Q1 Labs QRadar provides effective security event correlation
By Greg Shipley, Network World, 06/30/2008
Editor's note: This is a summary of our testing of this product; for a full rundown of how it fared across the SIEM categories we tested, please see our full coverage.
Q1 Labs' QRadar is a well-rounded security information and event management platform that became our "go-to product" for validating most of our findings. It earned this status for two primary reasons. First, it offers the greatest functional flexibility. Second, it provides the most effective correlation rule set right out of the box. The Q1 Labs product simply offered the greatest visibility into our environment with the least amount of headache.
Q1 Labs shipped us an appliance version of its QRadar product, which is a beefy Intel-based system running the company's proprietary applications and proprietary data storage technology on a version of Linux under the hood. The user interface is HTTP/HTML-based, worked fine in both IE and Firefox, and requires no deployment of "fat" clients. Despite our inherent dislike of most Web-based user interfaces, we found QRadar's user interface responsiveness acceptable.
Q1 Labs started out in the network security monitoring or Network Behavior Anomaly Detection (NBAD) space and has branched out into SIEM over the past five years. It did not completely abandon its NBAD roots, however, and the product can still receive network flow data via both Cisco's NetFlow and sFlow, the more generic protocol that collects information from a variety of network switches. For example, one of the Ethernet ports on the back of our appliance could be configured as a flow receiver. The NetFlow and sFlow data can provide additional context when analyzing events, such as more detailed target and victim traffic profiles, better visibility into follow-on sessions after attacks, and an additional method of asset discovery.
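The three uses of flow data named above (a traffic profile for the host involved in an event, follow-on sessions it opened after the attack, and discovery of hosts missing from the asset inventory) can be shown on a handful of records. The following is an added example written for this summary, not QRadar code or Q1 Labs' correlation logic; the comma-separated records are a constructed stand-in for exported NetFlow/sFlow fields, the addresses come from documentation ranges, and the alert time and inventory are assumed values.

```python
"""Flow records as context around one security event (constructed example)."""
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample: start,src,dst,dport,bytes. 10.1.2.0/24 is the "inside",
# 192.0.2.77 plays the external source of the alert, 198.51.100.9 an unknown host.
FLOW_RECORDS = """\
# start,src,dst,dport,bytes
2008-06-10T09:00:00,10.1.2.50,10.1.2.10,445,20480
2008-06-10T09:05:00,10.1.2.50,10.1.2.20,80,3072
2008-06-10T09:30:00,10.1.2.50,10.1.2.10,445,10240
2008-06-10T10:15:00,192.0.2.77,10.1.2.50,445,8192
2008-06-10T10:16:00,10.1.2.50,198.51.100.9,443,512000
2008-06-10T10:17:00,10.1.2.50,10.1.2.61,445,4096
2008-06-10T10:20:00,10.1.2.50,10.1.2.10,445,2048
"""


@dataclass(frozen=True)
class Flow:
    start: datetime
    src: str
    dst: str
    dport: int
    nbytes: int


def parse_flows(text):
    """Parse the simplified CSV records, skipping blanks and '#' comments."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, dport, nbytes = line.split(",")
        flows.append(Flow(datetime.fromisoformat(ts), src, dst, int(dport), int(nbytes)))
    return flows


def traffic_profile(flows, host, start, end):
    """Ports touched and bytes moved by a host within [start, end]: the
    'what does this box normally do' context for an event involving it."""
    hits = [f for f in flows if host in (f.src, f.dst) and start <= f.start <= end]
    return {"flows": len(hits), "bytes": sum(f.nbytes for f in hits),
            "ports": Counter(f.dport for f in hits)}


def follow_on_sessions(flows, victim, attack_time, window):
    """Outbound (dst, port) pairs the victim opened after the attack that it
    never opened before it; these are the sessions an analyst reviews first."""
    baseline = {(f.dst, f.dport) for f in flows
                if f.src == victim and f.start < attack_time}
    after = {(f.dst, f.dport) for f in flows
             if f.src == victim and attack_time <= f.start <= attack_time + window}
    return sorted(after - baseline)


def discover_assets(flows, inventory, internal_prefix):
    """Internal addresses that appear in flow data but not in the asset inventory."""
    seen = {addr for f in flows for addr in (f.src, f.dst)
            if addr.startswith(internal_prefix)}
    return seen - set(inventory)


def investigate(records, victim, attack_time_iso, inventory, internal_prefix, window_hours=2):
    """Assemble the three kinds of flow context for one alert."""
    flows = parse_flows(records)
    t_attack = datetime.fromisoformat(attack_time_iso)
    window = timedelta(hours=window_hours)
    return {
        "before": traffic_profile(flows, victim, t_attack - window, t_attack - timedelta(seconds=1)),
        "after": traffic_profile(flows, victim, t_attack, t_attack + window),
        "follow_on": follow_on_sessions(flows, victim, t_attack, window),
        "unknown_assets": sorted(discover_assets(flows, inventory, internal_prefix)),
    }


if __name__ == "__main__":
    # Assumed alert: 192.0.2.77 -> 10.1.2.50:445 at 10:15; inventory lacks 10.1.2.61.
    result = investigate(FLOW_RECORDS, "10.1.2.50", "2008-06-10T10:15:00",
                         {"10.1.2.10", "10.1.2.20", "10.1.2.50"}, "10.1.2.")
    for key, value in result.items():
        print(key, value)
```

In the sample the victim's pre-attack profile is file-sharing and Web traffic to two known servers; after the alert it opens a large HTTPS session to an address it never talked to before and an SMB session to an internal host absent from the inventory, which is exactly the kind of context the flow receiver adds to an event that, on its own, says only "445/tcp from outside".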
QRadar also has a rudimentary ticketing system built into the product under the label "offense management" that allowed us
to delegate investigative tasks to various team members. It only provided the most basic of features (such as open, close,
assign, add notes) but was enough for us to get the basics of event handling working from the SIEM system.
QRadar's reporting engine is fairly comprehensive and comes with dozens of predefined reports. It was a little overwhelming at first, but fortunately QRadar also comes with a basic report designer. After a little work we were able to build a few custom reports that were sufficient, and the customizable dashboard provided most of the real-time data we wanted. Our only big complaint with the reporting engine is that it was really hard to get a definitive failed-login report because of the mess that is Windows authentication logging, but to be fair, no product seemed capable of sorting out Microsoft's logging nightmare.
The product is not without its shortcomings.
Our biggest complaints with QRadar are that we struggled when performing certain tasks and felt a number of things simply weren't intuitive from within the user interface. For example, the designers are not consistent in their use of right-clicking, which makes it difficult to know when to double-click on an event, when to right-click, and when to simply choose a different menu item. It was also hard to drill down into certain items. For example, when we spotted the login attempts from an account that had been disabled days earlier, we wanted to validate the alert by examining the raw event log. It took us several attempts to drill down into that exact event, and some attempts led us into seemingly endless loops of queries. It was also a little confusing which settings were configured through the main menu and which were editable only via a separate configuration tool. Once we got used to these minor annoyances, life got easier, but Q1 Labs would do well to upgrade the user interface for consistent behavior throughout.
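Two findings above rest on the same normalization problem: the "definitive failed login report" that Windows authentication logging makes so hard, and the alert on login attempts against an account disabled days earlier. Both come down to mapping several Windows event schemas onto one record and then joining records by account. The following is an added example written for this summary, not Q1 Labs' rule set or DSM logic. The event IDs are the real Windows ones (529/531/539/680 and 629 from the Windows 2000/2003 security log, 4625/4776 and 4725 from Vista/2008, with the NT status codes that 4625, 680 and 4776 carry), but the log lines are a constructed key=value rendering, not genuine Windows event text, and the hosts, users and addresses are made up.

```python
"""Normalize Windows failed-logon events from two log schemas into one report
and correlate them with earlier account-disable events (constructed example)."""
from collections import Counter
from dataclasses import dataclass
from datetime import datetime

# Constructed sample in a simplified 'timestamp key=value ...' form. DC1/DC2 are
# domain controllers, FS1 a member server; WEB01$ is a machine account.
SAMPLE_LOG = """\
2008-06-09T08:00:00 host=DC1 id=629 user=jdoe
2008-06-12T03:10:00 host=DC1 id=529 user=jdoe src=10.1.2.77
2008-06-12T03:11:00 host=FS1 id=4625 user=jdoe src=10.1.2.77 substatus=0xC0000072
2008-06-12T09:00:00 host=FS1 id=4625 user=asmith src=10.1.2.15 substatus=0xC000006A
2008-06-12T09:00:30 host=FS1 id=4625 user=asmith src=10.1.2.15 substatus=0xC000006A
2008-06-12T09:01:00 host=DC1 id=680 user=asmith src=10.1.2.15 code=0xC000006A
2008-06-12T09:05:00 host=DC2 id=4776 user=WEB01$ code=0xC000006A
2008-06-12T10:00:00 host=FS1 id=4624 user=asmith src=10.1.2.15
"""

# NT status codes found in the 4625 SubStatus field and the 680/4776 error code.
STATUS_REASON = {
    "0xc000006a": "bad password",
    "0xc0000064": "no such user",
    "0xc0000072": "account disabled",
    "0xc0000234": "account locked out",
}
# Pre-Vista logs encode the failure reason in the event ID itself.
LEGACY_FAILURE = {529: "bad credentials", 531: "account disabled", 539: "account locked out"}
ACCOUNT_DISABLED_IDS = {629, 4725}


@dataclass(frozen=True)
class FailedLogon:
    time: datetime
    user: str
    src: str
    reason: str
    event_id: int


def parse_line(line):
    ts, *fields = line.split()
    ev = {"time": datetime.fromisoformat(ts)}
    for field in fields:
        key, _, value = field.partition("=")
        ev[key] = value
    ev["id"] = int(ev["id"])
    return ev


def parse_log(text):
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def as_failed_logon(ev):
    """Map one raw event to a FailedLogon, or None if it is not a logon failure."""
    eid = ev["id"]
    if eid in LEGACY_FAILURE:
        reason = LEGACY_FAILURE[eid]
    elif eid == 4625:
        reason = STATUS_REASON.get(ev.get("substatus", "").lower(), "other failure")
    elif eid in (680, 4776):
        code = ev.get("code", "0x0").lower()
        if code == "0x0":  # 680/4776 are also written for successful validation
            return None
        reason = STATUS_REASON.get(code, "other failure")
    else:
        return None  # 4624 and everything else is not a failure
    return FailedLogon(ev["time"], ev["user"], ev.get("src", "-"), reason, eid)


def normalize(events):
    return [fl for fl in map(as_failed_logon, events) if fl is not None]


def failed_login_report(failed, exclude_ids=frozenset(), skip_machine_accounts=True):
    """Failed logons per user. 680/4776 are the domain controller's view of a
    credential check that a member server may also log as 4625; when both logs
    are collected, pass exclude_ids={680, 4776} to count each attempt once."""
    counts = Counter()
    for fl in failed:
        if fl.event_id in exclude_ids:
            continue
        if skip_machine_accounts and fl.user.endswith("$"):
            continue
        counts[fl.user] += 1
    return counts


def disabled_account_attempts(events, failed):
    """Failed logons for accounts that an earlier 629/4725 event disabled."""
    disabled_at = {}
    for ev in events:
        if ev["id"] in ACCOUNT_DISABLED_IDS:
            disabled_at.setdefault(ev["user"], ev["time"])
    return [(fl.user, disabled_at[fl.user].isoformat(), fl.time.isoformat())
            for fl in failed
            if fl.user in disabled_at and fl.time > disabled_at[fl.user]]


if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    failed = normalize(events)
    print("failed logins:", dict(failed_login_report(failed)))
    print("deduplicated:", dict(failed_login_report(failed, exclude_ids={680, 4776})))
    print("disabled-account attempts:", disabled_account_attempts(events, failed))
```

The sample shows why the report is hard to get right: the same bad-password attempt by asmith appears as 4625 on the member server and as 680 on the domain controller, so a naive count overstates it, while jdoe's attempts surface under two different IDs (529 and 4625) and only one of them carries the "account disabled" status code. The join against the earlier 629 event is what turns those two lines into the alert the review describes.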
Comments (2)
just wasting time
By Rec on November 13, 2008, 11:34 am
I downloaded the free edition that runs as a VM appliance. The installation is easy, but the user interface is really cumbersome, confusing and not working properly at...
I tried it
By Anonymous on January 1, 2009, 7:41 pm
It worked as advertised. You're probably using a DSM not included in the free release.