Products and Solutions

NetWitness – A Brief History of an Iconic Threat Detection & Response Platform

Apr 14, 2021 | by Arthur Fontaine |
RSA blog post

NetWitness’ transition to become an independent business unit marks another step in its remarkable journey.  Started nearly a quarter-century ago as a U.S. intelligence research project to perform security analysis of network traffic, today NetWitness is recognized for its leadership position in both the Evolved SIEM and XDR markets.

NetWitness customers include many of the world’s largest, most complex and most security-conscious organizations. The depth and richness of the NetWitness investigative toolkit, with comprehensive visibility, advanced AI analytics, and incident orchestration and automation features empower NetWitness customers to defend against advanced cyber threats.

Through its long and storied existence, NetWitness has fought for the good side in one of history’s most dynamic contests: the war between the black hats and the defenders. This is the story of that evolution.

The Early Years

NetWitness originated in 1997 as a U.S. Intelligence Agency research project managed by CTX Corporation, a Vienna, VA-based consultancy where most employees held Top Secret security clearance. NetWitness was custom-built to help analysts understand large volumes of captured network data. CTX saw the value of the technology across broad use cases and obtained permission to sell it in other engagements.

In 2002 CTX was acquired by ManTech International Corporation, which further developed the technology to aid federal law enforcement agencies in criminal investigations.

In 2006, ManTech launched NetWitness as a privately-held spinout to bring its network analysis technology to the worldwide commercial market. NetWitness was offered as a packaged software solution and adopted by some of the world’s premier organizations, many of which still rely on NetWitness to this day. As a private company, NetWitness redirected development to create an enterprise solution. 

RSA Investments & The Advent of SIEM

In 2011, RSA acquired NetWitness and paired it with the RSA enVision SIEM in a combined security message. During this period, enVision was a leader in a SIEM market in transition. Originally compliance-focused, SIEM logs were increasingly being utilized for security analytics. Harnessing this trend, RSA combined enVision and NetWitness to give NetWitness even greater enterprise reach, deep packet inspection, and log parsing in a common metadata language.

Staying true to its consultancy-based origins, RSA Professional Services introduced Incident Response (IR) services based on NetWitness. RSA expert threat hunters still deliver IR on retainer or on-demand, standing shoulder to shoulder with customers around the globe. Because NetWitness is used continually for real-world investigations in complex environments, the data it captures provides RSA with constant and important input to shape NetWitness product development; this feedback loop has been a critical factor in NetWitness retaining leadership and relevance for decades.

RSA’s investments delivered tightly integrated network and log analytics capabilities, augmented with rich threat detection and forensic tools, and in 2014 the new combination was rebranded as RSA Security Analytics, then rebranded once more in 2016 as RSA NetWitness Suite.

In 2012, NetWitness acquired Silicium Security and its flagship Enterprise Compromise Assessment Tool (ECAT). Integrated with NetWitness, ECAT – later rebranded NetWitness Endpoint – gives threat hunters a powerful tool to detect endpoint-based anomalies that other solutions miss.

Evolved SIEM

In 2018 NetWitness acquired Fortscale, a pioneer in User Behavior & Entity Analytics (UEBA). Security Orchestration, Automation & Response was added with NetWitness Orchestrator. Building atop the strong foundation of NetWitness, the UEBA and SOAR evolution introduced RSA NetWitness Platform, a comprehensive Threat Detection & Response and Evolved SIEM solution.

In 2020, NetWitness released IoT Security Monitor, a cloud service to monitor and alert on Internet of Things devices and systems. Integration with NetWitness adds an important visibility vector for IP-based devices.

XDR Futures

The evolution of NetWitness has aligned squarely with the next major market evolution: XDR, or eXtended Detection & Response. XDR embraces all of the existing Evolved SIEM capabilities – visibility, integration, analytics, and automation – but emphasizes single-vendor integration and support, as old models of mix-and-match security are unable to keep up with sophisticated and emerging challenges.

Cloud support is key to XDR. Recently, NetWitness launched Detect AI, a pure cloud SaaS analytics component for NetWitness Platform. Next up is NetWitness Cloud SIEM, a SaaS (Software as a Service) offering that encompasses both software and infrastructure. In the pipeline is Big Bang, a big data analytics module for NetWitness that will provide asset discovery, characterization, and prioritization, with continuous analytics that detect new assets as well as changes to asset importance.

NetWitness: The Next Era

In 2006, RSA Security, independent since its 1982 founding by legendary encryption scientists Ron Rivest, Adi Shamir and Leonard Adleman, was acquired by EMC. It operated as RSA, the Security Division of EMC until 2016, when Dell and EMC merged to form Dell EMC.

RSA operated as an independent unit of Dell Technologies until 2020 when it was spun out as an independent organization in a sale to a consortium led by Symphony Technology Group (STG). Reformulated as an independent business unit, NetWitness is reorienting to focus exclusively on XDR market opportunities and requirements. This evolution is technically and logically consistent with the heritage of NetWitness, from its genesis as an intelligence agency research project, to its current and future role protecting the world’s most security-conscious organizations. The new logo honors that heritage, introduces the next generation of NetWitness to serve our customers, and marks the next chapter in this solution’s long and storied legacy.