IBM Security QRadar Reviews

It is under a non-disclosure agreement (NDA).

• It helps because you don't need an army to execute the project when you do the PoC, and when finally going to production. 

• The abundant out-of-the-box features which are operating wonderfully.
  

• It's easy to set up.
• There are a lot of great out-of-the-box features included.
• It's a state-of-the-art product for security information and event management (SIEM).

• Slow response sometimes and a not-so-helpful staff there. So make the support better, and you could succeed even more.
  
• The released patch quality is poor. IBM should test those patches on their side, not on the client's side. So, there are a lot of improvement to do. 
• I would appreciate if IBM could create another more intuitive, easier way (intuitive UI) to perform advanced searches rather that just counting on regular expressions.

The quality of technical support depends on the IBM support person. Sometimes, it's hard to get the right person on the other side. A ticket coordinator could be the key to better quality delivery.  

They are sometimes slow to respond and unhelpful.

I highly recommend this product.

• CRM and billing system
• 100 multiple technology servers: Windows AD, Linux, HP-UX, etc.
• 40 firewall multiple routers 
• Cisco Nexus switches

Log correlation is very useful for processing alerts. It serves to follow up alerts in real-time, building an entire workflow.

• DSM parsing
• Log correlation
• X-Force connectivity
• Ease of DSM customisation
• Multiple reports
  

• Data encryption
• Flow encryption
• Third-party compliance
• Its architecture is very complicated.
• Its hardware is Lenovo-based.
  

Almost every feature is useful. In particular:

• Sense and detect fraud, both insider and advanced threats.
• Sense, track, and link significant incidents and threats.

The tool is already automated in many ways, but there are some additional functions which should be automated, like sending an email, mobile notification, and integration of XFS.

Overall, I love this product.

Its primary use case is for people who want to manage all of their logs with analytics and correlate that between different security devices whose logs are related. 

This solution is performing well.

It saves a lot of time. We integrate the customer's firewall with all their networking devices. If there is an issue, it helps us do the proactive work before it becomes a bigger issue. We are able to pinpoint issues and solve them.

Additionally, it is very easy to figure out. In one dashboard, we can see all the issues. There is no need to login to every device. In one single pane of glass, we can see everything.

Watson, which is an artificial intelligence, is the most valuable feature. On the back-end, Watson helps me figure out an exact problem, sometimes giving me the result. I never would have imagined this before.

The architecture could be improved. I got stuck for a long time trying to understand the architecture, as it is quite challenging.

The stability is good.

It is a combination of multiple factors. The issues is from the customer side, not from QRadar. If you are able to get the right details from the customer, this solution is scalable.

I am not involved with technical support because I am in pre-sales.

Factors in switching were the console view, as well as Watson. IBM Watson makes a huge difference on the product side.

I do not have control over pricing, though I do help customers with their sizing.

I select the vendor based on the customer's requirements. On the customer side, pricing is very important. They also consider the support to be an important factor.

My present organization does mostly IBM business. We have a very good rapport with the IBM team. We have won a lot of cases against competitors. We get trained frequently, so if there is an update, then we are prepared. 

We are able to see the rapid growth of IBM through QRadar compared to the other SIEM tools.

I would rate it a seven out of 10. I have had some challenges integrating this solution.

Each organization is looking for security. If you have a SIEM tool, you can integrate it with all of your security devices, and get all your security logs. This console gives you the entire view, which makes life easier and allows you to take precautionary measures.

People who handle only four or five security devices spread across the globe should go with this SIEM tool.

QRadar improved risk assessment and vulnerability, plus it has reduced some staff. It has also improved the training abilities of the people who use it, e.g., IR teams. It is the core of our entire SOX. Therefore, we use it for everything through training all the way up through management. 

Due to the skills shortage, we are able to use it from the standpoint of bringing in a lower level employee or a person who may not have security knowledge. We can put them in front of the product and they will still have the information that they need and have them at a level where they can run the system. Also, products, like Watson, make it work better.

The overall workload automation should be built into it. Part of the efficiency side of it is the ability to take the information as it comes in and assign it into a group. Now, the team leader no longer needs to assign it manually. He manages the workflow as it comes in directly to the individuals. Then, the individuals respond on it. As it closes, it goes back to the workflow, recording the amount of time it took for them to close it. It should show: 

• How long did it take to get assigned?
• How long did it take for the person to open it?

Then, you can show that a person may have issues opening network problems.

We have not suffered a network breach.

The solution has improved the efficiency of our security team.

We are at 115,000 events per second.

We run 65 servers with just two people: an engineering person and me.

We have 65 servers globally, and I just got my own.

The technical support is poor. Mostly because when I open a PMR for IBM, I am stuck with Level 1 staff. As an engineer, nothing that I am bringing them does not require Level 2 or Level 3 support. Most of the stuff that I open ends up code changes or bug fixes.

Our company is far more mature than most. Our issue is that the support is slow.

It was a whole different product when we installed it.

The most important criteria when selecting a vendor: stability. The security space is tough. Unlike a lot of other spaces, IBM will not be bought anytime soon as a 100 year-old company.

QRadar improved risk assessment and vulnerability, plus reduced staff.

The threat protection integration with other vendors.

The user interface needs improvement.

We have not suffered a network breach.

Our deployment collects nearly a 100 events a day. We often wield a backlog.

Stability is great.

The scalability is awesome, because QRadar includes other solutions in the same console.

I have not used technical support.

I was not involved in the initial setup.

We evaluated Check Point, but went with IBM because of price.

Most important criteria when selecting a vendor: Our customers need a cross of different units which make up a better solution for them.

It has helped us with our response time to threats. It also showed us where weaknesses were in our environment, so we could actively target those patches first.

It works well with IBM products.

QRadar's issue is it needs to add behavioral analytics. The product's behavioral engine is weak. It just uses algorithms. It should an equation that is cursively applied. This will provide true behavior.

I have only once experienced a network breach with QRadar. QRadar detected the breach within an hour and the triage investigation took another four hours. Overall, it took about six hours to remediate everything. 

With QRadar, everything runs better.

It is a very stable product. I cannot say anything bad about it.

It is very scalable. It does a good job.

Their Level 1 support is weak, but the support that we worked with to set up our feature sets is good. Their Level 2 and 3 support are good to work with overall, like most companies.

We contacted their technical support about adding more feature sets. We worked with their engineers to set up the feature sets that we wanted to expand upon and deliver the product, which they did.

We originally used ArcSight, which got cumbersome and expensive. Also, HPE ruins everything that it touches. Therefore, we moved to QRadar.

It is a pain to set up; basically it is not that easy.

We evaluated LogRhythm and Splunk. 

• LogRhythm had limitations.
• Splunk was never designed to be a SIEM.

Do your research before implementing it, because it is tough to implement.

Most important criteria when selecting a vendor: support. I say this to every vendor.

It is not always about pricing, which is nice when we start, but when the crap hits the fan. I want the vendor to be there with me. 

In recent years, our focus has been the third-party integrations. Like most companies, we have several security products. (I hope most other companies are not relying on a single product). The challenge with a SIEM is taking the data produced by a log source and presenting it in a readable manner for technical and non-technical staff. That can be done with custom-built reports or in dashboards. With the IBM Security App Exchange you add a new extension (i.e. download from the App Exchange site) and configure it.

Since IBM opened up the API for third-party app integration it has made it increasingly easy to add other tools into the dashboards.

Currently, the App Exchange offers over 192 applications that allow QRadar to integrate with some of the top security programs on the market, along with extension add-ons provided by QRadar. Some third-party apps include (but not limited to) Splunk, McAfee, Cisco, Carbon Black, Palo Alto, ObservIT, Exabeam, Gigamon, PhishMe. Extension add-ons by QRadar include report extensions, MS AD extensions, user behavior analytics, etc.

We have a very small team and anytime I can integrate with our other tools, and save time doing so, that is a plus for my company.

Keep up with more apps. They need to continue working with other companies to develop apps for integrations. Yes, they currently have 192 apps, but that number is nowhere near the number of security products on the market. That means if your company has a product that is not in the application list then you just have to work a little harder to pull the data you need from the log source.

I'm not against hard work, I'm just trying to work smarter and faster. Time is money, so saving time without compromising the end product is a win for everyone. It would reflect well for IBM because it would show they understand the customers’ needs and it would reflect well internally because we would be able to present cleaner dashboards and reports without hours or days devoted to building them.

We experienced some memory usage issues with a user behavior app.

We haven't really had any scalability issues. You are always limited to your EPS/FPM licensing, so you have to make sure you don’t exceed those limits.

Tech support is excellent.

The initial setup is straightforward.

We do a SIEM solutions review every few years. Other options we have evaluated: LogRhythm, Splunk, AlienVault.

Research, and don’t be afraid to do a few PoCs. Also, make sure you have a team for the tool. Most solutions require a team, so if you cannot apply a team towards the tool then hopefully you can use one of the managed SIEM options.