


Contributing Writer

What NetWitness Means for RSA

Apr 08, 2011 | 4 mins
Cisco Systems, Data and Information Security, IT Leadership

Great addition but lots of work ahead

Okay, let me start this blog by saying that I am only going to look at the NetWitness acquisition and not equate it to the recent security breach at RSA. I’ve blogged on that a bunch and want to focus on the security market here.

First, I was certain that someone would buy NetWitness soon but I really thought it would be HP. Why? The feds refer to a “security sandwich” made up of NetWitness and ArcSight that seems to be implemented at every federal agency. Given the acquisition of ArcSight by HP, NetWitness seemed like a no-brainer to me. Regardless, NetWitness is a pretty unique offering in the security realm. As company executives often state, NetWitness products are like a VCR of networking activity. Its security tools capture everything that’s going on from Layer 3-7, perform analysis, look for anomalies, and offer very concise reports. What’s interesting here is that NetWitness can look at networking in a security context. You get a picture of who did something, what they did, what happened on the network, and where the packets ended up. Sort of network flow meets situational awareness. The feds love NetWitness as it aligns with the Einstein project and provides killer forensic capabilities.

As for RSA, it gets another enterprise-class tool with tremendous upside, but also grabs a new piece of the burgeoning enterprise security and risk management puzzle. Combined with EnVision and Archer, RSA gets another data source and another way to analyze security data. Sprinkle in Greenplum for analysis and you find yourself at the junction of “big data” and GRC — an intersection that gets busier each day.

So from a strategy perspective this is a good move, but EMC/RSA has some work ahead. To maximize value here, EMC/RSA must:

1. Add EMC marketing magic to NetWitness immediately. Many people don’t get NetWitness so it is constantly miscategorized as a SIEM, IDS/IPS, or network analytics tool. This means that NetWitness spends a good deal of time explaining what it does and doesn’t do. EMC needs to get its marketing gurus to simplify the story.

2. Bolster its networking chops. EMC is a big diverse technology company but it has always tended to defer networking to equipment vendors and telecommunications carriers. Now that it owns NetWitness, it too needs deep L2-7 skills. Hiring and training a team of network security field technicians (beyond the NetWitness team) will be a key to growing revenue and moving beyond the federal market. Additionally, NetWitness technology can move beyond network security monitoring into an active IDS/IPS role. This could give RSA an opportunity to displace McAfee, Juniper, and Sourcefire, but it will need a strong network security bench to do so.

3. Roadmap the security management story. I like the vision of unifying NetWitness, EnVision, and Archer into some uber security management architecture, but where should users start? As it stands today, these three pillars are purchased and operated by different groups for different purposes. RSA has to have a unification story that gives it the flexibility to build the architecture regardless of the starting point. This will require deep knowledge of network security, security operations, and GRC as well as a technology integration roadmap. RSA will also need to establish flexible security management best practices expertise so it can help customers with people and processes — not just technology.

NetWitness should do well on its own so RSA should see incremental revenue no matter what. The integration story has the potential to add value and launch RSA into a new level of security industry leadership if it can execute on technical integration, customer-facing communications, and security management/operations best practice leadership. A tall order but not impossible.


Jon Oltsik is a distinguished analyst, fellow, and the founder of ESG’s cybersecurity service. With over 35 years of technology industry experience, Jon is widely recognized as an expert in all aspects of cybersecurity and is often called upon to help customers understand a CISO's perspective and strategies. Jon focuses on areas such as cyber-risk management, security operations, and all things related to CISOs.
