What is our primary use case?
As a PS consultant on projects where the customer is transitioning from a competitor's SIEM to QRadar, they are very pleased when they see the number of quality offenses being caught soon after implementation and integration of log sources just from the out-of-the box rules enabled by default.
How has it helped my organization?
As a Professional Services consultant, I have heard many reports of how QRadar SIEM has quickly identified offenses which the users were unaware of previously. In addition to giving CISO’s gained visibility and increasing security posture, QRadar adheres to an organization's regulatory compliance across a number of industries (i.e. Healthcare, Financial, Retail, Energy and Government)
What is most valuable?
- Correlation Rule Engine, built-in use cases: QRadar has the highest number of built-in use cases among any SIEM on the market. There are many built-in rules that are enabled by default and easily tunable to meet the specific needs of each organization. The correlation engine automates what is a manual process for many SIEM platforms.
- Network-Based Anomaly Detection (NBAD): Using NetFlow, JFlow, SFlow, or QFlow (all 7 layers), offenses are detected as a response when a rule is triggered.
- QRadar Vulnerability Management: Built-in vulnerability scanner or leverage for other supported scanners to either schedule a scan and/or import the results from a scan. Importing the results enriches the assets profile database to quickly identify assets that have known vulnerabilities.
X-Force Threat Intelligence: Threat intelligence IP reputation feed which leverages a series of international data centers to collect tens of thousands of malware samples, to analyze web pages and URLs, and to run analysis to categorize potentially malicious IP addresses and URLs.
- App Exchange: Many vendors have written apps to enhance QRadar. The apps are free and enhance your SIEM experience by adding rules and custom event properties. In some cases a new tab. You will need to have purchased the third party solution. For example, if you have Palo Alto or Blue Coat, there's a free app for better integration.
What needs improvement?
Some UI enhancements would be nice, such as exporting custom event properties and the ability to export rules.
For how long have I used the solution?
More than five years.
What do I think about the stability of the solution?
We did not encounter any issues with stability.
What do I think about the scalability of the solution?
We did not encounter any issues with scalability.
How is customer service and technical support?
The technical support is very good.
Which solutions did we use previously?
We had limited experience with RSA enVision, LogRhythm, and HPE ArcSight. QRadar is much easier and takes less time to implement and maintain.
How was the initial setup?
The initial setup was straightforward.
What's my experience with pricing, setup cost, and licensing?
Go through a vulnerability assessment review for price breaks. A virtualized solution will also cut down on cost.
Which other solutions did I evaluate?
We did not evaluate any other options.
What other advice do I have?
All SIEMs have a certain degree of complexity, especially where use cases and rules are concerned. I advise using Professional Services so your SIEM is configured by trained professionals.
Disclosure: My company has a business relationship with this vendor other than being a customer: We are a business partner of IBM.
Jan 29 2018