RSA NetWitness Logs and Packets: Security analytics product overview

Expert Dan Sullivan examines RSA's NetWitness Logs and Packets, security analytics tools that collect and review logs, packets and behavior to detect enterprise threats.

The state of information security is succinctly stated with the adage "InfoSec professionals have to be right all the time, and attackers only have to be right once." The idea behind this sentiment is that attackers can take their time to probe networks, assess the security controls in place and find weaknesses to exploit. Meanwhile, security professionals have to constantly watch for unusual activity, assess vulnerabilities, and prepare to respond to a wide array of attack types. Security analytics tools such as the RSA NetWitness suite are designed to reduce the information overload burden on InfoSec professionals.

RSA NetWitness Logs and Packets

It is no longer a viable option in large enterprises to expect targeted controls, such as centralized logging and vulnerability scanning, to provide information fast enough or in sufficient detail to counter advanced threats. Security analytics emerged in response to the need to collect and integrate data from multiple sources and evaluate that data for patterns of potentially malicious activity.

RSA this summer introduced its latest security analytics offering, RSA NetWitness Suite, which builds on the company's previous offering, RSA Security Analytics. The suite includes NetWitness Logs and NetWitness Packets, which provide the bulk of the analytics capabilities for the suite; the RSA NetWitness suite also includes EndPoint, SecOps Manager and other products.

The NetWitness Logs and Packets platform is designed to deliver advanced analytics, including real-time behavioral analysis, and visibility across enterprise endpoints, networks and cloud resources. This includes full packet capture and NetFlow logs, which allows the security analytics products to detect and reconstruct attacks.

Monitoring and forensics

RSA NetWitness Logs and Packets have several components for specialized operations, including a decoder, concentrator and broker.

The RSA NetWitness decoder is responsible for the real-time collection of network data. The decoder captures data in real time and can normalize and reconstruct data for full session analysis. In addition, the decoder can collect flow and endpoint data. The concentrator collects information from multiple decoders and provides the mechanisms needed to support the distributed decoders. There is a hybrid decoder/concentrator, specific to RSA NetWitness Logs and Packets, that comes in a single appliance designed for branch location monitoring.

The broker supports analytic services by enabling federated querying across the distributed system. The broker allows system administrators to work with a single device to collect information from across the network. Other components of the security analytics suite include an archiver for long-term storage and compression of log data to meet compliance requirements, a virtual log collector, or VLC, that lets remote sites send logs to the decoder, and a security analytics server.

Behavior analytics

One of the key features of the RSA NetWitness suite is the advanced analytics engine's behavior analytics capability. Shortly before the RSA NetWitness suite was introduced, the company added real-time behavior analytics capabilities to the RSA Security Analytics platform, a feature that was then carried into the NetWitness suite. The behavior analytics component uses machine learning to spot anomalous activities and behaviors of both users and systems. According to RSA, the behavior analytics engine is designed to detect lateral movement by threat actors.

Data enrichment

In addition to collecting data, the RSA NetWitness platform also performs data enrichment and event stream analysis. Enrichment includes adding tags to highlight threat indicators or other relevant characteristics so analysts do not have to spend as much time on such low-level data analysis tasks. This kind of analysis is the foundation for building real-time alerting mechanisms. RSA NetWitness includes tools to sift through large volumes of data to triage events and prioritize responses.

The suite also comes with an Event Stream Analysis (ESA) module, an analytics and alert engine designed to correlate data from a range of different events. The ESA module can take metadata from logs, NetFlow, packets and other sources and correlate the information. In addition, enterprises can create custom rules via the rule builder wizard for collecting and processing the data.

Customers already using other RSA products may be able to integrate those systems into RSA NetWitness Logs and Packets. For example, security managers can easily link RSA NetWitness Endpoint to NetWitness Logs and Packets. As with many enterprise applications, pricing is available through custom quotes. Customers can contact RSA for more information on licensing, support and free demos for RSA NetWitness Logs and Packets.

The RSA NetWitness Logs and Packets products are designed as federated, distributed tools that can scale to large networks and complex topologies. Analytic modules can perform real-time analysis as well as incident analysis after the fact. Integration with the RSA security operations center is useful when consolidating and coordinating security monitoring and response around that platform.

The RSA NetWitness platform is well suited for enterprises with specialized information security teams that can take full advantage of the platform's capabilities. Smaller organizations may want to consider another security analytics platform.

Next Steps

Part one of this series explains the basics of security analytics products

Part two examines the use cases for security analytics

Part three looks at how to procure security analytics products

Part four compares the best security analytics products on the market
