Punching Hard – QRadar Security Intelligence Platform


QRadarLogo

Off late, at Infosecnirvana, we have been looking beyond ArcSight Enterprise Security Platform (ESP) to see if there are any other SIEM products that either challenge or match up or exceed the capability of ArcSight ESP. One of the products that has caught our attention in recent times is the IBM acquisition – Q1 Labs offering – QRadar Security Intelligence Platform. IBM completed this buy in 2011 and jump started their Security Systems Division providing a platform to compete against HP who jump started their Enterprise Security Products group with the buying of ArcSight in 2010. Both of them are competing hard in the market place and are vying for the top spot as evidenced in numerous SIEM vendor analysis and reports.

Gartner reports are something that every company looks before investing in a SIEM solution. The interesting thing about QRadar that caught our attention is how consistently it has climbed the ladder of the SIEM Leaders Quadrant. Lets take a look at the last 3 years of the Gartner Magic Q to get an idea of the rapid climb of QRadar against ArcSight.

Picture1

Looking at the graph more closely, even McAfee Nitro and Splunk are catching up in the leaders Q. However, in this post we will concentrate on Q1 Labs QRadar only as they are by and large the biggest threat to ArcSight in terms of technology and capability, not to mention Market share.

First things First:

The QRadar Integrated Security Solutions (QRadar) Platform is an integrated set of products for collecting, analysing, and managing enterprise Security Event information. The various components that are part of this Platform are:

  • QRadar Log Manager – log management solution for Event log collection & storage.
  • QRadar SIEM – Correlation engine
  • QRadar VM – Vulnerability scanner and management tool set available to integrate Event data to Vulnerability data. This provides on demand scans, rescans and vulnerability tracking.
  • QRadar QFlowNetwork Behaviour Analysis & Anomaly detection using network flow data. QFlow provides payload information (up to Layer 7) in every detected event which is a great value addition to Netflow data. 
  • QRadar vFlow – Application Layer monitoring for both Physical & Virtual environment.

Key Strengths of QRadar: Few of the things that blew us away when we played around with IBM QRadar was:

  • Easy Setup – It was a breeze to install the product. There are very few or no moving parts in the installation process. The console is also Web based and is a full functional console. From a deployment and operations perspective, this comes across as a super easy, super quick solution to SIEM needs.
  • Value Out of the Box – QRadar comes packed with a lot of content Out of the box to get up and running. The Dashboards are already built for you, more than 1500 reports are waiting for you to just click and run, rules are categorized nicely under various Threat sections and immediately start firing “Offenses” (Correlation rule triggers are called so in IBM world), Network Flow and Packet data are available instantly under the same unified console when triggers are analysed and so on and so forth. We have never seen such quick turnaround times with any other SIEM product in recent times.
  • Completely Replicated Architecture – Full replication is available in the product and can be enabled with a click. This is something which we were really impressed with. In major organisations, this is non-negotiable and such a easy set up really builds up a story.

Key Weakness of the Product: Now being ArcSight users for several years now, this section is something which is right down our alley. Some of the key weakness we saw with the product are:

  • Scale: In spite of all the ease of set up and value Out of the box, when compared against ArcSight, scaling up with multiple tiers is a problem. One of the caveats we see here is that QRadar is an appliance based model. You can have several collector appliances, but to query them you can have only only Manager or Console Appliance. This will severely impact the scalability in a multi-tier set up.
  • Multi-Tenancy: ArcSight has always been best suited for a Managed service implementation with its Customer tagging, zoning and overall multi-tenancy architecture. However, this is a big problem when it comes to QRadar. They don’t have such a capability today. However, we believe their product road map does talk about such features in the future, but we will have to bite our nails in anticipation.
  • Customization: One of the things which propelled ArcSight to land major defence and government contracts was its capability to customize almost everything except the core source code. When creating Content like Use Cases, Rules, Reports, Third party integration etc. this customization capability comes in handy. Such customization & flexibility is seldom seen in any SIEM product out there. QRadar offers some of these customization, but the moment you take it along that route, you will be disappointed on what it lets you do – Read NO API.
  • Workflow: Other impressive thing about ArcSight is its wonderful content management workflow. It has a full blow case management workflow, event handling workflow, Use Cases workflow etc. whereas QRadar falls short as it does not have any such powerful workflow capabilities. Hopefully IBM will address it in future product releases.

Overall Comparison with ArcSight: ArcSight ESP by far has been the oldest and supposedly the most mature SIEM offering in the market but honestly they are losing ground because, they have not been seriously challenged so far. QRadar does that exactly. Based on the key Strengths and Weaknesses of the product, you should have got an idea of where the product stands.

  • Most of the customers would love to get QRadar in their environment just for the ease of set up and Out of the box value. ArcSight is still a pain to set up and generate value. Most of the implementations of ArcSight have failed for the simple reason – Complexity
  • QRadar put a lot of emphasis on Network security based monitoring approach, where as ArcSight takes an Identity based Security monitoring approach. This is an interesting because the Cyber security world is still split about what is key – “Identity based or Network Security based”. In our humble opinion, a mix of both is what really works.

In Conclusion: QRadar definitely is a wonderful product and a worthy competitor to ArcSight as the battle for the top prize plays out. As technology enthusiasts, we are eager to see how the market plays out, but one thing is for sure

“QRadar Security Intelligence Platform is definitely Punching Hard”.

There you have it!!! Let me know what you guys think about these two products and which one do you prefer and why? Comment on below.

24 thoughts on “Punching Hard – QRadar Security Intelligence Platform”

  1. Very very interesting comparison. Maybe interesting also know what the SIEM market out of gartner offer and do a little comparison.
    You write in the end: …..”In our humble opinion, a mix of both is what really works.” Correct, in fact some product presents on the market, but not still in the Gartner quadrant, have other interesting capabilities integrated in the solution.
    En example see: http://www.araknos.it/en.html.

    1. It would really be interesting to see how the other products are performing, outside of the Gartner Q. We would definitely be interested to know more about your product and how it scales up to the traditional ones. Can you help with the demo?

      1. Hi misnomer, if interested to do demo on line, you can write to info@araknos.it or tech@araknos.it. I think that they will be available. Their system is used by Italy government entities, and collaborate in interesting international environment. Araknos develop itself the solution and customize the solution directly on customer needs. But they have a standard product line to normal market. If you interested to have directly a little book review about, I can try to do.
        I know the Gartner environment, very interesting, but I believe that the real evolution in this domain grows also in the underground and little anonymous research center.

          1. What type of material intend you? All data sheet and brochures are available on the site. I can share whit you my personal impression about Akab2 and a distributed installation. I signal you that Araknos work on SIEM solutions from 2002, and that ArcSight sorted on market after 2008. Juste this year Araknos changed completely her WebUI that come directly from experiences in Military and Telecommunication sectors. The high level of customizations possibilities on hard distributed and HA solution implemented on very large and geographic environment have made impression to me! And also this solution was integrated with TSOM (IBM before) now QRadar, and RSA enVision. I think that you will find more interesting discussion points with Araknos people.
            I m available, write me to my email please.

  2. Don’t like your comments about scale. Obviously you don’t understand Q1 architecture and the huge benefits that actually make Q1 solution more scalable. You also need to speak with Q1 CTP’s to learn how to leverage Q1 API’s. Also last but not least you can buy ‎a “full blown” Case Management System and still have plenty of cash to burn before nearing the PS cost to get ArcSight up and running.

    1. Thanks for your comments Jacek. If you read my points on scale, I talk only about issues with QRadar multi-tier support. What I mean by that is, I can have multiple ArcSight managers in different regions for autonomous event monitoring and then have a global master Manager to perform overall correlated event monitoring. Also, MSSP based multi-customer event monitoring and management is not possible in QRadar as of now. It is in the road map however. PS for ArcSight is expensive agreed!!! Also, this entire post is to say that QRadar can and will easily overtake ArcSight if innovations don’t come out of the ArcSight stable.

  3. Regarding multi-tenancy, what I can tell you Qradar today offers some lite capability. The full spectrum will be available in August, so stay tuned.

  4. Curious on your comment of scale in a multi-tier architecture. I always thought this was a weakness of ArcSight ESM which could not correlate 100k+ ESP hence the need for logger. The QRadar console just coordinates the processors doing much higher EPS so I don’t think there would be a bottleneck.

    Other than that good write up.

    1. Thanks for the comment Mike. QRadar appliances don’t do 100K EPS. The highest Event processor models can do 10K only. Also the same limitation applies to a console box. So if I need 100K, QRadar would need 10 boxes as compared to 1 or 2 in Arcsight.
      Also, all of QRadar is available as appliance wherein Arcsight is Software + Appliance

  5. Great comparison in general but some things to this:
    a) when talking about EPS in QRadar you have to consider that these are correlated events, not the insertion rate into the database
    b) a single QRadar Evenprocessor can handle 20K EPS correlated, burst EPS rate is 50K EPS
    c) QRadar is available as hardware appliance, software to run on your own sever and virtual appliance on VMWare
    d) there is also the concept of a master console, where offenses form multiple consoles CAN be forwarded to a single console. So a multi-tier architecture is no problem with in QRadar

    1. e) QRadar does not have collectors but processors. This means that the complete work, collection, storage, analysis and correlation is done on the processor. As events reside on the event processor, QRadar scales linear with additional event processors, no central database, no bottleneck regarding correlation

    2. Hey. It was interesting to read your comments and counter-comments 🙂 What we were stroke several times already with licensing model in Q1 which is based on peak EPS (not average as in ArcSight). The drawback that we have experianced is that even with throtling applied in Q1 we still faced situations where event rates had hit the license roof… Even having 60% of spare capacities didn’t help us in number of times. For that reason it means that you always need to purchase quite an extensive ammount of licenses so that you can handle the environement.

      1. With the QRadar model high event rates are an issue, agreed. But Event Log Filtering is sometimes necessary to control the rates in any solution for that matter. The more junk you throw at SIEM, the more Search Query performance gets hits. However, in QRadar, filtering cannot be done in a controlled way in the Appliance, rather this has to be done on the Event Source itself. This is a double edged sword because, if you apply granular filtering at source, you save on device performance, however performing consistent audit logging policy changes in Event source is a management nightmare. That way ArcSight, McAfee and other SIEM products give you the flexibility of Event Filtering at the Log Collection layer and at the SIEM layer.
        From a pricing perspective, I believe that HP ArcSight turns out to be more expensive for the same Event volumes as compared to QRadar.

      2. The key to solving this is Filtering. However, QRadar does not allow you to filter at their end. Instead, you will have to do that at the log source end.

  6. Folks, on Qradar the box can handle up to 20K EPS / when you want to reach 100KEPS you need 5 boxes…. the availability is in 3 versions. Appliance, SW only or VMware

  7. Arcsight 5.5 ESM’s Servers Stacked so one for ingest, correlations, trends, one for query only/annotations, and both attached VIA IB network to the Database.

    Oracle Exadata changed partitions to be hourly interval managed, 12.1.0.2 In-Memory enabled, all queries satisfied via NVMe Flash with over 4M/read and 4M/write when not in columnar RDRAM cache so. All writes with a constant stream of 100K EPS with less than 20ms. 280 analysts, TB’s of data all online compressed and available…performance of queries with active channels scanning over 200B rows, 2 seconds!

    DB1/2 nodes (ingest service). DB3,4,5,6 (query service), DB7,8 doing backup service). ESM1 binds to db1/2. ESM2 binds to query service. Needless to say we have the largest Arcsight system in the world.

    1. Wow, that is one of the most complex implementations I have seen with ArcSight and Oracle.
      If HP did not buy ArcSight, Oracle would still have been around I guess.

  8. It’s actually not that complex from Oracle DB perspective. Most of the issues we overcome is from Arcsight design flaws. Oracle scales very well as we achieved 90TB/hr ingest with queries using a custom OCI loader in our testing with one rack.

    We were operational from delivery in one week. Full HA and doing analytical queries that were never achievable in the past. ie. 1000+ rules, 100KEPS sustained/160K peak, 280 analysts, show me all the top bandwith users, by protocol, application, for the last 1yr across my enterprise. Comes back in a few seconds!!!

    So it’s 8 node RAC DB cluster with two nodes doing ingest from ESM1 server. Then four nodes for query from ESM2 server. Two nodes doing backup of the database at night. We have an ILM feature that auto compresses the data after 1hr from 3x to 20X while still available for queries. We move older partitions to cheaper storage cells. Right now we have over 1.5yrs online (600TB). So if someone wanted a smaller system to achieve these results it’s very simple. Just buy a two servers (20K) for ESM and connect to a 1/8 Exadata for around 200K dollars. In fact, the newer Exadata systems take out the Flash vendors with a new architecture we were told. So buy storage cells of all flash (not SSD’s) disk, another rack of just normal cells, and lastly a rack of ZFSA and have the ILM manager move the data to the respective ASM diskgroups based on policy.

    Regarding the use of Oracle, they also have BigSQL which I look for them to leverage in their own LogAnalytics play soon.

Leave a Reply to Markus Cancel reply