Risk management from another perspective

OK. So, you've got your security information and event management (SIEM) tool and you've got your log manager and you've got some risk management software that might be vulnerability-aware. You're all set to keep the enterprise safe and percolating along, right? Well, maybe. As you probably have noticed in some of our earlier reviews, these pieces and a bit of overlap between them are pretty common. However, there are those – us included – who think that the whole shebang should be in a single appliance. It also would be nice if we could have some network analysis and a bit of forensics thrown in for good measure. A pretty large order? Not really.

Q1 Labs has come up with a product called QRadar Risk Manager (QRRM) that covers most, if not all, of these bases. It includes risk management, SIEM functionality, log management, network behavior analysis and automated compliance auditing – with more than 100 compliance templates provided. This is a lot to put in one box, but Q1 has done it, and their solution to the risk management challenge is quite comprehensive.

QRRM recognizes that most vulnerabilities involve either patching, poor coding practices or configuration errors. The product addresses all three of these. This is part of what Q1 calls pre-exploit analysis. Pre-exploit time exists between the appearance (or identification) of a vulnerability and the point where the vulnerabilities are exploited on one of your targets. By assessing configuration, compliance, vulnerabilities and risk, QRRM provides a roadmap for pre-exploit remediation.

For post-exploit time (which assumes that, for whatever reason, an exploit succeeded), QRRM provides log management, SIEM and network behavior analysis. The post-exploit analysis provides a solid basis for forensics.

Some interesting procedural thinking has gone into this tool. For example, we typically prioritize vulnerabilities based on factors that have more to do with the vulnerability itself. That is the old red/yellow/green approach. That really does not tell us much about how the vulnerability impacts our enterprise. To get that we need to add context. QRRM does that for us. It also lets us normalize vulnerabilities. This can be very important, especially if you use more than one vulnerability assessment (VA) tool (Q1 does not have its own VA tool, but it does support 10 VA vendors).
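The two ideas in the paragraph above, normalizing findings from more than one VA tool and then re-ranking them with enterprise context instead of the bare red/yellow/green severity, are shown in the following added example. This is illustrative code written for this review, not Q1's or QRadar's code; the two export formats, the vulnerability identifiers (VULN-000x), the asset inventory and the weighting formula are all constructed for the example.

```python
# Added example (not Q1/QRadar code): normalize findings from two hypothetical
# VA tool exports, de-duplicate them, and re-rank them with asset context.
from dataclasses import dataclass

# Constructed sample exports. Tool A reports a severity word, tool B a 0-10 score.
TOOL_A_EXPORT = [
    {"ip": "10.0.1.10", "vuln_id": "VULN-0001", "severity": "high"},
    {"ip": "10.0.2.20", "vuln_id": "VULN-0002", "severity": "medium"},
]
TOOL_B_EXPORT = [
    {"host": "10.0.1.10", "id": "VULN-0001", "cvss": 7.5},   # same issue as tool A's first row
    {"host": "10.0.3.30", "id": "VULN-0003", "cvss": 9.8},
]

# Constructed asset inventory: business criticality 1-5 and internet exposure.
ASSETS = {
    "10.0.1.10": {"name": "lab-box",    "criticality": 1, "internet_facing": False},
    "10.0.2.20": {"name": "web-portal", "criticality": 5, "internet_facing": True},
    "10.0.3.30": {"name": "db-backup",  "criticality": 3, "internet_facing": False},
}

# Mapping of severity words onto the same 0-10 scale tool B already uses (assumption).
SEVERITY_WORDS = {"low": 3.0, "medium": 5.0, "high": 7.5, "critical": 9.5}


@dataclass(frozen=True)
class Finding:
    host: str
    vuln_id: str
    base_score: float   # normalized 0-10, context-free


def normalize(tool_a, tool_b):
    """Map both export shapes onto Finding and drop duplicate (host, vuln) pairs."""
    seen = {}
    for r in tool_a:
        f = Finding(r["ip"], r["vuln_id"], SEVERITY_WORDS[r["severity"].lower()])
        seen.setdefault((f.host, f.vuln_id), f)
    for r in tool_b:
        f = Finding(r["host"], r["id"], float(r["cvss"]))
        key = (f.host, f.vuln_id)
        # When two tools report the same issue, keep the higher base score.
        if key not in seen or f.base_score > seen[key].base_score:
            seen[key] = f
    return list(seen.values())


def contextual_score(finding, assets):
    """Base severity weighted by asset criticality and exposure (constructed formula)."""
    a = assets.get(finding.host, {"criticality": 3, "internet_facing": False})
    exposure = 2.0 if a["internet_facing"] else 1.0
    return round(finding.base_score * a["criticality"] * exposure, 1)


def prioritize(tool_a, tool_b, assets):
    """Return (host, vuln_id, base_score, contextual_score) tuples, highest risk first."""
    findings = normalize(tool_a, tool_b)
    ranked = sorted(findings, key=lambda f: contextual_score(f, assets), reverse=True)
    return [(f.host, f.vuln_id, f.base_score, contextual_score(f, assets)) for f in ranked]


if __name__ == "__main__":
    for row in prioritize(TOOL_A_EXPORT, TOOL_B_EXPORT, ASSETS):
        print(row)
```

Run stand-alone, the "medium" finding on the internet-facing, business-critical web portal lands at the top of the list, ahead of the 9.8-scored finding on an internal backup host and the "high" on an isolated lab box; that reordering is the point of adding context rather than sorting on severity alone.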

The heart of the product is the policy monitor. It considers topology (important for many reasons – one of which is attack simulation), vulnerabilities and assets. Writing policies is a snap, as it should be these days. However, the approach is a bit different from what I'm used to seeing. To create a policy, you simply formulate a question you want answered, build the policy and run an assessment to answer your question. You can pre-build policies or you can work from compliance templates.

Further, the tool can run assessments or it can run in monitor mode and alert on policy violations. One of my favorite features is its ability to run an attack simulation. An attack source can be assumed and traffic types can be added, along with the range of destinations, protocols and types of vulnerabilities that are bothering the user. The simulation runs and tells us what would happen in our enterprise under these simulated conditions.
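To make the policy-as-a-question idea and the attack simulation from the two paragraphs above concrete, here is an added example that models a small network topology and answers a question of the form "which assets carrying a vulnerability of class X could a source in zone Y reach over an allowed firewall rule?". It is illustrative code written for this review, not Q1's or QRadar's implementation; the zones, firewall rules, assets and vulnerability classes are constructed, and the simulation deliberately uses a worst-case assumption (any zone the source can reach can be used as the next hop).

```python
# Added example (not Q1/QRadar code): a toy "what-if" attack simulation over a
# network topology, answering a policy question about exposed vulnerable assets.
from collections import deque

# Constructed topology: firewall rules as (from_zone, to_zone, protocol, port).
FIREWALL_RULES = [
    ("internet", "dmz", "tcp", 443),
    ("internet", "dmz", "tcp", 80),
    ("dmz",      "app", "tcp", 8080),
    ("app",      "db",  "tcp", 5432),
    ("corp",     "app", "tcp", 8080),
    ("corp",     "db",  "tcp", 5432),
]

# Constructed assets: zone and exposed services tagged with a vulnerability class
# (the class is what a VA tool would report; the names here are hypothetical).
ASSETS = {
    "web-1": {"zone": "dmz",  "services": [("tcp", 443,  "web")]},
    "app-1": {"zone": "app",  "services": [("tcp", 8080, "web")]},
    "db-1":  {"zone": "db",   "services": [("tcp", 5432, "database")]},
    "hr-1":  {"zone": "corp", "services": [("tcp", 445,  "file-sharing")]},
}


def reachable_zones(source_zone, rules, protocols):
    """Breadth-first walk over allowed rules; returns {zone: shortest path from source}.
    Worst-case modelling: every reached zone is assumed usable as the next hop."""
    paths = {source_zone: [source_zone]}
    todo = deque([source_zone])
    while todo:
        z = todo.popleft()
        for src, dst, proto, _port in rules:
            if src == z and proto in protocols and dst not in paths:
                paths[dst] = paths[z] + [dst]
                todo.append(dst)
    return paths


def simulate(source_zone, vuln_classes, rules, assets, protocols=("tcp",)):
    """Policy question: which assets with a vulnerability in vuln_classes can a
    source in source_zone reach on the vulnerable service through an allowed rule?
    Returns (asset, vuln_class, zone path) tuples, shortest path per asset."""
    paths = reachable_zones(source_zone, rules, protocols)
    allowed = set(rules)
    hits = []
    for name, a in assets.items():
        for proto, port, vclass in a["services"]:
            if vclass not in vuln_classes:
                continue
            if a["zone"] == source_zone:
                # Same zone as the assumed source: no firewall rule in the way.
                hits.append((name, vclass, [source_zone]))
                continue
            candidates = [paths[z] + [a["zone"]] for z in paths
                          if (z, a["zone"], proto, port) in allowed]
            if candidates:
                hits.append((name, vclass, min(candidates, key=len)))
    return hits


if __name__ == "__main__":
    # "Which assets with a web-class vulnerability are exposed to the internet?"
    for asset, vclass, path in simulate("internet", {"web"}, FIREWALL_RULES, ASSETS):
        print(f"{asset} ({vclass}) reachable via {' -> '.join(path)}")
```

Plotting the returned zone path onto the topology is what the review describes as showing assessment results on the network map; changing the assumed source zone or the set of vulnerability classes is the equivalent of re-running the simulation with a different attack source or traffic type. In monitor mode the same function would simply be re-evaluated whenever a firewall rule or asset record changes, alerting when the result set grows.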

Policies can be written to a significant level of granularity without becoming too challenging to produce. Results of assessments can be shown on the network topology and data can be aggregated to show conversations. Known bad networks and country connections add to the richness of available data for use in analyses. Overall the tool offers four primary data models: connections, configuration, topology and policy. These, and the way they function together, make one powerful risk management tool.


Product: QRadar Risk Manager
Company: Q1 Labs
Price: From $30,000
What it does: This is a comprehensive, well-integrated solution to the challenge of risk, threat and fraud management, with a healthy dose of compliance reporting thrown in for good measure.
What we liked: The comprehensive nature of the product. It goes beyond integration of functions and presents a single, well-designed tool with lots of capabilities. The distinction is subtle, but very important.
What we didn't like: While it is good that QRRM supports 10 vulnerability assessment products, we wish that Q1 had built in their own. This is the only part of the system where the only solution is to use someone else's product.
