This solution is deployed on-premise.
Presales Manager at a tech services company with 51-200 employees
Enables incident response team to correlate logs to identify any kind of problem, both for logs and packets
Pros and Cons
- "It gives the capability for the incident response team to correlate logs to identify any kind of problem like malware and incidents in a general sense, both for logs and packets."
- "If we have the ability to run a dynamic analysis through malware in the same suite, it would be great to have a sandbox solution to analyze malware through dynamic analysis."
What is our primary use case?
What is most valuable?
It gives the capability for the incident response team to correlate logs to identify any kind of problem like malware and incidents in a general sense, both for logs and packets. I think the most important thing was that it gives the customer the capability to discover and respond to an incident. It gives customers visibility about their most important servers and devices.
Regarding the packet model, the most important thing is how easy it is to rebuild the raw data. Through one click, you can see an email that was sent even without accessing the mailbox from the user. It's easy to rebuild the raw data, especially the packet.
What needs improvement?
If we have the ability to run a dynamic analysis through malware in the same suite, it would be great to have a sandbox solution to analyze malware through dynamic analysis.
NetWitness has a malware appliance, but in terms of dynamic analysis, we need to integrate with 30 vendors. It would be great to have a sandbox produced by the RSA and the SSL appliance also.
For how long have I used the solution?
I have been working with this solution for six years.
Buyer's Guide
NetWitness Platform
October 2024
Learn what your peers think about NetWitness Platform. Get advice and tips from experienced pros sharing their opinions. Updated: October 2024.
814,649 professionals have used our research since 2012.
Which solution did I use previously and why did I switch?
I have worked with ArcSight from Micro Focus. One thing to be improved in NetWitness is the capability to correlate event logs in a general sense. We have less resources in the NetWitness correlation engine compared with ArcSight.
What other advice do I have?
I would rate this solution 8 out of 10.
Which deployment model are you using for this solution?
On-premises
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Program Manager at EGYANAM TECH
Economical with good technical support and is easily scalable
Pros and Cons
- "It's quite economical compared to other solutions in the market."
- "The initial setup is complex. There are other solutions that are easier to implement."
What is our primary use case?
I'm primarily using the solution on my client's site.
This is a log event management tool. We are integrating this solution for the clients where it is required. Mostly we work with OEMs such as IBM, RSA, Splunk, and Micro Focus.
With the help of these tools, you can identify any attacks or phishing activity in your network. Most of the time you are able to identify these types of attacks or activity on your firewall. When the firewall will notify the SIEM tools, it will identify which needs to be acted on immediately - unlike when you are using automation tools. With the help of automated tools, you can block those suspicious IPS or you can hand it over back to your security analyst or analyst team to take action ASAP.
What is most valuable?
We have not evaluated this tool. It is evaluated by the client's company directly. That said, I have found it has good threat intel insights, comparatively speaking.
From the client-side, there are economical kinds of features. It's quite economical compared to other solutions in the market.
The solution is scalable.
The technical support is very good.
What needs improvement?
We are designing reports and automated rules and processes. We are defining them in relation to this product. With the help of automated rules and processes, this product will help the team when they go to production to do operations smoothly, as, most of the time, what happens when you put manual interference into such systems, it may be delayed. This can lead to vulnerabilities. Sometimes, if a hacker enters the system, he might only have a limited time where there is a window of access, however, in that time, he'll take what he can, and even if the vulnerability only lasted for a few minutes, in that time, items can get stolen.
Therefore, there needs to be more proactively to avoid any downtime. We're adding automating tools to help RSA Netwitness so that if anything happens, RSA can immediately shut anything down. We're in the process of configuring them and adding them in.
The initial setup is complex. There are solutions that are easier to implement.
For how long have I used the solution?
I've been using the solution for two and a half years.
What do I think about the stability of the solution?
The solution is reliable. I won't say great, due to the fact that, naturally, if you compare it to other products it is not that great. That said, for the operations, it is good as long as you do not violate your license. The moment you violate your license, this will cause a quite delayed reaction, at least, that is what I've seen compared to Splunk and QRadar.
What do I think about the scalability of the solution?
While the solution isn't necessarily for small organizations, it is good for medium and large organizations.
The solution scales easily.
How are customer service and technical support?
Technical support is very good. They try to resolve issues with the proper SLAs which are defined by them and they understand the client's requirements as well as the client's infrastructure in a better manner. I'm happy with the support.
How was the initial setup?
The solution is pretty complex to set up. Comparatively, I have worked on IBM QRadar and Splunk. They are much easier to set up. It also depends on the client's infrastructure. It just needs some time and understanding to be deployed.
Once it is deployed it requires maintenance. Whenever you work on such products, if you do not take the support or support services, it might take some time to work through some things. For some things, the documentation is not the best. Support is always recommended. If you do not buy support, it can be a disaster.
What's my experience with pricing, setup cost, and licensing?
It's my understanding that the pricing of the product is pretty good. Compared to other options on the market, it's reasonable.
I would say it's economical, as the licensing part is always a different ball game in the SIEM tools business, as everyone is running their business in a different manner. If you go to IBM, they will charge you in a different way, for example. RSA will charge you in a different way as well, and Splunk has its own unique licensing policies. I would say it's economical. I won't say it's cheap. It is in between.
Currently, there is only one license. There aren't different licensing models. Hardware is included in the price.
What other advice do I have?
I'm on the latest version of the solution. I tend to work on updated versions.
We are systems integrators. We have a partnership with RSA.
If a company decides to try out this product, they need to do the homework properly due to the fact that sometimes on the hardware side or on the software side, you may face some issues. It is better to study thoroughly the troubleshooting part and prepare properly. Only then you can go for implementation.
I'd rate the solution at an eight out of ten.
Which deployment model are you using for this solution?
On-premises
Disclosure: My company has a business relationship with this vendor other than being a customer: Partner
Buyer's Guide
NetWitness Platform
October 2024
Learn what your peers think about NetWitness Platform. Get advice and tips from experienced pros sharing their opinions. Updated: October 2024.
814,649 professionals have used our research since 2012.
Security Engineer/Architect at Telecom Italia
Offers good security, integrates well, and they have good technical support
Pros and Cons
- "The most valuable feature is the security that it provides."
- "It is not so easy to customize this product."
What is our primary use case?
We are a solution provider and RSA NetWitness is one of the products that we implement for our clients. We also use it ourselves, They primarily use it for threat protection.
What is most valuable?
The most valuable feature is the security that it provides.
The log-related capabilities are good.
It integrates well with other risk-assessment tools.
What needs improvement?
It is not so easy to customize this product.
This product would be improved with the addition of machine learning functionality.
For how long have I used the solution?
I have been working with this product for perhaps eight years.
What do I think about the stability of the solution?
Stability is not a problem with NetWitness.
What do I think about the scalability of the solution?
We have not heard any complaints about scalability. This is generally for enterprise-level companies.
How are customer service and technical support?
The technical support is good and our customers are satisfied with it.
Which solution did I use previously and why did I switch?
We use McAfee for internal purposes.
How was the initial setup?
The complexity of the initial setup depends on the environment, but overall, I would say that it is quite easy. It isn't the easiest product to install, although it is not difficult, either.
What other advice do I have?
They have just introduced an orchestration tool, although I don't know how it works yet.
Overall, this is a good product and I recommend it. However, I always suggest doing a proof of concept first, to make sure that it meets your needs.
I would rate this solution an eight out of ten.
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Information Technology Security Architect at a financial services firm with 5,001-10,000 employees
Provides accurate information, quick analysis from the endpoint perspective, and quick identification of any potential malware
Pros and Cons
- "It's fully scalable. There is no limit. Of course, the license limits per day the number of terabytes. In my opinion, it's very flexible."
- "They should implement algorithms to digest that data and produce additional, more advanced reporting, alerting and support of internal security teams."
What is our primary use case?
We use the on-premise deployment model of this solution. Our primary use case of this solution is for malware detection and for reconstruction during the incident and forensic analysis.
What needs improvement?
The web interface needs improvement because right now they have problems combining an older interface with a newer interface. They're in the middle of the process of combining the old and the new one. It sometimes confuses the user and sometimes you are not able to find the necessary information. You need to click the information and that is something that should be improved.
The data isn't a problem but you need to get used to it. You need to know where to click in order to get the results. Otherwise, you can encounter some problems.
I would be very happy if they would fix all the issues from 11.3 to the 11.4 version to have more advantages from the UEBA because the UEBA we have implemented will be the longest. If they will fully integrate the UEBA with the network data, this could be a very huge advantage and impact on the market. Right now, you have a solution like Darktrace which has the same capabilities as RSA NetWitness so NetWitness should implement the same things. They have UEBA, they have data. They should implement algorithms to digest that data and produce additional, more advanced reporting, alerting and support of internal security teams.
For how long have I used the solution?
I have been using this solution for almost three years.
What do I think about the stability of the solution?
It's very stable if you are talking about the old version. I don't like 11.3 and I don't know 11.4, it's not actually released. It provides accurate information, quick analysis from the endpoint perspective, and quick identification of any potential malware. But the 11.3 version is a complete disaster. You cannot analyze anything.
I am part of the maintenance team. It's me and a couple more staff members that don't work full-time on this solution. I would say around four employees are required for maintenance but not full-time.
What do I think about the scalability of the solution?
It's fully scalable. There is no limit. Of course, the license limits per day the number of terabytes. In my opinion, it's very flexible.
We have 10,000 users using this solution.
We do plan to increase the usage of this solution. We want to implement more monitoring of the internal traffic from specific places. We need to implement more decoders, more concentrators, and some kind of organization with the log archiving.
How are customer service and technical support?
Their customer service is excellent, one of the best.
Which solution did I use previously and why did I switch?
I have been using Fidelis and that works. It's all the same approach, but they only gather the metadata, not the full packet capture. If you want to compare those products together, I can safely say that RSA is much better because they offer full packet capture capability. It's more scalable and more flexible.
How was the initial setup?
The initial set up was not very complex. The problem is with the use cases. You need to be very careful to not become overwhelmed with unnecessary data. You need to very carefully decide what should be filtered, what you need to be taken from the network or from the logs. You need to decide whether you need YouTube traffic at all, for example, because it consumes storage. It's a huge amount of data and that data is useless. It is not relevant to malicious activity and if you want to fully get the picture of the user activity or the motor activity you can have with data without Facebook, for example.
What's my experience with pricing, setup cost, and licensing?
We have a perpetual license, so the total cost of ownership is not very expensive. It's a good investment.
Which other solutions did I evaluate?
We have looked through the Cisco solution to expand more devices from Fidelis to cover more areas of our network. I also evaluated Symantec and I have seen FireEye but it's hard to even compare those products to RSA.
What other advice do I have?
If it's possible, ask for help from primary support to help you implement at the very beginning with the fundamental alert or detection rules. This is my best advice for a customer regardless of the size and scope of the implementation. Use the support to help you with the implementation process.
I would rate it an eight out of ten.
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Senior Cyber Security Specialist at a tech vendor with 10,001+ employees
Good support, powerful decoders and concentrator, but the dashboard is not reflecting events in real-time
Pros and Cons
- "The most valuable features are the packet decoder, log decoder, and concentrator."
- "Log aggregation is an issue with this solution because there are a huge number of alerts in a single instance."
What is our primary use case?
We are a service providing company and this is one of the products that we implement for our clients. The RSA NetWitness Logs and Packets solution is used for Event Stream Analysis (ESA), and we implement use cases based on our customers' needs. For example, suppose the security device is a Palo Alto device then at the policy level, we implement the use cases. These might be things like phishing attacks or a botnet. Most companies follow the GDPR regulations for compliance.
We have RSA NetWitness implemented in virtual appliances.
What is most valuable?
The most valuable features are the packet decoder, log decoder, and concentrator. The packet decoder is capable of collecting the flow, whereas the log decoder is capable of collecting the event. NetWitness offers a hybrid solution that collects both and also uses the concentrator.
What needs improvement?
The alert dashboard is not reflecting events in real-time. We have to refresh in order to view an alert in real-time.
Log aggregation is an issue with this solution because there are a huge number of alerts in a single instance. Compared to ArcSight or QRadar, this is a problem.
For how long have I used the solution?
We have been using RSA NetWitness for about a year and a half.
What do I think about the stability of the solution?
The stability of RSA NetWitness is good. It is used on a daily basis.
What do I think about the scalability of the solution?
The ability to scale varies from client to client, and what the client's requirements are. Sometimes the client will want to move to a lighter platform and you have to consider the many inputs related to the cloud.
We are supporting 10 to 15 clients for this solution.
How are customer service and technical support?
With regard to technical support, we have found that their diagnosis makes sense but in some cases, they are very late to reply. Our clients always want to resolve the issue through us, and sometimes the support takes a long time. Because RSA NetWitness is a new product, there are many things that they are trying to find out.
Overall, I would say that the support is good.
Which solution did I use previously and why did I switch?
We are using multiple tools including QRadar, RSA NetWitness, LogRhythm, and Micro
Focus ArcSight.
The QRadar setup gave us no issues, and it also works with logs and packets.
LogRhythm fulfills the GDPR compliance.
How was the initial setup?
The initial setup is good, and it is not complex.
The length of time it takes to deploy depends on the type and size of the organization. It takes two to three days to implement this solution, including all of the installation and configuration. Once the company provides the requirements then we implement as per the organizational policy.
What about the implementation team?
We implement this solution using our in-house team, although if an issue should occur during installation then we can raise a ticket with support. We have had issues with difficult deployments because of the database during installation, which has lead to using the support portal.
The number of people required for deployment and maintenance depends on how many logs are being integrated. Suppose there are 100 or 200 logs, then 10 people will be sufficient if they focus on deployment and troubleshooting. It also depends on the timeline. If the timeline is longer then five people are enough to complete the implementation.
What's my experience with pricing, setup cost, and licensing?
Many clients are not able to purchase the packet capability because there is a huge amount of data, and the cost depends on the number of EPS (Events per second), as well as the number of gigabytes of data per day.
What other advice do I have?
My advice to anybody who is researching this solution is to consider the differences between the hardware and the virtual solution. The hardware is okay, but if you have any issues and need to restart then it is easy to do this with the VM. My preference is using the VM, where they can easily increase the size of storage if necessary.
It is important to remember that ESA takes all of the main memory. The minimum requirement is 96 GB of RAM, and this is very easy to implement on a virtual machine. My advice is to implement ESA using the maximum eligibility criteria. Consider what the hardware requires are in terms of RAM and storage, and use the maximum available for ESA.
This solution has a very good dashboard with a separate tab for incidents and alerts. There is a ticketing tool as well. If the problems with the dashboard are corrected then we will not need to have any other tools. The dashboard is a very important feature for clients.
I would rate this solution a seven out of ten.
Which deployment model are you using for this solution?
Private Cloud
Disclosure: My company has a business relationship with this vendor other than being a customer: Partner
Team Leader & Head of MSSP at We Ankor
Good features for investigating network problems but it is pricey and lacking in usability
Pros and Cons
- "The most valuable feature is the ability to write rules and triggers for network communication, and then being able to investigate based on that."
- "The system looks like it is a mix of a bunch of different systems, and nothing looked like it was quite together."
What is our primary use case?
We are no longer using this solution, however, it was used mostly for network monitoring.
What is most valuable?
The most valuable feature is the ability to write rules and triggers for network communication and then being able to investigate based on that. You can see the payload and deconstruct the packets.
What needs improvement?
The solution would be greatly improved by unifying the management to one configuration option. One of the problems the system had is that you always have to choose the managed host. For example, if you want to write a rule, you have to duplicate it across your managed hosts. It should have centralized management. If you want to make a change then it should be configured automatically, so that you don't need to go one by one, changing it. That is really annoying.
Another problem is that the EPL (Event Processing Language) is not properly explained, and the expert could not even use it when they came to our site. It was causing the system to crash, so they should really consider using something else.
The system looks like it is a mix of a bunch of different systems, and nothing looked like it was quite together. I think that it could be better integrated, and it would be great for new customers or even existing customers.
For how long have I used the solution?
About one year, on and off.
What do I think about the stability of the solution?
I cannot say that the solution was stable because it tended to crash. We were using it before version 11, where some of the problems were supposed to be solved. I have heard from insiders that version 11 does not hold up to the hype and they're still facing some of the same problems.
What do I think about the scalability of the solution?
I think that the solution is scalable because you can easily add news hosts. This is one of the things that was really straightforward and we appreciated.
How are customer service and technical support?
The people that we spoke with from technical support were really professional. Some visited us on-site and did some training with our analysists. They are really good staff and we really liked it. The company that did the integration at the site where I was working was planning on re-hiring them for other customers, so they made a good impression.
The support is responsive by email, but initially, it is a little bit lacking. Beyond the initial emails, it is quite professional.
How was the initial setup?
I was not part of the initial setup, but I can tell you that managing the system, in general, is not straightforward. It is quite elusive and very confusing, even after calls to technical support.
What's my experience with pricing, setup cost, and licensing?
This is a pricey solution; it's not cheap.
Perhaps if the implementation is small then it is not bad, but if you have a global network or a security agency that needs to be segregated on the network, then it can be quite pricey.
What other advice do I have?
This solution has some good features, but it is lacking in usability. This means that I would rate it somewhere in the middle. I would rate this solution a five out of ten.
Disclosure: My company has a business relationship with this vendor other than being a customer: Partner.
RSA Specialist at a computer software company with 1,001-5,000 employees
A user-friendly solution that integrates well with our system
Pros and Cons
- "The most valuable features are the integration and ease of use."
- "The documentation is not as structured as I would like, personally, and I think that it can be improved and made much more user-friendly."
What is our primary use case?
Our customers are enterprise-level businesses.
What is most valuable?
The most valuable features are the integration and ease of use. It is a pretty simple platform that can integrate very well with our system.
What needs improvement?
The documentation is not as structured as I would like, personally, and I think that it can be improved and made much more user-friendly. I may see it differently than other people.
I would like to see a little question mark beside each button that you can click and find out what that button is for. It would make it much easier for people who are new to the solution. Like a pop-up appearing when hovering over the question mark, attached to each main action and split into branches.
For how long have I used the solution?
We began using RSA NetWitness Logs and Packets not long ago.
What do I think about the stability of the solution?
This is a very stable product.
How are customer service and technical support?
I have not been in contact with technical support.
I would say that RSA University is fair and square. It is a bit tricky because they have changed the learning platform and I had trouble enrolling in courses. I needed to contact Dell EMC support, which is the same support for RSA, and they assigned the courses to me in one or two hours. In the end, I was very satisfied. It is a bit expensive but the companies are paying for it.
How was the initial setup?
The initial setup is straightforward. I am also coding so it is easy for me to adapt.
What other advice do I have?
I have also worked with RSA SecurID and I can say that from the moment I touched it, it has been very easy for me to use.
The company is very active on the market and it is improving continuously. EMC/RSA are trying to approach a build such that it can meet every user's needs, but you can't satisfy everyone.
I recommend RSA NetWitness alongside other products, although I would suggest this first because of the user-friendly interface and easy-to-manipulate options. The only issue I have is with the documentation.
Overall, this is a good solution with suitable features and it very well fits our needs.
I would rate this solution a nine out of ten.
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Associate Manager Human Resources at a financial services firm with 1,001-5,000 employees
Good packet inspection and automated incident response, but it needs to be more customizable
Pros and Cons
- "The most valuable features are the packet inspection and the automated incident response."
- "More customizability is required, which is something that they need to improve on."
What is our primary use case?
We are using this solution for security.
What is most valuable?
The most valuable features are the packet inspection and the automated incident response.
What needs improvement?
More customizability is required, which is something that they need to improve on.
When it comes to starting a log event, there are not many options available. It is very limited.
The log and event correlation need improvement.
The threat detection capability should be enhanced.
For how long have I used the solution?
I have been using this solution for one month.
What do I think about the stability of the solution?
We are using it on a daily basis and, so far, it has been stable.
What do I think about the scalability of the solution?
We have approximately 6000 employees, which means that we have 6000 endpoints that this product is working with. It is easy to scale it up to production.
How are customer service and technical support?
We have not had to contact technical support.
Which solution did I use previously and why did I switch?
In this company, they did not use a similar solution prior to this one. Personally, I used Splunk in my previous organization. Definitely, I prefer to use Splunk because there is more functionality, visibility, and options. You can do whatever you want with Splunk.
How was the initial setup?
The initial setup is not complex, and more on the simple side. Our deployment took almost five months in total.
What about the implementation team?
We had assistance from an integrator and the vendor for our deployment.
We have administrators in the company who take care of administration and maintenance. The vendor was only needed for the implementation.
What other advice do I have?
RSA is something that I can recommend.
I would rate this solution a six out of ten.
Which deployment model are you using for this solution?
On-premises
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Buyer's Guide
Download our free NetWitness Platform Report and get advice and tips from experienced pros
sharing their opinions.
Updated: October 2024
Popular Comparisons
Netgate pfSense
Splunk Enterprise Security
Microsoft Sentinel
CyberArk Privileged Access Manager
IBM Security QRadar
Elastic Security
Palo Alto Networks WildFire
AWS Security Hub
LogRhythm SIEM
Cisco Secure Network Analytics
Rapid7 InsightIDR
Microsoft Defender for Identity
Arbor DDoS
Fortinet FortiSIEM
Buyer's Guide
Download our free NetWitness Platform Report and get advice and tips from experienced pros
sharing their opinions.
Quick Links
Learn More: Questions:
- When evaluating Log Management tools and software, what aspect do you think is the most important to look for?
- Datadog vs ELK: which one is good in terms of performance, cost and efficiency?
- Which Windows event log monitoring tool do you recommend?
- What is the difference between log management and SIEM?
- Splunk vs. Elastic Stack
- How can Cloudtrail logs be used effectively to improve log monitoring?
- Why hot data and cold data differences in SIEM solutions are not discussed sufficiently?
- When evaluating Log Management solutions, what aspect do you think is the most important to look for?
- When evaluating Log Management solutions, what aspects do you think are the most important to look for?
- Why are Log Management tools important for companies?