IBM Security QRadar Reviews

QRadar improved risk assessment and vulnerability, plus it has reduced some staff. It has also improved the training abilities of the people who use it, e.g., IR teams. It is the core of our entire SOX. Therefore, we use it for everything through training all the way up through management. 

Due to the skills shortage, we are able to use it from the standpoint of bringing in a lower level employee or a person who may not have security knowledge. We can put them in front of the product and they will still have the information that they need and have them at a level where they can run the system. Also, products, like Watson, make it work better.

The overall workload automation should be built into it. Part of the efficiency side of it is the ability to take the information as it comes in and assign it into a group. Now, the team leader no longer needs to assign it manually. He manages the workflow as it comes in directly to the individuals. Then, the individuals respond on it. As it closes, it goes back to the workflow, recording the amount of time it took for them to close it. It should show: 

• How long did it take to get assigned?
• How long did it take for the person to open it?

Then, you can show that a person may have issues opening network problems.

We have not suffered a network breach.

The solution has improved the efficiency of our security team.

We are at 115,000 events per second.

We run 65 servers with just two people: an engineering person and me.

We have 65 servers globally, and I just got my own.

The technical support is poor. Mostly because when I open a PMR for IBM, I am stuck with Level 1 staff. As an engineer, nothing that I am bringing them does not require Level 2 or Level 3 support. Most of the stuff that I open ends up code changes or bug fixes.

Our company is far more mature than most. Our issue is that the support is slow.

It was a whole different product when we installed it.

The most important criteria when selecting a vendor: stability. The security space is tough. Unlike a lot of other spaces, IBM will not be bought anytime soon as a 100 year-old company.

QRadar improved risk assessment and vulnerability, plus reduced staff.

The threat protection integration with other vendors.

The user interface needs improvement.

We have not suffered a network breach.

Our deployment collects nearly a 100 events a day. We often wield a backlog.

Stability is great.

The scalability is awesome, because QRadar includes other solutions in the same console.

I have not used technical support.

I was not involved in the initial setup.

We evaluated Check Point, but went with IBM because of price.

Most important criteria when selecting a vendor: Our customers need a cross of different units which make up a better solution for them.

It has helped us with our response time to threats. It also showed us where weaknesses were in our environment, so we could actively target those patches first.

It works well with IBM products.

QRadar's issue is it needs to add behavioral analytics. The product's behavioral engine is weak. It just uses algorithms. It should an equation that is cursively applied. This will provide true behavior.

I have only once experienced a network breach with QRadar. QRadar detected the breach within an hour and the triage investigation took another four hours. Overall, it took about six hours to remediate everything. 

With QRadar, everything runs better.

It is a very stable product. I cannot say anything bad about it.

It is very scalable. It does a good job.

Their Level 1 support is weak, but the support that we worked with to set up our feature sets is good. Their Level 2 and 3 support are good to work with overall, like most companies.

We contacted their technical support about adding more feature sets. We worked with their engineers to set up the feature sets that we wanted to expand upon and deliver the product, which they did.

We originally used ArcSight, which got cumbersome and expensive. Also, HPE ruins everything that it touches. Therefore, we moved to QRadar.

It is a pain to set up; basically it is not that easy.

We evaluated LogRhythm and Splunk. 

• LogRhythm had limitations.
• Splunk was never designed to be a SIEM.

Do your research before implementing it, because it is tough to implement.

Most important criteria when selecting a vendor: support. I say this to every vendor.

It is not always about pricing, which is nice when we start, but when the crap hits the fan. I want the vendor to be there with me. 

In recent years, our focus has been the third-party integrations. Like most companies, we have several security products. (I hope most other companies are not relying on a single product). The challenge with a SIEM is taking the data produced by a log source and presenting it in a readable manner for technical and non-technical staff. That can be done with custom-built reports or in dashboards. With the IBM Security App Exchange you add a new extension (i.e. download from the App Exchange site) and configure it.

Since IBM opened up the API for third-party app integration it has made it increasingly easy to add other tools into the dashboards.

Currently, the App Exchange offers over 192 applications that allow QRadar to integrate with some of the top security programs on the market, along with extension add-ons provided by QRadar. Some third-party apps include (but not limited to) Splunk, McAfee, Cisco, Carbon Black, Palo Alto, ObservIT, Exabeam, Gigamon, PhishMe. Extension add-ons by QRadar include report extensions, MS AD extensions, user behavior analytics, etc.

We have a very small team and anytime I can integrate with our other tools, and save time doing so, that is a plus for my company.

Keep up with more apps. They need to continue working with other companies to develop apps for integrations. Yes, they currently have 192 apps, but that number is nowhere near the number of security products on the market. That means if your company has a product that is not in the application list then you just have to work a little harder to pull the data you need from the log source.

I'm not against hard work, I'm just trying to work smarter and faster. Time is money, so saving time without compromising the end product is a win for everyone. It would reflect well for IBM because it would show they understand the customers’ needs and it would reflect well internally because we would be able to present cleaner dashboards and reports without hours or days devoted to building them.

We experienced some memory usage issues with a user behavior app.

We haven't really had any scalability issues. You are always limited to your EPS/FPM licensing, so you have to make sure you don’t exceed those limits.

Tech support is excellent.

The initial setup is straightforward.

We do a SIEM solutions review every few years. Other options we have evaluated: LogRhythm, Splunk, AlienVault.

Research, and don’t be afraid to do a few PoCs. Also, make sure you have a team for the tool. Most solutions require a team, so if you cannot apply a team towards the tool then hopefully you can use one of the managed SIEM options.

• Origination process in banks.
• Insurance claims on insurance companies.
  

We are a consulting company, but our clients use it to ensure that the process has been followed. We have the abilities to monitor each instance which originates on the process along with the performance of each department. In addition, clients can enter detail in at the instance level.

• UI capabilities
• High degree of interconnection with other systems.
• The business activity monitoring on the part of the solution.

For the common needs of clients to fulfill requirements, a real integration with Blueworks Live (BPA modeling tool also from IBM) and a more suitable BPM on cloud solution for midsize customers.

No stability issues.

No scalability issues.

The technical support is good enough.

We previously used Oracle BPM. We switched for a BPM project with IBM, because it has a better tool at the same price level range.

Always the sizing on any BPM project is challenging, as with any BPM tool.

IBM is a Ferrari if you are beginning with a concept. If it will be a pilot project, take a look at Red Hat Process Automation Manager or jBPM. Be realistic about the users' quantity. A good approach would be to begin with an On Cloud subscription, then later on do a more exact sizing.

We evaluated Red Hat and Bonita. We now prefer Red Hat for the price.

Ensure you have the functional skills on BPM and the technical skills on IBM BPM.

We used to be IBM partners, but are not anymore. Now, we are Red Hat partners.

It has provided support for several log sources, which has historically been problematic/unsupported by competitors. It is easy to make changes on the fly to default parsers to customize fields/mappings to our use cases.

• Ease of use
• Time to value in implementation
• Single pane of glass for analysts and SIEM administrators

• User/identity modeling needs improvement. However, it seems that they are already focusing on that. 
• Needs better visualization options beyond the time series charts and a few other options that they have.

We have definitely not encountered any issues with stability.

We have definitely not encountered any issues with scalability.

Better than average versus their competitors.

We previously used McAfee and ArcSight. We made the switch to IBM QRadar for scalability, ease of administration and use.

It is incredibly easy to deploy. All the appliances are flexible in the roles that they serve and are all managed the in the same way. Adding log sources is very straightforward, along with device updates, etc., which are all centrally managed.

Pricing and licensing are competitive. Their new licensing options allow logs to bypass the correlation engine for a flat rate, which is also appealing for log data that is compliance-driven for a small amount of money.

We evaluated  ArcSight, LogRhythm, Splunk, etc.

Understand how your analysts need to use SIEM to execute use cases. This platform can collect and normalize data better than just about anything (if you want it to), but it will not be useful if it is not presented in a useful way.

Normally, an offense comes in and an offense is something negative, to put it plainly, that impacted your environment. Once it comes through, you can then see from the QRadar log sources, who or what triggered the offense. For example, if an IP is browsing somewhere where it shouldn't be browsing. Let's say that one of your log sources reported it back to QRadar. You can see if the IP that browsed on certain websites where it shouldn't be browsing. When you right-click and go to the threat protection network, that will normally show you who is browsing, where that IP is coming from, what type of website it is browsing, and if it is good or bad. If it's bad, it will give you recommendations on how to resolve the issue.

The threat protection network is the most valuable feature because when you get an offense, you can actually trace it back to where it originated from, how it originated, and why.

I would like to see a more user-friendly product. I would like them to make it much more user-friendly. At this stage, you need to use a lot of widgets to do your searches.

To advance searches, you must do a lot of Regex expressions.

In the first year I used it, there were a few stability problems. In the previous three years, there haven’t been any stability issues.

I've seen no scalability issues in any of the environments where I am working at the moment. I've seen how it handles lot of load. I'm talking about a 5,000-user environment. It can handle a lot of logs and events coming through simultaneously.

If you spec it properly, with the proper hardware requirements, then it doesn’t crash. I've seen how people give it way less specs then it should have, and then it does crash. But that was the fault on the users’ side, and not the fault of the product.

I would give technical support a rating of 8/10. When they help you with a call for a problem with the product, which I've had twice, the next day, they roll out an update worldwide for all their products to be patched on that problem.

They lose too much time, in my opinion. Normally, you struggle a bit to get a hold of them and get to the correct person to assist you. Even though this isn't a very big delay, it usually takes about an hour. However, in my company, an hour can make a very big difference in my life. For example, it will take me about an hour to an hour and a half to get support from them. I'm a person who loves to get it done now. So if you don't mind waiting about an hour, then it can be very good support. When you log a call with IBM, it takes them about an hour to start working on the problem.

We used Splunk in the past and we are using both products at the same time.

The setup was very straightforward. It's basically, "next, next, and next”, and then you are finished.

I wasn't completely part of the whole process when they chose a product. I know they evaluated AlienVault, which unfortunately I do not have any experience with. I'm not able to provide pointers as to why the company chose IBM QRadar. I believe it's because we are a partner with them.

Just spec it correctly and it will do its job for you. It has an active community. IBM patches the product regularly when problems are picked up. I haven’t heard about a lot of problems from other people using the product. When we only have four hours to respond, an hour can make a difference in waiting for support.

SIEM solutions must be business driven. Utilizing a SIEM solution depends on your enterprise goals, from meeting compliance requirements to implementing security controls and identifying the absence of controls. A SIEM solution can also be used to improve your business and increase your sales. With QRadar, you can do all these, even if you are not a security expert. It comes with a set of default rules which makes your life easier, from ransomware attacks to DDoS attacks. Everything can be detected if your logs are properly integrated into QRadar. 

It gets better with extensions and other rules you install from the IBM Security App Exchange, where you can detect malicious website access (with the intent of ransomware), P2P activity, or someone spamming everything. You can be notified, then you can run scripts to make QRadar take an action. 

I am a security analyst working with QRadar.

It is always evolving with new patches, new UX/UI (such as 7.3), new rules, and new extensions. It lets you evolve your company accordingly.

The usage of QRadar or any SIEM solution depends on the company goals, but with QRadar, the user interface, the dashboards, reports, installing extensions, and playing with the rules are easier. 

QRadar has helped our company a lot in evolving our security policy and taking care of weak controls. QRadar helped us in the blacklisting and whitelisting of applications. It helped us identify our security threats, and improve our firewalls. With the QRadar Vulnerability Manager, it helped us take care of vulnerable assets. 

• Its default set of rules: It comes with many rules disabled. You can tune them and modify them according to your enterprise needs and avoid false positives.
• The extension management: There are more than 120 extensions in QRadar, which are easy to install and configure. These can improve your analysis of events. 
• UBA 2.7: It can help you detect insider threats. 
  

QRadar log integration of various applications can be a tough job at times. There may be occasions when you will not find any QRadar guide on adding logs of a particular application. Even if you come across one, adding a log process is not an easy one. Plus, it is also vulnerable because the ports used to integrate those log sources with QRadar are well-known and most of them are vulnerable ones. 

QRadar is easily scalable in many ways: vertical and horizontal.

• Horizontal: You can increase the QRadar processing power with QRadar App Node and Data Node.
• Vertical: You can always implement multiple QRadars: Event collectors and flow, collectors, and then you can route your offenses, such events and flows from one QRadar to the next one.

Buying anything, an enterprise must look for troubleshooting and fixing its issues using its support. With QRadar, all those things are easily available and just a click away on the Internet. From IBM Fixlet to dW Answers, you can do a lot.