How has it helped my organization?
QRadar has improved risk assessment and vulnerability handling, and it has reduced some staffing needs. It has also improved the training abilities of the people who use it, e.g., IR teams. It is the core of our entire SOX. Therefore, we use it for everything, from training all the way up through management.
Due to the skills shortage, we are able to use it from the standpoint of bringing in a lower-level employee or a person who may not have security knowledge. We can put them in front of the product, and they will still have the information that they need and be at a level where they can run the system. Also, products like Watson make it work better.
What needs improvement?
The overall workload automation should be built into it. Part of the efficiency side of it is the ability to take the information as it comes in and assign it into a group. Now, the team leader no longer needs to assign it manually. He manages the workflow as it comes in directly to the individuals. Then, the individuals respond on it. As it closes, it goes back to the workflow, recording the amount of time it took for them to close it. It should show:
- How long did it take to get assigned?
- How long did it take for the person to open it?
Then, you can show that a person may have issues opening network problems.
We have not suffered a network breach.
Efficiency of Security Team
The solution has improved the efficiency of our security team.
Events per Day
We are at 115,000 events per second.
For how long have I used the solution?
More than five years.
What do I think about the stability of the solution?
We run 65 servers with just two people: an engineering person and me.
What do I think about the scalability of the solution?
We have 65 servers globally, and I just got my own.
How is customer service and technical support?
The technical support is poor, mostly because when I open a PMR with IBM, I am stuck with Level 1 staff. As an engineer, nothing that I am bringing them can be handled without Level 2 or Level 3 support. Most of the tickets that I open end up as code changes or bug fixes.
Our company is far more mature than most. Our issue is that the support is slow.
How was the initial setup?
It was a whole different product when we installed it.
What other advice do I have?
The most important criterion when selecting a vendor: stability. The security space is tough. Unlike a lot of other spaces, as a 100-year-old company, IBM will not be bought anytime soon.