IBM Security QRadar Reviews

Our primary use case is for monitoring global infrastructure.

The feature that I have found most valuable is how it monitors the real network. That is its leading security feature.

In terms of what could be improved, I'd say do nothing, in its current state it does quite okay for now.

The biggest problem was built on top of the QRadar in the executive operations center network. The integration was not using the network security specialist properly, and all the incidents were inferior with QRadar. Its compatibility is not really good

I have been using IBM QRadar for more than five years.

I'm using the latest version of QRadar.

The stability is very good. Its operation is very good.

We have less than five people using it.

For us, as a small security company, it is covering our needs and our growth.

Customer support is good. When an incident gets raised there is a 10 day response.

The initial setup was complex.

We use the vendor for everything. That is the style of the corporation. For these jobs the responsibility and knowledge is on the vendor's side.

Implementation is over time and the maintenance price for QRadar is competitive.

On a scale of one to ten, I would give IBM QRadar a seven.

Overall, I would of course recommend this product to others because of all its functionalities.

We primarily use the solution for breach management. We use it for identifying rogue IPs and picking up anomalies in terms of the network traffic coming in. We've seen a year of use cases in terms of breach management and incident management. We find IBM QRadar quite relevant in terms of protecting against potential malicious traffic coming into your organization. 

Obviously, it is evolved, and where we're utilizing IBM QRadar is to do other analytical capabilities, which include identity and access management. We've got a unique way where we use the platform to generate a view of all your identities and access that is granted within your environment and so forth. We are able to map that using IBM QRadar, which is not a use case that is normally thought about, however, we found from an analytical point of view, this is what we can do because we get all the information we need here.

IBM QRadar is phenomenal as a SIEM SOC solution. In terms of its capability, in terms of its usability, in terms of the SOC solutions or SIEM solutions out there, we find QRadar the most user-friendly. 

It gives you the right coverage as the analytical platform that's coupled with Watson is phenomenal.

From a deployment perspective, we found it very, very good.

What we like about QRadar and the models that IBM has, is it can go from a small-to-medium enterprise to a larger organization, and it gives you the same value.

It's easy to use if you go through the proper training. We find that the current IBM team in South Africa is not as good as the teams abroad, however, if you get the right support and the right training, which we have got, we find it very, very, very customizable and user-friendly. 

What we have done is we do not use a lot of level-one analysts. We use a lot of developers, so we constantly evolve the rule-set. Most of the organizations that have employed QRadar, what they do is they stack it up with level-one and level-two analysts, as opposed to having more security developers who enhance the rule-set, due to the fact that all of the same technologies work on rule-sets. If you can dynamically change the rule-set on the fly, you're good. We have got a different model in terms of the way we operate a SOC, where we have more developers amending the rules, you will lessen the number of false positives that you encounter. The biggest problem with most of the SIEM technologies out there is that you get too many false positives, and again, it impacts your operational SOC. We don't have that issue here. 

The only challenge with products like IBM is the EPS. You just have to be really on the events per second, as that's where the cost factor becomes a huge issue.

You do need proper training. Better training leads to better implementation. South Africa does not have the most knowledgeable technical support team. One challenge that you have in South Africa is the quality of the IBM resources. They're not up to the level companies need. I have to criticize IBM on that point - the skill level in South Africa and the South African franchise of IBM doesn't necessarily meet the quality of the product.

They can improve on the architecture. It's the way you deploy it. It's your enterprise architecture team that needs to understand it well. Again, due to our unique skillset on it, we deploy it in a very different way where we reduce the consumption of events per second, which reduces the overall cost of it. However, with the architecture, you need to get better guidance from IBM in terms of the way which the architecture is done. 

What I will say about IBM is that if you deploy it stock standard, it can be a very expensive tool, especially with your events per second, and where the way you deploy it architecturally will determine how much it costs you to manage it, as your events per second can be reduced through proper architecture. It's critical to an IBM install that a user understands the architecture and the deployment strategy. 

I've been dealing with the solution for a very long time. It's likely been about six years or so at this point. I've used it for a while.

We've got three customers on the solution currently. 

Technical support is lacking in South Africa and it doesn't meet the quality of the product. We're not quite satisfied with the level of service of knowledgeability on offer here. 

They need to be faster and more knowledgeable. If you log a ticket to South Africa, they can be quicker and more knowledgeable about issues. It's a problem within South Africa where the skill level of the IBM local team is not to the level it should be. Whether it's training or support, there's a problem. It's not the greatest.

The initial setup can be difficult if you don't have a good understanding of the product, for us, it's not too difficult. 

To do a small deployment takes us about two weeks.

When we did the deployment for one of our clients recently it took us four engineers from our side and four engineers from the outside to deploy it within two weeks. 

We handle deployments for our clients. Occasionally we need outside assistance. 

From a return on investment, the client sees in terms of its value from an IBM perspective, is a massive value from the deployment of QRadar.

On-premises is pretty expensive as opposed to the cloud. 

You do need to pay for a year subscription. You are charged at events per second as well. 

On QRadar, we look at the cloud-based uses as opposed to on-premise due to the cost factor. 

In terms of SIEM technologies, in terms of what you can get, I would rate it an eight out of ten. The QRadar platform is phenomenal in terms of what it does.

If you want to get the best out of IBM, spend more time on the rules generation and the modification of the rules.

We are using IBM QRadar for threat protection and management.

IBM QRadar could improve the plugins and threat detection.

I have been using IBM QRadar for approximately seven years.

The solution is stable.

I have found IBM QRadar to be scalable.

The price of this solution is reasonable.

I rate IBM QRadar a seven out of ten.

We use IBM QRadar to monitor security logs across the network.

One very useful feature is the plug-in offering that allows you to integrate it with other solutions, such as integrating it with plug-ins like ForeScout, Carbon Black, and the rest. Additionally, the ability of the agents to filter using XPath query to filter out the specific events you want to pick from, especially Windows log sources, is also very useful. That goes a long way in managing the EPS of the solution.

There are two ways you can pull logs: one way is where you can receive logs or send logs using the agents and previous transformation and the other way is where QRadar logs onto the servers using the admin account and then pulls the logs itself. The functionality that I would love to see with that remote pulling is to have the ability to also select what logs its pulling because when you use MSRPC now to receive loads from your log surface, it basically pulls all the events from that server. So even the noisy events that would overshoot your EPS, would also be pulled. So for particularly active or high servers that generate a whole lot of security events, let's say like your SFTP server that has a lot of devices on your network connecting to it, if you try to pull the logs remotely it would overshoot your EPS really quickly.

So if they could improve the functionality of the remote pull to also be able to select the logs that it is pulling from the log sources, that would be very, very effective. The reason for the pull is because the agents are not tamper-proof and any administrator can help shut down the service and uninstall the application and a whole lot of other things. Basically, your listening agent is at the mercy of the administrators, and for a security device or security software, that is a big vulnerability, because anybody can then go into the server, stop the agent, and then run any command or make any change they want to do, which would make your monitoring null and void. It would be good if the agent itself could be tamper-proof. And back to the first point, the reason why I prefer the remote pull is if there's no agent on the server and it's the console logging onto the server, your monitoring is much more secure. Regardless of what changes are being made on the server or what's going on the server, if the server is shut down and then a newer version is brought up with the same hostname and IP address, you would not need to go back in and re-install the agent. The console would just automatically connect back to that server once the IP address and the host are back up.

Additionally, I would like the rule creation interface to be much more user-friendly in the next release.

I have been using IBM QRadar every day for the last 12 months.

In terms of stability, it is very stable. In the almost two years in the environment, there has been only one issue. It was a disc failure and that was replaced within a week by the OEM.

Scalability might be an issue, but maybe it's because in our environment we do not use the application host. Since we use on-premise appliances we did notice that performance degraded a little when we added some plugins. So the recommendation was that we should have a separate application server that would host the application and then interface with the plugins and interface with the management console. But we do not have that within our environment so I can't speak to whether that would improve performance.

IBM tech support has been responsive.

I believe the initial setup was straightforward but I was not here for the setup, although I did not get any complaints.

The license is a yearly one.

I would recommend IBM QRadar. The user interface is really great and it simplifies the task of monitoring your environment.

On a scale of one to ten, I would give IBM QRadar an eight.

We use IBM QRadar for threat protection.

The most valuable features are log monitoring, easy-to-fix issues, and problem-solving.

There is a shortage of skilled individuals with knowledge about the solution. There should be more training programs to teach and enable users get familiar.

I have been using this solution for approximately one year.

The stability of the solution could improve.

We have approximately 20 people using this solution in my organization.

The technical support is great. Additionally, there are plenty of resources available to increase knowledge about the solution.

We have used other solutions in the past.

The installation is not very difficult, I did not have any problems.

We used consultants for the implementation. We have five engineers that do the maintenance of this solution.

There is a license required for this solution.

I would recommend this solution to others.

I rate IBM QRadar a seven out of ten.

We have a POC environment but have not onboard it to any of our clients.

The most valuable feature is the correlation function, which is flexible.

It is a bit easier to use than other products, such as Splunk or ELK Elasticsearch.

The technical support can be improved a little bit, and the price could be cheaper.

I have been using IMB QRadar for one year.

IBM QRadar is a stable solution.

Technical support needs improvement.

I know a little bit about Splunk and ELK Elasticsearch. We did not have a PoC with Splunk so it was just theoretical, but I did learn about it.

The initial setup is very easy.

IBM QRadar is a little bit expensive compared to other products.

I would recommend this solution to others who are looking for an on-premises solution. For a SIEM solution, it is the best one to go with. If they are interested in using the cloud, I would not recommend it. The cloud version of QRadar is QRoC and it is a bit complicated.

I would rate this solution an eight out of ten.

We are using the current version.

The solution supports MSSP models, which most service providers have. This means that a single system can be onboarded for all 200 existing customers for monitoring purposes. 

The implementation of the solution's technology needs to be simplified. It is overly complex. 

The integration also must be simplified. 

The licensing is also overly complex, as there is a need to buy the work load performance monitoring separately. These are the different modules we need to buy. 

IBM does not provide a combined, combo suitor solution which the customer can easily look at. The multiple functionalities are segmented and do not allow for an idea which is complete. It makes it difficult for us to do a realistic comparison with other products. I hope that others follow suit. 

We have been using IBM QRadar for almost eight-and-a-half years. 

No doubt about it, the solution is extremely stable. 

The solution needs to be redesigned to allow for scalability or for extending it to the existing one. There is a need to do long-term planning and migration from an existing to a new one and this cannot be easily accomplished. Storage cannot be added to the installation. One must completely migrate to the new storage to add additional terabytes. 

As such, the solution is not quite scalable. The scalability exists, but it requires migration. 

We are very happy with the technical support. 

The initial setup was extremely complex. 

We made use of an integrator. 

We have nearly two hundred customers making use of the solution.

We have direct contact with Ingram Micro or have a service partner relationship with it, but work directly with IBM as our ISP. 

We are a managed security service provider and wholesale customer of IBM QRadar

We buy a bulk license from IBM QRadar and host around 200 plus customers in a single integration so that all the customer events will be integrated in one solution. We are not integrators and do not resell their services.

As such, we don't buy the license or sell the tools to others. We will buy a license, inclusive of the services, host it with our private cloud and provide services to the end clients.

Our customer base of IBM users is limited. When it comes to a security operations center team, IBM will be looked to for providing security monitoring on an ongoing basis. We must see that it is working as it should be. 

I would recommend this solution to others. 

I rate IBM QRadar as an eight out of ten. 

Most valuable features include the granularity of information. Queries provide leads for finding information. We also deal with the Symantec team, which is a different one. 

The solution has definite room for improvement. There were certain bugs we had to deal with. Bigger issues involve the quantity of rules involved in its deployment. Also, false positives can be obtained and there is a need to fine tune the solution once every month or two until everything is correct. 

The stability and product support should also be addressed. 

When an offense occurs, the source IP will automatically provide a source username which is not correct. For reasons I don't understand, it uses the team or the name of the last user of the computer and this is not always accurate. This means that there are times that I obtain offenses that are ascribed to my boss and which serve him. The solution ensures that the host is vulnerable to another attack. The solution will estimate that the targeted host is vulnerable to certain attacks. 

Moreover, the solution may provide information of attacks that failed or that are irrelevant, such as vulnerabilities involving modems in which the target host is the Windows Server. This begs the question of why an offense that was and will always be blocked must be generated, such as that involving vulnerability from a modem. 

I have been using IBM QRadar for five years. 

When it comes to the scalability of the solution, it is possible to install many apps on top of IBM QRadar which can provide a host of views, such as those involving user behavior and analytics. There is no need to construct an SQL report, for example, as there are many free apps available which can be used to extend one's IBM QRadar functionalities. 

:
IBM technical support is always terrible. I have much experience with IBM, dating back 25 years in IT. I worked with IBM as a partner for almost 10 years. The organization is so big that it cannot tell one person from another. One can send an email and then get transferred from one support person to another, needing with the need to reiterate the issue anew with each one. In France they go on vacation and there is no one to whom one can address his issue. They also have problems with directing and redirecting phone calls. 

I found myself in charge of all hardware issues involving IBM. Whenever we had a case with IBM which was escalated, I managed to resolve the issue before them. I would find a solution while they would still be making queries about some version. Sometimes I feel they are buying time. At other times, they start by enquiring about what I did in an attempt to resolve the issue. There are times that they insist on the purchase of a subscription as a condition of benefiting from high level support and at these moments I'm inclined to tell them that they should be paying me for this. 

The initial setup is quite straitforward and not so difficult. 

The pricing is always fine. 

We use the solution with multiple customers on a daily basis. We have experience with its installation, configuration and use. 

I rate IBM QRadar as a six or seven out of ten.