Improvements to My Organization
Normally, an offense comes in, and an offense is something negative: it triggers when certain events don't comply with the rules. To put it plainly, it is something that will have impacted your environment very negatively. Once it comes through, you can then see from the QRadar log sources who or what triggered the offense.
For example, say an IP is browsing somewhere it shouldn't be browsing, and one of your log sources reported it back to QRadar. You can see whether that IP browsed certain websites where it shouldn't be browsing. When you right-click and go to the threat protection network, that will normally show you who is browsing, where that IP is coming from, what type of website it is browsing, and whether it is good or bad. If it's bad, it will give you recommendations on how to resolve the issue.
The threat protection network is the most valuable feature, because when you get an offense, you can actually trace it back to where it originated from, how it originated, and why.
Room for Improvement
I would like to see a more user-friendly product. I would like them to make it more user-friendly. At this stage, you need to use a lot of regular expressions to do your searches.
Use of Solution
Three to five years.
In the first year I used it, there were a few stability problems. In the previous three years, there haven’t been any major stability issues.
I've seen no scalability issues in any of the environments where I am working at the moment. I've seen how it handles a lot of load. I'm talking about a 5,000-user environment. It can handle a lot of logs and events coming through simultaneously.
If you spec it properly, with the proper hardware requirements, then it doesn't crash. I've seen how people give it way fewer specs than it should have, and then it does crash. But that was a fault on the users' side, and not the fault of the product.
Customer Service and Technical Support
I would give technical support a rating of an eight out of 10. When they help you with a call for a problem with the product, which I've had twice, the next day, they roll out an update worldwide for all their products to be patched on that problem.
They lose too much time, in my opinion. Normally, you struggle a bit to get a hold of them and get to the correct person to assist you. Even though this isn't a very big delay, it usually takes about an hour. However, in my company, an hour can make a very big difference in my life. For example, it will take me about an hour to an hour and a half to get support from them. I'm a person who loves to get it done now. So if you don't mind waiting about an hour, then it can be very good support. When you log a call with IBM, it takes them about an hour to start working on the problem.
The setup was very straightforward. It's basically "next, next, type in machine details and next", then you are finished.
Pricing, Setup Cost and Licensing
IBM's QRadar is not for small companies. Unfortunately, it would be 'overkill', to put it plainly. The pricing would be too much.
Other Solutions Considered
I wasn't completely part of the whole process when they chose a product. I know they evaluated AlienVault, which unfortunately I do not have any experience with, nor was I part of the whole process. I'm not able to provide pointers as to why the company chose IBM QRadar. I believe it's because we are a partner with them.
Just spec it correctly and it will do its job for you. It has an active community. IBM patches the product regularly when problems are picked up. I haven’t heard about a lot of problems from other people using the product.
Disclosure: My company has a business relationship with this vendor other than being a customer: We are a Partner.
Jul 05 2017