NetWitness Platform Reviews

It is an SIEM solution used regularly as a part of the SOC to collect data from all the security environments in my company.

NetWitness Platform is valuable for creating rules that the solution must detect.

A big problem with the product is that we don't have much professional experience in Israel installing, implementing, and integrating this product. There is not enough of a knowledge base. There is no support for this product in this country, so problems have to be resolved through global technical teams. We like to work locally because of the language, and when the product is only supported outside the country, it's a little difficult to implement and use this product.

Moreover, AI is something that must be added immediately. Artificial intelligence is a part of the competitors' products, and it's not been implemented for us.

I've worked with NetWitness Platform for two years.

I rate NetWitness Platform's stability an eight or nine out of ten.

I rate NetWitness Platform's scalability a six out of ten.

Technical support is not available locally in Israel. We're using support from outside. It's global technical support from the vendor and is available 24 hours a day. However, the escalation is very slow. It's dependent on the kind of situation we're in. If it's a full dimension where we have malfunctions that stop processes, the issue can be escalated very fast. We can get support immediately with the service-level agreement we have. But if we have any questions about using the technical support for systems for feature requests or some knowledge. It can take a lot of time, and It's not something we can get from the vendor.

Neutral

I rate the initial setup a five out of ten since the solution had to be implemented twice. It took more than half a year to deploy the solution. Some of the processes were set up with the first implementation very fast. However, the implementation was insufficient to use the solution with all the needed coverage. All the customizations and integrations can take a few months, and it's a long process.

The steps taken to deploy NetWitness Platform are like with any other product. We had to plan whether it was a low-level or high-level design. We had to see the scope of work for implementation, including all the integration processes and data connections.

The supplier's knowledge base was less on the integration side, so the solution had to be done twice.

The number of people needed to deploy the solution depends on whether the person has the needed experience, knowledge, or skill sets. If they do, the setup will be fast. But sometimes, people have limited information or knowledge from something special they focused on, so the number of people needed for deployment depends on the situation. By design, the solution can be implemented by one person.

The tool is very expensive, so I rate the pricing a ten out of ten. The solution has an annual subscription.

NetWitness is a part of the cybersecurity solutions we use today, but it's not the only one. We use many different solutions, such as Splunk and QRadar. The product is an SIEM solution, and we use SIEM solutions from different vendors for different needs on different sites.

We don't have all the features we thought were a part of the solution. We need to do many things manually to customize the solution for the customer's needs. By the book, we don't have enough to connect the product to all the systems with some inputs based on machine learning or all the new algorithms like artificial intelligence. The customer must know all these before installing this product. We need community knowledge for new products that tell us what has to be added after a few installations. The setup, then, can be very fast, and all the knowledge for integration with other components and the company's infrastructure can also be very fast because the solution is best-of-breed and third-party. It's not proprietary for special companies and corporations. In the context of product implementation, everything is very slow and must be done manually and not integrated automatically into the product. We need to know what we will do, how we will monitor the overall system, what kind of events we want to collect from the system, and what type of layout we want to provide through the system to alert about incidents or some type of situation. The customer manually processes all this. It's not like we deploy the product and get all this information and all these capabilities in one coverage of the solution.

Before choosing the NetWitness Platform, find the best integrators with professional experience implementing and deploying this product in other companies. The product has many features and coverage but needs professional integration and implementation.

I would rate NetWitness Platform an eight, but since it depends on the installation, I rate the solution a seven out of ten.

We have been using the RSA SIEM with the NetWitness Platform for a long time.

The most valuable feature is the hunting ability to work in a CERT.

The log system is a bit complex and has room for improvement.

I have been using the solution for a few years.

The solution is stable and is able to work with a lot of complex data.

Using the software is straightforward, but configuring it is complex. To achieve the best results, we need to set up the log system. We have an RSA team to integrate the log system with the SIEM.

In comparison to other SIEM solutions such as Splunk, NetWitness is less costly.

I give the solution a nine out of ten.

I recommend the solution to others.

RSA NetWitness Logs and Packets are used exclusively for monitoring scenarios, insider threat analysis, and log retention.

The most valuable feature of RSA NetWitness Logs and Packets are the alerts and correlations tools.

RSA NetWitness Logs and Packets can improve the threat level aspect, it is lacking compared to other solutions. Whenever any hacking activity or any other threat factor occurred they used to provide the coverages very fast when comparing RSA NetWitness Logs and Packets. I heard the other three solutions, from a discussion with my team members who had experience in other solutions, they used to say that. Whenever any issues happened across the globe RSA NetWitness Logs and Packets are a little bit slow improving those detection mechanisms.

I have been using RSA NetWitness Logs and Packets for six years.

Some of the RSA NetWitness Logs and Packets versions are not stable. Whenever they are releasing upgrades we were facing some issues.

The scalability could improve. RSA NetWitness Logs and Packets have some limitations in the on-premise sizing. It requires more workers to procure the hardware. It is time-consuming.

The solution is only being used by our security operations team of approximately 10 to 15 people.

When we have any critical issues we escalate them to the support of RSA NetWitness Logs and Packets.

I rate the support from RSA NetWitness Logs and Packets a four out of five.

We were using RSA Ticket Analytics and now we are using RSA NetWitness Logs and Packets.

The initial setup of RSA NetWitness Logs and Packets is not complicated, it is easy for us. However, there are some sizing limitations.

We did the implementation of RSA NetWitness Logs and Packets in-house. We have not had any issues with maintenance. 

RSA NetWitness Logs and Packets do not have a subscription model, it's a one-time purchase. There is only a perpetual license.

When comparing the cloud security solutions, RSA feels outdated. I would advise others before choosing RSA NetWitness Logs and Packets, to do a POC process and later they can do the purchase if it fits their needs.

I rate RSA NetWitness Logs and Packets an eight out of ten.

We provide NetWitness along with Archer, and multiple sites. We are managing their security operations using this other station and Archer. A collector can work in two different ways. It can collect the logs, and it can aggregate the traffic tools from different net flow logs. When I saying "logs," I mean a log collector and when I say "packet," that means the packet or log connector. 

The stability all depends upon how well the site is set up. All these solutions are good, but the CPU and OS are the major portion of undoing the correlations. If you have a poor correlation, then you need to have less than 70 percent utilization. Then that may not be good performance. 

NetWitness is scalable. You can scale, but you cannot assume that if you are deploying it today, you could use the same hardware setup as before. You only have two or three connectors. It is not at all possible. However, 20 percent scalability is always there with Odyssey.

Nowadays, their support is a little subpar compared to other solutions. I rate RSA support six out of 10. 

Setting up NetWitness is straightforward. There are multiple connectors, including standard and specialized connectors. One purpose of the connectors is the enhanced capability integrate the custom applications. NetWitness comes with E6 appliances and application images that we use for the initial configurations and for the OS stack information. From there, you can consider the correlation rules, integrate the different log sources, and easily create correlation rules and backlog reports.

The complexity of the deployment depends on the amount and type of log sources. Are there any custom home-grown log sources for which you need to create the custom parsers? How many different logs or log lines in a home grown application? These factors might make your parser development a bit cumbersome.

The licenses are based on the ETS.

I rate RSA NetWitness Logs and Packets eight out of 10. Aside from ETS, it is the second-most important solution for maintaining compliance and how much data you need in the online logs or the offline archival logs.

Our solution is utilized by customers to monitor security alerts by ingesting logs from all their assets. 

They create correlation rules to identify any potential breaches or hacking attempts and receive notifications through the dashboard.

Customers can use additional features to investigate the incident and take the necessary actions.

Prior to implementing the solution, the customers had no visibility of their assets. However, after adopting the solution, they have gained complete visibility over all their assets, including a comprehensive understanding of the network and attack symptoms. With this knowledge, they can respond to any attack and take necessary actions. Essentially, this case has empowered them with comprehensive network visibility.

In my opinion, the solution's most valuable feature is its capacity to monitor network traffic, logs from devices within the network, and network captures.

This capability extends beyond logs to include full network capturing.

I believe that integrating the solution with other products such as Oracle would be beneficial. However, I suggest that the integration process be streamlined and made more efficient to ensure a smooth experience.

It would be great to have the ability to customize reports in a more user-friendly manner.

We are resellers for the NetWitness Platform.

We have not had any issues with the stability of the NetWitness Platform, it is a stable solution.

This solution is very scalable.

We have contacted technical support. They are available. They have around-the-clock support, and they're very helpful.

I would rate them a nine out of ten. There is always room for improvement.

I have worked with Zscaler and Cisco for four or five years.

I am familiar with Elasticsearch, but I prefer NetWitness Platform as it is specifically designed as a security solution for logs, packets, and endpoints rather than a SIEM-only only tool.

The initial setup is complex. It requires some knowledge in order to set it up.

If one is the most difficult and ten is the easiest, I would rate it a three out of ten. It's quite complex.

Initially, we need to prepare the hardware boxes, whether they are physical or virtual or offered as a service. This involves imaging them with the appropriate functions for the module. Then, for network packet capture, the mirror ports must be connected to the packet capture box. Regarding logs, the configuration process involves making NetWitness boxes communicate with each other through the appropriate protocols and ports.

Following this, the next step involves configuring the log sources to send logs to the log box. This process requires the appropriate rules to be configured to initiate log transmission and generate metadata by appropriate parsers on NetWitness. After the setup, the focus shifts to building correlation rules, alerts, and other monitoring activities. These rules and alerts are crucial components for effective monitoring.

The deployment process can vary based on the specific environment and requirements, but typically it takes about one to two weeks to complete.

Maintaining the solution doesn't require a large number of resources. Typically, one or two capable resources are sufficient to maintain the solution effectively.

It's important to continuously monitor and ensure the health and proper functioning of the solution. This involves regularly checking the log sources to ensure that the logs are being ingested correctly and there are no issues such as overutilization or spikes in network traffic.

It is not a cheap product.

The NetWitness Platform may be affordable only for enterprise-level customers, as it may not be within the budget of small and medium-sized businesses.

I would advise taking your time to understand the architecture of the solution, including how the modules communicate with each other and the role of each module. It is recommended to start slowly after gaining this understanding.

I would rate NetWitness Platform an eight out of ten.

We have two customers using this solution and one of them is a banking business. We are collecting some of the security log sources. In the main use case, we are correlating rules and we are using the endpoint detection capabilities. We are utilizing RSA NetWitness Logs and Packets, to have more insights on an endpoint level.

The newer 11.5 version that my team is using has found it to have good mapping.

The multi-tenant capabilities are lagging compared to IBM QRadar.

We want the OEM to support us when we add a partner. They have to come forward and be ready to give a POC to the customer. For example, if we are identifying any customer, and the customer wants to see the POC but at that time we do not have that resource to showcase the POC or the environment. At this time the OEM should come forward and showcase the POC to the customer. Once the customer is satisfied, we will be gaining the business, as a win-win situation.

I have been using RSA NetWitness Logs and Packets (RSA SIEM) for approximately two years.

The solution is reliable.

I have not tried to expand the solution.

The technical support is responsive. Professional service when it is required is expensive. I wasn't able to compare with other professional services, because we have only one tool we are using at the moment. I am not able to tell you how much other OEM professional services cost. We have heard from the support that it is expensive.

I have previously used IBM QRadar.

The installation is somewhat straightforward. For example, if they want a UBA or SOAR type of platform, then I don't have experience in integrating or installing the SOAR or UPA. If that kind of opportunity comes or a customer requests it, then we have to see. As it is now, RSA NetWitness Logs and Packets (RSA SIEM) installation is straightforward.

We are on an annual license for the use of the solution.

I would recommend version 11.5, it looks good. However, we are looking for an alternative solution.

I rate RSA NetWitness Logs and Packets (RSA SIEM) version 11.4 a seven out of ten.

Primarily, I use this solution to integrate with applications and systems like firewalls and routers. For example, if somebody is trying to log on from two different locations simultaneously, we can catch that.

Over time, NetWitness Logs and Packets has matured from a boxed solution with multiple parts to the current, more streamlined version for which we only need the software license to put it up on our own cloud and deliver it to multiple clients.

An area for improvement would be better automation and more inbuilt use cases. In the next release, RSA should include an inbuilt migration framework that can do remediation.

I've been using this solution since 2011.

This is a stable solution.

The software is scalable to whatever is required, and you can also put a lot of resources in the cloud.

The initial setup isn't much of a challenge and can be completed in under twelve hours.

Our license price is updated yearly, and there are no additional costs.

I would rate NetWitness Logs and Packets as eight out of ten.

Our primary use case is real-time threat prediction so that we can minimize the person-hours of IT security analysts.

The most valuable features are the threat prediction and network forensics. For example, if there is any malware on the network, I am able to see who received it and who clicked on it. I like this functionality the most.

The deployment of the appliance is easy, where even a non-technical person can configure it.

The SOAR (security orchestration, automation, and response) component has areas for improvement.

Technical support needs to be improved.

Integration with third-party products for industries such as the banking sector, or telecommunications, presents challenges that require help from the OEM.

Lots of competing products have vulnerability protection built into their products, and this solution would be improved by including that support.

We have been using RSA NetWitness for about 10 years.

There are no issues in terms of stability.

This solution is pretty scalable, as I am using the VM infrastructure. It can scale to whatever you need.

I am not happy with the RSA support. Sometimes they can be really annoying because it takes so long to get the support that you need.

I have used RSA enVision and ArcSight in the past. We migrated from RSA enVision because they had declared the product end-of-life and upgraded to the NetWitness platform.

The Logs component is similar to what other competitors, such as IBM, ArcSight, and LogRhythm have. What distinguishes this solution is the Packets component. It is critical and something that people should make use of.

It is easy to deploy the appliance. Anyone can mount and configure it. There is a simple, pre-built OS that they just need to mount in the VM infrastructure, and that is clearly mentioned in the documentation. It will take two or three days to deploy, at most.

The challenge comes with trying to integrate with third-party application servers. 

We deployed this solution with our in-house team.

The number of people required for maintenance depends on your use case. If you are only using it to maintain the infrastructure then two staff is sufficient. However, if you want to implement a full-fledged SOC then you will need at least four or five people.

My advice for anybody who is implementing this solution is to look at both their endpoints and circuit paths. The two components, Logs and Packets, should definitely both be considered. Even if there is an on-premises SIEM log, they can integrate it.

Overall, I feel that the product is very good and my biggest complaint is about their support.

I would rate this solution an eight out of ten.