IBM QRadar Review

No matter what technology you choose the technology area is 15% of the effort. Your process’s are 85%


Valuable Features

IBM Qradar is

  • Ease of install . Its effectively redhat6.5 with an app on top.
  • Automatic log source identification
  • Inbuilt rules and reports are comprehensive so out of the box the system does things
  • Recognises every log source we have added.
  • IBM supply a virtual image which makes the standing up of a system a small piece of work.

Improvements to My Organization

IBM Qradar has great data reduction. We have several hundred million log records arrive on various of the platforms daily and have been able to tune them to alert on important things well. Very few false positives.

Like any SIEM product at a very base level the system is a pattern matcher. Looking for patterns in single log messages or looking for patterns in multiple logs messages combined with flow data. It has a primary focus of Security Event Management but you can look for anything in the information flowing through the system and can alert on it. So it can be used - and we do - as a general IT event management/monitoring system.

Room for Improvement

Room for improvement - IBM Qradar:

  • Graphing on the system is a tad course. Analytics now requires really high quality graphing to assist in pinpointing anomalies.
  • Need for multiple Java versions for deployment setup is a pain.
  • There are areas you need to have Java 7 to be able to use.(Primary need for this is to access the Deployment area)
  • We need to be able to handle multiple overlapping ip address areas. That is coming we know. But slowly.
  • When you are building this in a virtualised environment you do have a bit of difficulty accessing the GUI.

Use of Solution

3.5 years

I have used several versions of the Qradar system. Both the IBM version and the Juniper STRM OEM version.

IBM I rate as 7.5/10

STRM at 7/10

Deployment Issues

No real issues with deploy. What it is doing is exactly what we expected. It does have a few wrinkles but that is more about where we are collecting logs from.

Stability Issues

No stability issues yet.

Scalability Issues

No scalability issues yet. We have sized the latest system to cope with up to 10000 eps and or only at about 4000 at the moment. Scaling is simply adding extra license as required at the moment. Easy.

Customer Service and Technical Support

Customer Service:

Generally excellent.

Technical Support:

Generally excellent.

Previous Solutions

  • We were using SPLUNK. Licensing does not allow you to expose Splunk screens to customers (we are an ISP and IT service provider).
  • Mcafee Nitro was too expensive
  • Arcsight takes too long to install and tune

Initial Setup

Simple:

  • Boot VM off ISO image.
  • Install license
  • Point logs at it
  • Done

Occasionally the documentation did not reflect what was happening so did need to access tech support a few times.

Implementation Team

We implemented it ourselves. Initial seat of pants approach. Worked. I got my Redhat builder to spin up the two VM servers off the supplied image, licensed them, gave them the appropriate IP addresses, created the deployment (the Java 7 bit) and the system started receiving logs from the 1200 CISCO routers.

ROI

We are fulfilling a government contract. Install and move to BAU has been done and it came in under the estimated budget…..so All Good.

Other Solutions Considered

  • Mcafee Nitro
  • Juniper STRM
  • AlienVault. Note. We would probably have used AlienVault but there was no representation in Asia Pacific at the time
  • TrustWave

Other Advice

  • First gather your requirements
  • From that build a business case.
  • Understand that no matter what technology you choose the technology area is 15% of the effort. Your processes are 85%. No process…then 5h1t in …5h1t out.
  • Make sure you know your business reasons for the implementation
Disclosure: I am a real user, and this review is based on my own experience and opinions.
2 visitors found this review helpful
Add a Comment
Guest

Sign Up with Email