This week Q1 Labs released version 7.0 of QRadar. The software combines security event and information management (SIEM) with network behavior anomaly detection (NBAD) to help IT detect unwanted or malicious activity on the network. The latest version gives administrators visibility into social media use in the enterprise, where such use raises concerns around security, compliance and productivity. QRadar monitors and reports on user activity on hundreds of social media sites, such as Facebook, LinkedIn, Gmail and Twitter.
QRadar's proprietary Qflow traffic monitoring technology uses deep packet inspection to identify applications rather than relying on port numbers for application detection. This, in addition to network telemetry from sources such as netflow and sFlow, and SIEM log correlation and analysis, lets QRadar produce not only high-level information about social media usage but what individual users are actually doing on those sites. For example, admins can see which sites are generating the most traffic among users. Going deeper, IT can identify the users who spend the most time on particular sites. Administrators can also configure QRadar 7.0 to capture network traffic, allowing IT to see if employees are divulging sensitive corporate information.
F.W. Webb, a plumbing supply retailer, uses QRadar to spot network issues, particularly those that might be caused by user activity. "We have very basic users, and the most common complaint is that the network is slow," says Laurence McCall, the company's chief architect IT/security. The company has 70 stores in seven states, plus its headquarters in Bedford, MA. All the production servers are in Bedford, while users on 1,500 PCs communicate via legacy SSH connections. "We put QRadar in and found, for example, that a user was sending pictures of his daughter's wedding to all users. That can saturate the network," says McCall. He says QRadar has enabled him to be proactive about network issues and reduce complaints calls to about two per week, taking a lot of strain off the company's small support staff.
Q1 Labs straddles the SEIM and NBAD markets, which puts them into contention with a variety of other players. The NBAD market, including vendors such as Arbor Networks, Enterasys, Lancope and Sourcefire, has shifted focus somewhat in recent years, emphasizing network monitoring on the operations side in addition to security. Meanwhile, SIEM, featuring companies like RSA, Netforensics, LogLogic, Sensage and Arcsight (just acquired by HP), has gained traction largely because of regulatory compliance, particularly log collection and monitoring requirements for PCI DSS, among other mandates. For more on monitoring networks for security issues, our exclusive InformationWeek Analytics report, "What's Going On?" offers tips and tools to help you get the job done. The report is available here (registration required).
The 7.0 release also marks the integration of Risk Manager into QRadar, Q1's network risk assessment tool, first announced last March. Risk Manager lets enterprises to model potential threats to vulnerable clients across the network. Risk Manager imports vulnerability information from VA scanning tools such as Nessus or Retina and uses its knowledge of network topology, event and activity correlation to identify problems. This capability puts Q1 in yet another market with a handful of network risk assessment vendors including Red Seal Systems and Skybox Security. QRadar pricing starts at under $50,000. The software will be available in the fourth quarter of 2010.
