RSA NetWitness Logs and Packets (RSA SIEM) Review

The Alerting Module provides real-time event processing language on the logs/packets stream.


How has it helped my organization?

As mentioned elsewhere, this product provides full visibility for the activities in the networks and systems. For example, it provides detection of the attacks in early stages (brute-force attacks), by which the attackers try to gain access to the systems, by trying to log in using different usernames and passwords (might be in a dictionary).

What is most valuable?

RSA NetWitness is a SIEM and real-time network traffic solution. It collects logs/packets and applies a set of alerting, reporting and analysis rules on them. Thus, it provides the enterprise with a full visibility of the networks and activities of the systems.

Its main features/components are:

  • Investigation Module: It is the location where the SOC analysts can find all logs/packets captured in a time-frame, that are related/non-related and have drill-down/filtration capabilities all in one table, for investigation and analysis.
  • Alerting Module: It provides real-time event processing language on all the logs/packets stream for advanced alerting, i.e., using SQL LIKE statements.
  • Reporting Module: It provides advanced reporting capabilities.
  • Dashboard Module: It provides dashboards for specific activities on the systems and networks.
  • Command and Control Detection: In additional to identifying the C&C IPs through threat intelligence, NetWitness investigates the packets to determine any type of suspicious C&C communication, by using a feature called Automated Threat Detection.
  • Threat Hunting Package: By using this advanced technique, NetWitness automatically investigates all the service sessions, files/packets and then it identifies any IoCs, BoCs and EoCs.
  • Context Lookup: In order to give an overview during investigation, this feature highlights any value related to the previous alert, incident, RSA ECAT feed mentioned or even if it had any comment from the RSA community, that leads to detecting any recent attack (even if it is still not announced on threat intelligence).
  • Incident Module: It provides an automated incident handling utility to ensure that right actions have been taken to close the incident.
  • Malware Analysis Module: It provides a file analysis environment including sandboxing, community etc., so as to investigate more of the files captured through the environment traffic.

What needs improvement?

  • Out-of-the-box alerts and investigation rules
  • Health monitoring of the event sources and devices
  • Threat intelligence for data accuracy

What do I think about the stability of the solution?

We encountered stability issues in the earlier versions, and much fewer in the newer versions.

What do I think about the scalability of the solution?

There were no scalability issues.

What's my experience with pricing, setup cost, and licensing?

The new pricing and licensing mechanisms are fair. I would advise always to get the full solution (i.e., not only Logs).

Which other solutions did I evaluate?

I did not evaluate other solutions.

What other advice do I have?

The only thing I advise others is to spend enough time for fine-tuning and the initial rule development.

You should also develop a plan for the ongoing development and fine-tuning, as found in all the other leading SIEM solutions.

Disclosure: My company has a business relationship with this vendor other than being a customer: We are a sub-contractor.
1 visitor found this review helpful
2 Comments
Alireza GhahroodReal UserTOP 5LEADERBOARD

The only thing I advise others is to spend enough time for fine-tuning and the initial rule development.

You should also develop a plan for the ongoing development and fine-tuning, as found in all the other SIEM solutions.

17 June 17
Dennis Chow, MBAConsultant

I agree, with Alireza's comment. It's always best practice regardless of the SIEM. Traditionally, we've used the Netwitness platform mainly for full packet capture and basic alerting. To make better use as a full SIEM, it's important for others to note that customers need to buy additional modules and hardware including ESA. The additional content out of the box requires subscriptions to their RSA live and threat intel feeds as well in many cases. It's not the usage that is too difficult; it's the administration that makes it a bear. I advise, like many other solutions to get vendor formal training if you intend to self-administrate or create your own content

12 July 17
Guest

Sign Up with Email