Arista NDR vs. NetWitness
An RSA NetWitness comparison with Arista NDR's advanced network traffic analysis highlights the huge strides in artificial intelligence and cognitive automation made over the last few years. NetWitness is a complex and expensive series of legacy modules that require the customer to write extensive rules and complex search queries before any results are delivered. The complicated manual configuration and integration labor associated with NetWitness deployments drives high costs and long deployments, constrains usability and delivers error-prone results.
In comparison to NetWitness, Arista NDR delivers an easy-to-deploy platform that shows value in hours rather than months. Moreover, the Arista NDR Platform is designed to be used by analysts of all skill levels, from the junior analyst simply looking to perform triage to the expert threat hunter. Analyst firm EMA conducted an independent competitive review of network traffic analysis solutions and named Arista NDR the "Value Leader", ranking it #1 for time to value because of its frictionless approach that delivers answers rather than alerts.
Download a comprehensive breakdown in the NetWitness vs. Arista NDR Security guide.
Data | Arista NDR | NetWitness |
---|---|---|
Richness of Data Sources | L2 - L7 network data | L2 - L7 network data |
Visibility | Devices, Users, Applications, External Networks, Organizations & Domains | IP Addresses |

Data Science | Arista NDR | NetWitness |
---|---|---|
Automated Entity Correlation | Yes | Limited |
Extracted Detection Features | ~1200 | Manual |
Security Knowledge Graph | Yes | Limited |
Behavioral Analytics | Yes | Limited |
Machine Learning | Yes | Limited |
Training Period | Hours | 28 days+ |

Use Cases | Arista NDR | NetWitness |
---|---|---|
Detect Known Attacker TTPs | Yes | Manual |
Retrospective Detection | Yes | Limited |
Encrypted Traffic Visibility | Yes | Limited |
Automated Campaign Analysis | Yes | Limited |
Query Language & Threat Hunting | Yes | Outsourced |
Full Digital Forensics | Yes | Manual & Error Prone |

Deployment & Extensibility | Arista NDR | NetWitness |
---|---|---|
Deployment Considerations | Minimal | Extensive |
Integrations with other Security Tools | Yes | Optional |
Supported Deployments | Sensors: Physical, Virtual, and Cloud; Analytics: Physical, Cloud | Sensors: Physical, Virtual, and Cloud; Analytics: Physical (On-Premise Only) |
Threat Intelligence Integration | Yes | Optional |
API | Yes | Yes |
Performance | 10 Gbps sustained | < 10 Gbps sustained |

Corporate Background | Arista NDR | NetWitness |
---|---|---|
Corporate Focus | Advanced Network Security Analytics | RSA Ecosystem Focus |

Conclusion
Customers looking for NetWitness alternatives, or a replacement, would do well to consider a solution that has been built on the latest technology. The NetWitness Network module is a reactive system based on user-defined rules, which are inherently focused on past behavior and are unable to detect new or novel approaches developed by threat actors.
NetWitness provides minimal correlation of threats across the kill chain. Arista NDR's entity tracking capability allows the platform to automatically correlate complex attacker activities, identifying all of the devices, protocols, and threats that are a part of the overall campaign. This, in turn, helps reduce alert fatigue and makes the information more actionable and easily consumable for the security team.
The NetWitness UEBA Essentials module uses unsupervised learning to ascertain a device's normal behavior. This approach is noisy, since "normal behaviors" change often for very legitimate business purposes, e.g. new software deployments. This approach also fails when devices are already compromised before the baseline is established. Arista NDR's ensemble approach to machine learning compares not only against past behaviors, but also against similar entities and across the rest of the organization. This helps eliminate both the false positives and negatives that are rampant with solutions like NetWitness.
The anomaly detection approach has another significant drawback. NetWitness delivers detections with very little context and explainability, which makes it a challenge for a security analyst to understand why something is being detected or what to do about it. The UEBA Essentials product also does not provide the ability for the security analyst to tweak the detection model. Arista NDR offers every customer the ability to create their own detection models as well as view and modify Arista NDR's models.