Information security can be fundamentally described in terms of protection, detection, and response. One can say a system is secure if it takes an attacker a very long time to break the protection. For example, in encryption, cryptanalysts claim it will take thousands of years to break certain ciphers with large keys. By the time the protection is cracked, the information is no longer relevant or worthwhile. Time is an important benchmark. InfoSec professionals spend a lot of time bolstering protection mechanisms.
For an attack to be prevented, the time protection buys has to be longer than either the time the information stays valuable or the time it takes to detect and respond to the attack. Take this month’s indictment of the computer criminals who stole some 41 million debit and credit cards from computer systems at TJX, Office Max, Boston Market, Barnes & Noble and others. If retailers had detected the attack sooner and responded, the loss of information would have been much smaller.
In fact, detection within 24 hours of the attacker’s initial reconnaissance, followed by an appropriate response, can stop information from being stolen at all. Thus we should spend as much time on detection as we spend on prevention. However, that is often not the case, because detecting means watching what is going on in the system, and for any sizeable network today there is always more going on than one person (or even a team) can watch.
This is the need that security information management (SIM) consoles fill. They watch the network and boil down the information into the key statistics and events. Source data comes from event logs, network flow, and sensors. Performance is important here as networks get rather busy (a typical 100 computer network sees about 20 events and 200 packets per second). SIM consoles then correlate these events and report on suspicious and irregular activities. Hence the criteria for SIMs are ease of use, log and network performance, correlation and detection abilities, and reporting depth and clarity. I recently had an opportunity to evaluate a product in this space: Q1 Labs QRadar.
The breadth of their offering immediately got my attention. QRadar provides all the detection of my personal patchwork of tools. I use a C# app with a SQL database for Windows log management. There is a Syslog system for the Unix/Linux logs. On the network side, Compuware’s NetworkVantage is running for top-level reports. Yet this does not allow me to drill down into the details, which is important for doing forensics, so I have another system that captures network traffic and dumps it into Wireshark for analysis. Neither provides real-time alerting. For that, I have deployed Snort and some other off-brand intrusion detection system (the name escapes me at the moment). During investigations, I have to manually pull information out of all these systems and correlate it with pencil and Excel.
QRadar does this all automatically. The time saved is a real boost in productivity. Yet for all the functionality packed into the product, somehow Q1 Labs has managed to keep the interface clean and uncluttered. The main page is a dashboard I can customize with the feeds that matter to me. These feeds might be hosts at risk, number of attacks, top talkers, et cetera. The UI was very straightforward.
Performance is also up to snuff. QRadar’s pedigree includes Q1 Labs’ earlier network anomaly detection and monitoring tools, so that technology is rather mature. There are two options for flow collection: netflow (switch taps) and qflow (software sniffers). If your equipment supports netflow, use it, because this option provides the best performance. Both options perform within the 200 packets per second range, and scale up to thousands of packets per second.
QRadar’s correlation engine is equally well developed. Forget doing analysis with a stack of printed logs and a sharpened pencil. This tool identifies known attacks quickly and has few false positives on regular network traffic. There is also an ad hoc search capability in the interface. I can specify particular content to look for, like somebody’s name, or a regular expression to match, like a credit card number. Then I can tell QRadar to look for events and packets that match, and pull back a report. QRadar can also return a packet capture that I can view in tools like Wireshark. This is handy for forensics after the attack has been detected and contained.
Of course, sometimes it is quicker to use the built-in reports. There are dozens to choose from. Each report can be run on demand or scheduled. The output can be sent to the dashboard, saved as a file, or emailed out. This is very flexible and another time saver. Imagine, for example, running a report on failed logons every morning. This report then appears in your inbox. It can also be sent to a ticket tracking system for auditing purposes. It is very straightforward.
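To make the two features above concrete (the ad hoc regex search for card-number-like content, and the scheduled failed-logon report), here is an added illustration of the same kind of event search and correlation over a handful of constructed log lines. This is example code written for this review, not QRadar's own code; the event format, field names and threshold are assumptions, and the card numbers are standard test values, not real cards.

```python
"""Toy ad hoc search and correlation over constructed, syslog-like events.
Not QRadar code; the event format and field names are assumptions."""
import re
from collections import Counter

# Constructed sample events. The PANs are well-known test values, not real cards.
SAMPLE_EVENTS = [
    "host=pos-01 user=clerk msg='txn ok pan=4111111111111111'",
    "host=pos-02 user=clerk msg='txn ok pan=4111111111111112'",  # fails Luhn
    "host=dc-01 user=admin msg='logon failed'",
    "host=dc-01 user=admin msg='logon failed'",
    "host=dc-01 user=admin msg='logon failed'",
    "host=dc-01 user=svc msg='logon failed'",
    "host=web-01 user=alice msg='logon ok'",
]

# 16-digit card-number-like content with optional space or dash separators.
CARD_RE = re.compile(r"\b(?:\d[ -]?){15}\d\b")
HOST_RE = re.compile(r"host=(\S+)")


def luhn_ok(digits):
    """Luhn checksum: cuts false positives from random 16-digit strings."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:           # double every second digit from the right
            d = d * 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_card_numbers(events):
    """Ad hoc content search: (event, PAN) pairs that look like a card and pass Luhn."""
    hits = []
    for ev in events:
        for m in CARD_RE.finditer(ev):
            digits = re.sub(r"[ -]", "", m.group(0))
            if luhn_ok(digits):
                hits.append((ev, digits))
    return hits


def failed_logons_by_host(events, threshold=3):
    """Failed-logon report: hosts with at least `threshold` failures (threshold is assumed)."""
    counts = Counter()
    for ev in events:
        if "logon failed" in ev:
            m = HOST_RE.search(ev)
            if m:
                counts[m.group(1)] += 1
    return {host: n for host, n in counts.items() if n >= threshold}
```

On the sample events the search returns only the Luhn-valid PAN, and the report flags dc-01 with four failures.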
QRadar still has some rough spots. The product has a chimera feel produced by integrating log management with network management. The UI is inconsistent: some objects require clicks, some double-clicks, and others right-clicks. Which click is it? You often have to try all three to get the right result. The flexibility in reporting also leads to some odd results, as it is very easy to end up in circular loops as you click through reports for details. Yet these are minor details that will surely work themselves out as the product evolves.
With TJX and co in the news, most security vendors that come calling this month will speak of how their solutions could have curbed the damage. The real acid test is time. How much longer will the information be protected? Alternatively, how much quicker will an attack be detected? Protection mechanisms can only provide partial security. Further, once breached, the exposure goes up dramatically with the amount of time an attacker has on your system. Detection tools are required to compensate for chinks in the armor and contain attacks. So ask the vendor the question, and check out their response.
The best response I have heard comes from Q1 Labs. If there is an attack occurring on your systems, it will show up in QRadar first. Detection time drops significantly when network and host-based information is consolidated and correlated. Combining the top-level overview, necessary for day-to-day management, with the deep-dive details, necessary for incident response and forensics, puts QRadar ahead of the pack. QRadar is an excellent tool, and its reporting and digital forensics capabilities will definitely improve an organization’s security posture.