it_user795519 - PeerSpot reviewer
Senior Security Engineer at dig8labs
Real User
Custom parsing tool makes customization easy, and UI is friendly
Pros and Cons
  • "The most valuable feature is the DSM Editor. The custom parsing tool is very nice, outstanding."
  • "The product is good, but one feature they should have is an Elasticsearch. Currently, in QRadar, there are no Elasticsearch criteria."

How has it helped my organization?

The features make my work easier.

What is most valuable?

The most valuable feature is the DSM Editor. The custom parsing tool is very nice, outstanding. I have used McAfee's SIEM and LogRhythm as well, but because of this feature of QRadar, I don't think their solutions are good.

Customizing it is very easy and it has a user-friendly interface. 

What needs improvement?

The product is good, but one feature they should have is an Elasticsearch. Currently, in QRadar, there are no Elasticsearch criteria. Elasticsearch is a very fast search engine. IBM should consider it as part of QRadar. Currently, QRadar has a very slow search. If I search previous months' data it stops.

For how long have I used the solution?

More than five years.
Buyer's Guide
IBM Security QRadar
October 2025
Learn what your peers think about IBM Security QRadar. Get advice and tips from experienced pros sharing their opinions. Updated: October 2025.
872,837 professionals have used our research since 2012.

What do I think about the scalability of the solution?

The scalability is good. I'm quite satisfied with it.

How are customer service and support?

Technical support is the area IBM should work on. Support is not that responsive. If I open a support ticket, it takes three to four days for them to respond. They take that much time.

Which solution did I use previously and why did I switch?

I have used different solutions in the organization, but the main reason for switching is the customization. QRadar very much supports customization. Another reason is that, in the market, we can easily get QRadar resources, like an analyst or engineer, as compared to other products. This is a reason that organizations move towards QRadar.

How was the initial setup?

The initial setup was very straightforward. I didn't have to do anything once I installed it and configured it. It was very simple. Other solutions I have worked on, such as McAfee and LogRhythm, are a bit complex. This one is very easy to install and configure.

The deployment takes one to two months, max. The implementation strategy is totally dependent on the number of EPS, the requirements, and the types of log sources. We collect this information and then create our strategy.

I have been an engineer in many firms. I have deployed it by myself. One expert can deploy it. If there are 100,000 EPS you'll need more resources. If you have 5,000 to 10,000 EPS, one person can do it.

What's my experience with pricing, setup cost, and licensing?

IBM has subscription plans that run for one year.

What other advice do I have?

Overall, it's much better than other products.

In terms of increasing its usage, I have suggested to my organization that it tell customers to use it, its capacity and capabilities, with other tools like Watson.

Disclosure: My company has a business relationship with this vendor other than being a customer. Partner.
PeerSpot user
Senior Server Security Engineer at a consultancy with 11-50 employees
Real User
Has great scalability, if you use APS 25 GPS license you can change to 3000 EPS anytime
Pros and Cons
  • "IBM has everything you need in a cybersecurity solution. If you want to build a cybersecurity operation center version then I think QRadar is a perfect solution."
  • "I think QRadar is very complex. It's a distributed system and IBM QRadar has an all-in-one solution which is not like that distributed solution but it's a good product. IBM needs to consider the user interface because if we compare it with AlienVault, the AlienVault user interface is fantastic but the IBM QRadar user interface is very complex. They should focus on how to make it easier for the client."

What is our primary use case?

Our primary use case of this solution is to identify threats. 

How has it helped my organization?

We do R&D for IBM QRadar and we are also a cybersecurity solution based company. We provide solutions for our clients like banking, government agencies, and other non-government organizations. Our clients test in our labs and we try to understand how a product works and how a product will help our clients. I have more than three years' experience with AlienVault and I use AlienVault a lot and I have already deployed it in a few banks. I am now trying to understand how IBM QRadar works and what the difference between IBM QRadar and AlienVault is.

What is most valuable?

This solution has many valuable features but I especially like the Log Manager feature.

What needs improvement?

I think QRadar is very complex. It's a distributed system and IBM QRadar has an all-in-one solution which is not like that distributed solution but it's a good product. IBM needs to consider the user interface because if we compare it with AlienVault, the AlienVault user interface is fantastic but the IBM QRadar user interface is very complex. They should focus on how to make it easier for the client.

IBM has everything you need in a cybersecurity solution. If you want to build a cybersecurity operation center version then I think QRadar is a perfect solution.

For how long have I used the solution?

Less than one year.

What do I think about the stability of the solution?

IBM QRadar is stable and scalable. 

What do I think about the scalability of the solution?

Scalability is good. If you use APS 25 GPS license you can change to 3000 EPS anytime. Also, you can integrate a distributed solution with the all-in-one deployment. If you have a very small organization, you don't need model 5000 EPS license so you can deploy all-in-one and then one day if your organization grows bigger, you can deploy a distributed system.

How are customer service and technical support?

We have our own system and network experts, forensic experts, and database experts, so until now, we haven't had any issues that required us to contact their support.

How was the initial setup?

The initial setup was complex. When it comes to the deployment, you can get it done in a day, but if you want to fine-tune it, it can take a very long time. This isn't only for QRadar, but this applies to most solutions.

It takes two or three people to deploy this product but if you want to do custom configuration then you need each and every part's expert. You need a network expert, forensic expert, and system expert. If you want an advanced system configuration you need many more people. If you only want to integrate this solution in your organization then two or three people is more than enough for the deployment.

What about the implementation team?

We deploy it for our clients.

What's my experience with pricing, setup cost, and licensing?

Licensing is very expensive, IBM QRadar is a very expensive solution. If you want to minimize costs then IBM QRadar is not for you.

What other advice do I have?

I would rate it an eight out of ten. Not a ten because of the complex interface. 

Disclosure: My company has a business relationship with this vendor other than being a customer. Reseller.
PeerSpot user
Security Consultant at a tech services company with 11-50 employees
Consultant
Easy to use and helps me analyze incidents that occur
Pros and Cons
    • "They should provide more manual examples online so that I can learn it myself."

    What is our primary use case?

    I use it to analyze incidents. 

    What is most valuable?

    I like the API and it's easy to use. 

    What needs improvement?

    They should provide more manual examples online so that I can learn it myself. The dashboard also needs improvement. 

    For how long have I used the solution?

    More than five years.

    How was the initial setup?

    We require eight staff members for the maintenance. 

    What's my experience with pricing, setup cost, and licensing?

    It's too expensive. 

    What other advice do I have?

    I would rate it an eight out of ten. 

    Disclosure: My company does not have a business relationship with this vendor other than being a customer.
    PeerSpot user
    it_user745422 - PeerSpot reviewer
    Senior Field Manager at a security firm with 11-50 employees
    Reseller
    Good scalability and straightforward setup, all in all, a good solution
    Pros and Cons
    • "It's quite scalable. We have upgraded some solutions from 1000 APS up to 3500 APS to 5000 APS. It's a good solution, they have no scalability issues."
    • "I would like for them to develop a detection management solution. It does not have a detection management solution in it, you have to buy it as it is, on top of the extended solution."

    What is our primary use case?

    It is a requirement for all of the banks to have a security solution in Pakistan. That is the reason most of the banks are using it. In the last one and a half years, Pakistani companies are taking security very seriously, so for that reason, they evaluate these solutions. All in all, it's a good solution. 

    What needs improvement?

    I would like for them to develop a detection management solution. It does not have a detection management solution in it, you have to buy it as it is, on top of the extended solution. 

    What do I think about the scalability of the solution?

    It's quite scalable. We have upgraded some solutions from 1000 APS up to 3500 APS to 5000 APS. It's a good solution, they have no scalability issues.

    How was the initial setup?

    The initial setup was straightforward. The deployment time depends on each customer. We have customers who have different infrastructures and their deployments are quite different. If we rack and stack it, around two, three days, maximum a week, but configuration and optimization take up to somewhere between six months and one year.

    What other advice do I have?

    I would rate it an eight out of ten. 

    Disclosure: My company has a business relationship with this vendor other than being a customer. Reseller.
    PeerSpot user
    it_user841053 - PeerSpot reviewer
    Cyber Security Team Leader at a tech services company with 501-1,000 employees
    Real User
    Enables us to add extensions that provide valuable test ports but is not the best solution on the market
    Pros and Cons
    • "The ability to add extensions is the most valuable feature. For example, extensions that provide valuable test ports."
    • "Their technical support is not good. We opened a lot of cases and from my experience, they are not complicated issues but it takes forever to get an answer."

    What is our primary use case?

    Our primary use case of this solution is for our customer's operations. 

    What is most valuable?

    The ability to add extensions is the most valuable feature. For example, extensions that provide valuable test ports.

    What needs improvement?

    I don't think this is the best solution on the market because it takes much longer than ArcSight, for example, which provides more flexibility and capability to create much more complex use cases. Other tools provide more valuable things that you can do for the active channel. 

    I would like for them to develop out of the box content that doesn't require too much customization. Most of the out of the box we get from it requires too much customization. I would also like to see dynamic filters and better cross-integration between functions.  

    For how long have I used the solution?

    Less than one year.

    What do I think about the scalability of the solution?

    We've only been using it for eight months so we haven't scaled much during this time but it seems to be very scalable. We use it a minimum of eight hours a day.

    Which solution did I use previously and why did I switch?

    We used ArcSight.

    What about the implementation team?

    We did the integration ourselves. It was straightforward. 

    What's my experience with pricing, setup cost, and licensing?

    It is cheaper than ArcSight. 

    What other advice do I have?

    I would rate this solution a six out of ten. 

    Disclosure: My company does not have a business relationship with this vendor other than being a customer.
    PeerSpot user
    reviewer774660 - PeerSpot reviewer
    Manager-Cloud Security Operations at a retailer with 10,001+ employees
    Real User
    It is really helpful to us from the compliance point of view.
    Pros and Cons
    • "It is really helpful to us from the compliance point of view."
    • "The initial setup is not complex or difficult."
    • "The tech support is not that good."

    What is our primary use case?

    The primary use case for us is the plug and play implementation and it is pretty easy to set it up, and scale up the SIEM. It has a kind of a functionality to it. 

    How has it helped my organization?

    It is really helpful to us from the compliance point of view. Whenever we had an external lawyer come in, he used to ask us for the data retention and log retention. So, QRadar could put out reports that could audit for us within the log collections. It was very helpful for us to meet compliance requirements.

    In addition, it is a helpful solution for forensic analysis. It will easily perform Google type searches and get the logs searched easily. This is really helpful for us, and gives us a quicker investigation.

    What is most valuable?

    The most valuable feature is that it is a one stop solution for many things. It is a manager for vulnerability, functionality, packet filtering, packet analysis and log analysis.

    What needs improvement?

    They have introduced a lot of different suites of products and functionalities, and that sometimes leads to confusion among the customers. There are a lot of options provided and then I need to decide what is my requirement and what is my desire. I may be tempted to have a particular feature, but I have to decide whether it is relevant or not.

    For how long have I used the solution?

    More than five years.

    What do I think about the stability of the solution?

    The stability is very good. There is not a single point lacking in terms of stability. And, I have never faced technical issues.

    What do I think about the scalability of the solution?

    The scalability is good, especially with the introduction of data nodes. As of now, it is not a problem.

    How are customer service and technical support?

    The tech support is not that good. They often rely on their learned knowledge base, instead of getting their hands dirty upon the actual case issues. They just think of the traditional approach of "OK, try this, or that." Obviously, we already know which steps to follow, we need for them to come up with some out-of-the-box solutions. This delays the process of finding a solution to the problem. Unfortunately, this happens a lot.

    Which solution did I use previously and why did I switch?

    I previously used Splunk. And, we considered Sumo Logic, which has a similar kind of functionality. But, they are still in a very premature stage in terms of the product development.

    How was the initial setup?

    The initial setup was straightforward. It was not complex or difficult. It is not complicated.

    What's my experience with pricing, setup cost, and licensing?

    The cost of this product is expensive.

    What other advice do I have?

    If you are a medium to large size enterprise, you can surely consider IBM as one of the major contenders for your selection. If you are a small enterprise, QRadar may be too much for you, it may be too complex.

    When deciding on a solution, we always consider:

    • Cost-benefit
    • Shelf-life of the solution
    • Security of the solution
    Disclosure: My company does not have a business relationship with this vendor other than being a customer.
    PeerSpot user
    it_user927267 - PeerSpot reviewer
    Senior Security Architect at a tech services company with 10,001+ employees
    Real User
    Has somewhat of a new structure recently compared to the last gen. They have moved from the standard UI based infrastructure.
    Pros and Cons
    • "QRadar has somewhat of a new structure recently from last gen. They have moved from the standard UI based infrastructure."
    • "It has improved my efficiency."
    • "The Indian tech support is not helpful."
    • "It is not app based."

    What is our primary use case?

    My primary use case is for security monitoring. We activated freeze, proxy and firewalls and we collect data from them. We receive alerts and customize that according to our customer environments.

    How has it helped my organization?

    It has improved my efficiency. It has also reduced the implementing time. So we have reduced the time we are getting it readily available and you can just do small customizations. We can also do automation, as well using QRadar.

    What is most valuable?

    QRadar has somewhat of a new structure recently from last gen. They have moved from the standard UI based infrastructure. There are multiple aspects coming in which are actually plug and play kind of stuff; we don't have to write rules, we don't have to create dashboards and all. For example, on the dashboard we have user behavior analytics. And, it is very helpful for us to use customization and build from scratch.

    What needs improvement?

    There are other solutions out there that have made it app based. They have a lot of apps available and they are readily integrated with other tools, as well.

    For how long have I used the solution?

    More than five years.

    What do I think about the stability of the solution?

    It is very stable. I've seen this product grow since it started. It initially started with another company and then it was bought by IBM.

    What do I think about the scalability of the solution?

    This tool is very user friendly, and is scalable. But, we do use other products in tandem with it.  

    How is customer service and technical support?

    There are three zones that make up the technical support team: one is Asia Pacific (where the people from India are, IBM India, they work in that particular region), then there are Europe (people from the UK and the Netherlands) and America (the people from the US). When comparing these support teams, the Indian team is lacking.

    What was our ROI?

    There is an abundance of customers in the market who are actually using QRadar for their security monitoring purposes. This is a real advantage of this solution.

    Which other solutions did I evaluate?

    We compared it to Splunk. The only difference between QRadar and Splunk is that Splunk works on the data analytics. This makes it easy to help create those data lakes and searches, whereas QRadar does not focus on that. The SQL database on the back end takes some time and it's not so flexible in data storage or data lake creation, so that is the only backfall of QRadar.

    Additionally, Splunk is app based, and QRadar is not app based.

    What other advice do I have?

    There are new things that are coming up in QRadar, such as AI to IBM Watson. This is going to create a huge impact in these types of solutions, because we don't have an artificial intelligence coming in. There are other tools that have artificial intelligence, but IBM QRadar getting integrated with artificial intelligence is the next step.

    It should be noted that the QRadar type products are actually changing their strategy. They will move on to the next stage that is called "Threat Hunting." Instead of waiting for some attack to happen and getting an alert, the new solutions will try to find out those suspicious activities in your network or environment and resolve it before it creates havoc.

    Disclosure: My company has a business relationship with this vendor other than being a customer. I am a reseller.
    PeerSpot user
    PeerSpot user
    Information Security Advisor, CISO & CIO, Docutek Services at Docutek Services
    Consultant
    Top 20 Leaderboard
    It is not a user-friendly program.
    Pros and Cons
    • "A nice benefit is when we go to the process of selecting our use cases, they go by building blocks. QRadar links it to building blocks."
    • "The initial setup was complex, and it took six months."
    • "QRadar needs a lot of fine tuning"

    What is our primary use case?

    My primary use case for this solution is to monitor security events in our cloud environment.

    What is most valuable?

    They do have a way to pre-configure or have pre-configurations for companies that are starting and they don't know too much about SIEM or working with SIEMs. The solution uses SIEM to get the information to the managers so I will say that they have an ongoing boarding process that is very good if you are starting because it already has what you need to start up.

    In addition, they have more HIPAA. It's a pre-order on QRadar, so when we go to the process of selecting our use cases, they go by building blocks. QRadar links it to building blocks so we don't have too much to cut on it.

    What needs improvement?

    It is not a user-friendly program. It is a very glorified Excel program. I would love to see a more user-friendly version in a future rollout. 

    In addition, the management services team needs some improvement. They are, at times, confused with our requests.

    Network Breach

    Another problem with QRadar is that they have a very big signal protection. This needs to be fixed. You can only see what you know. Let me give you an example of how I feel. Here is an analogy for you. Let's say you are a cowboy and you're on wild on the plains. You go out there and get your cows back, right? So you have a noose, you have your hat, your boots, your spurs, you are a real cowboy, right? But you are working on a, this is my opinion, right? But you are working on building cars. So how would you look being fully dressed in all your gear, selling cars? It's like you are ready and prepared, you have your tools, but you don't like those rulings. You feel like you are in the wrong place.

    Efficiency of Security Team

    No, it has not improved the efficiency of our security team. They have an integrated mobile with Watson so what this means is when we have an event that has a high magnitude, Watson takes it and investigates, right? So every time I see an offense, I see Watson has gone and investigated this. What am I expecting from AI to do? I want to see location, what happened, what is it, sources, stuff like that. They just give you a routing chart of what I think was involved. I can do that with my bare hands, I don't need Watson to do that. So why am I paying for AI?

    For how long have I used the solution?

    One to three years.

    How are customer service and technical support?

    On a scale of one to four, I would rate it a four. We have had some issues. For example, the other day I wanted to add a new correlation. So I opened a ticket for that new correlation. I went to go change my correlation, but they took so long to get the correlations down. I had to go ahead and open the ticket before I got to change the management process.

    Which solution did I use previously and why did I switch?

    I have used Splunk in the past. 

    How was the initial setup?

    The initial setup was complex, and it took six months. 

    What's my experience with pricing, setup cost, and licensing?

    It is a pricey product. It is very expensive. 

    Which other solutions did I evaluate?

    QRadar needs a lot of fine tuning. I had to schedule meetings with IBM for help. For example, one of the things that we were having difficulties with in QRadar is that the detection rules are sent by IBM and we wanted those detection rules. In one case, I know there's new malware out there, BlackIce, but I am not able in QRadar, because it's a managed service, to go in and create a detection rule that says the malware is out.

    Disclosure: My company does not have a business relationship with this vendor other than being a customer.
    PeerSpot user