Past Winners

RSA for RSA NetWitness 9.6 Winner Winner

By performing full packet capture and session recreation, RSA NetWitness provides comprehensive network forensics and situational awareness for organizations. The information security market faces two major problems. First, the vast majority of innovation is narrowly focused on chasing the latest threats, not broader risk profiles – essentially treating symptoms, not the disease. Second, merger and acquisition and threat research plug together disparate, proprietary systems and sources, perpetuating a closed model, while the criminal community benefits from widely shared technologies, techniques and resources. Additionally, with nearly 100,000 new malware samples discovered daily, the ability for cyber adversaries to quickly adapt has rendered signature-dependent malware defenses obsolete. It also severely challenges the efficacy of newer approaches that still look exclusively for "bad," based on previous attacks. This leaves a world of activity with little scrutiny – which malicious actors exploit with great success. NetWitness changes the game by allowing organizations to know everything.

Numerous security software makers have realized the significant financial value of the software solution produced at NetWitness, and are attempting to retool their traditional products to compete. Although these vendors may have the ability to capture network traffic, none have demonstrated any capability whatsoever to perform in-depth application-layer analysis, particularly of an automated and real-time nature. Ultimate value to an enterprise requires pervasive adoption of a solution – not just the purchase of one or two network appliances – as seen with some offerings in this category.

RSA NetWitness closes gaps in existing security defenses that allow breaches to go undetected for as much as years at a time. Instead of searching for a needle in a haystack, NetWitness deconstructs the entire haystack until all that's left are the needles. It also provides the ability to detect both advanced intrusions and understand lateral movements and additional infections that are derived from the original. NetWitness fuses real-time threat intelligence with the context and continuous monitoring of every packet on the network, providing an unprecedented view of network threats across a continuous timeline. For past events, full-packet capture, retention and end-to-end analysis enables "replaying" and analysis of events from any perspective. For present attacks, continuous monitoring, total visibility and open integration with major threat services and traditional security products delivers situational awareness. And, for future possibilities, comprehensive network visibility and no signature tunnel vision provides agility for any evolving threat.

Unlike point solutions requiring an appliance for every new threat, NetWitness provides a single platform for detection of emerging adversaries and advanced threats. By providing visibility into all network traffic, NetWitness offers a complete record of everything that is happening across the enterprise. Once NetWitness records the data, it is reused for a variety of purposes, permitting economy of scale and efficiency of operations (e.g., analysts in the SOC obtain unique alerts about advanced malware and data leakage). They also perform detailed forensic analysis of any alert from traditional security or IT tools. Security practitioners concerned about the protection of IP from criminals or APTs, or measuring compliance, leverage NetWitness for deep insight into problematic activity. This "big data" aggregation and data re-use model, and central analytics on an N-tier architecture, differs from current models where security investments become obsolete or lack the agility to scale across numerous environmental factors.

NetWitness provides both tangible and intangible ROI to organizations. It helps organizations drive a greater return on security investments and, in some cases, remove and replace the need for isolated investments in constrained technologies, such as botnet detection, intrusion prevention or data leakage prevention. NetWitness helps organizations shorten the detection time and kill chain associated with advanced threats. Although these benefits may be intangible at times, for most NetWitness clients, the ability to detect an advanced attack or APT in progress has been the actual difference between successful security operations and a catastrophic loss of intellectual property or national secrets, and can greatly reduce data breach costs and impact. For example, one of the top five U.S. banks experienced 1,000 percent return on investment in the first three months of ownership of NetWitness simply based on the reduction in losses from complex online banking fraud from cyber criminal groups.

NetWitness held 24.3 percent of the network forensics market in 2010, based on Gartner's market projections published March 26, 2010.


Category description:

Products in this category fall into two sub-categories: network and media. The network tools must be exclusively intended for forensic analysis of network events/data. If the product is a SIEM with forensic capabilities, it should be placed in the SIEM category. Media tools cover just about all other non-network forensic tools, including those tools that collect data from media over the network and live forensics tools. This also includes specialized forensic tools that are not intended to analyze network data.