What is our primary use case?
We are a service providing company and this is one of the products that we implement for our clients. The RSA NetWitness Logs and Packets solution is used for Event Stream Analysis (ESA), and we implement use cases based on our customers' needs. For example, if the security device is a Palo Alto device, then we implement the use cases at the policy level. These might be things like phishing attacks or a botnet. Most companies follow the GDPR regulations for compliance.
We have RSA NetWitness implemented in virtual appliances.
What is most valuable?
The most valuable features are the packet decoder, log decoder, and concentrator. The packet decoder is capable of collecting the flow, whereas the log decoder is capable of collecting the event. NetWitness offers a hybrid solution that collects both and also uses the concentrator.
What needs improvement?
The alert dashboard is not reflecting events in real-time. We have to refresh in order to view an alert in real-time.
Log aggregation is an issue with this solution because there are a huge number of alerts in a single instance. Compared to ArcSight or QRadar, this is a problem.
For how long have I used the solution?
We have been using RSA NetWitness for about a year and a half.
What do I think about the stability of the solution?
The stability of RSA NetWitness is good. It is used on a daily basis.
What do I think about the scalability of the solution?
The ability to scale varies from client to client, and what the client's requirements are. Sometimes the client will want to move to a lighter platform and you have to consider the many inputs related to the cloud.
We are supporting 10 to 15 clients for this solution.
How are customer service and technical support?
With regard to technical support, we have found that their diagnosis makes sense but in some cases, they are very late to reply. Our clients always want to resolve the issue through us, and sometimes the support takes a long time. Because RSA NetWitness is a new product, there are many things that they are trying to find out.
Overall, I would say that the support is good.
Which solution did I use previously and why did I switch?
We are using multiple tools including QRadar, RSA NetWitness, LogRhythm, and Micro
The QRadar setup gave us no issues, and it also works with logs and packets.
LogRhythm fulfills the GDPR compliance.
How was the initial setup?
The initial setup is good, and it is not complex.
The length of time it takes to deploy depends on the type and size of the organization. It takes two to three days to implement this solution, including all of the installation and configuration. Once the company provides the requirements then we implement as per the organizational policy.
What about the implementation team?
We implement this solution using our in-house team, although if an issue should occur during installation then we can raise a ticket with support. We have had issues with difficult deployments because of the database during installation, which has led to using the support portal.
The number of people required for deployment and maintenance depends on how many logs are being integrated. Suppose there are 100 or 200 logs, then 10 people will be sufficient if they focus on deployment and troubleshooting. It also depends on the timeline. If the timeline is longer then five people are enough to complete the implementation.
What's my experience with pricing, setup cost, and licensing?
Many clients are not able to purchase the packet capability because there is a huge amount of data, and the cost depends on the number of EPS (Events per second), as well as the number of gigabytes of data per day.
What other advice do I have?
My advice to anybody who is researching this solution is to consider the differences between the hardware and the virtual solution. The hardware is okay, but if you have any issues and need to restart then it is easy to do this with the VM. My preference is using the VM, where they can easily increase the size of storage if necessary.
It is important to remember that ESA takes all of the main memory. The minimum requirement is 96 GB of RAM, and this is very easy to implement on a virtual machine. My advice is to implement ESA using the maximum eligibility criteria. Consider what the hardware requirements are in terms of RAM and storage, and use the maximum available for ESA.
This solution has a very good dashboard with a separate tab for incidents and alerts. There is a ticketing tool as well. If the problems with the dashboard are corrected then we will not need to have any other tools. The dashboard is a very important feature for clients.
I would rate this solution a seven out of ten.