
RSA NetWitness Endpoint Overview

RSA NetWitness Endpoint is the #15 ranked solution in our list of EDR tools. It is most often compared to CrowdStrike Falcon.

What is RSA NetWitness Endpoint?
RSA NetWitness Endpoint is an endpoint detection and response solution that combines live memory analysis, continuous behavioral monitoring, and machine learning to detect known, new, unknown, and non-malware (fileless) threats that signature-based tools miss. According to the vendor, it helps analysts focus investigations amid thousands of alerts and offers 3X the impact for security teams by considerably reducing attacker dwell time and accelerating threat response.

RSA NetWitness Endpoint is also known as RSA ECAT.


RSA NetWitness Endpoint Customers
ADP, Ameritas, Partners Healthcare

Pricing Advice

What users are saying about RSA NetWitness Endpoint pricing:
  • "The cost depends on the number of endpoints that you want to monitor, but it is not expensive."
  • "The price of the solution depends on the environment. If the environment is large then it will cost more. However, the larger the environment with more endpoints, you will receive an increased discount. If the environment is very small, then you might think it is expensive. It is always better to buy in bulk to receive a discount. The minimum number of assets is usually 500, with discounts on 1000 and 2000."

RSA NetWitness Endpoint Reviews

Dr Trust Tshepo Mapoka
Senior Cybersecurity Consultant at CIA Botswana
Real User
Top 5
Good performance and reporting, and can discover unknown malware using signatureless detection methods

Pros and Cons

  • "This solution allows us to locate the malware in real-time."
  • "I would like to see Security Orchestration and Response Automation (SOAR) integration."

What is our primary use case?

We use this solution to detect indicators of compromise, where incidents that occur are analyzed and given risk scores. For example, if the endpoint is of high risk then it will be indicated in red. By contrast, if it's of low risk then it will be indicated in green. The scoring criteria are what we call the Indicators of Compromise.

The overall goal is to detect malware that is affecting the endpoints and then provide a response. It is often used by banks and telecom companies.

What is most valuable?

The incident response is very good.

When you are searching for malware, you can easily decrease the endpoints to narrow the search and find it. Examples of endpoints can be servers or laptops, each with different operating systems. This solution allows us to locate the malware in real-time.

I like the performance. It can detect signatureless malware, which many perimeter control and antivirus solutions cannot do. It is helpful for discovering unknown malware and it is so lightweight that you don't even notice that it is installed in your environment. It doesn't load the network and it uses less bandwidth than some other products.

The reporting is perfect and I haven't seen any problems with it.

RSA can easily integrate with third-party applications like Rapid7. All of the documentation for integration with other platforms and other vendors is available. The API makes integration even easier.

What needs improvement?

I would like to see Security Orchestration and Response Automation (SOAR) integration. This way, if there is an endpoint that has been compromised, you don't have to go about repairing or blacklisting it manually. Ideally, the system can have its own intelligence so that it can perform automated tasks without human intervention.

One of the drawbacks of using this product is that when you deploy, you have to create MSI files. These files have to be created for different operating systems, which means that you have to be conscious of which ones exist in your environment. For example, if you have Linux, MacBooks, and Windows machines, then you have to have MSI files created for each of them. Ideally, a single MSI file would be created to support deployment on any of the supported operating systems.

For how long have I used the solution?

I have been working with RSA for more than four years.

What do I think about the stability of the solution?

This product is very stable. It gives you real-time data if there's an endpoint being compromised. It is not a heavy platform.

What do I think about the scalability of the solution?

NetWitness Endpoint is very scalable.

How are customer service and technical support?

The technical support from RSA is 100%. They are available 24/7 and I am very satisfied with them.

How was the initial setup?

The initial setup is straightforward.

What about the implementation team?

I was working with another technical consultant and the two of us made up the team that implemented this solution. The last project that I was working on was larger in size and spanned over a two-month period. For the RSA NetWitness Endpoint component, it took between five and ten days to deploy, which included documentation.

One consultant is all that is needed to deploy it, as long as they understand the expectations held by the customer.

What's my experience with pricing, setup cost, and licensing?

This is not an expensive product. The cost depends on the number of endpoints that you want to monitor, but it is not expensive.

Which other solutions did I evaluate?

There are several SIEM technologies that are available but one advantage of using RSA NetWitness is that you don't have to outsource the EDR component. It comes as part of the platform. This is in contrast to solutions like IBM QRadar, where you have to outsource the EDR.

In a further comparison with QRadar, it doesn't give accurate results because there are a lot of false positives.

What other advice do I have?

This is a product that I recommend. My advice for anybody who is implementing it is to make sure that they have somebody who understands it very well. Having somebody who will configure it properly is the right way to have it generate the output that you want.

Also, you have to make sure that all of the endpoints are up to date. They have to be online all of the time so that you're able to have visibility on any compromises that may happen. If an endpoint is instead offline, it becomes difficult to investigate or to monitor compromises or malware.

I would also suggest deploying a virtual environment. By doing so, it can be cloud-based, and what you need to do is called Event Source Onboarding. This is the process whereby you are providing the consultant with the events that you want to collect data from.

In my opinion, this is the best platform, world-wide, and I am happy with it.

I would rate this solution a ten out of ten.

Which deployment model are you using for this solution?

On-premises
Disclosure: I am a real user, and this review is based on my own experience and opinions.
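The review above describes the product's model in outline: each endpoint accumulates indicator-of-compromise hits, those hits roll up into a risk score, high-risk endpoints show red and low-risk ones green, and an endpoint that goes offline stops giving you visibility. The following is an added example for this page, not RSA NetWitness Endpoint code, showing that model in working form: weighted IOC hits summed per endpoint and bucketed into bands, a staleness check so that a silent endpoint is reported as a blind spot instead of green, and a per-band action that a SOAR playbook could act on. The indicator names, weights, thresholds, band-to-action mapping and the sample telemetry are all assumptions constructed for the demonstration.

```python
"""Illustrative endpoint risk scoring: weighted IOC hits rolled up per endpoint,
bucketed into red/amber/green, with a staleness check so an endpoint that has
stopped reporting is flagged as 'no_visibility' rather than shown green.

Added example for this page; not RSA NetWitness Endpoint code. Indicator names,
weights, thresholds, actions and sample telemetry are constructed assumptions.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Assumed indicator catalogue (name -> weight). A real product ships many more
# indicators, and weights are tuned per environment.
IOC_WEIGHTS = {
    "unsigned_module_loaded": 10,
    "autorun_persistence": 25,
    "suspicious_powershell": 30,
    "lsass_access": 50,
    "process_hollowing": 60,
}

RED_THRESHOLD = 70                 # assumed: score >= 70 is red
AMBER_THRESHOLD = 30               # assumed: 30 <= score < 70 is amber
STALE_AFTER = timedelta(hours=24)  # assumed: silent this long = no visibility

# Assumed response per band, the kind of mapping a SOAR playbook would consume.
ACTIONS = {
    "red": "isolate_host",
    "amber": "open_investigation",
    "green": "none",
    "no_visibility": "restore_agent_checkin",
}

# Worklist order: red first, then blind spots (a missing agent is a finding).
BAND_ORDER = {"red": 0, "no_visibility": 1, "amber": 2, "green": 3}


@dataclass
class Endpoint:
    hostname: str
    last_seen: datetime   # last agent check-in (UTC)
    ioc_hits: list[str]   # indicator names observed since last review


def risk_score(hits: list[str]) -> tuple[int, list[str]]:
    """Sum known indicator weights, capped at 100. Indicators missing from the
    catalogue are returned separately so catalogue gaps are visible."""
    score = sum(IOC_WEIGHTS[h] for h in hits if h in IOC_WEIGHTS)
    unknown = [h for h in hits if h not in IOC_WEIGHTS]
    return min(100, score), unknown


def band_for(score: int) -> str:
    if score >= RED_THRESHOLD:
        return "red"
    if score >= AMBER_THRESHOLD:
        return "amber"
    return "green"


def assess(endpoint: Endpoint, now: datetime) -> dict:
    """Score one endpoint. A stale endpoint keeps its last score for context but
    is never reported green: without fresh telemetry the score means nothing."""
    score, unknown = risk_score(endpoint.ioc_hits)
    stale = now - endpoint.last_seen > STALE_AFTER
    band = "no_visibility" if stale else band_for(score)
    return {
        "hostname": endpoint.hostname,
        "score": score,
        "band": band,
        "action": ACTIONS[band],
        "unknown_indicators": unknown,
    }


def triage(endpoints: list[Endpoint], now: datetime) -> list[dict]:
    """Assess every endpoint and return the analyst worklist, worst first."""
    reports = [assess(e, now) for e in endpoints]
    return sorted(reports, key=lambda r: (BAND_ORDER[r["band"]], -r["score"]))


# Constructed sample telemetry (not real hosts or detections).
NOW = datetime(2021, 10, 15, 12, 0, tzinfo=timezone.utc)
SAMPLE_ENDPOINTS = [
    Endpoint("ws-finance-07", NOW - timedelta(minutes=10),
             ["suspicious_powershell", "lsass_access"]),          # 80 -> red
    Endpoint("srv-db-02", NOW - timedelta(hours=1),
             ["unsigned_module_loaded", "autorun_persistence"]),  # 35 -> amber
    Endpoint("lt-sales-19", NOW - timedelta(days=3), []),         # silent 3 days
    Endpoint("ws-hr-03", NOW - timedelta(minutes=5),
             ["unsigned_module_loaded", "custom_yara_match"]),    # 10 -> green
]

if __name__ == "__main__":
    for r in triage(SAMPLE_ENDPOINTS, NOW):
        print(f"{r['hostname']:<14} {r['band']:<14} score={r['score']:>3} "
              f"action={r['action']}")
```

Two design points worth noting. The staleness check runs before banding, so `lt-sales-19`, which has zero hits and would otherwise be green, surfaces near the top of the worklist; that is the practical consequence of the reviewer's advice that endpoints must stay online. Indicators the catalogue does not know are kept on the report rather than dropped, so a hit from a newly added detection is never silently ignored.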
Dr Trust Tshepo Mapoka
Senior Cybersecurity Consultant at CIA Botswana
Real User
Top 5
Overall great feature functionality, simple installation, and helpful technical support

Pros and Cons

  • "They have recently updated the features and the most valuable ones are the instant threat response, ease of use, web interface, integration, and easy access. RSA NetWitness Endpoint is very compatible with other solutions and technologies. However, they do not rely on third-party solutions and have most features built-in."

    What is our primary use case?

    RSA NetWitness Endpoint is used to get an instant detection response from network threats. Additionally, it has the capability to do malware analysis and investigations.

    How has it helped my organization?

    RSA NetWitness Endpoint has helped our organization from its many advantages and because it provides overall visibility of all of our endpoints within the enterprise network. You are able to see what exactly is going on and it provides real-time incident reports, instant management, and investigations.

    What is most valuable?

    They have recently updated the features and the most valuable ones are the instant threat response, ease of use, web interface, integration, and easy access. RSA NetWitness Endpoint is very compatible with other solutions and technologies. However, they do not rely on third-party solutions and have most features built-in.

    For how long have I used the solution?

    I have been using RSA NetWitness Endpoint for approximately six years.

    What do I think about the stability of the solution?

    The solution is very stable and does not overwhelm the network.

    What do I think about the scalability of the solution?

    The solution is highly scalable and is easy to scale.

    When comparing RSA NetWitness Endpoint to Splunk, we have found Splunk is missing some features. For example, the user identity and analytics capabilities are not available with Splunk. You will have to depend on third-party tools to provide those features. What makes Splunk very good is that it is dependent on third parties, but all those third parties have to integrate together. Splunk should have someone who is very good at API integration to be able to integrate all the third-party tools; otherwise, the solution will not work well.

    We have approximately six people using this solution in my organization.

    How are customer service and technical support?

    The annual license comes with free online support and all you do is open a ticket through the 24/7 support. The support is very good and they provide different levels of incident priority, such as level one and high priority; they typically respond within 24 hours.

    How was the initial setup?

    The installation was simple.

    What about the implementation team?

    We did the implementation of the solution ourselves. The vendor provides the datasheet manuals which are readily available online. They are easy to follow to complete the implementation.

    We have a license for the vendor to do maintenance.

    What's my experience with pricing, setup cost, and licensing?

    There are different licenses available for the use of this solution. The license that comes with support is more expensive than the basic license. 

    The price of the solution depends on the environment. If the environment is large then it will cost more. However, the larger the environment with more endpoints, you will receive an increased discount. If the environment is very small, then you might think it is expensive. It is always better to buy in bulk to receive a discount. The minimum number of assets is usually 500, with discounts on 1000 and 2000.

    The perpetual license is not good because it does not cover maintenance, you have to pay maintenance separately. However, they are slowly moving away from perpetual licenses and there will only be annual licensing for your subscription.

    Which other solutions did I evaluate?

    I have evaluated Splunk.

    What other advice do I have?

    Those looking to implement RSA NetWitness Endpoint should do a comprehensive assessment of their environment to check whether they really need the solution. Sometimes you buy the solution and you do not have the right people to use it. Ensure that you invest in the right expertise to use it because after you invest in people, then you invest also in the processes and technologies. If you have the technology but do not have the expertise to operate the solution, it will not be useful.

    I rate RSA NetWitness Endpoint a ten out of ten.

    Which deployment model are you using for this solution?

    On-premises
    Disclosure: My company has a business relationship with this vendor other than being a customer: Partner
    HS
    Senior Cyber Security Analyst (SAFe Agile) at a transportation company with 1,001-5,000 employees
    Real User
    Top 10
    Good detection rate and tracking features but triaging of incidents needs improvement

    Pros and Cons

    • "We've contacted technical support several times. They've been very good. They have been able to help us resolve our issues."
    • "The contamination feature could be improved."

    What is our primary use case?

    We use the solution for the contamination. We detect the incidents and then proceed for the contamination and error notification. For example, there's some intrusion history to the endpoint and there's a partial command that detects the code imbalance. We're able to find it and deal with it.

    What is most valuable?

    The detection rate and tracking features, including historical tracking, tracking of the files on the disk, and tracking of the file last monitored, are all quite valuable for us.

    What needs improvement?

    The contamination feature could be improved.

    For how long have I used the solution?

    I've been using the solution for six years now.

    What do I think about the stability of the solution?

    The stability of the solution is good. I'd rate it seven out of ten overall. We've had minor technical issues.

    What do I think about the scalability of the solution?

    The solution is highly scalable. Users just need to install the agent on the products. Right now, we have about 1,000 users. We use the solution daily.

    How are customer service and technical support?

    We've contacted technical support several times. They've been very good. They have been able to help us resolve our issues.

    Which solution did I use previously and why did I switch?

    We didn't previously use another solution.

    How was the initial setup?

    The initial setup was pretty straightforward. We didn't run into any issues. I can't recall how long it took to deploy.

    What about the implementation team?

    We had a professional service assist us with the initial setup.

    What other advice do I have?

    We use the on-premises deployment model.

    The contamination should be improved. If a new user needs better contamination capabilities, they should use something else.

    I'd rate the solution seven out of ten. If it offered better triaging of incidents, I'd rate it higher.

    Disclosure: I am a real user, and this review is based on my own experience and opinions.