Spotlight on NetWitness

by Rocky DeStefano

In a press release this morning, EMC (NYSE: EMC) announced the acquisition of NetWitness. The deal closed on 1 April 2011, and NetWitness will operate as a part of RSA (The Security Division of EMC). Of course, RSA has been furiously working on their own security, and according to Avivah Litan of Gartner, EMC has acknowledged the critical role that NetWitness played in detecting that recent incident, further illustrating the need for complete visibility and flexible / detailed analytics no matter who you are in the industry!

About NetWitness
NetWitness comes to the table with incredible network security platform technology in its NextGen Infrastructure and very forward-looking technology with Visualize, and then they just annihilate the competitive field with the recently announced Spectrum product. On the business side, consistent profitability, great leadership, absolutely brilliant employees, complete market dominance, stellar innovation/proven execution on vision, and aggressively pushing a few petabytes of enterprise-class storage a quarter never hurt a valuation either.

From my experience, no enterprise buys NetWitness for a “compliance check box”; they buy NetWitness because they care about security and having complete visibility into what happens on their network, and they are willing to go the next step and dedicate resources to remediate risks to the enterprise that are discovered. In short, they care about security and are willing to make the investment across the board.

EMC Product Impact: RSA/EMC has a new crown jewel in the enterprise security market and should be able to quickly capitalize on this deal. The move not only shores up some gaping holes in current products (yes, I’m looking at you, enVision); the addition of NetWitness also advances security analytics beyond that of any other major player in the field. HP, Cisco, Symantec, CA: none of them currently have the ability to solve the same problems and enable analytic teams so intuitively or completely. I’m liking the ideas swirling around in my head of full Archer integration with NetWitness too! My advice to EMC is very simple. Let NetWitness run wild. It’s a family that can deliver you to greatness if you allow them to lead the way. Amit Yoran, Tim Belcher and the entire team at NetWitness deserve your complete attention and support. NetWitness has accomplished amazing things because from day one they understood the simple fact that the data is important, but being able to understand and interact with the data is crucial.


EMC Staff Impact:  EMC has gained not only a top of the line suite of products but a consulting organization that ranks amongst the top in the world for Incident Response and Enterprise Security Operations.  This team is one of maybe three commercially available teams in the world that if you have a serious intrusion you want by your side.  There is an immediate and nearly limitless opportunity to create an elite IR Capability for all EMC customers by thinking outside the box and leaning on the strengths of this team.

Potential Market Impact:  

Enterprise Visibility (Network Monitoring/Analysis): This deal sets up a few other players for some interesting conversations in the months ahead. Companies like Solera, Niksun and a few others all have certain pieces of what NetWitness has, at least in terms of Collection. The more meaningful attributes of the equation (analysis, context, market execution, etc.) leave a lot to be desired but still make for interesting conversation with the right partners.

Emerging Markets: The market space that Spectrum created/entered is currently only partially addressed by malware analysis companies like FireEye and maybe a few others. Spectrum is really much more than watching malware running in a VM; it is the consolidation of your entire IR and malware analysis teams’ efforts into one simple system. All the work that normally would be done is considered and presented to you with context that is unavailable anywhere else because of the rest of the platform available to NetWitness. Having the sandbox information, threat intel, community input, vendor input and of course all of the behavior, file, system and network attributes available to add context to the information you’re looking at is exactly what is necessary to completely comprehend the data and understand the threat (and therefore the risk we face). Currently that functionality is impossible to match with any other single technology on the market.

Overall: I think the valuations of those companies listed above likely will rise because of this deal, but only because of the exposure to the marketplace that this deal will bring. I would expect at least one of these to be gobbled up this year as others try to keep pace by providing solutions that help illuminate the evolving threats we all face. I’m closely watching enterprise companies like HP, Sourcefire, CA, Cisco, IBM, Symantec and smaller players like FireEye, Solera, NitroSecurity, Mandiant, Q1 Labs and even Splunk in the coming months to see how their product direction (or partnerships) evolve to include offerings to compete more directly with what NetWitness can do with a big brother like EMC pushing them into the market.

In short I think this is a brilliant purchase by EMC.

Silly Question:  How does this announcement affect the commitment to the extensive freeware community NetWitness has cultivated (45K or more users)?  

Silly Quote: Now we can all agree that EMC/RSA is eating their own dogfood! Really, how ridiculous is that statement? Of course if you’re a large enterprise (even a security company) you’re going to need layers of visibility and you might have to rely on tech outside your own development staff. Even doctors have to go to the ER once in a while.


For more information, see Amit’s letter to customers or the EMC press release.

Disclaimer:   None of the information above is confidential nor is anything presented here anything but common sense.   My standard disclaimer applies - “The views and opinions expressed in my blog are my personal thoughts and do not represent anyone that does not share space inside my head.”  In other words nothing I stated here was vetted by nor approved by EMC, RSA or NetWitness.
