IBM Security QRadar Reviews

Our primary use case if for security analytics. We do investigation and security analytics, so we collect events and after collecting events we give positive security analytics to clients.

Most of our clients are interested in automation. The automation part is good because they are able to detect threats and vulnerabilities in real time. It's very fast. 

The vulnerability management aspect is the most valuable feature. IBM QRadar is the only SIEM solution with integrated vulnerability management. That's why most clients are flocking to it. API integration is very easy.

The API integration for AD is a problem when it comes to vulnerability management. If you want to incorporate multiple factor authentication it becomes a problem with the AD. It doesn't integrate well. That needs to be improved.

The configuration steps are not easy to follow compared to NetWitness.

Scalability is good. I have plans to increase usage it just depends on the contracts. If I get more contracts I get more people. Most clients want to manage security and so they would want to outsource their expertise. If they outsource their expertise that means I have to recruit more people.

Their technical support is pretty good. 

The initial setup was easy. It usually takes around three months or so. In terms of the implementation strategy, once we get the correct events sorted, the strategy is to connect enough events sources so that they give you an efficient solution. 

We require five to ten people for setup and maintenance. 

I'm the consultant so we do the implementation ourselves. 

The licensing depends on the customer. The pricing is good.

I would rate it an eight out of ten. Not a ten because the configuration part of it should be easier. They tried to integrate everything together to be all in one, but it's not easy to configure.

We use it to detect security incidents.

• IBM Resilient Incident
• IBM Threat Intelligence
• IBM QRadar is easy to use.

The user guide is not readily available. I would suggest the support or technical team release a PDF guide, like Splunk, SolarWinds, or ArcSight. This will be good for consultants or whomever is using QRadar. This would be really helpful. I have searched on a lot on sites, but I have not found a single PDF containing everything. Our consultants are taking too much time understanding the product's technical aspects.

They could arrange a demo on their website so user who register may use WebEx or any type of meeting invitation, and the support team could give a demo. Having hands-on technology is important. We lost a few clients, because they asked us, "Do you have hands-on QRadar?" At that time, we said, "No, but we will cover it." Due to this, we didn't get the project. Clients wants consultants who are certified in QRadar. Even after completing the certification as a QRadar deployment professional, I would suggest QRadar release any documentation or give an online demo, like videos on YouTube. It would increase publicity and public appeal. 

The stability is good.

The scalability is good.

I haven't contact the technical support yet.

We have a security consultant for our deployments. 

We haven't deployed yet, but our client has deployed IBM QRadar. We have been monitoring it, creating rules, and fine tuning it. These are my responsibility with respect to QRadar. 

I did not get opportunity or experience to deploy the QRadar into the client's environment.

We are recommending IBM QRadar, SolarWinds, and ArcSight to our clients.

The features make my work easier.

The most valuable feature is the DSM Editor. The custom parsing tool is very nice, outstanding. I have used McAfee's SIEM and LogRhythm as well, but because of this feature of QRadar, I don't think their solutions are good.

Customizing it is very easy and it has a user-friendly interface. 

The product is good, but one feature they should have is an Elasticsearch. Currently, in QRadar, there are no Elasticsearch criteria. Elasticsearch is a very fast search engine. IBM should consider it as part of QRadar. Currently, QRadar has a very slow search. If I search previous months' data it stops.

The scalability is good. I'm quite satisfied with it.

Technical support is the area IBM should work on. Support is not that responsive. If I open a support ticket, it takes three to four days for them to respond. They take that much time.

I have used different solutions in the organization, but the main reason for switching is the customization. QRadar very much supports customization. Another reason is that, in the market, we can easily get QRadar resources, like an analyst or engineer, as compared to other products. This is a reason that organizations move towards QRadar.

The initial setup was very straightforward. I didn't have to do anything once I installed it and configured it. It was very simple. Other solutions I have worked on, such as McAfee and LogRhythm, are a bit complex. This one is very easy to install and configure.

The deployment takes one to two months, max. The implementation strategy is totally dependent on the number of EPS, the requirements, and the types of log sources. We collect this information and then create our strategy.

I have been an engineer in many firms. I have deployed it by myself. One expert can deploy it. If there are 100,000 EPS you'll need more resources. If you have 5,000 to 10,000 EPS, one person can do it.

IBM has subscriptions plans that run for one year.

Overall, it's much better than other products.

In terms of increasing its usage, I have suggested to my organization that it tell customers to use it, its capacity and capabilities, with other tools like Watson.

Our primary use case of this solution is to identify threats. 

We do R&D for IBM QRadar and we are also a cybersecurity solution based company. We provide solutions for our clients like banking, government agencies, and other non-government organizations. Our clients test in our labs and we try to understand how a product works and how a product will help our clients. I have more than three years experience with AlienVault and I use AlienVault a lot and I have already deployed it in a few banks. I am now trying to understand how IBM QRadar works and what the difference between IBM QRadar and AlienVault is. 

This solution has many valuable features but I especially like the Log Manager feature.

I think QRadar is very complex. It's a distributed system and IBM QRadar has an all-in-one solution which is not like that distributed solution but it's a good product. IBM needs to consider the user interface because if we compare it with AlienVault, the AlienVault user interface is fantastic but the IBM QRadar user interface is very complex. They should focus on how to make it easier for the client.

IBM has everything you need in a cybersecurity solution. If you want to build a cybersecurity operation center version then I think QRadar is a perfect solution.

IBM QRadar is stable and scalable. 

Scalability is good. If you use APS 25 GPS license you can change to 3000 EPS anytime. Also, you can integrate a distributed solution with the all-in-one deployment. If you have a very small organization, you don't need model 5000 EPS license so you can deploy all-in-one and then one day if your organization grows bigger, you can deploy a distributed system.

We have our own system and network experts, forensic experts, and database expert so until now, we haven't had any issues that required us to contact their support. 

The initial setup was complex. When it comes to the deployment, you can get it done in a day but if you want to fine-tune it can take a very long time. This isn't only for QRadar, but this applies to most solutions. 

It takes two or three people to deploy this product but if you want to do custom configuration then you need each and every part's expert. You need a network expert, forensic expert, and system expert. If you want an advanced system configuration you need many more people. If you only want to integrate this solution in your organization then two or three people is more than enough for the deployment.

We deploy it for our clients.

Licensing is very expensive, IBM QRadar is a very expensive solution. If you want to minimize costs then IBM QRadar is not for you.

I would rate it an eight out of ten. Not a ten because of the complex interface. 

I use it to analyze incidents. 

I like the API and it's easy to use. 

They should provide more manual examples online so that I can learn it myself. The dashboard also needs improvement. 

We require eight staff members for the maintenance. 

It's too expensive. 

I would rate it an eight out of ten. 

It is a requirement for all of the banks to have a security solution in Pakistan. That is the reason most of the banks are using it. In the last one and a half years, Pakistani companies are taking security very seriously, so for that reason, they evaluate these solutions. All in all, it's a good solution. 

I would like for them to develop a detection management solution. It does not have a detection management solution in it, you have to buy it as it is, on top of the extended solution. 

It's quite scalable. We have upgraded some solutions from 1000 APS up to 3500 APS to 5000 APS. It's a good solution, they have no scalability issues.

The initial setup was straightforward. The deployment time depends on each customer. We have customers who have different infrastructures and their deployments are quite different. If we rack and stack it, around two, three days, maximum a week, but configuration and optimization take up to somewhere between six months and one year.

I would rate it an eight out of ten. 

Our primary use case of this solution is for our customer's operations. 

The ability to add extensions is the most valuable feature. For example, extensions that provide valuable test ports.

I don't think this is the best solution on the market because it takes much longer than ArcSight, for example, which provides more flexibility and capability to create much more complex use cases. Other tools provide more valuable things that you can do for the active channel. 

I would like for them to develop out of the box content that doesn't require too much customization. Most of the out of the box we get from it requires too much customization. I would also like to see dynamic filters and better cross-integration between functions.  

We've only been using it for eight months so we haven't scaled much during this time but it seems to be very scalable. We use it a minimum of eight hours a day.

We used ArcSight.

We did the integration ourselves. It was straightforward. 

It is cheaper than ArcSight. 

I would rate this solution a six out of ten. 

The primary use case for us is the plug and play implementation and it is pretty easy to set it up, and scale up the SIEM. It has a kind of a functionality to it. 

It is really helpful to us from the compliance point of view. Whenever we had an external lawyer come in, he used to ask us for the data retention and log retention. So, QRadar could put out reports that could audit for us within the log collections. It was very helpful for us to meet compliance requirements.

In addition, it is a helpful solution for forensic analysis. It will easily perform Google type searches and get the logs searched easily. This is really helpful for us, and gives us a quicker investigation.

The most valuable feature is that it is a one stop solution for many things. It is a manager for vulnerability, functionality, packet filtering, packet analysis and log analysis.

They have introduced a lot of different suite of products and functionalities and that sometimes leads to confusion among the customers. There are a lot of options to provided and then I need to decide, what is my requirement, and what is my desire. I may be tempted to have a particular feature, but I have to decide whether it is relevant or not.

The stability is very good. There is not a single point lacking in terms of stability. And, I have never faced technical issues.

The scalability is good, especially with the introduction of data nodes. As of now, it is not a problem.

The tech support is not that good. They often rely on their learned knowledge base, instead of getting their hands dirty upon the actual case issues. They just think of the traditional approach of "OK, try this, or that." Obviously, we already know which steps to follow, we need for them to come up with some out-of-the-box solutions. This delays the process of finding a solution to the problem. Unfortunately, this happens a lot.

I previously used Splunk. And, we considered Sumo Logic, which has a similar kind of functionality. But, they are still in a very premature stage in terms of the product development.

The initial setup was straightforward. It was not complex or difficult. It is not complicated.

The cost of this product is expensive.

If you are a medium to large size enterprise, you can surely consider IBM as one of the major contenders for your selection. If you are a small enterprise, QRadar may be too much for you, it may be too complex.

When deciding on a solution, we always consider:

• Cost-benefit
• Shelf-life of the solution
• Security of the solution