RSA NetWitness Platform
Threat Detection and Response
The Most Advanced Threat Detection and Response Platform
RSA NetWitness Platform Evolved SIEM
The RSA NetWitness Platform applies the most advanced technology to enable security teams to work more efficiently and effectively. It uses behavioral analysis, data science techniques and threat intelligence to help analysts detect and resolve both known and unknown attacks BEFORE they disrupt your business. And it uses machine learning to automate and orchestrate the entire incident response lifecycle. Because the RSA NetWitness Platform does all of this—and more—on a single platform, it allows security teams to collapse disparate security tools and the data they generate into a single, powerful and blazingly fast user interface.
Accelerated Threat Detection for Today's Targeted Attacks
Your attack surface is expanding. Can your analysts keep up?
Organizations across industries face a Catch-22 with technology: The very technologies they need to compete—cloud applications, virtual infrastructure, mobile devices, etc.—provide attackers with more vulnerabilities to exploit and more ways to evade detection. Meanwhile, attackers have more resources than ever for surveilling organizations’ infrastructure and launching their attacks, while security teams struggle with a talent shortage and an ever-expanding list of alerts.
The RSA NetWitness Platform was designed with these challenges in mind. It brings together evolved SIEM and threat defense solutions that deliver unsurpassed visibility, analytics and automated response capabilities to help security teams detect, prioritize and investigate threats across their organization’s entire infrastructure.
The visibility and insight to detect the threats that matter most
The capabilities to speed analysts' response
RSA NetWitness Platform Evolved SIEM
Get the most complete visibility—across logs, network data and endpoint—to detect, prioritize and investigate threats.
RSA NetWitness Platform for Threat Defense
Detect the threats that have bypassed preventative controls and expose the full scope of these attacks to improve response.
RSA NetWitness Logs
Get the details on the features and benefits that differentiate RSA NetWitness Logs from other log management and monitoring solutions.
RSA NetWitness Network
Find out what differentiates RSA NetWitness Network as a network security monitoring tool and how it provides immediate, deep visibility to accelerate threat detection, investigation and network forensics.
RSA NetWitness Endpoint
Explore what distinguishes RSA NetWitness Endpoint from traditional endpoint security and endpoint detection and response tools.
RSA NetWitness Orchestrator
Find out how RSA NetWitness Orchestrator can make your security operations center more efficient and effective.
Benefits
Incorporates contextual information about your business to help prioritize alerts and drive a response aligned with your organization’s strategic goals.
Speeds threat detection and investigation by enriching log, network and endpoint data at capture time with threat intelligence and business context.
Collects data across more capture points (logs, packet, netflow and endpoint), computing platforms (physical, virtual and cloud) and threat intelligence sources than other SIEM solutions.
Arms analysts with automation and orchestration capabilities so they can follow consistent, transparent and documented processes for threat hunting and investigation.
Banish attackers before they own you
The RSA NetWitness Platform is the only threat detection and response solution that provides you with the end-to-end visibility — across your entire infrastructure — that you need to spot and stop attacks in their earliest stages. Get the combined capabilities you need to banish attackers before they own you.
RSA NetWitness Platform
The RSA NetWitness Platform provides pervasive visibility across a modern IT infrastructure, enabling better and faster detection of security incidents, with full automation and orchestration capabilities to investigate and respond efficiently. RSA NetWitness Platform takes security “beyond SIEM,” extending the traditional log-centric, compliance-focused approach to security to include state-of-the-art threat analytics, including user and entity behavior analytics (UEBA), and visibility into cloud, network and endpoints.
Figure 1: RSA NetWitness Platform Architecture
RSA Cybersecurity Services
In addition to market-leading security technology, RSA offers advanced professional services to help organizations design effective security systems and processes, and to respond to security incidents including data breaches.
RSA services utilize RSA NetWitness Platform (and other) tools when performing customer engagements. While RSA NetWitness Platform provides a powerful toolset for RSA professional services, their use of the platform creates a virtuous feedback loop, where continuous encounters with real-world threats inform both product development and threat intelligence activities.
RSA Advanced Cyber Defense (ACD) Practice
RSA Advanced Cyber Defense (ACD) Practice provides services to assess, design and implement an organization’s SOC strategy. ACD services focus on readiness and resilience, helping customers implement world-class security
RSA Incident Response (IR) Practice
RSA Incident Response (IR) Practice provides services to help organizations detect and investigate incidents and breaches. IR services are designed to identify root causes and guide customers in developing containment and remediation plans.
Visibility, Productivity and Business-Driven Security
What makes RSA NetWitness Platform different from other security platforms? There are several factors, including RSA’s 36 years of leadership as a technology security company.
The power of RSA NetWitness Platform delivers advantages in three critical areas:
Visibility
To effectively combat sophisticated attacks, you need pervasive visibility across both data sources (packets, NetFlow and logs) and threat vectors (endpoint, network and virtualized/cloud-based infrastructure). Modern IT infrastructures simply don’t follow the classic data center model. Virtualization and cloud strategies create real benefits, including lower costs and higher flexibility. Unfortunately, these things tend to make security much more challenging. It’s a dynamic tension that falls upon the SOC to manage. RSA NetWitness provides the needed visibility into all components of your IT infrastructure, not just the traditional parts. Unlike companies that focus on logs, or network, or endpoints, or cloud, RSA NetWitness sees the full environment.
Why is this so important? Modern sophisticated threats are designed precisely to defeat traditional, perimeter-based defenses. They attack different resources and hide among normal traffic. Even if a risk event is triggered in one control, it’s increasingly likely that an attack features the use of multiple data sources and threat vectors.
Pervasive visibility is the raw material for effective threat hunting. This allows analysts to see the full scope of an attack, and to respond decisively.
Productivity
RSA NetWitness Platform is designed to optimize the productivity of SOC personnel of all skill levels, from new security analysts to the most experienced threat hunters. It starts with the pervasive visibility discussed above; that’s the raw material upon which a world-class SOC is based. The paradox is that collecting so much data exacerbates a primary problem of modern IT: the ever-increasing amount of data generated by applications and security controls makes it nearly impossible to find the threats hiding within.
RSA NetWitness Platform solves this problem with powerful analytic capabilities. Its modular architecture handles massive amounts of raw data, enriching it with security context at time of capture. It then applies a set of sophisticated analysis tools, including machine learning, UEBA and public as well as RSA community threat intelligence. This process correlates disparate events and alerts into discrete investigations, automatically scoring each according to the likelihood that it represents an attack or exploit. This empowers security analysts to do their jobs better and faster. Level one analysts can quickly work through the prioritized investigation queue, distinguishing between benign alerts and true threats. They can tune the system to ignore alerts and processes that generate false positives, greatly increasing productivity.
Figure 2: RSA NetWitness Platform “Respond” Visualization Screen
Threat hunters become much more productive as well, with a rich toolset and an intuitive user experience that presents the information visually, and lets them drill down or pivot on any data point. In this manner, threat hunters can quickly evaluate and understand the full scope of an attack, and respond with confidence.
As a byproduct of its threat detection and response capabilities, RSA NetWitness Platform enables security personnel to report on all security activity, in the form of both standard compliance reports and incident response outcomes. With governments worldwide enacting laws requiring breach notification and risk evaluation, having the power to show exactly what an attack exposed can be the difference between a public breach announcement and a contained incident.
RSA NetWitness Orchestrator is a force multiplier for SOCs to standardize, scale, measure and continuously adopt security operations in an ever-expanding threat landscape. It automates repetitive incident response tasks, adds context-rich metadata and empowers security analysts to respond faster and with higher efficiency, reducing MTTR to a compromise.
Business-Driven Security
The focus on visibility and productivity makes RSA NetWitness Platform a great choice for any organization looking to deploy a world-class threat detection and response capability. Business context is the third major differentiator. The constant drumbeat of publicly exposed exploits and breaches makes it clear how expensive and damaging they can be. Business leaders now understand that IT risk is one of the most critical risks to be managed.
RSA believes that the most effective security strategy is business-driven. RSA NetWitness Platform reflects this by uniting business risk and IT risk with a common language and framework, and integrating business risk data into the threat detection process.
For example, RSA NetWitness Platform features the ability to integrate asset criticality data from various sources including RSA Archer®. Good risk management leverages the fact that a CISO’s laptop is more critical to an organization than a web server that hosts a company’s cafeteria menus. By integrating this type of risk-based assessment into the data being fed through the analytics engine, risk scores can reflect both the threat being seen and its effect on the organization if it succeeds.
This approach provides the bridge to the long-standing problem that IT and risk teams don’t typically collaborate closely. RSA NetWitness Platform automates the process and puts focus on the threats that carry real business risk. There are additional benefits to a business-driven approach, because it opens up the threat detection and response data set to drive other IT controls. For example, RSA NetWitness Platform can use data to trigger identity platforms such as RSA SecurID. If unusual login or data transfer activity is detected from a particular user account, indicating possible credential compromise, RSA NetWitness Platform will be able to command the identity platform to activate step-up authentication. Any malicious activity is stopped in its tracks, while legitimate use is not affected.
Summary
Organizations are experiencing a rapidly changing threat environment, and they need tools and services that can keep up with the changes. RSA NetWitness Platform is designed to offer the maximum amount of visibility, with automated analysis and prioritization, and in context of the real business risk of a threat. In this way, RSA NetWitness users can be sure they are seeing, and responding to, the threats that matter to their organizations.