IBM Security QRadar Reviews

We are users and implementers of this solution. 

I like the new dashboard which enables us to understand how many real threat attempts are made in a day. I also like the QRadar incident response, we installed the QIF last week. The solution has improved visibility so that we've been able to discover that some of our customers have not had any protection and were very vulnerable. It's an important area. I also find that the user behavior analysis is relatively simple. We are customers of QRadar. 

I think the user management model is very detailed but you really have to know what you're doing just to be able to manage things. I think the solution lacks some maturity. When you put it in a large organization as a security system or a cybersecurity system and you want to enable automation, it's difficult to get that level of maturity. 

We've been using this solution for about 18 months.

The solution is stable. 

The solution is scalable. We have a total of 19 users in the company. The solution is used extensively and we plan to increase the number of users. 

The technical support could be better. I'd rather work with my implementing expert and not the OEM. Although they have the expertise, the development guys are very slow.

We tested a few other solutions including AlienVault, Splunk, Micro Focus, and Outside. QRadar was the best of the breed for our needs and for a big system like ours, it's less complex than Splunk or Outside. 

The initial setup is complex. Theory is one thing and practice is another. We had to go back and forth with IBM just to find the relevant versions with the relevant operating system to sit on the relevant virtual environment. Then we found a few bugs. We are in a production system in a very big organization so deployment was carried out in stages. It took about a month in total to get things working and to start collecting logs. We had help from IBM Azure.
Maintenance is required, you have to watch it, and work on it on a daily basis. 

We pay an annual license fee. On top of that, every model adds to the cost. It's not just the license; the sales people want you to think you're only paying for certain things but we know how it works. 

The pre-design and the low-level design should be very, very, specific. It's important to check that the compatibility is there. If not, neither IBM nor OEM will support you.

I would rate the solution more highly but it's very expensive and given the high cost, I would expect quicker and better service from the OEM so I rate the solution seven out of 10. 

It is suitable for large companies with critical infrastructure. For our clients, robustness, availability at a high level, and the level of references and experiences connected to the solution are important. They need to know that other energy players are also using it.

There should be easier and wider integration opportunities. There should be more 
opportunities for integration with CTI info sharing areas. On platforms where you exchange CTI, there should be more visibility connected to what we share, what we can reach, or what options are connected to CTI info sharing. This is one area where they could add value because we cannot integrate it easily with QRadar. If a client has a legacy or already existing solutions for CTI, we cannot ask them to forget it because we cannot guarantee that QRadar is able to deliver everything connected to this area. 

I have been using this solution for three years.

We have five to ten customers of this solution. My impression is that it can cost a lot to scale upwards. It didn't bother us in most cases, but that could be a problem for SMEs at times.

Their support during the operation seems fine. I'm a consultant, and very often, I am offsite. I am not there when clients get into operating QRadar in the long run. So, I know more about implementation than the operation itself.

It requires expertise. If you have the right personnel, you can manage. It wouldn't be easy for a client and admins to set it up without proper support or support from QRadar itself.

Setting it up requires an assistant like us. QRadar plays a role there, but that's not enough. There is also the language barrier. Not every Hungarian company is good in English, and IBM naturally doesn't have full Hungarian support.

It requires cooperation between clients and us. Typically, we send a team of five people that includes tech guys, a project manager, and maybe one process guy, if needed. Generally, you don't have 360-degree professionals, so you have someone good in networking, someone good in log management or log analysis, and so on. Because of that, we need this kind of team. 

The client also has a few people. Typically, we send in more people than the client. These are not full-time people on our side and client-side. 

It could be cheaper, but the value itself is far more important for us than the price. Typically, our clients have yearly subscriptions.

I don't know what I would recommend for SMEs because we never worked with SMEs, but I would be very careful in recommending QRadar for SMEs. 

I would rate IBM QRadar a nine out of 10.

The solution is primarily used for threat detection and response. QRadar can be integrated with other services from IBM such as Watson, among others. The main need is for threat detection, incident response, and dealing with threats or hunting threats. 

What else? I mean, it's always you're looking for threats. Usually, whoever buys this SIM solution or buys QRadar, for example, is looking for hidden threats and they get the logs to see what's happening within their system. They want a solution that looks very deep inside in order to correlate those logs and see if there's any information that they can get out of those logs or even live packets that are spanning through their networks. Therefore, it's usually threat hunting. That's the main thing, Others might use it to understand the system, and how it's performing overall.  However, that's the lesser use case.

Inside IBM QRadar there are a lot of engines that actually work to help us to do the correlation and normalization as well for the logs that we're receiving from multiple devices. IBM is very powerful in that regard. 

QRadar, as a solution, can integrate with a lot of other applications. You can write your own custom rules if you want to. We can ask it to detect whatever we want it to, even with the devices that are not supported to send logs. IBM QRadar can understand these types of commands and we can still integrate and write our own rules to help us to detect those logs that are coming from, for example, IoT devices or from other devices that usually we don't understand.

It can handle really a huge number of logs with fewer false positives. We can use the artificial intelligence and the rules that IBM is providing to make it really smart. The solution can help you predict even the false positives when we are alerting the admin or the security admin about some offenses that we have seen from the logs.

Their product is very user-friendly.

Customer service is very good and very helpful.

The initial setup is quite straightforward.

The solution can scale.

The solution is very stable.

As per Gartner, maybe the price makes it so that the customers are not going for IBM QRadar. It's a little bit pricey compared to other solutions in the market. More or less that's the area that needs to be improved. That's usually the main concern that we receive from the customers - that it's a little bit pricey. That's the only thing I can say.

The custom rules could be simplified more or it should be possible to use a different language, other than the ones that the solution is already using. They should add other languages into the mix. You need some advanced customers in order to use the custom rules or to use their rules in order to configure the IBM QRadar in a proper way. Usually, they find it very difficult, especially if they don't have the experience.

Sometimes it works and catches whatever we want, however, sometimes it doesn't work. That's in rare cases, however, that's one thing that they need to maybe enhance.

I've been working with the solution for three years or so.

For stability, I'm not a customer who's using it on daily basis, however, from feedback that I'm getting from the customers who are attending to the solution, I've heard that this solution is stable. That's why it's in the leader area in Gartner. If you compare it to others in Gartner, it shows how their product is actually efficient. Whether I get QRadar, whether it's Splunk, whether it's LogRhythm, all of those products as a SIM are very good at that point. They're all quite reliable.

The scalability is very good. The product is scalable. A company shouldn't have trouble expanding it if they need to.

We typically work with banks and bigger organizations.

Technical support has been very good. They are helpful and responsive.

I've also learned a lot from the documentation, especially the online documentation. Due to the fact that I'm an official instructor for IBM, I have my other resources too, on the Learning Center from IBM. Documentation is not a problem. It's very helpful.

The initial setup is very straightforward. It's not overly complex. It's quite easy.

The deployment takes time, definitely. You've got to prepare for your solution so that it's going to work in spanning all the other devices too. That doesn't mean it's a complex process, it just means it takes a bit.

IBM QRadar is pricey, and therefore, usually small enterprises are not able to afford it. Usually, probably most of the customers are usually large enterprises.

I'm actually teaching IBM and some services such as IBM QRadar, as part of my work. I'm familiar with Splunk, however, I'm not working with it on a daily basis. I'm teaching that technology to others. I'm not a customer. I'm using it for teaching purposes. I'm working in a training center. I'm not dealing with it on a daily basis, however, I understand how the product works. We do sometimes help integrate it and work as consultants occasionally as well.

While 7.4 is out, we're currently working with version 7.3.

Overall, I would rate the product at an eight out of ten. There's more to be done on it, however, we are mostly pleased with its capabilities.

The primary use case of this solution is for monitoring an enterprise data center, globally for 12,000 devices.

It has improved the way that the organization functions.

The most valuable feature is the searching capability and real-time operational use.

Some of the cloud apps need improvement.

In the next release, I would like to see improving the stability of some of the add-on applications.

I have been using IBM QRadar for two years.

We are using the current version.

Stability is moderate.

We have 15 people using this solution in our organization. Their positions vary from Network Engineers, Security Engineers, and Security Analysts.

It's very scalable.

Technical support is good.

I would rate them a nine out of ten. Their response time is good.

Previously, I did not use another solution.

The initial setup is complex. It's just the nature of the CM tool.

I think that the price is fair, but we can always say that the price could be cheaper.

Like any complex enterprise CM tool, you have to have a strong support organization. People who are good at understanding Linux operating systems. You also need a strong technical support team in-house.

I would rate this solution an eight out of ten.

This is a security monitoring product and the primary use case is to detect strange behavior by users. For example, if we have a user that has not used the service for a long time and then all of a sudden, somebody logs in one night. This is not normal and the system will detect it. This is just one example of many use cases.

Integration is very easy and the reporting is good.

This is a good product, although it does require some fine-tuning.

The dashboard is pathetic and it takes a long time to perform a search.

The graphics need to be improved.

Providing good support is something that they need to work on.

It would be helpful if IBM published more use cases.

We have been using QRadar UBA since 2016.

The issue that I have with technical support is related to their large pool of resources. If you are lucky then you get good support, but sometimes you get pathetic support. Suppose you open a ticket, there are times where it will be very good, but the quality is intermittent.

I have experience working with Splunk and I find that the searching capabilities are better with it. Also, the processing time in Splunk is better. With QRadar UBA, when you have three, four, or five rules together, it takes more time to respond.

The complexity and length of time required for the initial setup depend on the requirements. There are some out-of-the-box features that can be implemented right away, but some equipment is not supported directly, so you need to write a DSM (device support module).

Implementing a DSM takes some time, although it will depend on the log source. If the log source is fully compatible then it will be very quick. However, if it is not compatible then you will need to do some scripting and other work.

The price of this product is high.

QRadar is not perfect. It's a good security monitoring product that can provide threat intelligence, but it cannot do it alone. You need to integrate with many other things, such as IBM Orchestrator. Also, you need to have X-Force. After these kinds of things are integrated, it works a little bit better.

I would rate this solution a six out of ten.

Our primary use for this solution is to collect and correlate our logs. We also create appropriate alarms based on the contents of the logs.

This solution provides me with various alarms, and I have found security issues with some of my other products. We also have some special correlation rules that give me information about mail servers, websites, and other user behavior.

The most valuable feature is user-behavior analytics, where it will create logs based on the users' behavior and report suspicious events or other anomalies. I am working with the data analytics so it is a very good one for what I am doing. 

There is a lot of manual configuration required in order for the product to run smoothly, and I think that it could be made more automatic. There is no need for so much manual configuration. For example, it should be able to automatically create at least some of the rules that are suitable for our environment.

The solution has a good user interface, but it could be further developed. I have used other products that are more user-friendly. I would rate the user interface a six out of ten.

We have not experienced any bugs or vulnerabilities, so the stability seems to be fine.

The scalability seems great.

We have five hundred people in our company. All of them are end-users, except for myself and one of my colleagues who are administrators. We have more that one hundred assets, such as databases, that are monitored by this solution.

I have never used technical support for this solution.

The initial setup for this solution is very easy. It is an image file, and we haven't had any difficulties in the setup. After installation, there are many things to do. Again, the difficult part is the configuration of the product.

The installation period was very short, at perhaps one or two weeks. The configuration takes six months or more.

We have a technology company, and we are working with them for deployment and maintenance. They spend one or two hours per week maintaining this solution.

We have not calculated ROI.

I am familiar with products from other vendors, such as McAfee. We specifically evaluated Splunk, which is a good solution but there is no local partner in Turkey for support. Having a local partner is very important to us.

We chose this solution because we have a good relationship with IBM, and they are able to provide us with local support.

There are many good products and solutions on the market, but for implementation and maintenance, I can say that the most important thing is local support.

We do not have any issues with this product, and we have seen the benefits of it. It is easily configured and installed, and we have a local team to support it. It does have issues in terms of user experience, however.

I would rate this solution an eight out of ten.

The primary use case for us is the plug and play implementation and it is pretty easy to set it up, and scale up the SIEM. It has a kind of a functionality to it. 

It is really helpful to us from the compliance point of view. Whenever we had an external lawyer come in, he used to ask us for the data retention and log retention. So, QRadar could put out reports that could audit for us within the log collections. It was very helpful for us to meet compliance requirements.

In addition, it is a helpful solution for forensic analysis. It will easily perform Google type searches and get the logs searched easily. This is really helpful for us, and gives us a quicker investigation.

The most valuable feature is that it is a one stop solution for many things. It is a manager for vulnerability, functionality, packet filtering, packet analysis and log analysis.

They have introduced a lot of different suite of products and functionalities and that sometimes leads to confusion among the customers. There are a lot of options to provided and then I need to decide, what is my requirement, and what is my desire. I may be tempted to have a particular feature, but I have to decide whether it is relevant or not.

The stability is very good. There is not a single point lacking in terms of stability. And, I have never faced technical issues.

The scalability is good, especially with the introduction of data nodes. As of now, it is not a problem.

The tech support is not that good. They often rely on their learned knowledge base, instead of getting their hands dirty upon the actual case issues. They just think of the traditional approach of "OK, try this, or that." Obviously, we already know which steps to follow, we need for them to come up with some out-of-the-box solutions. This delays the process of finding a solution to the problem. Unfortunately, this happens a lot.

I previously used Splunk. And, we considered Sumo Logic, which has a similar kind of functionality. But, they are still in a very premature stage in terms of the product development.

The initial setup was straightforward. It was not complex or difficult. It is not complicated.

The cost of this product is expensive.

If you are a medium to large size enterprise, you can surely consider IBM as one of the major contenders for your selection. If you are a small enterprise, QRadar may be too much for you, it may be too complex.

When deciding on a solution, we always consider:

• Cost-benefit
• Shelf-life of the solution
• Security of the solution

It has improved our ability to research and detect anomalous behavior and activity within our network. It has really helped us in our ability to research active threats. We saw the threats when we implemented it, and we saw that we had all kinds of deficiencies in our network infrastructure that we were unaware of previously.

It has the ability to summarize all the other security products and give us a one-stop-shop dashboard.

IBM has added a new UBA (User Behavior Analytics) app to QRadar that uses the cognitive abilities of Watson to detect and prioritize user activity and risks on the network. It analyzes log activity already recorded so it can begin providing insights quickly after installation.

I'm anxious to see the Watson integration. We just finished an upgrade of our appliance so that we can be eligible to do the Watson integration. I'm anxious to see how that works.

It works well. We've been using it for a year now. It's helped us greatly to cut down on the time it takes to research a problem or to actually find the problem.

In terms of scalability, so far, so good. What we've purchased so far is well with the infrastructure that we have. I know there are options to buy additional components should I need them.

We use a business partner for implementation and support. They are always involved with it. They are not IBM.

We weren't previously using a different solution. As security becomes more and more important, we added different security components from IBM, with QRadar being the last one. We needed some way to see all the data, all the information, and get it together in one single source of truth.

I was involved as far as picking and approving the solution. I was not involved in the installation.

We try to do everything all at once.

Find the right partner to help you do the implementation.

When picking a vendor, we look for the support, the ease of the installation, and the future of the product.