Beyond NBAD

QRadar combines network activity and security events in one multi-function command-and-control console and, by tying anomalies to critical or vulnerable assets, improves the analysis of network behavior. For example, a seemingly innocuous file transfer from a critical server may go unnoticed by flow analysis alone, but it becomes a significant concern if it is followed by a web exploit signaled by an IDS/IPS; QRadar flags that combination. QRadar's anomaly detection differs in several key ways.

QRadar's Differentiators

QRadar uses application-layer, flow-based data sources
QRadar has the broadest set of data sources in the industry. It starts with native flow sources (Netflow, cflowd, sflow, JFlow) and adds proprietary QFlow collectors for layer 7 information on application-level behavior. For example, QFlow can see that SSH is tunneled over port 80, or that a peer-to-peer application is running, where other flow formats see only web traffic. Bottom line: QRadar does behavioral analysis at the application level in addition to detecting basic protocol and port anomalies.

QRadar optimizes standard flow formats for security applications
QRadar minimizes the network impact of DoS and worm attacks by creating superflows and flow bundles, retaining critical information while significantly reducing the number of individual flows that are transferred. For example, during the flood of flows caused by a denial-of-service attack, QRadar replaces thousands of similar flow records with a single record that notes the changes. It also compresses web traffic. These benefits apply where Netflow is used as well, because QFlow collectors aggregate Netflow records to create superflows.
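The aggregation idea above can be illustrated with a small script. This is an added example, not QRadar's or Q1 Labs' code, and the grouping key, threshold and record fields are assumptions chosen for illustration: flows sharing a destination, port and protocol are collapsed into one superflow once their count crosses a threshold, while totals and the set of distinct sources are kept so the flood is still visible and nothing is lost for later analysis.

```python
from collections import defaultdict
from dataclasses import dataclass, field


@dataclass
class Flow:
    """One flow record as a collector might export it (constructed fields)."""
    src: str
    dst: str
    dport: int
    proto: str
    packets: int
    octets: int
    start: int  # epoch seconds


@dataclass
class Superflow:
    """One record standing in for many similar flows to the same target."""
    dst: str
    dport: int
    proto: str
    flow_count: int = 0
    packets: int = 0
    octets: int = 0
    sources: set = field(default_factory=set)
    first_seen: int = 0
    last_seen: int = 0


def build_superflows(flows, min_flows=100):
    """Collapse groups of flows that share (dst, dport, proto) into a single
    Superflow once a group reaches min_flows; smaller groups pass through
    unchanged. Packet and byte totals and the distinct-source set are
    preserved, so the volume and spread of a flood remain visible."""
    groups = defaultdict(list)
    for f in flows:
        groups[(f.dst, f.dport, f.proto)].append(f)

    out = []
    for (dst, dport, proto), group in groups.items():
        if len(group) < min_flows:
            out.extend(group)
            continue
        sf = Superflow(dst=dst, dport=dport, proto=proto,
                       first_seen=min(f.start for f in group),
                       last_seen=max(f.start for f in group))
        for f in group:
            sf.flow_count += 1
            sf.packets += f.packets
            sf.octets += f.octets
            sf.sources.add(f.src)
        out.append(sf)
    return out


def total_octets(records):
    """Byte total across plain flows and superflows, to confirm nothing is lost."""
    return sum(r.octets for r in records)


def sample_flows():
    """Constructed traffic: a SYN-flood-like burst of 5000 single-packet flows
    from distinct sources to one web server, plus three ordinary flows."""
    flood = [Flow(src=f"10.200.{i // 256}.{i % 256}", dst="10.0.0.5", dport=80,
                  proto="tcp", packets=1, octets=60, start=1000 + i // 500)
             for i in range(5000)]
    normal = [
        Flow("10.0.1.20", "10.0.0.5", 443, "tcp", 42, 31000, 1001),
        Flow("10.0.1.21", "10.0.0.7", 22, "tcp", 180, 24000, 1003),
        Flow("10.0.1.22", "10.0.0.8", 53, "udp", 2, 190, 1005),
    ]
    return flood + normal


if __name__ == "__main__":
    before = sample_flows()
    after = build_superflows(before)
    print(f"{len(before)} flows -> {len(after)} records, "
          f"{total_octets(before)} octets preserved as {total_octets(after)}")
```

Running the block prints the reduction from 5003 records to 4 with the byte total unchanged; the superflow still carries the 5000 distinct source addresses and the time span of the burst.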

Reliable flow transport protects security data
Netflow and other flow formats use UDP for transport. While that is suitable for performance monitoring or DoS detection, UDP delivery can lose critical information, such as a backdoor flow, that other security applications depend on. QRadar collectors protect that data by aggregating Netflow information and sending it over the WAN using TCP/IP.

Content capture provides detailed forensics
QRadar collectors capture a portion of the content for each flow and store a configurable amount of content from the start of each flow. This provides unrivaled forensic capabilities for investigating an anomaly, such as seeing the name of a file transferred over FTP.

Remediation options for security and network infrastructures
QRadar's resolution module directs remediation to the most logical components of the security and network infrastructures. It supports the following remediation protocols:

  • Session Killer: Blocks TCP-based applications

  • VLAN Quarantine: Prevents all protocols from isolated hosts from being routed to other subnets, CIDRs and VLANs

  • Device Management: Blocks network devices from forwarding all protocols or specific protocols for isolated hosts

3-tier architecture for system-wide view
Separating a distributed storage and analysis layer from the collection and presentation layers gives a system-wide view of network behavior. This architecture also correlates other external threat, security, and vulnerability data effectively.

Real-time network and security pivots speed diagnosis
A fully interactive GUI pivots easily between network and security views for drilling down quickly into traffic information without losing context.

Security event correlation
QRadar collects security events from a heterogeneous set of sources that includes network infrastructure, security devices, servers, and applications. It normalizes all events for automatic out-of-the-box correlation with other events and network flows. QRadar also gathers vulnerability data and incorporates it in asset profiles that are maintained for each business asset.

Asset profiles give a complete picture
QRadar builds asset profiles for each network resource based on passive scanning of the network. Asset profiles capture which services are active now and which were active historically, to establish how severe and relevant threats are to the network. The asset profile also incorporates active vulnerability assessment (VA) scan results from third-party products for a more complete picture of the asset.
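The two ideas the page connects, passively built asset profiles (this section) and the flow-anomaly-plus-IDS-event correlation weighted by asset criticality (the Beyond NBAD introduction), can be shown together in one small script. This is an added example, not QRadar's or Q1 Labs' code: the profile fields, the 1-to-3 criticality scale, the five-minute correlation window, the severity formula and all sample flows, VA findings and alerts are constructed assumptions, and the flow's destination is taken as the server side when inferring services.

```python
from dataclasses import dataclass, field


@dataclass
class Flow:
    ts: int
    src: str
    dst: str
    dport: int
    proto: str


@dataclass
class AssetProfile:
    ip: str
    criticality: int = 1                          # constructed scale: 1 (low) .. 3 (critical)
    services: dict = field(default_factory=dict)  # (proto, port) -> [first_seen, last_seen]
    vulns: set = field(default_factory=set)       # finding ids imported from a third-party VA scan

    def active_services(self, now, idle=86400):
        """Services seen within `idle` seconds of `now`; anything older is
        kept in `services` as history but no longer counts as active."""
        return {svc for svc, (_, last) in self.services.items() if now - last <= idle}


def build_profiles(flows, va_findings, criticality):
    """Passively derive each host's service inventory from observed flows
    (destination = server side) and merge in active VA scan findings."""
    profiles = {}
    for f in flows:
        p = profiles.setdefault(f.dst, AssetProfile(f.dst, criticality.get(f.dst, 1)))
        seen = p.services.setdefault((f.proto, f.dport), [f.ts, f.ts])
        seen[0] = min(seen[0], f.ts)
        seen[1] = max(seen[1], f.ts)
    for ip, finding in va_findings:
        p = profiles.setdefault(ip, AssetProfile(ip, criticality.get(ip, 1)))
        p.vulns.add(finding)
    return profiles


@dataclass
class FlowAnomaly:
    ts: int
    host: str
    detail: str


@dataclass
class IdsAlert:
    ts: int
    host: str
    signature: str


def correlate(anomalies, alerts, profiles, window=300):
    """Pair a flow anomaly with an IDS alert on the same host that follows it
    within `window` seconds, then weight the pair by the asset profile: the
    same transfer scores higher on a critical or vulnerable host."""
    offenses = []
    for a in anomalies:
        for al in alerts:
            if al.host != a.host or not 0 <= al.ts - a.ts <= window:
                continue
            p = profiles.get(a.host, AssetProfile(a.host))
            severity = 1 + p.criticality + (2 if p.vulns else 0)  # constructed formula
            offenses.append({"host": a.host, "anomaly": a.detail, "alert": al.signature,
                             "severity": severity, "vulns": sorted(p.vulns)})
    return offenses


def sample_data():
    """Constructed input: one critical server (10.0.0.5) with a VA finding,
    one ordinary web host (10.0.0.9), a transfer anomaly on each, and an IDS
    alert that follows only the critical server's transfer."""
    flows = [
        Flow(1000, "10.0.1.20", "10.0.0.5", 443, "tcp"),
        Flow(1050, "10.0.1.21", "10.0.0.5", 22, "tcp"),     # seen once, long ago
        Flow(500000, "10.0.1.22", "10.0.0.5", 443, "tcp"),  # 443 still in use
        Flow(1200, "10.0.1.20", "10.0.0.9", 80, "tcp"),
    ]
    va_findings = [("10.0.0.5", "VA-FINDING-PLACEHOLDER")]  # placeholder id, constructed
    criticality = {"10.0.0.5": 3}
    anomalies = [FlowAnomaly(500100, "10.0.0.5", "large outbound transfer to external host"),
                 FlowAnomaly(500100, "10.0.0.9", "large outbound transfer to external host")]
    alerts = [IdsAlert(500200, "10.0.0.5", "web exploit attempt")]
    return flows, va_findings, criticality, anomalies, alerts


def run():
    flows, va_findings, criticality, anomalies, alerts = sample_data()
    profiles = build_profiles(flows, va_findings, criticality)
    return profiles, correlate(anomalies, alerts, profiles)


if __name__ == "__main__":
    profiles, offenses = run()
    for o in offenses:
        print(o)
    print("active on 10.0.0.5:", profiles["10.0.0.5"].active_services(now=500300))
```

The identical anomaly on 10.0.0.9 produces no offense because no IDS alert follows it, while the transfer from 10.0.0.5 is raised with severity 6 (base 1, criticality 3, plus 2 for an open VA finding); the profile also shows tcp/443 as currently active and tcp/22 as historical only.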