This article can also be found in the Premium Editorial Download "Information Security magazine: Identity crisis solved: Tips from a top identity management expert."
Q1 Labs QRadar 5.0
Price: Starts at $37,000
Q1 Labs' major upgrade, adding full SIM capability on its existing deep packet inspection technology, gives it unique detection capabilities.
There are many ways to assess threats to your enterprise--IDSes, vulnerability assessment tools and logs from every security and network device you have. Monitoring each of these and culling useful data from the sheer volume of information is a daunting task. Security information management systems (SIMs) address this growing problem by normalizing, correlating and analyzing the hodge-podge of data to produce actionable intelligence.
SIMs are maturing to a level where they are practical and effective, and Q1 Labs has moved to the forefront with its innovative QRadar 5.0. This version marks a major overhaul of the product, as Q1 Labs has integrated a SIM engine with its existing anomaly-based detection technology. The result is a next-generation SIM that correlates and analyzes both security and live network information.
QRadar starts by collecting data from a variety of sources. Event data from devices like firewalls, IDSes, system logs, routers and switches allows QRadar to detect and track emerging threats. Vulnerability data can be collected from several different assessment tools, including Nessus, allowing QRadar to identify known threats.
It's a robust SIM, with support for almost any device, but what sets QRadar apart is its ability to correlate event data with anomaly detection based on its own traffic inspection. QRadar natively learns network flows using its proprietary QFlow collector. Unlike port-based traffic-monitoring systems, QFlow performs deep-packet inspection to identify applications rather than inferring them from port numbers, so a service running on a non-standard port is still recognized for what it is. This gives QRadar a more accurate view of the network and the ability to detect anomalous traffic.
All of this data is churned through its Judicial System Logic, which analyzes and judges the data to create offenses that provide a clear view of network threats.
The result is an accurate picture of threats and the overall state of network security. False positives are sharply reduced as SIM logic is overlaid with network activity.
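To make the two ideas above concrete (payload-based application identification, and overlaying SIM rules on observed network activity to drop false positives), here is an added Python example. It is not Q1 Labs' code and does not reproduce QRadar's Judicial System Logic; the alert format, the rule table, the vulnerability findings and the flow payloads are all constructed for illustration. An IDS alert is promoted to an "offense" only when the flow record shows the attacked application really answered on that port and the scanner shows the target actually carries the matching finding.

```python
import re

# Constructed IDS alerts in a Snort-like syslog format (sample input, not real captures).
IDS_ALERTS = [
    "Jun  1 10:01:02 sensor snort[123]: [1:2003:4] WEB-IIS cmd.exe access 10.0.0.5:4455 -> 10.0.1.10:80",
    "Jun  1 10:01:05 sensor snort[123]: [1:2003:4] WEB-IIS cmd.exe access 10.0.0.5:4456 -> 10.0.1.11:80",
    "Jun  1 10:01:09 sensor snort[123]: [1:2003:4] WEB-IIS cmd.exe access 10.0.0.5:4457 -> 10.0.1.12:80",
]

# Constructed vulnerability-scan results (Nessus-style, simplified): host -> set of finding tags.
VULNS = {
    "10.0.1.10": {"iis-cmd-exe-traversal"},
    "10.0.1.11": set(),
    "10.0.1.12": {"iis-cmd-exe-traversal"},
}

# Constructed flow records: (dst, dport, first bytes the server sent back).
FLOWS = [
    ("10.0.1.10", 80, b"HTTP/1.1 200 OK\r\nServer: Microsoft-IIS/5.0\r\n"),
    ("10.0.1.11", 80, b"SSH-2.0-OpenSSH_4.3\r\n"),   # SSH listening on tcp/80
    # no flow at all for 10.0.1.12: the host never answered the attacker
]

# Hypothetical rule table: which application a signature targets and which
# scanner finding must be present for the attack to matter.
RULES = {
    "WEB-IIS cmd.exe access": ("http", "iis-cmd-exe-traversal"),
}

ALERT_RE = re.compile(
    r"\[\d+:\d+:\d+\] (?P<sig>.+?) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)


def parse_alert(line):
    """Pull signature, source, destination and port out of one alert line."""
    m = ALERT_RE.search(line)
    if not m:
        return None
    return {"sig": m["sig"], "src": m["src"], "dst": m["dst"], "dport": int(m["dport"])}


def identify_app(payload: bytes) -> str:
    """Payload-based application identification: the port number is never consulted."""
    if payload.startswith(b"SSH-"):
        return "ssh"
    if payload.startswith(b"HTTP/") or re.match(rb"(GET|POST|HEAD) ", payload):
        return "http"
    if payload[:2] == b"\x16\x03":          # TLS record header, handshake
        return "tls"
    return "unknown"


def app_by_port(dport: int) -> str:
    """What a port-only monitor would conclude, shown for contrast."""
    return {22: "ssh", 80: "http", 443: "tls"}.get(dport, "unknown")


def correlate(alerts, vulns, flows):
    """Return (offenses, suppressed): alerts confirmed by flow + vuln data, and the rest with a reason."""
    observed = {(dst, dport): identify_app(payload) for dst, dport, payload in flows}
    offenses, suppressed = [], []
    for line in alerts:
        a = parse_alert(line)
        if a is None or a["sig"] not in RULES:
            continue                          # no rule for this signature: nothing to judge
        want_app, want_vuln = RULES[a["sig"]]
        seen_app = observed.get((a["dst"], a["dport"]))
        if seen_app is None:
            suppressed.append((a["dst"], "target never answered"))
        elif seen_app != want_app:
            suppressed.append((a["dst"], f"port {a['dport']} is really {seen_app}, not {want_app}"))
        elif want_vuln not in vulns.get(a["dst"], set()):
            suppressed.append((a["dst"], "scanner shows target not vulnerable"))
        else:
            offenses.append({"dst": a["dst"], "src": a["src"], "sig": a["sig"]})
    return offenses, suppressed


if __name__ == "__main__":
    offenses, suppressed = correlate(IDS_ALERTS, VULNS, FLOWS)
    for o in offenses:
        print("OFFENSE ", o)
    for host, why in suppressed:
        print("DROPPED ", host, "-", why)
```

Of the three identical IDS alerts, only the one against 10.0.1.10 survives: 10.0.1.11 is running SSH on port 80 (a port-based monitor would have called it HTTP and raised a web-attack offense), and 10.0.1.12 never responded, so the attack could not have landed. That is the false-positive reduction the review describes, reduced to a few lines of rule logic.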
QRadar 5.0 is available in three appliance models (we tested the 2101 All-in-One Appliance), depending on network size, or as a software package for large enterprises.
QRadar is configured and monitored through a rich GUI. The Web- and Java-based console allows you to administer the device from any system that supports Java.
This was first published in May 2006