What is most valuable?
IBM QRadar:
- Ease of install. It's effectively Red Hat 6.5 with an app on top.
- Automatic log source identification.
- Inbuilt rules and reports are comprehensive, so out of the box the system does things.
- Recognises every log source we have added.
- IBM supplies a virtual image, which makes standing up a system a small piece of work.
How has it helped my organization?
IBM QRadar has great data reduction. We have several hundred million log records arriving on various platforms daily and have been able to tune them to alert well on the important things. Very few false positives.
Like any SIEM product, at a very basic level the system is a pattern matcher: looking for patterns in single log messages, or looking for patterns across multiple log messages combined with flow data. Its primary focus is security event management, but you can look for anything in the information flowing through the system and alert on it. So it can be used - and we do use it - as a general IT event management/monitoring system.
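The three kinds of matching described above (a pattern in one message, a pattern across several messages, and a pattern joined with flow data) in a toy Python engine. This is an added example, not QRadar's rule engine or any of its built-in rules; the sshd log lines, the flow records, the `10.0.0.0/8` "management network", the `PRIVILEGED` user set and the thresholds are all constructed assumptions for illustration, and flows are keyed by host name rather than IP to keep the join simple.

```python
"""Toy SIEM-style pattern matcher (added example, not QRadar code).

Three rule types, mirroring what a SIEM does at base level:
  1. single-event rule   : one message matches a pattern
  2. multi-event rule    : N failures from one source followed by a success
  3. event + flow rule   : a compromise alert joined with a large outbound flow
All sample data below is constructed for the example.
"""
import re
import ipaddress
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sshd syslog lines; timestamps are ISO-8601, oldest first.
SAMPLE_LOGS = """
2016-03-01T10:00:01 srv01 sshd[1201]: Failed password for admin from 203.0.113.7 port 51022 ssh2
2016-03-01T10:00:03 srv01 sshd[1201]: Failed password for admin from 203.0.113.7 port 51023 ssh2
2016-03-01T10:00:05 srv01 sshd[1201]: Failed password for admin from 203.0.113.7 port 51024 ssh2
2016-03-01T10:00:08 srv01 sshd[1201]: Failed password for invalid user oracle from 203.0.113.7 port 51025 ssh2
2016-03-01T10:00:11 srv01 sshd[1201]: Failed password for admin from 203.0.113.7 port 51026 ssh2
2016-03-01T10:00:14 srv01 sshd[1201]: Accepted password for admin from 203.0.113.7 port 51027 ssh2
2016-03-01T10:02:30 srv02 sshd[877]: Failed password for bob from 10.1.2.3 port 40000 ssh2
2016-03-01T10:02:35 srv02 sshd[877]: Accepted password for bob from 10.1.2.3 port 40001 ssh2
2016-03-01T10:05:00 srv01 CRON[1300]: pam_unix(cron:session): session opened for user root
""".strip().splitlines()

# Constructed flow records: (timestamp, source host, destination IP, dst port, bytes out).
SAMPLE_FLOWS = [
    ("2016-03-01T10:01:10", "srv01", "198.51.100.9", 443, 5_200_000),
    ("2016-03-01T10:03:00", "srv02", "10.1.2.50", 22, 3_000),
]

LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: (?P<result>Failed|Accepted) password "
    r"for (?:invalid user )?(?P<user>\S+) from (?P<src>\d+\.\d+\.\d+\.\d+)"
)
INTERNAL = ipaddress.ip_network("10.0.0.0/8")   # assumed trusted management range
PRIVILEGED = {"root", "admin"}                    # assumed privileged accounts


def parse(line):
    """Return a dict for sshd auth events; None for lines the rules ignore."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.fromisoformat(ev["ts"])
    return ev


def single_event_rules(ev):
    """Rule type 1: privileged login accepted from outside the management range."""
    if (ev["result"] == "Accepted" and ev["user"] in PRIVILEGED
            and ipaddress.ip_address(ev["src"]) not in INTERNAL):
        return [{"rule": "privileged_login_external", "host": ev["host"],
                 "src": ev["src"], "ts": ev["ts"]}]
    return []


def correlate(lines, flows, threshold=4, window=timedelta(seconds=60),
              flow_window=timedelta(seconds=300), exfil_bytes=1_000_000):
    """Run all three rule types over log lines plus flow records; return alerts in order."""
    alerts = []
    failures = defaultdict(deque)          # source IP -> timestamps of recent failures
    for line in lines:
        ev = parse(line)
        if ev is None:
            continue
        alerts.extend(single_event_rules(ev))
        q = failures[ev["src"]]
        while q and ev["ts"] - q[0] > window:   # drop failures outside the sliding window
            q.popleft()
        if ev["result"] == "Failed":
            q.append(ev["ts"])
            continue
        # Rule type 2: a success right after a burst of failures from the same source.
        if len(q) >= threshold:
            alerts.append({"rule": "brute_force_success", "host": ev["host"],
                           "src": ev["src"], "ts": ev["ts"], "failures": len(q)})
            # Rule type 3: join with flow data - large outbound transfer from the
            # compromised host to a non-internal destination shortly afterwards.
            for fts, fhost, dst, dport, nbytes in flows:
                delta = datetime.fromisoformat(fts) - ev["ts"]
                if (fhost == ev["host"] and timedelta(0) <= delta <= flow_window
                        and ipaddress.ip_address(dst) not in INTERNAL
                        and nbytes > exfil_bytes):
                    alerts.append({"rule": "possible_exfil_after_compromise",
                                   "host": ev["host"], "src": ev["src"], "ts": ev["ts"],
                                   "dst": dst, "dport": dport, "bytes": nbytes})
            q.clear()   # one alert per burst, not one per subsequent success
    return alerts


if __name__ == "__main__":
    for alert in correlate(SAMPLE_LOGS, SAMPLE_FLOWS):
        print(alert)
```

On the constructed data this raises three alerts, all for `203.0.113.7` against `srv01`: the single-message rule fires on the accepted `admin` login from outside `10.0.0.0/8`, the multi-message rule fires because five failures preceded it inside the 60-second window, and the flow join fires because 5.2 MB left `srv01` for an external address 56 seconds later. The `bob` login on `srv02` has a single prior failure and an internal source, so nothing fires, which is the tuning point the review makes about false positives: the thresholds and the "internal" range are what you adjust per environment.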
What needs improvement?
Room for improvement - IBM QRadar:
- Graphing on the system is a tad coarse. Analytics now requires really high quality graphing to assist in pinpointing anomalies.
- The need for multiple Java versions for deployment setup is a pain.
- There are areas where you need Java 7 to be able to use them (the primary need for this is to access the Deployment area).
- We need to be able to handle multiple overlapping IP address ranges. That is coming, we know. But slowly.
- When you are building this in a virtualised environment you do have a bit of difficulty accessing the GUI.
For how long have I used the solution?
I have used several versions of the QRadar system, both the IBM version and the Juniper STRM OEM version.
IBM: I rate it 7.5/10.
STRM: 7/10.
What was my experience with deployment of the solution?
No real issues with deployment. What it is doing is exactly what we expected. It does have a few wrinkles, but that is more about where we are collecting logs from.
What do I think about the stability of the solution?
What do I think about the scalability of the solution?
No scalability issues yet. We have sized the latest system to cope with up to 10,000 EPS and are only at about 4,000 at the moment. Scaling is simply adding extra licence as required at the moment. Easy.
How are customer service and technical support?
Technical support: generally excellent.
Which solution did I use previously and why did I switch?
- We were using Splunk. Licensing does not allow you to expose Splunk screens to customers (we are an ISP and IT service provider).
- McAfee Nitro was too expensive.
- ArcSight takes too long to install and tune.
How was the initial setup?
- Boot the VM off the ISO image.
- Install the licence.
- Point logs at it.
Occasionally the documentation did not reflect what was happening, so we did need to access tech support a few times.
What about the implementation team?
We implemented it ourselves. Initial seat-of-the-pants approach. Worked. I got my Red Hat builder to spin up the two VM servers off the supplied image, licensed them, gave them the appropriate IP addresses, created the deployment (the Java 7 bit), and the system started receiving logs from the 1,200 Cisco routers.
What was our ROI?
We are fulfilling a government contract. Install and move to BAU has been done and it came in under the estimated budget... so all good.
Which other solutions did I evaluate?
- McAfee Nitro
- Juniper STRM
- AlienVault. Note: we would probably have used AlienVault, but there was no representation in Asia Pacific at the time.
What other advice do I have?
- First, gather your requirements.
- From that, build a business case.
- Understand that no matter what technology you choose, the technology area is 15% of the effort. Your processes are 85%. No process... then 5h1t in, 5h1t out.
- Make sure you know your business reasons for the implementation.