Only a decade ago, there really was no such thing as security management systems. Some very large organizations built their own tools or took advantage of freeware Syslog collectors, but these were the exceptions to the rule. The majority of companies’ security safeguards were made up of firewalls, IDSs, and desktop antivirus software. [3] Times have certainly changed, today; most large organizations have security management technologies deployed for security event collection and correlation, threat management, and compliance controls monitoring. The broader marketplace is likewise now being driven by compliance and a global, institutional threat. [9]</p> <p style="line-height:150%">Recent economic troubles might have something to do with the fact that many organizations today seek to establish only the bare minimum level of security. [5] In fact, their belief that security “due diligence” can be reduced to the level prescribed by regulations such as the Payment Card Industry Data Security Standard (PCI DSS) is more common than ever. Unfortunately, the results of this flawed thinking include security breaches and other damaging events. [1]</p> <p style="line-height:150%">Security professionals have had to defend organizations against numerous threats for years: viruses, Trojans, malware, script kiddies and more. But in the past few years, threats to security have become more insidious, and the results of breaches more severe. [4] These threats have come from three sources: criminal gangs, nation-states and ‘insiders’. Where once the idea of robbing a bank seemed the quickest route to money for criminals, many gangs with increasing technological awareness, and with the help of other gangs around the world, have turned their attention to the internet and IT security. [2]</p> <p style="line-height:150%">When taking security and threat management seriously, it is essential to understand the benefits of security information and event management (SIEM) technology and making the decision to implement. [6] A robust SIEM integration effort provides security operations teams with a strong knowledge base, preparing them to react to possible threats to the organization. [13] As the security "nerve center" of an organization, a security information and event management (SIEM) implementation, when done well, gives an enterprise a holistic view of the security events that originate from a whole multitude of devices, applications and activities across the enterprise. The advantage of such a view is that correlation of events can be conducted and patterns can be identified in ways not possible without such a consolidation of security information. [4]</p> <p style="line-height:150%">In more recent years, several different trends, namely, changes in the regulatory landscape and a shift of attacks to the application level have led to the evolution of the SIEM and log management space. [10] These tools are now used for overall compliance management, user tracking, application security monitoring, and compliance auditing and even fraud detection. They also continue to be used for operational monitoring and issue troubleshooting. [8] Let’s define what SIEM and log management tools are and what they do. Security information and event management covers relevant log collection, aggregation, normalization and retention, context data collection, alerting, analysis (correlation and prioritization), presentation (reporting and visualization), security-related workflow, and relevant security content. Typical uses for SIEM tools center on network security, data security and regulatory compliance. [1]</p> <p style="line-height:150%">The selection of the most effective IT technology is a major concern for companies of all sizes and across every industry. In the current economic climate, organizations face the difficult task of prioritizing where to best spend their limited budgets so that they emerge from these uncertain times as strong, viable companies. [7] As organizations face complex security, regulatory and operational issues, the tools that help them address those issues have grown in complexity. As a result, companies sometimes have trouble planning, deploying and then using SIEM. [1]</p> <p style="line-height:150%">As technology goes through a multi-phased evolution, many vendors peak in one phase and then quickly fade away through transitions and their associated new user requirements. Still other vendors tend to peak when user needs come around to their product design and focus. [3] As the security management market enters the business operational phase of its evolution, one vendor worth watching is Q1 Labs, a provider of cost-effective, high value security management products based in Waltham, Massachusetts. Unlike some of its competitors, Q1 Labs has been able to “cross the chasm” through each phase of the security management evolution, improving its products and overall company value over time. [9] Qlabs is the provider of the highly acclaimed cost effective security information and event management product – Qradar SIEM.</p> <p style="line-height:150%">QRadar SIEM delivers the industry's only SIEM system solution that gives security professionals the visibility they need to protect their networks. QRadar's advanced SIEM technology protects IT assets from a growing landscape of advanced threats as well as meets current and emerging compliance mandates. [8]</p>

Functions & Applications of Qradar SIEMEdit

<p style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto; line-height:150%">QRadar's Next-Generation SIEM is the most intelligent, integrated and automated SIEM system in the industry. Various SIEM products are very strong from an event management perspective and play a particularly important role in threat detection. [9] What sets Qradar SIEM apart is its unrivaled platform architecture that delivers [13]: </p>

  • Unified, turnkey deployments and more efficient administration and management
  • Distributed correlation that allows for billions of logs and records to be monitored per day
  • Single log archival capacity ensures seamless reporting and comprehensive searching within SIEM system
  • Centralized command and control reduces security management solution acquisition costs and improves IT efficiency
  • Advanced threat and security incident detection that both reduces the number of false positives and detects threats that other solutions miss
  • Compliance-centric workflow that enables the delivery of IT best practices that support compliance initiatives
  • Distributed appliance architecture scales to provide log management in any enterprise network.


<p style="line-height:150%">Companies today are under growing executive pressure to comply with mandates such as Sarbanes-Oxley, GPG-13, FSA, Garante, HIPAA, FISMA, GLBA, PCI, NERC. The massive amounts of data and events being generated in an organization provide the keys to the audit trail.[12] QRadar’s collection correlation and integration of all surveillance feeds yields more accurate data for an operator, more granular forensics for an incident response manager, and more complete reporting for auditors. QRadar SIEM brings the transparency, accountability and measurability critical to the success of meeting regulatory mandates and reporting on compliance. [11]</p>


<p style="line-height:150%">The QRadar Security Intelligence Platform provides a unified architecture for collecting, storing, analyzing and querying log, threat, vulnerability and risk related data. [14] Because QRadar is a highly intelligent, integrated and automated solution, organizations benefit by having several departments and staff with a variety of roles (operators, analysts, auditors, etc) and needs seamlessly using different QRadar modules. [12] Qradar SIEM can efficiently and effectively deploy security and protection measures in a variety of threat scenarios.</p>

Targeted attackEdit

<p style="line-height:150%">These ‘advanced persistent threats’, or targeted attacks, have been the concern of major companies for years. RSA last year had its systems breached and information on its secure authentication tokens stolen as the result of targeted attacks, while research has shown that attacks have gone on for as long as five years in some cases. [6] And as many as 31 per cent of IT security professionals say their organizations suffered at least one cyber-attack between 2010 and 2011. [2] With more data under surveillance and more intelligent analytic techniques, QRadar will help to detect threats that others will miss; it will provide visibility that others can’t. [12]</p>

Insider Threat and Insider FraudEdit

<p style="line-height:150%">Information security is a matter of both trust and risk. [4] Because outsiders are likely to be untrusted and therefore seen to be a greater risk to the organization, they are scrutinized more than insiders, and given less or no access to corporate resources. However, employees and other ‘insiders’ such as outsourced personnel and business partners are almost invariably shown greater trust, either because they’re assumed to have the best interests of their employers at heart or because they need access to corporate resources to perform their jobs. [9] Recent surveys have shown that 26 percent of IT security professionals know of staff abusing privileged logins to access sensitive information; 51 per cent of cyber-crimes were committed by insiders, with up to 98 per cent having ‘an insider connection’; and some organizations even cite the percentage of company financial losses resulting from insider damage at anywhere between 20 per cent and 80 per cent. [2] The QRadar Security Intelligence Platform’s threat management features bridge the gap between network and security operations and deliver the requisite surveillance on the network to detect today’s more complex and sinister IT-based threats.[11] QRadar's SIEM provides value before, during and after an attack because it incorporates behavior and context. This means better security profiling, advanced detection and complete forensics. [10]</p>

Unauthorized configuration changesEdit

<p style="line-height:150%">Ultimately, what any attackers, external or internal, want to do when attacking an organization’s IT infrastructure is gain control of as many systems as they can. Once they have control, they can reconfigure a system to do what they want, no matter what security controls you have in place. [6] Identifying unauthorized configuration changes is not only important for preventing breaches, it’s also critical for maintaining the reliability and availability of key business applications and systems, since unauthorized changes account for nearly 80 per cent of all IT service outages. [2] The Qradar Security Intelligence Platform helps reduce costs and provides multiple areas of operational improvement by delivering the most integrated, intelligent and automated solution available for threat of any kind. [7]</p>

The Significance of Qradar SIEMEdit

<p style="line-height:150%">QRadar's flexible architecture allows organizations to scale their security intelligence infrastructure with seamlessly integrated appliances accessible through a single user interface, called "One Console Security". [10] This highly integrated, architecturally elegant approach improves operational efficiencies and helps network security teams better protect their organization's IT assets from a growing landscape of Cyber-war and Cyber-crime driven threats.[8]</p>

Total Intelligence & Visibility for Todays Security ChallengesEdit

<p style="line-height:150%">SIEM technology was designed to monitor traditional security telemetry and reduce the data collected to a subset of suspected security incidents through rules and data correlation. This traditional approach to a SIEM system delivers visibility into servers, hosts and security systems but lacks the ability to collect from all possible sources or efficiently distinguish between true threats and false alarms. [10] As the most intelligent, integrated and automated SIEM solution in the industry, QRadar® SIEM delivers deep visibility into network, user and application activity providing organizations with intelligence into potential and existing threats across their entire network.[9] Built on the highly flexible QRadar Security Intelligence Platform, QRadar SIEM provides a next-generation solution that can mature with an organization, scale to support a growing infrastructure and deliver a common user experience to many groups across the organization. [7] With log management, advanced threat detection, and policy-aware compliance management all combined in QRadar SIEM, organizations benefit with a tightly integrated solution that quickly and easily delivers corporate-wide security intelligence. [11]</p>

Real Time Visibility for Threat & ComplianceEdit

<p style="line-height:150%">Internet-based threats and fraud continue to proliferate in today’s complex networks. [14] Compounding this problem is a steady rise in insider theft of valuable corporate information. QRadar SIEM consolidates soloed information to more effectively detect and manage complex threats. The information is normalized and correlated to quickly deliver intelligence that allows organizations to detect, notify and respond to threats missed by other security solutions with isolated visibility and timeliness. [13] QRadar SIEM provides contextual and actionable surveillance across an entire IT infrastructure allowing an organization to detect and remediate threats such as: inappropriate use of applications, insider fraud, threats that could be lost in the noise of millions of events, and more. [11]</p>

Managing ThreatsEdit

<p style="line-height:150%">Security teams need to understand: Who is attacking? What is being attacked? What is the business impact? Where do I investigate? [6] QRadar SIEM tracks significant incidents and threats and builds a history of supporting and relevant information. Information such as point in time, offending users or targets, attacker profiles, vulnerability state, asset value, active threats and records of previous offenses all help provide security teams with the intelligence they need to act regardless of where they are. [11]</p>

Highly intuitive One Console SecurityEdit

<p style="line-height:150%">QRadar's Next-Generation SIEM provides value before, during and after an attack because it incorporates behavior and context. This means better security profiling, advanced detection and complete forensics. [9] First-generation SIEM solutions rely on bringing multiple products together and attempt to deploy them in as a single SIEM solution. The result is an segmented solution that is unnecessarily complex, difficult to manage and even harder to scale. [7] QRadar SIEM provides a solid foundation for an organization’s Security Operations Center by providing a centralized user interface that offers role-based access by function and a global view to access real-time analysis, incident management and reporting. [10] Default dashboards are available by function and users can create and customize their own workspaces. This drill down capability makes it easier to identify and select a spike of events or network flows relative to an offense. 3,500 report templates relevant to specific roles, devices, compliance regulations and vertical industry are available out of the box. [11]</p>

Scalability & High AvailabilityEdit

<p style="line-height:150%">QRadar SIEM was designed from the ground up to work as a complete, integrated solution.[10] QRadar SIEM provides a solution that offers a common platform and user interface for all security intelligence tasks. [8] Additionally, QRadar SIEM comes as an all-in-one solution for small and medium sized businesses or an enterprise-level solution that is immensely scalable for medium to large deployments. [7] For organizations looking for business resiliency, QRadar High Availability (HA) delivers highly integrated automatic failover and full disk synchronization between systems. QRadar HA provides high availability of data storage and analysis is easily deployed through architecturally-elegant plug-and-play appliances, and there is no need to add additional third-party fault management products. [11]</p>

Interview: The Value of Qradar SiemEdit

<p style="line-height:150%">Phil Neray, security intelligence strategist and head of marketing at Q1 Labs, now part of the new IBM Security Systems division, discusses the advantages of enterprise SIEM and The value of SIEM: [2]</p>

What are the benefits of SIEM?Edit

<p style="line-height:150%">Quite simply, it gives organizations much more visibility and intelligence about what’s going on in their physical or virtual IT infrastructures – continuously and in real time. Of course, many organizations already have network security devices such as firewalls and IPS/IDS, and may already be collecting event and activity logs from their servers – but they have no easy way to correlate events and activities with each other, or with asset information about which systems are unpatched and vulnerable, in order to rapidly determine what’s most important and distinguish a real attack from a false positive </p>

<p style="line-height:150%">So the biggest value proposition for SIEM today is to be able to sift all this data in real time using advanced security analytics, in order to find the virtual needle in the haystack and discover exactly what happened and when, and to proactively prevent things that are potentially going to be problems. This is required to address a range of threats, whether it’s targeted attacks, insider threats or simply unauthorized configuration changes – people doing things they’re not supposed to, perhaps not out of malicious intent but because they’re simply bypassing your corporate change control procedures in order to get their jobs done faster. </p>

What is the future for SIEM technologies?Edit

<p style="line-height:150%">The next generation of SIEM should provide what we call real-time security intelligence. Again, we believe this is best accomplished by integrating security analytics and a scalable ‘Big Data’ SIEM platform with information from a range of security technologies, in order to provide additional context – and hence insight – for all the security event and log information you’re collecting. For example, integration with IAM systems allows you to quickly determine if the monitored actions of a particular individual are commensurate with their role in the organization. Integration with database activity monitoring technologies helps prevent data leakage by correlating unauthorized activity at the database tier – such as an outsourced DBA accessing sensitive data during off-hours – with network activity such as exfiltration to a questionable site. Integration with IDS/IPS systems plus application scanning technologies can determine if an unpatched web application server is being attacked using a known SQL injection vulnerability. And integration with end-point management technology can detect when a botnet has infected a laptop or smartphone via spear-phishing and is now communicating with a remote command-and control server. These are all examples of what we call security intelligence. </p>

Many people say that SIEM is only useful to larger enterprisesEdit

<p style="line-height:150%">That’s not really true. After all, any-sized business can be the victim of a targeted attack – and attackers may be even more likely to compromise smaller businesses because of their relative lack of defenses and security personnel. One of the reasons for this perception is that first-generation SIEM and log management systems were complex and needed lots of professional services to help configure and run them.</p>

<p style="line-height:150%">But QRadar was developed as a next-generation SIEM, with capabilities designed to speed deployment whilst requiring minimal professional services. For example, QRadar provides pre-built security analytics with correlation rules that can be easily customized, without requiring DBA skills; automation features such as auto-discovery of log sources; and a single unified console for log management, SIEM, configuration management, network anomaly detection, and monitoring network flow data with application-layer visibility (social media, P2P, etc).We are also integrating QRadar with a number of technologies, such as real-time threat intelligence from IBM X-Force. This allows you to create correlation rules that identify outbound traffic to malicious IP addresses identified by IBM’s security research team and by monitoring 13 billion security events daily, on a global basis, for our managed security services client.</p>


<p style="margin-bottom:0in;margin-bottom:.0001pt;line-height: 150%;mso-layout-grid-align:none;text-autospace:none">Forward-thinking organizations have recognized and embraced the value of business intelligence technology, as their success is predicated on the ability to analyze and act upon the essential information derived from staggering volumes of data. [9] The Qradar Security Intelligence Platform is used across the world by healthcare providers, energy firms, retail organizations, utility companies, financial institutions, government agencies, and universities, among others. [11] QRadar SIEM as an important component of QRadar has significant meanings for every organization, ranging from small business to big company. QRadar SIEM can help to protect their entire network environment. [4] QRadar SIEM helps security teams, IT operations, auditing and lines of business to detect threats others miss, exceed regulation mandates, predict risks against their business, detect insider fraud, and consolidate data silos. [8] According to Jeff Dalton, technical operations officer for Regulus, “Our primary goal for deploying a SIEM was to meet compliance mandates, but we wanted to go above and beyond what the various regulations required of us, and use the additional information captured by QRadar to really make our network, and the services and applications it delivers, secure. We want our customers to have faith that we’re keeping their personal information well-protected, and QRadar enables us to do that.” [8]</p>

<p style="margin-bottom:0in;margin-bottom:.0001pt;line-height: 150%;mso-layout-grid-align:none;text-autospace:none">Security intelligence is essential because information security is integral to doing business in the 21st century.[3] Powerful, automated analytics of centralized data from sources that cover the entire spectrum of the IT infrastructure make a high level of cost effective security not only possible, but indispensable. [6] In regards to this, from the review of the literature above it is possible to conclude that QRadar SIEM and its development team has done a great job of developing a reliable and efficient security product. QRadar SIEM is widely used in many organizations, supported by over 200 devices. It is safe to say that QRadar SIEM have created a new generation of security product.</p>

<p style="margin-bottom:0in;margin-bottom:.0001pt;line-height: 150%;mso-layout-grid-align:none;text-autospace:none"> </p>

<p style="margin-bottom:0in;margin-bottom:.0001pt;line-height: 150%;mso-layout-grid-align:none;text-autospace:none"> </p>

<p style="margin-bottom:0in;margin-bottom:.0001pt;line-height: 150%;mso-layout-grid-align:none;text-autospace:none"> </p>


<p style="margin-left:.25in;mso-add-space:auto; text-indent:-.25in;line-height:150%;mso-list:l0 level2 lfo1">1. Chuvakin, A. (2010). A Pragmatic Approach to SIEM: Buy for Compliance, Use for Security. Tripwire . Retrieved from</p>

<p style="margin-left:.25in;mso-add-space: auto;text-indent:-.25in;line-height:150%;mso-list:l0 level2 lfo1">2. Fisher, P. (2011). The Secret Life of SIEM in the Enterprise. E-book magazine. Qlabs. Retrieved from</p>

<p style="margin-left:.25in;mso-add-space: auto;text-indent:-.25in;line-height:150%;mso-list:l0 level2 lfo1">3. Grance, (2003). Guide to Selecting Information Technology Security Products. NIST. Retrieved from</p>

<p style="margin-left:.25in;mso-add-space: auto;text-indent:-.25in;line-height:150%;mso-list:l0 level2 lfo1">4. Hutichinson, A. (2011). Why Focus on SIEM integration, coverage maximizes anomaly detection. Search Security: TechTarget. Retrieved from</p>

<p style="margin-left:.25in;mso-add-space: auto;text-indent:-.25in;line-height:150%;mso-list:l0 level2 lfo1">5. IBM (2011). Continuous Monitoring, Remediation &Cyber reporting: IBM Tivoli. Retrieved from</p>

<p style="margin-left:.25in;mso-add-space: auto;text-indent:-.25in;line-height:150%;mso-list:l0 level2 lfo1">6. Oltsik, J.(2009). Security management Evolution. White Paper, Enterprise Strategy group. Retrieved from</p>

<p style="margin-left:.25in;mso-add-space: auto;text-indent:-.25in;line-height:150%;mso-list:l0 level2 lfo1"> 7. Qlabs (2011). The Business Case for a Next-Generation SIEM: Delivering Oprational Efficiency and Lower Cost through an integrated approach to network Security Intelligence. Retrieved from</p><p style="margin-top:0in;margin-right:0in; margin-bottom:0in;margin-left:.25in;margin-bottom:.0001pt;mso-add-space:auto; text-indent:-.25in;line-height:150%;mso-list:l0 level2 lfo1;mso-layout-grid-align: none;text-autospace:none">

8. QLabs (2011). QRadar SIEM Datasheet. Retrieved from</p><p style="margin-left:.25in;mso-add-space: auto;text-indent:-.25in;line-height:150%;mso-list:l0 level2 lfo1">

9. Qlabs (2012). Executive Guide to Security Intelligence. Transitioning from log Management and to Security Intelligence. Retrieved from</p><p style="margin-left:.25in;mso-add-space: auto;text-indent:-.25in;line-height:150%;mso-list:l0 level2 lfo1">

10. Qlabs (2012). Qradar SIEM. A SIEM Technology breakthrough. Retrieved from </p><p style="margin-left:.25in;mso-add-space: auto;text-indent:-.25in;line-height:150%;mso-list:l0 level2 lfo1">

11. QRadar (2012). Providing the Security Intelligence needed to Protect IT Networks and Assest. Qlabs Total Security Intelligence. Retrieved from</p><p style="margin-left:.25in;mso-add-space: auto;text-indent:-.25in;line-height:150%;mso-list:l0 level2 lfo1">

12. Qlabs (n.d). Qradar Intelligence Security Platform. Retrieved from</p><p style="margin-left:.25in;mso-add-space: auto;text-indent:-.25in;line-height:150%;mso-list:l0 level2 lfo1">

13. Qlabs (2012). Qradar SIEM. A SIEM Technology Breakthrough. Retrieved from</p>

<p style="margin-left:.25in;mso-add-space:auto; text-indent:-.25in;line-height:150%;mso-list:l0 level2 lfo1">14. Tripwire (2012). Log Management & SIEM for security and Compliance. Retrieved from </p>

Community content is available under CC-BY-SA unless otherwise noted.