RSA NetWitness Suite and its threat intelligence capabilities

Expert Ed Tittel examines the RSA NetWitness Suite threat intelligence platform, which offers network forensic and analytics tools for investigating incidents and analyzing data.

RSA Security LLC was co-founded in 1982 by well-known cryptographers Ron Rivest, Adi Shamir and Leonard Adleman. Since its 2006 acquisition by EMC Corp., RSA has served as the security division of EMC.

RSA NetWitness Suite (formerly RSA Security Analytics) is a monitoring platform built on NetWitness Investigator architecture. The platform provides network forensic and analytics tools for investigating incidents, analyzing data packets and working with endpoint data and logs.

Essentially, the RSA NetWitness Suite engine captures, inspects and analyzes data, which is then tagged with threat indicators and attributes. The platform alerts administrators to unusual network behavior and anomalies, and provides configured rule sets and prepackaged reports for ease of use and quick implementation.

Using RSA NetWitness Suite, customers can detect and take action on emerging and advanced threats that other security defenses may miss, and do so within minutes, rather than hours or days. They can also use the platform to generate reports that meet regulatory compliance requirements for the Sarbanes-Oxley Act, HIPAA, Payment Card Industry Data Security Standard and others.

RSA Live is the web-based threat intelligence delivery system used by RSA NetWitness Suite customers. RSA Live is not available as a stand-alone product; it's integrated with RSA NetWitness Suite. Access to RSA Live data feeds lets customers combine intelligence from the service with their own data within RSA NetWitness Suite, so they can apply current, relevant threat intelligence to their environment. How RSA Live data is operationalized is a key differentiator in the industry: the data is converted into clickable metadata within the product, so open source and other intelligence can be merged with the customer's own data, making it more valuable.

An RSA NetWitness Suite subscription includes threat reports and alerts, open source community intelligence, common protocols and command-and-control reports, exploit kit identification, zero-day and compromise indicators, and prioritized risk levels. It also includes a number of RSA FirstWatch features -- a threat blacklist, advanced persistent threat tagged domains, suspicious proxies and malicious networks -- as well as Active Directory integration.

RSA NetWitness Suite data feeds

RSA Live feeds contain a mixture of RSA in-house research (through RSA FirstWatch, the RSA FraudAction team and others), open source information, paid intelligence and partner intelligence. The data is aggregated and scrubbed to eliminate noise and repetition.

Feed updates are pushed and pulled from the cloud, and most customers subscribe to specific intelligence feeds that are automatically updated.

RSA NetWitness Suite typical customer

RSA typically supports large global corporations and other enterprises across different industries, as well as government agencies. However, an RSA rep pointed out that the company can also accommodate small and midsize businesses.

RSA can scale and deploy RSA NetWitness Suite according to an organization's needs and security priorities, from a single appliance scenario to dozens of appliances, which may be partially or fully virtualized.

RSA NetWitness Suite pricing and licensing

RSA does not disclose costs for the RSA NetWitness Suite. Potential customers must request a quote for an RSA NetWitness Suite deployment that's customized to their environment.


Because RSA Live is part of RSA NetWitness Suite, customers have access to RSA's global support organization, which offers several support plans: Basic, Enhanced and Personalized.

The Basic plan offers telephone and email support during ordinary business hours, Monday through Friday (excluding holidays), access to RSA SecurCare Online, and patches and upgrades to RSA software. Enhanced support adds 24/7 year-round telephone support. The Personalized support plan includes an RSA Technical Account Manager, a designated contact for issue escalation, an on-site support engineer and other more advanced support services.

This was last published in April 2017
