Information Technology Security and Infrastructure Expert at a government with 201-500 employees
Real User
Top 20
2024-03-14T12:54:04Z
Mar 14, 2024
From an improvement perspective, the NetWitness Platform needs to release new features and improve in areas like log correlation. The tool needs to have easier integrations with the cloud. Building a parser should be made easier in the tool. The tool needs to have easier integrations. The tool needs to have the extra log-related suggestions. The platform and UI should be easier to use.
It is quite tedious to make changes in the playbooks. There could be an option to integrate or adapt AI and machine learning for our threat-hunting solution. It should have a monitoring feature. It would help us analyze the current state of attacks faster from a single platform.
Head of Information Security, Cyber Defense and IT Risk Management at HCT, a transportation company with 201-500 employees
Real User
Top 20
2023-08-21T14:57:14Z
Aug 21, 2023
A big problem with the product is that we don't have much professional experience in Israel installing, implementing, and integrating this product. There is not enough of a knowledge base. There is no support for this product in this country, so problems have to be resolved through global technical teams. We like to work locally because of the language, and when the product is only supported outside the country, it's a little difficult to implement and use this product. Moreover, AI is something that must be added immediately. Artificial intelligence is a part of the competitors' products, and it's not been implemented for us.
Senior Assistant Vice President at a financial services firm with 1,001-5,000 employees
Real User
2022-07-27T13:36:00Z
Jul 27, 2022
Sometimes, it gives me static when integrating Windows-based systems. It should produce a precise log of sorts as to where the problem is. For example, a few days ago because of the McAfee application firewall, I couldn't get access to the particular Windows machine. So, my team and I had to figure out by ourselves that there was a virus responsible for the obstacle. This solution should trigger a meaningful log or message indicating the reason the user or implementer can't get into the machine. The workflow is not smart enough. For example, if I'm monitoring or analyzing log events and alerts from the SIEM system, it has to be reviewed by the person responsible for this in the organization. So, the review should be automated and should be signed off per the FR-ISO 27001 control requirement. This is lacking in RSA NetWitness Logs and Packets (RSA SIEM). This is also the case with PCI-DSS compliance because we are in the banking industry. The most iconic disadvantage of the solution is that I cannot tag my asset by my name. There should be a portal or a photo where I could check the applicant name. Whatever asset it discovers, it takes only the IP address. If it gets it from Active Directory, then it gets only the host name, which is not actually meaningful to an analyst. There should be a way to tag a name manually so that it can be mapped later to the actual machine, besides the machine I'm investigating on. RSA NetWitness Logs and Packets (RSA SIEM) does not have SOAR, and we have to do it manually. SOAR is a new concept that is still in development.
Manager at a comms service provider with 10,001+ employees
Real User
2022-06-23T13:07:12Z
Jun 23, 2022
RSA NetWitness Logs and Packets can improve the threat level aspect; it is lacking compared to other solutions. Whenever any hacking activity or any other threat factor occurred, they used to provide the coverage very fast when compared with RSA NetWitness Logs and Packets. I heard this about the other three solutions from a discussion with my team members who had experience with other solutions; they used to say that. Whenever any issues happened across the globe, RSA NetWitness Logs and Packets was a little bit slow in improving those detection mechanisms.
Presales Manager at a tech services company with 51-200 employees
Real User
2022-05-15T16:58:14Z
May 15, 2022
If we have the ability to run a dynamic analysis through malware in the same suite, it would be great to have a sandbox solution to analyze malware through dynamic analysis. NetWitness has a malware appliance, but in terms of dynamic analysis, we need to integrate with 30 vendors. It would be great to have a sandbox produced by the RSA and the SSL appliance also.
IT manager at an agriculture company with 10,001+ employees
Real User
Top 10
2021-10-22T10:54:03Z
Oct 22, 2021
The solution should have more integration capabilities with different platforms. The API is nearly open and scalable, so the solution can integrate with many platforms. The solution has more than 200 log sources in the scalability to support, but this is its limit. Installation is pretty easy. However, there are a couple of modules involved, so it is not as easy as it could be. We are talking about a distributed module, not a single-module type. This is what makes things a bit complex, instead of easier. I rate it as a seven out of ten on its installation and configuration capabilities.
We are designing reports and automated rules and processes. We are defining them in relation to this product. With the help of automated rules and processes, this product will help the team when they go to production to do operations smoothly, as, most of the time, when you put manual interference into such systems, it may be delayed. This can lead to vulnerabilities. Sometimes, if a hacker enters the system, he might only have a limited time where there is a window of access; however, in that time, he'll take what he can, and even if the vulnerability only lasted for a few minutes, in that time, items can get stolen. Therefore, there needs to be more proactivity to avoid any downtime. We're adding automation tools to help RSA NetWitness so that if anything happens, RSA can immediately shut anything down. We're in the process of configuring them and adding them in. The initial setup is complex. There are solutions that are easier to implement.
Solution Specialist at a tech services company with 11-50 employees
Reseller
Top 20
2021-06-02T19:36:43Z
Jun 2, 2021
The reporting aspect could be improved. There are instances where you try to run the reports and then it does not give you the desired outcome. At times, it appears as if the reporting feature might be buggy. You want to actually follow the trends and see how technology is advancing. I think they've done that with regard to security orchestration, automation, and response. However, I think that they could do better with the automation and response.
Associate Manager Human Resources at a financial services firm with 1,001-5,000 employees
Real User
2020-10-30T14:43:26Z
Oct 30, 2020
More customizability is required, which is something that they need to improve on. When it comes to starting a log event, there are not many options available. It is very limited. The log and event correlation need improvement. The threat detection capability should be enhanced.
Security needs improvement. We would still like to know how the traffic is entering the organization. We can find out, but it will take time before we know, leaving the organization vulnerable to attack. There is no SIEM tool in the world that can provide 100% security.
IT and Cybersecurity Professional at a financial services firm
Real User
2020-06-18T05:17:44Z
Jun 18, 2020
The SOAR (security orchestration, automation, and response) component has areas for improvement. Technical support needs to be improved. Integration with third-party products for industries such as the banking sector, or telecommunications, presents challenges that require help from the OEM. Lots of competing products have vulnerability protection built into their products, and this solution would be improved by including that support.
Information Security Analyst at a tech services company with 11-50 employees
Real User
2020-03-19T13:00:53Z
Mar 19, 2020
The user interface is a little bit difficult for new users and it needs to be improved. It takes a lot of time to register when compared to other solutions.
RSA Specialist at a computer software company with 1,001-5,000 employees
Real User
2020-01-12T07:22:00Z
Jan 12, 2020
The documentation is not as structured as I would like, personally, and I think that it can be improved and made much more user-friendly. I may see it differently than other people. I would like to see a little question mark beside each button that you can click and find out what that button is for. It would make it much easier for people who are new to the solution. Like a pop-up appearing when hovering over the question mark, attached to each main action and split into branches.
Senior Cyber Security Specialist at HCL Technologies
Real User
2020-01-09T06:15:00Z
Jan 9, 2020
The alert dashboard is not reflecting events in real-time. We have to refresh in order to view an alert in real-time. Log aggregation is an issue with this solution because there are a huge number of alerts in a single instance. Compared to ArcSight or QRadar, this is a problem.
Information Technology Security Architect at a financial services firm with 5,001-10,000 employees
Real User
2019-08-25T05:17:00Z
Aug 25, 2019
The web interface needs improvement because right now they have problems combining an older interface with a newer interface. They're in the middle of the process of combining the old and the new one. It sometimes confuses the user and sometimes you are not able to find the necessary information. You need to click the information and that is something that should be improved. The data isn't a problem but you need to get used to it. You need to know where to click in order to get the results. Otherwise, you can encounter some problems. I would be very happy if they would fix all the issues from 11.3 to the 11.4 version to have more advantages from the UEBA because the UEBA we have implemented will be the longest. If they will fully integrate the UEBA with the network data, this could be a very huge advantage and impact on the market. Right now, you have a solution like Darktrace which has the same capabilities as RSA NetWitness so NetWitness should implement the same things. They have UEBA, they have data. They should implement algorithms to digest that data and produce additional, more advanced reporting, alerting and support of internal security teams.
The solution would be greatly improved by unifying the management to one configuration option. One of the problems the system had is that you always have to choose the managed host. For example, if you want to write a rule, you have to duplicate it across your managed hosts. It should have centralized management. If you want to make a change then it should be configured automatically, so that you don't need to go one by one, changing it. That is really annoying. Another problem is that the EPL (Event Processing Language) is not properly explained, and the expert could not even use it when they came to our site. It was causing the system to crash, so they should really consider using something else. The system looks like it is a mix of a bunch of different systems, and nothing looked like it was quite together. I think that it could be better integrated, and it would be great for new customers or even existing customers.
IT security specialist at a comms service provider with 201-500 employees
Real User
2019-02-11T08:11:00Z
Feb 11, 2019
I would like for them to incorporate IPS. Only the monitoring detects abnormal behavior so we'd like to see IPS. I would like to see a dashboard include PAM so that it's a one-stop shop.
NetWitness Platform is an evolved SIEM and threat detection and response solution that functions as a single, unified platform for ALL your security data. It features an advanced analyst workbench for triaging alerts and incidents, and it orchestrates security operations programs end to end. In short: NetWitness Platform is all you need to run an intelligent SOC.
They should improve the solution's user interface and make it easier to understand.
The log system is a bit complex and has room for improvement.
I believe they could improve their support, there are often delays. The price of the solution could be reduced, it's very costly.
It is not so easy to customize this product. This product would be improved with the addition of machine learning functionality.
The initial setup is very complex and should be simplified. We had some trouble integrating with our Check Point firewall.
I'd like to see improvement in its ease of use. It's basically unusable. It's overly complex.
The implementation needs assistance.