IBM Security QRadar Reviews

I use IBM Security QRadar in my company for authentication of users and to block the access of a user to the internet. In my company, we have only used the basic version of the solution, and currently, we don't have a license for the product since we didn't renew it. The basic version of the solution fits my company's basic requirements.

IBM Security QRadar is not hard to implement and administrate. To serve new use cases or do the tuning and allow correlation rules, you may need training since it is necessary to know the solution. With IBM solutions, you need training to know how to use the different features of the solution. IBM needs to provide training to its users to teach them how to use the case manager and how to tune rules.

I have been using IBM Security QRadar since 2020, so I have experience with it for three years. I am a customer of IBM.

It is a scalable solution.

With IBM Security QRadar, my company faced issues with the support we received for the product. Basically, my company faced problems due to the delays or mistakes made by IBM's support team.

I rate the technical support a six out of ten.

Neutral

The solution is deployed on an on-premises model.

For the product's implementation, my company took two months. To implement all log sources, my company took somewhere between three to five months.

IBM Security QRadar is a very expensive tool.

In the future, my company would want the cloud version of the solution and not its on-prem version.

I rate the overall tool a seven out of ten.

The primary use case of this solution is to help customize the workflows and dashboards for our clients in a secure manner.

The solution has helped improve our organization by providing the comfort and visibility that we are, meeting compliance, and doing our due diligence in analyzing events from multiple sources and correlating threat activity. 

The most valuable features are the AI assistant, which is good at detecting known types of behavior. The solution can analyze different logged events, and network activity and create a correlation. The solution is easy to customize and tune compared to other products.

The solution can be improved by lowering the cost and bettering their technical support.

I have been using the solution for three and a half years.

The stability of this solution is rock solid, a ten out of ten.

The solution appears to be scalable. I have used the solution in organizations with users ranging from 2000 to 10,000.

The technical support eventually gets the job done.

Positive

Depending on what the client is looking for I have used and recommended ArcSight, Splunk, and Cisco.

The initial setup is in-between straightforward and complex. Any SIEM solution is complex, but compared to other products, it is the middle of the road. It's not as difficult or cumbersome, especially when you compare it to ArcSight being the most difficult where you require a whole team of people to really derive any value.

Most of our clients have seen a return on investment because compared to other solutions it does not require a busload of people to operate it and it is reasonably priced.

The solution is costly and the price differs depending on the vendor you use.

I give the solution an eight out of ten.

The solution is fairly easy to maintain and the learning curve is reasonable compared to other products to customize the workflow dashboards and get meaningful insight as far as what is happening within our organization. The solution is also fairly straightforward to integrate with different data log sources.

The solution requires three to five people to maintain including one analyst, an engineer, and an architect.

I suggest before using the solution you know what your process is, know what your logging sources are, and plan well because It's really a leadership challenge. The solution is better deployed than other models.

Our company includes 20 senior engineers and analysts who use the solution to detect viruses on Windows servers and critical assets.

We also track user activity such as connections during travel. 

We have many use cases and playbooks in our portfolio. 

Our company uses the solution as our main CM to detect malicious activity. There are many campaigns targeting Europe and other countries so it is important that we remain vigilant about suspicious activity inside our organization. 

The solution uses rules to identify suspicious activity that needs to be investigated. We conduct advanced forensic investigations based on the solution's output, including collecting logs from devices and correlating them for processing by a security analyst. 

Blocks of predefined conditions can be used to configure detection rules without having to write complicated script. 

Real-time detection is quite efficient and valuable. Other products such as Splunk focus only on running searches to detect a particular behavior.

The Vulnerability Manager module is useful and quite efficient. 

The dashboard and reports are not user-friendly or efficient so are of little help with threat hunting activity. We deal with large data sets so need to have great visibility for detection of malicious activity and indicators for cybersecurity. 

For example, the dashboards for Power BI and Splunk are very efficient and it is easy to observe suspicious activity. 

I have been using the solution for five years.

The solution is stable and easy to use if deployed well.

On occasion, you might get an error when running advanced analytics but reboots are not needed. 

The solution is scalable and it is easy to add appliances or expand your license. 

Engineers used technical support regularly between 2016 and 2019 and found them to be very helpful and responsive. If a situation was urgent, technical support intervened immediately. 

I rate technical support an eight out of ten. 

Positive

I used the solution, switched to Splunk, then switched back to the solution. 

The ease of setup is based on the complexity of your environment and network architecture.

The initial setup is not complicated and should go smoothly if you set all predefined requirements prior to installing the solution.  

It took us two weeks to prepare all requirements and a few hours to deploy which included installing all resources. 

Documentation for the installation process is pretty straightforward. 

An in-house team that handles integrations was responsible for implementing the solution. Myself and other cybersecurity analysts participated with the team.

A team of three engineers handle ongoing maintenance for our large environment. 

The solution has a licensing model that is based on events per second so it scales to need and budget. 

At the time of deployment, we were premium partners with IBM so received advantageous pricing. 

The on-premises solution and its license are not impacted by the number of users so it is easy to add staff. 

In my experience, Splunk is efficient because it is customizable. You can create scripts to detect multiple behaviors based on scheduled jobs. 

I rate the solution a seven out of ten because it is difficult to write script for advanced detection cases and the dashboard is insufficient. 

The UBA component is something that is there. However, it's something that honestly hasn't been leveraged as much. It's probably not a UBA feature like the ones we’ve used in the past. In any case, the UBA feature is there. You can look at the users and look at any risky activity or use cases. I tend to look at it. However, it's not my main source in terms of leveraging it as a UBA.

I equate QRadar to a robust solution. You get all the live sources. If you have someone there fine-tuning the solution and creating rules for the team to ensure the fence is alert. It's a robust solution.

In the past, I've heard the term that it's like a Cadillac, a trusted Cadillac. It'll get you from point A to B. It does what integration is supposed to do.

It needs a little bit perhaps more fine-tuning on the SIM aspect of it. Out of the box, it's just not one of those things that I leverage as a single source of truth regarding the user behavior analytics aspect of it.

With QRadar, IBM has had ample time to innovate, make changes to the interface, and keep up with some of the competitors. Yet, IBM delays innovating QRadar, since, once people are tied into it, they stick to the SIM as that's what they're used to. Right now, you have many other players in the market, like Datadog, Sumo Logic, and Splunk. Splunk has a ton of connectors as well, which is making it more appealing for other people to look at other solutions, especially when they're trying to look at a cloud-native solution.

There should be more opportunity for community kind of distribution where, for example, if there was a zero-day threat targeting companies. I know that many other solutions now provide ease of use in terms of sharing rules and for identifying and tracking some of these zero-day vulnerabilities out there. Radar needs to do the same.

I’ve been using the solution for about four years or so.

The stability's great. The solution is robust. It's trusted. Depending on how you have it deployed if it's a standalone appliance or it's high availability paired so that you have redundancy, the solution is reliable.

Anywhere from 25 to 50 users are using it. The primary users are security operations. However, then you do have some folks on the infrastructure side that also leverage QRadar. It wasn't always the case. That said, once we provided access to the infrastructure team, they enjoy using QRadar for looking at logs, and troubleshooting. That would involve the networking team and the server team. They also leverage it as well.

Overall, the IBM team is responsive in regards to ticketing. Obviously, you have to create a ticket with IBM and they will get someone to get on a WebEx with you within a reasonable amount of time depending on the urgency.

They will help resolve issues and create cases. The support is there in terms of having any issues or QRadar is generating errors. Support will guide you and record the session and help remove any issues or obstacles that you have, so I definitely would rate them high on the support aspect of it.

I didn't set it up. Probably part of the engineering team set it up.

I do not know the exact cost. It's a bit tricky as some of it is tied into pre-contracts that we have. Some parts of the company do prepaid funds for certain solutions. It's different. It varies.

While I use QRadar, I'm in a managerial role, so I'm not living in it every single day as my team members are.

Every situation is different. I know a lot of organizations or a lot of C-suite executives all go to the same kind of conferences each year. Then they all come back singing the same song: "We all have to go to the Cloud."

I’d rate the solution six out of ten.

We analyze all our authentication traffic in QRadar UBA using the solution's AI module to detect and understand uncommon authentication patterns. There is also the rule logic, but we don't use that much. Instead, we mostly rely on AI to do that. In that respect, I wouldn't say we are using the product to the fullest extent because we only have the AI and what the CM is providing. We have a suite of security products, and QRadar UBA is only one source of information that we rely on.

QRadar UBA collects information on 16,000 employees in the company, including when they log in and out or when they launch applications. We have a team of 10 security analysts who go into the solution to check the alarms. IBM has set the solution up so that we only need to react to the alarms. The UBA will flag it if someone does something weird, and our security team will investigate the anomaly to see if that was valid or malicious. 

We are currently on QRoC — short for QRadar for Cloud — so it's the latest and greatest solution. It was originally on a private cloud, but we moved to the public cloud three years ago.

It's hard for me to pinpoint any one feature that's most valuable because it is all about consuming logs and analyzing them. We started using QRadar UBA because we needed something that could analyze Linux authentication information. Other products take care of the Windows platform.

Better algorithms or AI would always be appreciated, but this product does what it's supposed to do. And maybe there is something behind the scenes that could be improved, but I don't know. 

UBA is a plugin for QRadar SIEM. If we're talking about the SIEM solution as a whole, there is a lot I can talk about, but there isn't much to say about UBA as a standalone. I'm not in a position to criticize or comment on the underlying code.

I have been using QRadar UBA for six years.

I haven't had any problems. We have never needed to add more memory or CPU. 

IBM technical support is excellent. 10 out of 10. IBM is highly professional when it comes to security support. IBM's support for other types of solutions isn't quite as good, but the security domain is a different world. I've worked with IBM in other areas, and it's different. Security support is on a tier by itself inside IBM. 

Positive

We are also using a Microsoft solution called Azure Advanced Threat Protection. It provides similar UBA features but only for a Microsoft environment.  Most UBA products do exactly the same thing. I haven't tried many other solutions besides QRadar, Microsoft, and Splunk.

Splunk is brilliant. It does the same thing, but it's slightly more expensive, so we selected IBM. Microsoft's solution is a little cheaper, but it lacks Linux support currently. There are minor differences, but we went with IBM in this case because it has the best support.

IBM did the setup. I called them to ask for UBA, and it was available the next day. They handled all the deployment and maintenance. 

I have not calculated ROI for this product. QRadar UBA is a tiny part of the entire security portfolio. In the context of the SIEM as a whole, the cost is so low that it's hard to defend not doing it.

I have no idea what QRadar UBA costs as a standalone solution because it is bundled with the QRoC security operation center and several other modules that we pay for in a big lump sum. However, I don't think that part is too expensive. It's a plugin to the QRadar SIEM that feeds off the same data. We have X-Force Threat Exchange, so IBM is operating the SIEM for us. I say to them, "I want UBA," and there it is.

I rate QRadar UBA eight out of 10. It's a small product doing exactly what it's supposed to do as an integrated part of our SIEM. It looks good and works well. I don't give it a 10 because it is something we have to request. I would love it if UBA was included out of the box like Microsoft.

Regardless of which solution you use, I recommend user behavior analytics. It provides valuable information to the security team. It doesn't matter whether you use Splunk or Microsoft— you should use a UBA solution. 

We will probably stick with QRadar for the foreseeable future. It depends on the developments in the SIEM market. We will probably continue with IBM because changing SIEM is not something you do lightly. As long as we keep the IBM SIEM, we will continue to use QRadar UBA.

I use IBM Security QRadar in my company as it provides features like SIEM, SOAR, and QNI.

The most valuable feature of IBM Security QRadar stems from the fact that it is a product that is like a complete suite.

The price of IBM Security QRadar is an area of concern where improvements are required. IBM is never known to provide products at a cheap price.

IBM Security QRadar's UI is an area with certain shortcomings where improvements are needed.

In the future, I would like IBM Security QRadar to have a library of adapters or APIs.

The area around recovery time is an aspect of IBM's technical support where improvements are required.

I have been using IBM Security QRadar for more than a year. I use the solution's latest version. My company is in the process of being declared as a golden partner of IBM.

It is a stable solution. Stability-wise, I rate the solution a ten out of ten.

It is a scalable solution. Scalability-wise, I rate the solution a ten out of ten.

My company currently deals with around four to five organizations comprising medium to large companies where IBM Security QRadar is used.

The solution's technical support is responsive. The only area where I don't agree with IBM Security QRadar's technical support stems from the lack of proper or defined recovery time, even though their response time is good.

I rate the technical support a seven out of ten.

Neutral

I have experience with Splunk. My company deals with Splunk since we had no choice owing to the fact that one or two customers wanted it.

In the past, I was using open-source products, including solutions like Elastic Security and Wazuh.

My company decided to switch from Wazuh to IBM Security QRadar.

The product's deployment phase can be described as an average one.

I rate the deployment process of IBM Security QRadar a seven on a scale of one to ten, where one is difficult, and ten is easy.

The solution is deployed on an on-premises model.

On a scale of one to ten, I rate the price a one, where one is an extremely expensive product, and ten is a cheap product. IBM Security QRadar is an expensive product. A customer gets discounts only when they ask for them from IBM.

The challenge is that if someone submits a request or proposal and finds that the prices of the products our company deals with are too high, we may not even be shortlisted for negotiations. If my company gets shortlisted for the next round, then we get questioned over the high prices.

My company takes care of the maintenance part of the solution for our clients who use IBM Security QRadar in their environments. Nine engineers and one manager take care of the maintenance process of IBM Security QRadar. My company has a lot of certified employees to take care of IBM Security QRadar's maintenance. My company can be considered a powerhouse when it comes to products from IBM.

I recommend the solution to those who plan to use it.

Splunk and IBM are leaders as per Gartner Magic Quadrant. I believe that IBM Security QRadar should be fairly priced for SMEs.

I rate the overall tool an eight out of ten.

Our primary use case is in the banking industry in two banks here in Egypt. We generally are monitoring the user behavior of the employees, For example, working after working hours, and signing into the machines after working hours.

The most valuable feature is the machine learning module.

I would like to see the interface improved along with the tuning and any adjustments when it comes to maintenance. It is not straightforward. I would also like to see some artificial intelligence and alternative solutions.

I have been using IBM QRadar User Behavior Analytics for almost five years now.

I would give stability an eight on a scale of one to ten.

The scalability is not a problem and we have above three thousand in our organization.

The initial setup is extremely easy and straightforward.

The deployment took around two to three days and we did it ourselves in-house. We simply downloaded the application and went from there following the deployment process.

We are seeing a return on investment when it comes to profiling the employees.

The pricing is higher but cheaper than others and there are no additional costs.

We looked at ArcSight but the cost is more expensive than IBM. ArcSight did have the artificial intelligence model.

I would recommend tuning it to the maximum before going live. I would rate IBM QRadar User Behavior Analytics a seven on a scale of one to ten.

We use the blocking mode and spam mode for the IPS - XGS 5000 series and use of QRadar as a SIEM Solution for logging and monitoring network security, security analysis, and monitoring for network-related attacks. 

The playbook is defined with identified use cases. IPS acted as an inline to the firewall. It helped to track and sniff the packet and match the details. It helped to reduce the insider and outsider attacks. The traffic is analyzed and helped users to know the patters and access level in the network and resource being used.

It helped our organization to identify and prevent security attacks.

We need to come with new releases and understand what will happen and how the customer will be able to manage and update the system what are ways in which user behavior and access to various resources in the network could be tracked and alerted in more robust manner. 

There needs to be proper patch management which is done in a controlled environment with a proper newsletter update. The new releases from the company in terms of product and services needs to be updated to product managers in organization.

The monitoring and dashboards are great. 

The user behavior analysis could be better. The playbook guide which specifies the rules for security use cases needs to be provided to support in case the organization needs help. The security playbook needs more help when it comes to QRadar. The QRadar implementation guide, especially in cluster environment, is complicated to deploy in an enterprise level. The support of SIEM of QRadar is complicated and when we encounter implementation issues it needs quick response. The skilled resources are really important for support.

I have deployed the solution for 230 sites across globe using for past seven years.