Price: Starts at $37,000
There are many ways to assess threats to your enterprise--IDSes, vulnerability assessment tools and logs from every security and network device you have. Monitoring each of these and culling useful data from the sheer volume of information is a daunting task.
Security information management systems (SIMs) address this growing problem by normalizing, correlating and analyzing the hodge-podge of data to produce actionable intelligence.
SIMs are maturing to a level where they are practical and effective, and Q1 Labs has moved to the forefront with its innovative QRadar 5.0. This version marks a major overhaul of the product, as Q1 Labs has integrated a SIM engine with its existing anomaly-based detection technology. The result is a next-generation SIM that correlates and analyzes both security and live network information.
QRadar starts by collecting data from a variety of sources. Event data from devices like firewalls, IDSes, system logs, routers and switches allows QRadar to detect and track emerging threats. Vulnerability data can be collected from several different assessment tools, including Nessus, allowing QRadar to identify known threats.
It's a robust SIM, with support for almost any device, but what sets QRadar apart is its ability to correlate event data with anomaly detection based on its traffic inspection. QRadar natively learns network flows using its proprietary QFlow. Unlike other traffic-monitoring systems, QFlow performs deep-packet inspection to identify applications rather than relying on port numbers for application detection. This gives QRadar a more accurate look at the network and the ability to detect anomalous traffic.
All of this data is churned through its Judicial System Logic, which analyzes and judges the data to create offenses that provide a clear view of network threats. The result is an accurate picture of threats and the over-all state of network security. False positives are sharply re-duced as SIM logic is overlaid with network activity.
QRadar 5.0 is available in three appliance models (we tested the 2101 All-in-One Appliance), depending on network size, or as a software package for large enterprises. QRadar is configured and displayed through a rich GUI. The Web- and Java-based console allows you to use any system that supports Java to administer the device.
The user-friendly dashboard is highly flexible and easy to navigate. You can configure different views for each user, providing a real-time view of the data giving you a clear picture of your network security. The myriad options available for viewing and drilling down into the dashboard information may be overwhelming at first, and it will take a while to be comfortable enough to get the most out of QRadar. However, its extensive help pages will guide you through the learning curve.
The reporting module provides a number of built-in reports for viewing security risks. Reports can be customized, delivered and exported.
Q1 Labs has delivered an innovative product to meet the demand for effective enterprise network security management. QRadar is a powerful package, and, after learning the ropes, is easy to use. With diligent use, it will help any enterprise rein in and analyze all of the data from point security devices on the network.
This product review originally appeared in the May 2006 issue of Information Security magazine.