<?xml version="1.0" encoding="UTF-8"?><!-- generator="wordpress/2.2.2" -->
<rss version="2.0" 
	xmlns:content="http://purl.org/rss/1.0/modules/content/">
<channel>
	<title>Comments on: Solving puzzles and mysteries</title>
	<link>http://gsandahl.net/2007/05/24/206/</link>
	<description>Random rants on Defensive Security</description>
	<pubDate>Fri, 21 Nov 2008 23:39:06 +0000</pubDate>
	<generator>http://wordpress.org/?v=2.2.2</generator>

	<item>
		<title>By: goran</title>
		<link>http://gsandahl.net/2007/05/24/206/#comment-5246</link>
		<author>goran</author>
		<pubDate>Fri, 25 May 2007 11:21:53 +0000</pubDate>
		<guid>http://gsandahl.net/2007/05/24/206/#comment-5246</guid>
		<description>QRadar is a great product, which I have tested rather extensively in a lab environment. In contrast with other similar products, our results indicated that its built-in correlation engine is very accurate. 

However, all this boils down to the quality of the log sources, of course. But having a fine-tuned IDS/IPS, a firewall log, service logs etc. allows the device to very accurately detect and describe attack patterns. I'll say most of the fine tuning would still be necessary on the IDS/IPS. And as with any product that can baseline, it's a matter of it getting to know the environment and baseline. 

It also has a built-in NBAD feature, where it can do traffic anomaly detection using, for instance, NetFlow data. That is a feature most SIEM products don't have, yet. 

I plan to blog about QRadar sometime in the future.</description>
		<content:encoded><![CDATA[<p>QRadar is a great product, which I have tested rather extensively in a lab environment. In contrast with other similar products, our results indicated that its built-in correlation engine is very accurate. </p>
<p>However, all this boils down to the quality of the log sources, of course. But having a fine-tuned IDS/IPS, a firewall log, service logs etc. allows the device to very accurately detect and describe attack patterns. I&#8217;ll say most of the fine tuning would still be necessary on the IDS/IPS. And as with any product that can baseline, it&#8217;s a matter of it getting to know the environment and baseline. </p>
<p>It also has a built-in NBAD feature, where it can do traffic anomaly detection using, for instance, NetFlow data. That is a feature most SIEM products don&#8217;t have, yet. </p>
<p>I plan to blog about QRadar sometime in the future.</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: Tomas</title>
		<link>http://gsandahl.net/2007/05/24/206/#comment-5235</link>
		<author>Tomas</author>
		<pubDate>Fri, 25 May 2007 08:16:56 +0000</pubDate>
		<guid>http://gsandahl.net/2007/05/24/206/#comment-5235</guid>
		<description>Göran, how easy is the "doctor-like" product from http://www.q1labs.com actually to use? From their product page it seems you just plug it in and it almost automatically works, but since I am skeptical I think it requires a lot of fine tuning like any other product. Maybe it needs less...?</description>
		<content:encoded><![CDATA[<p>Göran, how easy is the &#8220;doctor-like&#8221; product from <a href="http://www.q1labs.com" rel="nofollow">http://www.q1labs.com</a> actually to use? From their product page it seems you just plug it in and it almost automatically works, but since I am skeptical I think it requires a lot of fine tuning like any other product. Maybe it needs less&#8230;?</p>
]]></content:encoded>
	</item>
</channel>
</rss>
