NetWitness® Cloud SIEM is a cloud-delivered log management, retention, and analytics solution that provides high-performance SIEM (Security Information Event and Management) capabilities without the need for customer managed deployment and platform administration.
NetWitness Cloud SIEM provides enterprises with the same rich log management, retention, reporting, and analytics services long utilized by NetWitness customers for threat detection and response, but in a cloud-delivered form. This new deployment option makes it easy for new or existing NetWitness customers to take advantage of Evolved SIEM without the resources associated with planning, sizing, deploying, updating, and administering the platform in a traditional data center or self-managed cloud format.
The NetWitness Platform is a leader in enterprise-grade threat detection and response. Businesses and government agencies around the globe use NetWitness to address their demanding security requirements. Skilled threat hunters choose NetWitness as their go-to solution, due to its ability to rapidly analyze and process large volumes of information from many different sources.
Security compliance teams have long depended on NetWitness to help meet stringent compliance needs by providing retention of large amounts of data while being able to provide fast, reliable access for compliance activities.
NetWitness Cloud SIEM provides the same software and technical capabilities as a customer-managed instance of NetWitness Logs. NetWitness Cloud SIEM is a SaaS, cloud-hosted offering of NetWitness Logs, running the latest version of NetWitness Platform software in Microsoft Azure.
NetWitness Cloud SIEM provides defined retention periods for log data (subject to data limits), based on the offering Tier selected by a Customer. Cloud SIEM is also fully managed, administered, and updated by RSA, which is uniquely different then a customer-managed NetWitness Logs deployment.
As a result of Cloud SIEM being a cloud service there are certain administrative controls and limitations in place with the product to ensure availability and service level agreements for Customers. Specific limitations are outlined in this document and additional details are available upon request.
NetWitness Cloud SIEM is generally available for data residency in the following Microsoft Azure regions:
Support for additional Azure regions may be added as new regions are made available.
NetWitness Cloud SIEM enables seamless and secure methodologies for collecting log data from hundreds of event sources, extensively outlined in product documentation. Customers are responsible for configuring Cloud SIEM event sources after their tenant is provisioned. Many event sources are easily configured, including on-premise, virtual, hybrid, IaaS, PaaS, SaaS, and non-traditional sources, as outlined in documentation.
RSA Professional Services is also available to assist Customers with event source onboarding on a paid basis.
Log Collection Deployment
Log collection by NetWitness Cloud SIEM requires deployment of a Log Collector / Virtual Log Collector. When deploying a Log Collector, you must configure it to collect log events from various event sources and deliver these events both reliably and securely to the Cloud SIEM Log Decoder. Events are parsed and stored for subsequent analysis by the Log Decoder. Please note that each Cloud SIEM environment is self-contained within a single instance.
Details on Log Collection Methods
Log Collector services are deployed across multiple locations to collect log data from varying sets of event sources by setting up an On Prem Log Collector which will collect the logs locally and then transfer them to the NetWitness Cloud Instance via an encrypted and compressed transport. All Current NetWitness Collection methods are supported in the NetWitness Cloud Instance.
For additional information regarding configuration and management of data sources, please refer to:
The Communication between the on prem local collector and the NetWitness Cloud instance uses data compression to minimize the bandwidth required for data transmission to the NetWitness Cloud Instance. In addition to data compression, the data is transmitted over an encrypted channel.
OpenVPN Tunnel Configuration
For secure communication between the on-premise Virtual Log Collector (VLC) and the cloud Log Decoder and NetWitness Server, you must configure a VPN tunnel. During the Cloud SIEM onboarding process, a download link will be provided with instructions on how to setup the communication link between the VLC and the Cloud SIEM infrastructure.
The NetWitness Cloud SIEM offering is licensed based on the amount of log data throughput ingested daily, measured in gigabytes (GB) per day of collected data. Data ingest monitors against the customers specified subscription entitlement (in GB/Day) and can be increased to a higher level of ingestion to account for any increase in the amount of data being collected. You can view current and past data ingestion information within the NetWitness UI licensing page.
NetWitness Cloud SIEM customers may experience performance degradation and reduced data retention periods when log data throughput exceeds the contracted subscription capacity. NetWitness will be monitoring customers storage capacity and will inform them if additional ingestion or storage capacity is required. Customers are encouraged to contact NetWitness Sales to purchase an appropriate subscription plan to handle the required capacity.
All communication between customer-deployed Log Collectors/Virtual Log Collectors and the NetWitness cloud environment is encrypted. Connectivity to the NetWitness UI from the Customer location is limited by Azure specified firewall rules. Communication between various internal NetWitness services deployed in Azure are based on trusted certificates and are encrypted. To reduce bandwidth, data is compressed between various log collection sources and the NetWitness cloud environment.
Customers are responsible for all event source configuration, VLC setup, and initial connectivity to Azure cloud through Open VPN. For more information on data collection, please refer to the Log Data Collection section above.
Cloud SIEM Resiliency & Redundancy
Compute / Virtual Machines:
Virtual Machines utilize a single instance per virtual machine while utilizing Premium Solid State Storage drives for all operating system disks. Additional details on Azure VM guidelines are available here: azure.microsoft.com
Storage disks (OS and Data) utilize locally redundant storage (LRS) which replicates Customer data three times within the same Azure Availability Region. This prevents a failure from a failing SSD, failing server, and or failing network equipment.
The NetWitness Cloud SIEM creates configuration, OS, and VM backups (configuration data) of Customer hosts on a weekly basis which are retained for a period of two weeks. Prior to a NetWitness Cloud SIEM upgrade, two configuration backups are taken.
Backups within scope include:
Backups do not include any raw log data or metadata that is stored on independent solid-state drives (SSDs) which are not part of configuration, OS, or VM backups.
Service Level Agreement
NetWitness provides 24x7 infrastructure and product monitoring to meet an uptime SLA for the NetWitness Cloud SIEM offering. The NetWitness Cloud SIEM offering environment is considered available when users can:
The NetWitness Cloud SIEM service subscription provides routine management, maintenance, and updating to enable a high-performance experience with access to current features and functionality for all product users. There are maintenance and administrative activities also required by NetWitness Cloud SIEM product customers. NetWitness and customer-driven maintenance activities and restrictions are outlined in this section.
NetWitness Maintenance And Administration Responsibilities
Maintenance And Upgrade Experience
NetWitness Cloud SIEM is centrally maintained and upgraded by NetWitness to ensure that all customers are provided with a high-performance solution inclusive of the latest features and functionality.
Each NetWitness Cloud SIEM instance will be upgraded to the previous minor release within 30 days of the most recent minor release. For example, NetWitness Cloud SIEM environments will be upgraded to v11.5.1 within 30 days of the release of NetWitness Platform v. 11.5.2. NetWitness Cloud SIEM end-user environments are purposefully maintained at the most recent previous minor release to ensure a high-quality experience and for any relevant bug-fixes to applied prior to upgrading.
Routine maintenance and upgrade activities require planned downtime during which the NetWitness Cloud SIEM platform will be unavailable. End users will be notified of the planned service outage at least 14 days prior to the event, and will be provided with an option to elect a secondary window in the event of a potential conflict. NetWitness makes a best effort to schedule planned downtime for maintenance and upgrades outside of normal business hours to minimize operational disruption.
If unscheduled emergency maintenance is required, NetWitness will make reasonable efforts to notify customer contacts of a downtime event.
Customer Maintenance And Administration Responsibilities
As you consider and evaluate NetWitness Cloud SIEM services, it’s critical to understand the shared responsibility model and which deployment and administration tasks are handled by NetWitness and which tasks are handled by you.
To meet the outlined Service Level Agreements for the NetWitness Cloud SIEM offering, the below Customer Restrictions are in place for the Cloud SIEM environment. These restrictions ensure the appropriate SLA is delivered to the Customer.
All NetWitness Cloud SIEM subscriptions include access to NetWitness enhanced technical support plan. Enhanced Support delivers 24 x 7 around-the-clock remote support and access to RSA’s global network of support centers for troubleshooting.
Leverage our Secure Remote Support to ensure your issues are proactively managed in our Global Support Centers.
Please visit Support Plans and Options page for more information.
NetWitness Personalized Support Options
NetWitness Personalized Support Options are designed to complement NetWitness service contracts with access to technical experts any time, day or night, and provide customers with a strategic personalized support relationship. With NetWitness Personalized Support Options, organizations can enjoy a support relationship with NetWitness that encompasses the entire product life cycle—from initial product integration to ongoing utilization.
The following Personalized Support Options offer supplemental services that can be added to any new or existing RSA support contract:
Please visit the Support Plans and Options page for additional information regarding NetWitness Technical Support and Personalized Support options.
Each NetWitness Cloud SIEM instance is allocated dedicated cloud compute resources to enable effective utilization of the product.
If performance degradation is suspected, customers should engage NetWitness Customer Support to determine options for remediation.
The base subscription offering for NetWitness Cloud SIEM includes adequate high-performance solid-state storage to enable retention of 90 days of log data at the license limit purchased. In addition to the primary allocation of high-performance storage included with each NetWitness Cloud SIEM subscription, customers may purchase storage add-ons enabling extended retention periods.
The NetWitness Cloud SIEM offering enables storage of log data to suit a variety of security and compliance use cases.
Storage allocations are dedicated to each NetWitness instance/tenant.
Customers should monitor storage utilization to ensure achievement of their desired retention period. If retention periods are falling below Customers’ required retention periods they should contact NetWitness Customer Support to discuss options.
There is no incremental cost for transporting data into the NetWitness Cloud SIEM offering, beyond the agreed subscription pricing. Each NetWitness Cloud SIEM instance is provisioned with a monthly data egress allowance of 2 TB/month to enable an effective product experience for most use-cases.
Data egressed or exported from Customer’s Netwitness Cloud SIEM but remains within the same Azure Availability Zone is exempt from limitations and additional costs.
Bulk data export is not included in the Customer’s data egress allowance. If additional data egress capacity is required for any circumstance, customers must engage a NetWitness Sales, Services, or Support representative to explore suitable options.
NetWitness Cloud SIEM is metered based on the amount of log data throughput ingested daily, measured in gigabytes (GB) per day. The throughput-based subscription measures data ingest against a subscription entitlement and can always be increased to a higher rate to account for any increase in the amount of data being collected.
Customers may evaluate current and past daily data ingestion information on the licensing page within the NetWitness Cloud SIEM user interface.
The Storage add-ons presently available across all supported regions are as follows:
Customers interested in growing their utilization of the NetWitness Cloud SIEM offering may pursue expansion of their relationship at any point during the subscription term. Expansions can coincide with the remainder of the subscription term, be applied for a limited duration, or for a single instance. Expansion of the NetWitness Cloud SIEM offering may be pursued via the purchase of:
NetWitness Cloud SIEM customers will receive a renewal notification within 90 days of subscription expiration.
Contact your NetWitness Account Manager at any point during your subscription period with questions regarding renewal policies or processes.
On the date of Subscription Expiration, all functionality of the NetWitness Cloud SIEM product is suspended. The Cloud SIEM product will cease standard operational functionality including ingestion of log data upon subscription expiration.
Contact your NetWitness Account Representative if access to the Cloud SIEM service is required beyond the date of expiration.
After expiration, an image of the NetWitness Cloud SIEM product configuration and data will be retained for 30 days to enable reinstatement of the service. Log data will be retained for 30 days following expiration to support download or migration to another data-store as needed.
The NetWitness Cloud SIEM dedicated instance, configurations, and log data are fully destroyed following 30 days of subscription expiration using industry standard best practices for data destruction.