What is most valuable?
- Full packet capture: a must in a SOC.
- Ability to investigate incidents based on logs and raw packets, such as extracting files sent over the network.
- Built-in Incident Management module for small security/SOC teams.
- Advanced correlation engine based on metadata flow: provides nearly real-time correlation.
- Rich reporting options.
How has it helped my organization?
We can monitor all traffic to/from our company.
It is possible to track end user behaviour.
With RSA NetWitness Endpoint, we are able to monitor not only the network, but also what’s happening on endpoints, i.e., behaviour analytics for processes inside the operating system.
Thanks to this tool, we have a small SOC running in our company.
What needs improvement?
Integration with external tools should be built-in, such as an external sandbox for files.
We can import data using external feeds, using STIX or CSV files.
The REST API is poor.
The system architecture is complex and sometimes it’s hard to troubleshoot potential problems.
RSA should improve backup options and High Availability architecture.
Data is stored on separate components without redundancy. It’s possible to have backup for data, but you have to use an external backup solution.
For how long have I used the solution?
I have used this product for two and a half years.
What do I think about the stability of the solution?
The system is stable if you provide enough CPU, RAM, and HDD (IOPS). Sizing should be done by RSA Professional Services or by an experienced partner for Virtual Machines. The hardware is sized well.
What do I think about the scalability of the solution?
There were no scalability issues, but you have to know what you are doing. Proper network deployment is important. Metadata flows are quite big between internal system components. Of course, it depends on how many network packets and logs are logged into the system.
How is customer service and technical support?
I would give technical support a rating of 8/10. Sometimes you have to wait for an initial response, especially if it’s not a critical problem. But when they start investigating, they do it quite well.
Which solutions did we use previously?
For full packet capture, we had Blue Coat Security Analytics. We switched because in NetWitness, we have everything needed to run a small SOC in our company (packets, logs, endpoints, incident management module, correlation, reporting, and investigation available for analysts).
How was the initial setup?
It’s a very easy product to install, when you know what you are doing. Customers without any experience should cooperate with RSA Professional Services or a partner company. It’s too complex a product to deploy for someone without experience. It can be done, but the value coming from RSA or a partner is incomparable.
What's my experience with pricing, setup cost, and licensing?
Prepare use cases, i.e., what to do and how.
Collect information about EPS for logs and total bandwidth for packets. This will allow you to properly size the licensing.
Hardware is too expensive in my opinion (Eastern Europe). It’s cheaper to run virtual machines in a VMware environment. (Keep in mind that CPU, RAM, and especially HDD requirements must be matched.)
Which other solutions did I evaluate?
We had Blue Coat Security Analytics, but we’re an RSA partner so it was natural to use the technology available to us.
What other advice do I have?
- Don’t rush. Prepare use cases for packets and logs as it is a very important part of deployment and future use.
- Use RSA Professional Services or a partner. Don’t deploy alone.
- A basic administration course is a must for all administrators.
- System architecture may be very easy or very complex. Do sizing well with external help.
Disclosure: My company has a business relationship with this vendor other than being a customer: RSA Partner.
May 11 2017