NetWitness XDR Room for Improvement

SupravatMaji - PeerSpot reviewer
Associate Vice President - IT Security at Inspira Enterprise

RSA NetWitness Network could improve on integration with non-native applications.

HS
Senior Cyber Security Analyst (SAFe Agile) at a transportation company with 1,001-5,000 employees

NetWitness Endpoint's blocking feature does not work properly - if there's a malicious process, it's not possible to kill it via a custom rule unless and until it's flagged as malicious. For example, if you put IOCs in the form of hashes, it's not possible to block those IOCs - the system will alert you, but they can't be blocked. In the next release, NetWitness Endpoint should include regular expressions for blocking processes and sub-processes, the ability to block IPs, and scalability and integration with the ServiceNow platform or other ticketing solutions.

AO
Manager, IT Security Operations at a non-profit with 11-50 employees

I have no real complaints about the solution. 

Threat detection could be better. They need to enhance their threat intelligence feeds.

We would like to have more IOCs or more trade intelligence to not only rely on the intelligence of the engineer in charge but to have some threat intelligence and some seeds of IOCs and to have the host have some artificial intelligence to reduce the number of false positives.

I don't see this solution being very scalable. 

The solution is pricey.

Buyer's Guide
Extended Detection and Response (XDR)
April 2024
Find out what your peers are saying about NetWitness, CrowdStrike, Trellix and others in Extended Detection and Response (XDR). Updated: April 2024.
767,667 professionals have used our research since 2012.
Jakaria Udoy - PeerSpot reviewer
Information Security Engineer at Nhq Distribution Ltd

The integration of the solution needs to be improved. The dashboard needs lots of updates as well.

In the next release, we would like to see advanced fraud detection features.

HananSyed - PeerSpot reviewer
Cyber Security Consultant at Mideast Data Systems

The threat intelligence could improve in RSA NetWitness Endpoint.

TM
Senior Cybersecurity Consultant at CIA Botswana

I would like to see Security Orchestration and Response Automation (SOAR) integration. This way, if there is an endpoint that has been compromised, you don't have to go about repairing or blacklisting it manually. Ideally, the system can have its own intelligence so that it can perform automated tasks without human intervention.

One of the drawbacks of using this product is that when you deploy, you have to create MSI files. These files have to be created for different operating systems, which means that you have to be conscious of which ones exist in your environment. For example, if you have Linux, MacBooks, and Windows machines, then you have to have MSI files created for each of them. Ideally, a single MSI file would be created to support deployment on any of the supported operating systems.

Amr Abdelaziz - PeerSpot reviewer
Information Security Specialist at Masria Digital payments

We would like to see the hunting and investigation features of this solution improved, in order to provide better visibility of issues.

PS
Manager, Soc

The problem with this product is that it's a bit slow. I am not very happy with this product. In the past, I have worked with a different tool, which was only maintaining a log, but I found that solution much better than NetWitness. It is not properly configured yet.

One part of this product that needs to be improved is the log passing. Often, it doesn't work or logs go missing. There are many licensing complications as well.

HT
Security information and incident handling at a financial services firm with 501-1,000 employees

The solution doesn't have a reporting engine which would be helpful. I've also found that the UI times out too quickly and you have to close and reopen. It should allow for a longer session time.

HS
Senior Cyber Security Analyst (SAFe Agile) at a transportation company with 1,001-5,000 employees

The contamination feature could be improved.

MM
Security Consultant at Global Solutions

Its price could be improved. It is an expensive product. Its training is also too expensive. It would be great if they can have a better pricing scheme for the training.

AA
Account Manager at a tech services company with 11-50 employees

The solution is modular; for example, you can buy the RSA ePack, which you buy as a module and which is not part of the conduit solution. They could include it and have it as an all-in-one solution. However, customers understand the model, so they buy them in modules and put them together.

DJ
CEO & Founder at a tech services company with 1-10 employees

When analyzing something, you have to click several times. It requires a lot of effort to find something. The sole purpose of NetWitness is to find text easily, so this is an area that needs to be improved.

The scalability needs improvement, but I think that it is technically difficult.

This is a complex tool to use.

In the next release, if they could include a detection feature or improve the detection then I would like it better.

it_user629541 - PeerSpot reviewer
Security Consultant at a tech services company with 10,001+ employees

This solution needs an upgrade in reporting. I have heard from RSA that they are working on this, but as of yet it is not available.
