NetWitness Platform Room for Improvement

MR
Senior Assistant Vice President at a financial services firm with 1,001-5,000 employees

Sometimes, it gives me static when integrating Windows-based systems. It should produce a precise log of sorts as to where the problem is. For example, a few days ago because of the McAfee application firewall, I couldn't get access to the particular Windows machine.
So, my team and I had to figure out by ourselves that there was a virus responsible for the obstacle. This solution should trigger a meaningful log or message indicating the reason the user or implementer can't get into the machine.
The workflow is not smart enough. For example, if I'm monitoring or analyzing log events and alerts from the SIEM system, it has to be reviewed by the person responsible for this in the organization. So, the review should be automated and should be signed off per the FR-ISO 27001 control requirement. This is lacking in RSA NetWitness Logs and Packets (RSA SIEM). This is also the case with PCI-DSS compliance because we are in the banking industry.

The most iconic disadvantage of the solution is that I cannot tag my asset by my name. There should be a portal or a photo where I could check the applicant name. Whatever asset it discovers, it takes only the IP address. If it gets it from Active Directory, then it gets only the host name, which is not actually meaningful to an analyst. There should be a way to tag a name manually so that it can be mapped later to the actual machine, besides the machine I'm investigating on.

RSA NetWitness Logs and Packets (RSA SIEM) does not have SOAR, and we have to do it manually. SOAR is a new concept that is still in development.

MOTASHIM Al Razi - PeerSpot reviewer
CISO at One Bank Limited

They should improve the solution's user interface and make it easier to understand.

MdZaman - PeerSpot reviewer
IT manager at a agriculture with 10,001+ employees

The solution should have more integration capabilities with different platforms. The API is nearly open and scalable, so the solution can integrate with many platforms. The solution has more than 200 log sources in the scalability to support, but this is its limit. 

Installation is pretty easy. However, there are a couple of modules involved, so it is not as easy as it could be. We are talking about a distributed module, not a single-module type. This is what makes things a bit complex, instead of easier. I rate it as a seven out of ten on its installation and configuration capabilities.

Buyer's Guide
NetWitness Platform
April 2024
Learn what your peers think about NetWitness Platform. Get advice and tips from experienced pros sharing their opinions. Updated: April 2024.
768,578 professionals have used our research since 2012.
SS
Security Analyst at HeiTech Padu Berhad

It is quite tedious to make changes in the playbooks. There could be an option to integrate or adapt AI and machine learning for our threat-hunting solution. It should have a monitoring feature. It would help us analyze the current state of attacks faster from a single platform.

RR
Senior consultant Cybersecurity

The threat detection capability and centralizing and upgrading capability need to be improved. The threat alert capability needs to be improved as well because there is some lag time at present. They need to work on their database search too.

I would like to see log storage and threat intelligence features be included in the next release. I would like to see them automate the security incident response.

RP
Cyber security Lead at a manufacturing company with 1,001-5,000 employees

I believe they could improve their support; there are often delays. The price of the solution could be reduced; it's very costly.

AR
Head of Information Security, Cyber Defense and IT Risk Management at HCT. at a transportation company with 201-500 employees

A big problem with the product is that we don't have much professional experience in Israel installing, implementing, and integrating this product. There is not enough of a knowledge base. There is no support for this product in this country, so problems have to be resolved through global technical teams. We like to work locally because of the language, and when the product is only supported outside the country, it's a little difficult to implement and use this product.

Moreover, AI is something that must be added immediately. Artificial intelligence is a part of the competitors' products, and it's not been implemented for us.

Francesco Ritrovato - PeerSpot reviewer
Security Analyst at Sogei

The log system is a bit complex and has room for improvement.

ST
Manager at a comms service provider with 10,001+ employees

RSA NetWitness Logs and Packets can improve the threat level aspect, it is lacking compared to other solutions. Whenever any hacking activity or any other threat factor occurred they used to provide the coverages very fast when comparing RSA NetWitness Logs and Packets. I heard the other three solutions, from a discussion with my team members who had experience in other solutions, they used to say that. Whenever any issues happened across the globe RSA NetWitness Logs and Packets are a little bit slow improving those detection mechanisms.

Rafał Popielski - PeerSpot reviewer
Solution Architect at NASK

The product's licensing models are complex to understand. This particular area needs improvement. 

SM
Information Technology Security and Infrastructure Expert at a government with 201-500 employees

From an improvement perspective, the NetWitness Platform needs to release new features and improve in areas like log correlation. The tool needs to have easier integrations with the cloud. Building a parser should be made easier in the tool.

The tool needs to have easier integrations. The tool needs to have the extra log-related suggestions. The platform and UI should be easier to use.

LB
Presales Manager at a tech services company with 51-200 employees

If we have the ability to run a dynamic analysis through malware in the same suite, it would be great to have a sandbox solution to analyze malware through dynamic analysis.

NetWitness has a malware appliance, but in terms of dynamic analysis, we need to integrate with 30 vendors. It would be great to have a sandbox produced by the RSA and the SSL appliance also.

MS
Program Manager at EGYANAM TECH

We are designing reports and automated rules and processes. We are defining them in relation to this product. With the help of automated rules and processes, this product will help the team when they go to production to do operations smoothly, as, most of the time, what happens when you put manual interference into such systems, it may be delayed. This can lead to vulnerabilities. Sometimes, if a hacker enters the system, he might only have a limited time where there is a window of access, however, in that time, he'll take what he can, and even if the vulnerability only lasted for a few minutes, in that time, items can get stolen. 

Therefore, there needs to be more proactivity to avoid any downtime. We're adding automating tools to help RSA NetWitness so that if anything happens, RSA can immediately shut anything down. We're in the process of configuring them and adding them in.

The initial setup is complex. There are solutions that are easier to implement.

Salah Sabouni - PeerSpot reviewer
Director at ST

I believe that integrating the solution with other products such as Oracle would be beneficial. However, I suggest that the integration process be streamlined and made more efficient to ensure a smooth experience.

It would be great to have the ability to customize reports in a more user-friendly manner.

GD
Security Operations Manager at a computer software company with 1,001-5,000 employees

The multi-tenant capabilities are lagging compared to IBM QRadar.

We want the OEM to support us when we add a partner. They have to come forward and be ready to give a POC to the customer. For example, if we are identifying any customer, and the customer wants to see the POC but at that time we do not have that resource to showcase the POC or the environment. At this time the OEM should come forward and showcase the POC to the customer. Once the customer is satisfied, we will be gaining the business, as a win-win situation.

MA
IT and Cybersecurity Professional at a financial services firm

The SOAR (security orchestration, automation, and response) component has areas for improvement.

Technical support needs to be improved.

Integration with third-party products for industries such as the banking sector, or telecommunications, presents challenges that require help from the OEM.

Lots of competing products have vulnerability protection built into their products, and this solution would be improved by including that support.

NB
Delivery Partner APAC and MEA at Tata Consultancy

An area for improvement would be better automation and more inbuilt use cases. In the next release, RSA should include an inbuilt migration framework that can do remediation.

MT
Security Engineer/Architect at Telecom Italia

It is not so easy to customize this product.

This product would be improved with the addition of machine learning functionality.

HL
Information Technology Security Architect at a financial services firm with 5,001-10,000 employees

The web interface needs improvement because right now they have problems combining an older interface with a newer interface. They're in the middle of the process of combining the old and the new one. It sometimes confuses the user and sometimes you are not able to find the necessary information. You need to click the information and that is something that should be improved.

The data isn't a problem but you need to get used to it. You need to know where to click in order to get the results. Otherwise, you can encounter some problems.

I would be very happy if they would fix all the issues from 11.3 to the 11.4 version to have more advantages from the UEBA because the UEBA we have implemented will be the longest. If they will fully integrate the UEBA with the network data, this could be a very huge advantage and impact on the market. Right now, you have a solution like Darktrace which has the same capabilities as RSA NetWitness so NetWitness should implement the same things. They have UEBA, they have data. They should implement algorithms to digest that data and produce additional, more advanced reporting, alerting and support of internal security teams.

RD
Senior Cyber Security Specialist at a tech vendor with 10,001+ employees

The alert dashboard is not reflecting events in real-time. We have to refresh in order to view an alert in real-time.

Log aggregation is an issue with this solution because there are a huge number of alerts in a single instance. Compared to ArcSight or QRadar, this is a problem.

AM
RSA Specialist at a computer software company with 1,001-5,000 employees

The documentation is not as structured as I would like, personally, and I think that it can be improved and made much more user-friendly. I may see it differently than other people.

I would like to see a little question mark beside each button that you can click and find out what that button is for. It would make it much easier for people who are new to the solution. Like a pop-up appearing when hovering over the question mark, attached to each main action and split into branches. 

AR
Associate Manager Human Resources at a financial services firm with 1,001-5,000 employees

More customizability is required, which is something that they need to improve on.

When it comes to starting a log event, there are not many options available. It is very limited.

The log and event correlation need improvement.

The threat detection capability should be enhanced.

VG
IT Security Head with 1,001-5,000 employees

The initial setup is very complex and should be simplified.

We had some trouble integrating with our Check Point firewall.

MH
Team Leader & Head of MSSP at We Ankor

The solution would be greatly improved by unifying the management to one configuration option. One of the problems the system had is that you always have to choose the managed host. For example, if you want to write a rule, you have to duplicate it across your managed hosts. It should have centralized management. If you want to make a change then it should be configured automatically, so that you don't need to go one by one, changing it. That is really annoying.

Another problem is that the EPL (Event Processing Language) is not properly explained, and the expert could not even use it when they came to our site. It was causing the system to crash, so they should really consider using something else.

The system looks like it is a mix of a bunch of different systems, and nothing looked like it was quite together. I think that it could be better integrated, and it would be great for new customers or even existing customers.

it_user365328 - PeerSpot reviewer
Founder & CEO at a tech services company with 11-50 employees
  • Out-of-the-box alerts and investigation rules
  • Health monitoring of the event sources and devices
  • Threat intelligence for data accuracy
PR
Analyst at Microland Limited

Security needs improvement.

We would still like to know how the traffic is entering the organization. We can find out but it will take time before we know, leaving the organization vulnerable to attack.

There is no SIEM tool in the world that can provide 100% security.

MA
Information Security Analyst at a tech services company with 11-50 employees

The user interface is a little bit difficult for new users and it needs to be improved.

It takes a lot of time to register when compared to other solutions.

ET
ACD - Level 3 Analyst at a tech services company with 10,001+ employees

The advanced monitoring and alerting feature (Event Stream Analysis) is not stable. It does not allow certain use cases to run in parallel.

The reporting module: If only their dashboards resembled anything you would see on any BI reporting tools.

IO
Solution Specialist at a tech services company with 11-50 employees

The reporting aspect could be improved. There are instances where you try to run the reports and then it does not give you the desired outcome. At times, it appears as if the reporting feature might be buggy.

You want to actually follow the trends and see how technology is advancing. I think they've done that with regard to security orchestration, automation, and response. However, I think that they could do better with the automation and response.

EB
Sr Manager InfoSecurity at a healthcare company with 10,001+ employees

I'd like to see improvement in its ease of use. It's basically unusable. It's overly complex.

it_user619134 - PeerSpot reviewer
Direct Sales Director at a tech services company with 501-1,000 employees

Integration with external tools should be built-in, such as an external sandbox for files.

We can import data using external feeds, using STIX or CVS files.

The REST API is poor.

The system architecture is complex and sometimes it’s hard to troubleshoot potential problems.

RSA should improve backup options and High Availability architecture.

Data is stored on separate components without redundancy. It’s possible to have backup for data, but you have to use an external backup solution.

AV
IT security specialist at a comms service provider with 201-500 employees

I would like for them to incorporate IPS. Only the monitoring detects abnormal behavior so we'd like to see IPS. 

I would like to see a dashboard include PAM so that it's a one-stop shop. 

AV
IT security specialist at a comms service provider with 201-500 employees

The implementation needs assistance.

it_user130770 - PeerSpot reviewer
Managing Architect at a tech company with 10,001+ employees

Cross Platform Integration could be improved.