Inside a Network Operations Center
Harvard's NOC uses tools from TopLayer and Q1 Labs to keep an eye out for security problems.
In another case, a network administrator at Harvard Medical School called to report that the school's network was under attack. The operators in the Network Operations Center logged in to the QRadar system and immediately saw that the medical school was the target of a "smurf" denial-of-service attack (ICMP echo requests sent to broadcast addresses with the victim's address forged as the source, so that every host on the amplifying network answers the victim at once). The team added a few filtering rules to the Harvard border routers and the attack ended.
"I've never come across a tool that has been able to give the pivot views of data as quickly as QRadar," says Tumas. The system lets Tumas quickly see the total levels of traffic and then break them down according to different categories, such as network protocol, administrative controls, geographical location, time or security severity.
The QRadar system runs on a dedicated dual-processor server running Linux. The packets and databases are stored on a 6-terabyte storage area network connected with fibre channel. When I spoke with Tumas the system was recording the first 64 bytes of every packet, which translated to roughly 30 days' worth of data. It turns out, though, that storing the first 64 bytes of each packet isn’t tremendously useful—you can't reassemble images or webpages, for example. The plans are to reconfigure the system so that it just keeps metadata about each network connection but discards each packet. With this change, the system should be able to keep six months' worth of forensic information.
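To make the two capabilities above concrete, the pivot views Tumas describes and the kind of signal that exposes a smurf attack, here is an added example over per-connection metadata of the sort the system is being reconfigured to keep. It is not QRadar code and not Harvard's configuration; the flow records, addresses (documentation ranges) and thresholds are all constructed for illustration.

```python
"""Pivot flow metadata and flag smurf-style ICMP reflection.

Added example, not QRadar or Harvard code. The Flow records below stand in
for the per-connection metadata a collector keeps once it stops storing
packet bodies; everything here is constructed sample data."""
from collections import Counter, defaultdict
from dataclasses import dataclass
from ipaddress import ip_network


@dataclass(frozen=True)
class Flow:
    ts: int         # epoch seconds
    src: str
    dst: str
    proto: str      # "icmp", "tcp", "udp"
    icmp_type: int  # 8 = echo request, 0 = echo reply, -1 = not ICMP
    bytes: int


def pivot(flows, key):
    """Total bytes broken down by one attribute, like a pivot view.

    key is one of 'proto', 'dst', 'src_net' (the /24 of the source) or 'hour'."""
    totals = Counter()
    for f in flows:
        if key == "proto":
            k = f.proto
        elif key == "dst":
            k = f.dst
        elif key == "src_net":
            k = str(ip_network(f"{f.src}/24", strict=False))
        elif key == "hour":
            k = f.ts // 3600
        else:
            raise ValueError(f"unknown pivot key {key!r}")
        totals[k] += f.bytes
    return dict(totals)


def find_smurf_victims(flows, window=60, min_sources=20, max_ratio=0.1):
    """At the border a smurf attack looks like ICMP echo replies from many
    distinct hosts converging on one local address that itself sent few or
    no echo requests. Returns {victim: (peak distinct reply sources in one
    window, echo requests the victim sent)}. Thresholds are illustrative."""
    replies = defaultdict(lambda: defaultdict(set))  # dst -> window -> sources
    requests = Counter()                              # src -> echo requests sent
    for f in flows:
        if f.proto != "icmp":
            continue
        if f.icmp_type == 0:
            replies[f.dst][f.ts // window].add(f.src)
        elif f.icmp_type == 8:
            requests[f.src] += 1
    victims = {}
    for dst, windows in replies.items():
        peak = max(len(sources) for sources in windows.values())
        sent = requests[dst]
        if peak >= min_sources and sent <= max_ratio * peak:
            victims[dst] = (peak, sent)
    return victims


# Constructed sample traffic (addresses from RFC 5737 documentation ranges).
T0 = 1_700_000_000
FLOWS = [
    Flow(T0 + 1, "192.0.2.20", "203.0.113.5", "tcp", -1, 4_000),
    Flow(T0 + 2, "203.0.113.5", "192.0.2.20", "tcp", -1, 120_000),
    Flow(T0 + 3, "192.0.2.20", "203.0.113.7", "udp", -1, 800),
]
# Benign pings: 192.0.2.20 pings three hosts and gets three replies back.
for i, host in enumerate(("203.0.113.1", "203.0.113.2", "203.0.113.3")):
    FLOWS.append(Flow(T0 + 10 + i, "192.0.2.20", host, "icmp", 8, 84))
    FLOWS.append(Flow(T0 + 10 + i, host, "192.0.2.20", "icmp", 0, 84))
# Reflected flood: 30 hosts in 198.51.100.0/24 answer echo requests that an
# attacker sent with 192.0.2.10 forged as the source; 192.0.2.10 never pinged.
for i in range(1, 31):
    FLOWS.append(Flow(T0 + 20 + i % 5, f"198.51.100.{i}", "192.0.2.10", "icmp", 0, 1_500))

if __name__ == "__main__":
    print("bytes by protocol:", pivot(FLOWS, "proto"))
    print("bytes by source /24:", pivot(FLOWS, "src_net"))
    print("smurf victims:", find_smurf_victims(FLOWS))
```

Note that only headers are needed for either view: neither the protocol breakdown nor the reflection check touches packet payloads, which is why dropping the first 64 bytes of each packet in favour of connection metadata costs nothing here while multiplying retention.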
Like many modern security appliances, QRadar is accessed over the Internet using a Java applet that runs inside a Web browser. The system at Harvard has been set up so that individual network managers can view the data associated with their own networks. This allows managers to solve their own problems without bothering the team at the network operations center. It also means that QRadar can be used for network debugging and even performance tuning, rather than solely for security management.
Needs Improvement
For all of this power, there are at least two problems with the QRadar system that were evident to me during my tour: one that is currently a limitation of the system itself, and one that isn't.
The annoying limitation with QRadar is that the system really doesn't understand how packets are routed on the Internet: it knows nothing about Internet autonomous systems, peering relationships or the Border Gateway Protocol (BGP). When QRadar sees traffic leaving Harvard it knows the destination network, but it doesn't necessarily know the destination organization. If QRadar understood BGP, it could build a map of the networks an outbound packet was due to traverse. The Harvard network operations group would like to see this deficiency addressed, and the sooner the better.
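What "understanding BGP" would buy the operators is shown by the following added example, which is not QRadar code and not based on Harvard's routing table. It does a longest-prefix match over a constructed BGP-style table, reads the origin AS off the end of the AS path to name the destination organization, and reports the AS path the packet would traverse. Prefixes are from the documentation ranges, AS numbers are from the reserved documentation range, and the AS-to-organization names are hypothetical.

```python
"""Resolve a destination address to its originating organization and the
AS path a packet would follow, using a constructed BGP-style routing table.

Added example, not QRadar code. Prefixes are RFC 5737 documentation ranges,
AS numbers are from the documentation range 64496-64511, and organization
names are hypothetical."""
from ipaddress import ip_address, ip_network

# Each entry is (prefix, AS path as seen from our border router). The first
# AS is our upstream, the last is the origin AS that announces the prefix.
RIB = [
    ("203.0.113.0/24",   [64496, 64500]),
    ("203.0.113.128/25", [64496, 64501, 64502]),  # more specific, other origin
    ("198.51.100.0/24",  [64497, 64503]),
    ("0.0.0.0/0",        [64496]),                 # default route
]

AS_ORG = {  # hypothetical organization names
    64496: "Upstream-A",
    64497: "Upstream-B",
    64500: "Org-X",
    64501: "Transit-C",
    64502: "Org-Y",
    64503: "Org-Z",
}


def build_table(rib):
    """Sort most-specific prefix first so a linear scan yields the longest match."""
    entries = [(ip_network(prefix), list(path)) for prefix, path in rib]
    return sorted(entries, key=lambda e: e[0].prefixlen, reverse=True)


def lookup(table, dst):
    """Longest-prefix match; returns (network, as_path) or raises LookupError."""
    addr = ip_address(dst)
    for net, path in table:
        if addr.version == net.version and addr in net:
            return net, path
    raise LookupError(f"no route to {dst}")


def describe(table, dst):
    """Everything a security analyst would want next to a destination address.

    A match on the default route means the table carries no announcement for
    the address, so the origin is unknown rather than the upstream."""
    net, path = lookup(table, dst)
    default = net.prefixlen == 0
    origin = None if default else path[-1]
    return {
        "prefix": str(net),
        "origin_as": origin,
        "organization": "unknown (default route)" if default
                        else AS_ORG.get(origin, f"AS{origin}"),
        "as_path": path,
    }


TABLE = build_table(RIB)

if __name__ == "__main__":
    for dst in ("203.0.113.5", "203.0.113.200", "198.51.100.9", "192.0.2.1"):
        print(dst, describe(TABLE, dst))
```

In a real deployment the table would come from a BGP feed (a route collector, a looking-glass export, or a session with the border router) and the origin AS would be enriched from WHOIS or IRR data; the longest-prefix logic and the distinction between a real announcement and a default-route fallback are what carry over.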