July 11, 2006

NetWitness is a network traffic security analyser that the vendor describes as a “security intelligence” tool. Setup is simplified by its new installation wizard, which worked correctly the first time and was a breeze. We then fed it a set of Snort packet logs, which it accepted without complaint, and were able to begin analysis within an hour.

NetWitness presents standard intrusion detection packet logs in a comprehensive format for analysis. But one of its most promising features, the packet miner, is only available for Cisco IPS 4200 sensors.

The packet miner automates part of the IDS analysis process, a valuable function during an incident, and NetWitness should make it available for other IDS products. As it stands, the appliance can collect logs from other systems, but it is left to the analyst to make sense of them.

One additional key feature is the ability to identify sensitive data such as credit card numbers and social security numbers in the captured traffic, a very strong feature for compliance work.
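To show what this kind of content identification involves, and why a bare digit-pattern match is not enough, here is an added example that is not NetWitness code and makes no claim about how the product implements the feature. It scans a constructed HTTP POST body (the card and SSN values are test values, not real data) for candidate card numbers and social security numbers, then applies a Luhn check and the SSA structural rules to discard look-alike digit runs such as order numbers.

```python
import re
from typing import List, Tuple

# Constructed sample payload (not real traffic): an HTTP POST body as it might
# be reassembled from a capture. 4111-1111-1111-1111 is a standard test PAN;
# "order" is a 13-digit decoy that fails Luhn; "ref" is an invalid SSN.
SAMPLE_PAYLOAD = (
    b"POST /checkout HTTP/1.1\r\nHost: shop.example\r\n\r\n"
    b"name=Jane+Doe&card=4111-1111-1111-1111&exp=12%2F09"
    b"&order=1234567890123&ssn=123-45-6789&ref=000-12-3456"
)

# Candidate PAN: 13-19 digits, optionally separated by single spaces or dashes.
PAN_RE = re.compile(rb"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# Candidate SSN in the dashed AAA-GG-SSSS form most often seen in text.
SSN_RE = re.compile(rb"(?<!\d)(\d{3})-(\d{2})-(\d{4})(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check; drops most random digit runs (order ids, timestamps)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = ord(ch) - 48
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def ssn_ok(area: str, group: str, serial: str) -> bool:
    """SSA structural rules: area not 000/666/900-999, group not 00, serial not 0000."""
    if area == "000" or area == "666" or area >= "900":
        return False
    return group != "00" and serial != "0000"


def find_pans(payload: bytes) -> List[Tuple[int, str]]:
    """Return (offset, digits) for every Luhn-valid card-number candidate."""
    hits = []
    for m in PAN_RE.finditer(payload):
        digits = re.sub(rb"[ -]", b"", m.group(0)).decode()
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            hits.append((m.start(), digits))
    return hits


def find_ssns(payload: bytes) -> List[Tuple[int, str]]:
    """Return (offset, ssn) for every structurally valid SSN candidate."""
    hits = []
    for m in SSN_RE.finditer(payload):
        area, group, serial = (g.decode() for g in m.groups())
        if ssn_ok(area, group, serial):
            hits.append((m.start(), f"{area}-{group}-{serial}"))
    return hits


def mask(value: str) -> str:
    """Keep only the last four characters so the finding can be reported safely."""
    return "*" * (len(value) - 4) + value[-4:]


def scan(payload: bytes) -> List[Tuple[str, int, str]]:
    """Combined report as (kind, offset, masked value) tuples, sorted by offset."""
    report = [("PAN", off, mask(v)) for off, v in find_pans(payload)]
    report += [("SSN", off, mask(v)) for off, v in find_ssns(payload)]
    return sorted(report, key=lambda r: r[1])


if __name__ == "__main__":
    for kind, offset, value in scan(SAMPLE_PAYLOAD):
        print(f"{kind} at byte {offset}: {value}")
```

On real captures this check belongs after stream reassembly and after undoing transport encodings (URL-encoding, base64, gzip); run on individual packets it will miss values split across segments, and without the Luhn and SSA filters it will flag every long digit run as a finding.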

NetWitness behaved well in our test suite. We had no difficulty feeding it a set of pre-collected logs and we expect that it will also behave well in production.

While we did not test data throughput, based on user comments we expect that the volume of data flow is unlikely to be a problem. One challenge we do see is the need to add storage for large enterprises. This scalability problem is matched by the apparent lack of an explicit distributed configuration for appliances in a large, geographically dispersed enterprise.

Documentation, by all accounts significantly improved on the previous version, is divided into separate, focused manuals: administration, best practices, installation and a user guide. Although very well produced, the manuals are a bit skimpy: they assume the best case for everything and offer only limited help if one gets into trouble.

Support is limited to web-based and email-based contact from registered users. Escalation to a live engineer on the phone is available, as is a training program, and there is also a registered user section of the website with a range of information.

However, we were surprised that the apparent level of support seems so limited.

NetWitness is appropriately priced for the market, but lacks some features that would make it a truly strong competitor in the very large enterprise arena. What it does, it does very well and, in fact, has one of the best user interfaces we saw.

Product: NetWitness
Price: $30,000
Strengths: Easy to use; very good user interface.
Weaknesses: Scalability and documentation.
Verdict: A strong network forensics product that could be a winner with a little work.
