Security intelligence for protecting assets and information from advanced threats.
patricia mwai 31st July 2015

IBM Security QRadar SIEM

QRadar is an integrated set of products for collecting, analyzing, and managing enterprise security event information. The components that make up the platform are:

  • QRadar Log Manager – log management solution for event log collection and storage.
  • QRadar SIEM – the correlation engine that turns collected events and flows into alerts.
  • QRadar VM (Vulnerability Manager) – vulnerability scanner and management tool set that integrates event data with vulnerability data. It provides on-demand scans, rescans and vulnerability tracking.
  • QRadar QFlow – network behavior analysis and anomaly detection using network flow data. QFlow captures application-layer payload in the flow records it generates, which adds considerable value over plain NetFlow data.
  • QRadar VFlow – application-layer monitoring for both physical and virtual environments.

Pros of QRadar:

  • Easy setup – the product is easy to install, with few or no moving parts in the installation process. The console is web based and fully functional. From a deployment and operations perspective it comes across as a very quick, very easy answer to SIEM needs.
  • Value out of the box – QRadar ships with a lot of content to get up and running: dashboards are already built, more than 1,500 reports are ready to click and run, rules are neatly categorized under threat sections and start firing immediately, and network flow and packet data are available instantly in the same unified console when a trigger is analyzed.
  • Fully replicated architecture – full replication (high availability) is available in the product and can be enabled with a click. In major organizations this is non-negotiable, and such an easy set-up makes a strong case.

Cons of QRadar:

  • Scale: in spite of all the ease of setup and value when compared against ArcSight, scaling up across multiple tiers is a problem. QRadar is an appliance-based model: you can have several collector appliances, but only one Manager (the Console) can query them.
  • Multi-tenancy: ArcSight has always been best suited for a managed-service implementation, with its customer tagging, zoning and overall multi-tenancy architecture. This is a big gap in QRadar, which has no such capability at the time of writing, although the product road map does mention such features for the future.
  • Customization: one of the things that helped ArcSight land major defense and government contracts was its capability to customize almost everything except the core source code. When creating content such as use cases, rules, reports and third-party integrations, this flexibility comes in handy, and it is seldom seen in any other SIEM product. QRadar offers some of this customization, but the moment you take it along that route.
  • Workflow: another impressive thing about ArcSight is its content management workflow. It has a full-blown case management workflow and an event handling workflow.

Despite these cons, this family of products provides a consolidated architecture for IT to integrate SIEM, incident forensics, log management, anomaly detection, and vulnerability and configuration management. The result is a lower overall cost of ownership, improved threat detection, and a solution that is easy to deploy and use.