Islam Rashad

RSA NetWitness Evolved SIEM and Gartner SOC Visibility Triad

Blog Post created by Islam Rashad Employee on Sep 3, 2020

Before I jump into explaining what is the relation between RSA NetWitness as an evolved SIEM and Threat Defense platform and Gartner’s SOC Visibility triad, I’m going to start by talking about Gartner for a minute. I expect everyone knows who Gartner are. They are a worldwide IT leading research and advisory organization and one of the most trusted and reputable ones in addition to being active within the Cyber Security field for SOC Threat Detection and Response tools such as: SIEM, NTA, EDR, UEBA, SOAR..etc. The reason we are mentioning Gartner today is that they did a piece of great work last year that sought to simplify complex views of modern security toolset requirements into a single picture of what good looks like.


They called it the SOC visibility triad and it calls out the three pillars of security, being your traditional log-centric SIEM, network-orientated and endpoint security detection and response tools.

Combining all these 3 technologies together helps in filling gaps among them to provide full security visibility. That combined approach significantly reduces the chances of an (internal or external) bad actor  to evade your deployed systems for a prolonged period of time which ultimately enables you to effectively meet the required SOC Metrics in terms of MTTD/MTTR and cut down the dwell time of a bad actor. 


The reason we like it is that Gartner, arguably the most respected of today’s analysts, has essentially drawn the core of RSA NetWitness.


RSA NetWitness brings together the breadth of coverage of log management solutions with the detailed, intelligence and forensic  worlds of endpoint and network into a single, modular and powerful  security platform.                                                                


Cyber security has always been a battleground so there has always been evolution of the tools used to attack and the tools used to defend. More recently we’ve seen huge rises in the use of automation by attackers, massive ransomware campaigns, huge data breaches and some pretty big fines being handed out through regulation like GDPR. Of course, most recently, the Covid-19 pandemic has seen huge numbers of businesses suddenly alter the way of doing business and consequently their security posture by rapidly allowing remote access to their corporate resources from anywhere.


All these cyber security pressures combined with most businesses thirst for technology adoption and digitization created huge change. At the heart of the change are security teams trying to build or maintain adequate protections, trying to be business enablers and not blockers.


To succeed, security teams need to move from the conventional approach of multi-layered, disjointed security tooling that uses old detection methods like rules and signatures to something more valuable. Modern security tooling needs to be able to consume all data sources, not just logs, and use the latest analysis techniques like machine learning to find important security insights and reduce the alert noise created by traditional approaches. Full visibility is important and by that we don’t just mean having visibility across the whole estate. We also mean combining intelligence from those data sources to undercover threats the individual tools wouldn’t notice.


As you’d expect, Gartner name us as a leader in their MQ reporting for this very reason.



Using a mixed approach in detection using a large library of out-of-the-box rule-sets combined with the latest in machine learning, RSA NetWitness as a modular and a platform-anywhere solution can automatically classify alerts based on their risk score across all data sources fully aligned with MITRE ATT&CK framework and Gartner agreed that as a single platform RSA NetWitness shines.


 For the traditional log centric SIEM space, we have a comprehensive integration coverage (see this URL RSA NetWitness Platform Integrations Catalog ) , intuitive/interactive UI ( ),

toolset with advanced query and advanced correlation capabilities. Where we can consume log data from  350+ log sources and get all this data filtered, normalized and enriched at capture time. Then applying real-time correlation-based analytics and reporting to provide real time alerts and dashboards visibility into any spotted threat.  NetWitness also extends this with a fully unsupervised, multi-model, machine learning UEBA (User and Entity Behavioral Analytics) engine. This engine forms a picture of normal user and entity (endpoint, network) activity and finds anomalies automatically, for example, a malicious insider, credentials theft, brute-force, process injections ..etc (further details on UEBA use cases and indicators can be found here UEBA: NetWitness UEBA Indicators)


The network detection space is really where RSA NetWitness was born and is unbeaten. RSA NetWitness can perform a continuous full-packet capture while providing a real time OSI stack "layer 2" to "layer 7" network threat detection. Like with log data this data is normalized and enriched alongside all other data sources. Specifically, with packet data we can reconstruct entire network sessions and extract malicious payloads, digital artefacts and the likes for further analysis.


At the endpoint, RSA NetWitness provides further security intelligence data by tracking system and user space processes and further enhancing the UEBA engine. With our lightweight agent we can directly perform remediation measures on endpoints from simple process shutdowns or protocol blocks to full endpoint isolation to stop compromise at the source (How to Isolate a Host from the Network ). Also, as with network detection, we can pull interesting assets such as malicious programs, MFT, system/process dump files from the endpoint for deeper analysis.


All of this analysed security data gathered and generated can be enriched with our threat intelligence engine which provides yet more insight, confidence, risk scoring into known threats like compromised IP addresses, malicious code or actors. This all provides huge amounts of insight for use in threat remediation or incident response activities. These threat responses can be tracked or automated through the main analyst interface (Respond: Responding to Incidents ) , or, through our security orchestration and automation (SOAR) engine called NetWitness Orchestrator (Security Automation and Orchestration ) .


We describe RSA NetWitness as a reliable evolved SIEM and threat defense SOC platform because of this ability to produce high-fidelity alerts across all data sources, lower false positives through the depth of its insight and detect threats faster. It can also act as your storyteller, allowing you to go back in time and pick through an attack blow by blow. It goes beyond a single indicator-of-compromise type detection to a malicious log/network/endpoint/user based behavior and TTP (tactics, Techniques and Procedures) detection,  to getting you a step ahead of the threat and ultimately improve your overall digital immunity across your estate in the face of known and unknown threats on a proactive manner. 


Importantly, it gives you the best possible information to answer the burning questions during any attack:

When and how did it happen?

What systems were affected?

What’s the magnitude and impact of it?


Special Thanks to Russel Ridgley RSA's UKI CTO, who contributed and helped me in writing this article. Please feel free to leave a comment if you have any question or interest to understand more on the RSA NetWitness solution. Thank you!.