What is our primary use case?
SIEM solutions must be business driven. Utilizing a SIEM solution depends on your enterprise goals, from meeting compliance requirements to implementing security controls and identifying the absence of controls. A SIEM solution can also be used to improve your business and increase your sales. With QRadar, you can do all these, even if you are not a security expert. It comes with a set of default rules which makes your life easier, from ransomware attacks to DDoS attacks. Everything can be detected if your logs are properly integrated into QRadar.
It gets better with extensions and other rules you install from the IBM Security App Exchange, where you can detect malicious website access (with the intent of ransomware), P2P activity, or someone spamming everything. You can be notified, then you can run scripts to make QRadar take an action.
I am a security analyst working with QRadar.
How has it helped my organization?
It is always evolving with new patches, new UX/UI (such as 7.3), new rules, and new extensions. It lets you evolve your company accordingly.
The usage of QRadar or any SIEM solution depends on the company goals, but with QRadar, the user interface, the dashboards, reports, installing extensions, and playing with the rules are easier.
QRadar has helped our company a lot in evolving our security policy and taking care of weak controls. QRadar helped us in the blacklisting and whitelisting of applications. It helped us identify our security threats, and improve our firewalls. With the QRadar Vulnerability Manager, it helped us take care of vulnerable assets.
What is most valuable?
- Its default set of rules: It comes with many rules disabled. You can tune them and modify them according to your enterprise needs and avoid false positives.
- The extension management: There are more than 120 extensions in QRadar, which are easy to install and configure. These can improve your analysis of events.
- UBA 2.7: It can help you detect insider threats.
What needs improvement?
QRadar log integration of various applications can be a tough job at times. There may be occasions when you will not find any QRadar guide on adding logs of a particular application. Even if you come across one, adding a log process is not an easy one. Plus, it is also vulnerable because the ports used to integrate those log sources with QRadar are well-known and most of them are vulnerable ones.
For how long have I used the solution?
Three to five years.
What do I think about the scalability of the solution?
QRadar is easily scalable in many ways: vertical and horizontal.
- Horizontal: You can increase the QRadar processing power with QRadar App Node and Data Node.
- Vertical: You can always implement multiple QRadars: Event collectors and flow, collectors, and then you can route your offenses, such events and flows from one QRadar to the next one.
How is customer service and technical support?
Buying anything, an enterprise must look for troubleshooting and fixing its issues using its support. With QRadar, all those things are easily available and just a click away on the Internet. From IBM Fixlet to dW Answers, you can do a lot.