How has it helped my organization?
I think it has improved our organization by the speed at which I can run queries compared to other software that I've used in the past. It's a lot quicker and holds a lot more information. It helps keep a good cognitive overview of our environment from a security standpoint.
What is most valuable?
Some of the most valuable things that I get from QRadar are the custom parsers. A lot of the syslog items I get pushed to QRadar, instead of trying to build a custom parser to parse out the information that we need in order to do our investigations or to review that data. There's a ton of already defined ones in the application.
Plus, when you build rules, it's a really good user experience. It's like plug-and-play rules to flow out what you want, for whether what you want to look at has a certain level of severity or if you want real-time alerting on something that's happening right away in your environment that you want to investigate.
What needs improvement?
I'd like to see it being able to be integrated with more security products. I'm a big Guardian user; it's nice for the bidirectional. I can do some stuff, like a SQL injection, or if something is happening.
But if there were other security tools that it could better integrate with, like to go both ways; say it knows that a user is having heavy traffic, maybe it integrates with DOP to look at different sessions that they're doing. Something like that; like backwards compared to DOP, like reporting to it.
It's really good, but there's room for improvement; some more bidirectional integration with different security applications, especially some of the IBM Security ones like BigFix or something like that.
What do I think about the stability of the solution?
We haven't encountered any issues with stability.
What do I think about the scalability of the solution?
We can scale it as big or as large as we want in our environment just by adding multiple sources. It's just, from a licensing standpoint, you hit a certain mark. You want to make sure you either ignore some of that, or you just have to get more licenses.
How are customer service and technical support?
I've opened PMRs before. They're usually pretty responsive. The guys usually have pretty good knowledge, and they'll help you fix your issue pretty fast.
Which solution did I use previously and why did I switch?
It was easy to know we needed a new solution; when you have Symantec's DLP that's really crappy and they end-of-life it, you've got to start looking for other products. That's why we changed.
How was the initial setup?
The setup wasn't too complex. It was pretty straightforward. Basically, it's pretty much out of the box. You don't have to configure it much for your environment. It's built for many different types of companies. Once you start getting in all of your different log sources and using those custom parsers I mentioned, basically you've got to start looking at, What's white noise? What's not white noise? That's really what takes up a lot of your time, as to scaling it for your environment. The setup itself isn't very difficult.
Which other solutions did I evaluate?
We evaluated LogRhythm. LogRhythm is a really good product. It's close to QRadar, but, as I mentioned, those custom parsers. Also, LogRhythm's a little more difficult to install; we did the PoC for both leading SIEM solutions. Working with other IBM products, plus getting a discount for how much IBM stuff we already buy; it was easier for us to go with the QRadar route.
In general, when I go to work with a vendor, the important criteria I look for are how well they build relationships with you; how well they're willing to help you. Also, what are little things they're willing to do for free? Are they willing to, maybe, teach you how to do something a little bit here and there for free? Little things, give and take, here and there, make a good relationship with a vendor.
What other advice do I have?
Make sure you understand how many log sources you have in your environment. Kind of get an idea of how many per second you're going to be getting. That way, you have a good idea for your licensing model to start out with. In the past, we had a certain set we thought we were going to have, and then we had to upgrade, and then upgrade again, for the license count.
Also, make sure you're doing correct tuning. Otherwise, you're just going to flood your SOC, and they're gonna' spend too much time sifting through white noise.