Q1 hones in on network events

QRadar SEM has a beautiful interface and reporting but lacks comprehensive data source support

Prior to releasing the QRadar SEM (security event manager), Q1 Labs was one of a handful of vendors actively competing in the NBAD (Network Based Anomaly Detection) market. NBAD works by maintaining service profiles on every network device. Policies are configured to define normal operations for a given type of network host; anything beyond those profiles is noted as an anomaly.

The QRadar appliance and software take advantage of Q1’s NBAD expertise, using the technology to develop a baseline of network service and traffic utilization. To cover the holes in NBAD, QRadar also taps into other, more conventional detection mechanisms, such as event logs and IDS (intrusion detection systems) events. With its NBAD background, this is a good SEM with strong reporting capabilities, but its limited compatibility and scalability hold it back.

Profiles and protocols

We tested the QRadar-2102 appliance, which sports version 5.01 of the QRadar software. The box plugs into your network and builds host profiles by using traffic sampling protocols such as sFlow, NetFlow, JFlow, or Q1’s proprietary QFlow.

After the data is available to QRadar, rulesets perform the logic; the same logic used in an incident investigation can be “taught” to the engine. Profile information is used to detect infections as well as inappropriate network use and misconfigurations. In our testing, we used sFlow data from more than 30 network switches; QRadar’s profiling allowed us to see users playing multiplayer games within the same network segment and detect a misconfigured e-mail server.
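As an added illustration of the profile-and-policy logic described above (example code written for this review, not Q1's software or QFlow format), the block below builds a per-host service profile from constructed flow records and flags services that fall outside the role policy for that host, the way the review's game traffic and misconfigured mail server would surface. Hosts, addresses, ports and policies are hypothetical.

```python
from collections import defaultdict

# Constructed flow records in a simplified sFlow/NetFlow-like shape:
# (source host, destination host, protocol, destination port, bytes).
# Every address, port and role below is hypothetical, not from the review.
FLOWS = [
    ("10.0.1.5", "10.0.2.9", "tcp", 25, 4800),       # mail server relaying SMTP
    ("10.0.1.5", "10.0.0.2", "udp", 53, 300),        # mail server DNS lookups
    ("10.0.3.21", "10.0.2.9", "tcp", 443, 15000),    # workstation HTTPS
    ("10.0.3.21", "10.0.3.22", "udp", 3074, 90000),  # workstation-to-workstation game traffic
    ("10.0.3.22", "10.0.3.21", "udp", 3074, 85000),
    ("10.0.1.5", "10.0.3.40", "tcp", 445, 12000),    # mail server opening SMB sessions
]

# Policy: the services (protocol, destination port) a host of a given role is
# expected to initiate. Anything outside the role profile is reported as an anomaly.
ROLE_POLICY = {
    "mail": {("tcp", 25), ("tcp", 587), ("tcp", 993), ("udp", 53)},
    "workstation": {("tcp", 80), ("tcp", 443), ("udp", 53), ("tcp", 25)},
}
HOST_ROLE = {"10.0.1.5": "mail", "10.0.3.21": "workstation", "10.0.3.22": "workstation"}


def build_profiles(flows):
    """Aggregate flows into a per-host service profile: bytes sent per (proto, port)."""
    profiles = defaultdict(lambda: defaultdict(int))
    for src, _dst, proto, dport, nbytes in flows:
        profiles[src][(proto, dport)] += nbytes
    return profiles


def find_anomalies(profiles, host_role, role_policy):
    """Return (host, role, service, bytes) for each service outside the host's role profile."""
    anomalies = []
    for host, services in profiles.items():
        role = host_role.get(host)
        if role is None:
            continue  # unknown host: nothing to compare against yet
        allowed = role_policy[role]
        for service, nbytes in sorted(services.items()):
            if service not in allowed:
                anomalies.append((host, role, service, nbytes))
    return anomalies


if __name__ == "__main__":
    for host, role, (proto, port), nbytes in find_anomalies(build_profiles(FLOWS), HOST_ROLE, ROLE_POLICY):
        print(f"{host} ({role}) used {proto}/{port} outside its profile: {nbytes} bytes")
```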

Although QRadar does a good job of cataloging flow data, it has not yet incorporated anti-virus logging into its solution. We would like to see this type of event log correlation accomplished by the SEM, rather than having to depend on outside analyses.

QRadar does, however, integrate IDS/IPS logs into its solution. The list of ported data sources is not long, but it covers most major IDS/IPS systems, and Q1 Labs says it is constantly adding new connectors. QRadar is also able to pull firewall logs from systems such as Cisco, CheckPoint, CyberGuard, Netscreen, and Linux iptables.

The SEM’s final data source is vulnerability scanners. This data is used in determining whether an inbound attack will affect (or has affected) the target machine. Vulnerability assessment sources are currently limited to nCircle, Nessus, and NMAP, so QRadar will need to embrace other systems before becoming a solid enterprise solution.

Digging into the details

Most of QRadar’s startup configuration was conventional and intuitive. Adding data sources, however, wasn’t as simple. Some of the device’s settings were confusing, and the data sources and mitigating responses were all treated as objects, so you need to understand the attributes and behavior of the new objects. Without the half-hour of training on the advanced configuration tools, we would have been hard-pressed to get the solution functioning properly. Thankfully, the embedded help was informative and detailed.

While data is fed into the manager, the QRadar interface will return a security analyst’s sanity. The beautiful, customizable dashboard design starts you out with a 10,000-foot view of the network; you can click down to individual events and flows. (The interface is run from a Java Server Page hosted by the QRadar device.)

Scheduled reports can be e-mailed to appropriate managers, administrators, or technicians. Report options range from “Top Attackers” to “Internal VoIP Usage,” thanks to the breadth of information available. This is some of the richest security reporting we’ve used -- it’s equally good for network management, network security, and incident response.

QRadar comes with a handful of preconfigured rules for dealing with the incoming data, as well as controlling dashboard displays and actions. Rules can dismiss events, assign a specific “magnitude” score, perform vulnerability scans, or even reconfigure network devices to close vulnerabilities. Although new rules are easy to build, we would like to have seen more available out-of-the-box.

To rate threats, QRadar assigns every data source a confidence score; an untuned Snort IDS may get a very low score, whereas an IDS that rarely gives false positives gets a high rating. Different alarm types are also assigned criticality scores. QRadar’s processing engine uses the rules and scores to roll related events into offenses, which are assigned a score of magnitude based on a combination of confidence, risk, and criticality. The threat remediation module can then block attackers, quarantine infected hosts, or throttle bandwidth utilization as necessary.
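The scoring pipeline described above, and the use of scanner data to judge whether an attack could have affected its target, as an added example written for this review rather than Q1's engine: events are rolled into offenses by attacker and target, and each offense gets a magnitude from source confidence, target risk and alarm criticality. The scores, the 0-to-10 scale, the weighted-mean formula and the scan results are all assumptions; the review names the inputs but not Q1's actual arithmetic.

```python
from collections import defaultdict
from dataclasses import dataclass

# Assumed, not from the review: per-source confidence and per-alarm criticality on a
# 0-10 scale, and magnitude as a weighted mean of confidence, risk and criticality.
SOURCE_CONFIDENCE = {"snort-untuned": 2, "snort-tuned": 8, "checkpoint-fw": 9}
ALARM_CRITICALITY = {"web-exploit-attempt": 8, "port-scan": 3, "policy-violation": 4}
WEIGHTS = {"confidence": 0.3, "risk": 0.4, "criticality": 0.3}

# Constructed vulnerability-scanner results: target -> set of alarm classes the
# target is exposed to. An empty set means the host was scanned and found clean.
SCAN_RESULTS = {"10.0.2.9": {"web-exploit-attempt"}, "10.0.2.10": set()}

# Constructed events: (data source, alarm type, attacker, target); addresses are documentation ranges.
EVENTS = [
    ("snort-untuned", "port-scan", "198.51.100.7", "10.0.2.9"),
    ("snort-tuned", "web-exploit-attempt", "198.51.100.7", "10.0.2.9"),
    ("checkpoint-fw", "policy-violation", "198.51.100.7", "10.0.2.9"),
    ("snort-tuned", "web-exploit-attempt", "203.0.113.4", "10.0.2.10"),
]


@dataclass
class Offense:
    attacker: str
    target: str
    events: list
    magnitude: float


def risk_score(alarm, target, scan_results):
    """10 if the scanner shows the target exposed to this alarm class, 2 if scanned clean, 5 if never scanned."""
    vulns = scan_results.get(target)
    if vulns is None:
        return 5
    return 10 if alarm in vulns else 2


def correlate(events, scan_results):
    """Roll events sharing attacker and target into one offense; score it from the strongest evidence."""
    grouped = defaultdict(list)
    for ev in events:
        grouped[(ev[2], ev[3])].append(ev)
    offenses = []
    for (attacker, target), evs in grouped.items():
        conf = max(SOURCE_CONFIDENCE[src] for src, *_ in evs)
        crit = max(ALARM_CRITICALITY[alarm] for _, alarm, *_ in evs)
        risk = max(risk_score(alarm, target, scan_results) for _, alarm, *_ in evs)
        magnitude = WEIGHTS["confidence"] * conf + WEIGHTS["risk"] * risk + WEIGHTS["criticality"] * crit
        offenses.append(Offense(attacker, target, evs, round(magnitude, 1)))
    return sorted(offenses, key=lambda o: o.magnitude, reverse=True)
```

The offense whose target the scanner shows as exposed lands at the top of the queue, while the same exploit attempt against a clean host scores lower.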

Of course, the system is only as good as the rules: The more time spent improving the rules, the better the results. QRadar’s default rules did a very good job, raising all of our attack attempts to the top of the queue with virtually no “noise” or false positives.

The 2102 device handles up to 50,000 flows per second and 500 events per second, and did fine with the Snort, Nessus, and sFlow inputs covering more than 4,000 hosts on our test network. Unfortunately, you can’t scale up the device we tested; instead, you must move to a new box (the high-end 3102 box supports as many as 200,000 flows per second and 2,500 events per second).

Upgrades on the way

We tested QRadar version 5.01, but version 5.1 is set to arrive shortly with some interesting enhancements, including an upgraded Linux kernel, the capability to have a FIPS 140-2 certified secure tunnel between sensor and server with OpenSSH support, additional flow support for Packeteer and NetFlow 9, and several search enhancements for the management UI.

QRadar possesses a solid methodology for correlating network data, combining flow, NBAD, vulnerability, and IDS/IPS technologies with a stellar interface for an almost omniscient view of ever-growing infrastructure. The only real limitations are the short list of compatible data sources and potential scalability issues; we hope those will be addressed in part by the forthcoming 5.1 version.

InfoWorld Scorecard: Q1 Labs QRadar 5.01 and QRadar-2102 appliance
Value (10.0%): 6.0
Scalability (25.0%): 6.0
Interoperability (20.0%): 6.0
Security (10.0%): 7.0
Reporting (25.0%): 9.0
Manageability (10.0%): 7.0
Overall Score (100%): 7.0

Copyright © 2006 IDG Communications, Inc.