Detection in the dark
- By Earl Greer, John Brown
- Aug 16, 2004
Q1 Labs Inc.'s QRadar is one of several entries in a new class of products called network-based anomaly detection software. Because of its real-time views of network activity, QRadar also could compete with network-monitoring and capacity-planning products such as NetQos Inc.'s SuperAgent and ReporterAnalyzer.
But QRadar's main job is to report anomalies based on a statistical analysis of network traffic. QRadar's name stands for Q1 Labs Real-time Anomaly Detection and Resolution. (In previous versions it was named QVision.) As the acronym implies, the product is intended not only to track network activity but also to provide quick analysis and resolution of potential problems: worms, Web server compromises, zero-day attacks (which exploit vulnerabilities before a patch is available) and all those other things that lurk in the dark places of your network.
QRadar is sold as software that is sensibly arranged into three components: a flow collector to gather the data, a classification engine to analyze it and a console to manage everything. You can install all components on one box or place them on separate servers.
For our testing, we used the recommended configuration of a Dell Inc. 2650 dual-processor server with 4GB of RAM running Red Hat Inc. Linux. To increase performance, we configured two physical disks to hold the flow logs and database files. A flow is, roughly, one conversation between two applications on the network: the packets that share a source and destination address, port pair and protocol. We minimized the database's size by keeping the default of four weeks to maintain flow data, but you may want to extend this time period if your organization experiences longer business
We placed our server behind the firewall at the perimeter of our network to monitor the traffic. In enterprise deployments, multiple flow collectors will be strategically placed networkwide to capture data flows and forward them to the classification engine.
After the installation was complete, we browsed the console. But before we could do anything, we had to give information about our network to QRadar so that it could make sense of the traffic. To our relief, the new version has an auto-discovery tool that helps map the network. We then proceeded to the main console, where it took us several minutes to get comfortable with the utilitarian interface and its series of right clicks and submenus.
Looking at a graphical representation of the global network traffic, we noticed a small spike in inbound packets. We were able to track down what was happening by applying different views to the pattern. Alternating views from port to application and then to IP address identifies the source and type of data transfer. This particular transaction was a large file copy via a Microsoft Corp. Windows file-sharing program.
We liked the directional information the view gives for each type of flow because of its value in tracking down suspicious traffic, such as worms or denial-of-service attacks, where conversations are typically one-sided. Wherever unusual traffic showed up, we were presented with graphs.
You will spend most of your time in QRadar configuring sentries: small software robots, in effect detection rules, that you construct to flag unusual behavior and send an alert when that behavior occurs.
The product comes with 15 useful, predefined sentries. We created more, including some alerting us to data transfers from Windows file shares. For fun, we created a sentry to alert us to Internet Control Message Protocol traffic on a small subnet. ICMP supports packets containing error, control and informational messages. We were pleasantly surprised that our logs did not overflow with ICMP alerts. Instead, QRadar logged only one error per node and then recorded increments of the infraction count for subsequent offenses.
The interface is not for network neophytes, but once mastered, it is easy to create the four types of sentries. Two types detect traffic that exceeds a threshold and traffic that violates your organization's policies.
Behavioral sentries require more work but are a powerful way to generate alerts from sudden spikes in host connections or packet counts. Anomaly sentries are similar, but they compare traffic against the learned baseline and alert on deviations from it. It takes at least a couple of weeks for QRadar to learn what is normal.
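To make the four sentry types concrete, here is an added example (our own illustration, not QRadar's code or configuration) that runs threshold, policy, behavioral and anomaly checks over a constructed set of flow records, and then collapses repeated hits into one entry per offending node with an infraction count, the way the ICMP sentry described above behaved. The flow records, the "learned" baseline history and the subnet and threshold values are all assumptions chosen for the demonstration; the directional (packets out versus packets back) check is the one-sided-conversation signature of a worm or denial-of-service source.

```python
"""Flow-based sentries of the four kinds described in the review, run over
constructed flow records. Added example; not Q1 Labs code."""
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass
class Flow:
    src: str
    dst: str
    proto: str      # "tcp", "udp" or "icmp"
    dport: int
    pkts_out: int   # packets from src to dst
    pkts_in: int    # packets from dst back to src


# Constructed sample traffic: one host fanning out one-way SMB probes to 40
# peers (worm-like), one large two-way SMB file copy, one host pinging a
# small subnet, and a little ordinary Web traffic.
FLOWS = (
    [Flow("10.0.0.7", f"10.0.1.{i}", "tcp", 445, 3, 0) for i in range(1, 41)]
    + [Flow("10.0.0.5", "10.0.2.10", "tcp", 445, 5000, 4800)]
    + [Flow("10.0.0.9", f"10.0.3.{i}", "icmp", 0, 2, 2) for i in range(1, 6)]
    + [Flow("10.0.0.3", "10.0.2.20", "tcp", 80, 40, 38),
       Flow("10.0.0.4", "10.0.2.21", "tcp", 443, 30, 29)]
)

# Constructed baseline: connections per interval seen for each host during
# the learning period (the product builds this over a couple of weeks).
BASELINE = {"10.0.0.7": [2, 3, 2, 4, 3, 2, 3, 2, 3, 3],
            "10.0.0.5": [1, 1, 2, 1, 1, 1, 2, 1, 1, 1]}


def threshold_sentry(flows, max_pkts=4000):
    """Threshold sentry: flag any flow whose total packet count exceeds a limit."""
    return [(f.src, f.dst) for f in flows if f.pkts_out + f.pkts_in > max_pkts]


def policy_sentry(flows, watched_subnet="10.0.3.", proto="icmp"):
    """Policy sentry: flag ICMP into a subnet where policy forbids it."""
    return [(f.src, f.dst) for f in flows
            if f.proto == proto and f.dst.startswith(watched_subnet)]


def behavioral_sentry(flows, baseline, sigma=3.0):
    """Behavioral sentry: per-host connection count versus learned mean plus
    sigma standard deviations. Hosts without a baseline are skipped, which is
    why the product needs weeks of traffic before this sentry is useful."""
    conns = defaultdict(int)
    for f in flows:
        conns[f.src] += 1
    alerts = {}
    for host, n in conns.items():
        hist = baseline.get(host)
        if not hist:
            continue
        mu, sd = mean(hist), pstdev(hist)
        if n > mu + sigma * max(sd, 1.0):   # floor on sd avoids a zero-width band
            alerts[host] = n
    return alerts


def anomaly_sentry(flows, min_peers=20, max_reply_ratio=0.1):
    """Anomaly sentry on direction: a host talking to many peers that almost
    never answer is the one-sided pattern of a scanning worm or a DoS source."""
    out, back, peers = defaultdict(int), defaultdict(int), defaultdict(set)
    for f in flows:
        out[f.src] += f.pkts_out
        back[f.src] += f.pkts_in
        peers[f.src].add(f.dst)
    return {h for h in out
            if len(peers[h]) >= min_peers and out[h]
            and back[h] / out[h] <= max_reply_ratio}


def dedupe(alerts):
    """Collapse repeated hits into one entry per offending source with an
    infraction count, so a chatty host does not flood the log."""
    counts = defaultdict(int)
    for src, _dst in alerts:
        counts[src] += 1
    return dict(counts)


if __name__ == "__main__":
    print("threshold:", threshold_sentry(FLOWS))
    print("policy:", dedupe(policy_sentry(FLOWS)))
    print("behavioral:", behavioral_sentry(FLOWS, BASELINE))
    print("anomaly:", anomaly_sentry(FLOWS))
```

The directional check is the one to keep in mind when tuning: a busy file server also talks to many peers, but its reply ratio stays near one, so it is the combination of fan-out and silence that separates a worm from a popular service.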
What we liked
By changing views, we could isolate and identify problem areas quickly. QRadar shines in monitoring application traffic. Being able to identify a problem and immediately associate it with an application is a big time saver. Application information also can catch the processes that are gnawing away at your bandwidth. When you need to dig deeper in any view, the data-mining feature allows you to drill down to perform audit and forensic functions.
We were impressed that QRadar accepts information from a long list of third-party external systems. These include Internet Security Systems Inc.'s RealSecure, Enterasys Networks Inc.'s Dragon, the Snort open-source network intrusion-detection system, and Cisco Systems Inc.'s and Check Point Software Technologies Ltd.'s firewalls. If you use Cisco and have locations where flow collectors are impractical, you can still extend your coverage by opening a port on QRadar to receive Cisco NetFlow exports from your routers.
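For readers who want to know what arrives on that port, the following is an added example (ours, not part of the review or of Q1 Labs' software) that encodes and decodes a Cisco NetFlow version 5 export datagram with the standard 24-byte header and 48-byte records. The sample flow records are constructed. The decoder refuses datagrams whose version or record count does not match the payload, the minimum check a collector should make before trusting data from an open UDP port.

```python
"""Encode and decode Cisco NetFlow v5 export datagrams.
Added example; not Q1 Labs code. Sample records are constructed."""
import socket
import struct

# v5 header: version, count, sys_uptime, unix_secs, unix_nsecs, flow_sequence,
# engine_type, engine_id, sampling_interval (24 bytes, network byte order).
HEADER = struct.Struct("!HHIIIIBBH")
# v5 record: srcaddr, dstaddr, nexthop, input, output, dPkts, dOctets, first,
# last, srcport, dstport, pad1, tcp_flags, prot, tos, src_as, dst_as,
# src_mask, dst_mask, pad2 (48 bytes).
RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")
MAX_RECORDS = 30   # a v5 datagram carries at most 30 records

# Constructed sample: a SYN-only probe to port 445 and a normal HTTP flow.
SAMPLE_RECORDS = [
    {"src": "10.0.0.7", "dst": "10.0.1.1", "pkts": 3, "bytes": 180,
     "sport": 1025, "dport": 445, "proto": 6, "flags": 0x02},
    {"src": "10.0.0.3", "dst": "10.0.2.20", "pkts": 40, "bytes": 31000,
     "sport": 2048, "dport": 80, "proto": 6, "flags": 0x1b},
]


def build_v5(records, seq=1, uptime_ms=100000, unix_secs=1092614400):
    """Build a v5 datagram from record dicts (used here to make test input)."""
    hdr = HEADER.pack(5, len(records), uptime_ms, unix_secs, 0, seq, 0, 0, 0)
    body = b"".join(
        RECORD.pack(socket.inet_aton(r["src"]), socket.inet_aton(r["dst"]),
                    b"\0\0\0\0", 0, 0, r["pkts"], r["bytes"],
                    uptime_ms - 500, uptime_ms, r["sport"], r["dport"],
                    0, r.get("flags", 0), r["proto"], 0, 0, 0, 24, 24, 0)
        for r in records)
    return hdr + body


def parse_v5(datagram):
    """Decode a v5 datagram into a list of flow dicts.
    Raises ValueError on a bad version or a count/length mismatch."""
    if len(datagram) < HEADER.size:
        raise ValueError("datagram shorter than a v5 header")
    ver, count, uptime_ms, _secs, _nsecs, seq, *_ = HEADER.unpack_from(datagram)
    if ver != 5:
        raise ValueError(f"not NetFlow v5 (version {ver})")
    if count > MAX_RECORDS or len(datagram) != HEADER.size + count * RECORD.size:
        raise ValueError("record count does not match datagram length")
    flows = []
    for i in range(count):
        f = RECORD.unpack_from(datagram, HEADER.size + i * RECORD.size)
        flows.append({
            "src": socket.inet_ntoa(f[0]), "dst": socket.inet_ntoa(f[1]),
            "pkts": f[5], "bytes": f[6], "duration_ms": f[8] - f[7],
            "sport": f[9], "dport": f[10], "flags": f[12], "proto": f[13],
            "seq": seq, "exporter_uptime_ms": uptime_ms,
        })
    return flows


def syn_only(flows):
    """Flows whose TCP flags are exactly SYN: attempts that never completed,
    the per-flow view of the one-sided traffic a worm produces."""
    return [f for f in flows if f["proto"] == 6 and f["flags"] == 0x02]


if __name__ == "__main__":
    for flow in parse_v5(build_v5(SAMPLE_RECORDS)):
        print(flow)
```

A real collector also watches the flow_sequence field in the header: a jump larger than the record count of the previous datagram means the router's exports were dropped in transit, and the baseline being learned has a hole in it.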
What we didn't like
Not all features are configurable via the interface. We tried to create custom application detectors through the Applications View menu but found that we were in the wrong place. After rechecking the User Guide, we discovered that to define our own application, we would have to break out of the current application, go to the system console, launch a text editor and then manually create our configuration file.
Because the last "r" in QRadar stands for resolution, we are tempted to criticize the product's resolution features. Competitors such as Arbor Networks Inc., Captus Networks Corp. and Top Layer Networks Inc. emphasize automated resolution in their advertisements. QRadar can do automated remediation, but only an expert network analyst would be able to set up the required scripting.
However, our experience has been that administrators are reluctant to enable automated network remediation features. Perhaps they have seen what happened in the movie "I, Robot" when machines were given the authority to make decisions.
This may change. During the past year, administrators have become aware that human reaction time is not fast enough to stop a network worm. Perhaps only a law-abiding robot can catch a rogue robot.
The bottom line
The best thing about QRadar is that it can identify unauthorized or malicious activity that traditional intrusion-detection systems, intrusion-prevention systems or firewalls cannot. If you manage networks with large user bases or busy server farms, QRadar can sort through a mountain of traffic data and quickly present information that you can actually use.
At the bottom end of pricing for network-based anomaly detection products, we rate QRadar as an excellent value for the cost.
Greer is a network security consultant. Brown is a network analyst at a large Texas state agency. They can be reached at email@example.com.