
IBM QRadar History

Began as University Project by Sandy Bird at University of New Brunswick

Network flow monitoring, nothing to do with SIEM

Commercial product in 2001 in the NBAD space (QVision)

Changed focus & moved into the SIM space around 2004-2005

Changed name from QVision to QRadar

Original QFlow product now part of QRadar SIEM

OEM relationships with Juniper and Enterasys

Purchased by IBM in October, 2011

You can't correlate what you can't collect


| Feature | HP ArcSight | IBM QRadar |
|---|---|---|
| Event source support: vendor supplied | ~350 | ~180 |
| Event source support: 3rd-party partners | ~45 (CEF) | ~14 (LEEF/AXIS) |
| Custom connectors: time to build | Hours/days | Weeks/months |
| Custom connectors: wizard-based | Yes | No, XML development required |
| Custom connectors: regular expression generator | Yes | No, must develop from scratch |
| Retention defaults: correlated alerts | Unlimited | 3 days |
| Retention defaults: username history | Unlimited | 1 week |
| Retention defaults: flow data | Unlimited | 1 week |
| Retention limits: correlated/offense alerts | Unlimited | 2,500 before rolling off |
| Retention limits: all other retention settings (events, flows, etc.) | Unlimited | 2 years maximum |
| Real-time views: log and network history | Unlimited | Last 7 days |
| Real-time views: correlation/offense activity | Unlimited | 1 month |

You can't correlate what you can't trust


| Feature | HP ArcSight | IBM QRadar |
|---|---|---|
| Data loss: product restarts | Events queued, not dropped | Events dropped |
| Data loss: network outage | Events queued, not dropped | Events dropped |
| Data loss: event spikes | Events queued, not dropped | Short buffer, then events dropped |
| Data loss: license limits exceeded | Access limited, events not dropped | Events dropped |
| Data loss: Windows collection | Events queued, not dropped | Syslog/UDP transport, unreliable, events will drop |
| Encryption: encrypted transport | Yes, by default | Not by default; 50% performance hit when enabled |
| Research-based reputation: research intelligence | Yes, known malicious hosts and domains intelligence | Limited to your own analysis within your own company |
| Bandwidth management: caching | Yes, unlimited size | Limited buffer size |
| Bandwidth management: batching | Yes | No |
| Bandwidth management: filtering | Supported by all Connectors | Only a few event sources |
| Bandwidth management: aggregation | Unlimited | Very limited, no customization |
| Bandwidth management: compression | Yes, by default | Optional, not by default |

You can't correlate what you don't understand


| Feature | HP ArcSight | IBM QRadar |
|---|---|---|
| Normalization: normalized collection | ~500, full normalization | ~70, partial normalization |
| Identity-based activity tracking: Identity Management (IdM) integration | Yes; Active Directory, Oracle Identity Manager, FlexConnector; full attribute support | No, only userid analysis and limited historical analysis |
| Analysis: speed-of-thought drilldown | Yes | No; dashboards, incidents and events in separate views with limited integration |
| Workflow: integrated workflow | Yes | No |
| Case management: integrated case management | Yes | No |

You can't correlate what you can't correlate


| Feature | HP ArcSight | IBM QRadar |
|---|---|---|
| Historical correlation: correlate on past activity | Yes | No |
| Identity correlation: Identity Management (IdM) integration | Yes; Active Directory, Oracle Identity Manager, FlexConnector; full attribute support | No, only userid analysis and limited historical analysis |
| State-based, session correlation: ability to remove entries | Yes, by rule or manually | No |
| State-based, session correlation: ability to age out entries | Yes | No |
| State-based, session correlation: multiple fields tracked | Yes, unlimited | Single field only |
| State-based, session correlation: ability to view entries | Yes | No |
| Anomalous pattern detection: anomaly correlation | Yes, with automatic rule creation | No |
| Rules to detect new threats: behavioral, threshold, anomaly correlation | Unlimited | Activity must have already occurred in your environment to create rules |

Comment from customers


- Any custom log source: their framework for getting non-standard logs (not syslog based) will require a lot of internal working and configuration. Anything that is syslog based will require a lot of messing around.
- Sophisticated correlation: their correlation engine is relatively simple, so anything that is more than simple aggregation will be relatively difficult for them.
- Anything that leverages lists (active or session) will be a massive win for ArcSight. They have lists, but they cannot update or add/remove from a list. So building sophisticated use cases will be VERY difficult and they will rely on very complex logic (and time sequencing will be tough for them).

IBM QRadar is simple to use, so they cannot do sophisticated use cases

Sophisticated Use Cases


Here is one use case from a real customer that QRadar was not able to solve during a POC:

(1) open a case if there are more than 10 failed logins for an account within a day
(2) if there is at least one successful login before reaching 10 failed logins, then reset the "failed login"
counter and start again counting from zero


About Gartner & Vendor Research

Gartner Magic Quadrant

Gartner SIEM MQ 2011 - 2013

HP ArcSight has moved UP and to the RIGHT

The MOST visionary product in the Gartner MQ

A LEADER for 10 consecutive years, while others have appeared and disappeared

Gartner recognizes HP's vision through ops-analytics, integrating SIEM and IT Ops

Analyst Leadership: Gartner and IDC

Gartner MQ: Leader 7 Years

IDC: Share Leader 4 Years

Worldwide SIEM market share by vendor (Source: IDC, December 2010): HP 23.6%, IBM 13.0%, EMC 9.3%, NetIQ 8.5%, McAfee 3.4%, Other 42.2%

IDC 2013 report: HP's revenue is more than that of the next two vendors combined in the worldwide SIEM market

Effectiveness Matters

HP Security Research ecosystem:
- Ecosystem partners: SANS, CERT, NIST, OSVDB, software, and reputation vendors
- ~3,000+ independent researchers
- 2,000+ customers sharing data
- 7,000+ managed networks globally
- DVLabs Research & QA
- ESS
- Actionable security intelligence
- Thought leadership
- Automatically integrated into HP products

"HP finds more vulnerabilities than the rest of the market combined"

"Top security vulnerability research organization for the past three years" - Frost & Sullivan

Note: All figures are rounded. The base year is 2012. Source: Frost & Sullivan

Industry Leading Security Intelligence

Chart: Business Application Vulnerabilities by reporting source (count, axis 0-35); sources shown: HP TippingPoint, Secunia, US-CERT, Verisign iDefense, High-Tech Bridge, IBM ISS, VUPEN Security

Public Vulnerability Research Market: Business Application Vulnerabilities by Reporting Source, Global, 2012

Definition - Zero-Day Exploit

Proactive Protection

Timeline:
- t1: vulnerability is found
- t2: exploit code is in the wild
- t3: software vendor releases patch
- t4: patch rollout

Our Zero-day Coverage Compared to Competition

Chart: zero-day coverage per year, 2006-2013 (axis 0-300)

Compiled from publicly verifiable data at http://www.microsoft.com/technet/security/current.aspx