Beyond SIM
The principal differentiator for QRadar over other SIM offerings is the correlation of Network Behavior Analysis (NBA) information with security event information, which provides network context. The key differentiators below result from this NBA integration and from a flexible deployment architecture.
QRadar’s Differentiators
Anomaly Detection
Traditional SIM products miss whole categories of security threats. Integrating anomaly detection protects against zero-day attacks and application policy violations that the monitored network and security devices either cannot yet detect or are incorrectly configured or located to detect.
Auto-Discovery
QRadar automatically learns the customer's environment in two ways:
- Asset Discovery and Classification: QRadar uses its native network understanding to discover and classify all assets in the network.
- Device Discovery: QRadar reduces the configuration time by automatically discovering devices that are sending security events or flow information and automatically parsing and correlating this data.
Auto Tuning
QRadar provides and activates rules that are specific to a customer's environment. It uses the information it learns from the network as building blocks that immediately become part of pre-configured security rules.
Creation of Asset Profiles
The passive knowledge derived from NBA enables QRadar to build and maintain asset profiles as IP addresses and hosts appear on the network. QRadar augments these real-time, passive profiles with third-party vulnerability assessment (VA) scans; administrators group and weight the profiles according to business importance, and the profiles then serve as a key source for prioritizing threats as they occur.
Application Layer Network Knowledge
QRadar's ability to collect, visualize, and store application knowledge (including content capture) from the network (regardless of port) is a valuable standalone NBA capability. It is also an important source of validation and forensics when managing security threats. Administrators can immediately datamine security events for important network information that took place at the same time. This network knowledge can also be automatically appended to threats as part of QRadar's event processing.
Example: Events received indicate a DDoS attack and the target's asset profile indicates that the targeted port is open. QRadar performs network flow analysis for five minutes on all flows between the attacker and the target, as well as on other flows being sent out from the target. The event processor then delivers event information to the Judicial System Logic (JSL), which creates offenses and displays them in the QRadar console.
"Q1 Labs has integrated a SIM engine with its existing anomaly-based detection technology. The result is a next-generation SIM that correlates and analyzes both security and live network information."
Hot Pick: Security Information Management
Information Security Magazine
Dynamic Weighting of Information by Severity, Credibility, and Relevance
Using Judicial System Logic, QRadar weighs the severity, credibility, and relevance of events against the targeted assets so that it portrays the magnitude of an attack accurately. This minimizes alert volume: multiple, seemingly disparate events are consolidated in real time into a single actionable offense.
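To make the weighting concrete, here is an added illustrative example (it is not QRadar code, and the scoring formula is an assumption, not QRadar's). It correlates constructed events against constructed asset profiles: relevance is derived from the target's admin-assigned business weight and from whether the targeted port is open in its profile, and every event against one asset collapses into a single offense that carries the peak magnitude.

```python
from dataclasses import dataclass
@dataclass
class Event:
    src: str
    dst: str
    port: int
    category: str
    severity: int     # 1-10: how damaging the reported activity is
    credibility: int  # 1-10: how trustworthy the reporting log source is
# Constructed asset profiles (hypothetical): passively learned open ports plus an admin-assigned business weight (1-10).
ASSETS = {
    "10.0.0.5": {"open_ports": {80, 443}, "weight": 9},  # public web server
    "10.0.0.9": {"open_ports": {22}, "weight": 3},       # low-value lab host
}

# Constructed sample events, not real telemetry.
SAMPLE_EVENTS = [
    Event("203.0.113.7", "10.0.0.5", 80, "DDoS", 8, 7),
    Event("203.0.113.8", "10.0.0.5", 80, "DDoS", 8, 7),
    Event("198.51.100.2", "10.0.0.5", 3389, "Scan", 4, 6),  # port closed on the target
    Event("198.51.100.2", "10.0.0.9", 22, "Brute force", 6, 5),
    Event("198.51.100.2", "10.0.0.9", 80, "Scan", 4, 6),    # port closed on the target
]

def relevance(ev, assets):
    """Relevance 1-10: the target's business weight, halved when the targeted port is closed."""
    profile = assets.get(ev.dst)
    if profile is None:
        return 1  # unknown asset: nothing in the profile to relate the event to
    rel = profile["weight"]
    if ev.port not in profile["open_ports"]:
        rel = max(1, rel // 2)
    return rel

def magnitude(severity, credibility, rel):
    """Assumed 1-10 magnitude: rounded mean of the three scores (illustrative only)."""
    return round((severity + credibility + rel) / 3)

def build_offenses(events, assets):
    """Collapse all events against one target into a single offense that keeps the peak magnitude."""
    offenses = {}
    for ev in events:
        mag = magnitude(ev.severity, ev.credibility, relevance(ev, assets))
        off = offenses.setdefault(ev.dst, {"target": ev.dst, "sources": set(), "categories": set(), "events": 0, "magnitude": 0})
        off["sources"].add(ev.src)
        off["categories"].add(ev.category)
        off["events"] += 1
        off["magnitude"] = max(off["magnitude"], mag)
    return sorted(offenses.values(), key=lambda o: o["magnitude"], reverse=True)
```

Calling `build_offenses(SAMPLE_EVENTS, ASSETS)` turns five events into two offenses: the web server at magnitude 8 with three sources, and the lab host at magnitude 5, with the scans against closed ports contributing little.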
Remediation Directed Back to the Infrastructure
QRadar can send remediation actions to multi-vendor network and security infrastructures (Cisco, Juniper, Check Point, Enterasys). Network context identifies which remediation device is the most logical and appropriate one to take action. Comprehensive auditing, white lists, and role-based access give administrators the tools to control resolution options.
Enterprise Scalability
QRadar was designed with the needs of a large, distributed enterprise in mind. All components of the system can be distributed to maximize performance and minimize overhead, and all functionality, including real-time capabilities, has been built to exploit this distributed architecture.
Flexible Reporting
QRadar provides highly flexible reporting that allows the user to report on every aspect of the network being monitored. Users can configure reports to run against any asset for any time period. By leveraging flow and vulnerability data to support event log data, QRadar provides extensive trend, risk, and compliance reporting.
Traditional event management products require more complex setup and maintenance than QRadar.
This is true for two reasons:
- QRadar's custom data store eliminates the secondary software costs and ongoing maintenance costs that plague other offerings. Designed originally for the real-time storage, retrieval, and analysis of network flow data and then extended to include security event data, the QRadar store is vastly more efficient than off-the-shelf SQL databases, which are ill-suited to security event and network flow management.
- Q1 Labs' deployment model emphasizes out-of-the-box value with minimal tuning. QRadar is offered as a "SIM in a box" appliance family or as software that can be distributed across servers for larger enterprises. Auto-learning, pre-configured rules, and automatic profiling deliver high value with minimal upfront work. The deployment models of other SIMs replicate the ERP business model: software sales matched by very high professional services costs and ongoing maintenance expenses.