IBM Security QRadar Reviews

I am a Product Manager. I am managing the inventory and the logs. For R&D purposes, we downloaded various SIEM solutions from the internet to analyze their performance, and QRadar was one of them. I downloaded the Community Edition of QRadar to check its capabilities and see how to integrate various log sources in our network. It is in my lab, and I have tested it with a few hardware devices and a few computers and servers.

What I like the most about it is that you can very easily install and configure it. As compared to other SIEM solutions, for which you need to know and do a lot more to prepare your SIEM environment, QRadar is much simpler to install and configure. There are various options in the Admin console. In the Admin tab, you can design dashboards and view various graphs. It has a lot of attractive features, and you don't need to configure everything on your own.

I have noticed a few things while working on this. After the restart of the server, sometimes, the services misbehave, and you need to manually start or restart the service. I have seen that specifically with the Tomcat service. 

Sometimes, when you click on log sources, instead of opening the log source extension, it redirects you over the internet. 

There are two types of dashboards in QRadar. One is the conventional or old one, and the other one is Pulse. The Pulse dashboard is better, but we would like to have more options in the dashboard.

Additionally, if possible, there should be a single product for SIEM and SOAR. Instead of having QRadar and Resilient separately, there should be a combined solution to benefit from both. Furthermore, there should be a built-in mechanism to configure it in the cluster mode and high availability mode.

I tested this product in the last two, three months. It is not implemented in our company.

Its installation is very simple. You can install it and configure it very easily.

We are looking at implementing a SIEM solution, and currently, we're comparing various commercial and open-source SIEM solutions. We have tested Wazuh, which is an open-source SIEM solution, but we have not finalized anything.

I would rate it a seven out of 10. It is good, but when a product doesn't behave in a good manner, it creates confusion. Its behavior isn't consistent.

QRadar is our SIEM solution. Our use cases include authentication between logins, database security, monitoring, and user behavior analytics.

QRadar is helping us to identify ongoing, day-to-day threats. We use it to analyze the risk in our environment, including user behaviors. We can easily monitor many things using this tool.

All of the features offered by this product are useful for analysis. Essentially, everything that it offers is critical and we use it.

Several things need to be improved.

We have been struggling with the QRadar support team for quite a long time. There are things that they can reproduce in their lab environment and can fix, yet we struggled with them trying to get this done. These issues included things like custom logs. There are many things that they need to improve upon.

This product should support multiple log sources.

They need to improve their threat intelligence feed and they need to improve their user behavior analytics modules.

The risk manager module needs to be improved.

It's not a very user-friendly interface.

I have been working with IBM QRadar for seven years.

IBM QRadar is quite stable.

We have approximately 50 users and we keep expanding its usage. It is growing on the infrastructure level, as well as the EPS level.

Three or four administrators are all that is required for the maintenance.

I recommend this product for large enterprises.

We have had a lot of trouble with technical support. As of late, they take too long to respond to our issues. For 99% of our issues, they take too long to respond. It's not instant.

I do not have any experience with other SIEM solutions. QRadar is the first one for me.

The initial setup is complex because it is not managed properly.

Our implementation strategy is based on it being a distributed environment.

We completed the implementation and deployment ourselves.

We did not evaluate other options prior to selecting QRadar.

This is a good product for large enterprises. Smaller companies should implement an open-source solution but for a large enterprise, QRadar is a good product.

I would rate this solution a seven out of ten.

IBM QRadar is used to help our customers collect information. It collects the information from other tools on the firewall, network devices, cyber tools with both Carbon Black, Cortex, Cynet, and Darktrace.

It's a complete platform.

The interface is good.

They have more than 100 features.

It is not easy to use.

The updates are not very easy. It is very complex. I would like to see the update process simplified.

When I said "it is not easy to use", I mean that QRadar is not for beginners.
Needs high competence and skyll to use it in a satisfactory way to really help customers.
The complexity is not a flaw, but it si a necessary quality for QRadar to be a truly effective tool in a Cyber environement.

We have used IBM QRadar within the last twelve months.

IBM QRadar is a stable solution.

It's a scalable platform.

Technical support is good.

Positive

Pricing is good.

I would rate IBM QRadar an eight out of ten.

From a sales perspective, IBM QRadar is very competitive when it comes to prices. It's a flexible and valuable product. It has a good edge in the region and good references as well. You can easily capitalize and upsell on whatever you sold previously.  It's a modular product, so you can set up a roadmap and plan for your customers. This is one of the main advantages of QRadar.

Right now, there are a lot of solutions in the market that consider themselves next-gen SIEM solutions, like AzureVM. IBM QRadar can be revised considering the competition, market segment, references, and the maintenance of the landscape.

Some modules can be shared as embedded within the same solution because this would be a compelling edge versus others. When it comes to other products, like LogRhythm for example, they can consider the SOAR and the threat Intel embedded with the SIEM Solution licenses. However, when it comes to IBM, they consider each module as a separate license with a separate cost. So it doesn't make sense to compete if the customer isn't convinced with IBM, because you'd have tough competition when it comes to financials.

I have been using QRadar for more than five to six years.

IBM QRadar is a stable product.

I would rate it an eight out of ten. 

We are users and implementers of this solution. 

I like the new dashboard which enables us to understand how many real threat attempts are made in a day. I also like the QRadar incident response, we installed the QIF last week. The solution has improved visibility so that we've been able to discover that some of our customers have not had any protection and were very vulnerable. It's an important area. I also find that the user behavior analysis is relatively simple. We are customers of QRadar. 

I think the user management model is very detailed but you really have to know what you're doing just to be able to manage things. I think the solution lacks some maturity. When you put it in a large organization as a security system or a cybersecurity system and you want to enable automation, it's difficult to get that level of maturity. 

We've been using this solution for about 18 months.

The solution is stable. 

The solution is scalable. We have a total of 19 users in the company. The solution is used extensively and we plan to increase the number of users. 

The technical support could be better. I'd rather work with my implementing expert and not the OEM. Although they have the expertise, the development guys are very slow.

We tested a few other solutions including AlienVault, Splunk, Micro Focus, and Outside. QRadar was the best of the breed for our needs and for a big system like ours, it's less complex than Splunk or Outside. 

The initial setup is complex. Theory is one thing and practice is another. We had to go back and forth with IBM just to find the relevant versions with the relevant operating system to sit on the relevant virtual environment. Then we found a few bugs. We are in a production system in a very big organization so deployment was carried out in stages. It took about a month in total to get things working and to start collecting logs. We had help from IBM Azure.
Maintenance is required, you have to watch it, and work on it on a daily basis. 

We pay an annual license fee. On top of that, every model adds to the cost. It's not just the license; the sales people want you to think you're only paying for certain things but we know how it works. 

The pre-design and the low-level design should be very, very, specific. It's important to check that the compatibility is there. If not, neither IBM nor OEM will support you.

I would rate the solution more highly but it's very expensive and given the high cost, I would expect quicker and better service from the OEM so I rate the solution seven out of 10. 

I was initially a reseller before selling the solution from within IBM. I'm currently a freelance security sales consultant. 

A valuable feature is the detection capability. I like that the solution can use data other than log data which means that things like vulnerability data, network data and the like, are part of the correlation and detection.

I think they could change their pricing model to be more cost effective. It currently relies on data ingestion. I'd like to see IBM extend their capability with the solution to include more than just fault finding, features such as predictive identification of threads. Having better support for things like MITRE and the ATT&CK chain, and using all of the known attacks that are out there when they're actually spotting events and correlations. 

I've used this solution for 10 years. 

The solution is very scalable. 

Technical support is pretty good, but sometimes when the problems are complex they can be slow to respond. 

The initial setup is very easy. I think it's one of the easiest SIMs to use. 

IBM has recently come out with a new version called Cloud Pak for Security but I haven't used it yet. It contains not just QRadar, but also IBM's resilience incident response products. 

I recommend the solution but because of the issues with pricing and technical support, I rate the solution seven out of 10. 

We're a customer, partner, or reseller. We use QRadar on our own internal SOC. We are also a reseller of QRadar for some of the projects. So, we sell QRadar to customers, and we're also a partner because we have different models. We roll the product out to a customer as part of our service where we own it, but the customer is paying. We also do a full deployment that a customer owns. So, we are actually fulfilling all three roles.

The most valuable thing about QRadar is that you have a single window into your network, SIEM, network flows, and risk management of your assets. If you use Splunk, for instance, then you still need a full packet capture solution, whereas the full packet capture solution is integrated within QRadar. Its application ecosystem makes it very powerful in terms of doing analysis.

In terms of the GUI, they need to improve the consistency. It has been written by different teams at different times. So, when you go around the interface, you'll find a lot of inconsistencies in terms of the way it works.

I'd like them to improve the offense. When QRadar detects something, it creates what it calls offenses. So, it has a rudimentary ticketing system inside of it. This is the same interface that was there when I started using it 12 years ago. It just has not been improved. They do allow integration with IBM Resilient, but IBM Resilient is grotesquely expensive. The most effective integration that IBM offers today is with IBM Resilient, which is an instant response platform. It is a very good platform, but it is very expensive. They really should do something with the offense handling because it is very difficult to scale, and it has limitations. The maximum number of offenses that it can carry is 16K. After 16K, you have to flush your offenses out. So, it is all or nothing. You lose all your offenses up until that point in time, and you don't have any history within the offense list of older events. If you're dealing with multiple customers, this becomes problematic. That's why you need to use another product to do the actual ticketing. If you wanted the ticket existence, you would normally interface with ServiceNow, SolarWinds, or some other product like that. 

Their support should also be improved. Their support is very slow, and it is very difficult to find knowledgeable people within IBM.

Its price and licensing should be improved. It is overly expensive and overly complex in terms of licensing. 

I have been using this solution for 12 years.

Their support is very slow. it is very difficult to find knowledgeable people within IBM. I'm an expert in the use of QRadar, and I know the technical insights of QRadar very well, but it is sometimes very painful to deal with IBM's support and actually get them to do something. Their support is very difficult to work with for some customers.

I work with Prelude, which is by a French company. It is a basic beginner's SIEM. If you never had a SIEM before and you wanted to experiment, this is where you would start, but it is probably that you would leave very quickly. I've also worked with ArcSight and Splunk.

My recommendation would depend upon your technical appetite or your technical capability. QRadar is essentially a Linux-based Red Hat appliance. Unfortunately, you still need some Linux knowledge to work with this effectively. Not everything is through the GUI. 

Comparing it with Splunk, in terms of licensing, IBM's model is simpler than Splunk's model. Splunk has two models. One is volume metrics, so you pay for the number of bytes that are transmitted daily. The other one is based upon the number of events per second, which they introduced relatively recently. Splunk can be more expensive than QRadar when you start to get into adding what they call indexes. So, basically, you create specific indexes to hold, for instance, logs related to Cisco. This is implicit within QRadar, and it is designed that way, but within Splunk, if you want to get that performance and you have large volumes of logs, you need to create indexes. This is where the cost of Splunk can escalate.

Installing QRadar is very simple. You insert a DVD, boot the system, and it runs the installation after asking you a few questions. It runs pretty much automatically, and then you're up and going. From an installation point of view, it is very easy.

The only thing that you have to get right before you do the installation is your architecture because it has event collectors, event processes, flow collectors, flow processes, and a number of other components. You need to understand where they should be placed. If you want more storage, then you need to place data nodes on the ends of the processes. All this is something that you need to have in mind when you design and deploy.

It is overly expensive and overly complex in terms of licensing. They have many different appliances, which makes it extremely difficult to choose the technology. It is very difficult to choose the technology or QRadar components that you should be deploying. 

They have improved some of it in the last few years. They have made it slightly easy with the fact that you can now buy virtual versions of all the appliances, which is good, but it is still very fragmented. For instance, on some of the smaller appliances, there is no upgrade path. So, if you exceed the capacity of the appliance, you have to buy a bigger appliance, which is not helpful because it is quite a major cost. If you want to add more disks to the system, they'll say that you can't. If they ship a disk with 2 terabytes that the older appliances have, and you say to them that you can commercially get 10 terabyte disks, they will say this is not possible, even though there is no technical reason why it cannot be done. So, they're not very flexible from that point of view. For IBM, it is good because you basically have to buy new appliances, but from a customer's point of view, it is a very expensive investment.

Make sure that you have the buy-in from different teams in the company because you will need help from the network teams. You will potentially need help from IT. 

You need to have a strategy of how you onboard logs into SIEM. Do you take a risk-based approach or do you onboard everything? You should take the time to understand the architecture and the implications of design choices. For instance, QRadar Components communicate with each other using SSH tunnels. The normal practice in security is that if I put a device in a DMZ, then communication between the device on the normal network, which is a higher security zone, and the DMZ, which is a lower security zone, will be initiated from the high-security zone. You would not expect the device in the DMZ to initiate communication back into the normal network. In the case of QRadar, if you put your processes in the DMZ, then it has to communicate with the console, which means that you have to allow the processor to communicate. This has consequences. If you have remote sites or you plan to use cloud-based processes, collectors, etc, and have an internal console, the same communication channels have to exist. So, it requires some careful planning. That's the main thing.

I would rate QRadar an eight out of 10 as compared to other products.

It is suitable for large companies with critical infrastructure. For our clients, robustness, availability at a high level, and the level of references and experiences connected to the solution are important. They need to know that other energy players are also using it.

There should be easier and wider integration opportunities. There should be more 
opportunities for integration with CTI info sharing areas. On platforms where you exchange CTI, there should be more visibility connected to what we share, what we can reach, or what options are connected to CTI info sharing. This is one area where they could add value because we cannot integrate it easily with QRadar. If a client has a legacy or already existing solutions for CTI, we cannot ask them to forget it because we cannot guarantee that QRadar is able to deliver everything connected to this area. 

I have been using this solution for three years.

We have five to ten customers of this solution. My impression is that it can cost a lot to scale upwards. It didn't bother us in most cases, but that could be a problem for SMEs at times.

Their support during the operation seems fine. I'm a consultant, and very often, I am offsite. I am not there when clients get into operating QRadar in the long run. So, I know more about implementation than the operation itself.

It requires expertise. If you have the right personnel, you can manage. It wouldn't be easy for a client and admins to set it up without proper support or support from QRadar itself.

Setting it up requires an assistant like us. QRadar plays a role there, but that's not enough. There is also the language barrier. Not every Hungarian company is good in English, and IBM naturally doesn't have full Hungarian support.

It requires cooperation between clients and us. Typically, we send a team of five people that includes tech guys, a project manager, and maybe one process guy, if needed. Generally, you don't have 360-degree professionals, so you have someone good in networking, someone good in log management or log analysis, and so on. Because of that, we need this kind of team. 

The client also has a few people. Typically, we send in more people than the client. These are not full-time people on our side and client-side. 

It could be cheaper, but the value itself is far more important for us than the price. Typically, our clients have yearly subscriptions.

I don't know what I would recommend for SMEs because we never worked with SMEs, but I would be very careful in recommending QRadar for SMEs. 

I would rate IBM QRadar a nine out of 10.