NetWitness Platform Reviews

Full packet capture: A must in an SOC

Possibility to investigate incidents based on logs and raw packets, such as extracting files sent over the network

Built-in Incident Management module for small security/SOC teams

Advanced correlation engine based on metadata flow: Provides nearly real time correlation

Rich reporting options

We can monitor all traffic to/from our company.

It is possible to track end user behaviour.

With RSA NetWitness Endpoint, we are able to monitor not only the network, but also what’s happening on endpoints, i.e., behaviour analytics for processes inside the operating system.

Thanks to this tool, we have a small SOC running in our company.

Integration with external tools should be built-in, such as an external sandbox for files.

We can import data using external feeds, using STIX or CVS files.

The REST API is poor

The system architecture is complex and sometimes it’s hard to troubleshoot potential problems.

RSA should improve backup options and High Availability architecture.

Data is stored on separate components without redundancy. It’s possible to have backup for data, but you have to use an external backup solution.

I have used this product for two and a half years.

The system is stable if you provide enough CPU, RAM, and HDD (IOPS). Sizing should be done by RSA Professional Services or by an experienced partner for Virtual Machines. The hardware is sized well.

There were no scalability issues, but you have to know what you are doing. Proper network deployment is important. Metadata flows are quite big between internal system components. Of course, it depends on how many network packets and logs are logged into the system.

I would give technical support a rating of 8/10. Sometimes you have to wait for an initial response, especially if it’s not a critical problem. But when they start investigating, they do it quite well.

For full packet capture, we had Blue Coat Security Analytics. We switched because in NetWitness, we have everything needed to run a small SOC in our company.(Packets, logs, endpoints, incident management module, correlation, reporting, and investigation available for analysts.)

It’s a very easy product to install, when you know what you are doing. Customers without any experience should cooperate with RSA Professional Services or a partner company. It’s too complex of a product to deploy for someone without experience. It can be done, but the value coming from RSA or a partner is incomparable.

Prepare use cases, i.e., what to do and how.

Collect information about EPS for logs and total bandwidth for packets. This will allow you to properly size the licensing.

Hardware is too expensive in my opinion (Eastern Europe). It’s cheaper to run virtual machines in a VMware environment. (Keep in mind that CPU, RAM, and especially HDD requirements must be matched.)

We had Blue Coat Security Analytics, but we’re an RSA partner so it was natural to use the technology available to us.

• Don’t rush. Prepare use cases for packets and logs as it is a very important part of deployment and future use.
• Use RSA Professional Services or a partner. Don’t deploy alone.
• A basic administration course is a must for all administrators.
• System architecture may be very easy or very complex. Do sizing well with external help.

Our primary use case is for the administration of the internal network.

The detection of ransomware in the internal network has benefited my organization.

The protection that we get from the firewall is the most valuable aspect that we get from this solution.

I would like for them to incorporate IPS. Only the monitoring detects abnormal behavior so we'd like to see IPS. 

I would like to see a dashboard include PAM so that it's a one-stop shop. 

Three to five years.

We were using Splunk. We switched because it's difficult to configure and it demanded too many network resources. 

The initial setup was complex because it took a lot of time to complete the implementation. The deployment took three to six months. We require four people for maintenance.

We have eight users using this solution and plan to increase usage. 

The licenses are good but the cost is very expensive. 

We also looked at IBM QRadar.

I would recommend this solution to somebody considering it. 

I would rate it a nine out of ten.

Our primary use case is for detecting or monitoring the process that we use in devices, servers, or databases.

The manner in which we can manage logs and information is very important for our organization. 

The most valuable feature is the correlation. It can report in real-time and monitor the management. 

The implementation needs assistance.

One to three years.

The stability of this solution is good. 

This solution meets our scalability needs. 

The technical support is good. 

I was not involved in the initial setup of this solution. 

I like to say it has the trifecta:

• Good
• Beautiful
• Cheap.

It is a cheap solution. 

I have found the Security Intelligence most valuable.

Adding Threat Globe and SA(Analytics).

Cross Platform Integration could be improved.

I have been using the solution for more than 8 Years.

No issues with deployment.

No issues with stability.

Yes.

Customer Service: It's good for Enterprise Customer’s.Technical Support: It's good for Enterprise Customer’s.

Since the solution has been under way we have seen a large decrease of threats and proactive reactions to incidents.

This purely is an Enterprise Product and one has to have a defined budget and plan; it’s good to fit Business requirements first, and then go for products.