What is our primary use case?
We are using it from the compliance perspective. We need this solution to comply with HIPAA and PCI because our clients require HIPAA and PCI DSS compliance. We also use it for log management, primarily security logs, and to some extent, for operational activities, even though this tool is actually not meant for operational tasks. We do keep track of errors in our appliances like hardware, storage, and network switches through QRadar.
The main or core solution is on-premises. There is an extended arm, which is in the cloud as well for cloud integration.
How has it helped my organization?
Security incident and event management are actually the core functionalities of this solution. We receive security logs on this product and based on the received logs, we can create offense tickets that are forwarded to Netcool, which is another solution that we have. I don't have experience with that, but our integration is there so that any offense or security event is forwarded to Netcool, and a ticket is automatically generated in ServiceNow for that offense. This level of automation that we have for security-related events is done through this solution. There's no manual work involved, which obviously takes away a lot of load from the individuals who are managing the security side of it.
What is most valuable?
It is a pretty solid product for the type that it is representing i.e. SIEM. It can do automatic correlation based on the traffic that you are receiving to some extent. It has plethora of options available for third party application integration. For e.g CISCO Firepower, Palo Alto Dashboard for CISCO and Palo Alto Firewall respectively. Integration with Cloud based Log Sources is also supported via. parsers that support API Connect. This is helpful when pulling in Logs from AWS, Azure, GCP or other Cloud Based Solution like Carbon Black, Imperva etc.
What needs improvement?
A lot of information that we receive for the devices is IP-based, but it would help if we could have a default dashboard in which we can add more details about the assets for which we are receiving the information. For example, if it is a Windows or Linux device, we only get the IP for that particular device. We don't really get the name and other details of that particular device. For that, you have to drill down into your own asset management system. It would be good to have a place where we can probably add this information so that we don't have to look into other tools.
For how long have I used the solution?
I have been using this solution for about six months.
What do I think about the stability of the solution?
It is very stable. As long as you have the proper connectivity availability, it is pretty stable.
What do I think about the scalability of the solution?
Our deployment covers North America, South America and part of Europe. The product is easy to deploy and scale. Almost everyone in our organization is using this solution because most of our projects rely on this. Because of the compliance requirement, most of our projects have to be integrated with QRadar. Each business unit or each program that we have in another environment has independent access to the solutions. They might not be the end users, of course, but at least every admin team of every program unit has access to this tool so that they can see what's happening in their environment.
It also supports multi-tenancy. So, if you have multiple clients or multiple tenants in your environment, you can create logical containers for them. From a logical point of view, you can create separate disconnected containers for each client so that they can only see their data.
How are customer service and technical support?
Their technical support is quite good. I would rate them a nine out of ten.
Which solution did I use previously and why did I switch?
Yes, we switched over from NNT to QRardar. This product is more detailed. Expensive but definitely more detailed! :)
How was the initial setup?
It was pretty straightforward. These are hardware appliances. So, you need to rack and stack them. If the rack space, cabling, and other things are already done, which would typically be the responsibility of a data center team, it essentially takes three to five days. But this is only the core deployment. The fine tuning on top of it would take extra time based on the environment and how complex it is.
What about the implementation team?
It was implemented by team that included me. We have an external team for its maintenance.
What's my experience with pricing, setup cost, and licensing?
The IBM QRadar Licensing for the core Events(EPS) and Flows(FPS) is per second based. The licensing is perpetual and surely expensive but the output of the Product makes it worth your money.
What other advice do I have?
I would absolutely recommend this solution. I am pretty okay with it, and I don't have any issues with it. It has some competitors like Splunk and LogRhythm. Symantec has its own SIEM solution. ArcSight, LogRhythm, and Splunk are in the first quadrant for the Gartner research. They are leaders in their products, and they know what they're doing. It also comes down to what your company is into, how does it fit into a particular environment, and how compatible it is with a particular environment. I could have gone on the Splunk path and probably said the same thing for it as well.
I would rate IBM QRadar a nine out of ten. It is a pretty solid product.
Which deployment model are you using for this solution?
If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?
Which version of this solution are you currently using?