RSA NetWitness Logs and Packets (RSA SIEM) Review

Advanced monitoring and alerting feature is not stable, though it is easy to integrate common data sources

How has it helped my organization?

Reliable in terms of no data loss. Plays a huge role in device health checks (Event Source Monitor). Provides FSEs with relevant information prior to end-user problem solutions (if data sources are integrated and parsed properly).

What is most valuable?

  • Packet Solution: Allows analysts to proactively hunt and alert on sophisticated APTs daily.
  • Broker service: Aggregates multiple Concentrator devices deployed across various sites, which accelerates analysts' duties.
  • Archiver: Retains logs for three to five years for forensics purposes or future targeted investigations.

What needs improvement?

The advanced monitoring and alerting feature (Event Stream Analysis) is not stable. It does not allow certain use cases to run in parallel.

The reporting module: If only its dashboards resembled anything you would see in any BI reporting tool.

What do I think about the stability of the solution?

More than once, when fine-tuning use cases (ESA feature) for real-time monitoring.

The reporting feature suddenly limits the amount of log extraction over certain cycles.

What do I think about the scalability of the solution?

Never.

How is customer service and technical support?

Eight out of 10. RSA tech support is awesome.

Sometimes they face huge challenges when an unknown bug hits their system, and tech support must take their cases to engineering.

Which solutions did we use previously?

None in production other than RSA. However, I will be using IBM QRadar towards the end of this year.

How was the initial setup?

I was never involved in setting up the solution with any of my employers. I get to learn the architecture and see the environment once it's complete.

What's my experience with pricing, setup cost, and licensing?

RSA licensing varies per core device and service.

An additional Designated Support Engineer can be acquired at quite a high price. They are as reliable as your system and will be given higher priority than any other support case(s).

Which other solutions did I evaluate?

Our partnership with RSA was already in place. No room for evaluation.

Top SIEM tools such as HP ArcSight, McAfee ESM, and IBM QRadar.

What other advice do I have?

Whether operating this solution in-house or reselling it: first, outline all your data sources. Give more priority to the assets you want to protect.

Event source type and versions will be key.

Additional useful features:

  • Easy to integrate common data sources.
  • User-friendly GUI.
  • Basic SQL rule syntax.

We are using RSA Security Analytics version 10.6.3.2 and upgrading to 10.6.4 in mid-September. NetWitness Suite v11 is due in October as a major upgrade.

Disclosure: My company has a business relationship with this vendor other than being a customer: Partner and reseller.