How has it helped my organization?
I have implemented QRadar in a big airline company, where they needed to get all their security information in one place. It helped in reducing the amount of time that was needed to evaluate the risk of every event. Configuring the alerts has never been easier; you just search for the event you think you need and start creating the rules that way. It is really straightforward and you don't need much IT knowledge for it. Of course, your experience with the product and a generalist view of the infrastructure, business and IT are strongly recommended when using a tool similar to this.
What is most valuable?
In my understanding, the best features are:
- DSMs (Device Support Modules),
- Device auto-discovery, and
- Hundreds of rules and reports already created for you to mix up.
These features are keeping QRadar on top in Gartner. You can have it running in a few hours, then start collecting your logs and events in no time.
What do I think about the stability of the solution?
We never experienced any stability issues. The only problem that I had was related to the hardware, and the high availability worked as expected.
Something to take into account is the IBM support; they really know their business and how to fix problems. I had the opportunity to talk with L2 Managers in the US, who told me that IBM is investing in research, documentation and training for all the people working with it. This is a very interesting thing to have in mind when choosing this platform.
What do I think about the scalability of the solution?
We never experienced any scalability issues. If you correctly estimate the amount of EPS (the license variable), then scalability is not a problem. It can run in a really big environment (100,000 EPS tested in production) and all the infrastructure will work like a charm.
How is customer service and technical support?
The technical support is excellent. As I've mentioned, they know their business and have a really good team behind them.
Which solutions did we use previously?
I had the opportunity to use other SIEM solutions, but no one can provide what QRadar does, i.e., in terms of its simplicity, support or integration.
How was the initial setup?
The setup was really straightforward. You simply need to put your ISO image in the hypervisor, follow the on-screen instructions and you have it running in one hour.
What's my experience with pricing, setup cost, and licensing?
The pricing and licensing policies are really competitive. These solutions are not for a really small business, but having just one license variable is really good. You simply tell the partner or sales representative the number of EPS you want to receive in your appliance and that's it. Other solutions have a 'correlation' license, which is more like a trap than anything else.
Which other solutions did I evaluate?
I have tested Splunk and used a little bit of NitroSecurity (McAfee). I have also seen a little bit of HPE ArcSight.
What other advice do I have?
You should ask the sales representative to give you the Excel sheet to calculate EPS. Keep in mind that firewalls, proxies and similar networking devices will consume lots of EPS, but they do provide really nice information and insight into your network.
On Gartner, this is one of the top 10 SIEM solutions in the market. It is robust and IBM is investing a lot of money to get it running even better than it is running right now. You feel secure when you use it.
This solution is being implemented around the world and every day, a new feature or add-on is created for it.
Disclosure: My company has a business relationship with this vendor other than being a customer: We are business partners and have a really good relationship with IBM.
Apr 13 2017