IBM QRadar Room for Improvement
In terms of the GUI, they need to improve the consistency. It has been written by different teams at different times. So, when you go around the interface, you'll find a lot of inconsistencies in terms of the way it works.
I'd like them to improve the offense. When QRadar detects something, it creates what it calls offenses. So, it has a rudimentary ticketing system inside of it. This is the same interface that was there when I started using it 12 years ago. It just has not been improved. They do allow integration with IBM Resilient, but IBM Resilient is grotesquely expensive. The most effective integration that IBM offers today is with IBM Resilient, which is an instant response platform. It is a very good platform, but it is very expensive. They really should do something with the offense handling because it is very difficult to scale, and it has limitations. The maximum number of offenses that it can carry is 16K. After 16K, you have to flush your offenses out. So, it is all or nothing. You lose all your offenses up until that point in time, and you don't have any history within the offense list of older events. If you're dealing with multiple customers, this becomes problematic. That's why you need to use another product to do the actual ticketing. If you wanted the ticket existence, you would normally interface with ServiceNow, SolarWinds, or some other product like that.
Their support should also be improved. Their support is very slow, and it is very difficult to find knowledgeable people within IBM.
Its price and licensing should be improved. It is overly expensive and overly complex in terms of licensing.View full review »
There are a lot of things they are working on and a lot of technologies that are not yet there. They should probably work out a better reserve with their ecosystem of business partners and create wider and more in-depth qualities, third-party tools, and add-ons. These things really give immediate business value. For instance, there are many limitations in using SAP, EBS, or Micro-Dynamics. A lot of things that are happening in those platforms could also be monitored and allowed from the cybersecurity risks perspective. IBM might be leaving this gap or empty space for business partners. Some larger organizations might already be doing this.
It would be very nice if IBM can make some artificial intelligence part free of charge for all current QRadar users. This would be a big advantage as compared to other competitors.
There are companies that are going in different directions. Of course, you can't do everything inside QRadar. In general, it might be very good for all players to provide more use cases, especially regarding data protection and leakage prevention. There are some who are already doing some kind of file integrity or gathering some more information from all possible technologies for building anything related to the user and data analysis, content analysis, and management regarding the data protection.View full review »
Management Executive at a security firm with 11-50 employees
The only challenge with products like IBM is the EPS. You just have to be really on the events per second, as that's where the cost factor becomes a huge issue.
You do need proper training. Better training leads to better implementation. South Africa does not have the most knowledgeable technical support team. One challenge that you have in South Africa is the quality of the IBM resources. They're not up to the level companies need. I have to criticize IBM on that point - the skill level in South Africa and the South African franchise of IBM doesn't necessarily meet the quality of the product.
They can improve on the architecture. It's the way you deploy it. It's your enterprise architecture team that needs to understand it well. Again, due to our unique skillset on it, we deploy it in a very different way where we reduce the consumption of events per second, which reduces the overall cost of it. However, with the architecture, you need to get better guidance from IBM in terms of the way which the architecture is done.
What I will say about IBM is that if you deploy it stock standard, it can be a very expensive tool, especially with your events per second, and where the way you deploy it architecturally will determine how much it costs you to manage it, as your events per second can be reduced through proper architecture. It's critical to an IBM install that a user understands the architecture and the deployment strategy.
One thing one has to be aware is that qRadar doesn't have a standard UI style, but older (clunkier) and newer (more modern and easy to use) screens. The QRadar UI involves a lot of clicks and pop-ups to get where you want, which is certainly not the best UX, but isn't totally a pain also. Although it's a bit difficult to navigate through screens at first, the UX is pretty good once you learn the "qRadar way", which takes about a few weeks to master.
Senior IT Technical Support at a training & coaching company with 1,001-5,000 employees
As per Gartner, maybe the price makes it so that the customers are not going for IBM QRadar. It's a little bit pricey compared to other solutions in the market. More or less that's the area that needs to be improved. That's usually the main concern that we receive from the customers - that it's a little bit pricey. That's the only thing I can say.
The custom rules could be simplified more or it should be possible to use a different language, other than the ones that the solution is already using. They should add other languages into the mix. You need some advanced customers in order to use the custom rules or to use their rules in order to configure the IBM QRadar in a proper way. Usually, they find it very difficult, especially if they don't have the experience.
Sometimes it works and catches whatever we want, however, sometimes it doesn't work. That's in rare cases, however, that's one thing that they need to maybe enhance.
A lot of information that we receive for the devices is IP-based, but it would help if we could have a default dashboard in which we can add more details about the assets for which we are receiving the information. For example, if it is a Windows or Linux device, we only get the IP for that particular device. We don't really get the name and other details of that particular device. For that, you have to drill down into your own asset management system. It would be good to have a place where we can probably add this information so that we don't have to look into other tools.View full review »
Right now, if you look at the compatibility, if you need to deploy QRadar in a physical appliance you have only two choices of server, their own or a Lenovo server. In today's world, you cannot keep something tied to such a big brand. Clients want to be able to use whatever type of server they want. It's very limiting for many. You need that flexibility to deploy on any Intel platform.
IBM doesn't have people in every corner of the world. Oracle, for example, is actively training and certifying people so that companies will have access to local connections. IBM is lacking this, and therefore it can be difficult to get qualified support when a customer needs it. They should try to replicate the Oracle approach to training and certifications.View full review »
The performance of the solution could be improved. Right now, it's the weakest aspect. I wish it was better.
Technical support could be improved by a bit.View full review »
Senior Solutions Architect at a manufacturing company with 51-200 employees
When it comes to what could be better, it is always what others are trying to do and what is the roadmap. It can have more integration. It should have more flexible RESTful APIs for integration with applications. These are the things that are always in demand for any of the SIEM solutions, not only for QRadar.
Integration is ever-evolving. Nowadays, different versions of mobile handsets are there and data is getting scattered. Users are using their personal handsets to keep the data of the organization. So, it should have a more flexible integration, irrespective of the flavor of the firmware and iOS or Android version. It should have an API that can seamlessly get integrated. It should also provide more flexible control and a more advanced or analytical view to see what exactly is happening across the globe or network. From wherever a user is connecting and accessing the enterprise data, it should give real-time visibility and predictive visibility about what exactly is happening. These things are already there, but there should be more advanced control in terms of managing the security.View full review »
Analyst at a tech services company with 501-1,000 employees
There are two ways you can pull logs: one way is where you can receive logs or send logs using the agents and previous transformation and the other way is where QRadar logs onto the servers using the admin account and then pulls the logs itself. The functionality that I would love to see with that remote pulling is to have the ability to also select what logs its pulling because when you use MSRPC now to receive loads from your log surface, it basically pulls all the events from that server. So even the noisy events that would overshoot your EPS, would also be pulled. So for particularly active or high servers that generate a whole lot of security events, let's say like your SFTP server that has a lot of devices on your network connecting to it, if you try to pull the logs remotely it would overshoot your EPS really quickly.
So if they could improve the functionality of the remote pull to also be able to select the logs that it is pulling from the log sources, that would be very, very effective. The reason for the pull is because the agents are not tamper-proof and any administrator can help shut down the service and uninstall the application and a whole lot of other things. Basically, your listening agent is at the mercy of the administrators, and for a security device or security software, that is a big vulnerability, because anybody can then go into the server, stop the agent, and then run any command or make any change they want to do, which would make your monitoring null and void. It would be good if the agent itself could be tamper-proof. And back to the first point, the reason why I prefer the remote pull is if there's no agent on the server and it's the console logging onto the server, your monitoring is much more secure. Regardless of what changes are being made on the server or what's going on the server, if the server is shut down and then a newer version is brought up with the same hostname and IP address, you would not need to go back in and re-install the agent. The console would just automatically connect back to that server once the IP address and the host are back up.
Additionally, I would like the rule creation interface to be much more user-friendly in the next release.
SOAR is what is expected the most from QRadar. They have something called SOAR Resilient, and it would be great if that gets induced in SIEM. IBM QRadar (as well as McAfee ESM) should have analytics platform integration. Currently, SIEMs don't have full-fledged integration with analytics where we are able to dump our data in SIEM, and the same data can be called from different analytics applications. We should be able to bring this data to a platform like Hadoop for big data and run the analytics there. Currently, people are seeing the past data and taking some actions in the present, but when it comes to analytics, there should be futuristic data where you can predict something out of your present and past data. Apart from that, I would like to see a full-fledged ITSM tool in QRadar.
It sometimes has some technical issues that need to be checked. It requires a dedicated QRadar engineer to completely manage it. It has different module sets, such as event collector and event processor, and some technical glitches come in between. It takes the log but doesn't exactly process it in the way we want.
If its pricing can be reduced, it would help a lot of customers in bringing in a new SIEM environment.View full review »
In terms of the government sector, sometimes they do not have enough money to buy a full SIEM. That's why they ask about some parts of the SIEM system or core. It can be expensive.
It would be ideal if they offered a barebone setup alongside an appliance. It's very interesting for different kinds of customers. Most of them prefer the core appliance, yet some of them prefer barebone.
It would be ideal if the solution offered new connectors to other systems.
The reporting system could use some upgrading.View full review »
Rama Krishna Bhaskarayani
Founder at Halainfosec
Automation is an area that people are looking for. IBM does have the SO solutions platform, but it would be more useful if they could have predefined use cases rather than using more generic ones. It would be much better if they could customize their use cases.
The IBM QRadar team has to be proactive and they have to be informative about the product.
They don't want to spend too much money on the SIEM because it is obviously resource-intensive. But the SIEM is a very useful product when you have good resources and good software.
For large organizations, that want to integrate all of the log sources, the pricing will be too expensive. This is the main reason that clients are not interested in SIEM solutions.View full review »
Information Security Specialist at a comms service provider with 501-1,000 employees
I really didn't like QRadar to be honest. I inherited it. I was part of the reason that we moved over to LogRhythm. The solution just isn't user friendly.
The solution is clunky.
The interface could be much better.
The integration capabilities within the product are not that great.
It doesn't have a SOAR system by default. You need to purchase it additionally, which is the main problem with QRadar.
Its reporting can be improved.View full review »
IT Security Analyst at a manufacturing company with 10,001+ employees
In terms of where it could be improved, this includes its forensics, incident response, and security operation center features. Additionally, some also struggle with the rules. We need more features in order to create rules to detect or to meet some requirements for other areas, such as catching the event from other authentication tools, like in Okta, for example.
In some cases, I have issues because some tools are not integrated in QRadar, such as other tools similar to DLP (Data Loss Prevention). We need to create all the integrations manually because they are not integrated in QRadar. We have a problem, for example, because they have Symantec DLP integrated in QRadar, however, it is not working because it's not detected automatically. It is not converting all the columns, but we do have the option to create manually. This is not difficult because it's very clear in the procedures.
Security Analyst at a tech services company with 51-200 employees
The solution has definite room for improvement. There were certain bugs we had to deal with. Bigger issues involve the quantity of rules involved in its deployment. Also, false positives can be obtained and there is a need to fine tune the solution once every month or two until everything is correct.
The stability and product support should also be addressed.
When an offense occurs, the source IP will automatically provide a source username which is not correct. For reasons I don't understand, it uses the team or the name of the last user of the computer and this is not always accurate. This means that there are times that I obtain offenses that are ascribed to my boss and which serve him. The solution ensures that the host is vulnerable to another attack. The solution will estimate that the targeted host is vulnerable to certain attacks.
Moreover, the solution may provide information of attacks that failed or that are irrelevant, such as vulnerabilities involving modems in which the target host is the Windows Server. This begs the question of why an offense that was and will always be blocked must be generated, such as that involving vulnerability from a modem.View full review »
I would like to see QRadar add more integration and interoperability. For instance, we are not able to send logs from Windows servers. We can send logs to the QRadar server from network devices and other types of servers. However, we have more than a hundred Windows servers that still don't use QRadar.
Technical support really needs to be improved. Right now, they aren't where they need to be at all.
The solution is very expensive. We'd appreciate the product more if it came at a lower price point.View full review »
IBM QRadar has outdated technology, and this is its area for improvement. When you try to implement an analytic expression, it's not updated. The solution doesn't support newer technologies, and it doesn't update regularly. For example, around the world, others implement new technologies, while IBM updates later than others.
There isn't any additional feature I'd like added to IBM QRadar at this point because it's sufficient for visualizing the logs.View full review »
I don't look at only the features and benefits; I also look at the price. It is a bit expensive when compared with other solutions. It is expensive for specific deployment topologies, and the decision-makers go for alternatives like ArcSight.
It should also have more AI features or capabilities for better threat intelligence. The more it uses machine learning, the better would be the dashboard, analytics, and other things.View full review »
Chief Technology Officer at a tech services company with 51-200 employees
I think the user management model is very detailed but you really have to know what you're doing just to be able to manage things. I think the solution lacks some maturity. When you put it in a large organization as a security system or a cybersecurity system and you want to enable automation, it's difficult to get that level of maturity.
IM Operations Manager at a tech services company with 1,001-5,000 employees
IBM Qradar could improve the reporting. The tool is not designed to report. It's a great operational monitoring tool. You put it on a screen and you watch it. If you want to have analytics out of it, that's a whole different story. You're going to need more people and tools. What should be added is reporting and integration into Power BI, into some capability that produces analytical reports from the source data. IBM does not seem to care to add these features.View full review »
Managed Security Product at a comms service provider with 1,001-5,000 employees
The features that could be improved include the licensing model and the dashboards and all those presentations. Overall, the user experience part can be improved.
Additionally, the coverage, the connectors, and the flex connectors for legacy systems and other aspects could be improved. This is something they can work on and improve.View full review »
There should be easier and wider integration opportunities. There should be more
opportunities for integration with CTI info sharing areas. On platforms where you exchange CTI, there should be more visibility connected to what we share, what we can reach, or what options are connected to CTI info sharing. This is one area where they could add value because we cannot integrate it easily with QRadar. If a client has a legacy or already existing solutions for CTI, we cannot ask them to forget it because we cannot guarantee that QRadar is able to deliver everything connected to this area.
The implementation of the solution's technology needs to be simplified. It is overly complex.
The integration also must be simplified.
The licensing is also overly complex, as there is a need to buy the work load performance monitoring separately. These are the different modules we need to buy.
IBM does not provide a combined, combo suitor solution which the customer can easily look at. The multiple functionalities are segmented and do not allow for an idea which is complete. It makes it difficult for us to do a realistic comparison with other products. I hope that others follow suit.View full review »
Solution Architect Cybersecurity at a tech services company with 501-1,000 employees
I was going to say that the reporting could be improved, but IBM recently introduced a new cloud-based security service that integrates with QRadar. Now, reporting is much easier than before. I personally can't think of an area for improvement.View full review »
Senior Cyber Security Engineer at a logistics company with 10,001+ employees
When it sends the log source, QRadar generates a lot of noise and false positives. LogRhythm logs when the alarm rules are disabled, so it doesn't generate any noise when sending the log source. I think LogRhythm's one, this one too. QRadar, we have to cure it all the time. It's only this advantage with QRadar.
I would also like to see more integration with other vendors. IBM doesn't integrate well with products from China, like Huawei. Many Middle Eastern customers are switching to Huawei from American vendors like Cisco because of the price. In most RFPs, Huawei wins because it costs less.
IBM needs to integrate better with Huawei. I opened one case with IBM, and they told me to submit a request for enhancement so they could write the correct DSMs to integrate with Huawei. We were very disappointed. Customers who want to implement QRadar or LogRhythm need to consider all the other components. The environment needs to be homogenous to avoid problems due to a lack of integration.View full review »
Several things need to be improved.
We have been struggling with the QRadar support team for quite a long time. There are things that they can reproduce in their lab environment and can fix, yet we struggled with them trying to get this done. These issues included things like custom logs. There are many things that they need to improve upon.
This product should support multiple log sources.
They need to improve their threat intelligence feed and they need to improve their user behavior analytics modules.
The risk manager module needs to be improved.
It's not a very user-friendly interface.View full review »
IT Solutions Product Manager at SMTSTECH
I have noticed a few things while working on this. After the restart of the server, sometimes, the services misbehave, and you need to manually start or restart the service. I have seen that specifically with the Tomcat service.
Sometimes, when you click on log sources, instead of opening the log source extension, it redirects you over the internet.
There are two types of dashboards in QRadar. One is the conventional or old one, and the other one is Pulse. The Pulse dashboard is better, but we would like to have more options in the dashboard.
Additionally, if possible, there should be a single product for SIEM and SOAR. Instead of having QRadar and Resilient separately, there should be a combined solution to benefit from both. Furthermore, there should be a built-in mechanism to configure it in the cluster mode and high availability mode.View full review »
The threat intelligence functionality can be better. In addition, it can have more monitoring capabilities.View full review »
Senior Security Engineer at a tech services company with 1,001-5,000 employees
In terms of what could be improved, I would say the script which we have to create for custom actions. QRadar needs to improve that feature. Additionally, QRadar has to provide the playbooks designing features.View full review »
Manager SOC at a comms service provider with 10,001+ employees
I have also been working with other SIEM solutions, and I have observed that they have extensive Linux-based and Unix-based integrations. They have been able to support some of the Linux-based agents, which is useful to investigate and process the information on the Linux and Unix side.
It could have pre-defined automation and integration of all those device parameters that analysts have to share manually.View full review »
Head of IT Security, Governance and Compliance at a consumer goods company with 10,001+ employees
The modularity could be improved.View full review »
They should speed up the incident response and also, at the same time, reduce the amount of manual effort that is required.
A nice enhancement would be the incorporation of more artificial intelligence and machine learning capabilities.View full review »
Team Lead & Principal Software Engineer at a tech services company with 51-200 employees
I would like for Yara to be supported by all components.View full review »
Solution Security Architect at PT. Sinergy Informasi Pratama
The concern with QRadar is that there are so many features in the dashboard, too many menus that require going to two or three sub-monitors to enter the QRadar. The user interface is good but there are so many features that can be confusing for the administrator. It could be simplified.
Ingénieur d'étude R&D at DOGA
I'm not sure if there are any features missing from the solution. It's pretty complete.
The pricing of the solution is a bit high. If they could lower it, that would be ideal.View full review »
The advanced planning management (APM) features should be included. We are facing an issue where many of the software houses in Pakistan have developed their own in-house. They have integrated the APM tool with their monitoring solution. This feature is attracting clients and I think that it should be included.View full review »
Queretaro at a tech services company with 1-10 employees
The initial setup requires that you have somebody with the proper skill set, and it would help if the configuration were easier.
The user behavior analysis could be better. The playbook guide which specifies the rules for security use cases needs to be provided to support in case the organization needs help. The security playbook needs more help when it comes to QRadar. The QRadar implementation guide, especially in cluster environment, is complicated to deploy in an enterprise level. The support of SIEM of QRadar is complicated and when we encounter implementation issues it needs quick response. The skilled resources are really important for support.View full review »
IBM QRadar has a margin for development, for out-of-the-box use cases. It can be enhanced with better support and automate the use cases for that.View full review »
SOC Team Lead at a financial services firm with 1,001-5,000 employees
There could be better integration with the solution.View full review »
Deputy General Manager at a comms service provider with 5,001-10,000 employees
Since we have not used the solution very long my information is limited when it comes to improvements. I have noticed the interface has room for improvement.View full review »
The product needs to improve its GUI. The dashboard which they facilitate needs to be modernized. They could make it a lot better and a lot easier to navigate.View full review »
Director of Information Security at a financial services firm with 501-1,000 employees
Some of the cloud apps need improvement.
In the next release, I would like to see improving the stability of some of the add-on applications.
IT Security Manager at a tech services company with 201-500 employees
In terms of what could be improved, I'd say do nothing, in its current state it does quite okay for now.
The biggest problem was built on top of the QRadar in the executive operations center network. The integration was not using the network security specialist properly, and all the incidents were inferior with QRadar. Its compatibility is not really good
Sr.Network Engineer at NTT Security
I am looking for a solution to replace IBM QRadar. We use it for incident reporting, but I need one for behavior analytics. I need one which will send alerts in the event of any behavior.
The solution is fine for analyzing logs. We already have basic modules. We require more modules for getting so that we may obtain further details. We essentially use IBM QRadar for analyzing particular logs.
There are no additional features which should be added or upgraded in the next release.View full review »
Security Sales Consultant at Google, LLC
I think they could change their pricing model to be more cost effective. It currently relies on data ingestion. I'd like to see IBM extend their capability with the solution to include more than just fault finding, features such as predictive identification of threads. Having better support for things like MITRE and the ATT&CK chain, and using all of the known attacks that are out there when they're actually spotting events and correlations.
Sr. Information Security Analyst at a insurance company with 51-200 employees
The user interface is a bit difficult to get used to. Once you do, it's not difficult.View full review »
Vice President at a financial services firm with 10,001+ employees
The solution should enhance its capabilities of UEBA and AI/ML tech modeling.
IBM QRadar User Behavior Analytics is good, but I think the functionality should be much more integrated. You should have easy access to the artifacts if you are doing a particular investigation. It's good, but other team solutions like LogRhythm are actually merging the functionality. So, I think that is something IBM can work on.View full review »
QRadar needs to be more specialized, along the lines of what other SIEM solutions are. It needs to be more detailed.
Incorporating an AI component is needed, where the learning feature identifies malicious activities coming into the network.
The GUI and reporting need to be improved.
The footprint needs to be optimized because the application footprint is too heavy. The machine requires a very high amount of resources.View full review »
The solution is highly used here in Pakistan and in many sectors, they could improve it by having more SIEM connectors.View full review »
Assistant IT Manager at a insurance company with 1,001-5,000 employees
It would be better if it were more stable and more secure. The price for maintenance could be better. It's too high. In the next release, I think they should focus on the price and the operation.View full review »
Professional Services at a tech services company with 51-200 employees
The support process needs to be improved.
Every SIEM solution has issues with plugins, as they have to connect to different log systems. It can affect security, infrastructure, and other things. IBM should continue to expand its database and cover as many systems as possible.View full review »
Head Of Sales at Cascade Solutions Inc
Right now, there are a lot of solutions in the market that consider themselves next-gen SIEM solutions, like AzureVM. IBM QRadar can be revised considering the competition, market segment, references, and the maintenance of the landscape.
Some modules can be shared as embedded within the same solution because this would be a compelling edge versus others. When it comes to other products, like LogRhythm for example, they can consider the SOAR and the threat Intel embedded with the SIEM Solution licenses. However, when it comes to IBM, they consider each module as a separate license with a separate cost. So it doesn't make sense to compete if the customer isn't convinced with IBM, because you'd have tough competition when it comes to financials.View full review »
Regional Director, Customer Success (GTM Solutions & Services) at a tech services company with 51-200 employees
IBM is going through some problems with its resources currently making its support response time slow.View full review »
Practice Head at a tech services company with 51-200 employees
The technical support can be improved a little bit, and the price could be cheaper.View full review »
There is a shortage of skilled individuals with knowledge about the solution. There should be more training programs to teach and enable users get familiar.View full review »
It is not easy to use.
The updates are not very easy. It is very complex. I would like to see the update process simplified.
When I said "it is not easy to use", I mean that QRadar is not for beginners.
Needs high competence and skyll to use it in a satisfactory way to really help customers.
The complexity is not a flaw, but it si a necessary quality for QRadar to be a truly effective tool in a Cyber environement.
Certified AIX I.T Manager at a financial services firm with 10,001+ employees
The GUI of QRadar should be improved.View full review »
The biggest drawback of this solution is the price.
The threat detection needs improvement, they have many false positives.
It is important to have good architecture. If you have problems and you don't have a strong architecture you, will have trouble with this solution.View full review »
AVP - Security at a tech services company with 501-1,000 employees
This solution is on-premise and many customers are moving to the cloud base solution.View full review »
Information Security Leader at a computer software company with 1,001-5,000 employees
The only problem is that if you have too many events that occur, then the storage capacity becomes a problem. We would need to increase the storage capacity.View full review »
If you have too many events that occur, then the storage capacity becomes a problem. You need to have more storage.View full review »
Senior Security Engineer at a wholesaler/distributor with 10,001+ employees
In a future release, the solution could provide malware analysis.View full review »
The usability of interfaces could be improved and the solution could have better correlation services, as well as faster and updated intelligence interfaces.View full review »
There needs to be better integration with other applications.View full review »
Pre-Sale Consultant (Technical) at a tech services company with 51-200 employees
We have had problems with networking.View full review »
Technical Presales at a tech services company with 1,001-5,000 employees
I think that the search speed of this solution could be improved.View full review »
Network Security Engineer at a computer software company with 51-200 employees
IBM QRadar could improve the plugins and threat detection.View full review »