What is our primary use case?
We use this solution to detect indicators of compromise, where incidents that occur are analyzed and given risk scores. For example, if the endpoint is of high risk, then it will be indicated in red. By contrast, if it's of low risk, then it will be indicated in green. The scoring criteria are what we call the Indicators of Compromise.
The overall goal is to detect malware that is affecting the endpoints and then provide a response. It is often used by banks and telecom companies.
What is most valuable?
The incident response is very good.
When you are searching for malware, you can easily decrease the endpoints to narrow the search and find it. Examples of endpoints can be servers or laptops, each with different operating systems. This solution allows us to locate the malware in real-time.
I like the performance. It can detect signatureless malware, which many perimeter control and antivirus solutions cannot do. It is helpful for discovering unknown malware and it is so lightweight that you don't even notice that it is installed in your environment. It doesn't load the network and it uses less bandwidth than some other products.
The reporting is perfect and I haven't seen any problems with it.
RSA can easily integrate with third-party applications like Rapid7. All of the documentation for integration with other platforms and other vendors is available. The API makes integration even easier.
What needs improvement?
I would like to see Security Orchestration and Response Automation (SOAR) integration. This way, if there is an endpoint that has been compromised, you don't have to go about repairing or blacklisting it manually. Ideally, the system can have its own intelligence so that it can perform automated tasks without human intervention.
One of the drawbacks of using this product is that when you deploy, you have to create MSI files. These files have to be created for different operating systems, which means that you have to be conscious of which ones exist in your environment. For example, if you have Linux, MacBooks, and Windows machines, then you have to have MSI files created for each of them. Ideally, a single MSI file would be created to support deployment on any of the supported operating systems.
For how long have I used the solution?
I have been working with RSA for more than four years.
What do I think about the stability of the solution?
This product is very stable. It gives you real-time data if there's an endpoint being compromised. It is not a heavy platform.
What do I think about the scalability of the solution?
NetWitness Endpoint is very scalable.
How are customer service and technical support?
The technical support from RSA is 100%. They are available 24/7 and I am very satisfied with them.
How was the initial setup?
The initial setup is straightforward.
What about the implementation team?
I was working with another technical consultant and the two of us made up the team that implemented this solution. The last project that I was working on was larger in size and spanned over a two-month period. For the RSA NetWitness Endpoint component, it took between five and ten days to deploy, which included documentation.
One consultant is all that is needed to deploy it, as long as they understand the expectations held by the customer.
What's my experience with pricing, setup cost, and licensing?
This is not an expensive product. The cost depends on the number of endpoints that you want to monitor, but it is not expensive.
Which other solutions did I evaluate?
There are several SIEM technologies that are available but one advantage of using RSA NetWitness is that you don't have to outsource the EDR component. It comes as part of the platform. This is in contrast to solutions like IBM QRadar, where you have to outsource the EDR.
In a further comparison with QRadar, it doesn't give accurate results because there are a lot of false positives.
What other advice do I have?
This is a product that I recommend. My advice for anybody who is implementing it is to make sure that they have somebody who understands it very well. Having somebody who will configure it properly is the right way to have it generate the output that you want.
Also, you have to make sure that all of the endpoints are up to date. They have to be online all of the time so that you're able to have visibility on any compromises that may happen. If an endpoint is instead offline, it becomes difficult to investigate or to monitor compromises or malware.
I would also suggest deploying a virtual environment. By doing so, it can be cloud-based, and what you need to do is called Event Source Onboarding. This is the process whereby you are providing the consultant with the events that you want to collect data from.
In my opinion, this is the best platform worldwide, and I am happy with it.
I would rate this solution a ten out of ten.
Which deployment model are you using for this solution?