NetWitness Platform provides seamless threat intelligence integration and robust log/packet ingestion. It enhances network visibility and incident management through automated threat detection, ideal for enterprises seeking scalability and security intelligence.
| Product | Mindshare (%) |
|---|---|
| NetWitness Platform | 1.1% |
| Splunk Enterprise Security | 6.8% |
| Wazuh | 4.8% |
| Other | 87.3% |
NetWitness Platform has proven to be financially beneficial for users. Many have reported positive returns on investment, indicating that the platform has helped them achieve their desired outcomes.
NetWitness Platform offers a comprehensive suite of tools designed to tackle security challenges within Security Operations Centers. It integrates data from endpoints, networks, and other sources, ensuring in-depth security analysis. By supporting features like XDR and UEBA, it grants a unified view of security events. Its capabilities extend to threat hunting, malware analysis, and network forensics, assisting organizations in managing incidents, ensuring compliance with regulations like GDPR, and detecting cyber threats. Users appreciate its ease of deployment, flexibility, and threat prediction capabilities, although improvements in integration, documentation, and AI are desired.
What are the key features of NetWitness Platform?

In finance and health sectors, NetWitness Platform aids significantly by providing comprehensive threat analysis, ensuring compliance, and facilitating rapid incident management. Enterprises in these industries benefit by maintaining robust security postures and meeting regulatory demands.
NetWitness Platform was previously known as RSA Security Analytics.
| Author info | Rating | Review Summary |
|---|---|---|
| Head of Information Security, Cyber Defense and IT Risk Management at HCT, a transportation company with 201-500 employees | 3.5 | I use the NetWitness Platform as a key SIEM solution for my company, particularly because it excels in rule creation. However, its lack of local support and AI features hinders ease of implementation and operational flexibility in Israel. |
| Information Technology Security and Infrastructure Expert at a government with 201-500 employees | 3.5 | I primarily use NetWitness Platform for packet and log analytics, but I find it lacks valuable features and has stagnated over the past years. It needs improved log correlation, better cloud integration, and enhanced usability. I'm considering alternatives like Splunk and Sentinel. |
| Security Analyst at HeiTech Padu Berhad | 3.5 | I find NetWitness Platform's user-friendly interface and threat intelligence integration valuable, but making changes to playbooks is tedious. Enhancing AI, machine learning capabilities, and adding a monitoring feature would improve threat analysis and response efficiency. |
| CISO at One Bank Limited | 3.0 | I use the NetWitness Platform for incident management and find it valuable for enhancing incident workflows. However, the user interface needs improvement to enhance usability. Currently, no other solutions or cloud providers have been considered or previously used. |
| Senior Assistant Vice President at a financial services firm with 1,001-5,000 employees | 2.5 | I find RSA NetWitness easy to implement, consolidating security logs for correlation. However, it struggles with Windows integration error logging, lacks asset tagging and SOAR, and needs better workflow automation for compliance, which impacts my rating. |
| Manager at a comms service provider with 10,001+ employees | 4.0 | I value RSA NetWitness for its alerts and correlation tools in monitoring. However, its threat detection speed, scalability, and occasional stability issues require improvement, making it feel somewhat outdated compared to newer solutions. |
| Solution Architect at NASK | 5.0 | I find the NetWitness Platform valuable for its unified approach to security monitoring, especially in large company SOCs, offering simultaneous data collection and analysis. However, its licensing is complex, and careful evaluation is needed to compare it with alternatives. |
| Director at ST | 4.0 | I appreciate NetWitness Platform's comprehensive security monitoring, including full network captures, and its stability. However, the initial setup is complex, and integrating with other products needs streamlining. Despite this, customer service is great, and I rate it 8/10. |
| Security Analyst at Sogei | 4.5 | We have been using the RSA SIEM with the NetWitness Platform for a long time, primarily valuing its hunting ability within a CERT. However, the log system is somewhat complex and could benefit from improvement. |
| Senior consultant Cybersecurity | 3.0 | I find RSA NetWitness user-friendly for use case development, but it lags behind competitors in threat detection and UI. Upgrades are unstable, and customer support lacks expertise, leading me to rate it 6/10. |
It is an SIEM solution used regularly as a part of the SOC to collect data from all the security environments in my company.
A big problem with the product is that we don't have much professional experience in Israel installing, implementing, and integrating this product. There is not enough of a knowledge base. There is no support for this product in this country, so problems have to be resolved through global technical teams. We like to work locally because of the language, and when the product is only supported outside the country, it's a little difficult to implement and use this product.
Moreover, AI is something that must be added immediately. Artificial intelligence is a part of the competitors' products, and it's not been implemented for us.
I rate NetWitness Platform's stability an eight or nine out of ten.
I rate NetWitness Platform's scalability a six out of ten.
Technical support is not available locally in Israel. We're using support from outside. It's global technical support from the vendor and is available 24 hours a day. However, the escalation is very slow. It depends on the kind of situation we're in. If it's a full-dimension situation where we have malfunctions that stop processes, the issue can be escalated very fast. We can get support immediately with the service-level agreement we have. But if we have any questions about using the system, feature requests, or some knowledge, it can take a lot of time, and it's not something we can get from the vendor.
I rate the initial setup a five out of ten since the solution had to be implemented twice. It took more than half a year to deploy the solution. Some of the processes were set up with the first implementation very fast. However, the implementation was insufficient to use the solution with all the needed coverage. All the customizations and integrations can take a few months, and it's a long process.
The steps taken to deploy NetWitness Platform are like with any other product. We had to plan whether it was a low-level or high-level design. We had to see the scope of work for implementation, including all the integration processes and data connections.
The supplier's knowledge base was less on the integration side, so the solution had to be done twice.
The number of people needed to deploy the solution depends on whether the person has the needed experience, knowledge, or skill sets. If they do, the setup will be fast. But sometimes, people have limited information or knowledge from something special they focused on, so the number of people needed for deployment depends on the situation. By design, the solution can be implemented by one person.
The tool is very expensive, so I rate the pricing a ten out of ten. The solution has an annual subscription.
NetWitness is a part of the cybersecurity solutions we use today, but it's not the only one. We use many different solutions, such as Splunk and QRadar. The product is an SIEM solution, and we use SIEM solutions from different vendors for different needs on different sites.
We don't have all the features we thought were a part of the solution. We need to do many things manually to customize the solution for the customer's needs. By the book, we don't have enough to connect the product to all the systems with some inputs based on machine learning or all the new algorithms like artificial intelligence. The customer must know all these before installing this product. We need community knowledge for new products that tell us what has to be added after a few installations. The setup, then, can be very fast, and all the knowledge for integration with other components and the company's infrastructure can also be very fast because the solution is best-of-breed and third-party. It's not proprietary for special companies and corporations. In the context of product implementation, everything is very slow and must be done manually and not integrated automatically into the product. We need to know what we will do, how we will monitor the overall system, what kind of events we want to collect from the system, and what type of layout we want to provide through the system to alert about incidents or some type of situation. The customer manually processes all this. It's not like we deploy the product and get all this information and all these capabilities in one coverage of the solution.
Before choosing the NetWitness Platform, find the best integrators with professional experience implementing and deploying this product in other companies. The product has many features and coverage but needs professional integration and implementation.
I would rate NetWitness Platform an eight, but since it depends on the installation, I rate the solution a seven out of ten.
I use the solution in my company for packets mainly and log analytics.
I don't really see any valuable features in the product. I feel that it is time to move away from NetWitness Platform. All SIEM tools have to deal with advanced use cases, and many of them are getting upgrades, but this is not the case with NetWitness Platform. NetWitness Platform has remained the same for almost four to five years. The support and RMAs offered by the product in our region have also become very bad.
From an improvement perspective, the NetWitness Platform needs to release new features and improve in areas like log correlation. The tool needs to have easier integrations with the cloud. Building a parser should be made easier in the tool.
The tool needs to have easier integrations. The tool needs to have the extra log-related suggestions. The platform and UI should be easier to use.
I have been using NetWitness Platform for eight years. My company is a customer of the tool.
I rate the technical support a six out of ten.
The product's initial setup phase was not at all difficult. The tool's upgrades and moving from old hardware to new hardware are difficult and time-consuming. If you have any hardware failures, as per the RMA offered by the tool, it takes a very long time to get some after-service. The product has not been working well in my region recently.
The product price was reasonable for my region and the market.
My company has a hybrid environment. I have looked at other products like Splunk and Sentinel. I am still looking around for other solutions in the market. In my company, we are having discussions to move to some other solution.
My company has had many benefits from the use of the product in the last eight years.
The tool has streamlined our company's incident response process since it serves as a log repository, which allows us to correlate events and access different technology stacks. In our company, we were able to actually find some potential attacks, so it has been very helpful.
The tool's integration capability isn't so great. In my company, we managed to integrate it with our Microsoft Azure Subscription, after which we managed to integrate it with other tools. You will face a lot of difficulties if you want to integrate it with your database monitoring tool, PAM solutions, or IAM products.
The product has done well overall for my company's teams to deal with their workflow efficiency.
I would not recommend the product to others.
I rate the tool a seven out of ten.
The product has a user-friendly interface and a valuable feature for threat intelligence integration.
It is quite tedious to make changes in the playbooks. There could be an option to integrate or adapt AI and machine learning for our threat-hunting solution. It should have a monitoring feature. It would help us analyze the current state of attacks faster from a single platform.
The product is stable. I rate its stability a seven out of ten.
We have ten end users as our customers, including small & medium enterprises using NetWitness Platform. I rate its scalability a five out of ten.
The deployment takes around two weeks to complete. Fine-tuning takes a longer time. I rate the initial setup a six out of ten.
The product is expensive. I rate its pricing a seven out of ten.
For small to medium-sized organizations, NetWitness Platform will be a suitable option. Most enterprises or larger organizations will likely choose a different platform because NetWitness Platform is no longer listed in Gartner. Additionally, the pricing is too high and is not competitive with Splunk and other products. It is relevant, but they need to set up or hire someone to help them compete with similar products like Slack, QRadar, or Palo Alto. Overall, I rate it a seven out of ten.

We use the solution for incident management. We are working on making the incident workflow smarter. So, the solution helps us there.
The solution's most valuable feature is incident management.
They should improve the solution's user interface and make it easier to understand.
We have been using the solution for a year.
It is a stable solution, and I rate its stability as a seven.
We are four to five users of the solution in our organization. It is scalable but depends on the storage capacity of the servers it is deployed on. I rate its scalability as a seven out of ten.
The solution's technical support could be better. We still have many issues, including database management issues, unresolved.
The solution's initial setup takes work. We have to organize multiple paths and many features.
The deployment process takes less than a week. But it takes a month to complete if we want to make the solution smarter by integrating it with various devices. I rate the process as a six out of ten.
We implement the solution with the help of our in-house team and vendor. The integration and maintenance processes require four executives to complete them. They include an admin executive, a security analyst, and engineering managers.
I rate the solution as a six out of ten.
Overall, it is easy to implement.
I can have enterprise security, email security, next-generation firewall security logs, HIDS and NIDS logs, etc., all on the same dashboard. It makes it easy to pinpoint or correlate our server to this. I can find out if there is lateral movement. This is the biggest advantage of this solution.
Sometimes, it gives me static when integrating Windows-based systems. It should produce a precise log of sorts as to where the problem is. For example, a few days ago because of the McAfee application firewall, I couldn't get access to the particular Windows machine.
So, my team and I had to figure out by ourselves that there was a virus responsible for the obstacle. This solution should trigger a meaningful log or message indicating the reason the user or implementer can't get into the machine.
The workflow is not smart enough. For example, if I'm monitoring or analyzing log events and alerts from the SIEM system, it has to be reviewed by the person responsible for this in the organization. So, the review should be automated and should be signed off per the FR-ISO 27001 control requirement. This is lacking in RSA NetWitness Logs and Packets (RSA SIEM). This is also the case with PCI-DSS compliance because we are in the banking industry.
The most iconic disadvantage of the solution is that I cannot tag my asset by my name. There should be a portal or a photo where I could check the applicant name. Whatever asset it discovers, it takes only the IP address. If it gets it from Active Directory, then it gets only the host name, which is not actually meaningful to an analyst. There should be a way to tag a name manually so that it can be mapped later to the actual machine, besides the machine I'm investigating on.
RSA NetWitness Logs and Packets (RSA SIEM) does not have SOAR, and we have to do it manually. SOAR is a new concept that is still in development.
I've been using this solution for less than a year.
There are a few issues with stability when integrating with Windows-based systems.
It is scalable if the developer wants to scale the solution.
They're prompt enough, but I have seen better technical support. We are still under our local partner. I would give them a rating of six out of ten.
Overall, it is easy to implement.
We have yearly licensing costs. The license fee can be based on the volume of EPS. Some organizations may have, as a gentlemanly gesture, 10,000 EPS and get a 3,000 EPS license but actually use 5,000 EPS.
We had LogRhythm in a POC environment. I did not like it because I experienced a lot of issues with it, and so, I chose RSA NetWitness instead.
There are lots of opportunities to expand this functionality, and it is a wonderful solution. It can compete with Splunk and LogRhythm.
I would recommend RSA NetWitness and rate it at five on a scale from one to ten.
RSA NetWitness Logs and Packets are used exclusively for monitoring scenarios, insider threat analysis, and log retention.
The most valuable feature of RSA NetWitness Logs and Packets are the alerts and correlations tools.
RSA NetWitness Logs and Packets could improve the threat-level aspect; it is lacking compared to other solutions. Whenever any hacking activity or any other threat factor occurred, the other solutions used to provide coverage very fast compared with RSA NetWitness Logs and Packets. I heard this about the other three solutions from a discussion with my team members who had experience with them; that is what they used to say. Whenever any issues happen across the globe, RSA NetWitness Logs and Packets is a little bit slow in improving those detection mechanisms.
I have been using RSA NetWitness Logs and Packets for six years.
Some of the RSA NetWitness Logs and Packets versions are not stable. Whenever they released upgrades, we faced some issues.
The scalability could improve. RSA NetWitness Logs and Packets have some limitations in the on-premise sizing. It requires more workers to procure the hardware. It is time-consuming.
The solution is only being used by our security operations team of approximately 10 to 15 people.
When we have any critical issues we escalate them to the support of RSA NetWitness Logs and Packets.
I rate the support from RSA NetWitness Logs and Packets a four out of five.
We were using RSA Ticket Analytics and now we are using RSA NetWitness Logs and Packets.
The initial setup of RSA NetWitness Logs and Packets is not complicated; it is easy for us. However, there are some sizing limitations.
We did the implementation of RSA NetWitness Logs and Packets in-house. We have not had any issues with maintenance.
RSA NetWitness Logs and Packets does not have a subscription model; it's a one-time purchase. There is only a perpetual license.
When compared with cloud security solutions, RSA feels outdated. I would advise others, before choosing RSA NetWitness Logs and Packets, to do a POC, and later they can make the purchase if it fits their needs.
I rate RSA NetWitness Logs and Packets an eight out of ten.

The primary use case for the NetWitness Platform is within large companies, particularly in their internal security operation centers (SOCs). They utilize the platform for block collections from the entire company, including subsidiaries, enabling comprehensive security monitoring and analysis. It supports functions such as collections and correlation. Additionally, some licenses may include XDR capabilities. NetWitness stood out for many customers as it was one of the first solutions to collect blocks from endpoints, networks, and logs simultaneously, providing a unified view of security events.
The most valuable feature of the NetWitness Platform, as I've found through occasional engagements, is its Total Customer Ownership (TOC) approach. It encompasses having a unified engine and database where all collected information, including logs, network traffic, and endpoint data, is correlated and analyzed. This centralized database enables efficient analysis and correlation of security events aided by artificial intelligence algorithms. Additionally, customers can develop custom parsers to integrate new data sources into the database, enhancing its speed and reliability.
The product's licensing models are complex to understand. This particular area needs improvement.
I have been using NetWitness Platform for seven years.
My experience with customer service and support for RSA NetWitness has been positive overall. I know individuals who are specialists in the field and attend meetings organized by RSA. These specialists support customers, including those whose partners or companies sell and implement NetWitness at their sites. Despite the cost, it has a strong reputation. I have received helpful assistance from technical support when needed, such as accessing restricted areas on their website or technology database. Even in complex cases, the support team has been attentive and supportive, ensuring I am not left alone with any issues.
Licensing models can be complex and subject to change over time. It provides tools to assist in selecting the appropriate license and usage scenarios. The trend is shifting towards subscription-based models rather than one-time payments.
I previously prepared comparisons between solutions such as IBM QRadar and RSA NetWitness. Having worked for several large vendors, including IBM, I have insights into various security platforms. IBM QRadar, while mature and feature-rich, was behind RSA NetWitness in certain aspects. RSA was among the first to collect data from multiple sources, including live network traffic, endpoints, and logs, offering a more comprehensive approach to threat detection. Both vendors eventually incorporated Extended Detection and Response (XDR) capabilities into their solutions, but RSA was an early adopter. Nowadays, it's challenging to pinpoint significant differences in functionalities among various vendors, as most deliver similar capabilities. Performance and cost considerations may vary depending on the specific use case and hardware infrastructure. Thus, a thorough evaluation is essential when choosing a security platform.
NetWitness can be highly beneficial for incident detection and response. RSA has incorporated Extended Detection and Response (XDR) functionality through collaborations and licensing agreements with other companies.
It integrates well with other tools, boasting over 600 integrations on its website. The list is continuously updated and readily accessible.
Security improvements will vary depending on the combination of integrations. It's essential to carefully assess both the list of available integrations and each customer's specific needs.
I rate it a ten out of ten.

Our solution is utilized by customers to monitor security alerts by ingesting logs from all their assets.
They create correlation rules to identify any potential breaches or hacking attempts and receive notifications through the dashboard.
Customers can use additional features to investigate the incident and take the necessary actions.
Prior to implementing the solution, the customers had no visibility of their assets. However, after adopting the solution, they have gained complete visibility over all their assets, including a comprehensive understanding of the network and attack symptoms. With this knowledge, they can respond to any attack and take necessary actions. Essentially, this case has empowered them with comprehensive network visibility.
In my opinion, the solution's most valuable feature is its capacity to monitor network traffic, logs from devices within the network, and network captures.
This capability extends beyond logs to include full network capturing.
I believe that integrating the solution with other products such as Oracle would be beneficial. However, I suggest that the integration process be streamlined and made more efficient to ensure a smooth experience.
It would be great to have the ability to customize reports in a more user-friendly manner.
This solution is very scalable.
We have contacted technical support. They are available. They have around-the-clock support, and they're very helpful.
I would rate them a nine out of ten. There is always room for improvement.
I have worked with Zscaler and Cisco for four or five years.
I am familiar with Elasticsearch, but I prefer NetWitness Platform as it is specifically designed as a security solution for logs, packets, and endpoints rather than a SIEM-only tool.
The initial setup is complex. It requires some knowledge in order to set it up.
If one is the most difficult and ten is the easiest, I would rate it a three out of ten. It's quite complex.
Initially, we need to prepare the hardware boxes, whether they are physical or virtual or offered as a service. This involves imaging them with the appropriate functions for the module. Then, for network packet capture, the mirror ports must be connected to the packet capture box. Regarding logs, the configuration process involves making NetWitness boxes communicate with each other through the appropriate protocols and ports.
Following this, the next step involves configuring the log sources to send logs to the log box. This process requires the appropriate rules to be configured to initiate log transmission and generate metadata by appropriate parsers on NetWitness. After the setup, the focus shifts to building correlation rules, alerts, and other monitoring activities. These rules and alerts are crucial components for effective monitoring.
The deployment process can vary based on the specific environment and requirements, but typically it takes about one to two weeks to complete.
Maintaining the solution doesn't require a large number of resources. Typically, one or two capable resources are sufficient to maintain the solution effectively.
It's important to continuously monitor and ensure the health and proper functioning of the solution. This involves regularly checking the log sources to ensure that the logs are being ingested correctly and there are no issues such as overutilization or spikes in network traffic.
It is not a cheap product.
The NetWitness Platform may be affordable only for enterprise-level customers, as it may not be within the budget of small and medium-sized businesses.
I would advise taking your time to understand the architecture of the solution, including how the modules communicate with each other and the role of each module. It is recommended to start slowly after gaining this understanding.
I would rate NetWitness Platform an eight out of ten.

We have been using the RSA SIEM with the NetWitness Platform for a long time.
The most valuable feature is the hunting ability to work in a CERT.
The log system is a bit complex and has room for improvement.
I have been using the solution for a few years.
The solution is stable and is able to work with a lot of complex data.
Using the software is straightforward, but configuring it is complex. To achieve the best results, we need to set up the log system. We have an RSA team to integrate the log system with the SIEM.
In comparison to other SIEM solutions such as Splunk, NetWitness is less costly.
I give the solution a nine out of ten.
I recommend the solution to others.
It's a log management solution where we have logs from different sources, like network devices, firewalls, load balancers, IT, application servers, and database servers. We also use it for compliance and governance. Our cyber security team uses it to monitor malicious activity across our IT infrastructure.
The development of use cases on the SSA console is quite user-friendly. This means that the security analyst or the researcher does not have to learn another language.
The threat detection capability and centralizing and upgrading capability need to be improved. The threat alert capability needs to be improved as well because there is some lag time at present. They need to work on their database search too.
I would like to see log storage and threat intelligence features be included in the next release. I would like to see them automate the security incident response.
I've been using it for the past five years.
Overall, RSA NetWitness Logs and Packets (RSA SIEM) is a stable product, but it is very unstable when you have to do updates and upgrades.
It is a scalable solution. Our cyber security team of 15 people uses this solution.
Technical support staff were responsive, but they were not always knowledgeable about the project. They didn't have the expertise. They need to be more knowledgeable about their products. Because of this, I would rate technical support at six on a scale from one to ten.
Implementation is quite easy, and it takes about a week to deploy the solution. On a scale from one to five, with one being the worst and five being the best, I would give the setup process a four.
Compared to the competition, the price is not that high.
I've been using Sentinel and IBM QRadar. They are far better than RSA SIEM from a graphic user point of view and in terms of log integration. Everything is enhanced in these solutions compared to that in RSA.
RSA NetWitness Logs and Packets is far behind the competition. Initially, RSA was the only company focusing on decentralization and automation, but now Microsoft and Google are also in the picture and are investing a lot of money to make their products user-friendly and good for customers from a cybersecurity point of view.
Overall, I would rate RSA NetWitness Logs and Packets (RSA SIEM) at six on a scale from one to ten.