is still not announced on threat intelligence).
  • Incident Module: It provides an automated incident handling utility to ensure that right actions have been taken to close the incident.
  • Malware Analysis Module: It provides a file analysis environment including sandboxing, community etc., so as to investigate more of the files captured through the environment traffic.

What needs improvement?

  • Out-of-the-box alerts and investigation rules
  • Health monitoring of the event sources and devices
  • Threat intelligence for data accuracy

What do I think about the stability of the solution?

We encountered stability issues in the earlier versions, and much fewer in the newer versions.

What do I think about the scalability of the solution?

There were no scalability issues.

What's my experience with pricing, setup cost, and licensing?

The new pricing and licensing mechanisms are fair. I would advise always to get the full solution (i.e., not only Logs).

Which other solutions did I evaluate?

I did not evaluate other solutions.

What other advice do I have?

The only thing I advise others is to spend enough time for fine-tuning and the initial rule development.

You should also develop a plan for the ongoing development and fine-tuning, as found in all the other leading SIEM solutions.

Disclosure: My company has a business relationship with this vendor other than being a customer: We are a sub-contractor.
PeerSpot user
it_user698622 - PeerSpot reviewer
it_user698622Advisory Consultant at SCIS SECURITY
MSP

I agree, with Alireza's comment. It's always best practice regardless of the SIEM. Traditionally, we've used the Netwitness platform mainly for full packet capture and basic alerting. To make better use as a full SIEM, it's important for others to note that customers need to buy additional modules and hardware including ESA. The additional content out of the box requires subscriptions to their RSA live and threat intel feeds as well in many cases. It's not the usage that is too difficult; it's the administration that makes it a bear. I advise, like many other solutions to get vendor formal training if you intend to self-administrate or create your own content

See all 2 comments
it_user619134 - PeerSpot reviewer
Direct Sales Director at a tech services company with 501-1,000 employees
Consultant
We can investigate incidents based on logs and raw packets.
Pros and Cons
  • "Possibility to investigate incidents based on logs and raw packets, such as extracting files sent over the network"
  • "The system architecture is complex and sometimes it’s hard to troubleshoot potential problems."

What is most valuable?

Full packet capture: A must in an SOC

Possibility to investigate incidents based on logs and raw packets, such as extracting files sent over the network

Built-in Incident Management module for small security/SOC teams

Advanced correlation engine based on metadata flow: Provides nearly real time correlation

Rich reporting options

How has it helped my organization?

We can monitor all traffic to/from our company.

It is possible to track end user behaviour.

With RSA NetWitness Endpoint, we are able to monitor not only the network, but also what’s happening on endpoints, i.e., behaviour analytics for processes inside the operating system.

Thanks to this tool, we have a small SOC running in our company.

What needs improvement?

Integration with external tools should be built-in, such as an external sandbox for files.

We can import data using external feeds, using STIX or CVS files.

The REST API is poor

The system architecture is complex and sometimes it’s hard to troubleshoot potential problems.

RSA should improve backup options and High Availability architecture.

Data is stored on separate components without redundancy. It’s possible to have backup for data, but you have to use an external backup solution.

For how long have I used the solution?

I have used this product for two and a half years.

What do I think about the stability of the solution?

The system is stable if you provide enough CPU, RAM, and HDD (IOPS). Sizing should be done by RSA Professional Services or by an experienced partner for Virtual Machines. The hardware is sized well.

What do I think about the scalability of the solution?

There were no scalability issues, but you have to know what you are doing. Proper network deployment is important. Metadata flows are quite big between internal system components. Of course, it depends on how many network packets and logs are logged into the system.

How are customer service and technical support?

I would give technical support a rating of 8/10. Sometimes you have to wait for an initial response, especially if it’s not a critical problem. But when they start investigating, they do it quite well.

Which solution did I use previously and why did I switch?

For full packet capture, we had Blue Coat Security Analytics. We switched because in NetWitness, we have everything needed to run a small SOC in our company.(Packets, logs, endpoints, incident management module, correlation, reporting, and investigation available for analysts.)

How was the initial setup?

It’s a very easy product to install, when you know what you are doing. Customers without any experience should cooperate with RSA Professional Services or a partner company. It’s too complex of a product to deploy for someone without experience. It can be done, but the value coming from RSA or a partner is incomparable.

What's my experience with pricing, setup cost, and licensing?

Prepare use cases, i.e., what to do and how.

Collect information about EPS for logs and total bandwidth for packets. This will allow you to properly size the licensing.

Hardware is too expensive in my opinion (Eastern Europe). It’s cheaper to run virtual machines in a VMware environment. (Keep in mind that CPU, RAM, and especially HDD requirements must be matched.)

Which other solutions did I evaluate?

We had Blue Coat Security Analytics, but we’re an RSA partner so it was natural to use the technology available to us.

What other advice do I have?

  • Don’t rush. Prepare use cases for packets and logs as it is a very important part of deployment and future use.
  • Use RSA Professional Services or a partner. Don’t deploy alone.
  • A basic administration course is a must for all administrators.
  • System architecture may be very easy or very complex. Do sizing well with external help.
Disclosure: My company has a business relationship with this vendor other than being a customer: RSA Partner.
PeerSpot user
Alireza Ghahrood - PeerSpot reviewer
Alireza GhahroodConsultant & Instructor -Cyber Security,GovernanceRIskCompliance (CISO as a Services) at Independent
Top 10Real User

Built-in Incident Management module for small security/SOC teams

it_user130770 - PeerSpot reviewer
Managing Architect at a tech company with 10,001+ employees
Vendor
Since the solution has been under way we have seen a large decrease of threats and proactive reactions to incidents.

Valuable Features

I have found the Security Intelligence most valuable.

Improvements to My Organization

Adding Threat Globe and SA(Analytics).

Room for Improvement

Cross Platform Integration could be improved.

Use of Solution

I have been using the solution for more than 8 Years.

Deployment Issues

No issues with deployment.

Stability Issues

No issues with stability.

Scalability Issues

Yes.

Customer Service and Technical Support

Customer Service: It's good for Enterprise Customer’s.Technical Support: It's good for Enterprise Customer’s.

ROI

Since the solution has been under way we have seen a large decrease of threats and proactive reactions to incidents.

Other Advice

This purely is an Enterprise Product and one has to have a defined budget and plan; it’s good to fit Business requirements first, and then go for products.
Disclosure: I am a real user, and this review is based on my own experience and opinions.
PeerSpot user
Buyer's Guide
Download our free NetWitness Platform Report and get advice and tips from experienced pros sharing their opinions.
Updated: November 2022
Buyer's Guide
Download our free NetWitness Platform Report and get advice and tips from experienced pros sharing their opinions.