PeerSpot user
IT Manager at a comms service provider with 1,001-5,000 employees
Real User
Contextual and threat-based incident management.

What is most valuable?

  • Paradigm shift, security intelligence 2.0
  • Contextual-based incident management
  • Threat-based incident management
  • A single management console to handle all the data
  • Ease of use
  • Existing integration capabilities
  • Out-of-the-box reports
  • Parser development

How has it helped my organization?

It has helped us reduce VPN fraud through active monitoring of the various types of fraud.

What needs improvement?

  • There is scope for improvement in the orchestration layer, such as the SecOps from RSA. RSA Security Analytics bundles their offering with their SecOps (a subset of Archer, the Risk Governance tool). This gives them a competitive edge.
  • The reporting and dashboard capabilities require a bit of improvement in terms of fine-tuning and bifurcation between the technical and management reports.

For how long have I used the solution?

I have used this solution for four years.


What do I think about the stability of the solution?

There were no stability issues.

How are customer service and support?

I would give technical support a rating of 9/10.

How was the initial setup?

The setup was straightforward and the deployment was easy.

What's my experience with pricing, setup cost, and licensing?

The pricing policy is a bit on the higher side. IBM offers discounts when applicable.

Which other solutions did I evaluate?

We looked at other solutions such as RSA enVision and HPE ArcSight.

What other advice do I have?

Trust it, test it, and deploy it.

Disclosure: My company does not have a business relationship with this vendor other than being a customer.
it_user632760 - PeerSpot reviewer
Lead Developer
Real User
Based on the analysis, we can easily identify from where the threat is originating.

What is most valuable?

The most valuable features of this solution are analyzing who is saying what and, in case of a threat, being able to easily identify where the threat is originating from, based on the analysis.

How has it helped my organization?

We have implemented this QRadar solution to identify the data, and whether it is being used by various parties, including our trading partners, i.e., both internal as well as external partners. Thus, by using this product, we can also come to a conclusion as to how the data is best applied, and we can decide what to link, i.e., whether we need any infrastructure improvements and so on.

What do I think about the stability of the solution?

I am not currently responsible for this product. However, I did not hear any complaints from the other people in terms of its stability.

What do I think about the scalability of the solution?

We are not directly managing this product. I am from the integration team and the QRadar solution is mostly used by our information security.

Which solution did I use previously and why did I switch?

Initially, we were using another IBM product. With QRadar, we are getting better outputs such as the reports and other outputs.

The reason why we chose IBM is because we are using so many products from IBM today.

In general, the most important criteria that we look for while selecting a vendor are that there should be other proven solutions offered by the vendor and they need to be a type of investigator since we belong to a specific healthcare industry. So, we are very careful when we are choosing a vendor.

How was the initial setup?

We were involved in the setup in terms of sending the information back and forth to QRadar. Other than that, I did not take part in the installation.

What other advice do I have?

Definitely invest in the QRadar solution.

Disclosure: My company does not have a business relationship with this vendor other than being a customer.
it_user643884 - PeerSpot reviewer
Senior System Administrator at a tech services company with 11-50 employees
Real User
Offers device auto-discovery, along with rules and reports already created.

How has it helped my organization?

I have implemented QRadar in a big airline company, where they needed to get all their security information in one place. It helped in reducing the amount of time that was needed to evaluate the risk of every event. Configuring the alerts has never been easier; you just search for the event you think you need and start creating the rules that way. It is really straightforward and you don't need much IT knowledge for it. Of course, experience with the product and a generalist view of the infrastructure, business and IT are strongly recommended when using a tool like this.

What is most valuable?

In my understanding, the best features are:

  • DSMs (Device Support Modules),
  • Device auto-discovery, and
  • Hundreds of rules and reports already created for you to mix up.

These features are keeping QRadar on top in Gartner. You can have it running in a few hours, then start collecting your logs and events in no time.

What do I think about the stability of the solution?

We never experienced any stability issues. The only problem that I had was related to the hardware and the high availability worked as expected.

Something to take into account is the IBM support; they really know their business and how to fix problems. I had the opportunity to talk with L2 Managers in the US, who told me that IBM is investing in research, documentation and training for all the people working with it. This is a very interesting thing to keep in mind when choosing this platform.

What do I think about the scalability of the solution?

We never experienced any scalability issues. If you correctly estimate the amount of EPS (the license variable), then scalability is not a problem. They can run in a really big environment (100,000 EPS tested in production) and all the infrastructure will work as a charm.

How are customer service and technical support?

The technical support is excellent. As I've mentioned, they know their business and have a really good team behind them.

Which solution did I use previously and why did I switch?

I had the opportunity to use other SIEM solutions, but none can provide what QRadar does, i.e., in terms of its simplicity, support or integration.

How was the initial setup?

The setup was really straightforward. You simply need to put your ISO image in the hypervisor, follow the on-screen instructions and you have it running in one hour.

What's my experience with pricing, setup cost, and licensing?

The pricing and licensing policies are really competitive. These solutions are not for a really small business, but having just one license variable is really good. You simply tell the partner or sales representative the number of EPS you want to receive on your appliance and that's it. Other solutions have a 'correlation' license, which is more like a trap than anything else.

Which other solutions did I evaluate?

I have tested Splunk and used a little bit of NitroSecurity (McAfee). I have also seen a little bit of HPE ArcSight.

What other advice do I have?

You should ask the sales representative to give you the Excel sheet to calculate EPS. Keep in mind that the firewalls, proxies and networking devices such as those will consume lots of EPS, but they do provide really nice information and insight from your network.

On Gartner, this is one of the top 10 SIEM solutions in the market. It is robust and IBM is investing a lot of money to get it running even better than it is running right now. You feel secure when you use it.

This solution is being implemented around the world and every day, a new feature or add-on is created for it.

Disclosure: My company has a business relationship with this vendor other than being a customer: We are business partners and have a really good relationship with IBM.
it_user632703 - PeerSpot reviewer
Senior security analyst at a financial services firm with 1,001-5,000 employees
Vendor
Provides custom parsers. I'd like to see more integration with other security products, especially bidirectional.

How has it helped my organization?

I think it has improved our organization by the speed at which I can run queries compared to other software that I've used in the past. It's a lot quicker and holds a lot more information. It helps keep a good cognitive overview of our environment from a security standpoint.

What is most valuable?

Some of the most valuable things that I get from QRadar are the custom parsers. A lot of the syslog items I get pushed to QRadar as-is, instead of trying to build a custom parser to parse out the information that we need in order to do our investigations or to review that data. There are a ton of already-defined ones in the application.

Plus, when you build rules, it's a really good user experience. It's like plug-and-play rules to flow out what you want, for whether what you want to look at has a certain level of severity or if you want real-time alerting on something that's happening right away in your environment that you want to investigate.

What needs improvement?

I'd like to see it being able to be integrated with more security products. I'm a big Guardian user; it's nice for the bidirectional. I can do some stuff, like a SQL injection, or if something is happening.

But if there were other security tools that it could better integrate with, like to go both ways; say it knows that a user is having heavy traffic, maybe it integrates with DOP to look at different sessions that they're doing. Something like that; like backwards compared to DOP, like reporting to it.

It's really good, but there's room for improvement; some more bidirectional integration with different security applications, especially some of the IBM Security ones like BigFix or something like that.

What do I think about the stability of the solution?

We haven't encountered any issues with stability.

What do I think about the scalability of the solution?

We can scale it as big or as large as we want in our environment just by adding multiple sources. It's just, from a licensing standpoint, you hit a certain mark. You want to make sure you either ignore some of that, or you just have to get more licenses.

How are customer service and technical support?

I've opened PMRs before. They're usually pretty responsive. The guys usually have pretty good knowledge, and they'll help you fix your issue pretty fast.

Which solution did I use previously and why did I switch?

It was easy to know we needed a new solution; when you have Symantec's DLP that's really crappy and they end-of-life it, you've got to start looking for other products. That's why we changed.

How was the initial setup?

The setup wasn't too complex. It was pretty straightforward. Basically, it's pretty much out of the box. You don't have to configure it much for your environment. It's built for many different types of companies. Once you start getting in all of your different log sources and using those custom parsers I mentioned, basically you've got to start looking at, What's white noise? What's not white noise? That's really what takes up a lot of your time, as to scaling it for your environment. The setup itself isn't very difficult.

Which other solutions did I evaluate?

We evaluated LogRhythm. LogRhythm is a really good product. It's close to QRadar, but, as I mentioned, those custom parsers. Also, LogRhythm's a little more difficult to install; we did the PoC for both leading SIEM solutions. Working with other IBM products, plus getting a discount for how much IBM stuff we already buy; it was easier for us to go with the QRadar route.

In general, when I go to work with a vendor, the important criteria I look for are how well they build relationships with you; how well they're willing to help you. Also, what are little things they're willing to do for free? Are they willing to, maybe, teach you how to do something a little bit here and there for free? Little things, give and take, here and there, make a good relationship with a vendor.

What other advice do I have?

Make sure you understand how many log sources you have in your environment. Kind of get an idea of how many per second you're going to be getting. That way, you have a good idea for your licensing model to start out with. In the past, we had a certain set we thought we were going to have, and then we had to upgrade, and then upgrade again, for the license count.

Also, make sure you're doing correct tuning. Otherwise, you're just going to flood your SOC, and they're gonna spend too much time sifting through white noise.

Disclosure: My company does not have a business relationship with this vendor other than being a customer.
it_user634800 - PeerSpot reviewer
Security Consultant at Dimension Data
Consultant
The most valuable features are the implementations, the plug-ins, and the UBA.
Pros and Cons
  • "The most valuable features are all the implementations, the plug-ins, and the User Behavior Analytics (UBA)."
  • "Maybe there should be more custom rules in the exchange. Basically, we are using a lot of threat rules, so maybe they'll develop something like that."

How has it helped my organization?

Maybe the best way it helped our organization is that QRadar is well prepared for PoCs. When you are doing PoCs, you just install the solution and you can show it to the customer.

It has great benefits because we don't spend a lot of time setting it up. There are a lot of features that are there out-of-the-box. It's great to do a PoC with customers and to reduce the money spent on the implementations.

What is most valuable?

The most valuable features are all the implementations, the plug-ins, and the User Behavior Analytics (UBA). All that stuff is really cool.

We are using the solution a lot on the customer side. We like the strength of the platform, basically. I know there is no other product like QRadar.

What needs improvement?

We thought about what was missing and it was the analysis of the user behavior. However, with the User Behavior Analytics (UBA), it's much less complicated.

I recently attended a conference presentation on machine learning, and it is a great plug-in to UBA. It will help us a lot because a lot of customers want to analyze their user behavior patterns.

Maybe there should be more custom rules in the exchange. Basically, we are using a lot of threat rules, so maybe they'll develop something like that. It will be better.

I would like to see improvement in the technical support. Sometimes, when we do patching or something like that, it creates some problems. Maybe they could test the patches and the OEM product better.

What do I think about the stability of the solution?

The stability is not bad. We had some problems with patching, but there are problems with all software.

We had the problem when we patched from Version 7.2 to Version 7.2.8. There were some problems with the authentication tokens. It didn’t go so well, but we solved it with the help of technical support and it was very quick. I think that's cool.

Sometimes, we have a problem with support. We are also using QVM (IBM Security QRadar Vulnerability Manager) and I think it is a little bit buggy for now. We have a lot of problems with it. It should be better.

What do I think about the scalability of the solution?

In terms of scalability, there is no doubt about it: It is perfect.

How are customer service and technical support?

The quality of technical support depends on the agent. Sometimes, it's hard to get the person who you need. Sometimes, it's better to create a ticket when the USA is working because I think they can help you better.

Which solution did I use previously and why did I switch?

We had McAfee, but we are ending our use of it. There are only some small implementations that are running with it. We are no longer developing with it. I think in the future, we will switch to QRadar. This is because we don't want to have two separate platforms.

RSA enVision was being used with one of our banking customers. However, we transferred to QRadar last year.

How was the initial setup?

We implemented the solution from scratch with our customers. We have a lot of implementations that they can check.

The setup was very complex. We have integration with a customer service desk and a lot of customization. The best thing is that we can create our own app and adapt it to QRadar.

We attended the IBM master class to help us with an SDK to develop our own apps. Some of our customers are banks and they have a lot of things to do. Sometimes the features they need are not in QRadar, so we have to customize the solution a little bit for them.

Which other solutions did I evaluate?

We have a security department in the Czech Republic. We are basically only implementing IBM security products.

What other advice do I have?

Definitely try it. Do a PoC with a customer. You can get the value for the customer quickly. It's great.

Disclosure: My company does not have a business relationship with this vendor other than being a customer.
it_user632781 - PeerSpot reviewer
Cyber Security Manager at an energy/utilities company with 1,001-5,000 employees
Vendor
In general, if you have any botnets or malware, you identify and mitigate it. The biggest challenge is in the upgrade.

What is most valuable?

It gives me insight and visibility, so I can detect a threat coming in and all the offenses are coming in from monitoring one spot.

How has it helped my organization?

We're centralizing all the logs in one location. So, if you have an incident, you can definitely discover it fairly quickly, as it's in one database. In general terms, if you have any botnets or malware, you identify and mitigate it fairly quickly.

What needs improvement?

The biggest challenge is in the upgrade, e.g., when it comes down to a new OS, you have to wipe it clean and reset everything. It takes time when you have 40-50 devices all over the place. It's impossible sometimes to go out and touch every single one of them. If it were an automatic process, you could upgrade to the new version with just point and click. However, that's not the case right now.

WinCollect is a challenge also, and I'd highly recommend that the Q1 team build a lot of Windows-based collectors that simply work. Just like the competitor, Splunk, when you put it in, you don't have to do too many modifications. So, that's a challenge right now.

What do I think about the stability of the solution?

The environment is pretty stable. We just upgraded about a year ago, so it's pretty robust in the environment that we have. It's working really well for us, we've been using it for about 10+ years. We bought it before IBM purchased them.

How are customer service and technical support?

We interact with IBM regularly, so we have a direct tie with them. We're almost like a partner, right now, and we are working very well together.

The technical support is pretty good, i.e., if you get the right person in, it moves pretty fast and issues are resolved fairly quickly. But, you just need to find the right person, which can be a little difficult sometimes.

How was the initial setup?

The setup is very complex; it's not like somebody can walk in and build it. It requires many years of experience to manage and maintain it. You need to have at least an experienced and dedicated team, in order to maintain the environment that we have. It's nothing like a click-and-done type; it requires a lot of care and feeding to manage the environment.

What other advice do I have?

It's a very solid product. However, there are a lot of things that can be improved.

Definitely get a team or hire a professional to install this product. Otherwise, I guarantee you're not going to be successful. There is a lot of filtering that needs to be done; otherwise, you are going to get overwhelmed with the events coming in and will have no idea, as to what is right and wrong. You definitely want to hire a trained team or some professionals.

The price is the most important criterion when selecting a vendor. Other factors such as the quality of the product, the PoC, how well the team interacts and the support are always important.

Disclosure: My company does not have a business relationship with this vendor other than being a customer.
it_user632667 - PeerSpot reviewer
Cyber Security Engineer at a tech services company with 501-1,000 employees
Consultant
Provides a view into our network events and flows from log sources across our enterprise.

What is most valuable?

We have very large, distributed implementations. The best case that we get out of the solution is the rapid insight into security events and offenses in our environment.

How has it helped my organization?

The benefit of the solution is a combined view into all of our network events and flows from many log sources across our enterprise. This provides a single pane of glass in order to review what's going on in our environment.

What needs improvement?

I would like to see more APIs available in order to provide tighter integrations between other IBM products and third-party solutions. I would like to see new cognitive advisors, cognitive capabilities, and more integration capabilities.

What do I think about the stability of the solution?

I find it to be highly stable. It's one of those situations where you need to have high availability. We have a high availability implementation, so we never lose an environment.

What do I think about the scalability of the solution?

Scalability has been very good. If you need to add to the environment at any given time, based on a merger or acquisition, a new office, or a new data center, you can simply forward events from those centers or add additional hardware. You can include it right into your implementation.

What other advice do I have?

I would definitely recommend QRadar to anyone looking for an SIEM solution in their organization. This is especially the case for mid- to large-scale enterprise solutions, compared with the competitors.

Disclosure: My company does not have a business relationship with this vendor other than being a customer.
it_user639687 - PeerSpot reviewer
Cybersecurity Expert at a financial services firm with 10,001+ employees
Real User
AQL allows me to extract data directly from the QRadar database.

What is most valuable?

I believe AQL is the most valuable feature. It allows me to extract data from the QRadar database directly using a very flexible language similar to SQL. So, if somebody has SQL experience, it is easy to learn.

How has it helped my organization?

My organization did not have a SIEM at all. We had Log Manager only, but it was very slow and user-unfriendly. QRadar allowed us to concentrate two functions in one place: an extremely fast log manager with a very user-friendly web UI, and the ability to correlate events from many different sources. Thanks to that, the efficiency of the security team has increased.

What needs improvement?

I think Risk Manager (one of the optional QRadar modules) is something that needs improvement.

For how long have I used the solution?

I have been using QRadar for three years.

What do I think about the stability of the solution?

Sometimes, after a new release, we had issues with stability or some bug showed up. It is strongly recommended to have a DEV or UAT environment to test the release before going into production.

What do I think about the scalability of the solution?

We have not really had scalability issues.

How are customer service and technical support?

Technical support is at an acceptable level, but sometimes a case is stuck at L1 too long.

Which solution did I use previously and why did I switch?

We did not previously use a different solution.

How was the initial setup?

Initial setup was straightforward, but as with all SIEMs, out-of-the-box configuration presents minimal value from a security standpoint. Furthermore, good analysis on where to put collectors is essential, especially when it comes to QFlows.

What's my experience with pricing, setup cost, and licensing?

Put in some effort and evaluate what license (EPS) you need for which collector before placing an order. It is worth hiring a professional to do it for you (somebody who has experience with QRadar sizing).

Which other solutions did I evaluate?

We evaluated HPE ArcSight.

What other advice do I have?

Don't forget to hire the right people. They are expensive, but it is far more cost-effective to pay them now than to try to integrate a SIEM without professional knowledge and break it (this is especially important in the architecture and integration phase), because then you will pay twice and your security monitoring program can be delayed by months. In the operation phase, don't forget to invest in training for both the analyst and SIEM administrator teams. It is very easy to use this tool the wrong way, and then it will give you almost no value.

Disclosure: My company does not have a business relationship with this vendor other than being a customer.