
Competitive Battlecard

RSA NetWitness® Platform vs. Splunk® Enterprise Security and related products


RSA strengths and Splunk weaknesses

Leverages native or third-party security data
RSA strength: RSA NetWitness Platform leverages native data, including network data, endpoint data and user behavior data, as well as data from third-party security products. This reduces complexity for customers because many of the data ingestion processes are already built in to the solution.
Splunk weakness: Splunk's Enterprise, Enterprise Security (ES), and User Behavior Analytics (UBA) products are data aggregators and analysis tools that require customers to buy other solutions to create the source data. Splunk has limited native support for different log and alert formats for data ingestion. In many cases, customers must deploy, manage, and maintain separate products, which can lengthen the time to ROI and increase management overhead and product maintenance costs.

Single platform for all security needs
RSA strength: RSA NetWitness Platform is a comprehensive, integrated solution for network security, endpoint security, threat intelligence, threat detection and response, security operations, user behavior analytics and security orchestration and automation.
Splunk weakness: Splunk's security products -- ES, Splunk UBA, and the recently acquired Phantom -- are still separate products with different code bases. This makes acquisition and operation of the Splunk products more complex for customers.

Integrated remediation capabilities
RSA strength: RSA NetWitness Platform has many remediation and mitigation capabilities, including blocking protocols/traffic/processes, quarantining/isolating endpoints directly, and increasing authentication requirements to block suspect users/requests.
Splunk weakness: Splunk Enterprise, ES, and UBA products provide no native threat mitigation functions. All mitigation is done through integration partners, such as Cisco or Palo Alto Networks, or by purchasing the Phantom solution. Currently, the seamlessness of handoffs between the products varies and could be a hindrance to shutting down a threat or stopping exfiltration of critical data.

Portfolio of high-quality reports
RSA strength: RSA NetWitness Platform includes a broad array of pre-built reports, including compliance reports.
Splunk weakness: Splunk has a relatively smaller set of reports. Instead, Splunk encourages customers to create their own reports or use reports that have been shared by other users in its customer community, which may have varying levels of quality and consistency.

RSA Confidential For RSA partners only and subject to non-disclosure agreement Last updated: November 26, 2018
Background on Splunk

Security is just a portion of Splunk’s business. Its portfolio consists of:

Core platform:
• Splunk Enterprise
Enterprise is a prerequisite purchase for the other Splunk products.

Security products:
• Splunk for Enterprise Security (ES)
• Splunk User Behavior Analytics (UBA)
• Splunk Insights for Ransomware
• Splunk Phantom

Other products:
• Splunk Insights for Infrastructure
• VictorOps (devOps management)
• Splunk for IT Service Intelligence
• Splunk Insights for AWS Cloud Monitoring

Capability comparison

Capability                                              RSA NetWitness Platform   Splunk ES
Native data integration                                 Yes                       Not applicable
Third-party data integration                            Yes                       Yes
Event correlation, classification, enrichment           Yes                       Yes
Machine-learning based event analytics                  Yes                       Yes
Threat indicators weighted                              Yes                       Yes
Age of collected data affects overall threat risk score No                        Yes
Threat model is adjusted continuously                   Yes                       Yes
Ad hoc searches                                         Yes                       Yes
Native threat mitigation                                Yes                       No
On-premise deployment                                   Yes                       Yes
SaaS model                                              No                        Yes

What you should know


Both RSA and Splunk base product prices, in part, on the volume of data that the customer needs to have indexed. However, according to independent research commissioned by RSA Product Marketing in October 2018, Splunk’s prices are relatively higher than RSA’s, especially at the higher-level volume tiers.

Splunk’s query language, based on its prerequisite product Splunk Enterprise, can be fast, but it can also be complex to use. It’s important to keep in mind that any query tool for security analytics is only effective if the customer’s analyst staff finds the tool easy to use and, perhaps even more importantly, knows what they’re looking for in the first place.

Splunk’s product can process petabytes of data, compared to terabytes for RSA and other competing brands. However, few customers actually have petabytes of data to be processed. Moreover, because Splunk’s prices are based on data volumes, customers with large volumes of data may turn to pre-processors to reduce the amount of data they send to Splunk’s cloud for indexing.