When network managers are tracking down the source of a security breach, the search often stops cold at the IP address.
For instance, a remote user logging on to the network via a VPN connection could have been assigned the same IP address that a traveling user had tapped earlier in the day. After learning the IP address on which the event occurred, the network manager would have to check Windows logs or other identity databases manually to determine which user had been using that IP address at the time of the breach.
That's why Q1 Labs next week is making available an updated version of its QRadar network- and security-management product that relates user identities to specific network and security events and speeds the process of pinpointing the source of a policy, compliance or security breach.
QRadar, which is packaged as an appliance, monitors network flow data and collects events from network and security devices. Now the product relates user identity data from RADIUS and Active Directory servers and from firewalls to IP addresses and security events. The product maps the user identity to asset profiles in numerous ways, including host name to IP address; DNS to IP; group name; user name to IP; media-access-control (MAC) address to IP; and switch port, switch and location.
"This will let network managers not only see the IP address associated with the threat, but also the user ID associated with that IP address and at the time of the threat. QRadar can also keep a history of who that user is and past threats or events associated with the user," says Tom Turner, vice president of marketing at Q1 Labs. "The goal is to answer the questions, 'Who is attacking my network?' or 'Who is out of compliance?' without having to do additional manual forensics."
Turner says QRadar combines network behavior-analysis features with security event management (SEM) capabilities and user identity tracking, making it prime competition for Cisco's MARS (Monitoring Analysis and Response System) product. Q1 Labs also competes with SEM vendor ArcSight and Arbor Networks in the network behavior-analysis market.
Also in this release the company added a bit of network access control (NAC) technology to integrate with customers' NAC efforts. By conforming with Trusted Computing Group's Trusted Network Connect open standards, QRadar performs postadmission monitoring of user IDs on the network and alerts a policy server or gateway, such as Juniper Networks' Infranet Controller, to the policy-violating behavior. From there, policy creators and enforcers may decide to update the user profile or employ stricter enforcement policies.
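The manual lookup described earlier, finding which user held a reused IP address at the moment of an event, can be sketched as a time-bounded join between session records and events. This is an added example, not QRadar code; the record layout, user names, addresses and timestamps are all constructed for illustration.

```python
from datetime import datetime
from typing import NamedTuple, Optional

class Session(NamedTuple):
    user: str
    ip: str
    start: datetime
    end: Optional[datetime]  # None means the session is still open
    source: str              # which identity log supplied the record

def ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%d %H:%M")

# Constructed sample data: one VPN pool address reused by two users in a day.
SESSIONS = [
    Session("traveler", "10.8.0.23", ts("2024-03-04 08:05"), ts("2024-03-04 09:40"), "radius"),
    Session("remote1", "10.8.0.23", ts("2024-03-04 13:10"), ts("2024-03-04 17:55"), "radius"),
    Session("deskuser", "10.1.4.77", ts("2024-03-04 08:30"), None, "active-directory"),
]

# Constructed security events: (time, source IP, description).
EVENTS = [
    (ts("2024-03-04 09:12"), "10.8.0.23", "policy violation: P2P traffic"),
    (ts("2024-03-04 14:47"), "10.8.0.23", "port scan of server subnet"),
    (ts("2024-03-04 11:00"), "10.8.0.23", "connection to blocked host"),
    (ts("2024-03-04 16:20"), "10.1.4.77", "failed admin logons"),
]

def users_at(ip, when, sessions=SESSIONS):
    """Return every user whose session held `ip` at time `when`."""
    return sorted({s.user for s in sessions
                   if s.ip == ip and s.start <= when
                   and (s.end is None or when <= s.end)})

def attribute(events=EVENTS, sessions=SESSIONS):
    """Attach a user to each event; flag gaps and conflicts instead of guessing."""
    out = []
    for when, ip, desc in events:
        users = users_at(ip, when, sessions)
        if len(users) == 1:
            who = users[0]
        elif not users:
            who = "UNATTRIBUTED"                  # no session covered this time
        else:
            who = "AMBIGUOUS:" + ",".join(users)  # overlapping records
        out.append((when, ip, who, desc))
    return out

def history(user, attributed):
    """Events tied to one user, whatever IP address they held at the time."""
    return [row for row in attributed if row[2] == user]
```

The 11:00 event falls between the two VPN sessions, so it is reported as unattributed rather than pinned on whichever user held the address before or after.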