
RSA NetWitness Platform

6 Posts authored by: Amy Blackshaw

We are excited to announce the latest version of the RSA NetWitness Platform! 

For those of you at RSA Conference, come to the RSA Booth to see first hand the new capabilities of the platform. RSA NetWitness Platform 11.3 is also being used by the RSA Conference SOC team as they monitor the traffic in and around the Moscone Center.


New Features in RSA NetWitness Platform

New capabilities in RSA NetWitness Platform 11.3 provide distinct value and are further enhanced when leveraged across a single platform.


  • Threat-Aware Authentication with RSA SecurID Access: RSA NetWitness Platform now feeds threat context into RSA SecurID Access to enable continuous, threat-aware authentication, so that insider threats and malicious actors can be blocked while an attack is in progress, with less time and effort required from overworked security operations teams.


  • RSA NetWitness UEBA: RSA NetWitness Platform introduces the first machine learning models built on the deep endpoint process data collected by RSA’s EDR solution, RSA NetWitness Endpoint. This advanced analytics capability rapidly detects anomalies in users’ behavior and uncovers unknown, abnormal, and complex evolving threats that would otherwise be missed by analyzing logs alone.


  • RSA NetWitness Endpoint 11.3: The only fully native endpoint detection and response (EDR) solution within an evolved SIEM, equipping security analysts with industry-leading detection, investigation, and incident response capabilities. This EDR solution is an integrated product offering within the RSA NetWitness Platform.

We are extremely proud to announce that RSA has been positioned as a “Leader” by Gartner®, Inc. in the 2018 Magic Quadrant for Security Information and Event Management research report for its RSA NetWitness® Platform.


The RSA NetWitness Platform pulls together SIEM, network monitoring and analysis, endpoint threat detection, UEBA and orchestrated response capabilities into a single, evolved SIEM solution. Our significant investments in our platform over the past 18 months make us the go-to platform for security teams to rapidly detect and respond to threats across their entire environment.


The 2018 Gartner Magic Quadrant for SIEM evaluates 17 vendors on the basis of the completeness of their vision and ability to execute. The report provides an overview of each vendor’s SIEM offering, along with what Gartner sees as strengths and cautions for each vendor. The report also includes vendor selection tips, guidance on how to define requirements for SIEM deployments, and details on its rigorous inclusion, exclusion and evaluation criteria. Download the report and learn more about RSA NetWitness Platform.

If you haven’t seen the new RSA NetWitness Platform, you are missing out. Over the past 12 months, we have released new innovative capabilities, redesigned the user experience and invested in our core functionality to increase the speed of detection and response to threats. We believe we must not only enable organizations to detect incidents earlier, before there is business impact, but also protect the precious time of human analysts, whatever their skill level.


That is why the RSA NetWitness Platform evolved SIEM provides security monitoring, detection and investigation tools under a single unified platform – across logs, network and endpoint data, with our new orchestration and automation capabilities to aggregate, standardize and normalize alerts from your entire stack of security technologies. And, we are excited to announce we are now offering user and entity behavior analytics as part of the RSA NetWitness Platform. In addition, because we believe it is absolutely critical to have end to end visibility, we are offering free endpoint insights to RSA NetWitness Platform customers.


I’ve only shared 4 of the 11 reasons so far (UEBA, Free Endpoint Insights, Orchestration & Automation and a redesigned and intuitive UI) – but there is so much more! Read more about the significant functionality the RSA NetWitness Platform 11.x provides to enable rapid detection and response.

The threat landscape continues to be aggressive, with the advantage on the side of the threat actors. Attackers use ever-evolving tools and techniques that evade signature-based intrusion detection technology. We are no longer dealing with simple script kiddies who can be thwarted by a traditional, prevention-focused set of controls. Today’s landscape calls for deep inspection of network traffic and endpoint behavior for signs of intrusion: signatures for known attacks, yes, but also analytics that go beyond rules and policies to detect unknown threats. That is what tips the advantage back to the defenders.

IPS/IDS has always promised to stop or detect intrusion at the front door using a signature-based approach that blocks on known indicators, but we all realize that no matter how high a wall the security team builds, some attacks will still get over (or through) it. Today, preventing intrusions means stopping attackers from taking (or destroying) your data, and you cannot rely on rules alone, as a traditional IDS does. Whether through malware analytics, user behavior analytics, advanced correlation, or endpoint analytics, true intrusion detection must be enabled by visibility across the network and down to the endpoint. One size does not fit all here.

Detecting intrusions has to begin with understanding network traffic and using it to detect anomalies that may signal an intrusion. This is exactly what RSA NetWitness Suite does: it detects intrusions and attacks as they happen by performing multiple types of analysis on enriched network metadata, rather than relying solely on static rules as a traditional IDS does. With out-of-the-box threat content for known and unknown threats such as malicious webshells, DNS tunneling, custom protocols, lateral movement, and data exfiltration, analysts can deploy the same detection rules used by the experienced RSA Incident Response Team. Real-time enrichment with threat intelligence (from industry experts, third-party providers, and crowdsourced from our customer base) and with business context improves alert prioritization and helps analysts during forensics and hunting. The same metadata can be used to detect anomalies across the network, suspicious activity by machines and users, and abnormal activity across applications wherever they reside (on-premises, in virtual machines, or in third-party clouds), in both north-south and east-west communications.

Let’s take a look at an example – detecting intrusions based on Webshells – and how RSA NetWitness Suite can give early indicators of an intrusion.

A Typical Attack Scenario

A common method of attack leverages vulnerabilities in a website (e.g. SQL Injection, Remote File Inclusion) to remotely generate or install a file that will act as a WebShell. Once the WebShell is successfully installed, the remote attacker may then craft an HTTP POST request directly to the WebShell with embedded commands that will be executed as if the attacker had local (shell) access to the web server.


Attackers who successfully use WebShells take advantage of the fact that many organizations do not have complete visibility into HTTP sessions. Traditional tools rely on signatures and are easily blinded by intentional obfuscation of payloads and commands. To respond effectively to WebShell attacks, defenders must maximize visibility into each stage of the attack lifecycle. The following chart contrasts the visibility into an attacker’s tools, tactics, and procedures (TTPs) at each attack stage that traditional tools provide with that provided by the RSA NetWitness solution:


Detecting possible WebShell activity involves understanding what an HTTP session with an embedded command typically looks like. There are a few notable features often seen with this attack:

  • The request is sent directly to the web server with the HTTP POST method, so the command travels in the request body rather than in the URL: typical web server access logs record only the request line, so the command never appears in them (an HTTP GET would carry the command in the URL, where it would be logged)
  • No HTTP GET precedes the POST (normal human-driven web traffic shows a GET for the page before a POST is issued)
  • (Usually) no Referer header, since the request is sent directly to the server and is not the result of click-through browsing
  • The posted data contains obfuscated shell commands for the WebShell to execute


By reconstructing the entire HTTP session upon capture and immediately generating and extracting rich metadata, RSA NetWitness Suite makes it simple to alert on the features indicative of a WebShell attack, or a very early sign of an intrusion.
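The four session features above translate directly into a rule over reconstructed HTTP session metadata. The following is an added example, not RSA NetWitness code or content: it replays a handful of constructed HTTP sessions in time order and flags a POST when its body carries a command (in the clear or base64-wrapped in a form field) and the session also lacks a preceding GET from the same client to the same host or lacks a Referer header. The session field names, the time window, the entropy threshold, the list of command fragments, and the sample traffic are all assumptions made for this example.

```python
# Added example: heuristic WebShell-POST detection over reconstructed HTTP session
# metadata. Not RSA NetWitness code; field names, thresholds and traffic are assumed.
from __future__ import annotations

import base64
import binascii
import math
import re
from dataclasses import dataclass, field
from urllib.parse import parse_qsl, urlencode


@dataclass
class HttpSession:
    """One reconstructed HTTP request (field names are assumptions)."""
    ts: float                      # epoch seconds the request was captured
    src_ip: str
    dst_host: str
    method: str
    path: str
    headers: dict[str, str] = field(default_factory=dict)
    body: bytes = b""


PRIOR_GET_WINDOW = 300.0   # assumption: seconds of history searched for a preceding GET
ENTROPY_THRESHOLD = 5.0    # assumption: bits/byte above which a >=32-byte value is blob-like
# Assumption: a short list of command fragments a WebShell would be asked to run.
_SHELL_RE = re.compile(
    rb"(?:cmd\.exe|/bin/sh|/bin/bash|whoami|ipconfig|uname\s+-a|net\s+user|powershell|/etc/passwd)",
    re.IGNORECASE)
_B64_RE = re.compile(rb"[A-Za-z0-9+/]{16,}={0,2}")


def shannon_entropy(data: bytes) -> float:
    """Bits per byte of the input; 0.0 for empty or single-symbol input."""
    if not data:
        return 0.0
    n, counts = len(data), {}
    for b in data:
        counts[b] = counts.get(b, 0) + 1
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def looks_obfuscated_command(body: bytes) -> bool:
    """True if the body, or any URL-decoded form value in it, is a shell command,
    a base64 wrapper around one, or a long high-entropy blob."""
    text = body.decode("latin-1")
    candidates = [body] + [v.encode("latin-1") for _, v in parse_qsl(text, keep_blank_values=True)]
    for cand in candidates:
        cand = cand.strip()
        if _SHELL_RE.search(cand):
            return True
        if _B64_RE.fullmatch(cand):
            try:
                if _SHELL_RE.search(base64.b64decode(cand, validate=True)):
                    return True
            except (binascii.Error, ValueError):
                pass
        if len(cand) >= 32 and shannon_entropy(cand) > ENTROPY_THRESHOLD:
            return True
    return False


def score_session(s: HttpSession, history: list[HttpSession]) -> list[str]:
    """Return the WebShell indicators present on a POST (empty list for non-POSTs)."""
    if s.method.upper() != "POST":
        return []
    reasons = []
    had_get = any(h.method.upper() == "GET" and h.src_ip == s.src_ip and h.dst_host == s.dst_host
                  and 0 <= s.ts - h.ts <= PRIOR_GET_WINDOW for h in history)
    if not had_get:
        reasons.append("post_without_prior_get")
    if not any(k.lower() == "referer" for k in s.headers):   # the header is spelled "Referer"
        reasons.append("no_referer")
    if looks_obfuscated_command(s.body):
        reasons.append("command_in_body")
    return reasons


def detect_webshell_posts(sessions) -> list[tuple[HttpSession, list[str]]]:
    """Replay sessions in time order; alert when a POST has a command-like body plus at
    least one session-shape indicator. A missing GET or Referer alone is not enough,
    because API clients and scripted uploads look exactly like that."""
    hits, history = [], []
    for s in sorted(sessions, key=lambda x: x.ts):
        reasons = score_session(s, history)
        if "command_in_body" in reasons and len(reasons) >= 2:
            hits.append((s, reasons))
        history.append(s)
    return hits


# Constructed sample traffic (not captured data): a human login, an API client,
# and two WebShell command POSTs, one base64-wrapped and one in the clear.
HOST = "www.example.test"
SAMPLE_SESSIONS = [
    HttpSession(0.0, "10.0.0.5", HOST, "GET", "/login", {"User-Agent": "Mozilla/5.0"}),
    HttpSession(12.0, "10.0.0.5", HOST, "POST", "/login",
                {"Referer": f"https://{HOST}/login"}, b"user=alice&pass=hunter2"),
    HttpSession(100.0, "203.0.113.7", HOST, "POST", "/uploads/img.php", {},
                urlencode({"z0": base64.b64encode(b"whoami; ipconfig /all").decode()}).encode()),
    HttpSession(150.0, "10.0.0.9", HOST, "POST", "/api/v1/events",
                {"Content-Type": "application/json"}, b'{"event":"heartbeat"}'),
    HttpSession(200.0, "203.0.113.7", HOST, "POST", "/shell.php", {},
                urlencode({"cmd": "cat /etc/passwd"}).encode()),
]

if __name__ == "__main__":
    for sess, why in detect_webshell_posts(SAMPLE_SESSIONS):
        print(f"{sess.src_ip} POST {sess.path}: {', '.join(why)}")
```

Run on the sample traffic, only the two POSTs to /uploads/img.php and /shell.php are reported, each with all three indicators; the JSON API client trips the missing-GET and missing-Referer checks but is not alerted on, which is the point of requiring the body check before alerting. In a real deployment the command-fragment list and the entropy threshold are the knobs to tune against your own application traffic.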


RSA NetWitness Suite is a critical component of any security organization’s ability to detect intrusions that bypass security controls and other monitoring capabilities. The Suite uses multiple types of analytics, not just static rules, to find the broadest set of both known and unknown threats.

To read more about how RSA NetWitness Suite can detect early in the lifecycle of an intrusion attempt, check out the Remote Access: Webshells solution brief.

RSA Charge 2017: Time is Running Out; Take Advantage of Several Registration Discounts That Expire EOD Friday, September 15


This year’s RSA Charge event is definitely one not to miss. If you have not yet registered please do so today to secure the Discount Rate of $745, saving you $200 through September 15. Registration on the RSA Charge 2017 website couldn’t be easier.


Still on the fence? Check out the Full Agenda: with over 90 sessions, 35 hands-on labs, and 140+ thought leaders and industry experts, you’ll agree this is the premier event on RSA Business-Driven Security™ solutions. You can also take this opportunity to build your own personal business-driven security experience for Charge.


Another way to save: Friends with Benefits! They say sharing is caring, so ‘already registered’ RSA Charge attendees can now share the love by forwarding this code to a peer or colleague and he/she will receive $100 off the current $745 registration fee by using this code from you: FRIENDS17. This code too expires on Sept. 15, so share the love today!


And, finally, in case there are still some doubters amongst you, watch these two RSA Charge videos – you’ll be convinced that RSA Charge 2017 is the place to be seen and heard, Oct. 17-19 @ Hilton Hotel Anatole, Dallas. See you soon!


Video: RSA President Rohit Ghai

Video: RSA NetWitness, Amy Blackshaw


RSA Charge 2017, the premier event on RSA® Business-Driven Security™ solutions, unites an elite community of customers, partners and industry experts dedicated to tackling the most pressing issues across cybersecurity and business risk management. Through a powerful combination of keynote speeches, break-out sessions and hands-on demos, you’ll discover how to implement a Business-Driven Security strategy to help your organization thrive in an increasingly uncertain, high-risk world. Join us October 17 – 19 at the Hilton Anatole in Dallas, Texas.

Despite increasing investments in security, breaches are still occurring at an alarming rate. Whether the result of cyber criminals sending phishing or malware attacks through company email, nation states targeting organizations’ IP, or insiders misusing sensitive data, we live in a world where preventing every breach has become impossible. Given the speed at which cyber criminals create new security threats, companies must change their approach to security. It is time for the centerpiece of our security operations to evolve, for SIEM to finally deliver what it has promised for decades.


We are thrilled to announce that this is exactly what we are delivering. We’ve redefined modern security operations with a new kind of SIEM: the RSA NetWitness® Suite.


Of course, it covers all the traditional SIEM requirements, such as compliance, but it is built to be laser-focused on security: rapidly detecting and responding to today’s known and unknown threats before they do damage.


The latest release of the RSA NetWitness Suite delivers end-to-end visibility across the organization, from logs, network, endpoints and threat intelligence, in a brand new, highly intuitive and blazing fast user interface. The new user interface was designed from the ground up after hundreds of hours of interviewing and testing with security analysts. The new Respond and Investigate workflows make it easy for security analysts to triage information rapidly because they have all the information they need on one screen, and will make threat hunters even more impactful by providing insights and drill-downs into all the data, business context and threat intelligence they need. From novice to hunter, these workflows will make any security analyst better at defending their networks.


Screenshot: RESPOND view, Interactive Nodal graph

We continue to focus on improving the efficiency and effectiveness of security analysts of all levels, by providing out of the box machine learning and behavior analytics for alerting and detection and by prioritizing the most important incidents based on business risk – from identity and asset criticality data. The new RSA NetWitness Suite is a force multiplier for security analysts and incident responders.


Ultimately, the RSA NetWitness Suite enables analysts to detect and investigate the full scope of an attack and more rapidly respond to those threats that matter the most to an organization.


You need to see it for yourself. You can learn more by visiting:
