Using a centralized combination of network and endpoint analysis, behavioral analysis, data science techniques and threat intelligence, NetWitness XDR helps analysts detect and resolve known and unknown attacks while automating and orchestrating the incident response lifecycle. With these capabilities on one platform, security teams can collapse disparate tools and data into a powerful, blazingly fast user interface.
NetWitness XDR was previously known as RSA ECAT, NetWitness Network.
The product is mainly used for security, log reviews, and monitoring.
In India, mostly on the requirement segment, we don't deploy the solution on the cloud. We use the solution on-premises.
The log correlation is good. There may be some benefits to the solution, but most of my time has gone into configuring it rather than working with it. So maybe I'm not so aware of that.
The problem with this product is that it's a bit slow. I am not very happy with this product. In the past, I have worked with a different tool, which was only maintaining a log, but I found that solution much better than NetWitness. It is not properly configured yet.
One part of this product that needs to be improved is the log parsing. Often, it doesn't work or logs go missing. There are many licensing complications as well.
I have been working with this product for almost one year. I'm not working directly with the product. I do the implementation for companies. We use the latest versions of the solution.
I'm technically not hands-on with these tools because I manage the team, so I am not exposed to anything.
My own network is very complex. It might be stable, but many times, even our appliances are not. We have had improper shutdowns, so I will not blame RSA. If an improper shutdown happens, then it takes a lot of time to make it up. It doesn't work until you start the machine, and it will work. Finally, you have to get a ticket, then they will do lots of things on them. The services will start and then it will work. We've been having some power issues in my previous assignments, and a lot of trouble in that way.
The solution is scalable. It creates 3,000 lab logs per second. I think the solution is suitable for large companies, or medium to large companies.
I don't think RSA has good support.
The deployment process is complex. I don't know why, but this solution will suddenly stop working. Logs stop coming. Often, one thing or another stops working. Most of the time, one of my team members is troubleshooting and working with technical support. Log parsing is also one of the biggest challenges. Sometimes you don't get the logs, but even when we make the log parsers, they don't work. They suddenly stop working. It might just be a problem from my side as well, but the end result is that it is not working as smoothly as it should.
Deployment time just depends on different circumstances. Many times, our men were unable to get to the data center. There were some wiring problems and improper shutdowns. We did have trouble with connecting with other people in our department. It took an unusual amount of time. I think we should have been done in 45 to 60 days, but it took us more than eight or nine months to get it done. The deployment time just depends on the current scenario. Tech support would say, "We don't do this, we don't do that. You have to purchase that service and that service."
The pricing is not very economical. It is a costly product for India. When you purchase it, you have to purchase a module separately.
I would rate this solution 4 out of 10. I would not suggest that someone use this solution because support is a main issue. I would prefer to go with IBM QRadar or some other new AI-based tools.
RSA NetWitness Endpoint is used to get an instant detection response from network threats. Additionally, it has the capability to do malware analysis and investigations.
RSA NetWitness Endpoint has helped our organization through its many advantages and because it provides overall visibility of all of our endpoints within the enterprise network. You are able to see what exactly is going on, and it provides real-time incident reports, instant management, and investigations.
They have recently updated the features and the most valuable ones are the instant threat response, ease of use, web interface, integration, and easy access. RSA NetWitness Endpoint is very compatible with other solutions and technologies. However, they do not rely on third-party solutions and have most features built-in.
I have been using RSA NetWitness Endpoint for approximately six years.
The solution is very stable and does not overwhelm the network.
The solution is highly scalable and is easy to scale.
When comparing RSA NetWitness Endpoint to Splunk, we have found Splunk is missing some features. For example, the user identity and analytics capabilities are not available with Splunk. You will have to depend on third-party tools to provide those features. What makes Splunk very good is that it is dependent on third parties, but all those third parties have to integrate together. Splunk should have someone who is very good at API integration to be able to integrate all the third-party tools; otherwise, the solution will not work well.
We have approximately six people using this solution in my organization.
The annual license comes with free online support, and all you do is open a ticket through the 24/7 support. The support is very good, and they provide different levels of incident priority, such as level one and high priority. They typically respond within 24 hours.
The installation was simple.
We did the implementation of the solution ourselves. The vendor provides the datasheet manuals which are readily available online. They are easy to follow to complete the implementation.
We have a license for the vendor to do maintenance.
There are different licenses available for the use of this solution. The license that comes with support is more expensive than the basic license.
The price of the solution depends on the environment. If the environment is large, then it will cost more. However, the larger the environment and the more endpoints, the greater the discount you receive. If the environment is very small, then you might think it is expensive. It is always better to buy in bulk to receive a discount. The minimum number of assets is usually 500, with discounts on 1000 and 2000.
The perpetual license is not good because it does not cover maintenance; you have to pay for maintenance separately. However, they are slowly moving away from perpetual licenses, and there will only be annual licensing for your subscription.
I have evaluated Splunk.
Those looking to implement RSA NetWitness Endpoint should do a comprehensive assessment of their environment to check whether they really need the solution. Sometimes you buy the solution and you do not have the right people to use it. Ensure that you invest in the right expertise to use it, because after you invest in people, you also invest in the processes and technologies. If you have the technology but do not have the expertise to operate the solution, it will not be useful.
I rate RSA NetWitness Endpoint a ten out of ten.
I primarily use NetWitness Endpoint to detect anomalies like the presence of web shells that are not detected by traditional antivirus solutions. I also use it for digital forensics and containment.
NetWitness Endpoint has enabled us to detect attacks that bypass the first stage of cybersecurity, like zero-day and advanced attacks.
NetWitness Endpoint's most valuable features are its interoperability across many different operating systems and the ease of pivoting from network to endpoint via a single console.
NetWitness Endpoint's blocking feature does not work properly - if there's a malicious process, it's not possible to kill it via a custom rule unless and until it's flagged as malicious. For example, if you put IOCs in the form of hashes, it's not possible to block those IOCs - the system will alert you, but they can't be blocked. In the next release, NetWitness Endpoint should include regular expressions for blocking processes and sub-processes, the ability to block IPs, and scalability and integration with the ServiceNow platform or other ticketing solutions.
I've been using NetWitness Endpoint for seven to eight years.
NetWitness Endpoint is stable, but there are times when the RSA agents installed on the endpoint don't respond, and they don't have proper health checkups for this, so you don't get any notification of what's happening.
NetWitness Endpoint scales well.
NetWitness Endpoint's technical support is very good and fast. Their system allows us to raise tickets with various levels of severity, so cases are dealt with per those levels.
The initial setup isn't too complex, and deployment can be completed in a day. I would rate the setup experience as four out of five.
We used a third-party team.
NetWitness Endpoint has provided an ROI in terms of increased threat detection and containment, allowing us to perform deep-dive digital forensics on assets.
NetWitness Endpoint is less costly than its competitors, but it offers fewer features. Its licensing is per installation, and there are additional costs for the RSA NetWitness NDR solution and extra bandwidth requirements.
I would give NetWitness Endpoint a rating of seven out of ten because it's missing the features of modern EDR solutions.
We primarily use the solution for NDR.
We like that the solution doesn't have to be managed by an IT department. It's easy to use. You can still check the machine without the IT department being involved.
The solution is stable.
Technical support is knowledgeable.
I have no real complaints about the solution.
Threat detection could be better. They need to enhance their threat intelligence feeds.
We would like to have more IOCs or more threat intelligence, so as not to rely only on the intelligence of the engineer in charge but to have some threat intelligence and some feeds of IOCs, and to have the host have some artificial intelligence to reduce the number of false positives.
I don't see this solution being very scalable.
The solution is pricey.
I've been using the solution for five years.
It's pretty stable. It's reliable. There are no bugs or glitches. It doesn't crash or freeze.
It's not a very scalable product.
We have three engineers that work on the solution. They use it regularly, yet not necessarily on a daily basis.
Technical support is good. They are knowledgeable and responsive. We are satisfied with the support on offer.
The setup is neither easy nor difficult. It's moderate. I'd rate it four out of five in terms of the deployment process. It wasn't challenging, yet it had some complications, so it wasn't completely straightforward.
The solution is expensive. I'd rate it at a one or two out of five. They need to adjust it to keep up with the competition.
I cannot speak to the exact pricing of the product.
I'd rate the solution a six out of ten.
The most valuable feature of RSA NetWitness Network is the single unified dashboard from which you can manage all the different products of RSA. Additionally, the integration with native applications is good.
RSA NetWitness Network could improve its integration with non-native applications.
I have been using RSA NetWitness Network for approximately three years.
RSA NetWitness Network on-premise is stable. I have not used the version to compare.
RSA NetWitness Network could improve scalability. The process is simple; you can stack on devices. It can scale horizontally and vertically.
The technical support from RSA NetWitness Network is good because the response time is fast. Whenever we raise a request, we receive a response. It's not immediate, but based on the priority and on the server, we receive a response.
The initial setup of the RSA NetWitness Network is fine. The device setup is easy. However, we need professional services for creating dashboards and other aspects.
We used professional service for some of the implementation aspects.
We have seen a return on investment using RSA NetWitness Network.
We are on a three-year contract to use RSA NetWitness Network.
My advice to those wanting to implement RSA NetWitness Network is that they have to first do a little due diligence, such as determining the exact requirement based on their needs. That will give them a direction for their investment, because otherwise the bill of material or bill of quantity (BOQ) may be on the higher side. It is important to do good due diligence on the environment, see the exact requirement, and then go ahead with the solution. The solution is perfectly stable.
I rate RSA NetWitness Network a nine out of ten.
The threat intelligence could improve in RSA NetWitness Endpoint.
I have been using RSA NetWitness Endpoint for approximately seven years.
The stability of the RSA NetWitness Endpoint is very good.
RSA NetWitness Endpoint is a scalable solution. However, the problem which we normally face is in terms of the migration of the solution. This solution has hard-coded IP addresses in its agents. When somebody wants to migrate from one data center to another data center, they have to reinstall all the agents. They can't change the hard-coded IP address to allow communication with the target server. That is the largest problem of the solution. Otherwise, in terms of scalability, it's fine.
If they are able to provide for changing the IP address in the agents when somebody migrates the hardware appliances from one data center to another data center, it would be a great improvement for those who want to migrate.
I would recommend others to use RSA NetWitness Endpoint at this time because they have evolved from an MD to an EDR solution to an XDR solution. They have a single solution in which they can pivot from the NetWitness to the endpoint. Everything is combined in a single pane of glass.
Earlier, they used to have distinct solutions. The NetWitness EDI used another pane of glass and then the EDR used a different one. Now the EDR and MDR have been combined into a single solution. That is an advantage from the security perspective. They can use a lateral movement and see all aspects in a single pane of glass. It's an easy investigation for everyone. I would definitely recommend this solution.
I rate RSA NetWitness Endpoint an eight out of ten.
We use it for IT security purposes. This is our central log management solution. So we incorporate all of our servers and PCs to this software, and we can monitor the logs from there.
I like the user behavior analytics feature.
The integration of the solution needs to be improved. The dashboard needs lots of updates as well.
In the next release, we would like to see advanced fraud detection features.
I've been using this software for the last three years.
It is stable.
It's a scalable solution. We have around five to eight customers using RSA NetWitness Endpoint, and we hope to increase the number of users.
The technical support staff are quite responsive, and I'd give them an eight out of ten.
We have both McAfee and NetWitness, but NetWitness has much better options than McAfee does.
The initial setup is complex. On a scale from one to five with one being the worst and five being the best, I would rate the initial setup at four.
It took a couple of hours to set up. The deployment and maintenance can be done by one person, such as a technician.
We implemented it in-house.
I recommend RSA NetWitness Endpoint and would give it a rating of eight on a scale from one to ten.
We are customers of RSA.
The valuable feature is being able to isolate the machine when there are malicious files.
The solution doesn't have a reporting engine, which would be helpful. I've also found that the UI times out too quickly, and you have to close and reopen it. It should allow for a longer session time.
I've been using this solution for four years.
The solution is stable.
The solution is scalable in terms of coverage. We have more than 2500 endpoints with different levels of users and operating systems.
Customer support is very good in terms of the knowledge base, but the response time is too long. It can sometimes take two days before you get a reply.
The initial setup was relatively straightforward because we only had to provision the SQL server and then run the setup. We deployed in-house with a DBA and the deployment took a day. We have an external maintenance contract.
We've seen a good ROI.
I rate this solution eight out of 10.