dcsimg

RSA NetWitness Suite: SIEM Product Overview and Insight

SHARE
Share it on Twitter  
Share it on Facebook  
Share it on Linked in  
Email  

See our complete list of Top 10 SIEM Products.
See user reviews for RSA NetWitness Suite.

Bottom Line

RSA remains in the Challengers section in Gartner's latest SIEM Magic Quadrant, but the company has an edge in existing RSA, Dell and EMC shops. The number of elements and implementation complexity may limit it to larger organizations with well-trained, veteran IT security teams. Top industry verticals are financial institutions, governments, oil & gas, energy and telcos.

Company Description

Security leader RSA was founded in 1982 and became a Dell Technologies business after the acquisition of EMC by Dell in September 2016.

Product Description

The RSA NetWitness Platform addresses SIEM and threat defense. It integrates logs, network data and endpoints, applying threat intelligence and behavioral analytics to detect, prioritize, investigate and automate response to threats. It features machine learning, behavioral analytics, automation and orchestration, and workflow and playbooks. It supports monitoring, event correlation and posture assessment, alert and incident handling, breach analysis and automated response.

The RSA NetWitness Suite is composed of:

·       RSA NetWitness Logs and Packets

·       RSA NetWitness Endpoint

·       RSA NetWitness Security Operations (SecOps) Manager

RSA SIEM Features Rated

Threats Blocked: Good. NetWitness blocks a wide range of threats.

Breadth of sources: Good. Out-of-the-box threat intelligence includes access to over two dozen threat feeds, including intelligence from RSA's FirstWatch research team, and incident response activities. RSA Live provides crowdsourced threat intelligence from RSA NetWitness customers.

Performance: Very good. It is rated to sustain log ingest of 30,000 EPS per system, to sustain packet ingest up to 10Gbps per system, and to support up to 100,000 endpoints per system. Each of these systems can be scaled out. Some of RSA NetWitness Platform's largest customers average over 150,000 events per second (EPS) and experience peaks of 600,000 EPS and ingest hundreds of TBs of data per day.

Value: Good. Users are largely happy with the product and the value they receive.

Implementation: Good. Most users have a good implementation experience but need plenty of help from the vendor. The complexity in implementation may limit it to larger organizations with well-trained, veteran IT security teams. One user called it "a potent solution for those with the resolve to match."

Management: Good, if complicated. RSA NetWitness SecOps Manager, a module in the RSA Archer solution, adds advanced incident management workflow, operational playbooks, management dashboards and reporting.

Support: Very good. RSA gets high marks for support from users, making the challenges easier.

Scalability: Very good. Gartner said both vertical and horizontal scaling is supported by adding additional components.

RSA NetWitness

Security Qualifications

RSA NetWitness is CC EAL2+, accredited by the U.S. government, supports FIPS-approved crypto algorithms and methods, and is certified for U.S. Department of Defense Information Network UC APL.

Intelligence

The RSA NetWitness Platform leverages intelligence, automation in analytics and response, along with machine learning behavioral analytics. It can record every network connection and every process executing in the enterprise. A streaming analytics engine known as RSA Event Stream Analysis (ESA) can customize profile-based alerts utilizing input from network sessions and logs. Other intelligence features include event source automatic monitoring, anomaly detection and entropy scores to generate alerts. RSA NetWitness Orchestrator is a security operation and automation technology that combines full case management, intelligent automation and orchestration, and collaborative investigation capabilities.

Delivery

RSA NetWitness can be installed as software, physical and virtual appliances, and in hybrid configurations.

Agents

RSA's SIEM is agentless.

Pricing

The primary pricing model on RSA NetWitness Platform is throughput-based. Pricing is structured in tiers, with lower per-unit prices at higher throughput volumes. RSA NetWitness Platform is available as both a term license (monthly entitlement with support/subscription included) and perpetual (perpetual entitlement with separate support/subscription). Starting retail prices for a typical enterprise is $857/month on a term license. For customers preferring a physical deployment, matched Dell hardware is available from RSA at market prices, or may be acquired separately by the customer to RSA NetWitness specifications. For customers who prefer an appliance-based purchase (primarily existing customers who have not yet converted to a throughput-based purchase model), an appliance-based pricing model for RSA NetWitness Platform remains available.

RSA NetWitness Orchestration & Automation pricing is based on the number of analysts using the software, and is only sold as a term license. Starting retail prices for a typical enterprise would be $8200/month. RSA NetWitness UEBA is priced based on the total number of employees in a customer's organization that have corporate network access. Pricing is structured in tiers, with lower per-user prices as the number of employees increases. Both term and perpetual license options are available. Starting retail prices for a typical enterprise would be $1.50/user/month on a term license.