Network World
Clear Choice Test

Security Information and Event Management


Q1 Labs QRadar provides effective security event correlation

By Greg Shipley , Network World , 06/30/2008

Editor's note: This is a summary of our testing of this product, for a full rundown of how it fared in our testing across SIEM categories, please see our full coverage.

Q1 Labs' QRadar is a well-rounded security information and event management platform that became our "go-to product" for validating most of our findings. It earned this status for two reasons. First, it offers the greatest functional flexibility of the products we tested. Second, it provides the most effective correlation rule set right out of the box. The Q1 Labs product simply gave us the greatest visibility into our environment with the least amount of headache.

Q1 Labs shipped us an appliance version of QRadar: a beefy Intel-based system running its proprietary applications and proprietary data storage technology on top of a version of Linux. The user interface is Web-based (plain HTTP/HTML), worked fine in both IE and Firefox, and requires no "fat" client deployment. Despite our inherent dislike of most Web-based user interfaces, we found QRadar's responsiveness acceptable.

Q1 Labs started out in the network security monitoring, or Network Behavior Anomaly Detection (NBAD), space and has branched out into SIEM over the past five years. It did not abandon its NBAD roots, however: the product can still receive network flow data via both Cisco's NetFlow and sFlow, the more generic protocol supported by a variety of network switches. For example, one of the Ethernet ports on the back of our appliance could be configured as a flow receiver. NetFlow and sFlow data provide additional context when analyzing events: more detailed traffic profiles for the hosts involved in an event, better visibility into follow-on sessions after an attack, and an additional method of asset discovery, since a host that sends or receives traffic shows up in flow records even if it never sends a log.
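The three uses of flow data described above, as an added example in Python that is not Q1 Labs or QRadar code. Given one IDS alert and a handful of NetFlow-style records, it pulls the victim's traffic profile around the alert, the follow-on sessions the victim itself opened after the alert, and the assets that flows alone reveal. The record layout (a unidirectional 5-tuple with byte count), the alert format and every address are assumptions and constructed data, not a QRadar schema or a captured export.

```python
"""Flow data as context for a security event (added example, not QRadar code)."""
from collections import Counter
from datetime import datetime, timedelta

# Constructed unidirectional flow records: (start, src, sport, dst, dport, proto, bytes).
FLOWS = [
    ("2008-06-10T09:40:00", "10.1.1.20", 1040, "10.1.1.5", 53, 17, 300),         # routine DNS
    ("2008-06-10T09:58:10", "10.1.1.50", 51201, "10.1.1.20", 445, 6, 9800),      # normal share use
    ("2008-06-10T10:00:02", "192.0.2.7", 41234, "10.1.1.20", 445, 6, 120000),    # exploit delivery
    ("2008-06-10T10:00:40", "10.1.1.20", 1049, "192.0.2.7", 4444, 6, 3100),      # reverse shell
    ("2008-06-10T10:01:10", "10.1.1.20", 1050, "10.1.1.5", 53, 17, 280),         # DNS again
    ("2008-06-10T10:02:15", "10.1.1.20", 1051, "198.51.100.9", 80, 6, 2250000),  # tool download
    ("2008-06-10T10:03:00", "10.1.1.20", 1052, "10.1.1.21", 445, 6, 8000),       # lateral movement
    ("2008-06-10T10:03:05", "10.1.1.20", 1053, "10.1.1.22", 445, 6, 8100),
    ("2008-06-10T11:30:00", "10.1.1.60", 51300, "10.1.1.20", 445, 6, 5000),      # unrelated, later
]

# Constructed IDS alert for the exploit-delivery flow above (hypothetical format).
ALERT = {"ts": "2008-06-10T10:00:05", "src": "192.0.2.7", "dst": "10.1.1.20",
         "sig": "SMB exploit attempt"}


def _t(s):
    return datetime.fromisoformat(s)


def follow_on_sessions(flows, alert, window=timedelta(minutes=15)):
    """Sessions the victim itself opened after the alert. Reverse shells,
    downloads and lateral movement appear here, not in the IDS event."""
    t0 = _t(alert["ts"])
    end = t0 + window
    return [f for f in flows if f[1] == alert["dst"] and t0 <= _t(f[0]) <= end]


def new_peers(flows, alert, window=timedelta(minutes=15)):
    """Destinations the victim contacted after the alert but never before it."""
    t0 = _t(alert["ts"])
    before = {f[3] for f in flows if f[1] == alert["dst"] and _t(f[0]) < t0}
    after = {f[3] for f in follow_on_sessions(flows, alert, window)}
    return after - before


def traffic_profile(flows, host, alert, window=timedelta(minutes=15)):
    """Bytes in/out and (peer, port) counts for host in the window around the alert."""
    t0 = _t(alert["ts"])
    lo, hi = t0 - window, t0 + window
    prof = {"bytes_in": 0, "bytes_out": 0, "peers": Counter()}
    for start, src, _sport, dst, dport, _proto, nbytes in flows:
        if not lo <= _t(start) <= hi:
            continue
        if src == host:
            prof["bytes_out"] += nbytes
            prof["peers"][(dst, dport)] += 1
        elif dst == host:
            prof["bytes_in"] += nbytes
            prof["peers"][(src, dport)] += 1
    return prof


def discovered_assets(flows, internal_prefix="10.1.1."):
    """Asset discovery from flows alone: every internal address seen, with the
    ports it was seen serving. Hosts that never send a log still show up."""
    assets = {}
    for _start, src, _sport, dst, dport, _proto, _nbytes in flows:
        if dst.startswith(internal_prefix):
            assets.setdefault(dst, set()).add(dport)
        if src.startswith(internal_prefix):
            assets.setdefault(src, set())
    return assets


if __name__ == "__main__":
    print("follow-on sessions:", len(follow_on_sessions(FLOWS, ALERT)))
    print("new peers after alert:", sorted(new_peers(FLOWS, ALERT)))
    print("victim profile:", traffic_profile(FLOWS, ALERT["dst"], ALERT))
    print("assets:", discovered_assets(FLOWS))
```

The useful output is the set from new_peers: the victim's outbound connection to the attacker's port 4444, the large download from a host it had never spoken to, and two internal SMB sessions, none of which the IDS alert itself contains. A real deployment would feed the same functions from a NetFlow v5/v9 or sFlow collector rather than an inline list, and would cap the window to keep the peer counters bounded.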

QRadar also has a rudimentary ticketing system built into the product under the label "offense management" that allowed us to delegate investigative tasks to various team members. It only provided the most basic of features (such as open, close, assign, add notes) but was enough for us to get the basics of event handling working from the SIEM system.

QRadar's reporting engine is fairly comprehensive and comes with dozens of predefined reports. That was a little overwhelming at first, but fortunately QRadar also comes with a basic report designer. After a little work we were able to build a few custom reports that were sufficient, and the customizable dashboard provided most of the real-time data we wanted. Our only big complaint with the reporting engine is that it was really hard to get a definitive failed-login report, because of the mess that is Windows authentication logging; to be fair, no product we tested seemed capable of sorting out Microsoft's logging nightmare. The product is not without its shortcomings.
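What makes the Windows failed-login report hard is that the same failure is reported under several event IDs depending on Windows version and authentication path, and often twice (once on the member server, once on the domain controller that validated the credential). The following is an added example in Python, not QRadar's reporting engine: it normalizes the pre-Vista IDs (529 through 539, 675 Kerberos pre-authentication failure, 680 NTLM credential validation) and the Vista/2008 IDs (4625, 4771, 4776) into one schema, drops machine accounts, ANONYMOUS LOGON and success audits, and collapses the DC-side duplicate. The event field names and every sample event are constructed assumptions, not exported Windows records.

```python
"""Failed-logon report over mixed Windows audit events (added example, not QRadar code)."""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# NTSTATUS codes as they appear in the 4625 sub-status and the 4776/680 error code.
NTSTATUS = {
    "0xC000006A": "bad password", "0xC0000064": "unknown user",
    "0xC0000234": "locked out", "0xC0000072": "disabled",
    "0xC0000071": "password expired", "0xC0000193": "account expired",
    "0xC000006F": "outside logon hours", "0xC0000070": "workstation restriction",
}
# Kerberos failure codes carried by 675 / 4771.
KRB = {"0x18": "bad password", "0x6": "unknown user",
       "0x12": "disabled or locked out", "0x17": "password expired"}
# Pre-Vista failure IDs, one ID per reason.
LEGACY = {529: "bad password or unknown user", 530: "outside logon hours",
          531: "disabled", 532: "account expired", 533: "workstation restriction",
          534: "logon type not granted", 535: "password expired", 539: "locked out"}
VALIDATION = {680, 4776}   # DC-side NTLM validation; duplicates the member's 529/4625

# Constructed sample events (hypothetical field names, not a Windows export).
EVENTS = [
    {"ts": "2008-06-10T10:00:00", "host": "FS1", "event_id": 529, "user": "jsmith", "source_ip": "10.1.1.50"},
    {"ts": "2008-06-10T10:00:01", "host": "DC1", "event_id": 680, "user": "jsmith",
     "workstation": "WS50", "error_code": "0xC000006A"},                     # same attempt, DC side
    {"ts": "2008-06-10T10:00:03", "host": "FS1", "event_id": 529, "user": "jsmith", "source_ip": "10.1.1.50"},
    {"ts": "2008-06-10T10:05:00", "host": "APP2", "event_id": 4625, "user": "bob",
     "source_ip": "10.1.1.51", "status": "0xC000006D", "sub_status": "0xC0000234"},
    {"ts": "2008-06-10T10:05:01", "host": "DC2", "event_id": 4776, "user": "bob",
     "workstation": "WS51", "error_code": "0xC0000234"},                     # duplicate of the 4625
    {"ts": "2008-06-10T10:06:00", "host": "DC2", "event_id": 4771, "user": "alice",
     "source_ip": "10.1.1.52", "failure_code": "0x18"},                      # Kerberos, DC only
    {"ts": "2008-06-10T10:07:00", "host": "DC2", "event_id": 4776, "user": "mallory",
     "workstation": "WS9", "error_code": "0xC0000064"},                      # NTLM at the DC only
    {"ts": "2008-06-10T10:08:00", "host": "APP2", "event_id": 4625, "user": "SRV01$",
     "source_ip": "10.1.1.3", "status": "0xC000006D", "sub_status": "0xC000006A"},  # machine account
    {"ts": "2008-06-10T10:09:00", "host": "FS1", "event_id": 529, "user": "ANONYMOUS LOGON", "source_ip": "10.1.1.80"},
    {"ts": "2008-06-10T10:10:00", "host": "APP2", "event_id": 4624, "user": "bob", "source_ip": "10.1.1.51"},
    {"ts": "2008-06-10T10:10:01", "host": "DC2", "event_id": 4776, "user": "bob",
     "workstation": "WS51", "error_code": "0x0"},                            # success audit
]


def normalize(ev):
    """Map one event to a failed-logon row, or None if it is not a reportable failure."""
    user = ev.get("user", "")
    if not user or user.endswith("$") or user.upper() == "ANONYMOUS LOGON":
        return None                                   # machine accounts and null sessions
    eid = ev["event_id"]
    row = {"ts": datetime.fromisoformat(ev["ts"]), "user": user.lower(),
           "source": ev.get("source_ip") or ev.get("workstation") or "?",
           "validation": eid in VALIDATION}
    if eid in LEGACY:
        row["reason"] = LEGACY[eid]
    elif eid == 4625:
        row["reason"] = NTSTATUS.get(ev.get("sub_status"), ev.get("status", "unknown"))
    elif eid in (675, 4771):
        row["reason"] = KRB.get(ev.get("failure_code"), "kerberos failure")
    elif eid in VALIDATION:
        code = ev.get("error_code", "0x0")
        if code == "0x0":
            return None                               # success audit
        row["reason"] = NTSTATUS.get(code, code)
    else:
        return None                                   # 528/540/4624 successes, unrelated events
    return row


def failed_logon_report(events, window=timedelta(seconds=5)):
    """Failures per (user, source) with a reason breakdown, DC duplicates removed."""
    rows = [r for r in map(normalize, events) if r]
    primary = [r for r in rows if not r["validation"]]
    kept = list(primary)
    for r in rows:
        if not r["validation"]:
            continue
        # The DC's 4776/680 names the workstation while the member's 4625/529 carries
        # the IP, so the duplicate is matched on user and time rather than on source.
        if not any(p["user"] == r["user"] and abs(p["ts"] - r["ts"]) <= window for p in primary):
            kept.append(r)                            # DC-only failure, nothing to collapse into
    report = defaultdict(Counter)
    for r in kept:
        report[(r["user"], r["source"])][r["reason"]] += 1
    return {k: dict(v) for k, v in report.items()}


if __name__ == "__main__":
    for (user, source), reasons in sorted(failed_logon_report(EVENTS).items()):
        print(f"{user:10} {source:12} {reasons}")
```

Only credential-validation events are ever dropped, so a brute force seen by the member server keeps its full count; the one undercount this introduces is an NTLM attempt aimed directly at the DC within a few seconds of the same user failing elsewhere. Event 4648 (explicit credentials) and 4768 (TGT request with a failure code) are left out here and would need mappings of their own.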


