RSA NetWitness Logs and Packets (RSA SIEM) Review

Has a simple dashboard and you can develop connectors for any application, but it is difficult to set up
What is our primary use case?

The RSA NetWitness Logs and Packets solution was set up as part of the SOC. It is set up on two sides. One is for the Data Center (DC) side, and the other is for the Disaster Recovery (DR) side.

What is most valuable?

The most valuable feature is that we can create our own connectors for any application, and NetWitness provides the training and tools to do it. With some other solutions, creating custom connectors is very costly.

The dashboard is very simple to use.

What needs improvement?

The initial setup is very complex and should be simplified.

We had some trouble integrating with our Check Point firewall.

For how long have I used the solution?

I used RSA NetWitness for a couple of months in my previous company.

What do I think about the stability of the solution?

It was too early to say whether this solution was stable because you need at least a year to determine that. In the initial stages, we were still getting a lot of alerts because there was no time to fine-tune it. Maybe after six or eight months, we would have been able to say whether the product was stable. Just before reaching that point, I left the organization.

What I can say is that for the time I was there, we did not experience any bugs, crashes, or glitches.

What do I think about the scalability of the solution?

This solution is scalable. We had between 20 and 25 users, although, on a daily basis, I would say that 13 to 16 people used it.

How are customer service and technical support?

We did not interact with technical support because we were working with the vendor, and the vendor was working with them.

Which solution did I use previously and why did I switch?

We tried to implement Paladion, but we were not able to complete our PoC because of problems.

How was the initial setup?

The initial setup is very complex. It requires having knowledge of what components do and which go where. An example is knowing which component will fetch data and where it goes. This is very difficult for somebody new, and a person should have a minimum of one to two years of work experience.

Our deployment of the two solutions and having them work simultaneously took between four and five months.

What about the implementation team?

We have an in-house team, but the vendor gave us support as well. The initial setup was very tough, which is why it took four or five months to implement everything and make sure that it was configured as per our requirements.

There were six people involved in the deployment: three from the vendor's team and three from my team. They were working day and night to make sure that things worked well.

The number of people required for maintenance depends on the hours of operation. If the business hours are 24/7 for the entire year, then two people are required for maintenance.

Which other solutions did I evaluate?

We did not evaluate other options.

What other advice do I have?

My advice for anybody who is implementing this solution is to make sure that the team handling the deployment is skilled. Without support, they will not be able to do it at all.

Also, if somebody wants to make their own connectors, then they will need to have a development team. Without knowledge of scripting, it is not possible to make connectors. So, I would say that at an early point there needs to be somebody specialized in the use of this product.

I would rate this solution a six out of ten.

Which deployment model are you using for this solution?

On-premises

Disclosure: I am a real user, and this review is based on my own experience and opinions.