What is our primary use case?
We are service providers, and we are always exploring tools to accompany existing tools. I am always searching for the best products to meet my clients' requirements. I always look to understand the technology first, learn what benefits we can get from the product, and how competitive it is with other tools such as Darktrace and Palo Alto.
We are working with this solution, but it is being managed by another vendor.
We are service providers. We are providing SOC service and MSSP services for our clients.
We are working on various products, not one specific product. We can provide services for any product, in fact, any security solution.
What is most valuable?
There have been many advancements made in the most recent year. There are many add-ons included in the licenses that I have yet to explore.
There have been many improvements. When I worked with this solution at the core technical level, it was a SIEM solution. Many attributes have been added, such as threat intelligence, SO solutions, automation, and OT security. Many other platforms have been included as part of IBM QRadar.
The flexibility is good in terms of pulling log files.
What needs improvement?
Automation is an area that people are looking for. IBM does have the SO solutions platform, but it would be more useful if they could have predefined use cases rather than using more generic ones. It would be much better if they could customize their use cases.
The IBM QRadar team has to be proactive and they have to be informative about the product.
They don't want to spend too much money on the SIEM because it is obviously resource-intensive. But the SIEM is a very useful product when you have good resources and good software.
For large organizations that want to integrate all of their log sources, the pricing will be too expensive. This is the main reason that clients are not interested in SIEM solutions.
For how long have I used the solution?
I have been working with IBM QRadar for approximately four years.
I moved into consulting, at the architectural level. I'm not working at the core level, but I know the basics of QRadar and how exactly it functions.
How are customer service and technical support?
Technical support is good.
My personal experience was fantastic. They are always good and we have never had any problems.
There are a lot of online resources available.
What's my experience with pricing, setup cost, and licensing?
When compared with other SIEM solutions, QRadar is considerably less expensive. I would like to compare it with Elasticsearch because they have different pricing strategies.
QRadar is events-per-second (EPS) based, whereas Elasticsearch is resource-based. You have to estimate based on how many resources will be used in the infrastructure, irrespective of log sources and log volumes.
They are charging based on the resources.
Which other solutions did I evaluate?
I'm currently exploring the Elastic Stack (Elasticsearch). Splunk is out of scope for us right now; we're not interested in that. Sentinel is one that we are interested in.
What other advice do I have?
There are many competitive tools that are emerging regarding XDR solutions or SO solutions, which are capabilities that QRadar offers.
The competition is very different across geographical locations.
For the Indian market, locally, they are still working on the old SIEM structure. It is a very generic SIEM model. Western countries, especially North American clients, are advanced in terms of moving the infrastructure to the cloud. Some have OT security and they're also doing some Office 365 advancements and several advanced search engines for endpoint detection.
They are expecting that nothing is left behind without using any licenses. Microsoft provides part of the security services if you go with the EFI license.
As vendors, we need to counter with the important visibility areas and the critical access, which need to be monitored as part of security.
I would rate IBM QRadar a seven out of ten.