IBM Security QRadar Reviews

Our primary use case of this solution is for our customer's operations. 

The ability to add extensions is the most valuable feature. For example, extensions that provide valuable test ports.

I don't think this is the best solution on the market because it takes much longer than ArcSight, for example, which provides more flexibility and capability to create much more complex use cases. Other tools provide more valuable things that you can do for the active channel. 

I would like for them to develop out of the box content that doesn't require too much customization. Most of the out of the box we get from it requires too much customization. I would also like to see dynamic filters and better cross-integration between functions.  

We've only been using it for eight months so we haven't scaled much during this time but it seems to be very scalable. We use it a minimum of eight hours a day.

We used ArcSight.

We did the integration ourselves. It was straightforward. 

It is cheaper than ArcSight. 

I would rate this solution a six out of ten. 

The primary use case for us is the plug and play implementation and it is pretty easy to set it up, and scale up the SIEM. It has a kind of a functionality to it. 

It is really helpful to us from the compliance point of view. Whenever we had an external lawyer come in, he used to ask us for the data retention and log retention. So, QRadar could put out reports that could audit for us within the log collections. It was very helpful for us to meet compliance requirements.

In addition, it is a helpful solution for forensic analysis. It will easily perform Google type searches and get the logs searched easily. This is really helpful for us, and gives us a quicker investigation.

The most valuable feature is that it is a one stop solution for many things. It is a manager for vulnerability, functionality, packet filtering, packet analysis and log analysis.

They have introduced a lot of different suite of products and functionalities and that sometimes leads to confusion among the customers. There are a lot of options to provided and then I need to decide, what is my requirement, and what is my desire. I may be tempted to have a particular feature, but I have to decide whether it is relevant or not.

The stability is very good. There is not a single point lacking in terms of stability. And, I have never faced technical issues.

The scalability is good, especially with the introduction of data nodes. As of now, it is not a problem.

The tech support is not that good. They often rely on their learned knowledge base, instead of getting their hands dirty upon the actual case issues. They just think of the traditional approach of "OK, try this, or that." Obviously, we already know which steps to follow, we need for them to come up with some out-of-the-box solutions. This delays the process of finding a solution to the problem. Unfortunately, this happens a lot.

I previously used Splunk. And, we considered Sumo Logic, which has a similar kind of functionality. But, they are still in a very premature stage in terms of the product development.

The initial setup was straightforward. It was not complex or difficult. It is not complicated.

The cost of this product is expensive.

If you are a medium to large size enterprise, you can surely consider IBM as one of the major contenders for your selection. If you are a small enterprise, QRadar may be too much for you, it may be too complex.

When deciding on a solution, we always consider:

• Cost-benefit
• Shelf-life of the solution
• Security of the solution

My primary use case is for security monitoring. We activated freeze, proxy and firewalls and we collect data from them. We receive alerts and customize that according to our customer environments.

It has improved my efficiency. It has also reduced the implementing time. So we have reduced the time we are getting it readily available and you can just do small customizations. We can also do automation, as well using QRadar.

QRadar has somewhat of a new structure recently from last gen. They have moved from the standard UI based infrastructure. There are multiple aspects coming in which are actually plugin and play kind of stuff, we don't have to write rules, we don't have to create dashboards and all. For example, on the dashboard we have user behavior analytics. And, it is very helpful for us to use customization and build from scratch.

There are other solutions out there that have made it app based. They have a lot of apps available and they are readily integrated with other tools, as well.

It is very stable. I've seen this product grow since it started. It initially started with another company and then it was bought by IBM.

This tool is very user friendly, and is scalable. But, we do use other products in tandem with it.  

There are three zones that make up the technical support team, one is Asia Pacific(where the people from India are IBM India they work in that particular region), there are Europe(people from the UK and the Netherlands) and America (the people from the US). When comparing these support teams, the Indian team is lacking.

There are an abundance of  customers in the market who are actually using QRadar for their security monitoring purposes. This is a real advantage of this solution.

We compared it to Splunk. The only difference between QRadar and Splunk is that Splunk works on the data analytics, This makes it easy to help create those data lakes and searches whereas QRadar does not focus on that. The SQL database on the back end, takes some time and it's not so flexible in data storage or data lake creation, so that is the only backfall of QRadar. 

Additionally, Splunk is app based, and QRadar is not app based.

There are new things that are coming up in QRadar, such as AI to IBM Watson. This is going to create a huge impact in these types of solutions, because we don't have an artificial intelligence coming in. There are other tools that have artificial intelligence, but IBM QRadar getting integrated with artificial intelligence is the next step.

It should be noted that the QRadar type products are actually changing their strategy. they will move on to the next stage that is called "Threat Hunting." Instead of waiting for some attack to happen and getting an alert, the new solutions will try to find out those suspicious activities in your network or environment and resolve it before it creates havoc.  

My primary use case for this solution is to monitor security events in our cloud environment.

They do have a way to pre-configure or have pre-configurations for companies that are starting and they don't know too much about SIEM or working with SIEMs. The solution uses SIEM to get the information to the managers so I will say that they have an ongoing boarding process that is very good if you are starting because it already has what you need to start up.

In addition, they have more HIPAA. It's a pre-order on QRadar, so when we go to the process of selecting our use cases, they go by building blocks. QRadar links it to building blocks so we don't have too much to cut on it.

It is not a user-friendly program. It is a very glorified Excel program. I would love to see a more user-friendly version in a future rollout. 

In addition, the management services team needs some improvement. They are, at times, confused with our requests.

Another problem with QRadar, is that they have a very big signal protection. This needs to be fixed. You can only see what you know.  Let me give you an example of how I feel. Here is an analogy for you. Let's say you are a cowboy and you're on wild on the plains. You go out there and get your cows back, right? So you have a noose, you have your hat, your boots, your spurs, you are a real cowboy, right? But you are working on a, this is my opinion right? But you are working on building cars. So how would you look being fully dressed in all your gear, selling cars? It's like you are ready and prepared, you have your tools, but you don't like those rulings. You feel like you are in the wrong place.

No, it has not improved the efficiency of our security team. They have an integrated mobile with Watson so what this means is when we have an event that has a high magnitude, Watson takes it and investigates, right? So every time I see an offense, I see Watson has gone and investigated this. What am I expecting from AI to do? I want to see location, what happened, what is it, sources, stuff like that. They just give you a routing chart of what I think was involved. I can do that with my bare hands, I don't need Watson to do that. So why am I paying for AI?

On a scale of one to four, I would rate it a four. We have had some issues. For example, the other day I wanted to add a new correlation. So I opened a ticket for that new correlation. I went to go change my correlation, but they took so long to get the correlations down. I had to go ahead and open the ticket before I got to change the management process.

I have used Splunk in the past. 

The initial setup was complex, and it took six months. 

It is a pricey product. It is very expensive. 

QRadar needs a lot of fine tuning. I had to schedule meetings with IBM for help. For example, one of the things that we were having difficulties with QRadar is that the detection rules are sent by IBM and we wanted those detection rules. In one case, I know there's new malware out there, BlackIce, but I am not able in QRadar, because it's a managed service, to go in and create a detection rule that say the malware is out.

It is under a non-disclosure agreement (NDA).

• It helps because you don't need an army to execute the project when you do the PoC, and when finally going to production. 

• The abundant out-of-the-box features which are operating wonderfully.
  

• It's easy to set up.
• There are a lot of great out-of-the-box features included.
• It's a state-of-the-art product for security information and event management (SIEM).

• Slow response sometimes and a not-so-helpful staff there. So make the support better, and you could succeed even more.
  
• The released patch quality is poor. IBM should test those patches on their side, not on the client's side. So, there are a lot of improvement to do. 
• I would appreciate if IBM could create another more intuitive, easier way (intuitive UI) to perform advanced searches rather that just counting on regular expressions.

The quality of technical support depends on the IBM support person. Sometimes, it's hard to get the right person on the other side. A ticket coordinator could be the key to better quality delivery.  

They are sometimes slow to respond and unhelpful.

I highly recommend this product.

• CRM and billing system
• 100 multiple technology servers: Windows AD, Linux, HP-UX, etc.
• 40 firewall multiple routers 
• Cisco Nexus switches

Log correlation is very useful for processing alerts. It serves to follow up alerts in real-time, building an entire workflow.

• DSM parsing
• Log correlation
• X-Force connectivity
• Ease of DSM customisation
• Multiple reports
  

• Data encryption
• Flow encryption
• Third-party compliance
• Its architecture is very complicated.
• Its hardware is Lenovo-based.
  

Almost every feature is useful. In particular:

• Sense and detect fraud, both insider and advanced threats.
• Sense, track, and link significant incidents and threats.

The tool is already automated in many ways, but there are some additional functions which should be automated, like sending an email, mobile notification, and integration of XFS.

Overall, I love this product.

Its primary use case is for people who want to manage all of their logs with analytics and correlate that between different security devices whose logs are related. 

This solution is performing well.

It saves a lot of time. We integrate the customer's firewall with all their networking devices. If there is an issue, it helps us do the proactive work before it becomes a bigger issue. We are able to pinpoint issues and solve them.

Additionally, it is very easy to figure out. In one dashboard, we can see all the issues. There is no need to login to every device. In one single pane of glass, we can see everything.

Watson, which is an artificial intelligence, is the most valuable feature. On the back-end, Watson helps me figure out an exact problem, sometimes giving me the result. I never would have imagined this before.

The architecture could be improved. I got stuck for a long time trying to understand the architecture, as it is quite challenging.

The stability is good.

It is a combination of multiple factors. The issues is from the customer side, not from QRadar. If you are able to get the right details from the customer, this solution is scalable.

I am not involved with technical support because I am in pre-sales.

Factors in switching were the console view, as well as Watson. IBM Watson makes a huge difference on the product side.

I do not have control over pricing, though I do help customers with their sizing.

I select the vendor based on the customer's requirements. On the customer side, pricing is very important. They also consider the support to be an important factor.

My present organization does mostly IBM business. We have a very good rapport with the IBM team. We have won a lot of cases against competitors. We get trained frequently, so if there is an update, then we are prepared. 

We are able to see the rapid growth of IBM through QRadar compared to the other SIEM tools.

I would rate it a seven out of 10. I have had some challenges integrating this solution.

Each organization is looking for security. If you have a SIEM tool, you can integrate it with all of your security devices, and get all your security logs. This console gives you the entire view, which makes life easier and allows you to take precautionary measures.

People who handle only four or five security devices spread across the globe should go with this SIEM tool.