RSA is pleased to announce the general availability of RSA NetWitness 11.0

Document created by RSA Product Team Employee on Oct 19, 2017Last modified by RSA Product Team Employee on Oct 19, 2017
Version 2Show Document
  • View in full screen mode


RSA is pleased to announce the general availability of RSA NetWitness 11.0. This release includes significant architectural improvements delivering additional flexibility for customer deployments and provides un-paralleled visibility from the endpoint to the cloud. The analyst experience has been completely redesigned with streamlined workflows; all within a new more intuitive user interface.


Some of the exciting new features and improvements include:


Advanced Threat Detection and Response from Endpoint to the Cloud

  • Secure cloud traffic
    • Secure public clouds AWS and Azure
      • Continued flexibility to deploy the RSA NetWitness stack completely in a virtual/cloud or in Hybrid configurations to assure that organizations can secure their traffic regardless of its location.
    • Open collection framework for securing and supporting 3rd-party and customer cloud infrastructures including Office 365.
  • Tighter integration with RSA NetWitness Endpoint
    • Integrated Endpoint metadata provides analysts the ability to seamlessly access Endpoint information and rapidly navigate across network, log and endpoint in a single view.
  • Visibility despite Encryption
    • The increased use of encryption is a double edge sword – helping secure organizations’ data in transit but also depriving security analysts of the visibility they need. New capabilities to determine the nature of encrypted traffic and reduce the opportunity for malicious actors hiding behind encryption.
      • Decrypt web traffic natively for inbound sessions
      • Introduction of Entropy measurements gives deeper insight into encrypted traffic activity.
      • The ability to decompress and parse through encrypted web pages provides the analyst valuable metadata otherwise missed during their investigations
  • Significant log parsing enhancements including new tools and workflows to facilitate automatic device identification and accurate parsing for log event sources.


A Force Multiplier for Security Analysts and Incident Responders

  • Prioritized Incident Triage and Response Workflows consolidating endpoint, network, log, and netflow events into a single incident with easy access to contextual information.
  • Chronological attack sequencing with Incident Storyline helps the analyst quickly gain insight into how an incident evolved
  • Dynamic nodal view reveals relationships so that an analyst can interact with and quickly see all elements of interest involved in an incident
  • Consolidated Views in Investigation workflows enable event analysis against multiple sources of data.
  • Quick insight for the advanced analyst into incident details within the raw data including options to decode as well as associate meta data with raw data.


Business-Driven Security with Business Context for Faster Triage and the Right Response

  • Additional Insight for the analyst into identity and relevant business risk information through integration with data sources to help the analyst can easily prioritize incidents.

Sources include:

    • Active Directory
    • RSA NetWitness Endpoint 
    • RSA Archer® a GRC business risk management suite.


More detail and a complete list of features can be found in the RSA NetWitness 11.0 Release Notes.


Affected Products:

  • RSA Security Analytics (SA) 10.5.x
  • RSA Security Analytics 10.6.x


Upgrade recommendations for current RSA NetWitness Suite Customers:

In order to assure the best upgrade experience possible RSA has provided tools and procedures to facilitate the process. The 11.0 upgrade includes various architecture enhancements as well as an update from CentOS6 to CentOS7. As a result, the upgrade will require either physical access to hosts being upgraded, or remote iDRAC console access.


To ensure uninterrupted operation during the upgrade, RSA has provided the ability to run in a mixed mode state allowing some hosts to run with version 11.0 and others with version 10.6.4.  This means customers can take their time when upgrading to RSA NetWitness 11.0.  To take advantage of the mixed mode deployment configuration, customers must first upgrade to SA 10.6.4 before upgrading to RSA NetWitness 11.0. It is required that all customers first upgrade their environments to SA 10.6.4 and run in mixed mode configuration to facilitate uninterrupted service and the best experience during the upgrade to RSA NetWitness 11.0.  


Customers will need to take into consideration how to stage the upgrade and allocate the appropriate amount of time to each stage of the upgrade. There are upgrade guides available on RSA Link to assist with planning.  In addition, RSA Professional Services experts are available to assist customers during the transition and will help with planning the upgrade, executing the upgrade and providing knowledge transfer around NetWitness 11.0.


For additional information or assistance, please contact Customer Support.


Recommendation for New Customers:

RSA recommends all new customers review the Release Notes and the User Guide for more details on RSA NetWitness 11.0.  


Thank You and Feedback

Thank you to all the customers who provided feedback and shared their security best practices with us so that we could deliver a new user interface which reflects how analysts think, hunt, and respond to incidents.  We look forward to your continued support and feedback as you upgrade and use the new features in RSA NetWitness 11.0.


For additional documentation, downloads, and more, visit the RSA NetWitness Platform page on RSA Link.


EOPS Policy:

RSA has a defined End of Primary Support policy associated with all major versions. Please refer to the Product Version Life Cycle for additional details.