Manager, IT Security Operations at a non-profit with 11-50 employees
Real User
2022-09-23T08:47:44Z
Sep 23, 2022
I have no real complaints about the solution. Threat detection could be better. They need to enhance their threat intelligence feeds. We would like to have more IOCs or more trade intelligence to not only rely on the intelligence of the engineer in charge but to have some threat intelligence and some seeds of IOCs and to have the host have some artificial intelligence to reduce the number of false positives. I don't see this solution being very scalable. The solution is pricey.
Senior Cyber Security Analyst (SAFe Agile) at a transportation company with 1,001-5,000 employees
Real User
2022-08-11T09:05:54Z
Aug 11, 2022
NetWitness Endpoint's blocking feature does not work properly - if there's a malicious process, it's not possible to kill it via a custom rule unless and until it's flagged as malicious. For example, if you put IOCs in the form of hashes, it's not possible to block those IOCs - the system will alert you, but they can't be blocked. In the next release, NetWitness Endpoint should include regular expressions for blocking processes and sub-processes, the ability to block IPs, and scalability and integration with the ServiceNow platform or other ticketing solutions.
Security Information and Incident Handling at a financial services firm with 501-1,000 employees
Real User
2022-05-21T05:03:16Z
May 21, 2022
The solution doesn't have a reporting engine which would be helpful. I've also found that the UI times out too quickly and you have to close and reopen. It should allow for a longer session time.
The problem with this product is that it's a bit slow. I am not very happy with this product. In the past, I have worked with a different tool, which was only maintaining a log, but I found that solution much better than NetWitness. It is not properly configured yet. One part of this product that needs to be improved is the log passing. Often, it doesn't work or logs go missing. There are many licensing complications as well.
Its price could be improved. It is an expensive product. Its training is also too expensive. It would be great if they can have a better pricing scheme for the training.
I would like to see Security Orchestration and Response Automation (SOAR) integration. This way, if there is an endpoint that has been compromised, you don't have to go about repairing or blacklisting it manually. Ideally, the system can have its own intelligence so that it can perform automated tasks without human intervention. One of the drawbacks of using this product is that when you deploy, you have to create MSI files. These files have to be created for different operating systems, which means that you have to be conscious of which ones exist in your environment. For example, if you have Linux, MacBooks, and Windows machines, then you have to have MSI files created for each of them. Ideally, a single MSI file would be created to support deployment on any of the supported operating systems.
CEO & Founder at a tech services company with 1-10 employees
Real User
2020-02-02T10:42:05Z
Feb 2, 2020
When analyzing something, you have to click several times. It requires a lot of effort to find something. The sole purpose of NetWitness is to find text easily, so this is an area that needs to be improved. The scalability needs improvement, but I think that it is technically difficult. This is a complex tool to use. In the next release, if they could include a detection feature or improve the detection then I would like it better.
At the moment the solution is working perfectly. I would, however, like to see an improvement in the interface. The only challenge that I see is when you access it through the VPN, you can't always use the interface because it's slow to respond. When you're on-site, however, it works perfectly. I also think that they should adopt multiple identifications in the long run, as well as a web-based graphical interface for the data.
Account Manager at a tech services company with 11-50 employees
Real User
2018-07-04T06:10:00Z
Jul 4, 2018
The solution is modular. For example, you can buy the RSA ePack, which you buy as a module that is not part of the conduit solution. They could include it and have it as an all-in-one solution. However, customers understand the model, so they buy the modules and put them together.
Using a centralized combination of network and endpoint analysis, behavioral analysis, data science techniques and threat intelligence, NetWitness NDR helps analysts detect and resolve known and unknown attacks while automating and orchestrating the incident response lifecycle. With these capabilities on one platform, security teams can collapse disparate tools and data into a powerful, blazingly fast user interface.
We would like to see the hunting and investigation features of this solution improved, in order to provide better visibility of issues.
RSA NetWitness Network could improve its integration with non-native applications.
The threat intelligence could improve in RSA NetWitness Endpoint.
The contamination feature could be improved.
This solution needs an upgrade in reporting. I have heard from RSA that they are working on this, but as of yet it is not available.