IBM QRadar Review

Enables us to handle the most critical attacks and integrates well with other solutions

What is our primary use case?

We are using it for SIEM, for Security Information and Event Management. We're gathering the logs and doing analytics on how we are going to react to security incidents.

How has it helped my organization?

With QRadar we managed to focus on the more critical incidents that we have experienced. As a result, we have managed to decrease the most critical incidents, most critical attacks. Now we're focusing on the ones that are not too heavy, not too critical. As of the moment, we are more secure than before.

What is most valuable?

One of the most valuable features is its ability to integrate with other solutions. In our current setup, we need a holistic view of our network to provide better service. Therefore, integration with our security tools and infrastructure is a must. We managed to get our NGFW, Endpoint Security, network servers, compliance tools and others to integrate with QRadar which enables our team to better understand what is happening in our network and respond accordingly.

What needs improvement?

The first area for improvement is the cost. It's a little bit too expensive for us. 

Also, initially it was difficult to understand or to grasp, but once you get the hang of it is easier to understand and to analyze. So the main problems are its cost, the maintenance cost, and the fact that it takes some time to learn how to use it.

In terms of additional features, a mobile app would be nice. Also, the reporting is definitely okay, but you have to make sure that everybody with different roles can understand it. There is room for improvement in the reporting.

For how long have I used the solution?

One to three years.

What do I think about the stability of the solution?

It's very robust. If it fails it does not really harm the network. It just gathers information and that's the important part. It has not failed, it's been working since day one so there is no problem. As long as the server that you install it on is working fine, it's very reliable. It's very stable.

What do I think about the scalability of the solution?

It's also scalable yes. You can adjust the number of devices it communicates with so there is no problem with scalability.

How are customer service and technical support?

I have not yet contacted technical support. I have not encountered any problems. So far, we have had no need for them. We have just fixed things ourselves.

Which solution did I use previously and why did I switch?

We did not use any solutions before QRadar.

How was the initial setup?

It's straightforward. We just had to connect it to our servers, to our security solutions, and that was it. Everything was already communicating.

We are just a small company, so the deployment did not take that long, about a month to a month-and-a-half. It didn't involve too much downtime since we're just monitoring a few servers and a couple of security tools.

What about the implementation team?

We are directly in touch with IBM and we have an IBM security specialist. He usually gives us pointers and he's the one who also gave us a little bit of training and knowledge transfer.

What's my experience with pricing, setup cost, and licensing?

It's too expensive. The licensing is also a little bit difficult to understand because you have to license it per event and per number of flows. So you have to understand the difference between a flow and an event, and then you have to forward that to the resellers, the distributors, and to IBM. That part took a long time for us. Now we're adjusted to the process.

Which other solutions did I evaluate?

We did evaluate some, like LogRhythm. We found that LogRhythm was more difficult to understand because it was a little bit too static. I believe they have already improved but, as of the moment, we are still happy with QRadar.

What other advice do I have?

My advice is to take your time. It depends on your network, on what you want to gather information from. Make sure that the networking and the cybersecurity teams are working towards a common goal. The solution is very much worth it. You can gather all the information that you need as long as you know first what you need.

This solution is mainly for the Security Operations Center, so there are just three or four users. But it's one of the key tools for us to identify threats and attacks. The users are security operations analysts and threat hunters.

In our case, deployment and maintenance requires just a few people. They are the network administrators and our cybersecurity engineers.

At the moment we have no plans to increase usage. If the company grows, usage should grow as well. The company is growing but, as of the moment, we are planning for expansion. That's why the solutions that we carry are already built for expansion for the next three to five years.

I would rate QRadar at eight out of ten. It's not perfect and the big issues would be the price and it that it takes some time to understand it. But so far, it's one of the best solutions out there.

**Disclosure: My company has a business relationship with this vendor other than being a customer: Partner.
Add a Comment