Security Intelligence at a tech services company with 10,001+ employees
We can build interactive dashboards around it. Mathematical operators currently cannot be used within the reference maps.
What is most valuable?
The most valuable feature that we found, especially this year, was the ability to build apps over it. Basically, the platform has opened up and we can now customize it as per our needs and requirements. We can build interactive dashboards and other interesting things around it.
How has it helped my organization?
We are using QRadar to solve our business problems and IT operation requirements. We are fine-tuning the processes laid down from the InfoSec perspective, such as detecting unauthorized changes happening across the IT environment, or business problems such as password sharing, which is not easy to detect otherwise.
What needs improvement?
In future versions, the various features that we would like to see are pretty much in line with what QRadar is coming up with, like this IBM QRadar UBA version 2.0 or support for STIX/TAXII. Basically, we have similar milestones there.
There are a few technical requirements that we have opened feature requests for, such as some of our complex use cases that need mathematical operators to be used within the reference maps. That's currently not available.
What do I think about the stability of the solution?
There were no stability issues.
Buyer's Guide
IBM Security QRadar
June 2025

Learn what your peers think about IBM Security QRadar. Get advice and tips from experienced pros sharing their opinions. Updated: June 2025.
858,038 professionals have used our research since 2012.
What do I think about the scalability of the solution?
There were no scalability issues. With this Event Processor and Data Node concept, I think it is highly scalable.
How are customer service and support?
We have been facing a few technical issues and we are working with the technical support and the development team to resolve them.
Sometimes we get a really good response and at times, some of the issues have been floating around for a long time. But our IT resources have been assigned to them and we hope that they will be resolved easily.
How was the initial setup?
I was involved in the setup; it was pretty straightforward. Once you understand the overall architecture, it is pretty much easy to install and work upon.
What other advice do I have?
It should be implemented by the best professionals available within IBM. It is really important to have a clean base installation, so that you can build things on the top of it.
When we are selecting a vendor, first and foremost, we look for the stability of the vendor and the level of resources they are investing in research and development. These are a couple of things that we look for while selecting a vendor, and of course the kind of resources we are looking for in a given engagement, making sure those resources are aligned.
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
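The password-sharing detection this reviewer mentions can be expressed as "one account successfully authenticating from several distinct source IPs inside a short window", which is the kind of logic a QRadar custom rule would count per username over a time window. The script below is an added example, not the reviewer's rule and not IBM code: it parses constructed sshd-style lines (the log format, user names and addresses are all made up for the example) and raises an alert per user when the distinct-source-IP count inside a sliding window reaches a threshold. Failed logins are deliberately ignored so a password-spraying attacker cannot trip the rule on behalf of a victim.

```python
"""Toy shared-credential detector: alert when one user has successful logins
from >= N distinct source IPs inside a sliding time window.

Added example; the sample log lines are constructed, not from a real host.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample input (assumption: sshd-style auth lines with UTC timestamps).
SAMPLE_LOGS = """\
2024-03-01T08:00:05Z host1 sshd: Accepted password for alice from 10.0.1.15
2024-03-01T08:02:11Z host1 sshd: Accepted password for alice from 10.0.1.15
2024-03-01T08:03:40Z host2 sshd: Accepted password for bob from 10.0.2.7
2024-03-01T08:04:02Z host3 sshd: Accepted password for alice from 192.168.5.40
2024-03-01T08:05:30Z host1 sshd: Accepted password for alice from 172.16.9.3
2024-03-01T08:06:00Z host1 sshd: Failed password for alice from 203.0.113.9
2024-03-01T09:30:00Z host2 sshd: Accepted password for bob from 10.0.2.8
2024-03-01T14:45:00Z host2 sshd: Accepted password for bob from 10.0.2.9
"""

# Only successful authentications count; failures are noise an attacker controls.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) \S+ sshd: Accepted \S+ for (?P<user>\S+) from (?P<ip>\S+)$"
)


def parse_successful_logins(text):
    """Return a time-sorted list of (timestamp, user, source_ip) for accepted logins."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # failed logins and unrelated lines are skipped
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m["user"], m["ip"]))
    events.sort()
    return events


def detect_shared_accounts(events, window=timedelta(minutes=10), min_distinct_ips=3):
    """Sliding window per user: alert when the number of distinct source IPs seen
    within `window` reaches `min_distinct_ips`. One alert per user is emitted."""
    by_user = defaultdict(list)
    for ts, user, ip in events:
        by_user[user].append((ts, ip))

    alerts = []
    for user, logins in by_user.items():
        start = 0
        for end in range(len(logins)):
            # Advance the window start until all logins in [start, end] fit in `window`.
            while logins[end][0] - logins[start][0] > window:
                start += 1
            ips = {ip for _, ip in logins[start:end + 1]}
            if len(ips) >= min_distinct_ips:
                alerts.append({
                    "user": user,
                    "window_start": logins[start][0],
                    "window_end": logins[end][0],
                    "source_ips": sorted(ips),
                })
                break
    return alerts


if __name__ == "__main__":
    for alert in detect_shared_accounts(parse_successful_logins(SAMPLE_LOGS)):
        print(f"possible shared credential: {alert['user']} from "
              f"{', '.join(alert['source_ips'])} between "
              f"{alert['window_start']:%H:%M:%S} and {alert['window_end']:%H:%M:%S}")
```

In the sample, alice logs in from three different addresses within six minutes and is flagged; bob also uses three addresses, but hours apart, so the window never holds more than one and he is not. Tune the window and threshold to your environment (VPN pools and NAT can legitimately rotate a user's source address), and treat the alert as a lead for the incident responder rather than proof of sharing.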

Security Consultant at a tech services company with 11-50 employees
Some of the valuable features are vulnerability management, cognitive security, and risk management.
What is most valuable?
The SIEM features are what sell this product. Lately, it has been heavily expanded with others. For example vulnerability management, risk management, incident forensics, cognitive security, and user behavior analytics.
Basic SIEM features include log management, reporting, and correlations and alerting. All SIEM products started with those.
Modern SIEM solutions are expanded with the additional components that I mentioned.
So today, you will rarely see an RFP for only SIEM. It will usually include other requirements. To answer this, vendors started adding additional valuable features.
Lately, QRadar also opened its APIs to the development community, in order to confront Splunk, and that resulted in a large number of additional functionalities in the form of add-ons (QRadar apps).
How has it helped my organization?
We are an IBM business partner. In short, this tool helps our clients have visibility into the IT infrastructure, events, and network traffic.
What needs improvement?
Dashboards!!! Dashboards are one of the most frequent complaints I receive from customers. Customers are complaining about the limited set of graphs and the inability to change colors. Although this might seem trivial, a large number of the same complaints probably mean something.
A lot of bugs are reported for dashboard items. Also, I personally have found that it does not work as indicated by the documentation. The same methodology is used to produce different results for similar searches. Also, customers would like to see near real-time data on the dashboard, which is very hard to achieve according to the mentioned problems.
For how long have I used the solution?
I have been using this since 2011, even before the IBM acquisition.
What do I think about the stability of the solution?
We have not had stability issues.
What do I think about the scalability of the solution?
High availability deployments have serious upgrade issues.
How are customer service and technical support?
Support is great, but sometimes they are a little slow.
Which solution did I use previously and why did I switch?
We did not have any previous solution. We have used only QRadar for the last six years. Even at that time, it was a leader in Gartner's ranking and it has remained so. It is very user friendly.
How was the initial setup?
The initial setup was very easy. Integrating the infrastructure configuration is the biggest problem for any SIEM project.
What's my experience with pricing, setup cost, and licensing?
Licensing was simplified two months ago. I don’t have insight into pricing. But as with any software, the price can probably change depending on your negotiation skills :)
Which other solutions did I evaluate?
We didn’t evaluate other solutions. However, in my career, I saw Splunk, RSA, ArcSight, and AlienVault.
What other advice do I have?
If you are a security officer who wants to protect his job, go for Splunk :) If you are a customer who wants to have an easy tool and save time and resources, definitely go for QRadar.
Disclosure: My company has a business relationship with this vendor other than being a customer: My company is a business partner.
Security Operations Center Manager at a financial services firm with 1,001-5,000 employees
Search capabilities are sufficient for most tasks. We need to see improved rule based access controls and rule/event tuning.
Pros and Cons
- "Search capabilities are sufficient for most tasks."
- "Search capability and indexing still lag behind competitors. We also need to see improved rule based access controls and rule/event tuning."
How has it helped my organization?
Log aggregation and event correlation did not occur in an enterprise fashion before this product. Troubleshooting more complex issues became much simpler with the addition of this product.
What is most valuable?
Search capabilities are sufficient for most tasks, although not as easy to use as some other products.
What needs improvement?
Search capability and indexing still lag behind competitors. We also need to see improved rule based access controls and rule/event tuning.
The search capabilities in QRadar are decent in their ability to be granular, but the methodology of search prevents the rapid and easy modification of search parameters as an analyst works through the hunting process.
There are several examples of this. Let's say you add two or three parameters to your search using various filter methods.
You can quickly change items like the scope of time for your search or the presentation of data, but you cannot quickly change the other parameters, such as the IP address you are looking for. So you have a search for 10.0.1.1, the system processes that search, but then you realize you need to search for 10.1.1.2 instead.
You have to delete the old IP and recreate the search. At that point the search starts over from the beginning. In a system like Splunk, when using the filters, the query string is written for you and can be easily modified/edited on the fly. While that may still result in a search restarting, the manipulation of that search is faster and more efficient. This is just a single example.
What do I think about the stability of the solution?
I feel that some of the stability issues are attributed to our network. However, too many issues existed with the product and too many more appeared as they tried to fix different issues.
What do I think about the scalability of the solution?
We never scaled the product before we decided to remove it from our network. From all appearances, scalability was not going to be an issue.
How are customer service and technical support?
Technical support was OK at best due to the length of time before resolution.
Which solution did I use previously and why did I switch?
I used ArcSight at a previous company. I would much rather have a correctly scoped and built QRadar to manage. However, as a consumer of ArcSight, it was a very good product.
How was the initial setup?
I was not involved in the initial setup.
What's my experience with pricing, setup cost, and licensing?
Do your due diligence. I found other solutions, with more features at the same cost or less. You don’t have to leave the Gartner Magic Quadrant to beat their price.
Which other solutions did I evaluate?
I did not choose this product.
What other advice do I have?
Evaluate the product based on a full set of requirements and your security analyst workflow. Do not base your decision on the company name or promises of new abilities years down the line.
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
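The pivot this reviewer describes (re-running the same search with one IP swapped) is easy to script against QRadar's Ariel Query Language, and doing it in code raises a security point the GUI hides: once analysts or apps build AQL strings by hand, every filter value becomes an injection vector. The block below is an added example, not the reviewer's workflow and not IBM code. It assumes standard AQL syntax (`SELECT ... FROM events WHERE ... LAST n HOURS`) and the Ariel REST endpoint `POST /api/ariel/searches` with a `query_expression` parameter; every filter value is validated by type before it is placed in the statement, and `pivot()` returns a new filter set with one parameter changed instead of rebuilding the whole search.

```python
"""Build, validate and pivot AQL searches without string injection.

Added example. Assumes AQL syntax and the Ariel REST API
(POST /api/ariel/searches?query_expression=...); nothing here contacts a server.
"""
import ipaddress
import re
from urllib.parse import urlencode

# Columns selected by default; all are standard event fields in AQL.
DEFAULT_COLUMNS = ("starttime", "sourceip", "destinationip",
                   "destinationport", "username", "eventname")

# Conservative allow-list for user names: letters, digits, and . _ @ - only.
_USERNAME_RE = re.compile(r"^[A-Za-z0-9._@-]{1,128}$")


def _literal(field, value):
    """Validate `value` for `field` and return a safe AQL literal; reject anything else."""
    if field in ("sourceip", "destinationip"):
        # ip_address() raises ValueError on anything that is not a bare IP,
        # so "10.0.1.1' OR 1=1 --" never reaches the query.
        return f"'{ipaddress.ip_address(value)}'"
    if field == "destinationport":
        port = int(value)  # ValueError on non-numeric input
        if not 0 <= port <= 65535:
            raise ValueError(f"port out of range: {value!r}")
        return str(port)
    if field == "username":
        if not isinstance(value, str) or not _USERNAME_RE.match(value):
            raise ValueError(f"unsafe username literal: {value!r}")
        return f"'{value}'"
    raise ValueError(f"unsupported filter field: {field!r}")


def build_aql(filters, hours=24, columns=DEFAULT_COLUMNS):
    """Return an AQL statement for events matching every (field, value) in `filters`."""
    if not filters:
        raise ValueError("at least one filter is required")
    hours = int(hours)
    if not 1 <= hours <= 24 * 90:
        raise ValueError(f"hours out of range: {hours}")
    where = " AND ".join(f"{field} = {_literal(field, value)}"
                         for field, value in filters.items())
    return f"SELECT {', '.join(columns)} FROM events WHERE {where} LAST {hours} HOURS"


def pivot(filters, **changes):
    """Return a copy of `filters` with the given fields replaced, validated up front,
    so an analyst can swap one IP and re-run without rebuilding the search."""
    updated = dict(filters)
    updated.update(changes)
    build_aql(updated)  # raise now rather than at submission time
    return updated


def rejects(filters):
    """True if `filters` would be refused by the validator (used for negative checks)."""
    try:
        build_aql(filters)
    except ValueError:
        return True
    return False


def ariel_search_request(base_url, aql):
    """Return (method, url) for submitting `aql` to the Ariel REST API."""
    query = urlencode({"query_expression": aql})
    return "POST", f"{base_url.rstrip('/')}/api/ariel/searches?{query}"


if __name__ == "__main__":
    search = {"sourceip": "10.0.1.1", "destinationport": 443}
    print(build_aql(search))
    # The pivot the reviewer wanted: same search, different IP, nothing retyped.
    print(build_aql(pivot(search, sourceip="10.1.1.2")))
    print(ariel_search_request("https://qradar.example", build_aql(search))[1])
```

The hard-coded field allow-list is the important design choice: a generic "any field, any value" builder would be convenient, but it would also let a custom app turn an untrusted dashboard input into an arbitrary `WHERE` clause. Submitting the returned URL still requires the usual `SEC` token header and a poll of `/api/ariel/searches/{id}/results`, which the example leaves out so it runs offline.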
Technical Security Specialist at a tech services company with 51-200 employees
Provides log management, application monitoring, vulnerability scanning, full packet capture and risk analysis.
What is most valuable?
IBM Security's QRadar Security Intelligence is a multi-feature security monitoring platform that provides log management, SIEM, NetFlow, application monitoring, vulnerability scanning, full packet capture and risk analysis.
The platform is designed to be deployed either as an all-in-one appliance or as discrete components that can be scaled horizontally for distributed and larger environments.
How has it helped my organization?
The SIEM solution is considered a monitoring tool for the network, but you can set routing rules and special actions for certain events.
What needs improvement?
- The vulnerability scanner is not accurate. It needs more vulnerability signature updates or more regulation templates to be added on.
- We urgently need to add more report templates.
Maybe the improvements could be achieved by adding some modules like IPS, IDS and a next generation firewall that is able to start from monitoring the events and processing, then takes actions not only based on signatures but smart intelligent monitoring which would make QRadar into a full SIEM security solution.
For how long have I used the solution?
I have been using the solution for three years.
What do I think about the stability of the solution?
I didn't find any issues with stability of the product.
What do I think about the scalability of the solution?
The scalability of this product is very flexible because of the way it handles events that exceed the licensed threshold: they are held in a queue that stores up to 5 GB of data and are then dealt with on a first-in, first-out (FIFO) basis.
How are customer service and technical support?
I would rate the technical support as 9/10 for solving issues and 5/10 for responses.
Which solution did I use previously and why did I switch?
I didn't previously use another product but I deal with some accounts that used to use other vendors, and they were facing many issues in performance and slowness in processing events.
How was the initial setup?
The initial setup is very easy, just like when you install an operating system, and then you do the configuration needed for your environment.
Disclosure: My company has a business relationship with this vendor other than being a customer: Prosoft is an IBM VAD (value added distributor) in Egypt.
Information Security Analyst at a media company with 1,001-5,000 employees
It takes log files from different viewpoints and puts them together in one place. I would like to see better support.
What is most valuable?
The most valuable feature is the co-ordination of the data it has, such as getting all sorts of log files from different viewpoints and putting it together in one place, so that the incident responders can get all the data they need to see the bigger picture.
How has it helped my organization?
We get more insights into the company's assets and vulnerabilities.
What needs improvement?
It is hard to tell which areas have room for improvement because we always think of new features and report them to IBM, which includes them in the next patch.
We recently went to an IBM conference to look into the Watson feature and see what they could do for us.
I would like to see better support. Their support is good, but I would say, they could do better.
What do I think about the stability of the solution?
For us, it's kind of wonky because we always try to be bleeding edge and always try to do updates. So, we're always pushing the system to its limit. It's pretty stable, but we always have open issues with it, with IBM.
What do I think about the scalability of the solution?
The scaling was done pretty well with IBM and the architecture teams. I think our system has scaled appropriately.
How are customer service and technical support?
The technical support really depends on who you get, at the time you call. There are good guys and bad guys. I can't really say. On a scale of 1 to 5, I would give them a 4/5 rating from our experience. We have a pretty good relationship with them.
Which solution did I use previously and why did I switch?
When I started out, this product was already bought and implemented by my company.
How was the initial setup?
The setup was a mixture of both, i.e., simple and complex.
It was complex because I had never dealt with it before. I had never set up a system like that. At the end, it got better.
What other advice do I have?
You should totally go for it. I've seen a couple systems out there, but I think IBM QRadar is one of the better solutions available.
Professionalism and to always be there when I call are the most important criteria when selecting a vendor. With IBM it's pretty good. We have our sales guy, who is always on top of everything.
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
Security Manager at a pharma/biotech company with 1,001-5,000 employees
The search capability and data consolidation are some of the key features. I want to see a three-dimensional perspective of the data.
What is most valuable?
The search capability (I've used other solutions) and data consolidation are some of the key features.
How has it helped my organization?
For this organization, it was the first log management solution. So, it definitely gave us the ability to search through the data when we had events. We could search based on the identity of the person, or the machine, or the IP address. We could do a lot of different searches. We could also do payload searches, and depending on how much capacity you have, you can do quite a lot with it.
What needs improvement?
I want to see a three-dimensional perspective of the data. I don't want to see just an event perspective of the data. I want to be able to identify a user, and within clicks, know all the activity of that user. I don't want to see it in events. I want to see it in relevant information.
There needs to be a little more investment in enhancing the user interface. That is the main thing: making it represent an actual incident response state of mind, similar to how you would troubleshoot an incident. That is the main issue. It was a major position by IBM when they bought it. But we see a lot of things being done around the Cognitive side, around the Watson side. What we're not seeing growth in is the actual tool's interface and usability, and that's what we wanted to see. We wanted to be able to see seamless identification of log sources, seamless categorization and normalizing of log sources, seamless alerts. In all those things, for the solution to mature, it has to be able to take data and make sense of it by itself, without a lot of input. Those are the areas where they can really improve it.
What do I think about the stability of the solution?
It's been stable. Stability hasn't been a problem, as long as you have enough capacity. It's all about sizing it right for the size of your environment. We do drop packets every day. So depending on how our log volume increases or reduces, you see the impact on the packets being dropped.
How are customer service and technical support?
We've used technical support and it hasn't been great. It didn't seem like we could get the answers we needed without having to use professional services. For a solution like this, little things like how to tune it, how to upgrade it; there are things that as a customer we don't feel the need to use professional services for. We want to be able to just find a document on how to upgrade, and that has been difficult to find.
Which solution did I use previously and why did I switch?
We didn't have a previous solution. We kind of inherited it as part of another acquisition from IBM, and then we scaled it up to meet our capacity.
How was the initial setup?
We got the basic functionality working, which is not difficult. It's getting the full value out of the solution, which is harder.
What other advice do I have?
From an analytics perspective, it's a good tool. But you have to have the resources to own it. It's not only about buying it. It's not only about capacity, but somebody has to care and feed it. It's not one of those things that you can put it in, walk away and just consume the data. If you don't take care of it and feed it, you won't get what you need out of it.
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
IT Security Consultant at a tech vendor with 201-500 employees
It captures and processes large volumes of event data, and scales to support them in a unified database. But, it'd be good to have a default configuration to meet PCI requirements.
Valuable Features:
It's very helpful in meeting compliance monitoring and reporting (PCI DSS, PA DSS, ISO, SOX) requirements.
Improvements to My Organization:
It captures and processes large volumes of event data, and scales to support hundreds of thousands of events in one unified database.
It also offers high-availability and disaster-recovery options.
There's very high quality in reporting, suitable for almost all compliance requirements.
Room for Improvement:
We use it mostly for purchases and regulatory requirements of that process. It would be good, therefore, if there was a standard configuration by default that was offered or proposed during install or configuration to meet PCI requirements, e.g. log archive duration set by default to one year for each device added.
The event Information display might prioritize event ID, user, destination, source, and date/time as the first info gathered in the report.
Use of Solution:
We're only using the Log Manager.
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
Cyber Security Advisor / CISO / Healthcare Security Pro at OMC SYSTEMS LLC
The dashboards give us an overview of traffic flow and pinpoint configuration issues.
Valuable Features
I find that the dashboards are the most helpful to get an overview of traffic flow and issues.
Improvements to My Organization
We find that reviewing QRadar is very helpful to pinpoint configuration issues, as well as to go back and find traffic flows from compromised hosts.
Deployment Issues
No.
Stability Issues
None.
Scalability Issues
N/A
Customer Service and Technical Support
Customer Service: N/A
Technical Support: N/A
Disclosure: My company does not have a business relationship with this vendor other than being a customer.