Head of Information Security, Cyber Defense and IT Risk Management at HCT, a transportation company with 201-500 employees
A solid SIEM solution that should improve technical support and online resources to be easier to use
Pros and Cons
- "NetWitness Platform is valuable for creating rules that the solution must detect."
- "There is no support for this product in this country, so problems have to be resolved through global technical teams."
What is our primary use case?
It is a SIEM solution used regularly as a part of the SOC to collect data from all the security environments in my company.
What is most valuable?
NetWitness Platform is valuable for creating rules that the solution must detect.
What needs improvement?
A big problem with the product is that we don't have much professional experience in Israel installing, implementing, and integrating this product. There is not enough of a knowledge base. There is no support for this product in this country, so problems have to be resolved through global technical teams. We like to work locally because of the language, and when the product is only supported outside the country, it's a little difficult to implement and use this product.
Moreover, AI is something that must be added immediately. Artificial intelligence is a part of the competitors' products, and it's not been implemented for us.
For how long have I used the solution?
I've worked with NetWitness Platform for two years.
Buyer's Guide
NetWitness Platform
December 2024
Learn what your peers think about NetWitness Platform. Get advice and tips from experienced pros sharing their opinions. Updated: December 2024.
824,053 professionals have used our research since 2012.
What do I think about the stability of the solution?
I rate NetWitness Platform's stability an eight or nine out of ten.
What do I think about the scalability of the solution?
I rate NetWitness Platform's scalability a six out of ten.
How are customer service and support?
Technical support is not available locally in Israel. We're using support from outside; it's global technical support from the vendor and is available 24 hours a day. However, the escalation is very slow. It depends on the kind of situation we're in. If it's a full-dimension situation where we have malfunctions that stop processes, the issue can be escalated very fast, and we can get support immediately with the service-level agreement we have. But if we have any questions about using the system, feature requests, or some knowledge, it can take a lot of time, and it's not something we can get from the vendor.
How would you rate customer service and support?
Neutral
How was the initial setup?
I rate the initial setup a five out of ten since the solution had to be implemented twice. It took more than half a year to deploy the solution. Some of the processes were set up with the first implementation very fast. However, the implementation was insufficient to use the solution with all the needed coverage. All the customizations and integrations can take a few months, and it's a long process.
The steps taken to deploy NetWitness Platform are like with any other product. We had to plan whether it was a low-level or high-level design. We had to see the scope of work for implementation, including all the integration processes and data connections.
What about the implementation team?
The supplier's knowledge base was less on the integration side, so the solution had to be done twice.
The number of people needed to deploy the solution depends on whether the person has the needed experience, knowledge, or skill sets. If they do, the setup will be fast. But sometimes, people have limited information or knowledge from something special they focused on, so the number of people needed for deployment depends on the situation. By design, the solution can be implemented by one person.
What's my experience with pricing, setup cost, and licensing?
The tool is very expensive, so I rate the pricing a ten out of ten. The solution has an annual subscription.
What other advice do I have?
NetWitness is a part of the cybersecurity solutions we use today, but it's not the only one. We use many different solutions, such as Splunk and QRadar. The product is a SIEM solution, and we use SIEM solutions from different vendors for different needs on different sites.
We don't have all the features we thought were a part of the solution. We need to do many things manually to customize the solution for the customer's needs. By the book, we don't have enough to connect the product to all the systems with some inputs based on machine learning or all the new algorithms like artificial intelligence. The customer must know all these before installing this product. We need community knowledge for new products that tell us what has to be added after a few installations. The setup, then, can be very fast, and all the knowledge for integration with other components and the company's infrastructure can also be very fast because the solution is best-of-breed and third-party. It's not proprietary for special companies and corporations. In the context of product implementation, everything is very slow and must be done manually and not integrated automatically into the product. We need to know what we will do, how we will monitor the overall system, what kind of events we want to collect from the system, and what type of layout we want to provide through the system to alert about incidents or some type of situation. The customer manually processes all this. It's not like we deploy the product and get all this information and all these capabilities in one coverage of the solution.
Before choosing the NetWitness Platform, find the best integrators with professional experience implementing and deploying this product in other companies. The product has many features and coverage but needs professional integration and implementation.
I would rate NetWitness Platform an eight, but since it depends on the installation, I rate the solution a seven out of ten.
Which deployment model are you using for this solution?
Hybrid Cloud
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Security Analyst at Sogei
Cost-effective and stable
Pros and Cons
- "The most valuable feature is the hunting ability to work in a CERT."
- "The log system is a bit complex and has room for improvement."
What is our primary use case?
We have been using the RSA SIEM with the NetWitness Platform for a long time.
What is most valuable?
The most valuable feature is the hunting ability to work in a CERT.
What needs improvement?
The log system is a bit complex and has room for improvement.
For how long have I used the solution?
I have been using the solution for a few years.
What do I think about the stability of the solution?
The solution is stable and is able to work with a lot of complex data.
How was the initial setup?
Using the software is straightforward, but configuring it is complex. To achieve the best results, we need to set up the log system. We have an RSA team to integrate the log system with the SIEM.
What's my experience with pricing, setup cost, and licensing?
In comparison to other SIEM solutions such as Splunk, NetWitness is less costly.
What other advice do I have?
I give the solution a nine out of ten.
I recommend the solution to others.
Which deployment model are you using for this solution?
On-premises
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Manager at a comms service provider with 10,001+ employees
Useful correlations tools, simple initial setup, and helpful support
Pros and Cons
- "The most valuable feature of RSA NetWitness Logs and Packets are the alerts and correlations tools."
- "RSA NetWitness Logs and Packets can improve the threat level aspect; it is lacking compared to other solutions. Whenever any hacking activity or any other threat factor occurred, the other solutions used to provide the coverage very fast compared to RSA NetWitness Logs and Packets. I heard this about the other three solutions from a discussion with my team members who had experience with them. Whenever any issues happened across the globe, RSA NetWitness Logs and Packets was a little bit slow in improving those detection mechanisms."
What is our primary use case?
RSA NetWitness Logs and Packets are used exclusively for monitoring scenarios, insider threat analysis, and log retention.
What is most valuable?
The most valuable feature of RSA NetWitness Logs and Packets are the alerts and correlations tools.
What needs improvement?
RSA NetWitness Logs and Packets can improve the threat level aspect; it is lacking compared to other solutions. Whenever any hacking activity or any other threat factor occurred, the other solutions used to provide the coverage very fast compared to RSA NetWitness Logs and Packets. I heard this about the other three solutions from a discussion with my team members who had experience with them. Whenever any issues happened across the globe, RSA NetWitness Logs and Packets was a little bit slow in improving those detection mechanisms.
For how long have I used the solution?
I have been using RSA NetWitness Logs and Packets for six years.
What do I think about the stability of the solution?
Some of the RSA NetWitness Logs and Packets versions are not stable. Whenever they released upgrades, we faced some issues.
What do I think about the scalability of the solution?
The scalability could improve. RSA NetWitness Logs and Packets has some limitations in on-premises sizing. It requires more workers to procure the hardware, and it is time-consuming.
The solution is only being used by our security operations team of approximately 10 to 15 people.
How are customer service and support?
When we have any critical issues we escalate them to the support of RSA NetWitness Logs and Packets.
I rate the support from RSA NetWitness Logs and Packets a four out of five.
Which solution did I use previously and why did I switch?
We were using RSA Ticket Analytics and now we are using RSA NetWitness Logs and Packets.
How was the initial setup?
The initial setup of RSA NetWitness Logs and Packets is not complicated; it is easy for us. However, there are some sizing limitations.
What about the implementation team?
We did the implementation of RSA NetWitness Logs and Packets in-house. We have not had any issues with maintenance.
What's my experience with pricing, setup cost, and licensing?
RSA NetWitness Logs and Packets does not have a subscription model; it's a one-time purchase. There is only a perpetual license.
What other advice do I have?
When comparing it with cloud security solutions, RSA feels outdated. I would advise others, before choosing RSA NetWitness Logs and Packets, to do a POC process; later they can make the purchase if it fits their needs.
I rate RSA NetWitness Logs and Packets an eight out of ten.
Which deployment model are you using for this solution?
On-premises
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Information Technology Security Consultant at Sify Technologies
The setup is straightforward and there are multiple connectors to help you integrate
Pros and Cons
- "Setting up NetWitness is straightforward. There are multiple connectors, including standard and specialized connectors. One purpose of the connectors is the enhanced capability to integrate custom applications. NetWitness comes with E6 appliances and application images that we use for the initial configurations and for the OS stack information. From there, you can consider the correlation rules, integrate the different log sources, and easily create correlation rules and backlog reports."
- "Nowadays, their support is a little subpar compared to other solutions. I rate RSA support six out of 10."
What is our primary use case?
We provide NetWitness along with Archer, at multiple sites. We are managing their security operations using NetWitness and Archer. A collector can work in two different ways. It can collect the logs, and it can aggregate the traffic from different NetFlow logs. When I say "logs," I mean a log collector, and when I say "packet," that means the packet or log connector.
What do I think about the stability of the solution?
The stability all depends upon how well the site is set up. All these solutions are good, but the CPU and OS are the major portion of undoing the correlations. If you have a poor correlation, then you need to have less than 70 percent utilization. Then that may not be good performance.
What do I think about the scalability of the solution?
NetWitness is scalable. You can scale, but you cannot assume that if you are deploying it today, you could use the same hardware setup as before. You only have two or three connectors. It is not at all possible. However, 20 percent scalability is always there with Odyssey.
How are customer service and support?
Nowadays, their support is a little subpar compared to other solutions. I rate RSA support six out of 10.
How was the initial setup?
Setting up NetWitness is straightforward. There are multiple connectors, including standard and specialized connectors. One purpose of the connectors is the enhanced capability to integrate custom applications. NetWitness comes with E6 appliances and application images that we use for the initial configurations and for the OS stack information. From there, you can consider the correlation rules, integrate the different log sources, and easily create correlation rules and backlog reports.
The complexity of the deployment depends on the amount and type of log sources. Are there any custom home-grown log sources for which you need to create the custom parsers? How many different logs or log lines in a home grown application? These factors might make your parser development a bit cumbersome.
What's my experience with pricing, setup cost, and licensing?
The licenses are based on the ETS.
What other advice do I have?
I rate RSA NetWitness Logs and Packets eight out of 10. Aside from ETS, it is the second-most important solution for maintaining compliance and how much data you need in the online logs or the offline archival logs.
Disclosure: My company has a business relationship with this vendor other than being a customer: Integrator
Director at ST
Provides comprehensive network visibility, and has available helpful support
Pros and Cons
- "In my opinion, the solution's most valuable feature is its capacity to monitor network traffic, logs from devices within the network, and network captures. This capability extends beyond logs to include full network capturing."
- "I believe that integrating the solution with other products such as Oracle would be beneficial."
What is our primary use case?
Our solution is utilized by customers to monitor security alerts by ingesting logs from all their assets.
They create correlation rules to identify any potential breaches or hacking attempts and receive notifications through the dashboard.
Customers can use additional features to investigate the incident and take the necessary actions.
How has it helped my organization?
Prior to implementing the solution, the customers had no visibility of their assets. However, after adopting the solution, they have gained complete visibility over all their assets, including a comprehensive understanding of the network and attack symptoms. With this knowledge, they can respond to any attack and take necessary actions. Essentially, this case has empowered them with comprehensive network visibility.
What is most valuable?
In my opinion, the solution's most valuable feature is its capacity to monitor network traffic, logs from devices within the network, and network captures.
This capability extends beyond logs to include full network capturing.
What needs improvement?
I believe that integrating the solution with other products such as Oracle would be beneficial. However, I suggest that the integration process be streamlined and made more efficient to ensure a smooth experience.
It would be great to have the ability to customize reports in a more user-friendly manner.
For how long have I used the solution?
We are resellers for the NetWitness Platform.
What do I think about the stability of the solution?
We have not had any issues with the stability of the NetWitness Platform, it is a stable solution.
What do I think about the scalability of the solution?
This solution is very scalable.
How are customer service and support?
We have contacted technical support. They are available. They have around-the-clock support, and they're very helpful.
I would rate them a nine out of ten. There is always room for improvement.
Which solution did I use previously and why did I switch?
I have worked with Zscaler and Cisco for four or five years.
I am familiar with Elasticsearch, but I prefer NetWitness Platform as it is specifically designed as a security solution for logs, packets, and endpoints rather than a SIEM-only tool.
How was the initial setup?
The initial setup is complex. It requires some knowledge in order to set it up.
If one is the most difficult and ten is the easiest, I would rate it a three out of ten. It's quite complex.
Initially, we need to prepare the hardware boxes, whether they are physical or virtual or offered as a service. This involves imaging them with the appropriate functions for the module. Then, for network packet capture, the mirror ports must be connected to the packet capture box. Regarding logs, the configuration process involves making NetWitness boxes communicate with each other through the appropriate protocols and ports.
Following this, the next step involves configuring the log sources to send logs to the log box. This process requires the appropriate rules to be configured to initiate log transmission and generate metadata by appropriate parsers on NetWitness. After the setup, the focus shifts to building correlation rules, alerts, and other monitoring activities. These rules and alerts are crucial components for effective monitoring.
The deployment process can vary based on the specific environment and requirements, but typically it takes about one to two weeks to complete.
Maintaining the solution doesn't require a large number of resources. Typically, one or two capable resources are sufficient to maintain the solution effectively.
It's important to continuously monitor and ensure the health and proper functioning of the solution. This involves regularly checking the log sources to ensure that the logs are being ingested correctly and there are no issues such as overutilization or spikes in network traffic.
What's my experience with pricing, setup cost, and licensing?
It is not a cheap product.
The NetWitness Platform may be affordable only for enterprise-level customers, as it may not be within the budget of small and medium-sized businesses.
What other advice do I have?
I would advise taking your time to understand the architecture of the solution, including how the modules communicate with each other and the role of each module. It is recommended to start slowly after gaining this understanding.
I would rate NetWitness Platform an eight out of ten.
Which deployment model are you using for this solution?
On-premises
Disclosure: My company has a business relationship with this vendor other than being a customer: Reseller
Reliable, straightforward installation, but lacking multi-tenant capabilities
Pros and Cons
- "The newer 11.5 version that my team is using has found it to have good mapping."
- "The multi-tenant capabilities are lagging compared to IBM QRadar."
What is our primary use case?
We have two customers using this solution and one of them is a banking business. We are collecting some of the security log sources. In the main use case, we are correlating rules and we are using the endpoint detection capabilities. We are utilizing RSA NetWitness Logs and Packets, to have more insights on an endpoint level.
What is most valuable?
The newer 11.5 version that my team is using has found it to have good mapping.
What needs improvement?
The multi-tenant capabilities are lagging compared to IBM QRadar.
We want the OEM to support us when we add a partner. They have to come forward and be ready to give a POC to the customer. For example, if we are identifying any customer, and the customer wants to see the POC but at that time we do not have that resource to showcase the POC or the environment. At this time the OEM should come forward and showcase the POC to the customer. Once the customer is satisfied, we will be gaining the business, as a win-win situation.
For how long have I used the solution?
I have been using RSA NetWitness Logs and Packets (RSA SIEM) for approximately two years.
What do I think about the stability of the solution?
The solution is reliable.
What do I think about the scalability of the solution?
I have not tried to expand the solution.
How are customer service and support?
The technical support is responsive. Professional service when it is required is expensive. I wasn't able to compare with other professional services, because we have only one tool we are using at the moment. I am not able to tell you how much other OEM professional services cost. We have heard from the support that it is expensive.
Which solution did I use previously and why did I switch?
I have previously used IBM QRadar.
How was the initial setup?
The installation is somewhat straightforward. For example, if they want a UBA or SOAR type of platform, then I don't have experience in integrating or installing the SOAR or UPA. If that kind of opportunity comes or a customer requests it, then we have to see. As it is now, RSA NetWitness Logs and Packets (RSA SIEM) installation is straightforward.
What's my experience with pricing, setup cost, and licensing?
We are on an annual license for the use of the solution.
What other advice do I have?
I would recommend version 11.5, it looks good. However, we are looking for an alternative solution.
I rate RSA NetWitness Logs and Packets (RSA SIEM) version 11.4 a seven out of ten.
Which deployment model are you using for this solution?
On-premises
Disclosure: My company has a business relationship with this vendor other than being a customer: Partner
Delivery Partner APAC and MEA at Tata Consultancy
Streamlined solution that's easy to implement
Pros and Cons
- "The software is scalable to whatever is required, and you can also put a lot of resources in the cloud."
- "An area for improvement would be better automation and more inbuilt use cases."
What is our primary use case?
Primarily, I use this solution to integrate with applications and systems like firewalls and routers. For example, if somebody is trying to log on from two different locations simultaneously, we can catch that.
How has it helped my organization?
Over time, NetWitness Logs and Packets has matured from a boxed solution with multiple parts to the current, more streamlined version for which we only need the software license to put it up on our own cloud and deliver it to multiple clients.
What needs improvement?
An area for improvement would be better automation and more inbuilt use cases. In the next release, RSA should include an inbuilt migration framework that can do remediation.
For how long have I used the solution?
I've been using this solution since 2011.
What do I think about the stability of the solution?
This is a stable solution.
What do I think about the scalability of the solution?
The software is scalable to whatever is required, and you can also put a lot of resources in the cloud.
How was the initial setup?
The initial setup isn't much of a challenge and can be completed in under twelve hours.
What's my experience with pricing, setup cost, and licensing?
Our license price is updated yearly, and there are no additional costs.
What other advice do I have?
I would rate NetWitness Logs and Packets as eight out of ten.
Which deployment model are you using for this solution?
Private Cloud
If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?
Other
Disclosure: My company has a business relationship with this vendor other than being a customer: Partner
Presales Manager at a tech services company with 51-200 employees
Enables incident response team to correlate logs to identify any kind of problem, both for logs and packets
Pros and Cons
- "It gives the capability for the incident response team to correlate logs to identify any kind of problem like malware and incidents in a general sense, both for logs and packets."
- "If we have the ability to run a dynamic analysis through malware in the same suite, it would be great to have a sandbox solution to analyze malware through dynamic analysis."
What is our primary use case?
This solution is deployed on-premise.
What is most valuable?
It gives the capability for the incident response team to correlate logs to identify any kind of problem like malware and incidents in a general sense, both for logs and packets. I think the most important thing was that it gives the customer the capability to discover and respond to an incident. It gives customers visibility about their most important servers and devices.
Regarding the packet model, the most important thing is how easy it is to rebuild the raw data. Through one click, you can see an email that was sent even without accessing the mailbox from the user. It's easy to rebuild the raw data, especially the packet.
What needs improvement?
If we have the ability to run a dynamic analysis through malware in the same suite, it would be great to have a sandbox solution to analyze malware through dynamic analysis.
NetWitness has a malware appliance, but in terms of dynamic analysis, we need to integrate with 30 vendors. It would be great to have a sandbox produced by the RSA and the SSL appliance also.
For how long have I used the solution?
I have been working with this solution for six years.
Which solution did I use previously and why did I switch?
I have worked with ArcSight from Micro Focus. One thing to be improved in NetWitness is the capability to correlate event logs in a general sense. We have less resources in the NetWitness correlation engine compared with ArcSight.
What other advice do I have?
I would rate this solution 8 out of 10.
Which deployment model are you using for this solution?
On-premises
Disclosure: I am a real user, and this review is based on my own experience and opinions.