IT Security Head with 1,001-5,000 employees
Real User
Has a simple dashboard and you can develop connectors for any application, but it is difficult to set up
Pros and Cons
  • "The most valuable feature is that we can create our own connectors for any application, and NetWitness provides the training and tools to do it."
  • "The initial setup is very complex and should be simplified."

What is our primary use case?

The RSA NetWitness Logs and Packets solution was set up as part of the SOC. It is set up on two sides. One is for the Data Center (DC) side, and the other is for the Disaster Recovery (DR) side.

What is most valuable?

The most valuable feature is that we can create our own connectors for any application, and NetWitness provides the training and tools to do it. With some other solutions, creating custom connectors is very costly.

The dashboard is very simple to use.

What needs improvement?

The initial setup is very complex and should be simplified.

We had some trouble integrating with our Check Point firewall.

For how long have I used the solution?

I used RSA NetWitness for a couple of months in my previous company.

Buyer's Guide
NetWitness Platform
December 2024
Learn what your peers think about NetWitness Platform. Get advice and tips from experienced pros sharing their opinions. Updated: December 2024.
824,067 professionals have used our research since 2012.

What do I think about the stability of the solution?

It was too early to say whether this solution was stable because you need at least a year to determine that. In the initial stages, we were still getting a lot of alerts because there was no time to fine-tune it. Maybe after six or eight months, we would have been able to say whether the product was stable. Just before reaching that point, I left the organization.

What I can say is that for the time I was there, we did not experience any bugs, crashes, or glitches.

What do I think about the scalability of the solution?

This solution is scalable. We had between 20 and 25 users, although, on a daily basis, I would say that 13 to 16 people used it.

How are customer service and support?

We did not interact with technical support because we were working with the vendor, and the vendor was working with them.

Which solution did I use previously and why did I switch?

We tried to implement Paladion but we were not able to complete our PoC because of problems.

How was the initial setup?

The initial setup is very complex. It requires having knowledge of what components do and which go where. An example is knowing which component will fetch data and where it goes. This is very difficult for somebody new and a person should have a minimum of one to two years of work experience.

Our deployment of the two solutions and having them work simultaneously took between four and five months.

What about the implementation team?

We have an in-house team, but the vendor gave us support as well. The initial setup was very tough, which is why it took four or five months to implement everything and make sure that it was configured as per our requirements.

There were six people involved in the deployment. Three from the vendor's team and three from my team. They were working day and night to make sure that things worked well.

The number of people required for maintenance depends on the hours of operation. If the business hours are 24/7 for the entire year then two people are required for maintenance.

Which other solutions did I evaluate?

We did not evaluate other options.

What other advice do I have?

My advice for anybody who is implementing this solution is to make sure that the team handling the deployment is skilled. Without support, they will not be able to do it at all.

Also, if somebody wants to make their own connectors then they will need to have a development team. Without knowledge of scripting, it is not possible to make connectors. So, I would say that at an early point there needs to be somebody specialized in the use of this product.

I would rate this solution a six out of ten.

Which deployment model are you using for this solution?

On-premises
Disclosure: I am a real user, and this review is based on my own experience and opinions.
it_user365328 - PeerSpot reviewer
Founder & CEO at a tech services company with 11-50 employees
Consultant
The Alerting Module provides real-time event processing language on the logs/packets stream.
Pros and Cons
  • "Alerting Module: It provides real-time event processing language on all the logs/packets stream for advanced alerting, i.e., using SQL LIKE statements."
  • "Health monitoring of the event sources and devices."

How has it helped my organization?

As mentioned elsewhere, this product provides full visibility for the activities in the networks and systems. For example, it provides detection of the attacks in early stages (brute-force attacks), by which the attackers try to gain access to the systems, by trying to log in using different usernames and passwords (might be in a dictionary).

What is most valuable?

RSA NetWitness is a SIEM and real-time network traffic solution. It collects logs/packets and applies a set of alerting, reporting and analysis rules on them. Thus, it provides the enterprise with a full visibility of the networks and activities of the systems.

Its main features/components are:

  • Investigation Module: It is the location where the SOC analysts can find all logs/packets captured in a time-frame, that are related/non-related and have drill-down/filtration capabilities all in one table, for investigation and analysis.
  • Alerting Module: It provides real-time event processing language on all the logs/packets stream for advanced alerting, i.e., using SQL LIKE statements.
  • Reporting Module: It provides advanced reporting capabilities.
  • Dashboard Module: It provides dashboards for specific activities on the systems and networks.
  • Command and Control Detection: In addition to identifying the C&C IPs through threat intelligence, NetWitness investigates the packets to determine any type of suspicious C&C communication, by using a feature called Automated Threat Detection.
  • Threat Hunting Package: By using this advanced technique, NetWitness automatically investigates all the service sessions, files/packets and then it identifies any IoCs, BoCs and EoCs.
  • Context Lookup: In order to give an overview during investigation, this feature highlights any value related to the previous alert, incident, RSA ECAT feed mentioned or even if it had any comment from the RSA community, that leads to detecting any recent attack (even if it is still not announced on threat intelligence).
  • Incident Module: It provides an automated incident handling utility to ensure that right actions have been taken to close the incident.
  • Malware Analysis Module: It provides a file analysis environment including sandboxing, community etc., so as to investigate more of the files captured through the environment traffic.

What needs improvement?

  • Out-of-the-box alerts and investigation rules
  • Health monitoring of the event sources and devices
  • Threat intelligence for data accuracy

What do I think about the stability of the solution?

We encountered stability issues in the earlier versions, and much fewer in the newer versions.

What do I think about the scalability of the solution?

There were no scalability issues.

What's my experience with pricing, setup cost, and licensing?

The new pricing and licensing mechanisms are fair. I would advise always to get the full solution (i.e., not only Logs).

Which other solutions did I evaluate?

I did not evaluate other solutions.

What other advice do I have?

The only thing I advise others is to spend enough time for fine-tuning and the initial rule development.

You should also develop a plan for the ongoing development and fine-tuning, as found in all the other leading SIEM solutions.

Disclosure: My company has a business relationship with this vendor other than being a customer: We are a sub-contractor.
it_user698622, Advisory Consultant at SCIS SECURITY
Top 20, MSP

I agree with Alireza's comment. It's always best practice regardless of the SIEM. Traditionally, we've used the NetWitness platform mainly for full packet capture and basic alerting. To make better use of it as a full SIEM, it's important for others to note that customers need to buy additional modules and hardware, including ESA. The additional content out of the box requires subscriptions to their RSA Live and threat intel feeds as well in many cases. It's not the usage that is too difficult; it's the administration that makes it a bear. I advise, as with many other solutions, getting vendor formal training if you intend to self-administer or create your own content.

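The brute-force scenario the review above describes (many failed logons from one source, each trying a different username, possibly followed by a success) is the kind of windowed count a SIEM alerting engine expresses as a real-time rule. The following is an added, stand-alone Python example written for this page; it is not NetWitness code and does not use the product's rule language. It assumes a generic sshd-style line format and runs over a handful of constructed sample lines, so you can see exactly what state the rule keeps and why the second source never alerts.

```python
"""Sliding-window failed-logon detector over constructed auth log lines.

Added example for illustration only: models the brute-force detection the
review describes (N failures from one source within a time window), and
flags when a successful logon follows while that window is still hot.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines in an assumed "timestamp host sshd: ..." layout.
# 203.0.113.5 fails five times with five usernames, then succeeds.
# 198.51.100.7 fails three times, but spread over eleven minutes.
SAMPLE_LOGS = """\
2024-12-01T10:00:01 srv1 sshd: Failed password for admin from 203.0.113.5
2024-12-01T10:00:02 srv1 sshd: Failed password for root from 203.0.113.5
2024-12-01T10:00:03 srv1 sshd: Failed password for oracle from 203.0.113.5
2024-12-01T10:00:04 srv1 sshd: Failed password for backup from 203.0.113.5
2024-12-01T10:00:05 srv1 sshd: Failed password for test from 203.0.113.5
2024-12-01T10:00:06 srv1 sshd: Accepted password for admin from 203.0.113.5
2024-12-01T10:00:10 srv1 sshd: Failed password for alice from 198.51.100.7
2024-12-01T10:05:30 srv1 sshd: Failed password for alice from 198.51.100.7
2024-12-01T10:11:00 srv1 sshd: Failed password for alice from 198.51.100.7
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd: (?P<outcome>Failed|Accepted) password "
    r"for (?P<user>\S+) from (?P<src>\d+\.\d+\.\d+\.\d+)$"
)


def parse_line(line):
    """Return a dict of fields for a recognised line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.fromisoformat(ev["ts"])
    return ev


def detect_bruteforce(lines, threshold=5, window=timedelta(minutes=5)):
    """Emit one alert per source IP the first time it reaches `threshold`
    failed logons inside `window`; mark the alert if a successful logon
    from that source arrives while the failures are still in the window."""
    failures = defaultdict(deque)  # src -> deque of (ts, user) inside the window
    alerted = set()
    alerts = []
    for raw in lines:
        ev = parse_line(raw)
        if ev is None:
            continue  # unparseable line: skip rather than crash the rule
        src, ts = ev["src"], ev["ts"]
        q = failures[src]
        # Expire failures older than the window before counting.
        while q and ts - q[0][0] > window:
            q.popleft()
        if ev["outcome"] == "Failed":
            q.append((ts, ev["user"]))
            if len(q) >= threshold and src not in alerted:
                alerted.add(src)
                users = {u for _, u in q}
                alerts.append({
                    "src": src,
                    "at": ts,
                    "failures": len(q),
                    "distinct_users": len(users),
                    # Many usernames from one source reads as a credential
                    # guessing/spraying attempt rather than a typo loop.
                    "kind": "multi_user" if len(users) > 1 else "single_user",
                    "followed_by_success": False,
                })
        elif src in alerted and q:
            # Success while the failure window is still hot: likely a compromise.
            for a in alerts:
                if a["src"] == src:
                    a["followed_by_success"] = True
    return alerts


if __name__ == "__main__":
    for alert in detect_bruteforce(SAMPLE_LOGS.splitlines()):
        print(alert)
```

The window is enforced by expiring old entries before each count, which is why 198.51.100.7 never alerts: its failures are more than five minutes apart, so the deque never holds more than one. In a production rule you would also key on destination host or account, and tune `threshold` and `window` per source type, which is the fine-tuning effort both reviewers above say to budget for.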
Analyst at Microland Limited
Real User
Easy to set up with good UEBA functionality
Pros and Cons
  • "What we are mainly using are the RSA concentrator, RSA Decoder, Archiver, Broker, and Log Decoder."
  • "Security needs improvement."

What is our primary use case?

The primary use case of this solution is for security.

We use the UEBA tool.

What is most valuable?

What we are mainly using are the RSA Concentrator, RSA Decoder, Archiver, Broker, and Log Decoder.

What needs improvement?

Security needs improvement.

We would still like to know how the traffic is entering the organization. We can find out but it will take time before we know, leaving the organization vulnerable for attack.

There is no SIEM tool in the world that can provide 100% security.

For how long have I used the solution?

I have been using this solution for five months.

What do I think about the stability of the solution?

Stability has not been an issue with this product.

What do I think about the scalability of the solution?

It's a scalable solution.

How was the initial setup?

The initial setup was straightforward, not at all complex.

There are approximately 1,400 devices that are integrated into RSA in my organization. While I was not a part of the integration, from my knowledge, it would take a week.

Which other solutions did I evaluate?

We have looked at similar systems and find that the architecture is somewhat different, yet the functionality is similar.

What other advice do I have?

This is a product that I recommend.

I would rate this solution an eight out of ten.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
reviewer1308300 - PeerSpot reviewer
Information Security Analyst at a tech services company with 11-50 employees
Real User
Good performance, reporting, and log archiving capability
Pros and Cons
  • "Performance and reporting are very good."
  • "The user interface is a little bit difficult for new users and it needs to be improved."

What is our primary use case?

I am currently working in a security operations center and RSA NetWitness Log and Packets is part of our security solution. We use it for log management and anomaly identification. It is used for compliance as well because it has a log archiving capability that will span at least a couple of years.

We are also using it to facilitate monitoring and research.

What is most valuable?

Performance and reporting are very good. 

What needs improvement?

The user interface is a little bit difficult for new users and it needs to be improved.

It takes a lot of time to register when compared to other solutions.

For how long have I used the solution?

I have been using this solution for about one year, although it has been in the company for a couple of years.

What do I think about the stability of the solution?

We did have some issues before our upgrade from version 10.6, although they were not major. Since the upgrade, I have noticed that some of these things have gotten better.

I would say that this is a stable solution, although there are some minor issues that need to be settled. Currently, they are being investigated.

What do I think about the scalability of the solution?

We have never had issues with scalability. We can reduce the usage as per our requirement and we increased our capacity in 2019. We are planning to further increase, either this year or next year. Scalability overall is quite easy.

How are customer service and technical support?

When we started finding problems, we got in touch with technical support and opened tickets. They worked with us to resolve them. I would rate them good, although not great. At times, I felt that they were being really short with me.

How was the initial setup?

I was not part of the initial setup but my understanding is that there were no issues and everything was good. I was part of the upgrade from version 10.6 to 11.3 and it was smooth, with no major issues.

What about the implementation team?

The deployment was done by my manager a couple of years ago.

What other advice do I have?

My advice to anybody who is considering this solution is that it is a relatively good program, but you want to take some time to get used to it. Once it is deployed and you are used to it, you can do whatever you want. Orchestration is another element that is there.

I would recommend this solution for large organizations that need to be compliant with these types of things. My main complaint is about the user interface.

I would rate this solution an eight out of ten.

Which deployment model are you using for this solution?

On-premises
Disclosure: My company has a business relationship with this vendor other than being a customer: Partner
ACD - Level 3 Analyst at a tech services company with 10,001+ employees
Real User
Advance monitoring and alerting feature is not stable, though it is easy to integrate common data sources

How has it helped my organization?

Reliable in terms of no data loss. Plays a huge role in device health checks (Event Source Monitor). Provides FSEs relevant information prior to end user problem solutions (if data sources are integrated and parsed properly).

What is most valuable?

  • Packet Solution: Allows analyst proactive hunting and alerting on daily sophisticated APTs.
  • Broker service: Aggregate multiple concentrator devices deployed in various sites which accelerates analyst’s duties.
  • Archiver – Does log retention for three to five years for forensics purposes or targeted investigations in the future.

What needs improvement?

Advance monitoring and alerting feature is not stable (Event Stream Analysis). Does not allow certain use cases running parallel.

The reporting module: If only their dashboards resembled anything you would see on any BI reporting tools.

What do I think about the stability of the solution?

More than once with fine tuning use cases (ESA feature) for real-time monitoring.

Reporting feature suddenly limits the amount of log extraction over certain cycles.

What do I think about the scalability of the solution?

Never.

How are customer service and technical support?

An eight out of 10. RSA tech support is awesome.

Sometimes they face huge challenges when an unknown bug hits their system and tech support must take their cases to engineering.

Which solution did I use previously and why did I switch?

None in production other than RSA. However, I will be using IBM QRadar towards the end of this year.

How was the initial setup?

I was never involved in setting up the solution with any of my employers. I get to learn the architecture and see the environment once it's complete.

What's my experience with pricing, setup cost, and licensing?

RSA licensing ranges per core devices and services.

An additional Designated Support Engineer can be acquired at quite a pricey cost. They are reliable as your system and will be given a higher priority than any other support case(s).

Which other solutions did I evaluate?

Our partnership with RSA was already in place. No room for evaluation.

Top SIEM tools such as HP Arcsight, McAfee ESM, and IBM QRadar.

What other advice do I have?

Either operating this solution in-house or reselling. First, outline all your data sources. Give more priority to the assets you want to protect.

Event source type and versions will be key.

Additional useful features:

  • Easy to integrate common data sources.
  • User friendly GUI.
  • Basic SQL rule syntax.

We are using RSA Security analytics version 10.6.3.2 and upgrading to 10.6.4 in mid-September. NetWitness suite v11 is due in October as a major upgrade.

Disclosure: My company has a business relationship with this vendor other than being a customer: Partner and reseller.
SrManagee3c6 - PeerSpot reviewer
Sr Manager InfoSecurity at a healthcare company with 10,001+ employees
Real User
Overly complex and requires an army of people to keep it going
Pros and Cons
  • "The most valuable features are its ingestion of logs and raising of alerts based on those logs."
  • "I'd like to see improvement in its ease of use. It's basically unusable. It's overly complex."

What is our primary use case?

We don't have a primary use case. There are many use cases that we have defined based on business needs.

What is most valuable?

The most valuable features are its

  • ingestion of logs 
  • raising of alerts based on those logs.

What needs improvement?

I'd like to see improvement in its ease of use. It's basically unusable. It's overly complex.

What about the implementation team?

We used RSA as our consultants. Our experience with them wasn't the most productive. We also have various other consultants in to help as well. Their ability to configure this particular platform is limited because it's such a complex product. There are so many classes you need to take in order to be proficient at it. There are so few people on the planet who can do it. You need an army of people to keep this thing going.

What other advice do I have?

It's supposed to help our security program maturity. Has it? I think that's another question.

I rate this product at three out of ten. It is overly complicated. It has taken years to implement and the return on investment just isn't there.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
Team Leader & Head of MSSP at We Ankor
Real User
It alerts anomalies on the network. But, we have encountered issues with unresolved crashes.
Pros and Cons
  • "It gives the ability to investigate into network traffic in the Net and the organization what we couldn't do before."
  • "We have encountered issues with unresolved crashes."

What is our primary use case?

We use it as a network tool to alert any anomalies on the network.

What is most valuable?

It gives the ability to investigate into network traffic in the Net and the organization what we couldn't do before.

For how long have I used the solution?

One to three years.

What do I think about the stability of the solution?

The product continues to crash. Even with tech support help, it does not resolve itself.

How are customer service and technical support?

Yes, we have had extensive use of tech support and they have not been as helpful as we would have liked. We had the crashing issue, and we had special sessions with tech support. The UAE representative and the IR response team were both on our site, and they could not understand why the system crashes. They configured the rules and then it crashed again. It is quite frustrating.

Which solution did I use previously and why did I switch?

The packet has a model that is called the extracting and it doesn't really work that well. Usually, it crashes and the re-issue improves it because it is one of the main functions that we use and it doesn't work properly.

How was the initial setup?

It was very hard to implement. After implementation, we found we had to revise everything. With the help of support, we eventually managed to stabilize it. But it took a full year to do so.

Which other solutions did I evaluate?

The only other solution similar to this is Solera and I do not think our organization will be switching to that. 

Disclosure: I am a real user, and this review is based on my own experience and opinions.
reviewer1591461 - PeerSpot reviewer
Product Manager at a tech services company with 11-50 employees
Reseller
Top 5
Provides a comprehensive trace investigation with the packet capture feature
Pros and Cons
  • "The packet capture aspect of it is a valuable feature because it is quite different from a traditional SIEM solution that only carries out investigations based on captured logs."
  • "There are instances where you try to run the reports and then it does not give you the desired outcome."

What is our primary use case?

The customer that we work with uses it to gather logs from all the devices in their enterprise so that they have that single point of visibility into trace information in the environment.

What is most valuable?

The packet capture aspect of it is a valuable feature because it is quite different from a traditional SIEM solution that only carries out investigations based on captured logs. So, the capture packet also gives you specific insight into what's going on in the network, and it makes your trace investigation much more comprehensive.

The user interface is fine.

What needs improvement?

The reporting aspect could be improved. There are instances where you try to run the reports and then it does not give you the desired outcome. At times, it appears as if the reporting feature might be buggy.

You want to actually follow the trends and see how technology is advancing. I think they've done that with regard to security orchestration, automation, and response. However, I think that they could do better with the automation and response.

For how long have I used the solution?

We have been selling RSA NetWitness Logs and Packets (RSA SIEM) for 18 months now.

What do I think about the stability of the solution?

It is stable.

What do I think about the scalability of the solution?

This solution is scalable.

How are customer service and technical support?

Technical support has been quite a challenge. There are instances where you reach out to support, and the initial response is fast. When they get to experience what the problem is, we would expect them to be able to fix it on time, but then, we'd notice that there could be quite a lot of back and forth with customers in trying to get an issue resolved.

This is a situation where you have other solutions plugging into this one, so there are times when the issue being experienced has to do with another solution. So there are problems with accepting responsibility.

In general, I would rate them at 70% on technical support.

How was the initial setup?

I've not been involved in initial setup, but I've seen upgrades. I think it's quite straightforward.

What's my experience with pricing, setup cost, and licensing?

From a pricing perspective, I wouldn't say it's too expensive because recently, they came up with a good plan that would also work for small enterprises.

At the early stage, it was quite appliance-based, but now you have virtual machines that take away the appliance cost for customers. So, price wise, it is fair compared to the cost of other SIEM solutions.

What other advice do I have?

It's a comprehensive SIEM solution. The packet capture feature is one thing that will be very beneficial for all accounts because it gives you that general visibility into what's going on even on your network. It's a great product, and I would rate it at eight on a scale from one to ten. It's way ahead of the others. 

Disclosure: My company has a business relationship with this vendor other than being a customer: Reseller