IBM Security QRadar Reviews

We provide cloud services to the users, and we have our own cloud setup over here. The major use case is when clients require the SOC to be set up.

Setting up the SOC itself is a huge investment. A customer has to invest a lot to build up the whole SOC environment, so, rather than the customer investing in the SOC environment and building up the SOC, we provide it as a service. Customers don't need to do any up-front investment. They use our service. We manage their security tools and security environment as per the compliance guidelines that come from the Indian government. We follow all those practices, and we help them procure more for their network and infrastructure.

QRadar, Splunk, and ArcSight are SIEM solutions with built-in AI/ML features. They can do the complete investigation and alert the admin about what is happening. They can also do the root cause analysis. 

There are many other features that come with QRadar. It has a more granular log, so you can integrate with various non-IT as well as IT-based components. You can get unstructured data to the SIEM data, and you can identify more what is happening in the network or what is happening in the central head office. You can also identify what is happening between your remote offices. You can also use it to identify what the users in the field are doing on their devices and how things are moving.

From the integration point of view, it is very centric. It gives complete control centrally. If a user is not connected to the system, whenever he comes online, we can see the policy updates over the Internet, and we can ensure that the data that is supposed to be protected is protected.

When it comes to what could be better, it is always what others are trying to do and what is the roadmap. It can have more integration. It should have more flexible RESTful APIs for integration with applications. These are the things that are always in demand for any of the SIEM solutions, not only for QRadar. 

Integration is ever-evolving. Nowadays, different versions of mobile handsets are there and data is getting scattered. Users are using their personal handsets to keep the data of the organization. So, it should have a more flexible integration, irrespective of the flavor of the firmware and iOS or Android version. It should have an API that can seamlessly get integrated. It should also provide more flexible control and a more advanced or analytical view to see what exactly is happening across the globe or network. From wherever a user is connecting and accessing the enterprise data, it should give real-time visibility and predictive visibility about what exactly is happening. These things are already there, but there should be more advanced control in terms of managing the security.

I have been using this solution for five years.

It is absolutely stable. It depends upon how the implementation has been done. We definitely have the skills to do this kind of implementation. We ensure that a customer's environment is absolutely protected.

It is very scalable, but it also depends upon how the implementation was done. We are providing services to one of the major brands in India. They have somewhere around 30,000 devices. We are currently managing more than 1 lakh QRadar users.

QRadar has a good technical team. They provide timely support whenever a ticket is raised.

Deployment of such solutions always takes time because these solutions are not simple. You should have the expertise and you should understand what is really needed for the business. We understand the real business need, and accordingly, we implement the policies.

We have been managing some of the security tools for the past 11 years. We have expert engineers who can help our customers with installation, configuration, planning, designing, and other things.

If you have an environment of 5,000 or 10,000 devices, three to five people should be enough to manage it.

Customers have to purchase a license based on the number of users, devices, and applications they want to protect. It allows you to take a license on a subscription basis for three years or five years.

I would recommend this solution. If you are looking for a SIEM solution, IBM QRadar is one that you should ideally look for.

I would rate IBM QRadar a nine out of ten.

We are using QRadar as a managed service.

This product helps us to find security incidents before they become a problem to the business. We are able to attend to them quicker and we can put protection in place so that should they occur again, we are able to deal with them more easily.

The most valuable feature is the ease of use.

The modularity could be improved.

We have been using IBM QRadar for three years.

This is a very stable product.

We have had no issues with scalability and we have approximately 1,500 users. We are not using its full capabilities at the moment because we are still growing. In the next year or two, we will see.

I don't deal with IBM directly. Rather, I deal with our service provider and they deal with IBM.

The initial set was very easy for us because we just bought what we were looking for, and not the entire infrastructure.

The company that we subscribe to for this service takes care of the installation, maintenance, and management of it. They give us updates that concern the features we use, so the maintenance doesn't affect us much.

We use QRadar as a managed service and we pay licensing fees to the partner.

This is a good tool to have because it gives you the ability to track what is currently happening in your environment. Otherwise, if you did not have that, you'd only react to an event or an incident that has already caused problems. The proactiveness goes a long way because it saves your environment and your business from being negatively affected.

In summary, this is a good product but there is always room for improvement.

I would rate this solution a nine out of ten.

I am a system integrator. We have installed it on-premises, on the cloud, in distributed environments, and all other environments for our clients.

We have worked with other solutions, such as LogRhythm and Splunk. Compared to others, IBM QRadar has the best price-performance ratio so that you are able to reserve minimum costs. It starts settling in fast and gets the first results very quickly. It is also very scalable.

There are a lot of things they are working on and a lot of technologies that are not yet there. They should probably work out a better reserve with their ecosystem of business partners and create wider and more in-depth qualities, third-party tools, and add-ons. These things really give immediate business value. For instance, there are many limitations in using SAP, EBS, or Micro-Dynamics. A lot of things that are happening in those platforms could also be monitored and allowed from the cybersecurity risks perspective. IBM might be leaving this gap or empty space for business partners. Some larger organizations might already be doing this.

It would be very nice if IBM can make some artificial intelligence part free of charge for all current QRadar users. This would be a big advantage as compared to other competitors.

There are companies that are going in different directions. Of course, you can't do everything inside QRadar. In general, it might be very good for all players to provide more use cases, especially regarding data protection and leakage prevention. There are some who are already doing some kind of file integrity or gathering some more information from all possible technologies for building anything related to the user and data analysis, content analysis, and management regarding the data protection.

I have been using this solution since 2011.

If the engineers are missing some technical knowledge from IBM documentation, then it might get interesting, but you can always rollback. Usually, when you are implementing innovations, as a system integrator, you usually do less on the test environment, and then you check if this works. If bigger organizations and customers want to do it by themselves, they should really stick to this approach and use a lot of material, community pages, and channels.

There is absolutely no problem with scalability. It works very fine, especially when you are running just clients. It doesn't matter how many variants you have all across the culture. You can practically have different continents. It doesn't matter how many collectors are running. You can easily distribute the current license to multiple users, and all the collectors can upload it without any restrictions.

We have worked with other solutions. Splunk is a long-term trap because it is very expensive, and it gets more and more expensive. It has different times, and it is integrated with different products. When you combine that together with licensing, it obviously fails. You are paying a lot more than QRadar.

LogRhythm has some problems with stability. We were the first partner to do some integrations with LogRhythm, but we had some problems. ArcSight was smaller at the time but not anymore. It is now a competitor. Fortinet is very good for those who are already using some software products from them.

It usually happens within two or three hours, but it also depends on the preparation. If good homework is done, then the initial setup is totally flawless. It is ready very soon. We then try it and wait for maybe a couple of days more. After that, we start fine-tuning, and then we do advanced installations.

For us, such projects usually don't start without any experience with technology and the concepts. When you are buying it, you need to know all the information systems, create a list of tasks and priorities, and understand the use case better. 

A lot of such innovations or implementations initially can be done by one person, two persons, or maybe a team of five dedicated administrators who later on will be using this technology or solution. You need to understand that there are different roles of people who are working with cybersecurity and threat management, such as an analyst, a simple technical maintenance performer, an administrator, a user behavior analyst, etc.

It is not something like a next-generation firewall, next-generation intrusion prevention, or the most complex tool that you have got, which you can install and configure and then see if it runs smoothly. It is a completely different story in QRadar or any similar technology. These solutions or technologies have to be managed continuously. 

The biggest mistake that innovations people usually make is that they don't plan the total cost of the technology tools for a period of five years, especially because they don't know what kind of new threats are coming out. Despite that, IBM is very early in doing some kind of new content packs and including data enforcement, etc. When new threats are coming in, you effectively need to adjust. The more complex use cases you have, the more complex the responses will be. You might have different systems or you might be working in different time zones.

When buying, people think that 70% to 80% percent of the initial purchase is the total they are going to spend within next year at this time, and then every next year, they will spend like 20% or 25% on the technical support, maintenance, development of the system, etc. When you are talking about a huge, complex, and central cybersecurity threat management system, it is more likely that you are implementing a document management system and some complex CIP systems, etc. The cost of the license and the cost of the hardware initially can make up around 20%, 30%, or less percent of the total budget that is needed for quality management of such solutions for a longer period of time. 

Some people think that if they buy this for 100,000 pounds or euros, the next year, they can buy just annual subscriptions for 25,000 or 20,000. You may have some internal costs for the license, etc. If you are buying for, let's say, 100,000, you might have to make your budget for 200,000 more, because it needs to have certain people who are doing everything with the solution. You need to train them and send them to the IBM international technology academies and events such as Visor to know about its management and maintenance. You probably also need to do some certification, so you need to go for a course for implementation. A lot of internal work should be done to adjust the solution with other departments, and those other departments usually don't like such central, overseeing, and controlled solution. They, later on, learn that they can get a lot of different, useful reports out of it without doing additional work. 

I would rate IBM QRadar an eight out of ten. Every technology has some weaknesses and strengths. It has a lot of points to improve, but based on everything that we have seen in the market and from other customers, this is, so far, at least in Europe, the best solution.

The primary use case of this solution is for monitoring an enterprise data center, globally for 12,000 devices.

It has improved the way that the organization functions.

The most valuable feature is the searching capability and real-time operational use.

Some of the cloud apps need improvement.

In the next release, I would like to see improving the stability of some of the add-on applications.

I have been using IBM QRadar for two years.

We are using the current version.

Stability is moderate.

We have 15 people using this solution in our organization. Their positions vary from Network Engineers, Security Engineers, and Security Analysts.

It's very scalable.

Technical support is good.

I would rate them a nine out of ten. Their response time is good.

Previously, I did not use another solution.

The initial setup is complex. It's just the nature of the CM tool.

I think that the price is fair, but we can always say that the price could be cheaper.

Like any complex enterprise CM tool, you have to have a strong support organization. People who are good at understanding Linux operating systems. You also need a strong technical support team in-house.

I would rate this solution an eight out of ten.

It is used to dive deep into threat analysis. It is a SIEM solution that can be hooked up with some of the endpoint security or threat discovery solutions such as Forescout, Qualys, Sophos, and MDM. After the endpoint security or threat discovery solution discovers the threat, QRadar takes it further from that point onwards and allows you to go deep into the threat analysis. It has a lot of integrations, such as with CMDB, and it can do the asset classification. It can also tell the CVSS score. These are the capabilities or use cases. 

Integrations are quite a useful and key feature of this solution. It has integration with the CVSS score, which is a central point for all the data and scores about the threats. There is an IBM Bluemix dashboard that is integrated with the CVSS score.

I don't look at only the features and benefits; I also look at the price. It is a bit expensive when compared with other solutions. It is expensive for specific deployment topologies, and the decision-makers go for alternatives like ArcSight. 

It should also have more AI features or capabilities for better threat intelligence. The more it uses machine learning, the better would be the dashboard, analytics, and other things.

I have been using this solution for five years. 

You can scale it easily in the cloud with a given deployment topology. We have somewhere around 50 plus users.

IBM is very strong on the technical support side. They have proper support available across different regions. After the implementation is done, the admin within the organization is in touch with IBM technical support for any day-to-day support requirements.

We have been switching for some time between Micro Focus ArcSight and IBM QRadar.

For cloud deployment, you need to go for IBM Bluemix Cloud, and you can deploy easily on a private cloud. You create the stack and use the Bluemix Cloud formation template. If you have the IBM Bluemix Cloud subscription, you can deploy it easily within maybe half a day or one day. You can create all the resources by using the Bluemix Cloud formation template.

For deployment, you need a small team of two or three because it just needs the team to provision the resources on the IBM Bluemix Cloud. For support, we need a bigger team of around 10 plus people.

It is costlier as compared to the other alternatives available in the market.

I would definitely recommend this solution. It is a good solution with good capabilities like integration with CMDB and CVSS score. The dashboard is also really nice. It can help with threat intelligence, and it also has artificial intelligence. It is a futuristic kind of technology because the more AI-driven a product is, the better are the results. We plan to keep using this solution.

I would rate IBM QRadar a seven out of ten.

We use the solution for a variety of tasks. We use it, for example, for authentication, network-related authentication, user-related tasks, and Windows UNIX servers. It's a lot. There's a ton of use cases. I really can't sync right now about every single use case, however, the main things are authentication and network-related systems and all flavors of UNIX Windows. 

It helped our organization in the sense that having it was better than nothing. However, I did not enjoy the product overall and I advised we switch to something else.

The user behavior analytics as part of our deployment was okay, even though it was clunky.

The solution can scale.

I really didn't like QRadar to be honest. I inherited it. I was part of the reason that we moved over to LogRhythm. The solution just isn't user friendly.

The solution is clunky. 

The interface could be much better.

The integration capabilities within the product are not that great.

I've been using the solution for about two years at this point. My team has been using it for two to three years, so we have a total of about five years of experience in all.

I wouldn't describe the solution as stable. 

It was really buggy. Like other app integrations, it wasn't straightforward. It was pretty clunky. We tried to integrate Qualys with it and it wasn't effective. To integrate anything took quite a bit of time and energy. It wasn't easy. When it did, it didn't work properly. It wasn't really pulling in the data correctly.

Scalability was hard as it was on-prem. We needed to add more modules, and had to add more of the servers to stack it. It wasn't that a simple task at all. I wouldn't say that it scales well, although technically, you can scale it.

When we were using the solution, we had ten to 15 users on it. They were anyone from Information Security Engineers to regular IT admins.

Technical support was awful. We often didn't even have any assistance available to us. On a scale from one to ten, I'd rate them at a three. We were very unsatisfied with the level of support we received. They just simply weren't helpful when it came down to it.

The organization didn't previously use a different solution before choosing QRadar.

We actually switched to LogRhythm as I didn't like how the solution was working for the organization.

I didn't handle the initial setup. It was handled before I arrived at the organization.

I'm not sure of which version of the solution we're using.

I wouldn't recommend the solution. I'd probably tell others to shy away and look at other products like possibly Splunk, however, it's a pricey option. LogRhythm is pretty good. We're having some issues with it. That said, for the most part, it's okay. 

Exabeam also seems like it might be a good option. I haven't worked with it personally, however, I've had some experience with a POC.

Overall, I would rate the solution at a three out of ten. We didn't have a good experience with it. If it offered, for example, easier behavior analytics, easier integrations, better interface, supported model integration, and a good user interface to perform analysis I might rate it higher. Basically, it just needs to be much more user-friendly.

We use this solution for deploying and integrating log sources and use cases.

We use it to generate offensives based on normal behavior and suspicious behavior from our security tools, firewalls, and other solutions.

We have applied a set of old and new rules to QRAdar that aim to detect persistent abnormalities in our environments.

Within our organization, our security operations center and users from our local security team — roughly 10 to 12 users — use QRadar. We plan to expand to other areas of the company so that other people can use QRadar for different use cases. But right now only the security teams use it.

It's more of what it has provided for our company. We have much better visibility into our environment now. It has become much easier to create an alert for suspicious behavior, to operate on security incidents when they happen, and to drill down on specific events and figure out exactly which machines and users were involved.

I think the log search is pretty good. It's very easy to create complex searches and aggregate results and create graphics, etc. 

The rule engine is very easy to use — very flexible. We can create rules based on whatever behavior we want. It's very easy to use compared to Splunk. 

When we analyzed Splunk, that was the criteria that we looked at. Splunk was a lot more difficult to use and to create rules.

The standard rules they have are very comprehensive. There are many content packs in the apps that enrich those rules. We are still using the native rules from QRadar because there are many useful rules there. I think we're going to have a very good experience with them.

One thing one has to be aware is that qRadar doesn't have a standard UI style, but older (clunkier) and newer (more modern and easy to use) screens. The QRadar UI involves a lot of clicks and pop-ups to get where you want, which is certainly not the best UX, but isn't totally a pain also. Although it's a bit difficult to navigate through screens at first, the UX is pretty good once you learn the "qRadar way", which takes about a few weeks to master.

I have been using this solution for the last three months.

We had some bugs and we had to handle them. They impacted our deployment timeline, but all of the bugs that we had were quickly solved by engineers from IBM. Currently, we are not fully satisfied with the stability, but the support from IBM is very good and they can solve our problems very, very quickly.

There seems to be a cap-limit regarding scalability. IBM limits the amount of data you can send into the collectors so scalability-wise, it's not that optimum because sometimes we have a resource or a machine that tends to think it gets more events per second than it actually gets. Because of how the solution is made, If we send a large number of events to these event collectors, then they will start dropping events because we can't queue them. That seems to be by design — we aren't entirely satisfied with that. In this way, IBM kind of forces their customers to buy a larger license.

IBM's customer support is very good. 

We don't have any comments about community support because we don't know any communities that we can use to look up information about QRadar; however, in general, we have used IBM's documentation extensively — I think it's very useful, it's very complete, but sometimes it's a bit outdated. 

We used to use ArcSight. I can't even begin to compare these two products because ArcSight was a solution managed entirely by our security operations center team. We didn't have full knowledge of what the solution was capable of. Now we're seeing a much larger universe with QRadar — I think it's a completely different thing. QRadar is much more capable than ArcSight.

Deployment-wise it's pretty easy already; it took us one hour to get QRadar running, and then a couple of days later, we had full deployment. We then began onboarding log sources — the process of onboarding log sources has been almost painless for 90% of our log sources, which are from different vendors and different tools, and within a month we had about 70% of all of our relevant security logs in qRadar, generating many interesting offenses on a daily basis. So that has been very positive.

We had little interaction with qRadar during the process of onboarding log sources — most log sources were automatically discovered, their events were mapped correctly and parsed to extract relevant fields. A few log sources required manual intervention or installation of content packs, and some of IBM's DSMs were a bit outdated, but these issues were rather quick to fix within qRadar itself.

We used a partner company here called IT.eam, which helped us with the deployment. They are very capable and professional and it's been overall a great experience.

It's very expensive but it fits our budget. Because it's very expensive, we had to come up with ways of filtering our logs before they get into QRadar because otherwise, we'd have to buy a much greater amount of events per second, and that would be very expensive.

Splunk is virtually the same price.

I'd recommend QRadar for security teams that are more from the IT world and not so much from the development or data-science world. I think other tools, such as Splunk, are really great too, but QRadar is natively concerned with providing security rules and use cases. If you're looking for a reliable solution for security purposes only, QRadar is probably the way to go.

Overall, on a scale from one to ten, I would give this solution a rating of eight.

This is a security monitoring product and the primary use case is to detect strange behavior by users. For example, if we have a user that has not used the service for a long time and then all of a sudden, somebody logs in one night. This is not normal and the system will detect it. This is just one example of many use cases.

Integration is very easy and the reporting is good.

This is a good product, although it does require some fine-tuning.

The dashboard is pathetic and it takes a long time to perform a search.

The graphics need to be improved.

Providing good support is something that they need to work on.

It would be helpful if IBM published more use cases.

We have been using QRadar UBA since 2016.

The issue that I have with technical support is related to their large pool of resources. If you are lucky then you get good support, but sometimes you get pathetic support. Suppose you open a ticket, there are times where it will be very good, but the quality is intermittent.

I have experience working with Splunk and I find that the searching capabilities are better with it. Also, the processing time in Splunk is better. With QRadar UBA, when you have three, four, or five rules together, it takes more time to respond.

The complexity and length of time required for the initial setup depend on the requirements. There are some out-of-the-box features that can be implemented right away, but some equipment is not supported directly, so you need to write a DSM (device support module).

Implementing a DSM takes some time, although it will depend on the log source. If the log source is fully compatible then it will be very quick. However, if it is not compatible then you will need to do some scripting and other work.

The price of this product is high.

QRadar is not perfect. It's a good security monitoring product that can provide threat intelligence, but it cannot do it alone. You need to integrate with many other things, such as IBM Orchestrator. Also, you need to have X-Force. After these kinds of things are integrated, it works a little bit better.

I would rate this solution a six out of ten.