Detection in the dark

Q1 Labs Inc.'s QRadar is one of several entries in a new class of products called network-based anomaly detection software. Because of its real-time views of network activity, QRadar also could compete with network-monitoring and capacity-planning products such as NetQos Inc.'s SuperAgent and ReporterAnalyzer.

But QRadar's main job is to report anomalies based on a statistical analysis of network traffic. QRadar's name stands for Q1 Labs Real-time Anomaly Detection and Resolution. (In previous versions it was named QVision.) As the acronym implies, the product is intended not only to track network activity but also to provide quick analysis and resolution of potential problems: worms, Web server compromises, zero-day attacks (which exploit vulnerabilities that have not been announced and for which no patch is yet available) and all the other things that lurk in the dark places of your network.

QRadar is sold as software that is sensibly arranged into three components: a flow collector to gather the data, a classification engine to analyze it and a console to manage everything. You can install all components on one box or place them on separate servers.

For our testing, we used the recommended configuration of a Dell Inc. 2650 dual-processor server with 4GB of RAM running Red Hat Inc. Linux. To increase performance, we configured two physical disks to hold the flow logs and database files. A flow is basically a record of one communication between two applications on the network. We minimized the database's size by keeping the default retention period of four weeks for flow data, but you may want to extend this period if your organization has longer business cycles.

We placed our server behind the firewall at the perimeter of our network to monitor the traffic. In enterprise deployments, multiple flow collectors will be strategically placed networkwide to capture data flows and forward them to the classification engine.

After the installation was complete, we browsed the console. But before we could do anything, we had to give information about our network to QRadar so that it could make sense of the traffic. To our relief, the new version has an auto-discovery tool that helps map the network. We then proceeded to the main console, where it took us several minutes to get comfortable with the utilitarian interface and its series of right clicks and submenus.

Looking at a graphical representation of the global network traffic, we noticed a small spike in inbound packets. We were able to track down what was happening by applying different views to the pattern. Alternating views from port to application and then to IP address identifies the source and type of data transfer. This particular transaction was a large file copy via a Microsoft Corp. Windows file-sharing program.

We liked the directional information the view showed for each type of flow because of its value in tracking down suspicious traffic, such as worms or denial-of-service attacks, where conversations are typically one-sided. Wherever unusual traffic showed up, we were presented with graphs.
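The two techniques described above, pivoting the same flow data through port, application and IP address views and then looking for one-sided conversations, can be shown on a handful of constructed flow records. This is an added illustration, not code from QRadar or from the reviewers; the Flow fields, the 5 percent reply-share cutoff and the sample addresses are assumptions made for the example.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    """One conversation between two endpoints as a flow collector might record it.
    The fields are assumptions for this example, not QRadar's flow schema."""
    src: str
    dst: str
    dport: int
    app: str
    pkts_fwd: int   # packets from src to dst
    pkts_rev: int   # packets from dst back to src


def summarize(flows, key):
    """The 'change views' step: total packets grouped by port ("dport"),
    application ("app") or IP address ("src" / "dst")."""
    totals = defaultdict(int)
    for f in flows:
        totals[getattr(f, key)] += f.pkts_fwd + f.pkts_rev
    return dict(totals)


def is_one_sided(flow, max_reply_share=0.05):
    """A conversation is one-sided when the reverse direction carries almost no packets."""
    total = flow.pkts_fwd + flow.pkts_rev
    return total > 0 and flow.pkts_rev / total <= max_reply_share


def find_one_sided_sources(flows, min_targets=5, min_share=0.8):
    """Flag sources that reach many distinct hosts with mostly one-sided conversations,
    the shape that worm propagation, scanning and flooding leave in flow data."""
    by_src = defaultdict(list)
    for f in flows:
        by_src[f.src].append(f)
    findings = {}
    for src, fl in by_src.items():
        targets = {f.dst for f in fl}
        if len(targets) < min_targets:
            continue
        share = sum(is_one_sided(f) for f in fl) / len(fl)
        if share >= min_share:
            findings[src] = {
                "targets": len(targets),
                "one_sided_share": round(share, 2),
                "ports": sorted({f.dport for f in fl}),
            }
    return findings


# Constructed sample flows (not captured data):
SAMPLE_FLOWS = [
    # a large but legitimate file copy: one peer, packets in both directions
    Flow("10.0.1.20", "10.0.2.5", 445, "smb", 48000, 21000),
    # ordinary web browsing from a workstation
    Flow("10.0.1.21", "198.51.100.10", 443, "https", 300, 900),
    Flow("10.0.1.21", "198.51.100.11", 443, "https", 120, 400),
]
# a host sweeping a /24 on the SMB port and getting no replies at all
SAMPLE_FLOWS += [
    Flow("10.0.1.66", f"10.0.3.{i}", 445, "smb", 3, 0) for i in range(1, 41)
]


if __name__ == "__main__":
    for view in ("dport", "app", "src"):
        print(view, summarize(SAMPLE_FLOWS, view))
    print(find_one_sided_sources(SAMPLE_FLOWS))
```

The application view alone would show SMB as the busiest protocol, which is the legitimate file copy; only the directional check separates the 40 unanswered SMB probes from the one large two-way transfer.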

You will spend most of your time in QRadar configuring sentries, small monitoring rules that you construct to detect unusual behavior and send alerts when that behavior occurs.

The product comes with 15 useful, predefined sentries. We created more, including some alerting us to data transfers from Windows file shares. For fun, we created a sentry to alert us to Internet Control Message Protocol traffic on a small subnet. ICMP carries error, control and informational messages. We were pleasantly surprised that our logs did not overflow with ICMP alerts. Instead, QRadar logged only one alert per node and then incremented that node's infraction count for each subsequent offense.

The interface is not for network neophytes, but once mastered, it is easy to create the four types of sentries. Two types are straightforward: one detects traffic that exceeds a threshold you set, the other traffic that violates your organization's policies.

Behavioral sentries require more work but are a powerful way to generate alerts from sudden spikes in host connections or packet counts. Anomaly sentries are similar, but they generate alerts about abnormal traffic. It takes at least a couple of weeks for QRadar to learn what is normal.
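The three mechanisms described in the last few paragraphs, a fixed threshold, a policy rule scoped to a subnet, and a behavioral baseline that must first learn what is normal, together with the one-alert-per-node bookkeeping the reviewers observed with their ICMP sentry, fit in a short model. This is an added example written for this review, not QRadar's sentry implementation; the sample counters, the field names, the ten-interval learning window and the three-standard-deviation cutoff are assumptions made for the illustration.

```python
import statistics
from collections import defaultdict
from ipaddress import ip_address, ip_network

# A sample is one host's counters for one collection interval, for example
# {"conns": 12, "icmp_pkts": 0}. The field names are assumptions for this example.


class Sentry:
    """Evaluates one (host, sample) pair. As observed in the review, an alert is logged
    only on a node's first offense; later offenses just increment that node's
    infraction count, so one chatty host cannot flood the alert log."""

    def __init__(self, name):
        self.name = name
        self.infractions = defaultdict(int)

    def violates(self, host, sample):
        raise NotImplementedError

    def check(self, host, sample):
        if not self.violates(host, sample):
            return None
        self.infractions[host] += 1
        return f"{self.name}: {host}" if self.infractions[host] == 1 else None


class ThresholdSentry(Sentry):
    """Fires when a counter exceeds a fixed limit."""

    def __init__(self, name, field, limit):
        super().__init__(name)
        self.field, self.limit = field, limit

    def violates(self, host, sample):
        return sample.get(self.field, 0) > self.limit


class PolicySentry(Sentry):
    """Fires when a host inside a watched subnet carries traffic the policy forbids
    (here: any ICMP at all on the subnet, as in the reviewers' test)."""

    def __init__(self, name, subnet, field):
        super().__init__(name)
        self.subnet, self.field = ip_network(subnet), field

    def violates(self, host, sample):
        return ip_address(host) in self.subnet and sample.get(self.field, 0) > 0


class BehavioralSentry(Sentry):
    """Learns a per-host baseline over a training window, then fires when a counter
    jumps more than k standard deviations above that host's mean. An anomaly sentry
    would use the same machinery on a different measure of the traffic."""

    def __init__(self, name, field, window=10, k=3.0):
        super().__init__(name)
        self.field, self.window, self.k = field, window, k
        self.history = defaultdict(list)

    def violates(self, host, sample):
        value = sample.get(self.field, 0)
        hist = self.history[host]
        if len(hist) < self.window:          # still learning what "normal" is
            hist.append(value)
            return False
        mean = statistics.fmean(hist)
        stdev = statistics.pstdev(hist) or 1.0   # avoid a zero-width baseline
        if value > mean + self.k * stdev:
            return True                      # spikes are not folded into the baseline
        hist.append(value)
        del hist[0]                          # a normal sample rolls the window forward
        return False


def run_sentries(sentries, samples):
    """samples: iterable of (host, sample) in time order. Returns the alerts raised."""
    alerts = []
    for host, sample in samples:
        for s in sentries:
            alert = s.check(host, sample)
            if alert:
                alerts.append(alert)
    return alerts


# Constructed samples (not captured data): a steady workstation that suddenly opens
# far more connections, and a host on the watched subnet that pings twice.
SAMPLES = [("10.0.1.20", {"conns": c, "icmp_pkts": 0})
           for c in [10, 12, 11, 13, 12, 10, 11, 14, 12, 11, 12, 180, 190]]
SAMPLES += [("10.0.5.7", {"conns": 3, "icmp_pkts": 4}),
            ("10.0.5.7", {"conns": 2, "icmp_pkts": 6})]


def build_sentries():
    return [
        ThresholdSentry("conns over 150", "conns", 150),
        PolicySentry("ICMP on 10.0.5.0/24", "10.0.5.0/24", "icmp_pkts"),
        BehavioralSentry("connection spike", "conns", window=10, k=3.0),
    ]


def demo():
    """Run the constructed samples through fresh sentries; returns (alerts, infraction counts)."""
    sentries = build_sentries()
    alerts = run_sentries(sentries, SAMPLES)
    return alerts, {s.name: dict(s.infractions) for s in sentries}


if __name__ == "__main__":
    print(demo())
```

Note that the behavioral sentry says nothing until its ten-sample window is full, which is the small-scale version of the multi-week learning period mentioned above, and that a spike which trips the sentry is deliberately kept out of the baseline so repeated attacks do not teach the sentry that the attack is normal.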

What we liked

By changing views, we could isolate and identify problem areas quickly. QRadar shines in monitoring application traffic. Being able to identify a problem and immediately associate it with an application is a big time saver. Application information also can catch the processes that are gnawing away at your bandwidth. When you need to dig deeper in any view, the data-mining feature allows you to drill down to perform audit and forensic functions.

We were impressed that QRadar accepts information from a long list of third-party external systems. These include Internet Security Systems Inc.'s RealSecure, Enterasys Networks Inc.'s Dragon, the Snort open-source network intrusion-detection system, and Cisco Systems Inc.'s and Check Point Software Technologies Ltd.'s firewalls. If you use Cisco and have locations where flow collectors are impractical, you can still expand your horizons by opening up a port on QRadar to accept data from Cisco's NetFlow.

What we didn't like

Not all features are configurable via the interface. We tried to create custom application detectors through the Applications View menu but found that we were in the wrong place. After rechecking the User Guide, we discovered that to define our own application, we would have to leave the console, go to a shell on the system, launch a text editor and manually create the configuration file.

Because the last "r" in QRadar stands for resolution, we are tempted to criticize the product's resolution features. Competitors such as Arbor Networks Inc., Captus Networks Corp. and Top Layer Networks Inc. emphasize automated resolution in their advertisements. QRadar can do automated remediation, but only an expert network analyst would be able to set up the required scripting.

However, our experience has been that administrators are reluctant to enable automated network remediation features. Perhaps they have seen what happened in the movie "I, Robot" when machines were given the authority to make decisions.

This may change. During the past year, administrators have become aware that human reaction time is not fast enough to stop a network worm. Perhaps only a law-abiding robot can catch a rogue robot.

The bottom line

The best thing about QRadar is that it can identify unauthorized or malicious activity that traditional intrusion-detection systems, intrusion-prevention systems or firewalls cannot. If you manage networks with large user bases or busy server farms, QRadar can sort through a mountain of traffic data and quickly present information that you can actually use.

At the bottom end of pricing for network-based anomaly detection products, we rate QRadar as an excellent value for the cost.

Greer is a network security consultant. Brown is a network analyst at a large Texas state agency. They can be reached at egreer@thecourageequation.com.
