IBM QRadar Room for Improvement
There are a lot of things they are working on and a lot of technologies that are not yet there. They should probably work out a better reserve with their ecosystem of business partners and create wider and more in-depth qualities, third-party tools, and add-ons. These things really give immediate business value. For instance, there are many limitations in using SAP, EBS, or Micro-Dynamics. A lot of things that are happening in those platforms could also be monitored and allowed from the cybersecurity risks perspective. IBM might be leaving this gap or empty space for business partners. Some larger organizations might already be doing this.
It would be very nice if IBM could make some artificial intelligence part free of charge for all current QRadar users. This would be a big advantage as compared to other competitors.
There are companies that are going in different directions. Of course, you can't do everything inside QRadar. In general, it might be very good for all players to provide more use cases, especially regarding data protection and leakage prevention. There are some who are already doing some kind of file integrity or gathering some more information from all possible technologies for building anything related to the user and data analysis, content analysis, and management regarding the data protection.
Security Analyst at a hospitality company with 10,001+ employees
One thing one has to be aware of is that QRadar doesn't have a standard UI style, but older (clunkier) and newer (more modern and easy to use) screens. The QRadar UI involves a lot of clicks and pop-ups to get where you want, which is certainly not the best UX, but isn't a total pain either. Although it's a bit difficult to navigate through screens at first, the UX is pretty good once you learn the "QRadar way", which takes a few weeks to master.
Senior IT Technical Support at a training & coaching company with 1,001-5,000 employees
As per Gartner, maybe the price makes it so that the customers are not going for IBM QRadar. It's a little bit pricey compared to other solutions in the market. More or less that's the area that needs to be improved. That's usually the main concern that we receive from the customers - that it's a little bit pricey. That's the only thing I can say.
The custom rules could be simplified more, or it should be possible to use a different language other than the ones that the solution is already using. They should add other languages into the mix. You need some advanced customers in order to use the custom rules or to use their rules in order to configure IBM QRadar properly. Usually, they find it very difficult, especially if they don't have the experience.
Sometimes it works and catches whatever we want, however, sometimes it doesn't work. That's in rare cases, however, that's one thing that they need to maybe enhance.
A lot of information that we receive for the devices is IP-based, but it would help if we could have a default dashboard in which we can add more details about the assets for which we are receiving the information. For example, if it is a Windows or Linux device, we only get the IP for that particular device. We don't really get the name and other details of that particular device. For that, you have to drill down into your own asset management system. It would be good to have a place where we can probably add this information so that we don't have to look into other tools.
Right now, if you look at the compatibility, if you need to deploy QRadar in a physical appliance you have only two choices of server, their own or a Lenovo server. In today's world, you cannot keep something tied to such a big brand. Clients want to be able to use whatever type of server they want. It's very limiting for many. You need that flexibility to deploy on any Intel platform.
IBM doesn't have people in every corner of the world. Oracle, for example, is actively training and certifying people so that companies will have access to local connections. IBM is lacking this, and therefore it can be difficult to get qualified support when a customer needs it. They should try to replicate the Oracle approach to training and certifications.
The performance of the solution could be improved. Right now, it's the weakest aspect. I wish it was better.
Technical support could be improved by a bit.
Senior Solutions Architect at a manufacturing company with 51-200 employees
When it comes to what could be better, it is always what others are trying to do and what the roadmap is. It can have more integration. It should have more flexible RESTful APIs for integration with applications. These are the things that are always in demand for any of the SIEM solutions, not only for QRadar.
Integration is ever-evolving. Nowadays, different versions of mobile handsets are there and data is getting scattered. Users are using their personal handsets to keep the data of the organization. So, it should have a more flexible integration, irrespective of the flavor of the firmware and iOS or Android version. It should have an API that can seamlessly get integrated. It should also provide more flexible control and a more advanced or analytical view to see what exactly is happening across the globe or network. From wherever a user is connecting and accessing the enterprise data, it should give real-time visibility and predictive visibility about what exactly is happening. These things are already there, but there should be more advanced control in terms of managing the security.
Analyst at a tech services company with 501-1,000 employees
There are two ways you can pull logs: one way is where you can receive logs or send logs using the agents and previous transformation, and the other way is where QRadar logs onto the servers using the admin account and then pulls the logs itself. The functionality that I would love to see with that remote pulling is to have the ability to also select what logs it's pulling, because when you use MSRPC now to receive logs from your log source, it basically pulls all the events from that server. So there are even the noisy events that would overshoot your EPS. It would also pull those. So for particularly active or high servers that generate a whole lot of security events, let's say like your SFTP server that has a lot of devices on your network connecting to it, if you try to pull the logs remotely it would overshoot your EPS really quickly.
So if there was a function where they could improve the functionality of the remote pull to also be able to select the logs that it is pulling from the log sources, that would be very, very effective. The reason for the pull is because the agents are not tamper-proof and any administrator can help shut down the service and uninstall the application and a whole lot of other things. Basically your listening agent is at the mercy of the administrators, and for a security device or security software, that is a big vulnerability, because anybody can then go into the server, stop the agent, and then run any command or make any change they want to do. That includes switching the agent back on, which would make your monitoring null and void. It would be good if the agent itself could be tamper-proof. And back to the first point, the reason why I prefer the remote pull is that if there's no agent on the server and it's the console logging onto the server, your monitoring is much more secure. Regardless of what changes are being made on the server or what's going on on the server, if the server is shut down and then a newer version is brought up with the same host name and IP address, you would not need to go back in and re-install the agent. The console would just automatically connect back to that server once the IP address and the host are back up.
Additionally, I would like the rule creation interface to be much more user-friendly in the next release.
SOAR is what is expected the most from QRadar. They have something called SOAR Resilient, and it would be great if that gets induced in SIEM. IBM QRadar (as well as McAfee ESM) should have analytics platform integration. Currently, SIEMs don't have full-fledged integration with analytics where we are able to dump our data in SIEM, and the same data can be called from different analytics applications. We should be able to bring this data to a platform like Hadoop for big data and run the analytics there. Currently, people are seeing the past data and taking some actions in the present, but when it comes to analytics, there should be futuristic data where you can predict something out of your present and past data. Apart from that, I would like to see a full-fledged ITSM tool in QRadar.
It sometimes has some technical issues that need to be checked. It requires a dedicated QRadar engineer to completely manage it. It has different module sets, such as event collector and event processor, and some technical glitches come in between. It takes the log but doesn't exactly process it in the way we want.
If its pricing can be reduced, it would help a lot of customers in bringing in a new SIEM environment.
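As an added example (not the page's or IBM's code) for the remote-pull versus agent discussion above: per-source event-rate budgeting, keeping only selected event IDs before they count against EPS, and detecting a source that has gone silent, which is the observable symptom of a stopped agent. Hosts, timestamps and the event IDs treated as noisy are constructed sample data.

```python
"""Added example (not QRadar's or IBM's code): budgeting per-source event rate,
selecting which event IDs a pull keeps, and spotting a source that has gone
quiet. Hosts, timestamps and the choice of 'noisy' IDs are constructed."""
from collections import defaultdict

# Constructed feed of (epoch_seconds, host, event_id). 'sftp01' plays the busy
# server from the review; 'db01' stops reporting, as a stopped agent would.
SAMPLE_EVENTS = [
    (1000, "sftp01", 4624), (1000, "sftp01", 5156), (1000, "sftp01", 5156),
    (1000, "sftp01", 5156), (1001, "sftp01", 5156), (1001, "sftp01", 5156),
    (1000, "db01", 4624),   (1002, "db01", 4672),   (1001, "dc01", 4624),
    (1300, "dc01", 4768),   (1301, "sftp01", 4625), (1302, "dc01", 4769),
]


def peak_eps(events, host=None):
    """Highest events-per-second observed for `host` (or the whole feed)."""
    per_second = defaultdict(int)
    for ts, h, _ in events:
        if host is None or h == host:
            per_second[ts] += 1
    return max(per_second.values(), default=0)


def over_budget(events, budget_eps):
    """Hosts whose peak rate exceeds the EPS share allotted to them."""
    hosts = sorted({h for _, h, _ in events})
    return [h for h in hosts if peak_eps(events, h) > budget_eps]


def drop_event_ids(events, noisy_ids):
    """Client-side selection of event IDs before they count against EPS,
    i.e. the filtering the reviewer wants the remote pull to support."""
    return [e for e in events if e[2] not in noisy_ids]


def silent_sources(events, now, max_gap):
    """Hosts whose newest event is older than `max_gap` seconds at `now`.
    A source going quiet is what a stopped or uninstalled agent looks like
    from the SIEM side, so it deserves an alert of its own."""
    last_seen = {}
    for ts, h, _ in events:
        last_seen[h] = max(ts, last_seen.get(h, ts))
    return sorted(h for h, ts in last_seen.items() if now - ts > max_gap)


if __name__ == "__main__":
    print("peak EPS, raw feed:", peak_eps(SAMPLE_EVENTS))
    print("over a 3 EPS budget:", over_budget(SAMPLE_EVENTS, 3))
    trimmed = drop_event_ids(SAMPLE_EVENTS, {5156})
    print("over budget after dropping 5156:", over_budget(trimmed, 3))
    print("silent for >120 s at t=1310:", silent_sources(SAMPLE_EVENTS, 1310, 120))
```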
Head of Project office
In terms of the government sector, sometimes they do not have enough money to buy a full SIEM. That's why they ask about some parts of the SIEM system or core. It can be expensive.
It would be ideal if they offered a barebone setup alongside an appliance. It's very interesting for different kinds of customers. Most of them prefer the core appliance, yet some of them prefer barebone.
It would be ideal if the solution offered new connectors to other systems.
The reporting system could use some upgrading.
Rama Krishna Bhaskarayani
Founder at Halainfosec
Automation is an area that people are looking for. IBM does have the SO solutions platform, but it would be more useful if they could have predefined use cases rather than using more generic ones. It would be much better if they could customize their use cases.
The IBM QRadar team has to be proactive and they have to be informative about the product.
They don't want to spend too much money on the SIEM because it is obviously resource-intensive. But the SIEM is a very useful product when you have good resources and good software.
For large organizations that want to integrate all of the log sources, the pricing will be too expensive. This is the main reason that clients are not interested in SIEM solutions.
Information Security Specialist at a comms service provider with 501-1,000 employees
I really didn't like QRadar, to be honest. I inherited it. I was part of the reason that we moved over to LogRhythm. The solution just isn't user-friendly.
The solution is clunky.
The interface could be much better.
The integration capabilities within the product are not that great.
IT Security Analyst at a manufacturing company with 10,001+ employees
In terms of where it could be improved, this includes its forensics, incident response, and security operation center features. Additionally, some also struggle with the rules. We need more features in order to create rules to detect or to meet some requirements for other areas, such as catching the event from other authentication tools, like in Okta, for example.
In some cases, I have issues because some tools are not integrated in QRadar, such as other tools similar to DLP (Data Loss Prevention). We need to create all the integrations manually because they are not integrated in QRadar. We have a problem, for example, because they have Symantec DLP integrated in QRadar, however, it is not working because it's not detected automatically. It is not converting all the columns, but we do have the option to create manually. This is not difficult because it's very clear in the procedures.
Security Analyst at a tech services company with 51-200 employees
The solution has definite room for improvement. There were certain bugs we had to deal with. Bigger issues involve the quantity of rules involved in its deployment. Also, false positives can be obtained and there is a need to fine-tune the solution once every month or two until everything is correct.
The stability and product support should also be addressed.
When an offense occurs, the source IP will automatically provide a source username which is not correct. For reasons I don't understand, it uses the team or the name of the last user of the computer and this is not always accurate. This means that there are times that I obtain offenses that are ascribed to my boss and which serve him. The solution ensures that the host is vulnerable to another attack. The solution will estimate that the targeted host is vulnerable to certain attacks.
Moreover, the solution may provide information of attacks that failed or that are irrelevant, such as vulnerabilities involving modems in which the target host is the Windows Server. This begs the question of why an offense that was and will always be blocked must be generated, such as that involving vulnerability from a modem.
Technical support really needs to be improved. Right now, they aren't where they need to be at all.
The solution is very expensive. We'd appreciate the product more if it came at a lower price point.
I don't look at only the features and benefits; I also look at the price. It is a bit expensive when compared with other solutions. It is expensive for specific deployment topologies, and the decision-makers go for alternatives like ArcSight.
It should also have more AI features or capabilities for better threat intelligence. The more it uses machine learning, the better the dashboard, analytics, and other things would be.
Managed Security Product at a comms service provider with 1,001-5,000 employees
The features that could be improved include the licensing model and the dashboards and all those presentations. Overall, the user experience part can be improved.
Additionally, the coverage, the connectors, and the flex connectors for legacy systems and other aspects could be improved. This is something they can work on and improve.
The implementation of the solution's technology needs to be simplified. It is overly complex.
The integration also must be simplified.
The licensing is also overly complex, as there is a need to buy the workload performance monitoring separately. These are the different modules we need to buy.
IBM does not provide a combined, combo suitor solution which the customer can easily look at. The multiple functionalities are segmented and do not allow for an idea which is complete. It makes it difficult for us to do a realistic comparison with other products. I hope that others follow suit.
Solution Architect Cybersecurity at a tech services company with 501-1,000 employees
I was going to say that the reporting could be improved, but IBM recently introduced a new cloud-based security service that integrates with QRadar. Now, reporting is much easier than before. I personally can't think of an area for improvement.
I would still like to see a better GUI. Improvements have been made, but there is still a way to go.
There are petty annoyances like clicking out of a rule setup and, instead of going back to the search results in the rules with the rule you selected still highlighted, you get the whole list without your search. Start again. In the new log source management app, if you have a large number of log sources, typing a name to filter them by is Java Hell: the high overhead of JIT-compiled code means that even two-fingered, carpal-tunnel-afflicted users can outpace the type-ahead buffer, leaving random intermediate characters on the floor. Needless to say, that makes managing log sources sometimes annoying. You can always cut and paste to get around this, but hey, for 5 or 6 figures in hardware and software, it ought to keep up with my typing.
But to be fair, these kinds of things are dwarfed by its awesome ability to ingest and correlate tortured use cases of mind-boggling complexity, which is what you REALLY need your SIEM to do. That, QRadar does better than anyone else.
The threat intelligence functionality can be better. In addition, it can have more monitoring capabilities.
In terms of what could be improved, I would say the script which we have to create for custom actions. QRadar needs to improve that feature. Additionally, QRadar has to provide the playbooks designing features.
Information Security Manager at a comms service provider with 1,001-5,000 employees
Head of IT Security, Governance and Compliance at a consumer goods company with 10,001+ employees
The modularity could be improved.
General manager at a tech services company with 201-500 employees
They should speed up the incident response and also, at the same time, reduce the amount of manual effort that is required.
A nice enhancement would be the incorporation of more artificial intelligence and machine learning capabilities.
R&D Design Engineer at DOGA
I'm not sure if there are any features missing from the solution. It's pretty complete.
The pricing of the solution is a bit high. If they could lower it, that would be ideal.
Queretaro at a tech services company with 1-10 employees
The initial setup requires that you have somebody with the proper skill set, and it would help if the configuration were easier.
SOC Team Lead at a financial services firm with 1,001-5,000 employees
There could be better integration with the solution.
Deputy General Manager at a comms service provider with 5,001-10,000 employees
Since we have not used the solution very long, my information is limited when it comes to improvements. I have noticed the interface has room for improvement.
The product needs to improve its GUI. The dashboard which they facilitate needs to be modernized. They could make it a lot better and a lot easier to navigate.
Director of Information Security at a financial services firm with 501-1,000 employees
Some of the cloud apps need improvement.
In the next release, I would like to see improved stability of some of the add-on applications.
Sr. Network Engineer at a computer software company with 10,001+ employees
I am looking for a solution to replace IBM QRadar. We use it for incident reporting, but I need one for behavior analytics. I need one which will send alerts in the event of any behavior.
The solution is fine for analyzing logs. We already have basic modules. We require more modules so that we may obtain further details. We essentially use IBM QRadar for analyzing particular logs.
There are no additional features which should be added or upgraded in the next release.
Sr. Information Security Analyst at an insurance company with 51-200 employees
The user interface is a bit difficult to get used to. Once you do, it's not difficult.
Vice President at a financial services firm with 10,001+ employees
The solution should enhance its capabilities of UEBA and AI/ML tech modeling.
QRadar needs to be more specialized, along the lines of what other SIEM solutions are. It needs to be more detailed.
Incorporating an AI component is needed, where the learning feature identifies malicious activities coming into the network.
The GUI and reporting need to be improved.
The footprint needs to be optimized because the application footprint is too heavy. The machine requires a very high amount of resources.
The solution is highly used here in Pakistan and in many sectors; they could improve it by having more SIEM connectors.
Professional Services at a tech services company with 51-200 employees
The support process needs to be improved.
Every SIEM solution has issues with plugins, as they have to connect to different log systems. It can affect security, infrastructure, and other things. IBM should continue to expand its database and cover as many systems as possible.
Shaikh Jamal Uddin
Cybersecurity Architecture and Technology Lead at Appxone
Artificial intelligence is superb; QRadar correlates the events smartly and removes the same events, but it needs improvements.
Regional Director, Customer Success (GTM Solutions & Services) at a tech services company with 51-200 employees
IBM is going through some problems with its resources currently, making its support response time slow.
Practice Head at a tech services company with 51-200 employees
The technical support can be improved a little bit, and the price could be cheaper.
There is a shortage of skilled individuals with knowledge about the solution. There should be more training programs to teach and enable users to get familiar with it.
The biggest drawback of this solution is the price.
The threat detection needs improvement; they have many false positives.
It is important to have good architecture. If you have problems and you don't have a strong architecture, you will have trouble with this solution.
AVP - Security at a tech services company with 501-1,000 employees
This solution is on-premise, and many customers are moving to cloud-based solutions.
Senior Security Engineer at a wholesaler/distributor with 10,001+ employees
In a future release, the solution could provide malware analysis.
Cybersecurity Business Development Manager at a comms service provider with 10,001+ employees
There needs to be better integration with other applications.
Pre-Sale Consultant (Technical) at a tech services company with 51-200 employees
We have had problems with networking.
President, Consultant, Trainer at MEI Security
We would like to see better instrumentation for debugging changes in the log flow.