Q1 homes in on network events
QRadar SEM has a beautiful interface and strong reporting but lacks comprehensive data source support
Prior to releasing the QRadar SEM (security event manager), Q1 Labs was one of a handful of vendors actively competing in the NBAD (network-based anomaly detection) market. NBAD works by maintaining service profiles on every network host. Policies define normal operations for a given type of host; any traffic outside those profiles is flagged as an anomaly.
The QRadar appliance and software build on Q1's NBAD expertise, using the technology to establish a baseline of network services and traffic utilization. To cover the gaps in NBAD, QRadar also taps more conventional detection sources, such as event logs and IDS (intrusion detection system) events. With its NBAD background, this is a good SEM with strong reporting capabilities, but its limited compatibility and scalability hold it back.
Profiles and protocols
We tested the QRadar-2102 appliance, which runs version 5.01 of the QRadar software. The box plugs into your network and builds host profiles from flow records exported by switches and routers over sFlow, NetFlow, JFlow, or Q1's proprietary QFlow.
After the data is available to QRadar, rulesets perform the logic; the same logic used in an incident investigation can be “taught” to the engine. Profile information is used to detect infections as well as inappropriate network use and misconfigurations. In our testing, we used sFlow data from more than 30 network switches; QRadar’s profiling allowed us to see users playing multiplayer games within the same network segment and detect a misconfigured e-mail server.
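To make the profiling described above concrete, here is an added example (my own illustration, not Q1 Labs code) of the NBAD idea applied to flow records: aggregate the server-side services each host is observed offering, then compare them against a per-role policy and report whatever falls outside it. The flow records, host inventory, role policy, the ephemeral-port cutoff and the port numbers used are all constructed assumptions for the demonstration.

```python
"""Toy NBAD-style profiler over flow records.

Builds a per-host profile of observed services from constructed flow records
and flags services that the host's role policy does not allow, the same kind
of deviation-from-profile check an NBAD engine performs on exported flows.
Added example, not QRadar code; all data below is constructed.
"""
from collections import defaultdict

# Constructed policy: server ports each host role may legitimately offer.
ROLE_POLICY = {
    "mail": {25, 110, 143},
    "web": {80, 443},
    "workstation": set(),  # workstations should not serve anything
}

# Constructed host inventory (role per address). Hosts absent from it are
# reported with the role "unprofiled" so nothing slips through unseen.
HOST_ROLE = {
    "10.1.0.10": "mail",
    "10.1.0.20": "web",
    "10.1.1.5": "workstation",
    "10.1.1.6": "workstation",
    "10.1.1.7": "workstation",
}

# Assumed cutoff: destination ports at or above this are treated as client
# (ephemeral) ports rather than services. A simplification for the example.
EPHEMERAL_START = 32768

# Constructed unidirectional flow records, NetFlow-style:
# (src, sport, dst, dport, proto, bytes, packets)
FLOWS = [
    ("10.1.1.5", 50000, "10.1.0.10", 25, "tcp", 1800, 12),       # SMTP to mail host: normal
    ("10.1.0.10", 25, "10.1.1.5", 50000, "tcp", 600, 8),         # reply direction: ignored
    ("10.1.1.6", 50001, "10.1.0.20", 443, "tcp", 9000, 20),      # HTTPS to web host: normal
    ("10.1.1.7", 50002, "10.1.0.10", 3128, "tcp", 42000, 90),    # mail host serving 3128: outside profile
    ("10.1.1.5", 60010, "10.1.1.6", 27015, "udp", 150000, 1200), # workstation acting as UDP server
    ("10.1.1.7", 60011, "10.1.1.6", 27015, "udp", 120000, 1000), # second peer on the same segment
    ("10.1.1.5", 50003, "10.1.2.9", 22, "tcp", 3000, 15),        # host not in the inventory
]


def build_profiles(flows):
    """Aggregate observed services per destination host.

    Returns {host: {(proto, dport): total_bytes}}, counting only flows whose
    destination port looks like a service port.
    """
    profiles = defaultdict(lambda: defaultdict(int))
    for _src, _sport, dst, dport, proto, nbytes, _npkts in flows:
        if dport < EPHEMERAL_START:
            profiles[dst][(proto, dport)] += nbytes
    return profiles


def find_anomalies(profiles, host_role=HOST_ROLE, role_policy=ROLE_POLICY):
    """Return (host, role, proto, port, bytes) for every observed service
    that the host's role policy does not permit, sorted by host and service."""
    anomalies = []
    for host, services in sorted(profiles.items()):
        role = host_role.get(host, "unprofiled")
        allowed = role_policy.get(role, set())
        for (proto, port), nbytes in sorted(services.items()):
            if port not in allowed:
                anomalies.append((host, role, proto, port, nbytes))
    return anomalies


if __name__ == "__main__":
    for host, role, proto, port, nbytes in find_anomalies(build_profiles(FLOWS)):
        print(f"{host:<10} role={role:<12} unexpected service {proto}/{port} ({nbytes} bytes)")
```

A real NBAD engine learns the profile from a training window instead of reading it from a static policy table, and it tracks volume and peer counts as well as ports; the static table here stands in for that learned baseline so the deviation check itself is visible.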
Although QRadar does a good job of cataloging flow data, it has not yet incorporated anti-virus logging into its solution. We would like to see this type of event log correlation accomplished by the SEM, rather than having to depend on outside analyses.
QRadar does, however, integrate IDS/IPS logs into its solution. The list of supported data sources is not long, but it covers most major IDS/IPS systems, and Q1 Labs says it is constantly adding new connectors. QRadar is also able to pull firewall logs from systems such as Cisco, CheckPoint, CyberGuard, Netscreen, and Linux iptables.
The SEM's final data source is vulnerability scanners. This data is used to determine whether an inbound attack will affect (or has affected) the target machine. Vulnerability assessment sources are currently limited to nCircle, Nessus, and Nmap, so QRadar will need to embrace other systems before becoming a solid enterprise solution.
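The vulnerability-scanner correlation described above is worth seeing in code. The following is an added example (my own, not QRadar's implementation) of the check: for each IDS alert, look up the target host in imported scan results, decide whether the targeted service is open and carries the weakness the signature exploits, and rank the alert accordingly. The scan records, alerts, weakness labels, the scanner-type distinction between a port map and a full vulnerability scan, the scan-age threshold and the priority scores are all constructed assumptions for the illustration.

```python
"""Correlate IDS alerts with imported vulnerability-scan results.

Given an alert against a host and port, answer whether the attack could have
worked: is the port open on the target, did the scanner confirm the weakness
the signature exploits, and is the scan recent enough to trust? Added
example, not QRadar code; scan data, alerts and labels are constructed.
"""

# Assumed threshold: scan results older than this are not trusted to clear an alert.
MAX_SCAN_AGE_DAYS = 30

# Constructed scan import: host -> scanner type, scan age, and the (proto, port)
# services found, each with the set of weakness labels confirmed on it.
# An nmap-only record knows open ports but runs no weakness checks.
SCAN_RESULTS = {
    "10.1.0.20": {"source": "nessus", "age_days": 3,
                  "services": {("tcp", 80): {"weak-a"}, ("tcp", 443): set()}},
    "10.1.0.10": {"source": "nessus", "age_days": 5,
                  "services": {("tcp", 25): set()}},
    "10.1.0.30": {"source": "nmap", "age_days": 2,
                  "services": {("tcp", 22): set()}},
    "10.1.0.40": {"source": "nessus", "age_days": 120,
                  "services": {("tcp", 80): set()}},
}

# Constructed IDS alerts; "targets" names the weakness the signature exploits.
ALERTS = [
    {"id": 1, "sig": "HTTP exploit A", "src": "203.0.113.7", "dst": "10.1.0.20",
     "proto": "tcp", "dport": 80, "targets": {"weak-a"}},
    {"id": 2, "sig": "SMTP exploit B", "src": "203.0.113.8", "dst": "10.1.0.10",
     "proto": "tcp", "dport": 25, "targets": {"weak-b"}},
    {"id": 3, "sig": "SSH exploit C", "src": "203.0.113.9", "dst": "10.1.0.30",
     "proto": "tcp", "dport": 22, "targets": {"weak-c"}},
    {"id": 4, "sig": "HTTP exploit A", "src": "203.0.113.7", "dst": "10.1.0.10",
     "proto": "tcp", "dport": 80, "targets": {"weak-a"}},
    {"id": 5, "sig": "HTTP exploit A", "src": "203.0.113.7", "dst": "10.1.0.99",
     "proto": "tcp", "dport": 80, "targets": {"weak-a"}},
    {"id": 6, "sig": "HTTP exploit A", "src": "203.0.113.7", "dst": "10.1.0.40",
     "proto": "tcp", "dport": 80, "targets": {"weak-a"}},
]

# Verdict -> queue priority; higher means the analyst sees it sooner.
PRIORITY = {
    "vulnerable": 10,        # port open and weakness confirmed: likely affected
    "unscanned": 6,          # no data on the target: cannot be cleared
    "stale scan": 6,         # data too old to clear the alert
    "exposure unknown": 5,   # port open, but scanner ran no weakness checks
    "not vulnerable": 2,     # port open, weakness checked for and absent
    "port closed": 1,        # service not present on the target
}


def assess(alert, scan=SCAN_RESULTS):
    """Return a verdict string for one alert, using the scan results."""
    host = scan.get(alert["dst"])
    if host is None:
        return "unscanned"
    if host["age_days"] > MAX_SCAN_AGE_DAYS:
        return "stale scan"
    svc = host["services"].get((alert["proto"], alert["dport"]))
    if svc is None:
        return "port closed"
    if svc & alert["targets"]:
        return "vulnerable"
    if host["source"] == "nmap":
        return "exposure unknown"
    return "not vulnerable"


def prioritize(alerts, scan=SCAN_RESULTS):
    """Return (score, verdict, alert) tuples, most urgent first; ties keep input order."""
    scored = [(PRIORITY[v], v, a) for a in alerts for v in (assess(a, scan),)]
    scored.sort(key=lambda t: -t[0])
    return scored


if __name__ == "__main__":
    for score, verdict, a in prioritize(ALERTS):
        print(f"[{score:>2}] alert {a['id']} {a['sig']:<15} -> {a['dst']}:{a['dport']}  {verdict}")
```

The stale-scan and port-map-only branches matter in practice: a scan is a snapshot, and an Nmap import can only say a port was open, so neither result should be allowed to demote an alert to "not vulnerable".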
Digging into the details
Most of QRadar’s startup configuration was conventional and intuitive. Adding data sources, however, wasn’t as simple. Some of the device’s settings were confusing, and the data sources and mitigating responses were all treated as objects, so you need to understand the attributes and behavior of the new objects. Without the half-hour of training on the advanced configuration tools, we would have been hard-pressed to get the solution functioning properly. Thankfully, the embedded help was informative and detailed.
Once data is flowing into the manager, the QRadar interface restores a security analyst's sanity. The beautiful, customizable dashboard starts you out with a 10,000-foot view of the network, and you can click down to individual events and flows. (The interface is served as JavaServer Pages hosted on the QRadar device.)