We just raised a $30M Series A: Read our story
ChrisMcAndrew
Security Operations Manager at a comms service provider with 501-1,000 employees
Real User
Flexible and very scalable with a straightforward setup

Pros and Cons

  • "The solution is quite flexible."
  • "Technical support really needs to be improved. Right now, they aren't where they need to be at all."

What is our primary use case?

We mostly use the product for PCI compliance.

What is most valuable?

We pay a little bit extra for Watson, and the Watson feature enables the analyst to go through and triage things much faster. It's quite useful for us and worth the smaller extra bit of money.

The solution is quite flexible.

We enjoy the fact that it is cloud-based.

The initial setup was very straightforward.

The solution is very scalable.

We've found the stability to be mostly very good.

What needs improvement?

Technical support really needs to be improved. Right now, they aren't where they need to be at all.

The solution is very expensive. We'd appreciate the product more if it came at a lower price point.

What do I think about the stability of the solution?

It is generally very stable. We've had odd little breakages, however, generally, nothing major has gone wrong. The performance is good. It's a reliable product.

What do I think about the scalability of the solution?

The scalability aspect of the product is very good. That was one of the reasons that we bought it. If a company needs to expand it, it can do so with relative ease. It's not hard.

Currently, all the members of the tech ops team use the product, and there are five of them.

We may not increase usage; we may switch to something else. That has yet to be determined. It's not set in stone.

How are customer service and technical support?

We've used technical support in the past and we haven't been satisfied with the level of service on offer.

Trying to get answers out of IBM is like trying to get blood out of a stone. They need to be more helpful and responsive. Right now, they aren't either of those things.

How was the initial setup?

The initial setup was not difficult or complex. It was very straightforward. A company should have too much trouble with the process.

The deployment process was very, very quick as well. There is a collector deployed on our network. We spun that out. You point your log sources at it, you point it at some IP addresses that IBM gives you, and it just works.

What about the implementation team?

We did not use an integrator or consultant for the deployment. We handled it ourselves, with our own staff. Everything was done in-house.

What's my experience with pricing, setup cost, and licensing?

The product is not a cheap solution. it's quite expensive.

We do also pay more in order to use Watson.

Which other solutions did I evaluate?

We're currently evaluating other options to see if we want to switch off of this product in the future. Nothing has been decided. I'm currently doing some preliminary research. We're always looking for solutions that are better or cheaper.

What other advice do I have?

We are just a customer and end-users. We don't have a business relationship with IBM.

We are using the latest version of the solution, as we have the cloud version of the product. Whatever the latest version is, IBM upgrades it automatically. We don't need to worry about that on our end.

In general, I would rate the solution at a seven out of ten. If it were cheaper it might rate a bit higher, however, for the most part, it does what we need it to do.

Which deployment model are you using for this solution?

Public Cloud
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Flag as inappropriate
Abbasi Poonawala
Vice President Derivatives Ops IT at a financial services firm with 10,001+ employees
Real User
Top 5Leaderboard
It has good integrations, easy scalability, and strong technical support, but needs better pricing and more AI features

Pros and Cons

  • "Integrations are quite a useful and key feature of this solution. It has integration with the CVSS score, which is a central point for all the data and scores about the threats. There is an IBM Bluemix dashboard that is integrated with the CVSS score."
  • "I don't look at only the features and benefits; I also look at the price. It is a bit expensive when compared with other solutions. It is expensive for specific deployment topologies, and the decision-makers go for alternatives like ArcSight. It should also have more AI features or capabilities for better threat intelligence. The more it uses machine learning, the better would be the dashboard, analytics, and other things."

What is our primary use case?

It is used to dive deep into threat analysis. It is a SIEM solution that can be hooked up with some of the endpoint security or threat discovery solutions such as Forescout, Qualys, Sophos, and MDM. After the endpoint security or threat discovery solution discovers the threat, QRadar takes it further from that point onwards and allows you to go deep into the threat analysis. It has a lot of integrations, such as with CMDB, and it can do the asset classification. It can also tell the CVSS score. These are the capabilities or use cases. 

What is most valuable?

Integrations are quite a useful and key feature of this solution. It has integration with the CVSS score, which is a central point for all the data and scores about the threats. There is an IBM Bluemix dashboard that is integrated with the CVSS score.

What needs improvement?

I don't look at only the features and benefits; I also look at the price. It is a bit expensive when compared with other solutions. It is expensive for specific deployment topologies, and the decision-makers go for alternatives like ArcSight. 

It should also have more AI features or capabilities for better threat intelligence. The more it uses machine learning, the better would be the dashboard, analytics, and other things.

For how long have I used the solution?

I have been using this solution for five years. 

What do I think about the scalability of the solution?

You can scale it easily in the cloud with a given deployment topology. We have somewhere around 50 plus users.

How are customer service and technical support?

IBM is very strong on the technical support side. They have proper support available across different regions. After the implementation is done, the admin within the organization is in touch with IBM technical support for any day-to-day support requirements.

Which solution did I use previously and why did I switch?

We have been switching for some time between Micro Focus ArcSight and IBM QRadar.

How was the initial setup?

For cloud deployment, you need to go for IBM Bluemix Cloud, and you can deploy easily on a private cloud. You create the stack and use the Bluemix Cloud formation template. If you have the IBM Bluemix Cloud subscription, you can deploy it easily within maybe half a day or one day. You can create all the resources by using the Bluemix Cloud formation template.

For deployment, you need a small team of two or three because it just needs the team to provision the resources on the IBM Bluemix Cloud. For support, we need a bigger team of around 10 plus people.

What's my experience with pricing, setup cost, and licensing?

It is costlier as compared to the other alternatives available in the market.

What other advice do I have?

I would definitely recommend this solution. It is a good solution with good capabilities like integration with CMDB and CVSS score. The dashboard is also really nice. It can help with threat intelligence, and it also has artificial intelligence. It is a futuristic kind of technology because the more AI-driven a product is, the better are the results. We plan to keep using this solution.

I would rate IBM QRadar a seven out of ten.

Which deployment model are you using for this solution?

Private Cloud
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Learn what your peers think about IBM QRadar. Get advice and tips from experienced pros sharing their opinions. Updated: November 2021.
554,586 professionals have used our research since 2012.
JJ
Managed Security Product at a comms service provider with 1,001-5,000 employees
Real User
Top 20
Excellent artificial intelligence component with tricky licensing fees

Pros and Cons

  • "The feature that I have found most valuable is its artificial intelligence component, Watson. Its contribution is pretty good from a machine-learning artificial intelligence perspective. This compliments the orchestration automation component, as well."
  • "The features that could be improved include the licensing model and the dashboards and all those presentations. Overall, the user experience part can be improved."

What is our primary use case?

IBM QRadar is a FIM component within the security operation center we were deploying in the customer environment. We are managing their cyber defense capability.

What is most valuable?

The feature that I have found most valuable is its artificial intelligence component, Watson. Its contribution is pretty good from a machine-learning artificial intelligence perspective. This compliments the orchestration automation component, as well.

What needs improvement?

The features that could be improved include the licensing model and the dashboards and all those presentations. Overall, the user experience part can be improved.

Additionally, the coverage, the connectors, and the flex connectors for legacy systems and other aspects could be improved. This is something they can work on and improve.

For how long have I used the solution?

I have been using IBM QRadar for more than two years.

What do I think about the stability of the solution?

It is a stable product.

It takes two to three people for its management, but it purely depends on the scope of the security operations center, the SOC.

What do I think about the scalability of the solution?

It is scalable. 

It's kind of non-direct user component. It sits under the security operations center, so it won't be visible to the user, but it will be covering devices and users. It can support 100 to 10,000 devices. So it's kind of a back instance.

In terms of plans to increase usage, I'm currently in a management level, so I'm no longer into the directly technical part. But if there is a requirement, IBM QRadar is definitely one of my preferences.

How are customer service and technical support?

IBM technical support is good.

Which solution did I use previously and why did I switch?

We were using ArcSight from Micro Focus, but we were having some challenges integrating with the systems, with the APIs, and with the connectors. That's why we moved to IBM.

How was the initial setup?

The initial setup is at an intermediate, medium level. It's not that straightforward, but not that complex either. The only thing is that their licensing model is a bit complex because they charge for a couple of components like EPS and NetFlow, so that kind of licensing charging is a bit tricky. But all in all, it's a medium, not that complex.

I think it was set up within a month. But use-case finalization and other configurations took another month. It's kind of a two to three month project to move to production completely.

What's my experience with pricing, setup cost, and licensing?

Our licensing is yearly. But it's based on Event Per Second, which is one of the models. Storage capacity for log management is also considered with the fees. Licensing is a bit complex in IBM, as well. Different aspects needs to be considered.

What other advice do I have?

I would recommend IBM to others who want to start using it.

On a scale from one to 10, I would rate IBM QRadar a seven.

Which deployment model are you using for this solution?

On-premises
Disclosure: My company has a business relationship with this vendor other than being a customer: Partner
Attila Mate Kovacs
Senior Cyber Security Expert at a security firm with 11-50 employees
Real User
Top 5Leaderboard
Robust and suitable for large companies with critical infrastructure

Pros and Cons

  • "It is suitable for large companies with critical infrastructure. For our clients, robustness, availability at a high level, and the level of references and experiences connected to the solution are important."
  • "There should be easier and wider integration opportunities. There should be more opportunities for integration with CTI info sharing areas. On platforms where you exchange CTI, there should be more visibility connected to what we share, what we can reach, or what options are connected to CTI info sharing. This is one area where they could add value because we cannot integrate it easily with QRadar. If a client has a legacy or already existing solutions for CTI, we cannot ask them to forget it because we cannot guarantee that QRadar is able to deliver everything connected to this area."

What is most valuable?

It is suitable for large companies with critical infrastructure. For our clients, robustness, availability at a high level, and the level of references and experiences connected to the solution are important. They need to know that other energy players are also using it.

What needs improvement?

There should be easier and wider integration opportunities. There should be more 
opportunities for integration with CTI info sharing areas. On platforms where you exchange CTI, there should be more visibility connected to what we share, what we can reach, or what options are connected to CTI info sharing. This is one area where they could add value because we cannot integrate it easily with QRadar. If a client has a legacy or already existing solutions for CTI, we cannot ask them to forget it because we cannot guarantee that QRadar is able to deliver everything connected to this area. 

For how long have I used the solution?

I have been using this solution for three years.

What do I think about the scalability of the solution?

We have five to ten customers of this solution. My impression is that it can cost a lot to scale upwards. It didn't bother us in most cases, but that could be a problem for SMEs at times.

How are customer service and technical support?

Their support during the operation seems fine. I'm a consultant, and very often, I am offsite. I am not there when clients get into operating QRadar in the long run. So, I know more about implementation than the operation itself.

How was the initial setup?

It requires expertise. If you have the right personnel, you can manage. It wouldn't be easy for a client and admins to set it up without proper support or support from QRadar itself.

What about the implementation team?

Setting it up requires an assistant like us. QRadar plays a role there, but that's not enough. There is also the language barrier. Not every Hungarian company is good in English, and IBM naturally doesn't have full Hungarian support.

It requires cooperation between clients and us. Typically, we send a team of five people that includes tech guys, a project manager, and maybe one process guy, if needed. Generally, you don't have 360-degree professionals, so you have someone good in networking, someone good in log management or log analysis, and so on. Because of that, we need this kind of team. 

The client also has a few people. Typically, we send in more people than the client. These are not full-time people on our side and client-side. 

What's my experience with pricing, setup cost, and licensing?

It could be cheaper, but the value itself is far more important for us than the price. Typically, our clients have yearly subscriptions.

What other advice do I have?

I don't know what I would recommend for SMEs because we never worked with SMEs, but I would be very careful in recommending QRadar for SMEs. 

I would rate IBM QRadar a nine out of 10.

Disclosure: My company has a business relationship with this vendor other than being a customer: Partner
Flag as inappropriate
VijayKumar4
AVP - Cyber Secuirty at Cloud4C Services
MSP
Top 5Leaderboard
A stable solution which allows a single system to be onboarded for all 200 existing customers for monitoring purposes.

Pros and Cons

  • "No doubt about it, the solution is extremely stable."
  • "The implementation of the solution's technology needs to be simplified."

What is our primary use case?

We are using the current version.

What is most valuable?

The solution supports MSSP models, which most service providers have. This means that a single system can be onboarded for all 200 existing customers for monitoring purposes. 

What needs improvement?

The implementation of the solution's technology needs to be simplified. It is overly complex. 

The integration also must be simplified. 

The licensing is also overly complex, as there is a need to buy the work load performance monitoring separately. These are the different modules we need to buy. 

IBM does not provide a combined, combo suitor solution which the customer can easily look at. The multiple functionalities are segmented and do not allow for an idea which is complete. It makes it difficult for us to do a realistic comparison with other products. I hope that others follow suit. 

For how long have I used the solution?

We have been using IBM QRadar for almost eight-and-a-half years. 

What do I think about the stability of the solution?

No doubt about it, the solution is extremely stable. 

What do I think about the scalability of the solution?

The solution needs to be redesigned to allow for scalability or for extending it to the existing one. There is a need to do long-term planning and migration from an existing to a new one and this cannot be easily accomplished. Storage cannot be added to the installation. One must completely migrate to the new storage to add additional terabytes. 

As such, the solution is not quite scalable. The scalability exists, but it requires migration. 

How are customer service and technical support?

We are very happy with the technical support. 

How was the initial setup?

The initial setup was extremely complex. 

What about the implementation team?

We made use of an integrator. 

What other advice do I have?

We have nearly two hundred customers making use of the solution.

We have direct contact with Ingram Micro or have a service partner relationship with it, but work directly with IBM as our ISP. 

We are a managed security service provider and wholesale customer of IBM QRadar

We buy a bulk license from IBM QRadar and host around 200 plus customers in a single integration so that all the customer events will be integrated in one solution. We are not integrators and do not resell their services.

As such, we don't buy the license or sell the tools to others. We will buy a license, inclusive of the services, host it with our private cloud and provide services to the end clients.

Our customer base of IBM users is limited. When it comes to a security operations center team, IBM will be looked to for providing security monitoring on an ongoing basis. We must see that it is working as it should be. 

I would recommend this solution to others. 

I rate IBM QRadar as an eight out of ten. 

Which deployment model are you using for this solution?

Private Cloud
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Flag as inappropriate
PK
Solution Architect Cybersecurity at a tech services company with 501-1,000 employees
Real User
Protects our network from various threats

Pros and Cons

  • "The threat hunting capabilities in general are great."

    What is our primary use case?

    We use this solution for advanced threat detection, insider threat monitoring, risk and vulnerability management, and unauthorized traffic detection regarding our network. We can monitor and detect web attacks with it as well. 

    Within our organization, there are roughly 2,000 to 3,000 employees using this solution. As of now, we don't have any plans to increase our usage of IBM QRadar.

    How has it helped my organization?

    The basic use case of this solution is to identify insider threats. Insider threats are the most dangerous kind of threat for any type of organization to secure. This solution identifies who the insider threats are, and also determines if there are any malicious activities taking place inside of an organization itself. In short, it provides us with real-time visibility so we can identify who the insider threats and what malicious activities are occurring inside of our own network. It also protects our web applications from DNS attacks.

    What is most valuable?

    The threat hunting capabilities in general are great. 

    What needs improvement?

    I was going to say that the reporting could be improved, but IBM recently introduced a new cloud-based security service that integrates with QRadar. Now, reporting is much easier than before. I personally can't think of an area for improvement.

    For how long have I used the solution?

    I have been using this solution for two and a half years. 

    What do I think about the stability of the solution?

    This solution is quite stable. 

    How are customer service and technical support?

    We receive 24/7 support via email; however, we don't have to contact support often because we have our own trained team. They handle most issues.

    Which solution did I use previously and why did I switch?

    We used to use Splunk.

    How was the initial setup?

    How complex the initial setup is completely depends on the customer's infrastructure. If there are lots of tools that need to be integrated, then the setup is going to be really complex. I wouldn't say that the initial setup is complex, it's more moderate than anything. 

    Deployment took two to three weeks from beginning to end.

    What's my experience with pricing, setup cost, and licensing?

    The price of this solution is a little high.

    What other advice do I have?

    Before implementing a new solution, you need to understand your network infrastructure completely. You need to determine if third-party integration is supported or not. IBM Qradar supports a lot of third-party integration because third-party tool integration is often required. 

    Storage also needs to be defined properly as logs need to be kept for a certain amount of time. If you have to store logs for three to six months, then you'll need to ensure that you've evaluated the storage capacity properly.

    Overall, on a scale from one to ten, I would give this solution a rating of eight. We're very satisfied with it. 

    Which deployment model are you using for this solution?

    On-premises
    Disclosure: My company has a business relationship with this vendor other than being a customer: Partner
    Flag as inappropriate
    Daniel Sichel
    User at a healthcare company with 5,001-10,000 employees
    Real User
    Top 5
    Good visibility of network and endpoints, correlate events to specific point-in-time

    Pros and Cons

    • "The ability to transition from microscopic to macroscopic view, instantly, is very good."
    • "I would like to see a better GUI."

    What is our primary use case?

    Our primary use case is intrusion prevention and detection. We also use this solution for compliance and assisting in network troubleshooting for IT.

    How has it helped my organization?

    This has been indispensable in detecting intrusion attempts and many forms of malicious activity. 

    What is most valuable?

    This solution provides amazing visibility into the network and endpoints. The ability to correlate point in time and things happening over time is priceless in today's threat environment.

    The rules can look for things both from log sources and from data traversing your network which is unique in the SIEM world and makes QRadar a consistent magic quadrant leader.

    The QNI file hash in-flight search is helpful.

    The ability to transition from microscopic to macroscopic view, instantly, is very good.

    What needs improvement?

    I would still  like to see a better GUI. improvements have been made but there still a way to go.

    There are pretty annoyances like clicking out of a rule setup and instead of going back to search results in the rules, with the rule you selected still highlighted, you get the whole list without your search. Start again.  In the new lig source management app if you have a large number of log sources typing a name to filter them by is Java Hell, the high overhead of JIT compiled code means that even two fingered  carpal tunnel afflicted users can outpace the type ahead buffer, leaving random intermediate characters on the floor. Needless to say that makes managing log sources sometimes annoying. You can always cut and paste to go around this, but hey for  5 or 6 figures in hardware  and software, it aught to keep up with my typing. 

    But to be fair, these kinds of things are dwarfed by it's awesome ability to ingest and correlate tortured use cases of mind boggling complexity, which is what you REALLY need your SIEM to do. That, QRadar does better than anyone else.

    For how long have I used the solution?

    I have been using IBM QRadar for more about five years.

    What do I think about the scalability of the solution?

    Scalability is very good.

    What's my experience with pricing, setup cost, and licensing?

    This is not a trivial undertaking. You will need at least one experienced user and considerable infrastructure to support this if you use the on-prem version which we did. The cloud version has less overhead but there are some limitations so choose carefully.

    Which other solutions did I evaluate?

    Other solutions were investigated but none none came close to QRadar's capability.

    What other advice do I have?

    If you absolutely positively have to catch the bad guys, and you have a heterogeneous environment QRadar is a great choice.

    Disclosure: I am a real user, and this review is based on my own experience and opinions.
    Oscar Orellana
    Founder at a university with 11-50 employees
    Real User
    Top 10
    A stable, scalable, and easy-to-use solution that lets you view users' activities

    Pros and Cons

    • "The UBA feature is the most valuable because you can see everything about users' activities."
    • "The threat intelligence functionality can be better. In addition, it can have more monitoring capabilities."

    What is most valuable?

    The UBA feature is the most valuable because you can see everything about users' activities. 

    What needs improvement?

    The threat intelligence functionality can be better. In addition, it can have more monitoring capabilities.

    For how long have I used the solution?

    I started to use it two to three years ago.

    What do I think about the stability of the solution?

    Its stability is very good. I don't have any problem with it.

    What do I think about the scalability of the solution?

    It has good scalability. It is easy to scale, but it is a little bit expensive to scale because you have to pay a lot for everything.

    How are customer service and technical support?

    Their technical support is good.

    Which solution did I use previously and why did I switch?

    I have also used Kibana. It is a good tool. The biggest difference between Kibana and QRadar is that Kibana is an open-source SIEM integration solution. So, you need more professionals, and you have to do everything by yourself, whereas in the case of QRadar, you get everything. You are paying not only for QRadar but also for other things like support and integration. In an open-source SIEM integration solution like KIbana, you don't get these things.

    How was the initial setup?

    It is an easy tool for me, so the initial setup was easy for me, but it might not be easy for everyone. If you compare it with Kibana, QRadar is easier to implement.

    The implementation strategy was to follow the users, collect the logs, and then implement QRadar.

    What about the implementation team?

    We implemented it ourselves.

    What's my experience with pricing, setup cost, and licensing?

    Its price is good in terms of efficiency and the number of people required for implementing various things. You might pay more in terms of money, but you might save on the number of people. For example, if you are using Kibana, you have to pay more for people or experts, which is not the case with IBM QRadar.

    What other advice do I have?

    When you go for this solution, you are paying not only for the product but also for integration, good staff to help you, scalability, and many other things. There are many things that you can use in QRadar. It is easy to use.

    I would rate IBM QRadar a nine out of ten.

    Which deployment model are you using for this solution?

    On-premises
    Disclosure: I am a real user, and this review is based on my own experience and opinions.
    Buyer's Guide
    Download our free IBM QRadar Report and get advice and tips from experienced pros sharing their opinions.