Its technology is quite new and it has a predefined set of templates that can be readily used for our business, so we don't have to innovate much. These are some unique features about this tool.
Senior Manager at a pharma/biotech company with 1,001-5,000 employees
It has a predefined set of templates. In order to secure patient data, they may have to incorporate certain legislation / regulations.
What is most valuable?
How has it helped my organization?
Security: We do have cloud services. It's very difficult to control cloud vendors, when it is for security. But this tool conducts an independent audit and makes sure that security, identity and governance are in check every time.
What needs improvement?
This tool is more suited for the technical industries or it's more specific for technical security. However, now since new laws are coming out such as the GDP in Europe and the biometric laws, in order to secure patient data, IBM may have to innovate more and incorporate certain legislation / regulations into their tool. It should be readily available to the pharma companies, so that they don't need to struggle to make more templates and thus don't have to tailor it to our needs. It should be a custom off-the-shelf solution, i.e., COTS. So, they're looking for more innovations in that area.
What do I think about the stability of the solution?
We're just the earlier adopters of this tool for now. We are in the pharma industry, so we have started doing pilots across different functions in the organization. It will take us around one or two years to come to a conclusion in regards to the stability of this solution.
Buyer's Guide
IBM Security QRadar
June 2025

Learn what your peers think about IBM Security QRadar. Get advice and tips from experienced pros sharing their opinions. Updated: June 2025.
858,038 professionals have used our research since 2012.
What do I think about the scalability of the solution?
It is a little bit too premature for me to comment on scalability but it is quite good, because they have already identified 10-11 projects that we'll be using with this tool. So, we don't think scalability is going to be an issue.
How are customer service and support?
We do use technical support. We are IBM customers and IBM controls our infrastructure for the company. We do use their technical and business analysts. They were very helpful and knowledgeable. They are prepared for the pharma industry. That is very important for us.
Which solution did I use previously and why did I switch?
We were not previously using a different solution. IBM approached us with best practices and they conducted a survey. They control our infrastructure and security; they advised us in regards to the product. After a series of discussions, our management decided to go ahead with certain pilots, so as to see the efficiency and then finally decided on this solution.
Which other solutions did I evaluate?
We are a grounded manufacturing and pharma organization, thus we are looking for vendors with proven skill sets in that arena. We are bound by more regulations than any other industry, so we look for certain certifications that the vendor should have. They should be compliant with the USFDA guidelines, before we select a vendor. After we start evaluating vendors, it does depend on the versatility and the scalability of the solutions.
Currently, there are a couple of vendors in the shortlist. After we complete our pilot, we will be choosing one single vendor. We are a SAP shop for ERP, so we did have some discussions about the interoperability within IBM and SAP. I think both of them are good partners in that area. At this point, we are not looking for any other vendors.
What other advice do I have?
The solution seems to be very promising on paper, i.e., in theory, some things look good but practically, after we apply the solution in the next one or two years, we'll come to know more.
You should first conduct an assessment from IBM and the system should follow the selection of the tool. You should not just go by what you want, but instead by what you need. Most of the companies don't know what they need in terms of the security.
Disclosure: My company does not have a business relationship with this vendor other than being a customer.

Group CIO at a tech services company with 501-1,000 employees
Provides visibility in terms of the threat surface and proactively looks at mitigation measurements.
How has it helped my organization?
It gives us more visibility in terms of the threat surface and to proactively look at mitigation measurements, in terms of managing our risks. As our side business is increasing, it gives us a better way to handle things.
What is most valuable?
We are using this SIEM solution, which is pretty good in terms of detecting threats and managing the intelligence for us.
What needs improvement?
In the next release, I obviously would want to see more integration to the cloud-based services such as Microsoft Azure and the other line of business applications, so that we have a comprehensive view on a hybrid cloud stack.
What do I think about the stability of the solution?
The stability of this product is pretty good. It's helping us a lot and they keep on adding new features. Thus, as a platform, it's quite stable.
What do I think about the scalability of the solution?
Scalability is good because it is a cloud-based offering and a managed services offering solution. The scalability is left for IBM to manage, so it's not a headache for us to manage.
How is customer service and technical support?
We have used the technical support on and off. Since it's on a 24/7 SLA, it gets managed well. It is pretty good. On a scale of 1-10, I would give it an eight.
How was the initial setup?
The setup was a bit complex. But as a project team, we pulled it through. It was complex because you need to understand the product and they need to understand our business requirements, as all of this is in the setup. So, it's not a straightforward payoff by just putting us off way there.
Which other solutions did I evaluate?
The SIEM solutions list we looked from included IBM, Cisco and Check Point.
The most important criteria while selecting a vendor are that it is a future-proof and tabulating solution. Also, the other factors involved are being a global leader and getting us up there as well.
The primary reason as to why we chose IBM is because we had a significant local presence. Also, QRadar's portfolio and its features on the Gartner's website were pretty much at the top end, i.e., as a leader in the leadership aspect.
What other advice do I have?
This is quite an established solution, so I will have no hesitation in recommending it.
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
Senior Security Engineer at a consumer goods company with 1,001-5,000 employees
It helps our incident handlers find incidents within our environment and track down new threats.
What is most valuable?
The most valuable features are its ease of use and that it provides good return on investments. It's the best solution out there, in my opinion.
How has it helped my organization?
It brings down the time for our incident handlers to find incidents within our environment, to track down new threats and to keep them gainfully employed, by finding the new problems that we see.
What needs improvement?
I'm not really sure in regards to any additional features, because everything I've seen on the roadmap looks good. So, I'm pretty happy with that.
There is always scope for improvement. The QRadar WinCollect feature needs to be improved. The Windows Log collection is sort of problematic and needs to work better.
A little bit more improvement needs to be brought about in the Watson integration and I still need to see how that works. A little more improvement can be brought about in the User Behavior Analytics and Network Analytics. That would be great.
What do I think about the stability of the solution?
We've had no issues with its stability or scalability.
How is customer service and technical support?
The technical support is very good. After the Q1 Labs integration into IBM, they kept the same people. I'm a long-time user and I keep talking to the same people year after year.
What's my experience with pricing, setup cost, and licensing?
It's worth the cost. There are a lot of other options out there that are way more expensive, and that may be better in certain areas, but in my opinion, the overall best solution is QRadar.
What other advice do I have?
First, make sure that it's sized right and read all the manuals, before you do it.
Interoperability with other products is what I look for in a vendor. An open API is the big thing. I want to be able to make sure that if I buy something, it will be able to talk with other products. I won't need to keep going down the same path, i.e., if I buy company X, I have to buy company X products all the way; otherwise, they won't talk to each other. Being able to talk with other products really makes a difference.
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
Security Operation Manager at a transportation company with 10,001+ employees
Provides user behavior analytics.
What is most valuable?
- User behavior analytics.
- Alert features on any suspicious activities.
- It contributes a lot of knowledge towards your network environment.
How has it helped my organization?
You can add value once you connect a lot of syslogs of a lot of applications to the actual SIEM product. It pretty much does the monitoring of our network, so just having the tool secures the environment itself.
What needs improvement?
I don't have any particular suggestions at the moment, but giving the ability to their business users to leverage the functionality well is important. Right now, the way we use it internally is mainly just for our security team, but other products, like Splunk, for instance, do monitoring on not only the network but also monitoring of system performance.
Server performance is important, whether or not the application is up or down or things of that nature.
What do I think about the stability of the solution?
The product is very stable.
What do I think about the scalability of the solution?
The product is very scalable.
How is customer service and technical support?
Technical support is good. It's not great, it's good. When you leverage the tier 1 folks just to do some troubleshooting, it takes a bit of time to transition a case over. They could improve that turnaround time, especially when the first level guy doesn't know exactly what's going on or doesn't know the answers to the questions.
How was the initial setup?
I wasn't directly involved in the initial implementation. I wouldn't say it's complex, but I mean just by enabling different data sources, you can go crazy with it and enabling them all in one shot is just too much.
Taking your time is probably a better approach, so that way things operate smoothly and you can fine-tune things as you start seeing the network activity.
What other advice do I have?
Ensure that it's scalable and that you have good customer support. Also, take your time doing the implementation.
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
Director of Cyber Security at an insurance company with 10,001+ employees
The ability to correlate large amounts of data into rules that provide real-time alerting is valuable.
What is most valuable?
The ability to correlate large amounts of data into rules that provide real-time alerting is the most valuable feature.
How has it helped my organization?
It has provided us with quicker mitigation to threats. We used to do everything manually, so it automated a lot of workflows that in the past, we weren't able to do from an automation perspective.
What needs improvement?
We are still two versions behind, so I don't know specifically what could be improved. I've told all the executives and staff we met at a recent IBM conference that integration with other solutions is important so that we don't have to do a bunch of different things to consider.
What do I think about the stability of the solution?
We are the largest user of QRadar, so the stability is average. There are several vulnerabilities that IBM is working with us on. They don't have a test environment big enough to imitate the stress we put on it. Stability is probably OK for the normal customers, but we break everybody's apps just because of our size.
What do I think about the scalability of the solution?
There are some vulnerabilities that may be further exacerbated at our size, so they are trying to fix some of those issues and bring stability, but it's really product issues that don't scale right now.
Which solution did I use previously and why did I switch?
It was functionality which drove us to change. QRadar had better functionality than what we were getting out of the previous solution. Scale was probably also a factor at that time. It was right after IBM bought Q1 Labs, so it was an industry leader along with some others. We did an evaluation and QRadar came out on top.
How was the initial setup?
Initial setup was pretty straightforward. It's a complex solution, but it was straightforward for a large environment.
Which other solutions did I evaluate?
The two big options we evaluated would be IBM and HP. What we understood was that QRadar would be a more simplistic implementation, taking up less time.
What other advice do I have?
Make sure you really understand all the requirements before you implement. I think the group that did this implementation didn't necessarily understand fully what we were going to use it for, so it was maybe designed for smaller things. So, you should really understand the requirements prior to stepping into it.
If QRadar is going to be a central sort of hub for IBM's security solutions, make sure that the other tools integrate very easily into it. That would probably be the biggest task.
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
Senior Security Analyst at The Hartford
The organizational value we derive from it is that it helps us track down where we have problems.
What is most valuable?
The most valuable feature for us is probably the intelligence we get out of the product.
How has it helped my organization?
The organizational value we derive from it is that it helps us track down where we have problems.
What needs improvement?
We appreciate ease of use in the product, so I suppose they could bring the cost down. I haven't really thought about possible improvements. They've added a lot of good features to the apps. I'm still exploring those and there are a lot of good features there.
For how long have I used the solution?
I have used the solution for about 15 years.
What do I think about the stability of the solution?
Overall I'd say the stability is pretty good. I have noticed some issues with the patch and updates recently, especially version 72A. There have been some problems where a patch would come out and a few days later another patch would have to come out to fix issues that weren't encountered so that's caused some issues for us.
What do I think about the scalability of the solution?
Scalability is good.
How is customer service and technical support?
The initial technical support to call is less than adequate. I usually know more than the level one or level two, again because I've been a customer for 15 years. I worked with the original QRadar guys to help develop their SIEM solutions so I know quite a bit about it. Usually when we call in it's a real problem because we fix most of our own problems.
How was the initial setup?
Fifteen years ago it was very complex because of the linking of different flow collectors. Being processed together, upgrading them was painful. That part has improved greatly as you can just put the update process in the console and push Yes. That's a lot better.
What other advice do I have?
It's a great product. They're obviously an industry leader right now in this field. If you're looking for SIEM, I would recommend it.
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
Security Consultant at a tech services company with 11-50 employees
It can collect different types of security feeds and correlate them in real-time with your logs.
What is most valuable?
The most valuable features are:
- Auto update: QRadar will download new logs from the database on the supported security device, so that it will automatically normalize the new log format and you will not need to rewrite all your rules/offenses again.
- X-Force/TAXII feed: QRadar can collect different types of security feeds and correlate them in real-time with your logs.
- Search engine: QRadar is like Excel, i.e., you can add rows and filter like your daily office work, without writing any scripts. So level 1 support can also handle this type of job.
How has it helped my organization?
You will learn something that you don't know on the user/machine behaviour.
What needs improvement?
The dashboards and reports may need to improve. We need to export the CSV results to create a report by Excel.
For how long have I used the solution?
I have used this solution for three years.
What do I think about the stability of the solution?
It will slow down, when there are too many people doing a search at the same time, but that depends on your hardware and design.
What do I think about the scalability of the solution?
I did not encounter any scalability issues.
How is customer service and technical support?
You may need to allow remote support for them to help you, for troubleshooting the issues.
How was the initial setup?
The setup is complex, i.e., for the first setup. SIEM is not easy so as to enable logs without any performance issues and the deployment advisor is the key for the project.
What's my experience with pricing, setup cost, and licensing?
You only need to worry about the number of events per second and the number of flows per minute. Storage size is not an issue with QRadar.
Which other solutions did I evaluate?
We did evaluate other options. I think Splunk is the second-best option.
What other advice do I have?
If you have an experienced group of security members, then you may not at all need the advisor for the product. If not, then you will have to find the path to build your team, so as to become more knowledgeable.
Disclosure: My company has a business relationship with this vendor other than being a customer: We are business partners.
Application Infrastructure innovation at a financial services firm with 1,001-5,000 employees
Using it through IBM's Managed Security Services, they keep us alerted of what events are hitting, and adapting for it. I'd like to see tighter integration with other IBM products.
What is most valuable?
What is valuable is that we're using it through IBM's MSS services, and that they're doing a really good job of keeping us alerted of what events are hitting, and adapting for it.
How has it helped my organization?
It benefits us from a standpoint that we're very immature in our review of how security should be approached, and it's really helped us move up to modern awareness of what's going on on the internet.
What needs improvement?
What I'd like to see, and they're getting there, is more integration; tighter integration with some of the other IBM Security products. They're moving a lot tighter to BigFix. BigFix has a lot of power in it, and MaaS360 also has a lot of power in it. I'd like to see those more tightly integrated.
What do I think about the stability of the solution?
We have not had any stability or scalability issues. We're a little concerned about the latest version and the fact that it cannot be upgraded, that it requires a clean install.
How are customer service and technical support?
We have not really used technical support, because it's a managed service, so we call the SOC and they help us. They are very helpful.
Which solution did I use previously and why did I switch?
We just really sold our CIO and CTO on the fact that we need to do better than we are, where we're at today. We had a lot of virus challenges, like most companies, and malware, so we had to figure out how to reduce that.
How was the initial setup?
I was involved in the initial setup. Well, IBM did it, since it was a managed service. It was pretty straightforward.
Which other solutions did I evaluate?
We looked at numerous other players. We chose IBM because it has a lot of power, and you can grow it as much as and however you want it to.
When I am looking for a vendor, I don't look for a VAR, I look for a partner.
What other advice do I have?
If you're going to implement it, implement it using managed services, because it's too complex of a product to try to do yourself.
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
