RSA NetWitness Logs and Packets (RSA SIEM) Review

Provides accurate information, quick analysis from the endpoint perspective, and quick identification of any potential malware


What is our primary use case?

We use the on-premise deployment model of this solution. Our primary use case of this solution is for malware detection and for reconstruction during the incident and forensic analysis.

What needs improvement?

The web interface needs improvement because right now they have problems combining an older interface with a newer interface. They're in the middle of the process of combining the old one and the new one. It sometimes confuses the user, and sometimes you are not able to find the necessary information. You need to click through to the information, and that is something that should be improved.

The data isn't a problem but you need to get used to it. You need to know where to click in order to get the results. Otherwise, you can encounter some problems.

I would be very happy if they would fix all the issues from the 11.3 version in the 11.4 version, to get more advantage from the UEBA, because the UEBA we have implemented will be the longest. If they fully integrate the UEBA with the network data, this could be a very huge advantage and have an impact on the market. Right now, you have a solution like Darktrace which has the same capabilities as RSA NetWitness, so NetWitness should implement the same things. They have UEBA, they have data. They should implement algorithms to digest that data and produce additional, more advanced reporting, alerting and support for internal security teams.

For how long have I used the solution?

I have been using this solution for almost three years.

What do I think about the stability of the solution?

It's very stable if you are talking about the old version. I don't like 11.3, and I don't know 11.4; it's not actually released yet. It provides accurate information, quick analysis from the endpoint perspective, and quick identification of any potential malware. But the 11.3 version is a complete disaster. You cannot analyze anything.

I am part of the maintenance team. It's me and a couple more staff members who don't work full-time on this solution. I would say around four employees are required for maintenance, but not full-time.

What do I think about the scalability of the solution?

It's fully scalable. There is no limit. Of course, the license limits the number of terabytes per day. In my opinion, it's very flexible.

We have 10,000 users using this solution.

We do plan to increase the usage of this solution. We want to implement more monitoring of the internal traffic from specific places. We need to implement more decoders, more concentrators, and some kind of organization of the log archiving.

How are customer service and technical support?

Their customer service is excellent, one of the best.

If you previously used a different solution, which one did you use and why did you switch?

I have been using Fidelis, and that works. It's all the same approach, but they only gather the metadata, not the full packet capture. If you want to compare those products, I can safely say that RSA is much better because they offer full packet capture capability. It's more scalable and more flexible.

How was the initial setup?

The initial setup was not very complex. The problem is with the use cases. You need to be very careful not to become overwhelmed with unnecessary data. You need to decide very carefully what should be filtered and what needs to be taken from the network or from the logs. You need to decide whether you need YouTube traffic at all, for example, because it consumes storage. It's a huge amount of data, and that data is useless. It is not relevant to malicious activity, and if you want to get the full picture of the user activity or the motor activity, you can have that with the data without Facebook, for example.
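As an added illustration of the filtering decision the reviewer describes (this is example code written for this page, not RSA NetWitness rule syntax and not the reviewer's own configuration), the following Python sketch applies a capture-retention policy to a set of flow records: bulk streaming and social destinations over ordinary web ports are kept as session metadata only, while everything else, including traffic to those same hosts on an unexpected port or protocol, is retained in full. The domain list, the per-record metadata size and the sample flows are all constructed assumptions chosen to show the storage trade-off.

```python
"""Added example: a capture-retention policy of the kind the review describes.

Illustrative Python, not RSA NetWitness rule syntax. The flow records below
are constructed sample data; the domain list and the metadata record size are
assumptions chosen to show the trade-off between full packet capture and
metadata-only retention for bulk traffic.
"""
from dataclasses import dataclass

# Assumed: bulk streaming / social destinations whose payload rarely matters
# for incident reconstruction; session metadata is kept, packets are not.
METADATA_ONLY_SUFFIXES = ("youtube.com", "googlevideo.com", "facebook.com", "fbcdn.net")

# Assumed size of one session-summary record once the payload is dropped.
META_RECORD_BYTES = 512


@dataclass(frozen=True)
class Flow:
    src: str
    dst_host: str
    dst_port: int
    bytes: int
    proto: str


def retention_for(flow: Flow) -> str:
    """Return 'full' or 'meta' for a flow.

    Rule order matters: anything that is not plain web traffic is kept in
    full even when it goes to a 'bulk' host, because an unusual port or
    protocol to a familiar domain is exactly what an analyst wants packets for.
    """
    if flow.proto != "tcp" or flow.dst_port not in (80, 443):
        return "full"
    host = flow.dst_host.lower()
    if any(host == s or host.endswith("." + s) for s in METADATA_ONLY_SUFFIXES):
        return "meta"
    return "full"


def apply_policy(flows):
    """Return (stored_bytes, raw_bytes, decisions) for a list of flows."""
    stored = raw = 0
    decisions = []
    for f in flows:
        kind = retention_for(f)
        raw += f.bytes
        stored += f.bytes if kind == "full" else META_RECORD_BYTES
        decisions.append((f.dst_host, kind))
    return stored, raw, decisions


# Constructed sample flows (not captured data).
SAMPLE_FLOWS = [
    Flow("10.0.1.15", "r3---sn-abc.googlevideo.com", 443, 850_000_000, "tcp"),
    Flow("10.0.1.15", "www.facebook.com", 443, 40_000_000, "tcp"),
    Flow("10.0.1.22", "mail.internal.example", 25, 2_000_000, "tcp"),
    Flow("10.0.1.22", "update.example-vendor.net", 443, 6_000_000, "tcp"),
    Flow("10.0.1.15", "www.youtube.com", 8443, 1_500_000, "tcp"),  # odd port: keep full
    Flow("10.0.1.30", "cdn.fbcdn.net", 443, 4_000, "udp"),          # not tcp: keep full
]

if __name__ == "__main__":
    stored, raw, decisions = apply_policy(SAMPLE_FLOWS)
    for host, kind in decisions:
        print(f"{kind:4s}  {host}")
    print(f"raw {raw} bytes -> stored {stored} bytes ({100 * stored / raw:.1f}%)")
```

The point of the ordering in `retention_for` is the caveat a practitioner would add to the reviewer's advice: filtering by destination alone discards the packets you would most want if that destination is ever abused, so the exclusion should be scoped to the protocol and ports where the traffic is genuinely bulk.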

What's my experience with pricing, setup cost, and licensing?

We have a perpetual license, so the total cost of ownership is not very expensive. It's a good investment.

Which other solutions did I evaluate?

We have looked at the Cisco solution to expand with more devices from Fidelis to cover more areas of our network. I also evaluated Symantec, and I have seen FireEye, but it's hard to even compare those products to RSA.

What other advice do I have?

If it's possible, ask primary support to help you implement the fundamental alert or detection rules at the very beginning. This is my best advice for a customer, regardless of the size and scope of the implementation. Use the support to help you with the implementation process.

I would rate it an eight out of ten. 

Disclosure: I am a real user, and this review is based on my own experience and opinions.