RSA NetWitness Logs and Packets (RSA SIEM) Review

Good features for investigating network problems but it is pricey and lacking in usability


What is our primary use case?

We are no longer using this solution; however, it was used mostly for network monitoring.

What is most valuable?

The most valuable feature is the ability to write rules and triggers for network communication and then to investigate based on that. You can see the payload and deconstruct the packets.

What needs improvement?

The solution would be greatly improved by unifying the management to one configuration option. One of the problems the system had is that you always have to choose the managed host. For example, if you want to write a rule, you have to duplicate it across your managed hosts. It should have centralized management. If you want to make a change then it should be configured automatically, so that you don't need to go one by one, changing it. That is really annoying.

Another problem is that the EPL (Event Processing Language) is not properly explained, and the expert could not even use it when they came to our site. It was causing the system to crash, so they should really consider using something else.

The system looks like it is a mix of a bunch of different systems, and nothing looked like it was quite together. I think that it could be better integrated, and it would be great for new customers or even existing customers.

For how long have I used the solution?

About one year, on and off.

What do I think about the stability of the solution?

I cannot say that the solution was stable because it tended to crash. We were using it before version 11, where some of the problems were supposed to be solved. I have heard from insiders that version 11 does not hold up to the hype and they're still facing some of the same problems.

What do I think about the scalability of the solution?

I think that the solution is scalable because you can easily add new hosts. This is one of the things that was really straightforward and that we appreciated.

How are customer service and technical support?

The people that we spoke with from technical support were really professional. Some visited us on-site and did some training with our analysts. They are really good staff and we really liked it. The company that did the integration at the site where I was working was planning on re-hiring them for other customers, so they made a good impression.

The support is responsive by email, but initially, it is a little bit lacking. Beyond the initial emails, it is quite professional.

How was the initial setup?

I was not part of the initial setup, but I can tell you that managing the system, in general, is not straightforward. It is quite elusive and very confusing, even after calls to technical support.

What's my experience with pricing, setup cost, and licensing?

This is a pricey solution; it's not cheap.

Perhaps if the implementation is small then it is not bad, but if you have a global network or a security agency that needs to be segregated on the network, then it can be quite pricey.

What other advice do I have?

This solution has some good features, but it is lacking in usability. This means that I would rate it somewhere in the middle. I would rate this solution a five out of ten.

Disclosure: My company has a business relationship with this vendor other than being a customer: Partner.