RSA NetWitness Orchestrator
Security Automation and Orchestration
RSA NetWitness Orchestrator is a comprehensive security automation and orchestration solution designed to improve the efficiency and effectiveness of your security operations center. Key differentiating features include:
- Hundreds of preconfigured and customizable playbooks to streamline and automate incident management and response
- Auto-documentation capabilities that record every action taken during an investigation
- Chat-Ops powered "war room" that facilitates collaboration among SOC staff
What Is Security Automation and Orchestration?
Security automation and orchestration tools, also known as O&A or SOAR solutions, are designed to improve the productivity, efficiency and effectiveness of security operations centers and the analysts who work in them. As the term suggests, these tools automate routine, often time-consuming tasks, such as gathering and correlating data from disparate security systems, and they help orchestrate the incident management and incident response lifecycles. In the process, they help security teams address the staffing shortage; bring consistency, discipline and predictability to security operations; and help reduce the time it takes to detect and respond to incidents.
RSA NetWitness Orchestrator facilitates collaborative, “conversation-driven” investigations—both among analysts and between analysts and an intelligent chat bot—in a virtual, ChatOps-powered war room (a key differentiator of the product). The ChatOps interface records entire investigations and indexes them for future learning and knowledge retention. It also features a rich tool kit for investigating related incidents.
Intelligent Chat Bot
The machine learning-powered chat bot learns from all the interactive commands, playbook executions and other incident actions to help analysts with their investigations. It learns and executes common commands, matches incidents to the appropriate analyst, offers to automate a wide variety of tasks, and recommends actions for incident owners to take.
Complete Incident Management
RSA NetWitness Orchestrator manages all aspects of the incident lifecycle on a common platform, including documentation, evidence collection and journaling; SLA tracking; regulatory compliance activities and more. The incident management capabilities are highly customizable and allow you to bring much more data (including host data) into each case, both of which further set the product apart.
Another differentiating feature of RSA NetWitness Orchestrator is its command-line interface, which lets analysts run commands directly from the central console. Combined with the chat bot, the command-line interface facilitates quick investigational pivots and real-time, secured execution of actions right within the console, dramatically decreasing screen-switching and documentation times.
Auto-documentation of all investigation actions provides a comprehensive audit trail to support regulatory compliance. It also yields powerful knowledge management benefits: Because activities are automatically documented, a sudden personnel loss no longer leads to a permanent loss of expertise.
Extensible Integration Framework
Meaningful, Prioritized Alerts
RSA NetWitness Orchestrator aggregates, standardizes and normalizes alerts from your entire stack of security technologies. It enriches these alerts with threat intelligence and other data about your business so that analysts at all levels can more quickly see the full scope of an attack and act decisively on the incidents that matter most.
Up-Level Analysts’ Skills
Preconfigured playbooks transform ad-hoc incident management and response processes into consistent, repeatable and guided workflows that are easy for L1 analysts to execute, allowing them to function more like L3 analysts. The visual playbook editor makes it easy to build and customize your own workflows based on 500+ security actions.
More Efficient Security Operations Center
Orchestration, automation and machine learning capabilities help your SOC run more efficiently and effectively. In addition, RSA NetWitness Orchestrator provides SOC managers and CISOs with insight into their organization’s cyber risk profile and posture, and includes capabilities for measuring SOC efficiency and ROI.
Detect Threats Faster. Reduce Dwell Time. Automate Response.
In an era of ever-expanding attack surfaces, protecting against threat actors—from commodity malware, insider threats and crimeware to state-sponsored exploits, hacktivists and terrorists—has become an increasingly complex activity. Not all threats are created equal, yet disconnected silos of prevention, monitoring or investigation technologies continue to fall short in empowering security operations centers (SOCs) to rapidly weed out false positives and eliminate manual, repetitive actions. What’s needed is a comprehensive solution that enables security analysts to detect and respond to threats that really matter to the organization.
RSA NetWitness Orchestrator is a comprehensive security operation and automation technology that combines full case management, intelligent automation and orchestration, and collaborative investigation capabilities. RSA NetWitness Orchestrator enables SOC analysts to have consistent, transparent and documented threat investigation and threat-hunting capabilities by leveraging playbook-driven automated response actions, automatic detection and machinelearning powered insights for quicker resolution and better SOC efficiency. RSA NetWitness Orchestrator acts as the connective tissue—not only for the RSA NetWitness Platform but across a SOC’s entire security arsenal.
- Intelligent automation
- Collaborative investigation
- ChatOps powered war room
- Machine learning powered security bot
- Evidence collection and journaling
- Threat intelligence hub
- Variety of integrations including SIEM, firewalls, EDR, sandboxes, forensics, and more
- Robust command line interface
- Customizable map of related incidents across time
- Customizable visualizations of reports and dashboards
- Comprehensive SLA tracking and metrics
- Regulatory compliance features
- Flexible deployment
- Enhance team performance
- Reduce MTTR
- Faster response
- Fewer errors
- Higher analyst productivity
- Automated threat hunting
A force multiplier for SOCs to standardize, scale, measure and continuously adapt their security operations, by automating repetitive tasks and empowering security analysts to respond faster.
- Physical or virtual server
- Linux OS: Ubuntu 14.04 and 16.04, CentOS 7.x
- 8GB RAM minimum (16GB desired)
- 8 CPU cores minimum (16GB desired)
Engine Proxy (Optional)
- Linux OS: Ubuntu 14.04 and 16.04, CentOS 7.x, Windows
- 4GB RAM minimum
- Dual core CPU minimum
Redefine Incident Management
RSA NetWitness Orchestrator enables SOC teams to collect isolated alerts from the organization’s security arsenal and transform them into a context-rich, correlated incident containing critical data, including user reputation, system, IP, network, related incidents, repeat offenders, threat intel and many more customizable, outof-the-box indicators. RSA NetWitness Orchestrator’s Incident Management is the foundation for security operation decision, bridging orchestration, correlation and enrichment of security alerts across the entire incident management lifecycle, featuring a well-structured, consistent and automatically documented incident management process.
Detect Unknown Threats. Automate the Known.
With visibility being the key to effective threat detection, RSA NetWitness Orchestrator features 160+ integrations and 500+ security actions. This empowers security analysts to accelerate enterprise-wide threat detection and response with comprehensive data across logs, network, endpoint, security and non-security solutions.
Up-level your SOC.
Boost the productivity of all your analysts—from hunters to less skilled security staff—with joint, transparent investigations that reduce resolution time per incident. Gain maximum value from your entire SOC analysts’ skill set.
Go beyond automation.
Execute incident response processes and procedures with consistency and precision by leveraging a rich, preconfigured playbook portfolio. RSA NetWitness Orchestrator enables automated handling of known and/or low-risk threats, allowing swift containment and eradication. This frees and better positions analysts to investigate unknown threats that pose greater risk to the organization, across the entire IT infrastructure.
Machine Learning Powered Engine
RSA NetWitness Orchestrator leverages the power of machine learning through an integrated “security chatbot” that primes SOCs for the future. RSA NetWitness Orchestrator learns from all interactive commands, playbook executions and secured execution of other actions to better position the analyst in future investigations. A real-time command-line execution interface alongside incident owner recommendations and task-analyst matching assists SOC analysts and precludes the need for tiresome documentation exercises.
Machine learning cuts across all three pillars: incident management, intelligent automation and orchestration, and interactive investigation. As both the security bot and analysts grow smarter with each incident, the marginal time to predict, contain and respond to threats decreases.
Flexible and Scalable Deployment
Deployed either on-premises or in cloud environments, RSA NetWitness Orchestrator was built from the ground up as a multi-tenant environment with data segregation, completely isolated both in execution and at-rest containers, for a superior adaptive and scalable architecture. The dedicated engine proxy better governs segmented networks in a secured fashion for ease of deployment and management.
Download the RSA NetWitness Orchestrator Datasheet (.PDF)