IBM Security’s QRadar SIEM technology provides log management, event management, reporting and
behavioral analysis for networks and applications. QRadar can be deployed as an appliance or as software
(running on Red Hat Enterprise Linux Server appliances) in an all-in-one solution for smaller
environments, or it can be horizontally scaled in larger environments using specialized event collection,
processing and console appliances. A distinguishing characteristic of the technology is the collection and
processing of NetFlow data, DPI, full packet capture, and behavior analysis for all supported event
Enhancements to QRadar during the past 12 months included the introduction of QRadar Incident
Forensics, which extends flow analysis, adding DPI and full packet capture capabilities. In addition, IBM
Security introduced integrated vulnerability scanning via QRadar Vulnerability Manager (using technology
licensed from Critical Watch), as well as new graphing/charting capabilities, improved search performance
and API enhancements. IBM has developed two-way integration between QRadar and IBM’s InfoSphere
BigInsights, and also with IBM’s analytics and data visualization technologies. IBM also provides additional
connectors to Hadoop instances.
IBM offers a co-managed service option for QRadar, which combines an on-premises QRadar deployment
with remote monitoring from IBM’s managed security services operations centers. QRadar is a good fit for
midsize and large enterprises that need general SIEM capabilities, and also for use cases that require
behavior analysis, NetFlow analysis and full packet capture.
- QRadar provides an integrated view of the threat environment using NetFlow, DPI and full packet
  capture in combination with log data, configuration data and vulnerability data from monitored
- Customer feedback indicates that the technology is relatively straightforward to deploy and maintain
  in both modest and large environments.
- QRadar provides behavior analysis capabilities for NetFlow and log events.
- QRadar provides less-granular role definitions for workflow assignment compared with competitors’
- QRadar’s multitenant support requires a master console in combination with distributed QRadar
  instances. The number of third-party service providers that offer QRadar-based monitoring services
  is limited when compared with vendors that lead in this area.
- Security information and event management (SIEM) technology supports threat detection and security incident response through the real-time collection and historical analysis of security events from a wide variety of event and contextual data sources. It also supports compliance reporting and incident investigation through analysis of historical data from these sources. The core capabilities of SIEM technology are a broad scope of event collection and the ability to correlate and analyze events across disparate sources.