Prior to releasing the QRadar SEM (security event manager), Q1 Labs was one of a handful of vendors actively competing in
the NBAD (Network Based Anomaly Detection) market. NBAD works by maintaining service profiles on every network device. Policies
are configured to define normal operations for a given type of network host; anything beyond those profiles is noted as an
anomaly.

Q1 Labs QRadar 5.01 and QRadar-2102 appliance
Q1 Labs, q1labs.com
Overall score: Good, 7.0

| Criteria         | Score | Weight |
|------------------|-------|--------|
| Reporting        | 9     | 25%    |
| Scalability      | 6     | 25%    |
| Interoperability | 6     | 20%    |
| Manageability    | 7     | 10%    |
| Security         | 7     | 10%    |
| Value            | 6     | 10%    |

Cost: $56,000 as tested
Bottom Line: QRadar’s interface is great to look at and boasts network-based anomaly detection support, but this product lacks support
from many common data sources. It also has some problems scaling to larger deployments without trashing your existing QRadar
appliance.

The QRadar appliance and software take advantage of Q1’s NBAD expertise, using the technology to develop a baseline of network
service and traffic utilization. To cover the holes in NBAD, QRadar also taps into other, more conventional detection mechanisms,
such as event logs and IDS (intrusion detection systems) events. With its NBAD background, this is a good SEM with strong
reporting capabilities, but its limited compatibility and scalability hold it back.
Profiles and protocols
We tested the QRadar-2102 appliance, which sports version 5.01 of the QRadar software. The box plugs into your network and
builds host profiles by using traffic sampling protocols such as sFlow, NetFlow, JFlow, or Q1’s proprietary QFlow.
After the data is available to QRadar, rulesets perform the logic; the same logic used in an incident investigation can be
“taught” to the engine. Profile information is used to detect infections as well as inappropriate network use and misconfigurations.
In our testing, we used sFlow data from more than 30 network switches; QRadar’s profiling allowed us to see users playing
multiplayer games within the same network segment and detect a misconfigured e-mail server.
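To make the profiling idea concrete, here is an added example (not Q1 Labs code, and not the QRadar rules engine) that applies the NBAD model described above to a handful of constructed flow records: a policy per host type says which services a host may offer and use, flow records fold into a per-host service profile, and anything in the profile that the policy does not cover is reported as an anomaly. The host types, policies, addresses and the flow records themselves are all constructed for the example; the two gaming peers and the mail server answering on HTTP are stand-ins for the kind of findings the review describes.

```python
from collections import defaultdict

# Policy per host type: the (proto, port) services a host of that type may
# offer (when it is the flow's destination) and use (when it is the source).
# Constructed for this example.
POLICIES = {
    "mail_server": {
        "offers": {("tcp", 25), ("tcp", 143), ("tcp", 993)},
        "uses":   {("tcp", 25), ("udp", 53)},
    },
    "workstation": {
        "offers": set(),
        "uses":   {("tcp", 25), ("tcp", 143), ("tcp", 80), ("tcp", 443), ("udp", 53)},
    },
}

# Which policy applies to which host (constructed addresses).
HOST_TYPES = {
    "10.0.9.5":  "mail_server",
    "10.0.1.20": "workstation",
    "10.0.1.30": "workstation",
    "10.0.1.31": "workstation",
}

# Constructed flow records in a simplified sFlow/NetFlow shape:
# (src_ip, dst_ip, proto, dst_port, bytes)
FLOWS = [
    ("10.0.1.20", "10.0.9.5",     "tcp", 25,    4200),   # normal: workstation submits mail
    ("10.0.1.20", "10.0.9.5",     "tcp", 143,   3800),   # normal: workstation reads mail
    ("10.0.9.5",  "198.51.100.7", "tcp", 25,    9100),   # normal: server relays outbound
    ("10.0.9.5",  "10.0.0.2",     "udp", 53,    120),    # normal: server resolves MX records
    ("10.0.1.30", "10.0.1.31",    "udp", 27015, 51000),  # anomaly: game traffic between peers
    ("10.0.1.31", "10.0.1.30",    "udp", 27015, 48000),  # anomaly: game traffic between peers
    ("10.0.1.20", "10.0.9.5",     "tcp", 80,    900),    # anomaly: mail server answers on HTTP
]


def build_profiles(flows):
    """Fold flow records into a per-host service profile.

    The destination of a flow is recorded as offering the service; the
    source is recorded as using it.
    """
    profiles = defaultdict(lambda: {"offers": set(), "uses": set()})
    for src, dst, proto, port, _nbytes in flows:
        profiles[src]["uses"].add((proto, port))
        profiles[dst]["offers"].add((proto, port))
    return profiles


def find_anomalies(profiles, host_types=HOST_TYPES, policies=POLICIES):
    """Report every profiled service that the host's policy does not allow.

    Returns sorted (host, host_type, direction, proto, port) tuples. Hosts
    with no assigned type are skipped here; a production system would
    surface them as unclassified rather than ignore them.
    """
    anomalies = []
    for host, profile in profiles.items():
        host_type = host_types.get(host)
        if host_type is None:
            continue
        policy = policies[host_type]
        for direction in ("offers", "uses"):
            for proto, port in profile[direction] - policy[direction]:
                anomalies.append((host, host_type, direction, proto, port))
    return sorted(anomalies)


if __name__ == "__main__":
    for entry in find_anomalies(build_profiles(FLOWS)):
        host, host_type, direction, proto, port = entry
        print(f"{host} ({host_type}) {direction} {proto}/{port} outside policy")
```

Run as a script it lists the two workstations offering and using udp/27015 to each other and the mail server offering tcp/80. A real NBAD engine learns the baseline from observed traffic over time rather than from a hand-written policy, but the comparison step, profile minus allowed set, is the same.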
Although QRadar does a good job of cataloging flow data, it has not yet incorporated anti-virus logging into its solution.
We would like to see this type of event log correlation accomplished by the SEM, rather than having to depend on outside analyses.
QRadar does, however, integrate IDS/IPS logs into its solution. The list of ported data sources is not long, but it covers
most major IDS/IPS systems, and Q1 Labs says it is constantly adding new connectors. QRadar is also able to pull firewall
logs from systems such as Cisco, CheckPoint, CyberGuard, Netscreen, and Linux iptables.
The SEM’s final data source is vulnerability scanners. This data is used in determining whether an inbound attack will affect (or
has affected) the target machine. Vulnerability assessment sources are currently limited to nCircle, Nessus, and Nmap, so
QRadar will need to embrace other systems before becoming a solid enterprise solution.
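The correlation the paragraph describes, an IDS alert checked against what a vulnerability scanner knows about the target, can be shown with a few lines of added example code (not QRadar's logic or any vendor's connector). The scan results and alerts are constructed; real scanners and IDS signatures key on plugin ids or CVE references, and here plain finding tags stand in for those so no real identifiers are implied. Each alert gets one of three verdicts: the target was scanned and has the weakness the attack relies on, the target was scanned and does not, or nothing can be said because the target was never scanned or the signature is generic.

```python
# Constructed vulnerability-scan results: host -> set of finding tags.
SCAN_RESULTS = {
    "10.0.9.5":  {"smtp-open-relay", "tls-weak-cipher"},
    "10.0.1.20": {"smb-signing-disabled"},
}

# Constructed IDS alerts: (UTC timestamp, src, dst, signature name, finding
# tag the signature's attack relies on, or None when the signature is generic).
ALERTS = [
    ("2006-01-10T09:12:00Z", "198.51.100.9", "10.0.9.5",  "SMTP relay probe",  "smtp-open-relay"),
    ("2006-01-10T09:15:30Z", "198.51.100.9", "10.0.9.5",  "SSH brute force",   None),
    ("2006-01-10T09:20:05Z", "203.0.113.4",  "10.0.1.20", "SMB relay attempt", "smb-signing-disabled"),
    ("2006-01-10T09:22:11Z", "203.0.113.4",  "10.0.1.20", "SMTP relay probe",  "smtp-open-relay"),
    ("2006-01-10T09:25:40Z", "203.0.113.4",  "10.0.1.77", "SMB relay attempt", "smb-signing-disabled"),
]

# Higher number sorts earlier in the triage queue.
PRIORITY = {"vulnerable": 3, "unverified": 2, "not_vulnerable": 1}


def assess_alert(alert, scan_results=SCAN_RESULTS):
    """Attach a verdict and priority to one IDS alert using scan data."""
    ts, src, dst, signature, requires = alert
    findings = scan_results.get(dst)
    if requires is None or findings is None:
        verdict = "unverified"        # generic signature or target never scanned
    elif requires in findings:
        verdict = "vulnerable"        # scanner saw the weakness the attack needs
    else:
        verdict = "not_vulnerable"    # scanned, weakness absent: likely noise
    return {
        "time": ts, "src": src, "dst": dst, "signature": signature,
        "verdict": verdict, "priority": PRIORITY[verdict],
    }


def triage(alerts=ALERTS, scan_results=SCAN_RESULTS):
    """Order alerts for an analyst: highest priority first, then oldest first."""
    assessed = [assess_alert(a, scan_results) for a in alerts]
    return sorted(assessed, key=lambda r: (-r["priority"], r["time"]))


if __name__ == "__main__":
    for row in triage():
        print(f'{row["time"]} {row["dst"]:<10} {row["signature"]:<18} {row["verdict"]}')
```

The unverified bucket is the interesting one for coverage planning: every alert that lands there because the target host was never scanned points at a gap in the scanner's reach, which is the same gap the review raises about the short list of supported assessment tools.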
Digging into the details
Most of QRadar’s startup configuration was conventional and intuitive. Adding data sources, however, wasn’t as simple. Some
of the device’s settings were confusing, and the data sources and mitigating responses were all treated as objects, so you
need to understand the attributes and behavior of the new objects. Without the half-hour of training on the advanced configuration
tools, we would have been hard-pressed to get the solution functioning properly. Thankfully, the embedded help was informative
and detailed.