Category Archives: Head 2 Head

Punching Hard – QRadar Security Intelligence Platform


Off late, at Infosecnirvana, we have been looking beyond ArcSight Enterprise Security Platform (ESP) to see if there are any other SIEM products that either challenge or match up or exceed the capability of ArcSight ESP. One of the products that has caught our attention in recent times is the IBM acquisition – Q1 Labs offering – QRadar Security Intelligence Platform. IBM completed this buy in 2011 and jump started their Security Systems Division providing a platform to compete against HP who jump started their Enterprise Security Products group with the buying of ArcSight in 2010. Both of them are competing hard in the market place and are vying for the top spot as evidenced in numerous SIEM vendor analysis and reports.

Gartner reports are something that every company looks before investing in a SIEM solution. The interesting thing about QRadar that caught our attention is how consistently it has climbed the ladder of the SIEM Leaders Quadrant. Lets take a look at the last 3 years of the Gartner Magic Q to get an idea of the rapid climb of QRadar against ArcSight.


Looking at the graph more closely, even McAfee Nitro and Splunk are catching up in the leaders Q. However, in this post we will concentrate on Q1 Labs QRadar only as they are by and large the biggest threat to ArcSight in terms of technology and capability, not to mention Market share.

First things First:

The QRadar Integrated Security Solutions (QRadar) Platform is an integrated set of products for collecting, analysing, and managing enterprise Security Event information. The various components that are part of this Platform are:

  • QRadar Log Manager – log management solution for Event log collection & storage.
  • QRadar SIEM – Correlation engine
  • QRadar VM – Vulnerability scanner and management tool set available to integrate Event data to Vulnerability data. This provides on demand scans, rescans and vulnerability tracking.
  • QRadar QFlowNetwork Behaviour Analysis & Anomaly detection using network flow data. QFlow provides payload information (up to Layer 7) in every detected event which is a great value addition to Netflow data. 
  • QRadar vFlow – Application Layer monitoring for both Physical & Virtual environment.

Key Strengths of QRadar: Few of the things that blew us away when we played around with IBM QRadar was:

  • Easy Setup – It was a breeze to install the product. There are very few or no moving parts in the installation process. The console is also Web based and is a full functional console. From a deployment and operations perspective, this comes across as a super easy, super quick solution to SIEM needs.
  • Value Out of the Box – QRadar comes packed with a lot of content Out of the box to get up and running. The Dashboards are already built for you, more than 1500 reports are waiting for you to just click and run, rules are categorized nicely under various Threat sections and immediately start firing “Offenses” (Correlation rule triggers are called so in IBM world), Network Flow and Packet data are available instantly under the same unified console when triggers are analysed and so on and so forth. We have never seen such quick turnaround times with any other SIEM product in recent times.
  • Completely Replicated Architecture – Full replication is available in the product and can be enabled with a click. This is something which we were really impressed with. In major organisations, this is non-negotiable and such a easy set up really builds up a story.

Key Weakness of the Product: Now being ArcSight users for several years now, this section is something which is right down our alley. Some of the key weakness we saw with the product are:

  • Scale: In spite of all the ease of set up and value Out of the box, when compared against ArcSight, scaling up with multiple tiers is a problem. One of the caveats we see here is that QRadar is an appliance based model. You can have several collector appliances, but to query them you can have only only Manager or Console Appliance. This will severely impact the scalability in a multi-tier set up.
  • Multi-Tenancy: ArcSight has always been best suited for a Managed service implementation with its Customer tagging, zoning and overall multi-tenancy architecture. However, this is a big problem when it comes to QRadar. They don’t have such a capability today. However, we believe their product road map does talk about such features in the future, but we will have to bite our nails in anticipation.
  • Customization: One of the things which propelled ArcSight to land major defence and government contracts was its capability to customize almost everything except the core source code. When creating Content like Use Cases, Rules, Reports, Third party integration etc. this customization capability comes in handy. Such customization & flexibility is seldom seen in any SIEM product out there. QRadar offers some of these customization, but the moment you take it along that route, you will be disappointed on what it lets you do – Read NO API.
  • Workflow: Other impressive thing about ArcSight is its wonderful content management workflow. It has a full blow case management workflow, event handling workflow, Use Cases workflow etc. whereas QRadar falls short as it does not have any such powerful workflow capabilities. Hopefully IBM will address it in future product releases.

Overall Comparison with ArcSight: ArcSight ESP by far has been the oldest and supposedly the most mature SIEM offering in the market but honestly they are losing ground because, they have not been seriously challenged so far. QRadar does that exactly. Based on the key Strengths and Weaknesses of the product, you should have got an idea of where the product stands.

  • Most of the customers would love to get QRadar in their environment just for the ease of set up and Out of the box value. ArcSight is still a pain to set up and generate value. Most of the implementations of ArcSight have failed for the simple reason – Complexity
  • QRadar put a lot of emphasis on Network security based monitoring approach, where as ArcSight takes an Identity based Security monitoring approach. This is an interesting because the Cyber security world is still split about what is key – “Identity based or Network Security based”. In our humble opinion, a mix of both is what really works.

In Conclusion: QRadar definitely is a wonderful product and a worthy competitor to ArcSight as the battle for the top prize plays out. As technology enthusiasts, we are eager to see how the market plays out, but one thing is for sure

“QRadar Security Intelligence Platform is definitely Punching Hard”.

There you have it!!! Let me know what you guys think about these two products and which one do you prefer and why? Comment on below.

ArcSight CORR 6.0 – Install and Migration

ArcSight (now HP) Enterprise Security Manager (ESM) is the premiere security event manager that analyzes and correlates every other event in order to support the Security Team or analysts in every aspect of security event monitoring, from compliance and risk management to security intelligence and operations. There have been several versions of ArcSight ESM released over a period in time. Their latest version is ArcSight CORR 6.0. At we have got a copy of the latest version and we will be writing a multi-part post on how to Install, Migrate from Older versions to 6.0 and some basic walk around.

In this Part 1 post, we shall cover about the installation of ArcSight CORR (Correlation Optimized Retention and Retrieval), a proprietary data storage and retrieval framework that receives and processes events at high rates, and performs high-speed searches; the latest ArcSight ESM by HP. With the ArcSight CORR, Oracle database is now eliminated.

CORR components:

  • ArcSight Manager
  • CORR Engine
  • ArcSight Console
  • ArcSight Web
  • Management Console
  • Smart Connectors


System: This completely depends on the EPS that you expect to receive. InfoSecNirvana has been working on getting a PoC for this and the below configuration was used:
A VMWare box with 8 cores, 32GB Ram, 256GB SSD HDD, 2TB WD 7200 RPM SATA HDD (Note: for production, there might be/recommend a higher configuration. Check with ArcSight manuals on the same)

OS: Red Hat Enterprise Linux Server release 6.2 x64, installed with xfsprogs-3.1.1-6.el6.x86_64 rpm; this is required to convert some of the ext4 file systems to xfs filesystems. XFS Partition is the most apt format for us to fully utilize the performance enhancements coming with CORR. Typically, I would recommend /opt/ to be formatted with XFS and maximum storage can be allocated to this partition. This is crucial because, the very first step of installation would verify whether the entire /opt/ directory is in XFS. When using VMWare with LVM, we faced some issues during the installation and ArcSight Support could not help us with this. However, when raw devices were mounted as /OPT/ we did not face any issues.

Storage: Please allocate the required storage (calculate based on Number of Devices, Events per second, Average Event Size and Retention period). Remember, CORR is like an ESM with a built in Logger. You can still use a Logger for long term retention if that is what you prefer so that ESM will be lean and mean.

Permissions: The installation has to be done using a Non-Root account. This account can be a service account named”arcsight”. This account should have RWX permissions on the /opt/ directory. Make sure this is satisfied.

Misc: /TMP/ partition should have at least 3GB space. /home/arcsight also should have a minimum of 5GB free space. This is crucial again because, the INSTALL DIR log files are written in these location and if sufficient space is not allocated the installation fails.

The CORR package: Get the CORR installation package and the license from HP ArcSight. This can be obtained from your sales representative with HP/ArcSight.

CORR Installation:
The installation is pretty straightforward and is just a series of clicks. I have given most of the screenshots below just as a reference. Obviously, if you have already installed ArcSight Software, you would not even need this. Once done, you would be able to install the Console to access CORR and play around.

Once the installation is completed, we would want to test the following before we call the install as complete:

  1. Validate the Log Files in the Manager Install Logs and find out if there are any warnings and errors. Generally, this is a best practice to ensure valid installation.
  2. Install the Console and try to connect to ESM, with the default user name and password (mentioned in the install guide). First time when you connect, A certificate import of the Manager happens. If you use a self-signed certificate make sure you note down the parameters used to create cause this will help in future migrations, troubleshooting or recovery.
  3. After connecting to the console, you are ready to go.

Migrations from Existing Installs – Migrating from earlier versions to this CORR instance is tricky, because you are migrating from a DB back end to a NON-DB back end. I will be posting a followup of this post in PART 2 that will detail the migration procedure from 4.X to 5.X.

Stay Tuned to for more!!!

SIEM – The Good, The Bad and The Ugly – Part 2

In Part 1 of the post, we discussed about the several shortcomings of SIEM that has risen over the years. These problems need to be addressed if we need to progress further in our maturity with SIEM technology. Let me start with the main capability required for a SIEM to function – Log Management. This is where majority of the problems are.

Log Management: The problems plaguing Log Management in a Client/Server model are way too many to comprehend. Centralized log Management is the solution, however we don’t have a sound Log Management solution today that addresses these needs. Let us see what problems are there in Log Management and how we could solve this. Log Management is broadly divided into four parts:

  1. Log Collection
  2. Log Categorization
  3. Log Storage
  4. Log Management (Making it easily searchable across large sets)

Log Collection – Client-less and Standardized: In my view, ideal solution would be that, the source devices should not have any clients installed on them, should not need special formatting, should not be taxed in terms of processing. Standard method of data collection should be set as the norm. From a higher order, an RFC or a Standard should be floated that standardizes all the Log Data from every IT device. This standardization would help in two things – One to improve the Overall Logging and Auditing capabilities of devices (Client Less – Out Of Box) in a standard format and the other is to Improve the Security Consciousness of the Application development teams. Think in terms of Logging being a part of standard protocol suite. What this would do is help interoperability between devices, be it Log Sources, Log Collectors, Log Managers etc along with bringing together all the fragmented parts of the existing log management under one umbrella. For example, Every IDS vendor today supports SNORT formatting. Similarly, all SIEM vendors should support a standard log Collection and processing so that interoperability, migration between vendors etc becomes more easy. I know CEF is one of the standards, but I am not sure everyone adopts that today.

Log Categorization – Security and Non-Security: When large volumes of Log data comes in, there is a need to separate the list of Security events from normal Non-Security events. The Log Standard also should specify categorization of Events clearly as Security and Non-Security. For every device class, the Security Events should be listed out and only those logs should be collected by SIEM for correlation and incident management. Many organizations collect way too much Log data (up to 100K) but effectively use only 10% of it for Security purposes. That means the remaining 80-90% is Non-Security related Logs. And this junk is the one eating up Terra bytes of space. There is a huge disparity between the Log Management tier and the SIEM tier. Data Collection is always more and more, however SIEM processing is more focussed. This is where the categorization helps so that SIEM receives only Security events to process.

Log Storage and Log Management – Streamlined and consistent data sets: The moment we start collecting standard data and properly categorizing them, the storage, indexing and retrieval becomes easier. This space we are good at and should continue to improve. Things like using Big Data Storage technologies instead of relying on Oracle or SQL or MySQL as the backend limits the capabilities when handling big data sets. Storage has to be streamlined and new indexing and searching capabilities should be thrown into the future development of Log Management tools and solutions.

Security Incident and Event Management (SIEM) – Once the Log Management problems are sorted out, the SIEM problems become easier to solve. One of the major pain points in using SIEM was the client-server architecture. When Log Collection becomes Client-less, the SIEM solutions need not focus on building Log Collection clients and instead focus their energies on better correlation and intelligence data mining. Some sweeping changes that can be brought into SIEM world are as below:

  • SIEM should be an inference engine, a correlation engine and a Data mining engine only. This will bring more value in the intelligence piece of Log Data Mining rather than just parsing and doing some basic alerting defined. Remember, as I always say, Security is an Intelligence Function and not an Operations Functions
  • SIEM should be able to focus only on Security events for Alerting, reporting and investigation. This is where the Log Standardization and Categorization plays a big role. If SIEM were to process only Security Data, we would never be hitting more than 5K in most enterprises.
  • SIEM should be a fast and agile product and not rely on backend DB queries, reports and stats usually driven using Oracle or SQL. This is something that some vendors are starting to explore. I know Novell e-Sentinel has this capability for a long time, HP is now trying to do similar thing with CORR. This is in my opinion the right way forward
  • The SIEM should also become a more Active tool instead of being a Passive tool as it is today. What I mean by this is, a SIEM should be able to respond to threats in a comprehensive way. It should be able to alert, do basic ITIL Service Management Integration out of the box and also if need be, execute boxed responses for alerts. This is helpful because, many a times the rules written in SIEM are basic and over a period of time become repetitive. Such repeatable alert responses can be automated into a Workflow and the system should be capable of becoming self-sufficient.
  • SIEM should get better at Large Data Set Mining. Today, SIEM Management consoles are “code heavy” in the front end and “CPU heavy” on the backend. This kinda reduces the efficiency of SIEM technologies in perform real-time correlation. A radical change is needed in the way SIEM applications are developed to make the application lightning fast.
  • SIEM should also provide flexibility in terms of customization of Incident Detection and Response templates, writing visualization rules (where you are able to chart Attack Vectors, Vulnerable points, Network Maps etc), trending Historical Data in a way where the system automatically detects a pattern of similar issues in the past and so on and so forth. In short, add “Intelligence as well as Learning Capabilities” to SIEM.

Again, I am not sure I have covered everything in terms of possible improvements to existing problems, but at least grazed on a few.

What else do you think can help improve the SIEM capabilities? Comment on below.