08:45 01.11.2005

Test Run: Q1Labs' QRadar 5.0

The much matured QRadar from Q1 Labs integrates data collection, correlation and analysis from multiple network devices and applications, making it an all-around security-incident manager.

New to QRadar is the Offense Manager view, which shows network violations and behavioral anomalies requiring attention. The software also offers a customizable, real-time dashboard that displays network traffic and assets; an enhanced reporting engine; a custom rules engine; and a flow-context analysis that compares correlated events to real-time traffic flows.

Highlights
• Customizable dashboard
• Expanded reporting and detection tools
• Customizable event and offense rules
• Includes security event resolution templates

QRadar 5.0 starts at $37,375. Q1 Labs, (781) 250-5800.

I downloaded a license key and beta version of QRadar 5.0 in our Syracuse University Real-World Labs®. We already have version 4.0 collecting and archiving data traffic flows from various products, so rather than upgrade, I installed 5.0 on another server to compare versions. Installation was easy--I just inserted the CD and let the software load.

Like version 4.0, 5.0 employs a flow collector to gather data, a classification engine to perform data analysis and a centralized console for simplified management. QRadar's configuration process now includes a client-based admin application, but you still must feed network information to the software so it can make sense of the traffic.

The QRadar Administration Console, found under "Config" on the dashboard, provides tabular and menu views and intuitively designed icons for configuring the QRadar system, database and sentry settings (version 4.0 required hand-editing text configuration files). From the admin console, I defined our internal network by adding a group and the IP address range to associate with it. I kept the default database retention of four weeks. In addition, I used our existing 4.0 server as a flow processor and added it as an off-site flow source.

Analyze This

Q1 Labs has added what it calls Judicial System Logic (JSL)--a security engine that collates and analyzes information from events, vulnerabilities and traffic flows--to estimate the likelihood that an observed activity is a real network threat.

On our network, QRadar found Trojans, suspicious file names, a backdoor entry and numerous buffer overflows. The software lets you drill down into each offense to validate its relevance, credibility and severity and decide whether to take action. Considering our network setup and use of network-scanning apps, I deemed the overflow messages false positives.

Another handy new feature is the custom-rules option. Still working within the Offense Manager display, I selected Configuration/Rules to create and customize event- and offense-based rules that work in conjunction with the JSL. I added a rule test to the BB Noisy Events building block (a named group of tests that other rules and building blocks can reuse). I then added BB Noisy Events to the Drop Unwanted Events rule, which meant matching events no longer surfaced in the Offense Manager, though QRadar still logged them. The QRadar rules wizard is similar to the rules wizard found in Microsoft Outlook.
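To make the two mechanisms above concrete (the JSL's correlation of an event with the target's known vulnerabilities and with flow context, and a building block of tests reused by a Drop Unwanted Events rule whose matches are suppressed from the offense view but still logged), here is a small rule engine written for this review. It is an added illustration, not Q1 Labs code: the block and rule names mirror the ones in the text, but the event fields, the scanner addresses, the vulnerability and flow tables and the magnitude arithmetic are all assumptions constructed for the example.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional

Event = Dict[str, object]
Test = Callable[[Event], bool]


@dataclass
class BuildingBlock:
    """A named group of tests that rules (or other blocks) can reuse.
    Matches when any one of its tests matches."""
    name: str
    tests: List[Test] = field(default_factory=list)

    def add_test(self, test: Test) -> None:
        self.tests.append(test)

    def __call__(self, event: Event) -> bool:
        return any(t(event) for t in self.tests)


@dataclass
class Rule:
    """Event rule: fires when all of its tests match. action is 'drop' or 'offense'."""
    name: str
    tests: List[Test]
    action: str


@dataclass
class Engine:
    rules: List[Rule]
    vulns: Dict[str, set]        # asset -> vulnerable services (assumed scanner import)
    flows: Dict[tuple, dict]     # (src, dst, dport) -> flow stats (assumed flow source)
    log: List[Event] = field(default_factory=list)
    offenses: List[dict] = field(default_factory=list)

    def magnitude(self, event: Event) -> int:
        """Toy stand-in for offense magnitude: base severity, raised when the target
        is known-vulnerable to the attacked service and when flow context shows the
        target actually answered the attacker (capped at 10)."""
        score = int(event["severity"])
        if event["service"] in self.vulns.get(event["dst"], set()):
            score += 3
        flow = self.flows.get((event["src"], event["dst"], event["dport"]))
        if flow and flow["dst_bytes"] > 0:
            score += 2
        return min(score, 10)

    def process(self, event: Event) -> Optional[dict]:
        self.log.append(event)   # every event is logged, dropped ones included
        for rule in self.rules:  # first matching rule wins
            if all(t(event) for t in rule.tests):
                if rule.action == "drop":
                    return None  # suppressed from the offense view only
                offense = {"rule": rule.name, "event": event,
                           "magnitude": self.magnitude(event)}
                self.offenses.append(offense)
                return offense
        return None


def build_engine() -> Engine:
    noisy = BuildingBlock("BB Noisy Events")
    scanners = {"10.0.5.10", "10.0.5.11"}   # assumed authorised scanner hosts
    # the rule test added to the building block: overflow signatures from our scanners
    noisy.add_test(lambda e: e["src"] in scanners and e["category"] == "buffer overflow")
    rules = [
        Rule("Drop Unwanted Events", [noisy], "drop"),
        Rule("Exploit Attempt", [lambda e: e["category"] == "buffer overflow"], "offense"),
        Rule("Backdoor Traffic", [lambda e: e["category"] == "backdoor"], "offense"),
    ]
    vulns = {"10.0.1.20": {"smb"}}
    flows = {("192.0.2.7", "10.0.1.20", 445): {"dst_bytes": 4096},
             ("10.0.5.10", "10.0.1.20", 445): {"dst_bytes": 0}}
    return Engine(rules, vulns, flows)


SAMPLE_EVENTS = [  # constructed sample events, not real sensor output
    {"src": "10.0.5.10", "dst": "10.0.1.20", "dport": 445, "service": "smb",
     "category": "buffer overflow", "severity": 7},   # our scanner: dropped
    {"src": "192.0.2.7", "dst": "10.0.1.20", "dport": 445, "service": "smb",
     "category": "buffer overflow", "severity": 7},   # outsider vs vulnerable host
    {"src": "192.0.2.7", "dst": "10.0.1.30", "dport": 31337, "service": "unknown",
     "category": "backdoor", "severity": 5},          # no vuln or flow corroboration
]


def run(events: List[Event] = SAMPLE_EVENTS) -> Engine:
    eng = build_engine()
    for e in events:
        eng.process(e)
    return eng


if __name__ == "__main__":
    eng = run()
    print(f"{len(eng.log)} events logged, {len(eng.offenses)} offenses raised")
    for o in eng.offenses:
        print(o["rule"], o["event"]["src"], "->", o["event"]["dst"], "magnitude", o["magnitude"])
```

The point of the drop rule is the order of operations: the event is appended to the log before any rule is evaluated, so suppression only affects what an analyst sees, not what is retained for later forensics. The scoring shows why the reviewer could dismiss scanner-generated overflow alerts while the same signature from an outside host against a vulnerable, responding target still deserves attention.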

The dashboard is one of QRadar's more noticeable improvements, with its user-friendly design and display of real-time network traffic information.

Q1 Labs has added a reporting module that includes a good selection of built-in reports regarding security and network risks. Reports can still be scheduled, delivered, customized and created using built-in templates and a report wizard.

Joanne VanAuken is a technology editor for Secure Enterprise. She has 14 years' experience in computer operations and systems administration. Write to her at


www.securitypipeline.com/