I just wanted to say how cool 10.5 is. I was using SA since beta till 10.3 (and since envision+NW times) and 10.5 is a leap forward
What I liked the most:
- interface is not laggy at all even with 16Gb RAM!
- setup is straightforward and clean, deploying and integrating 8 modules took only a couple of hours (I remember in previous versions I had to install some modules by hand, getting rpms from support, etc...)
- New licensing model is great! You get all modules except MA and pay only for packet/EPS throughput.
- a lot of new features added, I didn't go deep enough, but health and wellness and ESA interface are great! BTW what features do any of you liked the most?
I think SA still lacks module for SSL insight (clients forced to buy DPI/proxy solutions only for SSL decryption, and they do not need many of other perks they give as relevant solutions are already in place) and DLP module (even a basic one with identifying fingerprinted docs in traffic would be great for investigations). And IPDB extractor service setup is still not automated. What features or modules would other users like to see?
Keep up the good work!
- Community Thread
- Forum Thread
- RSA NetWitness
- RSA NetWitness Platform
This is great feedback (thanks!). As for other modules that I'd like to see:
1) A robust way to visually represent topology or activity flows for a session or group of sessions. Think about what has been already been demonstrated using 3rd party solutions such as Maltego integrated with NetWitness. Management / potential customers and most importantly Analysts would surely appreciate having a better way to visualize an investigation or custom traffic sets.
2) More emphasis on Data Science. The architecture of the platform allows for a plethora of data to be parsed, stored, and analyzed - thereby providing opportunity for the system to to capitalize on the data by performing analysis and identification of anomalous traffic (as opposed to users having to implement use cases). For example, having a queue of system generated anomalies for an Analyst to review and interact with such as 'this is the first time that traffic has been seen on this tcp.dstport from this host" or any variety of use cases. Again, this is something that has already been demonstrated to work within the product (for those of you who may remember a demo from the Product Management team at one of the NetWitness User Con's a couple of years back). Why has this not been implemented yet?
3) Visualize. This legacy component has unfortunately gone by the way side - despite all of the positive buzz around it when it was released - and it definitely showcased one of the many great capabilities of the product design. Visualize should be resurrected and continued to be improved upon - and could also dually address the DLP integration request that was mentioned in the prior post.
Surely there are other modules or enhancements that others would like to see, so please continue to share your ideas!
Also, within the core Investigation module it seems appropriate to consider adding capability for users to interact with the meta data in the same manner currently available within the Malware Analysis component - as seen with the 'Meta Treemap', sample image below:
As it relates, and specific to the above image, please do not limit the meta types within that first drop-down box. A number of use cases can be drummed up for interacting with other meta keys outside of what RSA has provided by default.
Yes, I totally agree on your points:
1) I saw that NW-Maltego integration, but didn't have time to try it out, but the vidz seem reallly nice (for anyone interested search for nwmaltego on github), indeed it would be very handy in complex investigations.
2) Just finished a course on Apache Spark btw, so I can confirm that data science totally rocks It would be very handy to have a recommender system in place (based on global intelligence + local data + prior investigations), also to have some mathematical model with self learning algorithm, like the one in RSA Adaptive Authenticaiton, would be epic.
3) I really miss Visualize too, combining it with DLP/recommender/modeling capabilities would shift it from "Wow" effect sales tool to really handy module.
Really liked your comparison to Adaptive Authentication data models ! as I think that the progress the industry had and still doing in fighting fraud is the right path to take, and something I expect the infosec industry to follow as well. While there is still a lot more to accomplish, I think that we are on the right track embedding data science as an out of the box product offering.
I personally don't know feel like there were major changes between 10.4 and 10.5.
Although, 10.5 did seem a faster to use and the layout seemed a bit cleaner.
But going from 10.3 to 10.4 was a HUGE difference in speed.
Well, I missed 10.4(as I didn't have any SA projects while 10.4 was actual, was working mostly on SSL decryptors then), so you can imagine how heavily impressed I was with the 10.5 after 10.3