IBM Security QRadar Reviews

We have very large, distributed implementations. The best case that we get out of the solution is the rapid insight into security events and offenses in our environment.

The benefit of the solution is a combined view into all of our network events and flows from many log sources across our enterprise. This provides a single pane of glass in order to review what's going on in our environment.

I would like to see more APIs available in order to provide tighter integrations between other IBM products and third-party solutions. I would like to see new cognitive advisors, cognitive capabilities, and more integration capabilities.

I find it to be highly stable. It's one of those situations where you need to have high availability. We have a high availability implementation, so we never lose an environment.

Scalability has been very good. If you need to add to the environment at any given time, based on a merger or acquisition, a new office, or a new data center, you can simply forward events from those centers or add additional hardware. You can include it right into your implementation.

I would definitely recommend QRadar to anyone looking for an SIEM solution in their organization. This is especially the case for mid- to large-scale enterprise solutions, compared with the competitors.

I believe AQL is the most valuable feature. It allows me to extract data from the QRadar database directly using a very flexible language similar to SQL. So, if somebody has SQL experience, it is easy to learn.

My organization did not have SIEM at all. We had Log Manager only, but it was very slow and user-unfriendly. QRadar allowed us to concentrate two functions in one place: an extremely fast log manager with a very user-friendly web UI and the ability to correlate events from many different sources. Thanks to that, the efficiency of the security team has increased.

I think Risk Manager (one of the optional QRadar modules) is something that needs improvement.

I have been using QRadar for three years.

Sometimes, after a new release, we had issues with stability or some bug showed up. It is strongly recommended to have a DEV or UAT environment to test the release before going into production.

We have not really had scalability issues.

Technical support is at acceptable level, but sometimes a case is stuck on L1 too long.

We did not previously use a different solution.

Initial setup was straightforward, but as with all SIEMs, out-of-the-box configuration presents minimal value from a security standpoint. Furthermore, good analysis on where to put collectors is essential, especially when it comes to QFlows.

Put some efforts and evaluate what license (EPS) you need for which collector before making an order. It is worth hiring a professional to do it for you (somebody who has experience with QRadar sizing).

We evaluated HPE ArcSight.

Don't forget to hire the right people. They are expensive, but it is far more cost-effective to pay them now than to try to integrate SIEM without professional knowledge and break it (it is especially important in the architecture and integration phase). Because, then you will pay twice and your security monitoring program can be delayed months. In the operation phase, don't forget to invest in training for both analysts and SIEM administrator teams. It is very easy to use this tool the wrong way and then it will give you almost no value.

These features make it easy to operate the application:

• Integration with multiple platforms
• Ease of rule making
• Manufacturer support (IBM)

We use QRadar for application security, generating customized rules of correlation according to the operation of our business. It extends the security of our most critical assets.

From my point of view, they should improve the backup procedures. QRadar does not allow sending backups by FTP or SFTP, limiting the tool. I had to make a script but it is a manual process. It would be great to have it automated.

I have used it for approximately five years.

We did have stability issues. Some errors were generated when applying updates.

We have not needed to scale the solution.

It has taken a long time for support to respond to our request regarding AIX.

We didn’t have a previous solution. We have always used QRadar.

The initial configuration is simple; the maturation of the application is complex. Not because of the application of QRadar, but because they include many factors, such as the identification of critical assets and how we can secure them, with the application.

QRadar is a very expensive application but it is a good product. My advice is to validate with other correlator solutions and validate which product is right for the organization.

We did evaluate other similar products that are good, such as McAfee ESM and HPE ArcSight.

First, identify the most critical assets to be included in SIEM and then the most critical events of my organization. With that, you avoid bringing unnecessary events into SIEM.

It's a very good and versatile correlator.

The most valuable feature is the ability to get the logs and analyze them. These logs help us in terms of analyzing and actually using Watson on them. It's a pretty great tool for intelligence. I think it is really a great product.

To be able to get the logs and analyze them has improved the way my organization functions. You can see where the source destination is coming from. You can actually see the data and pause the dashboard. It actually helps you to analyze the data the way you are supposed to. Nobody else is doing that right now.

I don't have any problems with the solution right now. As I play with the tools, then I will actually come up with different ideas.

I was able to help out with IBM Guardium version 10. I was helping out with a couple of developers who actually developed the application itself.

I want to see more integration between QRadar and other applications like BigFix and a couple of other tools and applications out there. There are a lot of applications out there. QRadar security intelligence might be one of the best right now.

There were no stability issues with QRadar. We've had a couple of stability issues with all the applications that I run. I don't want to mention names.

I’ve used technical support, and they were OK. I used to work for IBM.

I was involved in the initial setup. It was straightforward and not complex.

I work as security engineer for the Department of Justice. We test hundreds of applications. I actually see which ones work best for the infrastructure.

I would suggest QRadar. The security intelligence is one of the best right now.

When looking for a vendor, I want to be able to win them. I want them to accept the fact that I’m looking for a product for what I am doing and I have a couple of requirements.

From there, I can actually tell them what they need to do, or what I need to do, in the environment.

The most valuable feature of this product is the nice UI. It is easy and quick to get the information you're looking for.

The benefits are that it's easy to navigate the UI and to get the information as quickly as possible. We're able to resolve problems quicker, so that we get to the solution in an easier manner.

It would probably be better to get more access to the APIs.

The product is very stable. I don't have any issues with stability at all.

Scalability is nice, as well. We have a distributed environment and it's real easy to both manage and upgrade. Anything we need to do, we can do it from the console.

On a scale of 1-10, probably seven; I would rate the technical support team a 7/10.

We were previously using a different solution that just wasn't getting the job done. It was taking too long to get where we needed to get to.

The setup was very straightforward. The special services team gave us insight and helped out to resolve any issues.

QRadar was at the top our list. We also looked at other solutions such as HPE ArcSight and Splunk. The reason we went with QRadar is because we could bring it on-prem, which made it nice, and we also use other IBM products as well.

In general, when selecting a vendor, support is probably going to be the number one criteria. Then, the second criteria is the availability of the product; the product is not very good if it's not available, it's broken, etc.

Make sure you try them all and then, pick the one that you think would work the best. It's nice to value other people's opinions, but it's better to test all the products and choose what you think would be best, for whatever your need is.

It's very easy and initiative. It's just a good overall solution, compared to the other ones I've used.

• The ability to correlate data across our global enterprise in near real time
• The ability to integrate a lot of third-party solutions
• The machine learning pieces with Watson, indicators of compromise, and utilizing that across the value stream

I look at the solution as the best-of-the-breed product. The fact that it can work with what everybody else is doing in the cyber landscape is really what gives it the edge.

The solution has improved the efficiency of our security team. These improvements prevent the need for more proactive security activities.

The improvements did not reduce our staff. It's funny, because IBM keeps on having this conversation about staff headcount. It probably sounds good to senior leadership, like to a CIO. The reality is that nobody's looking to decrease the number of staff who they are hiring.

We're looking at refocusing those resources and energy on being able to do additional, higher-value activities. It's more of the case that I don't need as many junior resources. I can focus on some of the things that are a little bit more important.

Our equipment collects billions of pieces of data. We're 100,000-plus EPS per second. The daily list of required investigations for the offenses is manageable.

We've had incidents in our environment. How long it takes QRadar to detect them is always a function of the rules being correlated, the people watching them, and pieces of that nature. I'd say it's in real time. The question is, when it comes to tuning, we want to know if it was tuned appropriately, so it's not lost in the pile of needles.

Room for improvement is more in relation to a lot of the features, the automation of incidents themselves, and being able to automate workflow responses.

Overall, I love the product. IBM usually puts good resources and talent behind things. What they fail to do is to bring all the security together and make sure everything inter-operates and creates one pane of glass.

Actually, I don’t want to say "one pane of glass" because we have seen other vendors do that. They fail miserably because they do not understand where people are coming from.

In terms of some of the right-click functionality that is within QRadar, it should work automatically for all the other IBM products. It shouldn't be something that customers develop. There are pieces in which they have to step back and get some of the foundational pieces.

There are pieces that I feel that IBM should do better. They own Guardium, they own AppScan, and they own some of these other pieces of the security infrastructure that need to relate to QRadar or to Watson. It's the foundational pieces that I feel they need some focus on.

Let's do some of the basics really well. I'm looking at it from owning 50 or 60 different security products across a global organization.

They keep on adding products based on a simple feature set that they can do real well, but they can't integrate them into the rest of the security economy. It doesn't make sense to keep on buying products like that. Whether it's IBM or others, there are companies in the endpoint space that are taking over because they're saying, "Hey, we're going to do everything across your gamut of security needs."

IBM needs to look at that and how they are going to integrate across all of the security products and have them work together.

We have been using this solution for four years.

The stability is good.

The scalability is great.

We don't really use technical support. We're part of some of the engineering and development behind it and we work with a lot of the backend engineers.

Once in a while, we may put something in PMR but most of the time, we are working with the engineers themselves to figure out a solution. They are not really tech support issues.

We have used other solutions, but that was years ago. We've had QRadar for four years. Before that, it was the Symantec solution. The landscape for SIEM has changed progressively over the years.

You're not even talking about the same set of requirements around those things. We just needed to upgrade. We needed the speed, the flexibility, and we needed the correlation building block pieces of it.

I was involved in the initial setup. We are an advanced user of QRadar. While the initial setup was not hard for us, it is a lot more complex where we are right now. It works with integrating some of other IBM products into QRadar, and there's work that needs to be done there to make it seamless.

We were able to be operational in a matter of weeks or months, which is not a long time.

When picking a vendor, the most important thing is partnership.

I honestly have nothing but good things to say about the IBM relationship that we have related to QRadar.

Partnership is going be important. Having the right skillset from an engineering standpoint is important to ensure that you don't set up things backwards. You have a high probability of doing it. This is one of those pieces where IBM doesn't “dummify” the solution for you.

On one side for my senior engineers, they don't want it “dummified” because they need to do it. On the other side of it, there are some aspects that don’t need to be this complex.

For the SMB market, those are some of the areas where I counsel people and say they need to get these types of solutions and do these types of processes. Selling something like QRadar to them becomes a little bit more of a burden because of that complexity. It's like a compliance check mark.

It's easy for us to see what's happening in the environment. It's very good to see the logs and the analytic stuff.

We can see the vulnerabilities much easier with the product. You see a popup on the screen. We do not have to look for it. It is pushed to us.

It is very expensive; very expensive.

The solution is very stable.

I think it is scalable.

We have used technical support. They are very good and very nice.

We didn't evaluate any alternatives. We have yearly talks with the IBM consulting team. We look at the trends.

When choosing a vendor, we look for a stable and trustworthy company. I think QRadar is the best solution you can get.

We are using it for monitoring different systems, and we are monitoring the logs with QRadar. This is one of the good tools which we have identified, and we are using it for monitoring the application.

Any issues regarding monitoring, if we feel that there is anything going on in the application, QRadar collects the logs, we monitor those logs, and we get alerts for those logs.

Reporting should be very good, and a proper integration with cloud, not only the IBM cloud, but with other clouds also.

The stability is good. I never got a complaint, but sometimes we have difficulty in configuring new applications. Since it is going into the cloud, we have a big challenge how we are going to monitor those applications which are sitting in Bluemix.

The scalability is good. We have been using and increasing the applications most of the time.

I think my team has used technical support. They are responsive, I can say it is 8-9/10.

We were using a different solution, and we moved to QRadar. It has some more benefits than our previous solution. We have totally transferred to QRadar now.

I was not involved in the initial setup.

We have evaluated only the large vendors. As we have a long-standing relationship with IBM, that's why we moved to QRadar. I don't know which other vendors were on the shortlist for evaluation.

If you have the budget, go for QRadar. It depends on the company size. It's expensive.