
IBM QRadar Overview

IBM QRadar is the #2 ranked solution in Log Management Software and among the top Security Information and Event Management (SIEM) tools. IT Central Station users give IBM QRadar an average rating of 8 out of 10. IBM QRadar is most commonly compared to Splunk (IBM QRadar vs Splunk). IBM QRadar is popular among the large enterprise segment, accounting for 46% of users researching this solution on IT Central Station. The top industry researching this solution is computer software, with professionals from computer software companies accounting for 29% of all views.
What is IBM QRadar?

The IBM QRadar security and analytics platform is a lead offering in IBM Security's portfolio. This family of products provides a consolidated, flexible architecture for security teams to quickly adopt log management, SIEM, user behavior analytics, incident forensics, threat intelligence, and more. As an integrated analytics platform, QRadar streamlines critical capabilities into a common workflow, with tools such as the IBM Security App Exchange ecosystem and the Watson for Cyber Security cognitive capability.

With QRadar, you can decrease your overall cost of ownership through improved threat detection, and enjoy the flexibility of on-premise or cloud deployment, plus optional managed security monitoring services.

IBM QRadar is also known as QRadar SIEM, QRadar UBA, QRadar on Cloud, QRadar.

IBM QRadar Buyer's Guide

Download the IBM QRadar Buyer's Guide including reviews and more. Updated: November 2021

IBM QRadar Customers

Clients across multiple industries, such as energy, financial, retail, healthcare, government, communications, and education use QRadar.


Archived IBM QRadar Reviews (more than two years old)

MA
Information Security Manager at a comms service provider with 1,001-5,000 employees
Real User
Top 20
It is very stable. We have not faced interruptions in the past four and a half years.

Pros and Cons

  • "It is very stable. We have not faced interruptions in the past four and a half years."
  • "It has improved comprehensive visibility for what is going on in the perimeters, and on the inside, as well."
  • "Technical support is good, but not great."

What is our primary use case?

We are a telecom company, and we use it for IT systems, for telecom systems, and on various different levels of applications. We use it for web servers, routers, firewalls, and other security components. Our SIEM solution serves technical and non-technical business units including customer care, engineering, revenue assurance, and anti-fraud.

How has it helped my organization?

Instant continuous monitoring so that we can take action immediately and be as proactive as possible in handling hacking and attack attempts. Also, it has improved comprehensive visibility for what is going on in the perimeters, and on the inside, as well. We also use it for testing whether our controls are performing well or not. We can say that the visibility, monitoring, testing, and reliability of our controls are all assisted by this solution. The most important benefit we get is from the SIEM solution.

What is most valuable?

The most valuable feature is the diversity of log types, which enables us to monitor what is going on from different perspectives and reduces the likelihood that we will miss important attempts. There are different events and flows, and there is diversity from getting the information from different sources. We can also see that there are no false positives. It is well-tuned and the rules are covering everything that we need.

What needs improvement?

There are some weaknesses with the QRadar Risk Manager. It has some weaknesses because of the connectivity with other vendors. It is limited. There are some vendors that you cannot connect QRadar Risk Manager with, so you cannot get the maximum benefit of the product.

For how long have I used the solution?

Five years.

What do I think about the stability of the solution?

It is very stable. We have not faced interruptions in the past four and a half years.

What do I think about the scalability of the solution?

It's great! This is one of the major features of the solution.

How are customer service and technical support?

Technical support is good, but not great.

How was the initial setup?

It was straightforward, but we had to do some customization.

What about the implementation team?

When choosing a vendor, we always consider:

  • Scalability
  • Diversity of Connecting Systems
  • Storage

Which other solutions did I evaluate?

We considered another solution from HP and ArcSight.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
VS
President, Consultant, Trainer at MEI Security
Real User
Useful searching capability for multiple, correlated logs

What is our primary use case?

We use this solution for log correlation and alerting.

How has it helped my organization?

This solution has allowed us to correlate logs from multiple sources.

What is most valuable?

The searching capability is good.

What needs improvement?

We would like to see better instrumentation for debugging changes in the log flow.

For how long have I used the solution?

We have been using this solution for four years.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
Larbi Belmiloud
Security Engineer at a tech services company with 11-50 employees
Real User
Enables us to stop and detect vulnerabilities

Pros and Cons

  • "We get events and make the correlation, or rules. In IBM, we can implement our customer's rules. We can have very clear status threats and severity of antigens."
  • "The interface is very old. IBM should remake it into a more modern interface."

What is our primary use case?

The primary use of the solution in our deployment was for threat detection. 

What is most valuable?

The first feature that I love to demonstrate for my customers is the fact that the vulnerability manager is integrated in QRadar SIEM. This lets us stop and detect vulnerability. The reports provide many methods to fix it. The circumvention method and the patch method are perfected very well in the QRadar area.

The second valuable feature is when we get events and make the correlation or rules. In IBM, we can implement our customer's rules. We can have very clear status threats and severity of antigens. The other fact I love about IBM is that we can integrate many other tiers solutions, such as Carbon Black and other plans.

What needs improvement?

The interface is very old. IBM should remake it into a more modern interface. I think this is the only thing they should improve on.

Another feature that would be nice is if it's possible to integrate some of the application style and configuration that is currently not easy to set up in the product. If it's possible to do that, it would be a major improvement.

In fact, I never got a road map to bring you from zero to the end. There should be information everywhere, from YouTube to any other places. It was very complicated to organize all the information in my head.

For how long have I used the solution?

We've been using IBM QRadar for one and a half years.

What do I think about the stability of the solution?

It's very stable. The only issue we can report is a system issue. When the partition is full, the whole system shuts down. If some partition of the logs is not in QRadar, maybe we can't find any solution to do this from QRadar.
In fact, we observed that sometimes the systems go down when a partition is up to 90%. This issue is related to Red Hat; we also observed this issue relating to Tomcat logs, where /var/log fills up to 100% quickly.

What do I think about the scalability of the solution?

In my experience, the upgrade could lead to some misconfiguration. We had this experience of disruption when upgrading from 7.2.7 to 7.2.9 and then 7.3.0.

We observed that some application and configuration needs to be redone. The scalability at this moment, because it's an older version, has some issues. Otherwise, I think scalability is excellent.

How are customer service and technical support?

We don't use IBM Support. We communicate with Morocco Teams about this. When I have an issue, I post it and ask for the community, because I have an account in the IBM Community. The community is very, very knowledgeable and strong.

How was the initial setup?

The setup is really very easy. It takes a few hours. The integration, orchestrating all the components to send logs to, etc., is very, very complicated. In the last setup we did for our customer, it took us four months to integrate. The setup, on the other hand, took only half a day.

What other advice do I have?

The first advice I give my customers before buying SIEM is: "You should understand the solution well before starting the implementation." If they don't understand the solution, they will never be able to use it correctly. This is the first piece. The second point is that they will resist the change made to the setup installation. If they look for the solution, QRadar ATM is the best.

I would rate this solution as nine out of ten. I think there is no perfect product; maybe there will never be a perfect product. When I started to learn IBM QRadar, it was complicated for me in the beginning, because we did the installation for the customer. It is complicated, and the meaning and training were not very clear.

Disclosure: My company has a business relationship with this vendor other than being a customer: Partner.
ITCS user
Chief Technology Officer at a tech services company with 51-200 employees
Real User
Helpful and presentable reports, but the ticketing system needs to be more automated

Pros and Cons

  • "Provided that the report is prebuilt and I can find what I am looking for, the reporting is the most valuable feature in this solution."
  • "There are reports that I would like to generate that are either not included, or I cannot find."

What is our primary use case?

We are a cybersecurity service provider, and I manage the QRadar service for my customers.

What is most valuable?

Provided that the report is prebuilt and I can find what I am looking for, the reporting is the most valuable feature in this solution. The reports are very good and very presentable.

What needs improvement?

There are reports that I would like to generate that are either not included, or I cannot find. If there is no report for information that needs to be presented then it is one of the biggest issues for the customer.

The ticketing system is not fully automated and needs to be improved.

There should be an easier permission level that basic users can use to create reports. The users include both end-customers and the technical team.

The pricing needs to be such that they are more competitive with other vendors.

For how long have I used the solution?

More than one year.

What do I think about the stability of the solution?

This is a very stable solution and I don't think that we have lost it once. This is good compared to our other system that had gone down three times.

What do I think about the scalability of the solution?

I would say that it is ok. I can buy licenses when I need to scale the solution.

How are customer service and technical support?

Our experience with technical support has not been smooth. There is a lot of bureaucracy to get to the technical team. In fact, in some cases, we resolved the issues ourselves and then explained to their technical team how it should be done for other customers.

How was the initial setup?

The initial setup for this solution is complex. There are many different components, and only the IBM technicians have the permission, or credentials, to modify the system online. As a customer, I cannot go in and install it myself. Rather, I am dependent on the IBM professionals.

What about the implementation team?

We used a consultant to assist with the installation of this solution.

Which other solutions did I evaluate?

I have used several other products including ArcSight, AlienVault, and Splunk. Some of these solutions are on-premises or in-house.

I do not like Splunk, but I think that ArcSight is a good solution. ArcSight is complicated, but it is a more mature solution with much greater options than IBM is offering in QRadar.

What other advice do I have?

This is a good solution, but I am familiar with the capabilities of the other products and IBM needs to make some improvements.

I would rate this solution a seven out of ten.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
ÖO
IT Security Manager at a recruiting/HR firm with 10,001+ employees
Real User
Analytics and reporting of user behavior helps to find anomalies and suspicious events

Pros and Cons

  • "This solution provides me with various alarms, and I have found security issues with some of my other products."
  • "There is a lot of manual configuration required in order for the product to run smoothly, and I think that it could be made more automatic."

What is our primary use case?

Our primary use for this solution is to collect and correlate our logs. We also create appropriate alarms based on the contents of the logs.

How has it helped my organization?

This solution provides me with various alarms, and I have found security issues with some of my other products. We also have some special correlation rules that give me information about mail servers, websites, and other user behavior.

What is most valuable?

The most valuable feature is user-behavior analytics, where it will create logs based on the users' behavior and report suspicious events or other anomalies. I am working with the data analytics so it is a very good one for what I am doing.

What needs improvement?

There is a lot of manual configuration required in order for the product to run smoothly, and I think that it could be made more automatic. There is no need for so much manual configuration. For example, it should be able to automatically create at least some of the rules that are suitable for our environment.

The solution has a good user interface, but it could be further developed. I have used other products that are more user-friendly. I would rate the user interface a six out of ten.

For how long have I used the solution?

Between three and five years.

What do I think about the stability of the solution?

We have not experienced any bugs or vulnerabilities, so the stability seems to be fine.

What do I think about the scalability of the solution?

The scalability seems great.

We have five hundred people in our company. All of them are end-users, except for myself and one of my colleagues who are administrators. We have more than one hundred assets, such as databases, that are monitored by this solution.

How are customer service and technical support?

I have never used technical support for this solution.

How was the initial setup?

The initial setup for this solution is very easy. It is an image file, and we haven't had any difficulties in the setup. After installation, there are many things to do. Again, the difficult part is the configuration of the product.

The installation period was very short, at perhaps one or two weeks. The configuration takes six months or more.

What about the implementation team?

We have a technology company, and we are working with them for deployment and maintenance. They spend one or two hours per week maintaining this solution.

What was our ROI?

We have not calculated ROI.

Which other solutions did I evaluate?

I am familiar with products from other vendors, such as McAfee. We specifically evaluated Splunk, which is a good solution but there is no local partner in Turkey for support. Having a local partner is very important to us.

We chose this solution because we have a good relationship with IBM, and they are able to provide us with local support.

What other advice do I have?

There are many good products and solutions on the market, but for implementation and maintenance, I can say that the most important thing is local support.

We do not have any issues with this product, and we have seen the benefits of it. It is easily configured and installed, and we have a local team to support it. It does have issues in terms of user experience, however.

I would rate this solution an eight out of ten.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
MohamedAfeilal
General Manager at New System Engineering
Real User
Top 20
A straightforward solution that minimizes the number of false positive errors

Pros and Cons

  • "It is a very optimized engine."
  • "It is very difficult to activate all of the network equipment, and it would help if it were made easier."

What is our primary use case?

We are a partner and provide this solution to our customers.

What is most valuable?

The most valuable feature is that it reports a very small number of false positives. It is a very optimized engine.

What needs improvement?

It is very difficult to activate all of the network equipment, and it would help if it were made easier. I would also like to see more integration with new devices.

For how long have I used the solution?

Ten years.

What do I think about the stability of the solution?

This is a very stable solution.

How are customer service and technical support?

The quality of technical support depends on the level. Level One support is very good, but if you have Level Two or Level Three then the support is not very reactive.

How was the initial setup?

The initial setup of this solution is not complex.

Deployment normally takes between one and three months.

What about the implementation team?

We have two engineers that are proficient in QRadar, and we handle the implementation for our customers.

Which other solutions did I evaluate?

One of my customers is a McAfee user and is in the process of replacing the solution with IBM QRadar.

What other advice do I have?

I would recommend this product. It is very simple to install, and not a complicated solution. IBM supplies regular software updates.

I would rate this solution an eight out of ten.

Disclosure: My company has a business relationship with this vendor other than being a customer: Partner.
GO
Marketing Director at an aerospace/defense firm with 1-10 employees
Real User
Enables us to collect information from different devices, detect, and analyze various threats or attacks to protect our system

Pros and Cons

  • "Vulnerability detection is the most valuable feature. It's the tool that finds the threats."
  • "The tool is very complicated. One place for improvement would be to have a more user-friendly interface. Having better support in Spanish would be cool."

What is our primary use case?

We don't have a business relationship with IBM QRadar, our relationship is a customer relationship. We use IBM QRadar as our primary security solution.

How has it helped my organization?

QRadar is the primary tool in our security center. We use it to collect information from different devices, detect, and analyze various threats or attacks to protect our system.

What is most valuable?

Vulnerability detection is the most valuable feature. It's the tool that finds the threats.

What needs improvement?

The tool is very complicated. One place for improvement would be to have a more user-friendly interface. Having better support in Spanish would be cool.

For how long have I used the solution?

One to three years.

What do I think about the stability of the solution?

What do I think about the scalability of the solution?

The solution is scalable. Currently, we have between 50 and 70 users working with this solution. We have plans to increase the usage of the product in the future.

How are customer service and technical support?

My experience with technical support has not been so good because I would prefer support in Spanish which I haven't gotten.

How was the initial setup?

The initial setup was very complex.

We are planning to take at least one year for the complete setup. Deployment went fast, between six and three hours.

What about the implementation team?

We used an integrator for the deployment. The experience was excellent, outstanding.

What other advice do I have?

This kind of solution is essential. The communication network functions very well.

On a scale of one to 10, ten being the best, I would give this product a rating of nine.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
AF
Cyber Security Specialist at AEC
Real User
Alerts and correlates the aggregate events or offenses we receive through all the applications we use

Pros and Cons

  • "IBM QRadar has improved my organization by introducing many functions. It collects logs from all of our systems in the organization and has functioned very well. It alerts and correlates the aggregate events or offenses we receive through all the applications we use."
  • "There is one problem with QRadar in regards to the add-on apps. The apps can be frustrating. For example, when I add a big app like one of the add-ons for resiliency, add-on applications for QRadar, these applications require different hardware to implement and to deploy. The resiliency connector because there's a considerable amount of data scanning, operates for these apps correctly."

What is our primary use case?

We are a reseller of this solution. We have numerous use cases, all dependent on the needs of our customers.

How has it helped my organization?

IBM QRadar has improved my organization by introducing many functions. It collects logs from all of our systems in the organization and has functioned very well. It alerts and correlates the aggregate events or offenses we receive through all the applications we use.

With other solutions, you collect the logs from different sources but you still have to fine-tune it, and you still have to match them a lot of the time to figure out the correct association to sort out the false positives. QRadar is much easier to use and detect false positives. It can do it by itself, and it allows you to fine-tune the filtering and check the false positives. There is some backend that protects but it's the best among all in the market.

What needs improvement?

There is one problem with QRadar in regards to the add-on apps. The apps can be frustrating. For example, when I add a big app like one of the add-ons for resiliency, add-on applications for QRadar, these applications require different hardware to implement and to deploy. The resiliency connector because there's a considerable amount of data scanning, operates for these apps correctly.

Acquiring these add-on apps for QRadar is very expensive. This is one of the difficulties that we are facing with the QRadar.

For how long have I used the solution?

More than five years.

What do I think about the stability of the solution?

It's very stable.

What do I think about the scalability of the solution?

The solution is very scalable.

How are customer service and technical support?

Technical support hasn't been bad, but sometimes it's inadequate, sometimes it is good. It depends on the case. We've had bad experiences in the past because we didn't get onsite support when we needed it.

They do have onsite support but only for third-party partners working directly with IBM. And sometimes the support is too slow.

Which solution did I use previously and why did I switch?

I've used Alien Vault, McAfee, and Splunk.

How was the initial setup?

The initial setup was a bit hectic the first time because it's not about the QRadar application itself, it's about defining or configuring the data sources or the traffic sources to QRadar. We are going to use a small file through literally all of the traffic sources. We found it was difficult to merge with QRadar due to different IPs, different sources delaying the process, and just technical issues. It's not an issue with the QRadar solution itself.

What about the implementation team?

We implemented through a vendor. I am one of the integrators.

Our requirements are dependent on the size of the deployment and maintenance case, depending on how large of an enterprise solution we are speaking about. The size of the architecture, or for example if the architecture is all in one including the processor, including the QNI and the connector all with one box. A deployment of this type would only require one guy for it if the architecting dissipating these items comes from the all in one box.

What's my experience with pricing, setup cost, and licensing?

The licensing is every year.

There are additional costs, such as the cost associated with the different hardware required for implementation and deployment. Along with the add-on apps, these are all additional costs, and they require licensing as well.

What other advice do I have?

The solution functions very well. It is amazing but there are some bugs with it. The unknown bugs can just come up with the adaptor with the data stored in QRadar.

On a scale from one to 10, ten being the best, I would rate this product an eight out of 10.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
Onyegbule Uche
Technical Consultant at Activedge Technologies
Consultant
Enhances Security Through Vulnerability Management and Increased Visibility

Pros and Cons

  • "The most valuable features would have to be the product's ability to customize vulnerability management settings."
  • "There could be improvements made to the UI, the user interface. Though the newer version, 7.3.2, might already have this improvement in place."

What is our primary use case?

I'm the technical consultant here at ActivEdge Technologies. Our primary use case for this solution is for Security Intelligence and Event Monitoring (SIEM). We provide protection services models for an organization's networks through a sophisticated technology which permits a proactive security posture. We have a business relationship with IBM QRadar as well as being a partner. We are a partner and we also use this feature. It's an integrated solution. We design it to be compatible with our clients' network devices to maintain real-time monitoring through a centralized console. Our clients rely on us to create value.

How has it helped my organization?

QRadar has significantly improved our security. It has reduced threats considerably. The solution provides increased visibility along with actionable intelligence. We are looking into implementing it to proactively take steps to prevent or reduce the attacks.

What is most valuable?

The most valuable features would have to be the product's ability to customize vulnerability management settings and the ability to customize integration functions.

What needs improvement?

I can't see any need for service improvements because I feel it's easy to use and very functional as it is. There could be improvements made to the UI, the user interface. Though the newer version, 7.3.2, might already have this improvement in place.

For how long have I used the solution?

One to three years.

What do I think about the stability of the solution?

It's very stable. We never need much help with that.

What do I think about the scalability of the solution?

The solution is very scalable; it's designed to be, as it's a distributed architecture. It's entirely scalable.

Currently, there are five domain users working with this solution. We don't have visibility on our end user count due to the fact that end users don't need to log on to the application.

Our maintenance needs require just one experienced QRadar analyst to moderate.

How are customer service and technical support?

Technical support has proven to be very helpful.

How was the initial setup?

The initial setup wasn't straightforward. The setup is situation specific.

The deployment for us took about 3 months.

What about the implementation team?

Implementation was done in-house.

What was our ROI?

What other advice do I have?

I think this product adds significant value to organizations seeking a scalable security integration tool. It does a great job of identifying, classifying, prioritizing, remediating, and mitigating software vulnerabilities. It's a good solution.

On a scale of 1 - 10, 10 being the best, I give this product a rating of 9.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
BK
Program Manager at a tech services company
Real User
Highly customizable and provides a single dashboard for global device monitoring

Pros and Cons

  • "There is a single dashboard that gives us a complete overview of what is happening around the globe."
  • "Ideally we would like a mobile version so that any alert that comes in will notify us in a mobile app, or by using SMS integration."

What is our primary use case?

Our primary use case for this solution is compliance.

How has it helped my organization?

This solution has improved our organization by allowing us to promote vertical security as an added service for our customers.

It has also improved our integration with other applications. Previously we used to have challenges in terms of application integration. I think that it is slowly changing; for example, Oracle Hyperion and these kinds of products integrate more easily because they have the proper plugins. It is important to know that they are properly integrated with your solution.

What is most valuable?

First, the dashboard is a valuable feature. There is a single dashboard that gives us a complete overview of what is happening around the globe. We are able to follow the devices that are connected to the network.

The second thing is the customization that we have done. For example, if there is an account login made in Tokyo then we will immediately get an alert.

What needs improvement?

With the transition to a modern IT operation center, I think that many of the devices are going to be mobile. Somebody may not be at the NOC (Network Operations Center), data center, or SOC (Security Operations Center). If anybody from the non-security team or the NOC team has to receive an active alert, it should be enabled in multiple channels.

Ideally, we would like a mobile version so that any alert that comes in will notify us in a mobile app, or by using SMS integration. We are working on these things internally, but I think that these are some of the things that you're expecting from this product.

For how long have I used the solution?

Less than one year.

What do I think about the stability of the solution?

The stability of this product is pretty good.

What do I think about the scalability of the solution?

The solution is highly scalable. It is one of the reasons that we have chosen this product.

Currently, our network has more than thirteen countries deployed. A roadmap is in place for a total of forty countries, so twenty-six more will be added. Deployment is a continuous exercise for us in terms of increasing the number of devices and applications.

The EPS (Events Per Second licensing) is adjusted based on scale. At this time we have close to three or four hundred events per week. As we grow, we are expecting at least fifteen-hundred events per week.

How are customer service and technical support?

The support is very important during the implementation and initial stages.

I think that the turnaround time has to improve. If we raise a ticket then we have to wait for a patch. After this, the patch will probably have to be applied within our test environment. After testing it has to be promoted to production. Overall, the turnaround time is slow. 

How was the initial setup?

Choosing the cloud platform gives a significant advantage in terms of the setup. I have been deploying the same solution across enterprise organizations from day one, and previously it used to take a month for implementation. Now, I think that it has been reduced to two weeks.

The challenge with the old model is that you normally need to work with the hardware vendors to ensure the right patches or data is available. We used to install the physical hardware, but with the cloud version, you can just start your service and add devices. You can start populating and getting reports on alerts and such in a week's time.

The implementation team is about three or four members. It has not yet grown to an operational stage because we are still implementing the solution. 

What about the implementation team?

We do the implementation in-house. I am the program manager and I lead the model from inception to completion. That said, we have to connect with the IBM team to assist with integrating the solution. We're getting pretty good support from them.

What's my experience with pricing, setup cost, and licensing?

The solution is a subscription-based model. It is a yearly subscription from my understanding.

In terms of additional costs, it depends on the subscription that you choose. There are plenty of options to choose from.

There is the EPS licensing cost (Event per second licensing), which is a parameter that you choose. By adding countries to our solution, we have to increase the EPS.

Which other solutions did I evaluate?

Yes, for each project we discuss which product to choose, and decide depending on what suits our needs.

SolarWinds is one of the solutions that we use for our NOC operations. We had internal discussions and considered many parameters, but later we decided to move to IBM.

What other advice do I have?

I would rate this solution eight and a half out of ten.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
Rossella Falcone
Sr. Security Engineer at OmnitechIT
Real User
Stable security both in-house and for our customers

What is our primary use case?

Our primary use case for this solution is the management of our security services and our NOC (Network Operations Center) services.

How has it helped my organization?

In addition to using this solution for our security operations center, we are using it for our other customers.

What needs improvement?

It needs more resilience and functionality. 

For how long have I used the solution?

One to three years.

What do I think about the stability of the solution?

My impression of the stability is that it is good.

What do I think about the scalability of the solution?

The scalability is good. Internally we have many customers, but we offer this as a specific consultancy service. I do not know with certainty the number of users for this product in our customer environment.

What about the implementation team?

We used a consultant to assist us with the implementation of this solution.

What's my experience with pricing, setup cost, and licensing?

Our licensing costs for this solution are on a yearly basis.

What other advice do I have?

I would rate this product eight out of ten.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
Dameer Siddiqui
User at a tech services company with 11-50 employees
Real User
Top 20
Alerts us about events in our network environment and has superb functionality

Pros and Cons

  • "IBM QRadar is easy to scale, it doesn't affect the environment. In our office, we have around 40 - 50 users, but our clients have more users on their networks. Our organization has staff in the software department that manages IBM QRadar for us."
  • "The quoting and the dashboard session could be improved. It should be more user-friendly."

What is our primary use case?

We are partners with IBM. We do simulations for our clients. Then we resolve the issue that they're facing using IBM QRadar.

How has it helped my organization?

We have integrated IBM QRadar with our firewall and some services that we use. When the logs are about to get full of SQL, IBM QRadar makes a notification. The admin knows that they're about to get full so he just goes and clears them out. That is when we usually use IBM QRadar. On our firewall, when the issue notifications are generated, we don't usually open the firewall but QRadar alerts us about what went down in our environment.

What is most valuable?

The most valuable feature of IBM QRadar is its slow control and even activation. I also like the post notifications on the screen.

What needs improvement?

The quoting and the dashboard session could be improved. It should be more user-friendly.

Otherwise, the overall functionality of IBM QRadar is superb. A better GUI and reporting both would be good additions to the product.

For how long have I used the solution?

Less than one year.

What do I think about the stability of the solution?

IBM QRadar is very stable. It doesn't have many errors.

What do I think about the scalability of the solution?

IBM QRadar is easy to scale. We can integrate other devices if we want to. We could go to distributed architecture instead, but we like this product. It doesn't affect the environment. In our office, we have around 40 - 50 users, but our clients have more users on their networks. 

Our organization has staff in the software department that manages IBM QRadar for us. The security division just manages the login. Overall, only two to three staff are required for the management of IBM QRadar. They are more than enough to control the situation because most of it is easy. We definitely have plans to increase our current usage of the solution in the future.

How are customer service and technical support?

Technical support from IBM is not that good here in this region. It's quite helpful to have local support. They don't have much expertise in this product. 

We usually have to go to IBM to resolve the issues if we have them because the overall product is a bit complex. There are not many local resources here in this region with expertise in IBM QRadar.

How was the initial setup?

The initial setup is straightforward. It's very easy. I think anyone can install it within minutes. The deployment of IBM QRadar takes around 20 to 25 minutes if you have a good hard drive.

What about the implementation team?

We deployed IBM QRadar ourselves. We have technicians. We bill the client and do the installation on our own, along with other IBM products.

What's my experience with pricing, setup cost, and licensing?

We do licensing on a yearly basis. It's for deployment. If the client wants more services, we support the license. There are no other costs for the product.

Which other solutions did I evaluate?

When I joined the company we were already partners with IBM. I didn't have much experience with other products.

What other advice do I have?

I would recommend IBM QRadar because of the security features and the organization. I can recommend the security. Security is nowadays an essential part of IBM QRadar. 

IBM QRadar is probably the best possible solution in the market. I would rate it an eight out of 10.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
DAX Paulino
Cybersecurity Practice Lead at a tech services company with 201-500 employees
Real User
Enables us to handle the most critical attacks and integrates well with other solutions

Pros and Cons

  • "One of the most valuable features is its ability to integrate with other solutions. IBM has a lot of solutions and we have managed to make it work with IBM BigFix and MaaS360, and even Microsoft."
  • "In terms of additional features, a mobile app would be nice. Also, the reporting is definitely okay, but you have to make sure that everybody with different roles can understand it. There is room for improvement in the reporting."

What is our primary use case?

We are using it for SIEM, for Security Information and Event Management. We're gathering the logs and doing analytics on how we are going to react to security incidents.

How has it helped my organization?

With QRadar we managed to focus on the more critical incidents that we have experienced. As a result, we have managed to decrease the most critical incidents, most critical attacks. Now we're focusing on the ones that are not too heavy, not too critical. As of the moment, we are more secure than before.

What is most valuable?

One of the most valuable features is its ability to integrate with other solutions. In our current setup, we need a holistic view of our network to provide better service. Therefore, integration with our security tools and infrastructure is a must. We managed to get our NGFW, Endpoint Security, network servers, compliance tools and others to integrate with QRadar which enables our team to better understand what is happening in our network and respond accordingly.

What needs improvement?

The first area for improvement is the cost. It's a little bit too expensive for us. 

Also, initially it was difficult to understand or to grasp, but once you get the hang of it, it is easier to understand and to analyze. So the main problems are its cost, the maintenance cost, and the fact that it takes some time to learn how to use it.

In terms of additional features, a mobile app would be nice. Also, the reporting is definitely okay, but you have to make sure that everybody with different roles can understand it. There is room for improvement in the reporting.

For how long have I used the solution?

One to three years.

What do I think about the stability of the solution?

It's very robust. If it fails it does not really harm the network. It just gathers information and that's the important part. It has not failed, it's been working since day one so there is no problem. As long as the server that you install it on is working fine, it's very reliable. It's very stable.

What do I think about the scalability of the solution?

It's also scalable, yes. You can adjust the number of devices it communicates with, so there is no problem with scalability.

How are customer service and technical support?

I have not yet contacted technical support. I have not encountered any problems. So far, we have had no need for them. We have just fixed things ourselves.

Which solution did I use previously and why did I switch?

We did not use any solutions before QRadar.

How was the initial setup?

It's straightforward. We just had to connect it to our servers, to our security solutions, and that was it. Everything was already communicating.

We are just a small company, so the deployment did not take that long, about a month to a month-and-a-half. It didn't involve too much downtime since we're just monitoring a few servers and a couple of security tools.

What about the implementation team?

We are directly in touch with IBM and we have an IBM security specialist. He usually gives us pointers and he's the one who also gave us a little bit of training and knowledge transfer.

What's my experience with pricing, setup cost, and licensing?

It's too expensive. The licensing is also a little bit difficult to understand because you have to license it per event and per number of flows. So you have to understand the difference between a flow and an event, and then you have to forward that to the resellers, the distributors, and to IBM. That part took a long time for us. Now we're adjusted to the process.

Which other solutions did I evaluate?

We did evaluate some, like LogRhythm. We found that LogRhythm was more difficult to understand because it was a little bit too static. I believe they have already improved but, as of the moment, we are still happy with QRadar.

What other advice do I have?

My advice is to take your time. It depends on your network, on what you want to gather information from. Make sure that the networking and the cybersecurity teams are working towards a common goal. The solution is very much worth it. You can gather all the information that you need as long as you know first what you need.

This solution is mainly for the Security Operations Center, so there are just three or four users. But it's one of the key tools for us to identify threats and attacks. The users are security operations analysts and threat hunters.

In our case, deployment and maintenance requires just a few people. They are the network administrators and our cybersecurity engineers.

At the moment we have no plans to increase usage. If the company grows, usage should grow as well. The company is growing but, as of the moment, we are planning for expansion. That's why the solutions that we carry are already built for expansion for the next three to five years.

I would rate QRadar at eight out of ten. It's not perfect, and the big issues would be the price and that it takes some time to understand it. But so far, it's one of the best solutions out there.

Disclosure: My company has a business relationship with this vendor other than being a customer: Partner.
ITCS user
Vulnerability Manager at a tech services company with 51-200 employees
Reseller
Scanning by the Vulnerability Manager and alert-generation are key features for us

Pros and Cons

  • "The most valuable feature is the QRadar Vulnerability Manager which provides vulnerability scans. In addition, I like the way QRadar generates alerts."
  • "It would be good if the program allowed certain profiles to only see certain customer information."

What is our primary use case?

Our primary use case is to get logs mainly from firewalls, although you can also get logs from anything that can forward syslogs. We use it to sort events.

How has it helped my organization?

Instead of logging in to multiple devices and checking the logs, QRadar gives us one centralized point for comparing data against each other and rules to make sure that you don't miss anything. It tells you where all the detections happened. It provides easier access and we pick up things way quicker than in the past.

What is most valuable?

The most valuable feature is the QRadar Vulnerability Manager which provides vulnerability scans. In addition, I like the way QRadar generates alerts.

What needs improvement?

It would be good if the program allowed certain profiles to only see certain customer information.

For how long have I used the solution?

Three to five years.

What do I think about the stability of the solution?

If you're running the latest version under recommended specifications, it is very stable thus far.

What do I think about the scalability of the solution?

It's scalable.

How are customer service and technical support?

The technical support has definitely improved. In 2016-17 it took me about ten hours to get a reply from IBM. It now takes an hour to two hours for them to reply to me.

Which solution did I use previously and why did I switch?

We went with QRadar because it's a more well-known product. I was only using the AlienVault Community Edition, a free version. It wasn't a fully-paid version I was using at the time. IBM QRadar was just the product the company was using.

How was the initial setup?

The setup is straightforward. The last one I did took me about three days. It only takes half an hour to set up QRadar, but getting the other systems to talk with QRadar, to forward syslogs, is what took the additional time, because I didn't have all the login information. If you've got all the relevant information, it shouldn't take you more than a day to set it up.

What's my experience with pricing, setup cost, and licensing?

QRadar is quite expensive. It wouldn't be worth it for a small business unless, through a third-party company, they used it in a software-as-a-service type of arrangement, rather than buying the licenses outright.

There are additional costs beyond the standard licensing fees. For example, there are add-ons like the QRadar Vulnerability Manager.

What other advice do I have?

QRadar, as a product, might be very straightforward, but to fully understand the product you would need to go for the QRadar training. IBM's training for QRadar is very expensive but it really helps you use the product to its full potential. Before I went to the training, I only used about ten percent of its capability. I would recommend going for the training on the product.

In terms of the number of users, it's not users logging in every day and doing stuff on QRadar. It's a handful of people from the team monitoring QRadar. We could be managing, for example, 50 or 70 customers through one dashboard and about ten people would be monitoring it. The users have a specific role.

The amount of staff required for deployment or maintenance depends on the type of update or patch that's being deployed. For deployment of a new patch, it could take anything from an hour to about ten hours. It depends on the patch, how big the patch is, and if you've gone through a testing phase or not. So there are multiple dependencies on how long it would take. An average, for me, would be three hours to do certain deployments.

Currently it's being used quite widely. The only downfall of this product would be its price. I wouldn't recommend it for a small company. For larger companies I know it's being widely used.

Disclosure: My company has a business relationship with this vendor other than being a customer: Reseller.
it_user984276
Senior Analyst at a tech services company with 201-500 employees
Real User
We can add anything to it, as it is a good companion to other tools

Pros and Cons

  • "It integrates very easily with other solutions. The solution is flexible. We can add anything to it, as it is a good companion to other tools."
  • "It's user-friendly when compared to other products."
  • "They should introduce some automation into the product."
  • "There was some complexity in the initial setup due to bandwidth issues."

What is our primary use case?

The primary use case is for insurance and product manufacturing. We use it to create rules and Windows firewalls.

How has it helped my organization?

Before implementing this solution, we had no security. After integrating many things, we received reports letting us know what is compromised.

What is most valuable?

It's user-friendly when compared to other products. New users can easily understand the product.

It integrates very easily with other solutions. The solution is flexible. We can add anything to it, as it is a good companion to other tools.

What needs improvement?

They should introduce some automation into the product.

For how long have I used the solution?

One to three years.

What do I think about the stability of the solution?

It has good stability. If there is an issue, we restart the box.

What do I think about the scalability of the solution?

It is easily scalable.

Our team has nine people.

How are customer service and technical support?

The technical support is good.

Which solution did I use previously and why did I switch?

Previously, I was using McAfee Nitro. Compared with McAfee, QRadar is user-friendly and easy to use.

How was the initial setup?

There was some complexity in the initial setup due to bandwidth issues.

The implementation took two to three days.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
Phillip Okemwa
Senior Information Security Analyst at a financial services firm with 501-1,000 employees
Real User
Helps us to discover any threats with their alerts and tracking

Pros and Cons

  • "It helps us discover any threats with their alerts and tracking."
  • "The only challenge is that IBM has been a closed enterprise. It should be more open to integrating with other providers at an enterprise level. We're a bank and the core banking system integration is not always straightforward and there is no integration between IBM and these products. If IBM could open up and provide a way of integrating it seamlessly, without charging more for it, that would make a big difference."

How has it helped my organization?

It helps us discover any threats with their alerts and tracking.

What is most valuable?

QNI is the most valuable feature. 

What needs improvement?

I would like for them to lower the price. 

For how long have I used the solution?

One to three years.

What do I think about the stability of the solution?

The system is quite stable, so far we haven't had any problems. Although the initial supply of the appliance was a bit faulty, the processor kept on failing. We were within the warranty so they supplied new ones. After loading logs, the system is very stable and nothing to worry about.

What do I think about the scalability of the solution?

It's very scalable. There are currently five users. We may still onboard more users depending on the requirements and their departmental level.

We do plan to increase usage. 

How are customer service and technical support?

Their support is excellent, they are available when we need them. I'm satisfied so far.

How was the initial setup?

The initial setup wasn't exactly straightforward, but the vendor who set it up for us was helpful. It was very straightforward with their help. The deployment took two months.

We require two admins for maintenance. 

What about the implementation team?

We used our own people and the certified IBM vendor for the implementation. We had a very good experience with them. 

What's my experience with pricing, setup cost, and licensing?

We do licenses once a year. 

Which other solutions did I evaluate?

We also looked at LogRhythm.

What other advice do I have?

I would advise someone considering this solution to write down your use cases and evaluate them with the vendor. Evaluate the best solution based on your use cases because you are the ones who are going to use it. The vendor will try and implement and leave you with your problems.

If the solution meets your requirements and solves most of your problems, you're good to go. QRadar is the best solution we have. The only challenge is that IBM has been a closed enterprise. It should be more open to integrating with other providers at an enterprise level. We're a bank and the core banking system integration is not always straightforward and there is no integration between IBM and these products. If IBM could open up and provide a way of integrating it seamlessly, without charging more for it, that would make a big difference. 

I would rate it an eight out of ten. 

Disclosure: I am a real user, and this review is based on my own experience and opinions.
NB
IT Security and Business Development Manager at a tech services company with 51-200 employees
Real User
Enables us to ensure that the data being transferred from one company to another is done securely but it needs better cloud security

Pros and Cons

  • "The support is very good. We get support whenever we need it. Sometimes they respond immediately and sometimes it will be within 24 hours. We can ask them to please do it right away and they can get a request done within an hour or two."
  • "Before we didn't have any security issues but recently a few of the user emails were hacked. We had to actually recreate their emails for them."

What is our primary use case?

Our primary use case is for the security. We use it to make sure that the data that is being transferred from one company to the other is being done securely. 

How has it helped my organization?

The security has improved my organization. 

What is most valuable?

The securing of data is the most important feature because nowadays as cloud has come in, it is especially challenging to secure. We are actually planning for Palo Alto to be a better option because IBM needs better security for their cloud.

What needs improvement?

If IBM provides me with a better service or better options than Palo Alto, I would remain with IBM. As for my knowledge, I recently evaluated Palo Alto that has better security features, especially for a client's email. 

Before we didn't have any security issues but recently a few of the user emails were hacked. We had to actually recreate their emails for them.

If IBM could give us a complete package of on-cloud solutions, firewall, antivirus, and also mobile security, that would make it a lot better. Nowadays people are using mobile and tablets, rather than laptops or computers.

We get updates from IBM directly but then the users have to update. There are challenges where sometimes if we update the client's system, it takes a lot of time to update.

For how long have I used the solution?

More than five years.

What do I think about the stability of the solution?

Stability is very good. It's better than it used to be. 

What do I think about the scalability of the solution?

Scalability is very good. 

Everyone has used this solution for security purposes. We use it daily.

How are customer service and technical support?

The support is very good. We get support whenever we need it. Sometimes they respond immediately and sometimes it will be within 24 hours. We can ask them to please do it right away and they can get a request done within an hour or two. 

How was the initial setup?

The initial setup is fine. The moment we send the packets for an update it's easy but then there are challenges for the users. We have actually changed the hardware, so it got updated. We have to check if the problems are due to the hardware or due to the software.

The initial setup normally will take a day. It depends on the number of users. We have 300 users on the system, which took around ten days.

We require five to ten staff members for deployment and maintenance. 

Which other solutions did I evaluate?

Before we went with IBM, we didn't look at other solutions but recently I looked into switching to Palo Alto and also evaluated Fortinet.

What other advice do I have?

I would advise someone considering this solution to evaluate several solutions, compare them, and if there is an option for customization check with the solution provider, and then go for it.

I would rate it a seven out of ten. It's a good solution, we've used it for a long time, but then there are a few issues with security.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
Dr Trust Tshepo Mapoka
Senior Cybersecurity Consultant at CIA Botswana
Real User
Top 5
Enables our clients to detect threats and vulnerabilities in real time

Pros and Cons

  • "Most of our clients are interested in automation. The automation part is good because they are able to detect threats and vulnerabilities in real time. It's very fast."
  • "The API integration for AD is a problem when it comes to vulnerability management. If you want to incorporate multiple factor authentication it becomes a problem with the AD. It doesn't integrate well. That needs to be improved."

What is our primary use case?

Our primary use case is for security analytics. We do investigation and security analytics, so we collect events and after collecting events we give positive security analytics to clients.

How has it helped my organization?

Most of our clients are interested in automation. The automation part is good because they are able to detect threats and vulnerabilities in real time. It's very fast. 

What is most valuable?

The vulnerability management aspect is the most valuable feature. IBM QRadar is the only SIEM solution with integrated vulnerability management. That's why most clients are flocking to it. API integration is very easy.

What needs improvement?

The API integration for AD is a problem when it comes to vulnerability management. If you want to incorporate multiple factor authentication it becomes a problem with the AD. It doesn't integrate well. That needs to be improved.

The configuration steps are not easy to follow compared to NetWitness.

What do I think about the scalability of the solution?

Scalability is good. I have plans to increase usage; it just depends on the contracts. If I get more contracts I get more people. Most clients want to manage security and so they would want to outsource their expertise. If they outsource their expertise, that means I have to recruit more people.

How are customer service and technical support?

Their technical support is pretty good. 

How was the initial setup?

The initial setup was easy. It usually takes around three months or so. In terms of the implementation strategy, once we get the correct events sorted, the strategy is to connect enough event sources so that they give you an efficient solution.

We require five to ten people for setup and maintenance. 

What about the implementation team?

I'm the consultant so we do the implementation ourselves. 

What's my experience with pricing, setup cost, and licensing?

The licensing depends on the customer. The pricing is good.

What other advice do I have?

I would rate it an eight out of ten. Not a ten because the configuration part of it should be easier. They tried to integrate everything together to be all in one, but it's not easy to configure.

Disclosure: My company has a business relationship with this vendor other than being a customer: Reseller.
it_user797751
Security Consultant at Varutra Consulting
Consultant
The product is easy to use, but it needs a comprehensive PDF user guide

Pros and Cons

  • "The stability is good."
  • "The scalability is good."
  • "I would suggest QRadar release any documentation or give an online demo, like videos on YouTube. It would increase publicity and public appeal."

What is our primary use case?

We use it to detect security incidents.

What is most valuable?

  • IBM Resilient Incident
  • IBM Threat Intelligence
  • IBM QRadar is easy to use.

What needs improvement?

The user guide is not readily available. I would suggest the support or technical team release a PDF guide, like Splunk, SolarWinds, or ArcSight. This will be good for consultants or whoever is using QRadar. This would be really helpful. I have searched a lot of sites, but I have not found a single PDF containing everything. Our consultants are taking too much time understanding the product's technical aspects.

They could arrange a demo on their website so users who register may use WebEx or any type of meeting invitation, and the support team could give a demo. Having hands-on technology is important. We lost a few clients, because they asked us, "Do you have hands-on QRadar?" At that time, we said, "No, but we will cover it." Due to this, we didn't get the project. Clients want consultants who are certified in QRadar. Even after completing the certification as a QRadar deployment professional, I would suggest QRadar release any documentation or give an online demo, like videos on YouTube. It would increase publicity and public appeal. 

For how long have I used the solution?

Less than one year.

What do I think about the stability of the solution?

The stability is good.

What do I think about the scalability of the solution?

The scalability is good.

How are customer service and technical support?

I haven't contacted technical support yet.

What about the implementation team?

We have a security consultant for our deployments. 

We haven't deployed yet, but our client has deployed IBM QRadar. We have been monitoring it, creating rules, and fine tuning it. These are my responsibility with respect to QRadar. 

I did not get the opportunity or experience to deploy QRadar into the client's environment.

Which other solutions did I evaluate?

We are recommending IBM QRadar, SolarWinds, and ArcSight to our clients.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
it_user795519
Senior Security Engineer at dig8labs
Real User
Custom parsing tool makes customization easy, and UI is friendly

Pros and Cons

  • "The most valuable feature is the DSM Editor. The custom parsing tool is very nice, outstanding."
  • "The product is good, but one feature they should have is Elasticsearch. Currently, in QRadar, there are no Elasticsearch criteria."

How has it helped my organization?

The features make my work easier.

What is most valuable?

The most valuable feature is the DSM Editor. The custom parsing tool is very nice, outstanding. I have used McAfee's SIEM and LogRhythm as well, but because of this feature of QRadar, I don't think their solutions are good.

Customizing it is very easy and it has a user-friendly interface. 

What needs improvement?

The product is good, but one feature they should have is Elasticsearch. Currently, in QRadar, there are no Elasticsearch criteria. Elasticsearch is a very fast search engine. IBM should consider it as part of QRadar. Currently, QRadar has a very slow search. If I search previous months' data, it stops.

For how long have I used the solution?

More than five years.

What do I think about the scalability of the solution?

The scalability is good. I'm quite satisfied with it.

How are customer service and technical support?

Technical support is the area IBM should work on. Support is not that responsive. If I open a support ticket, it takes three to four days for them to respond. They take that much time.

Which solution did I use previously and why did I switch?

I have used different solutions in the organization, but the main reason for switching is the customization. QRadar very much supports customization. Another reason is that, in the market, we can easily get QRadar resources, like an analyst or engineer, as compared to other products. This is a reason that organizations move towards QRadar.

How was the initial setup?

The initial setup was very straightforward. I didn't have to do anything once I installed it and configured it. It was very simple. Other solutions I have worked on, such as McAfee and LogRhythm, are a bit complex. This one is very easy to install and configure.

The deployment takes one to two months, max. The implementation strategy is totally dependent on the number of EPS, the requirements, and the types of log sources. We collect this information and then create our strategy.

I have been an engineer in many firms. I have deployed it by myself. One expert can deploy it. If there are 100,000 EPS you'll need more resources. If you have 5,000 to 10,000 EPS, one person can do it.

What's my experience with pricing, setup cost, and licensing?

IBM has subscriptions plans that run for one year.

What other advice do I have?

Overall, it's much better than other products.

In terms of increasing its usage, I have suggested to my organization that it tell customers to use it, its capacity and capabilities, with other tools like Watson.

Disclosure: My company has a business relationship with this vendor other than being a customer: Partner.
DA
Senior Server Security Engineer
Reseller
Has great scalability; if you use APS 25 GPS license you can change to 3000 EPS anytime

Pros and Cons

  • "IBM has everything you need in a cybersecurity solution. If you want to build a cybersecurity operation center version then I think QRadar is a perfect solution."
  • "I think QRadar is very complex. It's a distributed system and IBM QRadar has an all-in-one solution which is not like that distributed solution but it's a good product. IBM needs to consider the user interface because if we compare it with AlienVault, the AlienVault user interface is fantastic but the IBM QRadar user interface is very complex. They should focus on how to make it easier for the client."

What is our primary use case?

Our primary use case of this solution is to identify threats. 

How has it helped my organization?

We do R&D for IBM QRadar and we are also a cybersecurity solution based company. We provide solutions for our clients like banking, government agencies, and other non-government organizations. Our clients test in our labs and we try to understand how a product works and how a product will help our clients. I have more than three years experience with AlienVault and I use AlienVault a lot and I have already deployed it in a few banks. I am now trying to understand how IBM QRadar works and what the difference between IBM QRadar and AlienVault is. 

What is most valuable?

This solution has many valuable features but I especially like the Log Manager feature.

What needs improvement?

I think QRadar is very complex. It's a distributed system and IBM QRadar has an all-in-one solution which is not like that distributed solution but it's a good product. IBM needs to consider the user interface because if we compare it with AlienVault, the AlienVault user interface is fantastic but the IBM QRadar user interface is very complex. They should focus on how to make it easier for the client.

IBM has everything you need in a cybersecurity solution. If you want to build a cybersecurity operation center version then I think QRadar is a perfect solution.

For how long have I used the solution?

Less than one year.

What do I think about the stability of the solution?

IBM QRadar is stable and scalable. 

What do I think about the scalability of the solution?

Scalability is good. If you use APS 25 GPS license you can change to 3000 EPS anytime. Also, you can integrate a distributed solution with the all-in-one deployment. If you have a very small organization, you don't need model 5000 EPS license so you can deploy all-in-one and then one day if your organization grows bigger, you can deploy a distributed system.

How are customer service and technical support?

We have our own system and network experts, forensic experts, and database expert so until now, we haven't had any issues that required us to contact their support. 

How was the initial setup?

The initial setup was complex. When it comes to the deployment, you can get it done in a day but if you want to fine-tune it can take a very long time. This isn't only for QRadar, but this applies to most solutions. 

It takes two or three people to deploy this product but if you want to do custom configuration then you need each and every part's expert. You need a network expert, forensic expert, and system expert. If you want an advanced system configuration you need many more people. If you only want to integrate this solution in your organization then two or three people is more than enough for the deployment.

What about the implementation team?

We deploy it for our clients.

What's my experience with pricing, setup cost, and licensing?

Licensing is very expensive, IBM QRadar is a very expensive solution. If you want to minimize costs then IBM QRadar is not for you.

What other advice do I have?

I would rate it an eight out of ten. Not a ten because of the complex interface. 

Disclosure: My company has a business relationship with this vendor other than being a customer: Reseller.
YC
Security Consultant at a tech services company with 11-50 employees
Consultant
Easy to use and helps me analyze incidents that occur

What is our primary use case?

I use it to analyze incidents. 

What is most valuable?

I like the API and it's easy to use. 

What needs improvement?

They should provide more manual examples online so that I can learn it myself. The dashboard also needs improvement. 

For how long have I used the solution?

More than five years.

How was the initial setup?

We require eight staff members for the maintenance. 

What's my experience with pricing, setup cost, and licensing?

It's too expensive. 

What other advice do I have?

I would rate it an eight out of ten. 

Disclosure: I am a real user, and this review is based on my own experience and opinions.
RM
Senior Field Manager at a tech services company
Reseller
Good scalability and straightforward setup, all in all, a good solution

What is our primary use case?

It is a requirement for all of the banks to have a security solution in Pakistan. That is the reason most of the banks are using it. In the last one and a half years, Pakistani companies are taking security very seriously, so for that reason, they evaluate these solutions. All in all, it's a good solution. 

What needs improvement?

I would like for them to develop a detection management solution. It does not have a detection management solution in it, you have to buy it as it is, on top of the extended solution. 

What do I think about the scalability of the solution?

It's quite scalable. We have upgraded some solutions from 1000 APS up to 3500 APS to 5000 APS. It's a good solution, they have no scalability issues.

How was the initial setup?

The initial setup was straightforward. The deployment time depends on each customer. We have customers who have different infrastructures and their deployments are quite different. If we rack and stack it, around two, three days, maximum a week, but configuration and optimization take up to somewhere between six months and one year.

What other advice do I have?

I would rate it an eight out of ten. 

Disclosure: My company has a business relationship with this vendor other than being a customer: Reseller.
AS
Cyber Security Team Leader at a tech services company with 501-1,000 employees
Real User
Enables us to add extensions that provide valuable test ports but is not the best solution on the market

Pros and Cons

  • "The ability to add extensions is the most valuable feature. For example, extensions that provide valuable test ports."
  • "Their technical support is not good. We opened a lot of cases and from my experience, they are not complicated issues but it takes forever to get an answer."

What is our primary use case?

Our primary use case of this solution is for our customer's operations. 

What is most valuable?

The ability to add extensions is the most valuable feature. For example, extensions that provide valuable test ports.

What needs improvement?

I don't think this is the best solution on the market because it takes much longer than ArcSight, for example, which provides more flexibility and capability to create much more complex use cases. Other tools provide more valuable things that you can do for the active channel. 

I would like for them to develop out-of-the-box content that doesn't require too much customization. Most of the out-of-the-box content we get from it requires too much customization. I would also like to see dynamic filters and better cross-integration between functions.  

For how long have I used the solution?

Less than one year.

What do I think about the scalability of the solution?

We've only been using it for eight months so we haven't scaled much during this time but it seems to be very scalable. We use it a minimum of eight hours a day.

Which solution did I use previously and why did I switch?

We used ArcSight.

What about the implementation team?

We did the integration ourselves. It was straightforward. 

What's my experience with pricing, setup cost, and licensing?

It is cheaper than ArcSight. 

What other advice do I have?

I would rate this solution a six out of ten. 

Disclosure: I am a real user, and this review is based on my own experience and opinions.
VP
Manager-Cloud Security Operations at a retailer with 10,001+ employees
Real User
Top 20
It is really helpful to us from the compliance point of view.

Pros and Cons

  • "It is really helpful to us from the compliance point of view."
  • "The initial setup is not complex or difficult."
  • "The tech support is not that good."

What is our primary use case?

The primary use case for us is the plug and play implementation and it is pretty easy to set it up, and scale up the SIEM. It has a kind of a functionality to it. 

How has it helped my organization?

It is really helpful to us from the compliance point of view. Whenever we had an external lawyer come in, he used to ask us for the data retention and log retention. So, QRadar could put out reports that could audit for us within the log collections. It was very helpful for us to meet compliance requirements.

In addition, it is a helpful solution for forensic analysis. It will easily perform Google type searches and get the logs searched easily. This is really helpful for us, and gives us a quicker investigation.

What is most valuable?

The most valuable feature is that it is a one stop solution for many things. It is a manager for vulnerability, functionality, packet filtering, packet analysis and log analysis.

What needs improvement?

They have introduced a lot of different suites of products and functionalities, and that sometimes leads to confusion among the customers. There are a lot of options provided, and then I need to decide what my requirement is and what my desire is. I may be tempted to have a particular feature, but I have to decide whether it is relevant or not.

For how long have I used the solution?

More than five years.

What do I think about the stability of the solution?

The stability is very good. There is not a single point lacking in terms of stability. And, I have never faced technical issues.

What do I think about the scalability of the solution?

The scalability is good, especially with the introduction of data nodes. As of now, it is not a problem.

How are customer service and technical support?

The tech support is not that good. They often rely on their learned knowledge base, instead of getting their hands dirty upon the actual case issues. They just think of the traditional approach of "OK, try this, or that." Obviously, we already know which steps to follow, we need for them to come up with some out-of-the-box solutions. This delays the process of finding a solution to the problem. Unfortunately, this happens a lot.

Which solution did I use previously and why did I switch?

I previously used Splunk. And, we considered Sumo Logic, which has a similar kind of functionality. But, they are still in a very premature stage in terms of the product development.

How was the initial setup?

The initial setup was straightforward. It was not complex or difficult. It is not complicated.

What's my experience with pricing, setup cost, and licensing?

The cost of this product is expensive.

What other advice do I have?

If you are a medium to large size enterprise, you can surely consider IBM as one of the major contenders for your selection. If you are a small enterprise, QRadar may be too much for you, it may be too complex.

When deciding on a solution, we always consider:

  • Cost-benefit
  • Shelf-life of the solution
  • Security of the solution
Disclosure: I am a real user, and this review is based on my own experience and opinions.
AH
Senior Security Architect at a tech services company with 10,001+ employees
Real User
Has somewhat of a new structure recently compared to the last gen. They have moved from the standard UI based infrastructure.

Pros and Cons

  • "QRadar has somewhat of a new structure recently from last gen. They have moved from the standard UI based infrastructure."
  • "It has improved my efficiency."
  • "The Indian tech support is not helpful."
  • "It is not app based."

What is our primary use case?

My primary use case is for security monitoring. We activated freeze, proxy and firewalls and we collect data from them. We receive alerts and customize that according to our customer environments.

How has it helped my organization?

It has improved my efficiency. It has also reduced the implementing time. So we have reduced the time we are getting it readily available and you can just do small customizations. We can also do automation, as well using QRadar.

What is most valuable?

QRadar has somewhat of a new structure recently from last gen. They have moved from the standard UI based infrastructure. There are multiple aspects coming in which are actually plugin and play kind of stuff, we don't have to write rules, we don't have to create dashboards and all. For example, on the dashboard we have user behavior analytics. And, it is very helpful for us to use customization and build from scratch.

What needs improvement?

There are other solutions out there that have made it app based. They have a lot of apps available and they are readily integrated with other tools, as well.

For how long have I used the solution?

More than five years.

What do I think about the stability of the solution?

It is very stable. I've seen this product grow since it started. It initially started with another company and then it was bought by IBM.

What do I think about the scalability of the solution?

This tool is very user friendly, and is scalable. But, we do use other products in tandem with it.  

How are customer service and technical support?

There are three zones that make up the technical support team: one is Asia Pacific (where the people from IBM India work in that particular region), there is Europe (people from the UK and the Netherlands), and America (people from the US). When comparing these support teams, the Indian team is lacking.

What was our ROI?

There is an abundance of customers in the market who are actually using QRadar for their security monitoring purposes. This is a real advantage of this solution.

Which other solutions did I evaluate?

We compared it to Splunk. The only difference between QRadar and Splunk is that Splunk works on data analytics. This makes it easy to help create those data lakes and searches, whereas QRadar does not focus on that. The SQL database on the back end takes some time, and it's not so flexible in data storage or data lake creation, so that is the only drawback of QRadar. 

Additionally, Splunk is app based, and QRadar is not app based.

What other advice do I have?

There are new things that are coming up in QRadar, such as AI to IBM Watson. This is going to create a huge impact in these types of solutions, because we don't have an artificial intelligence coming in. There are other tools that have artificial intelligence, but IBM QRadar getting integrated with artificial intelligence is the next step.

It should be noted that the QRadar type products are actually changing their strategy. They will move on to the next stage that is called "Threat Hunting." Instead of waiting for some attack to happen and getting an alert, the new solutions will try to find those suspicious activities in your network or environment and resolve them before they create havoc.  

Disclosure: My company has a business relationship with this vendor other than being a customer: I am a reseller.
Omar Sánchez (Mr.Tech)
Information Security Advisor, CISO & CIO, Docutek Services at Docutek Services
Consultant
Leaderboard
It is not a user-friendly program.

Pros and Cons

  • "A nice benefit is when we go to the process of selecting our use cases, they go by building blocks. QRadar links it to building blocks."
  • "The initial setup was complex, and it took six months."
  • "QRadar needs a lot of fine tuning"

What is our primary use case?

My primary use case for this solution is to monitor security events in our cloud environment.

What is most valuable?

They do have a way to pre-configure, or have pre-configurations, for companies that are starting and don't know too much about SIEM or working with SIEMs. The solution uses SIEM to get the information to the managers, so I will say that they have an onboarding process that is very good if you are starting, because it already has what you need to start up.

In addition, they have more HIPAA. It's a pre-order on QRadar, so when we go to the process of selecting our use cases, they go by building blocks. QRadar links it to building blocks so we don't have too much to cut on it.

What needs improvement?

It is not a user-friendly program. It is a very glorified Excel program. I would love to see a more user-friendly version in a future rollout. 

In addition, the management services team needs some improvement. They are, at times, confused with our requests.

Network Breach

Another problem with QRadar, is that they have a very big signal protection. This needs to be fixed. You can only see what you know.  Let me give you an example of how I feel. Here is an analogy for you. Let's say you are a cowboy and you're on wild on the plains. You go out there and get your cows back, right? So you have a noose, you have your hat, your boots, your spurs, you are a real cowboy, right? But you are working on a, this is my opinion right? But you are working on building cars. So how would you look being fully dressed in all your gear, selling cars? It's like you are ready and prepared, you have your tools, but you don't like those rulings. You feel like you are in the wrong place.

Efficiency of Security Team

No, it has not improved the efficiency of our security team. They have an integrated mobile with Watson so what this means is when we have an event that has a high magnitude, Watson takes it and investigates, right? So every time I see an offense, I see Watson has gone and investigated this. What am I expecting from AI to do? I want to see location, what happened, what is it, sources, stuff like that. They just give you a routing chart of what I think was involved. I can do that with my bare hands, I don't need Watson to do that. So why am I paying for AI?

For how long have I used the solution?

One to three years.

How are customer service and technical support?

On a scale of one to four, I would rate it a four. We have had some issues. For example, the other day I wanted to add a new correlation. So I opened a ticket for that new correlation. I went to go change my correlation, but they took so long to get the correlations down. I had to go ahead and open the ticket before I got to change the management process.

Which solution did I use previously and why did I switch?

I have used Splunk in the past. 

How was the initial setup?

The initial setup was complex, and it took six months. 

What's my experience with pricing, setup cost, and licensing?

It is a pricey product. It is very expensive. 

Which other solutions did I evaluate?

QRadar needs a lot of fine tuning. I had to schedule meetings with IBM for help. For example, one of the things that we were having difficulties with QRadar is that the detection rules are sent by IBM and we wanted those detection rules. In one case, I know there's new malware out there, BlackIce, but I am not able in QRadar, because it's a managed service, to go in and create a detection rule that say the malware is out.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
it_user923115
Cloud Security Architect at Nordcloud Oy
Vendor
It's a state-of-the-art product for security information and event management

Pros and Cons

  • "It's a state-of-the-art product for security information and event management (SIEM)."
  • "There are a lot of great out-of-the-box features included."
  • "The quality of technical support depends on the IBM support person. Sometimes, it's hard to get the right person on the other side. A ticket coordinator could be the key to better quality delivery."
  • "The released patch quality is poor. IBM should test those patches on their side, not on the client's side."

What is our primary use case?

It is under a non-disclosure agreement (NDA).

How has it helped my organization?

  • It helps because you don't need an army to execute the project when you do the PoC, and when finally going to production. 
  • The abundant out-of-the-box features which are operating wonderfully.

What is most valuable?

  • It's easy to set up.
  • There are a lot of great out-of-the-box features included.
  • It's a state-of-the-art product for security information and event management (SIEM).

What needs improvement?

  • Slow response sometimes and a not-so-helpful staff there. So make the support better, and you could succeed even more.
  • The released patch quality is poor. IBM should test those patches on their side, not on the client's side. So, there is a lot of improvement to do. 
  • I would appreciate it if IBM could create another, more intuitive, easier way (an intuitive UI) to perform advanced searches rather than just relying on regular expressions.

For how long have I used the solution?

One to three years.

How are customer service and technical support?

The quality of technical support depends on the IBM support person. Sometimes, it's hard to get the right person on the other side. A ticket coordinator could be the key to better quality delivery.  

They are sometimes slow to respond and unhelpful.

What other advice do I have?

I highly recommend this product.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
Nizar Hedhili
General Manager at Global Solutions Services
User
Log correlation is very useful for processing alerts

What is our primary use case?

  • CRM and billing system
  • 100 multiple technology servers: Windows AD, Linux, HP-UX, etc.
  • 40 firewall multiple routers 
  • Cisco Nexus switches

How has it helped my organization?

Log correlation is very useful for processing alerts. It serves to follow up alerts in real-time, building an entire workflow.

What is most valuable?

  • DSM parsing
  • Log correlation
  • X-Force connectivity
  • Ease of DSM customisation
  • Multiple reports

What needs improvement?

  • Data encryption
  • Flow encryption
  • Third-party compliance
  • Its architecture is very complicated.
  • Its hardware is Lenovo-based.

For how long have I used the solution?

Three to five years.

Disclosure: My company has a business relationship with this vendor other than being a customer: IBM Partner
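Two features that reviewers on this page single out, the DSM Editor's custom parsing (the dig8labs review above) and log correlation for processing alerts (this review), come down to one pattern: a regex with a capture group per property applied to the raw payload, a map from the raw event name to a category and outcome, and a stateful rule run over the normalized events. The Python below is an added illustration of that pattern written for this page; it is not QRadar code and does not call any QRadar API. The sshd-style log lines are constructed, and the property regexes, the failure threshold and the time window are assumptions for this sample format.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample events (not captured from any real system): sshd-style
# syslog lines with an ISO timestamp, which a stock parser might not handle.
SAMPLE_LOGS = [
    "2021-11-01T10:00:01Z host1 sshd[1001]: Failed password for alice from 203.0.113.5 port 4242 ssh2",
    "2021-11-01T10:00:03Z host1 sshd[1001]: Failed password for alice from 203.0.113.5 port 4243 ssh2",
    "2021-11-01T10:00:05Z host1 sshd[1001]: Failed password for alice from 203.0.113.5 port 4244 ssh2",
    "2021-11-01T10:00:09Z host1 sshd[1002]: Accepted password for alice from 203.0.113.5 port 4245 ssh2",
    "2021-11-01T10:05:00Z host2 sshd[2001]: Failed password for bob from 198.51.100.7 port 5555 ssh2",
    "2021-11-01T10:05:02Z host2 sshd[2001]: Accepted password for bob from 198.51.100.7 port 5556 ssh2",
    "2021-11-01T10:06:00Z host1 sshd[1003]: Connection closed by 203.0.113.9 port 1234",
]

# Property extraction: one regex with one capture group per property, applied
# to the raw payload. This mirrors how a custom property is defined in a DSM
# editor; the specific expressions are assumptions for this sample format.
PROPERTIES = {
    "timestamp": re.compile(r"^(\S+)"),
    "hostname": re.compile(r"^\S+\s+(\S+)"),
    "event_name": re.compile(r"sshd\[\d+\]: (Failed password|Accepted password|Connection closed)"),
    "username": re.compile(r"password for (\S+) from"),
    "src_ip": re.compile(r"from (\d{1,3}(?:\.\d{1,3}){3})"),
}

# Event mapping: raw event name -> (category, outcome). Names not in the map
# are kept and tagged Unknown rather than dropped, so nothing is lost silently.
EVENT_MAP = {
    "Failed password": ("Authentication", "failure"),
    "Accepted password": ("Authentication", "success"),
    "Connection closed": ("Session", "info"),
}


def parse_event(line):
    """Normalize one raw line into a dict of properties plus category/outcome."""
    event = {"payload": line}
    for name, regex in PROPERTIES.items():
        match = regex.search(line)
        event[name] = match.group(1) if match else None
    event["category"], event["outcome"] = EVENT_MAP.get(
        event["event_name"], ("Unknown", "unknown"))
    event["time"] = None
    if event["timestamp"]:
        try:
            event["time"] = datetime.strptime(
                event["timestamp"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        except ValueError:
            pass  # unparseable timestamp: keep the event, leave time unset
    return event


def correlate(events, threshold=3, window=timedelta(minutes=2)):
    """Stateful rule: at least `threshold` authentication failures from one
    source IP for one user, followed by a success for the same pair, all
    within `window`. Each hit becomes one offense-like record."""
    failures = defaultdict(list)  # (src_ip, username) -> failure times
    offenses = []
    timed = [e for e in events if e["time"] is not None]
    for ev in sorted(timed, key=lambda e: e["time"]):
        if ev["category"] != "Authentication":
            continue
        key = (ev["src_ip"], ev["username"])
        # Drop failures that have aged out of the sliding window.
        failures[key] = [t for t in failures[key] if ev["time"] - t <= window]
        if ev["outcome"] == "failure":
            failures[key].append(ev["time"])
        elif ev["outcome"] == "success":
            if len(failures[key]) >= threshold:
                offenses.append({
                    "src_ip": key[0],
                    "username": key[1],
                    "failures": len(failures[key]),
                    "time": ev["time"],
                })
            failures.pop(key, None)  # a success resets the counter either way
    return offenses


if __name__ == "__main__":
    for offense in correlate(parse_event(line) for line in SAMPLE_LOGS):
        print(offense)
```

Run on the constructed lines, the rule fires once, for alice from 203.0.113.5 after three failures and a success, and stays quiet for bob, whose single failure is below the threshold. Lines the mapping does not know are still parsed and kept as Unknown, which is the behaviour a SIEM needs so that a new log format shows up as unmapped events rather than disappearing.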
AT
Software Trainee at a tech services company with 1,001-5,000 employees
Consultant
Senses, tracks, and links significant incidents and threats

What is most valuable?

Almost every feature is useful. In particular:

  • Sense and detect fraud, both insider and advanced threats.
  • Sense, track, and link significant incidents and threats.

What needs improvement?

The tool is already automated in many ways, but there are some additional functions which should be automated, like sending an email, mobile notification, and integration of XFS.

For how long have I used the solution?

Less than one year.

What other advice do I have?

Overall, I love this product.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
Srijan-Sivakumar
Director of Market Enabling Solutions at Raksha Technologies Pvt Ltd
Reseller
In one single pane of glass, we can see all the issues. Though, the architecture could be improved.

Pros and Cons

  • "On the back-end, Watson helps me figure out an exact problem, sometimes giving me the result."
  • "It saves a lot of time. We integrate the customer's firewall with all their networking devices."
  • "This console gives you the entire view, which makes life easier and allows you to take precautionary measures."
  • "The architecture could be improved. I got stuck for a long time trying to understand the architecture, as it is quite challenging."

What is our primary use case?

Its primary use case is for people who want to manage all of their logs with analytics and correlate that between different security devices whose logs are related. 

This solution is performing well.

How has it helped my organization?

It saves a lot of time. We integrate the customer's firewall with all their networking devices. If there is an issue, it helps us do the proactive work before it becomes a bigger issue. We are able to pinpoint issues and solve them.

Additionally, it is very easy to figure out. In one dashboard, we can see all the issues. There is no need to login to every device. In one single pane of glass, we can see everything.

What is most valuable?

Watson, which is an artificial intelligence, is the most valuable feature. On the back-end, Watson helps me figure out an exact problem, sometimes giving me the result. I never would have imagined this before.

What needs improvement?

The architecture could be improved. I got stuck for a long time trying to understand the architecture, as it is quite challenging.

For how long have I used the solution?

Three to five years.

What do I think about the stability of the solution?

The stability is good.

What do I think about the scalability of the solution?

It is a combination of multiple factors. The issue is from the customer side, not from QRadar. If you are able to get the right details from the customer, this solution is scalable.

How are customer service and technical support?

I am not involved with technical support because I am in pre-sales.

Which solution did I use previously and why did I switch?

Factors in switching were the console view, as well as Watson. IBM Watson makes a huge difference on the product side.

What's my experience with pricing, setup cost, and licensing?

I do not have control over pricing, though I do help customers with their sizing.

Which other solutions did I evaluate?

I select the vendor based on the customer's requirements. On the customer side, pricing is very important. They also consider the support to be an important factor.

My present organization does mostly IBM business. We have a very good rapport with the IBM team. We have won a lot of cases against competitors. We get trained frequently, so if there is an update, then we are prepared. 

We are able to see the rapid growth of IBM through QRadar compared to the other SIEM tools.

What other advice do I have?

I would rate it a seven out of 10. I have had some challenges integrating this solution.

Each organization is looking for security. If you have a SIEM tool, you can integrate it with all of your security devices, and get all your security logs. This console gives you the entire view, which makes life easier and allows you to take precautionary measures.

People who handle only four or five security devices spread across the globe should go with this SIEM tool.

Disclosure: My company has a business relationship with this vendor other than being a customer: Reseller.
PL
Network Security Engineer at a wellness & fitness company with 10,001+ employees
Real User
It is the core of our entire SOX

Pros and Cons

  • "It is the core of our entire SOX."
  • "Due to the skills shortage, we are able to use it from the standpoint of bringing in a lower level employee or a person who may not have security knowledge."
  • "We run 65 servers globally with just two people: an engineering person and me."
  • "The technical support is poor. Mostly because when I open a PMR for IBM, I am stuck with Level 1 staff. As an engineer, nothing that I am bringing them does not require Level 2 or Level 3 support."

How has it helped my organization?

QRadar improved risk assessment and vulnerability, plus it has reduced some staff. It has also improved the training abilities of the people who use it, e.g., IR teams. It is the core of our entire SOX. Therefore, we use it for everything through training all the way up through management. 

Due to the skills shortage, we are able to use it from the standpoint of bringing in a lower level employee or a person who may not have security knowledge. We can put them in front of the product and they will still have the information that they need and have them at a level where they can run the system. Also, products, like Watson, make it work better.

What needs improvement?

The overall workload automation should be built into it. Part of the efficiency side of it is the ability to take the information as it comes in and assign it into a group. Now, the team leader no longer needs to assign it manually. He manages the workflow as it comes in directly to the individuals. Then, the individuals respond on it. As it closes, it goes back to the workflow, recording the amount of time it took for them to close it. It should show: 

  • How long did it take to get assigned?
  • How long did it take for the person to open it?

Then, you can show that a person may have issues opening network problems.

Network Breach

We have not suffered a network breach.

Efficiency of Security Team

The solution has improved the efficiency of our security team.

Events per Day

We are at 115,000 events per second.

For how long have I used the solution?

More than five years.

What do I think about the stability of the solution?

We run 65 servers with just two people: an engineering person and me.

What do I think about the scalability of the solution?

We have 65 servers globally, and I just got my own.

How are customer service and technical support?

The technical support is poor. Mostly because when I open a PMR for IBM, I am stuck with Level 1 staff. As an engineer, nothing that I am bringing them does not require Level 2 or Level 3 support. Most of the stuff that I open ends up as code changes or bug fixes.

Our company is far more mature than most. Our issue is that the support is slow.

How was the initial setup?

It was a whole different product when we installed it.

What other advice do I have?

The most important criteria when selecting a vendor: stability. The security space is tough. Unlike a lot of other spaces, IBM will not be bought anytime soon as a 100-year-old company.

Disclosure: IT Central Station contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
Sebastian Osterc
Member at CIFAL Argentina
Reseller
The scalability is awesome, because QRadar includes other solutions in the same console

How has it helped my organization?

QRadar improved risk assessment and vulnerability, plus reduced staff.

What is most valuable?

The threat protection integration with other vendors.

What needs improvement?

The user interface needs improvement.

Network Breach

We have not suffered a network breach.

Events per Day

Our deployment collects nearly 100 events a day. We often wield a backlog.

What do I think about the stability of the solution?

Stability is great.

What do I think about the scalability of the solution?

The scalability is awesome, because QRadar includes other solutions in the same console.

How are customer service and technical support?

I have not used technical support.

How was the initial setup?

I was not involved in the initial setup.

Which other solutions did I evaluate?

We evaluated Check Point, but went with IBM because of price.

What other advice do I have?

Most important criteria when selecting a vendor: Our customers need a cross of different units which make up a better solution for them.

Disclosure: My company has a business relationship with this vendor other than being a customer: Reseller.
Douglas Concepcion
Security Solutions Architect at Micro Strategies
Real User
It has helped us with our response time to threats

Pros and Cons

  • "It showed us where weaknesses were in our environment, so we could actively target those patches first."
  • "Do your research before implementing it, because it is tough to implement."

How has it helped my organization?

It has helped us with our response time to threats. It also showed us where weaknesses were in our environment, so we could actively target those patches first.

What is most valuable?

It works well with IBM products.

What needs improvement?

QRadar's issue is it needs to add behavioral analytics. The product's behavioral engine is weak. It just uses algorithms. It should be an equation that is recursively applied. This will provide true behavior.

Network Breach

I have only once experienced a network breach with QRadar. QRadar detected the breach within an hour and the triage investigation took another four hours. Overall, it took about six hours to remediate everything. 

Efficiency of Security Team

With QRadar, everything runs better.

What do I think about the stability of the solution?

It is a very stable product. I cannot say anything bad about it.

What do I think about the scalability of the solution?

It is very scalable. It does a good job.

How are customer service and technical support?

Their Level 1 support is weak, but the support that we worked with to set up our feature sets is good. Their Level 2 and 3 support are good to work with overall, like most companies.

We contacted their technical support about adding more feature sets. We worked with their engineers to set up the feature sets that we wanted to expand upon and deliver the product, which they did.

Which solution did I use previously and why did I switch?

We originally used ArcSight, which got cumbersome and expensive. Also, HPE ruins everything that it touches. Therefore, we moved to QRadar.

How was the initial setup?

It is a pain to set up; basically it is not that easy.

Which other solutions did I evaluate?

We evaluated LogRhythm and Splunk. 

  • LogRhythm had limitations.
  • Splunk was never designed to be a SIEM.

What other advice do I have?

Do your research before implementing it, because it is tough to implement.

Most important criteria when selecting a vendor: support. I say this to every vendor.

It is not always about pricing, which is nice when we start, but when the crap hits the fan, I want the vendor to be there with me.

Disclosure: IT Central Station contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
it_user398799
Sr. Security Analyst with 1,001-5,000 employees
Real User
Enables us to integrate with some of the top security products on the market

What is our primary use case?

In recent years, our focus has been the third-party integrations. Like most companies, we have several security products. (I hope most other companies are not relying on a single product). The challenge with a SIEM is taking the data produced by a log source and presenting it in a readable manner for technical and non-technical staff. That can be done with custom-built reports or in dashboards. With the IBM Security App Exchange you add a new extension (i.e. download from the App Exchange site) and configure it.

How has it helped my organization?

Since IBM opened up the API for third-party app integration it has made it increasingly easy to add other tools into the dashboards.

What is most valuable?

Currently, the App Exchange offers over 192 applications that allow QRadar to integrate with some of the top security programs on the market, along with extension add-ons provided by QRadar. Some third-party apps include (but are not limited to) Splunk, McAfee, Cisco, Carbon Black, Palo Alto, ObservIT, Exabeam, Gigamon, PhishMe. Extension add-ons by QRadar include report extensions, MS AD extensions, user behavior analytics, etc.

We have a very small team and anytime I can integrate with our other tools, and save time doing so, that is a plus for my company.

What needs improvement?

Keep up with more apps. They need to continue working with other companies to develop apps for integrations. Yes, they currently have 192 apps, but that number is nowhere near the number of security products on the market. That means if your company has a product that is not in the application list then you just have to work a little harder to pull the data you need from the log source.

I'm not against hard work, I'm just trying to work smarter and faster. Time is money, so saving time without compromising the end product is a win for everyone. It would reflect well for IBM because it would show they understand the customers’ needs and it would reflect well internally because we would be able to present cleaner dashboards and reports without hours or days devoted to building them.

For how long have I used the solution?

More than five years.

What do I think about the stability of the solution?

We experienced some memory usage issues with a user behavior app.

What do I think about the scalability of the solution?

We haven't really had any scalability issues. You are always limited to your EPS/FPM licensing, so you have to make sure you don’t exceed those limits.

How are customer service and technical support?

Tech support is excellent.

How was the initial setup?

The initial setup is straightforward.

Which other solutions did I evaluate?

We do a SIEM solutions review every few years. Other options we have evaluated: LogRhythm, Splunk, AlienVault.

What other advice do I have?

Research, and don’t be afraid to do a few PoCs. Also, make sure you have a team for the tool. Most solutions require a team, so if you cannot apply a team towards the tool then hopefully you can use one of the managed SIEM options.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
Luis Yndigoyen
Partner at a tech services company with 11-50 employees
Real User
It has a high degree of interconnection with other systems

Pros and Cons

  • "We have the ability to monitor each instance that originates in the process along with the performance of each department."
  • "For the common needs of clients to fulfill requirements, a real integration with Blueworks Live (BPA modeling tool also from IBM) and a more suitable BPM on cloud solution for midsize customers."

What is our primary use case?

  • Origination process in banks.
  • Insurance claims on insurance companies.

How has it helped my organization?

We are a consulting company, but our clients use it to ensure that the process has been followed. We have the ability to monitor each instance that originates in the process along with the performance of each department. In addition, clients can enter details at the instance level.

What is most valuable?

  • UI capabilities
  • High degree of interconnection with other systems.
  • The business activity monitoring on the part of the solution.

What needs improvement?

For the common needs of clients to fulfill requirements, a real integration with Blueworks Live (BPA modeling tool also from IBM) and a more suitable BPM on cloud solution for midsize customers.

For how long have I used the solution?

More than five years.

What do I think about the stability of the solution?

No stability issues.

What do I think about the scalability of the solution?

No scalability issues.

How are customer service and technical support?

The technical support is good enough.

Which solution did I use previously and why did I switch?

We previously used Oracle BPM. We switched for a BPM project with IBM, because it has a better tool at the same price level range.

How was the initial setup?

Always the sizing on any BPM project is challenging, as with any BPM tool.

What's my experience with pricing, setup cost, and licensing?

IBM is a Ferrari if you are beginning with a concept. If it will be a pilot project, take a look at Red Hat Process Automation Manager or jBPM. Be realistic about the users' quantity. A good approach would be to begin with an On Cloud subscription, then later on do a more exact sizing.

Which other solutions did I evaluate?

We evaluated Red Hat and Bonita. We now prefer Red Hat for the price.

What other advice do I have?

Ensure you have the functional skills on BPM and the technical skills on IBM BPM.

We used to be IBM partners, but are not anymore. Now, we are Red Hat partners.

Disclosure: IT Central Station contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
JK
Lead Security Infrastructure Engineer at a financial services firm with 5,001-10,000 employees
Real User
Single pane of glass for analysts and SIEM administrators

Pros and Cons

  • "It is incredibly easy to deploy. All the appliances are flexible in the roles that they serve and are all managed in the same way."
  • "Needs better visualization options beyond the time series charts and a few other options that they have."

How has it helped my organization?

It has provided support for several log sources, which has historically been problematic/unsupported by competitors. It is easy to make changes on the fly to default parsers to customize fields/mappings to our use cases.

What is most valuable?

  • Ease of use
  • Time to value in implementation
  • Single pane of glass for analysts and SIEM administrators

What needs improvement?

  • User/identity modeling needs improvement. However, it seems that they are already focusing on that. 
  • Needs better visualization options beyond the time series charts and a few other options that they have.

For how long have I used the solution?

One to three years.

What do I think about the stability of the solution?

We have definitely not encountered any issues with stability.

What do I think about the scalability of the solution?

We have definitely not encountered any issues with scalability.

How are customer service and technical support?

Better than average versus their competitors.

Which solution did I use previously and why did I switch?

We previously used McAfee and ArcSight. We made the switch to IBM QRadar for scalability, ease of administration and use.

How was the initial setup?

It is incredibly easy to deploy. All the appliances are flexible in the roles that they serve and are all managed in the same way. Adding log sources is very straightforward, along with device updates, etc., which are all centrally managed.

What's my experience with pricing, setup cost, and licensing?

Pricing and licensing are competitive. Their new licensing options allow logs to bypass the correlation engine for a flat rate, which is also appealing for log data that is compliance-driven for a small amount of money.

Which other solutions did I evaluate?

We evaluated ArcSight, LogRhythm, Splunk, etc.

What other advice do I have?

Understand how your analysts need to use SIEM to execute use cases. This platform can collect and normalize data better than just about anything (if you want it to), but it will not be useful if it is not presented in a useful way.

Disclosure: IT Central Station contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
ITCS user
Vulnerability Manager at a tech services company with 51-200 employees
Reseller
Once an offense comes through, you can then see from the log sources who or what triggered it.

How has it helped my organization?

Normally, an offense comes in, and an offense is something negative, to put it plainly, that impacted your environment. Once it comes through, you can then see from the QRadar log sources who or what triggered the offense. For example, if an IP is browsing somewhere where it shouldn't be browsing. Let's say that one of your log sources reported it back to QRadar. You can see if the IP browsed certain websites where it shouldn't be browsing. When you right-click and go to the threat protection network, that will normally show you who is browsing, where that IP is coming from, what type of website it is browsing, and if it is good or bad. If it's bad, it will give you recommendations on how to resolve the issue.

What is most valuable?

The threat protection network is the most valuable feature because when you get an offense, you can actually trace it back to where it originated from, how it originated, and why.

What needs improvement?

I would like to see a more user-friendly product. I would like them to make it much more user-friendly. At this stage, you need to use a lot of widgets to do your searches.

To do advanced searches, you must write a lot of regex expressions.

What do I think about the stability of the solution?

In the first year I used it, there were a few stability problems. In the previous three years, there haven’t been any stability issues.

What do I think about the scalability of the solution?

I've seen no scalability issues in any of the environments where I am working at the moment. I've seen how it handles a lot of load. I'm talking about a 5,000-user environment. It can handle a lot of logs and events coming through simultaneously.

If you spec it properly, with the proper hardware requirements, then it doesn't crash. I've seen how people give it way less specs than it should have, and then it does crash. But that was the fault on the users' side, and not the fault of the product.

How are customer service and technical support?

I would give technical support a rating of 8/10. When they help you with a call for a problem with the product, which I've had twice, the next day, they roll out an update worldwide for all their products to be patched on that problem.

They lose too much time, in my opinion. Normally, you struggle a bit to get a hold of them and get to the correct person to assist you. Even though this isn't a very big delay, it usually takes about an hour. However, in my company, an hour can make a very big difference in my life. For example, it will take me about an hour to an hour and a half to get support from them. I'm a person who loves to get it done now. So if you don't mind waiting about an hour, then it can be very good support. When you log a call with IBM, it takes them about an hour to start working on the problem.

Which solution did I use previously and why did I switch?

We used Splunk in the past and we are using both products at the same time.

How was the initial setup?

The setup was very straightforward. It's basically "next, next, and next", and then you are finished.

Which other solutions did I evaluate?

I wasn't completely part of the whole process when they chose a product. I know they evaluated AlienVault, which unfortunately I do not have any experience with. I'm not able to provide pointers as to why the company chose IBM QRadar. I believe it's because we are a partner with them.

What other advice do I have?

Just spec it correctly and it will do its job for you. It has an active community. IBM patches the product regularly when problems are picked up. I haven’t heard about a lot of problems from other people using the product. When we only have four hours to respond, an hour can make a difference in waiting for support.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
FarhanAli
Security Analyst at a security firm with 11-50 employees
Real User
With more than 120 extensions, it can improve your event analysis

Pros and Cons

  • "There are more than 120 extensions in QRadar, which are easy to install and configure. These can improve your analysis of events."
  • "It comes with many rules disabled. You can tune them and modify them according to your enterprise needs and avoid false positives."
  • "QRadar log integration of various applications can be a tough job at times. There may be occasions when you will not find any QRadar guide on adding logs of a particular application. Even if you come across one, adding a log process is not an easy one."

What is our primary use case?

SIEM solutions must be business driven. Utilizing a SIEM solution depends on your enterprise goals, from meeting compliance requirements to implementing security controls and identifying the absence of controls. A SIEM solution can also be used to improve your business and increase your sales. With QRadar, you can do all these, even if you are not a security expert. It comes with a set of default rules which makes your life easier, from ransomware attacks to DDoS attacks. Everything can be detected if your logs are properly integrated into QRadar.

It gets better with extensions and other rules you install from the IBM Security App Exchange, where you can detect malicious website access (with the intent of ransomware), P2P activity, or someone spamming everything. You can be notified, then you can run scripts to make QRadar take an action. 

I am a security analyst working with QRadar.

How has it helped my organization?

It is always evolving with new patches, new UX/UI (such as 7.3), new rules, and new extensions. It lets you evolve your company accordingly.

The usage of QRadar or any SIEM solution depends on the company goals, but with QRadar, the user interface, the dashboards, reports, installing extensions, and playing with the rules are easier. 

QRadar has helped our company a lot in evolving our security policy and taking care of weak controls. QRadar helped us in the blacklisting and whitelisting of applications. It helped us identify our security threats, and improve our firewalls. With the QRadar Vulnerability Manager, it helped us take care of vulnerable assets. 

What is most valuable?

  • Its default set of rules: It comes with many rules disabled. You can tune them and modify them according to your enterprise needs and avoid false positives.
  • The extension management: There are more than 120 extensions in QRadar, which are easy to install and configure. These can improve your analysis of events. 
  • UBA 2.7: It can help you detect insider threats. 

What needs improvement?

QRadar log integration of various applications can be a tough job at times. There may be occasions when you will not find any QRadar guide on adding logs of a particular application. Even if you come across one, adding a log process is not an easy one. Plus, it is also vulnerable because the ports used to integrate those log sources with QRadar are well-known and most of them are vulnerable ones. 

For how long have I used the solution?

Three to five years.

What do I think about the scalability of the solution?

QRadar is easily scalable in many ways: vertical and horizontal.

  • Horizontal: You can increase the QRadar processing power with QRadar App Node and Data Node.
  • Vertical: You can always implement multiple QRadars: event collectors and flow collectors, and then you can route your offenses, such as events and flows, from one QRadar to the next one.

How are customer service and technical support?

Buying anything, an enterprise must look for troubleshooting and fixing its issues using its support. With QRadar, all those things are easily available and just a click away on the Internet. From IBM Fixlet to dW Answers, you can do a lot.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
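The offense workflow described in the Vulnerability Manager review above (an offense comes in and is traced back to the log sources and events that triggered it) and the rule tuning described in this review (default rules you adjust to avoid false positives) can be shown with a small model. The following is an added example written for this page, not QRadar code and not the reviewers' own; the log lines, the two log source names, the blocklist category, the threshold and the allowlist are all constructed, and the rule is a deliberately simplified stand-in for a real correlation rule.

```python
"""
Toy model of the SIEM offense workflow: normalize events from several log
sources, evaluate one correlation rule, and raise an "offense" that keeps a
link back to every event and log source that triggered it.
Illustration only; not QRadar code. All sample data below is constructed.
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample logs from two hypothetical log sources (not real hosts).
RAW_LOGS = [
    ("proxy-01", "2021-11-02T10:00:01Z src=10.1.1.7 dst=badhost.example category=malware action=allowed"),
    ("proxy-01", "2021-11-02T10:00:20Z src=10.1.1.7 dst=badhost.example category=malware action=allowed"),
    ("fw-edge",  "2021-11-02T10:00:25Z src=10.1.1.7 dst=badhost.example category=malware action=blocked"),
    ("proxy-01", "2021-11-02T10:01:00Z src=10.1.1.9 dst=intranet.example category=business action=allowed"),
    ("proxy-01", "2021-11-02T10:30:00Z src=10.1.1.7 dst=badhost.example category=malware action=allowed"),
    ("fw-edge",  "2021-11-02T10:02:00Z src=10.1.1.20 dst=scanner.example category=malware action=allowed"),
    ("fw-edge",  "2021-11-02T10:02:05Z src=10.1.1.20 dst=scanner.example category=malware action=allowed"),
    ("fw-edge",  "2021-11-02T10:02:10Z src=10.1.1.20 dst=scanner.example category=malware action=allowed"),
]

# Hypothetical tuning: 10.1.1.20 is an internal vulnerability scanner whose
# traffic would otherwise raise a false positive.
TUNED_ALLOWLIST = frozenset({"10.1.1.20"})

LINE_RE = re.compile(
    r"(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) "
    r"category=(?P<cat>\S+) action=(?P<action>\S+)"
)


@dataclass
class Event:
    log_source: str
    ts: datetime
    src: str
    dst: str
    category: str
    action: str
    raw: str


@dataclass
class Offense:
    rule: str
    source_ip: str
    events: list  # contributing events, each carrying its log source


def normalize(log_source, line):
    """Parse one raw line into a normalized Event; None if it does not parse."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return Event(log_source, ts, m["src"], m["dst"], m["cat"], m["action"], line)


def detect(events, threshold=3, window=timedelta(minutes=5), allowlist=frozenset()):
    """Rule: a source IP reaching a 'malware'-category destination at least
    `threshold` times inside `window` raises one offense for that IP.
    Sources on the tuned allowlist are skipped to avoid known false positives."""
    by_src = defaultdict(list)
    for e in sorted(events, key=lambda e: e.ts):
        if e.category == "malware" and e.src not in allowlist:
            by_src[e.src].append(e)

    offenses = []
    for src, evs in by_src.items():
        start = 0
        for end in range(len(evs)):
            # slide the window start forward until the span fits
            while evs[end].ts - evs[start].ts > window:
                start += 1
            if end - start + 1 >= threshold:
                offenses.append(Offense("Repeated malware-category access", src, evs[start:end + 1]))
                break  # one offense per source IP in this toy model
    return offenses


def run_demo(allowlist=frozenset()):
    """Normalize the constructed logs and run the rule; returns the offenses."""
    events = [normalize(src, line) for src, line in RAW_LOGS]
    return detect([e for e in events if e is not None], allowlist=allowlist)


if __name__ == "__main__":
    for o in run_demo(allowlist=TUNED_ALLOWLIST):
        print(f"OFFENSE {o.rule}: {o.source_ip}")
        for e in o.events:  # the trail back to each contributing log source
            print(f"  [{e.log_source}] {e.raw}")
```

Without the allowlist the rule fires twice (once for the scanner), with it only the 10.1.1.7 offense remains, and that offense carries three contributing events from two different log sources, which is the trail an analyst follows from the offense back to its origin.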
Daniel Christian
Operations Analyst at a logistics company with 51-200 employees
Real User
Helps a company when investigating a case and with preventive actions

What is our primary use case?

I used the IBM QRadar product from 2015 until 2017.

How has it helped my organization?

When the WannaCry attack happened, QRadar helped the company a lot with the investigation of the firewall, antivirus, and other appliances.

What is most valuable?

The "Network Activity" feature was really good. An engineer can live monitor all the flow happening in real-time. This would help us a lot while investigating a case, and it would even help us with preventive actions.

What needs improvement?

QRadar needs to be improved on the storage side, particularly when the disk exceeds the maximum threshold.

For how long have I used the solution?

One to three years.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
Mathieu Dorckel
Cybersecurity Engineer Consultant at a tech services company with 501-1,000 employees
Consultant
Its correlation and the parsing features result in good scalability and performance

Pros and Cons

  • "The correlation and the parsing are important features, since it is very important for a SIEM to have a good scalability and performance."
  • "The weak signal detection with QRadar needs improvement. You can detect what you know, but what is unknown to the rule engine can't be detected."

What is our primary use case?

My use case is the deployment of an X-Force successful connection with a botnet and malware website. An X-Force feed is free with QRadar.

I have been using the product for three years now. I used it for six months at an internship to PoC some different SIEMs and for two and a half years as an administrator. Now, I am using it as an architect.

How has it helped my organization?

Previously, we had to do a lot of debugging when we wanted to change our firewall policy to find out which rule was blocking things, etc. With QRadar, when you integrate the logs of the firewall, you have the info in real time with two clicks.

What is most valuable?

The correlation and the parsing are important features, since it is very important for a SIEM to have a good scalability and performance.

What needs improvement?

The weak signal detection with QRadar needs improvement. You can detect what you know, but what is unknown to the rule engine can't be detected, similar to a base rule of SIEM.

For how long have I used the solution?

Three to five years.

What do I think about the stability of the solution?

Sometimes, but not from the system itself, but from the amount of logs it has received.

What do I think about the scalability of the solution?

Not at all.

How are customer service and technical support?

Technical support is good when they are using WebEx. By portal, they are slow and inefficient.

Which solution did I use previously and why did I switch?

My service since the beginning has been to only sell and manage QRadar.

How was the initial setup?

It is very easy to deploy. It is not a user-friendly way to deploy, but for IT guys who have the skills of Linux servers, etc., it is easy.

What's my experience with pricing, setup cost, and licensing?

Think what you will integrate into QRadar. It is a SIEM. You need to send it logs, but not everything.

Pricing (based on EPS) will be more accurate.

Which other solutions did I evaluate?

I had the chance to test some other products, and there is a lot of them on the market. However, when you have to deploy and manage it, not just demo it, it is a total different story.

QRadar is not perfect, but I have had the chance to manage ArcSight, Sumo Logic, Unomaly, and RSA for some specific features, and comparatively, QRadar is good.

What other advice do I have?

Think scalability and make sure your product can be integrated into QRadar.

Disclosure: My company has a business relationship with this vendor other than being a customer: Partner.
MazenHindawi
Network and Security Technical Team Leader at a wholesaler/distributor with 201-500 employees
Real User
A good integration with the artificial intelligence engine of Watson

Pros and Cons

  • "It does good correlation for events. It does good general analysis, and it has good apps as well."
  • "It has a good integration with the artificial intelligence engine of Watson."
  • "IBM needs to invest more into the collaboration with other vendors."
  • "The implementation and configuration are not easy."

What is our primary use case?

We work with it in the banking sector. We had torrent limitations and big banks could join them. It has performed well. However, the limitation is not easy, so the product is not easy.

You cannot get the real value of the product unless you combine it with the other products from IBM, like BigFix, the full integration of Vulnerability Management, and so on. 

How has it helped my organization?

The product is great. It does good correlation for events. It does good general analysis, and it has good apps as well.

What is most valuable?

  • The artificial intelligence ease of integration; it has a good integration with the artificial intelligence engine of Watson.
  • There is good collaboration between IBM Cloud and all IBM customers. 

What needs improvement?

The implementation and configuration are not easy.

We would like to see user behavior analysis in the next release. IBM claims they have this feature, but I do not see it as mature as in Splunk. 

For how long have I used the solution?

One to three years.

What do I think about the stability of the solution?

The stability of the solution is great.

What do I think about the scalability of the solution?

Technically, there are no scalability issues.

How is customer service and technical support?

Support is good. The technical engineers seem to know what they are doing. However, the escalation response is bad. An escalation takes time, because the response time is not as fast as it should be.

How was the initial setup?

The implementation is complex.

What's my experience with pricing, setup cost, and licensing?

It is expensive. It is not a product that I can provide for SMBs. It is a program that I can only provide for really large enterprises.

Also, the maintenance costs are high.

What other advice do I have?

IBM needs to invest more into the collaboration with other vendors.

If you want to go to IBM, do not just go for QRadar. You need QRadar and all the products that surround QRadar, especially BigFix, because the product is ten times stronger with it.

Most important criteria when selecting a vendor: 

  • The technical features of the solution.
  • The people in my region at the vendor.
  • The perspective of the project manager on the customer side.
  • Data involved and time of the implementation. 
  • The needs of the customer.
  • The cost of the project.
  • Training involved.
Disclosure: My company has a business relationship with this vendor other than being a customer:
JC
Director, Cybersecurity at a tech company with 51-200 employees
User
It has a logical, user-friendly GUI

What is our primary use case?

We used QRadar SIEM over Juniper Secure Analytics platform. 

The company profile is telecom. The infrastructure has a large geographical spread.

How has it helped my organization?

IBM QRadar is a great help, from its security event monitoring to data center and NOC troubleshooting of issues that are hard for other departments to spot.

What is most valuable?

  • It has a logical, user-friendly GUI. 
  • Very easy to drill down in offenses and get to the bottom of raw data.

What needs improvement?

Dashboards and reports could provide better visualization of SIEM activity. 

An executive or CISO dashboard would be nice to have by default.

For how long have I used the solution?

Three to five years.

What other advice do I have?

The tool gets better value in the hands of an experienced security analyst. 

Disclosure: I am a real user, and this review is based on my own experience and opinions.
ITCS user
Sr SIEM Consultant at a tech services company with 51-200 employees
Consultant
Built-in rules are enabled by default and tunable to meet the specific needs of each organization.

Pros and Cons

  • "Network-Based Anomaly Detection (NBAD): Using NetFlow, JFlow, SFlow, or QFlow (all 7 layers), offenses are detected as a response when a rule is triggered."
  • "Some UI enhancements would be nice, such as exporting custom event properties and the ability to export rules."

What is our primary use case?

As a PS consultant on projects where the customer is transitioning from a competitor's SIEM to QRadar, they are very pleased when they see the number of quality offenses being caught soon after implementation and integration of log sources just from the out-of-the box rules enabled by default.

How has it helped my organization?

As a Professional Services consultant, I have heard many reports of how QRadar SIEM has quickly identified offenses which the users were unaware of previously. In addition to giving CISOs gained visibility and increasing security posture, QRadar adheres to an organization's regulatory compliance across a number of industries (i.e. Healthcare, Financial, Retail, Energy and Government).

What is most valuable?

  • Correlation Rule Engine, built-in use cases: QRadar has the highest number of built-in use cases among any SIEM on the market. There are many built-in rules that are enabled by default and easily tunable to meet the specific needs of each organization. The correlation engine automates what is a manual process for many SIEM platforms.
  • Network-Based Anomaly Detection (NBAD): Using NetFlow, JFlow, SFlow, or QFlow (all 7 layers), offenses are detected as a response when a rule is triggered.
  • QRadar Vulnerability Management: Built-in vulnerability scanner or leverage for other supported scanners to either schedule a scan and/or import the results from a scan. Importing the results enriches the assets profile database to quickly identify assets that have known vulnerabilities.
  • X-Force Threat Intelligence: Threat intelligence IP reputation feed which leverages a series of international data centers to collect tens of thousands of malware samples, to analyze web pages and URLs, and to run analysis to categorize potentially malicious IP addresses and URLs.
  • App Exchange: Many vendors have written apps to enhance QRadar. The apps are free and enhance your SIEM experience by adding rules and custom event properties and, in some cases, a new tab. You will need to have purchased the third-party solution. For example, if you have Palo Alto or Blue Coat, there's a free app for better integration.

What needs improvement?

Some UI enhancements would be nice, such as exporting custom event properties and the ability to export rules.

For how long have I used the solution?

More than five years.

What do I think about the stability of the solution?

We did not encounter any issues with stability.

What do I think about the scalability of the solution?

We did not encounter any issues with scalability.

How are customer service and technical support?

The technical support is very good.

Which solution did I use previously and why did I switch?

We had limited experience with RSA enVision, LogRhythm, and HPE ArcSight. QRadar is much easier and takes less time to implement and maintain.

How was the initial setup?

The initial setup was straightforward.

What's my experience with pricing, setup cost, and licensing?

Go through a vulnerability assessment review for price breaks. A virtualized solution will also cut down on cost.

Which other solutions did I evaluate?

We did not evaluate any other options.

What other advice do I have?

Every SIEM tool has a certain degree of complexity, especially where use cases and rules are concerned. I advise using Professional Services so your SIEM is configured by trained professionals.

Disclosure: My company has a business relationship with this vendor other than being a customer: We are a business partner of IBM.
GM
Solution Architect with 201-500 employees
User
Improved our organization's total cost of ownership

What is our primary use case?

  • Users' behavior analytics
  • Monitor leakage for data
  • Payment card industry compliance
  • Integration with end points management system
  • Integration with Incident Response and Ticketing System

How has it helped my organization?

  • Easy to deploy
  • Time to value
  • Total cost of ownership (TCO)
  • Deployment options for on-premise
  • SaaS
  • Hybrid

What is most valuable?

  • X-Force feed
  • Watson for cyber security
  • App Exchange
  • Scalability and licensing model
  • Vulnerability and risk management on network topology

What needs improvement?

Needs to be improved:

  • Graphical User Interface (GUI) 
  • Multi-tenancy and domain(s) segregation.

For how long have I used the solution?

One to three years.
Disclosure: I am a real user, and this review is based on my own experience and opinions.
it_user634836
IT Director at MyEyeDr.
Vendor
It summarizes all the other security products.

How has it helped my organization?

It has improved our ability to research and detect anomalous behavior and activity within our network. It has really helped us in our ability to research active threats. We saw the threats when we implemented it, and we saw that we had all kinds of deficiencies in our network infrastructure that we were unaware of previously.

What is most valuable?

It has the ability to summarize all the other security products and give us a one-stop-shop dashboard.

IBM has added a new UBA (User Behavior Analytics) app to QRadar that uses the cognitive abilities of Watson to detect and prioritize user activity and risks on the network. It analyzes log activity already recorded so it can begin providing insights quickly after installation.

What needs improvement?

I'm anxious to see the Watson integration. We just finished an upgrade of our appliance so that we can be eligible to do the Watson integration. I'm anxious to see how that works.

What do I think about the stability of the solution?

It works well. We've been using it for a year now. It's helped us greatly to cut down on the time it takes to research a problem or to actually find the problem.

What do I think about the scalability of the solution?

In terms of scalability, so far, so good. What we've purchased so far works well with the infrastructure that we have. I know there are options to buy additional components should I need them.

How are customer service and technical support?

We use a business partner for implementation and support. They are always involved with it. They are not IBM.

Which solution did I use previously and why did I switch?

We weren't previously using a different solution. As security becomes more and more important, we added different security components from IBM, with QRadar being the last one. We needed some way to see all the data, all the information, and get it together in one single source of truth.

How was the initial setup?

I was involved as far as picking and approving the solution. I was not involved in the installation.

What other advice do I have?

We try to do everything all at once.

Find the right partner to help you do the implementation.

When picking a vendor, we look for the support, the ease of the installation, and the future of the product.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
ITCS user
IT Security Manager at a tech services company
Real User
Some of the valuable features are QM, QRM, and forensics.

What is most valuable?

Some of the valuable features are QM, QRM, and forensics.

How has it helped my organization?

There are many use cases.

What needs improvement?

I would like to see SOC.

For how long have I used the solution?

We have been using this for three years.

What was my experience with deployment of the solution?

There were no deployment issues.

What do I think about the stability of the solution?

There were no stability issues.

What do I think about the scalability of the solution?

There were no scalability issues.

How are customer service and technical support?

Customer Service:

Customer service is very good.

Technical Support:

Technical support is excellent.

Which solution did I use previously and why did I switch?

We used another solution and we switched due to false positives.

How was the initial setup?

The setup was straightforward and not complex.

What about the implementation team?

We used a partner and vendor team and we have expertise in-house.

What was our ROI?

The ROI is acceptable.

What's my experience with pricing, setup cost, and licensing?

It is a bit more expensive than some other SIEMs, but it is more efficient.

Which other solutions did I evaluate?

We evaluated AlienVault, McAfee, and Splunk.

What other advice do I have?

It is a good solution.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
ITCS user
Vulnerability Manager at a tech services company with 51-200 employees
Reseller
The threat protection network is the most valuable feature

Pros and Cons

  • "The threat protection network is the most valuable feature, because when you get an offense, you can actually trace it back to where it originated from, how it originated, and why."
  • "I would like to see a more user-friendly product."

How has it helped my organization?

Normally, an offense comes in. An offense is something negative; it triggers when certain events don't comply with the rules. To put it plainly, it is something that will have impacted your environment very negatively. Once it comes through, you can then see from the QRadar log sources who or what triggered the offense.

For example, say an IP is browsing somewhere it shouldn't be browsing, and one of your log sources reported it back to QRadar. You can see the IP that browsed certain websites where it shouldn't be browsing. When you right-click and go to the threat protection network, that will normally show you who is browsing, where that IP is coming from, what type of website it is browsing, and if it is good or bad. If it's bad, it will give you recommendations on how to resolve the issue.

What is most valuable?

The threat protection network is the most valuable feature, because when you get an offense, you can actually trace it back to where it originated from, how it originated, and why.

What needs improvement?

I would like to see a more user-friendly product. I would like them to make it more user-friendly. At this stage, you need to use a lot of regular expressions to do your searches.

For how long have I used the solution?

Three to five years.

What do I think about the stability of the solution?

In the first year I used it, there were a few stability problems. In the previous three years, there haven’t been any major stability issues.

What do I think about the scalability of the solution?

I've seen no scalability issues in any of the environments where I am working at the moment. I've seen how it handles a lot of load. I'm talking about a 5,000-user environment. It can handle a lot of logs and events coming through simultaneously.

If you spec it properly, with the proper hardware requirements, then it doesn’t crash. I've seen how people give it way less specs than it should have, then it does crash. But that was the fault on the users’ side, and not the fault of the product.

How is customer service and technical support?

I would give technical support a rating of an eight out of 10. When they help you with a call for a problem with the product, which I've had twice, the next day, they roll out an update worldwide for all their products to be patched on that problem.

They lose too much time, in my opinion. Normally, you struggle a bit to get a hold of them and get to the correct person to assist you. Even though this isn't a very big delay, it usually takes about an hour. However, in my company, an hour can make a very big difference in my life. For example, it will take me about an hour to an hour and a half to get support from them. I'm a person who loves to get it done now. So if you don't mind waiting about an hour, then it can be very good support. When you log a call with IBM, it takes them about an hour to start working on the problem.

How was the initial setup?

The setup was very straightforward. It's basically, "next, next, type in machine details and next”, then you are finished.

What's my experience with pricing, setup cost, and licensing?

IBM's QRadar is not for small companies. Unfortunately, it would be 'overkill', to put it plainly. The pricing would be too much.

Which other solutions did I evaluate?

I wasn't completely part of the whole process when they chose a product. I know they evaluated AlienVault, which unfortunately, I do not have any experience with, nor was I part of the whole process. I'm not able to provide pointers as to why the company chose IBM QRadar. I believe it's because we are a partner with them.

What other advice do I have?

Just spec it correctly and it will do its job for you. It has an active community. IBM patches the product regularly when problems are picked up. I haven’t heard about a lot of problems from other people using the product.

Disclosure: My company has a business relationship with this vendor other than being a customer: We are a Partner.
it_user575124
Sr. Security Engineer at a tech services company with 11-50 employees
Consultant
We use it to create use cases and review offenses. One of the valuable features is its correlation engine.

What is most valuable?

  • User-friendly
  • Easy to deploy
  • Easy to create use cases
  • Easy to review an offense
  • Its correlation engine is one of the best

How has it helped my organization?

I usually work on the deployment and fine-tuning of this product. However, I have some operational experience as well. For instance, you can simply audit all the IT equipment in your environment, such as the firewall, the IPS, and the Active Directory (AD) server.

What needs improvement?

It should have built-in blocking capability.

For how long have I used the solution?

I have used this solution for four years.

What do I think about the stability of the solution?

On a scale of 100, it is 95% stable.

What do I think about the scalability of the solution?

I did experience some scalability issues in one organization.

How are customer service and technical support?

The technical support is excellent.

Which solution did I use previously and why did I switch?

We were not using any other solution previously. This was my first solution. I am still working on it. I also have experience with McAfee Nitro and LogRhythm.

How was the initial setup?

The setup was straightforward.

What's my experience with pricing, setup cost, and licensing?

The pricing will definitely vary according to your EPS, but it is worth spending money on this product.

Which other solutions did I evaluate?

We looked at other solutions, such as McAfee Nitro and LogRhythm.

What other advice do I have?

Work on sizing as much as you can so you can avoid any issues after deployment. You should also fulfill hardware requirements for this product. Otherwise, you will not get its full functionality.

Disclosure: My company has a business relationship with this vendor other than being a customer: I am a vendor.
ITCS user
IT Manager at a comms service provider with 1,001-5,000 employees
Real User
Contextual and threat-based incident management.

What is most valuable?

  • Paradigm shift, security intelligence 2.0
  • Contextual-based incident management
  • Threat-based incident management
  • A single management console to handle all the data
  • Ease of use
  • Existing integration capabilities
  • Out-of-the-box reports
  • Parser development

How has it helped my organization?

It has helped us in the reduction of VPN frauds via the active monitoring of various frauds.

What needs improvement?

  • There is a scope of improvement in the orchestration layer, such as the SecOps from RSA. RSA Security Analytics bundles their offering with their SecOps (a subset of Archer - Risk Governance tool). This gives them a competitive edge.
  • The reporting and dashboard capabilities require a bit of improvement in terms of fine tuning and bifurcation for the technical and management reports.

For how long have I used the solution?

I have used this solution for four years.

What do I think about the stability of the solution?

There were no stability issues.

How is customer service and technical support?

I would give technical support a rating of 9/10.

How was the initial setup?

The setup was straightforward and the deployment was easy.

What's my experience with pricing, setup cost, and licensing?

The pricing policy is a bit on the higher side. IBM offers discounts when applicable.

Which other solutions did I evaluate?

We looked at other solutions such as RSA enVision and HPE ArcSight.

What other advice do I have?

Trust it, test it, and deploy it.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
it_user632760
Lead Developer
Vendor
Based on the analysis, we can easily identify from where the threat is originating.

What is most valuable?

The most valuable features of this solution are analyzing who is saying what and in case of a threat, we can easily identify from where the threat is originating, based on the analysis.

How has it helped my organization?

We have implemented this QRadar solution to identify the data, whether it is being used at various parties including our trading partners, i.e., both the internal as well as external partners. Thus, by using this product, we can also come to the conclusion as to how the data is being applied best and we can decide what to link, i.e., if we need any infrastructure improvements and so on.

What do I think about the stability of the solution?

I am not currently responsible for this product. However, I did not hear any complaints from the other people in terms of its stability.

What do I think about the scalability of the solution?

We are not directly managing this product. I am from the integration team and the QRadar solution is mostly used by our information security.

Which solution did I use previously and why did I switch?

Initially, we were using another IBM product. With QRadar, we are getting better outputs such as the reports and other outputs.

The reason why we chose IBM is because we are using so many products from IBM today.

In general, the most important criteria that we look for while selecting a vendor are that there should be other proven solutions offered by the vendor and they need to be a type of investigator since we belong to a specific healthcare industry. So, we are very careful when we are choosing a vendor.

How was the initial setup?

We were involved in the setup in terms of sending the information back and forth to QRadar. Other than that, I did not take part in the installation.

What other advice do I have?

Definitely invest in the QRadar solution.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
it_user643884
Senior System Administrator at a tech services company with 11-50 employees
Consultant
Offers device auto-discovery, along with rules and reports already created.

How has it helped my organization?

I have implemented QRadar in a big airline company, where they needed to get all their security information in one place. It helped in reducing the amount of time that was needed to evaluate the risk of every event. Configuring the alerts has never been easier; you just search for the event you think you need and start creating the rules that way. It is really straightforward and you don't need much IT knowledge for it. Of course, your experience with the product and a generalist view of the infrastructure, business and IT are strongly recommended, when using a tool similar to this.

What is most valuable?

In my understanding, the best features are:

  • DSMs (Device Support Modules),
  • Device auto-discovery, and
  • Hundreds of rules and reports already created for you to mix up.

These features are keeping QRadar on top in Gartner. You can have it running in a few hours, then start collecting your logs and events in no time.

What do I think about the stability of the solution?

We never experienced any stability issues. The only problem that I had was related to the hardware and the high availability worked as expected.

Something to take into account is the IBM support; they really know their business and how to fix problems. I had the opportunity to talk with L2 Managers in the US, who told me that IBM is investing in research, documentation and training for all the people working with it. This is a very interesting thing to have in mind, when choosing this platform.

What do I think about the scalability of the solution?

We never experienced any scalability issues. If you correctly estimate the amount of EPS (the license variable), then scalability is not a problem. They can run in a really big environment (100,000 EPS tested in production) and all the infrastructure will work as a charm.

How are customer service and technical support?

The technical support is excellent. As I've mentioned, they know their business and have a really good team behind them.

Which solution did I use previously and why did I switch?

I had the opportunity to use other SIEM solutions, but no one can provide what QRadar does, i.e., in terms of its simplicity, support or integration.

How was the initial setup?

The setup was really straightforward. You simply need to put your ISO image in the hypervisor, follow the on-screen instructions and you have it running in one hour.

What's my experience with pricing, setup cost, and licensing?

The pricing and licensing policies are really competitive. These solutions are not for a really small business, but having just one license variable is really good. You simply tell the partner or sales representative the number of EPS you want to receive in your appliance and that's it. Other solutions have a 'correlation' license, which is more like a trap than anything else.

Which other solutions did I evaluate?

I have tested Splunk and used a little bit of NitroSecurity (McAfee). I have also seen a little bit of HPE ArcSight.

What other advice do I have?

You should ask the sales representative to give you the Excel sheet to calculate EPS. Keep in mind that the firewalls, proxies and networking devices such as those will consume lots of EPS, but they do provide really nice information and insight from your network.

On Gartner, this is one of the top 10 SIEM solutions in the market. It is robust and IBM is investing a lot of money to get it running even better than it is running right now. You feel secure when you use it.

This solution is being implemented around the world and every day, a new feature or add-on is created for it.

Disclosure: My company has a business relationship with this vendor other than being a customer: We are business partners and have a really good relationship with IBM.
it_user632703
Senior security analyst at a financial services firm with 1,001-5,000 employees
Vendor
Provides custom parsers. I'd like to see more integration with other security products, especially bidirectional.

How has it helped my organization?

I think it has improved our organization by the speed at which I can run queries compared to other software that I've used in the past. It's a lot quicker and holds a lot more information. It helps keep a good cognitive overview of our environment from a security standpoint.

What is most valuable?

Some of the most valuable things that I get from QRadar are the custom parsers. A lot of the syslog items I get pushed to QRadar, instead of trying to build a custom parser to parse out the information that we need in order to do our investigations or to review that data. There's a ton of already defined ones in the application.

Plus, when you build rules, it's a really good user experience. It's like plug-and-play rules to flow out what you want, for whether what you want to look at has a certain level of severity or if you want real-time alerting on something that's happening right away in your environment that you want to investigate.

What needs improvement?

I'd like to see it being able to be integrated with more security products. I'm a big Guardian user; it's nice for the bidirectional. I can do some stuff, like a SQL injection, or if something is happening.

But if there were other security tools that it could better integrate with, like to go both ways; say it knows that a user is having heavy traffic, maybe it integrates with DOP to look at different sessions that they're doing. Something like that; like backwards compared to DOP, like reporting to it.

It's really good, but there's room for improvement; some more bidirectional integration with different security applications, especially some of the IBM Security ones like BigFix or something like that.

What do I think about the stability of the solution?

We haven't encountered any issues with stability.

What do I think about the scalability of the solution?

We can scale it as big or as large as we want in our environment just by adding multiple sources. It's just, from a licensing standpoint, you hit a certain mark. You want to make sure you either ignore some of that, or you just have to get more licenses.

How are customer service and technical support?

I've opened PMRs before. They're usually pretty responsive. The guys usually have pretty good knowledge, and they'll help you fix your issue pretty fast.

Which solution did I use previously and why did I switch?

It was easy to know we needed a new solution; when you have Symantec's DLP that's really crappy and they end-of-life it, you've got to start looking for other products. That's why we changed.

How was the initial setup?

The setup wasn't too complex. It was pretty straightforward. Basically, it's pretty much out of the box. You don't have to configure it much for your environment. It's built for many different types of companies. Once you start getting in all of your different log sources and using those custom parsers I mentioned, basically you've got to start looking at, What's white noise? What's not white noise? That's really what takes up a lot of your time, as to scaling it for your environment. The setup itself isn't very difficult.

Which other solutions did I evaluate?

We evaluated LogRhythm. LogRhythm is a really good product. It's close to QRadar, but, as I mentioned, those custom parsers. Also, LogRhythm's a little more difficult to install; we did the PoC for both leading SIEM solutions. Working with other IBM products, plus getting a discount for how much IBM stuff we already buy; it was easier for us to go with the QRadar route.

In general, when I go to work with a vendor, the important criteria I look for are how well they build relationships with you; how well they're willing to help you. Also, what are little things they're willing to do for free? Are they willing to, maybe, teach you how to do something a little bit here and there for free? Little things, give and take, here and there, make a good relationship with a vendor.

What other advice do I have?

Make sure you understand how many log sources you have in your environment. Kind of get an idea of how many per second you're going to be getting. That way, you have a good idea for your licensing model to start out with. In the past, we had a certain set we thought we were going to have, and then we had to upgrade, and then upgrade again, for the license count.

Also, make sure you're doing correct tuning. Otherwise, you're just going to flood your SOC, and they're gonna spend too much time sifting through white noise.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
it_user634800
Security Consultant at Dimension Data
Consultant
The most valuable features are the implementations, the plug-ins, and the UBA.

Pros and Cons

  • "The most valuable features are all the implementations, the plug-ins, and the User Behavior Analytics (UBA)."
  • "Maybe there should be more custom rules in the exchange. Basically, we are using a lot of threat rules, so maybe they'll develop something like that."

How has it helped my organization?

Maybe the best way it helped our organization is that QRadar is well prepared for PoCs. When you are doing PoCs, you just install the solution and you can show it to the customer.

It has great benefits because we don't spend a lot of time setting it up. There are a lot of features that are there out-of-the-box. It's great to do a PoC with customers and to reduce the money spent on the implementations.

What is most valuable?

The most valuable features are all the implementations, the plug-ins, and the User Behavior Analytics (UBA). All that stuff is really cool.

We are using the solution a lot on the customer side. We like the strength of the platform, basically. I know there is no other product like QRadar.

What needs improvement?

We thought about what was missing and it was the analysis of the user behavior. However, with the User Behavior Analytics (UBA), it's much less complicated.

I recently attended a conference presentation on machine learning, and it is a great plug-in to UBA. It will help us a lot because a lot of customers want to analyze their user behavior patterns.

Maybe there should be more custom rules in the exchange. Basically, we are using a lot of threat rules, so maybe they'll develop something like that. It will be better.

I would like to see improvement in the technical support. Sometimes, when we do patching or something like that, it creates some problems. Maybe they could test the patches and the OEM product better.

What do I think about the stability of the solution?

The stability is not bad. We had some problems with patching, but there are problems with all software.

We had the problem when we patched from Version 7.2 to Version 7.2.8. There were some problems with the authentication tokens. It didn’t go so well, but we solved it with the help of technical support and it was very quick. I think that's cool.

Sometimes, we have a problem with support. We are also using QVM (IBM Security QRadar Vulnerability Manager) and I think it is a little bit buggy for now. We have a lot of problems with it. It should be better.

What do I think about the scalability of the solution?

In terms of scalability, there is no doubt about it: It is perfect.

How are customer service and technical support?

The quality of technical support depends on the agent. Sometimes, it's hard to get the person who you need. Sometimes, it's better to create a ticket when the USA is working because I think they can help you better.

Which solution did I use previously and why did I switch?

We had McAfee, but we are ending our use of it. There are only some small implementations that are running with it. We are no longer developing with it. I think in the future, we will switch to QRadar. This is because we don't want to have two separate platforms.

RSA enVision was being used with one of our banking customers. However, we transferred to QRadar last year.

How was the initial setup?

We implemented the solution from scratch with our customers. We have a lot of implementations that they can check.

The setup was very complex. We have integration with a customer service desk and a lot of customization. The best thing is that we can create our own app and adapt it to QRadar.

We attended the IBM master class to help us with an SDK to develop our own apps. Some of our customers are banks and they have a lot of things to do. Sometimes the features they need are not in QRadar, so we have to customize the solution a little bit for them.

Which other solutions did I evaluate?

We have a security department in the Czech Republic. We are basically only implementing IBM security products.

What other advice do I have?

Definitely try it. Do a PoC with a customer. You can get the value for the customer quickly. It's great.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
it_user632781
Cyber Security Manager at an energy/utilities company with 1,001-5,000 employees
Vendor
In general, if you have any botnets or malware, you identify and mitigate it. The biggest challenge is in the upgrade.

What is most valuable?

It gives me insight and visibility, so I can detect a threat coming in and all the offenses are coming in from monitoring one spot.

How has it helped my organization?

We're centralizing all the logs in one location. So, if you have an incident, you can definitely discover it fairly quickly, as it's in one database. In general terms, if you have any botnets or malware, you identify and mitigate it fairly quickly.

What needs improvement?

The biggest challenge is in the upgrade, e.g., when it comes down to a new OS, you have to wipe it clean and reset everything. It takes time when you have 40-50 devices all over the place. It's impossible sometimes to go out and touch every single one of them. So, then, if it's an automatic process, you can upgrade to the new version in just point and click. However, that's not the case right now.

WinCollect is a challenge also, and I'd highly recommend that the Q1 team should build a lot of Windows-based collectors that simply work. Just like the competitor, Splunk, when you put it in, you don't have to do too many modifications. So, that's a challenge right now.

What do I think about the stability of the solution?

The environment is pretty stable. We just upgraded about a year ago, so it's pretty robust in the environment that we have. It's working really well for us; we've been using it for about 10+ years. We bought it before IBM purchased them.

How are customer service and technical support?

We interact with IBM regularly, so we have a direct tie with them. We're almost like a partner, right now, and we are working very well together.

The technical support is pretty good, i.e., if you get the right person in, it moves pretty fast and issues are resolved fairly quickly. But, you just need to find the right person, which can be a little difficult sometimes.

How was the initial setup?

The setup is very complex; it's not like somebody can walk in and build it. It requires many years of experience to manage and maintain it. You need to have at least an experienced and dedicated team, in order to maintain the environment that we have. It's nothing like a click-and-done type; it requires a lot of care and feeding to manage the environment.

What other advice do I have?

It's a very solid product. However, there are a lot of things that can be improved.

Definitely get a team or hire a professional to install this product. Otherwise, I guarantee you're not going to be successful. There is a lot of filtering that needs to be done; otherwise, you are going to get overwhelmed with the events coming in and will have no idea as to what is right and wrong. You definitely want to hire a trained team or some professionals.

The price is the most important criteria when selecting a vendor. Other factors such as the quality of the product, PoC, how well the team interacts and the support, are always important.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
it_user632667
Cyber Security Engineer at a tech services company with 501-1,000 employees
Consultant
Provides a view into our network events and flows from log sources across our enterprise.

What is most valuable?

We have very large, distributed implementations. The best case that we get out of the solution is the rapid insight into security events and offenses in our environment.

How has it helped my organization?

The benefit of the solution is a combined view into all of our network events and flows from many log sources across our enterprise. This provides a single pane of glass in order to review what's going on in our environment.

What needs improvement?

I would like to see more APIs available in order to provide tighter integrations between other IBM products and third-party solutions. I would like to see new cognitive advisors, cognitive capabilities, and more integration capabilities.

What do I think about the stability of the solution?

I find it to be highly stable. It's one of those situations where you need to have high availability. We have a high availability implementation, so we never lose an environment.

What do I think about the scalability of the solution?

Scalability has been very good. If you need to add to the environment at any given time, based on a merger or acquisition, a new office, or a new data center, you can simply forward events from those centers or add additional hardware. You can include it right into your implementation.

What other advice do I have?

I would definitely recommend QRadar to anyone looking for an SIEM solution in their organization. This is especially the case for mid- to large-scale enterprise solutions, compared with the competitors.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
it_user639687
Cybersecurity Expert at a financial services firm with 10,001+ employees
Real User
AQL allows me to extract data directly from the QRadar database.

What is most valuable?

I believe AQL is the most valuable feature. It allows me to extract data from the QRadar database directly using a very flexible language similar to SQL. So, if somebody has SQL experience, it is easy to learn.

How has it helped my organization?

My organization did not have SIEM at all. We had Log Manager only, but it was very slow and user-unfriendly. QRadar allowed us to concentrate two functions in one place: an extremely fast log manager with a very user-friendly web UI and the ability to correlate events from many different sources. Thanks to that, the efficiency of the security team has increased.

What needs improvement?

I think Risk Manager (one of the optional QRadar modules) is something that needs improvement.

For how long have I used the solution?

I have been using QRadar for three years.

What do I think about the stability of the solution?

Sometimes, after a new release, we had issues with stability or some bug showed up. It is strongly recommended to have a DEV or UAT environment to test the release before going into production.

What do I think about the scalability of the solution?

We have not really had scalability issues.

How are customer service and technical support?

Technical support is at an acceptable level, but sometimes a case is stuck on L1 too long.

Which solution did I use previously and why did I switch?

We did not previously use a different solution.

How was the initial setup?

Initial setup was straightforward, but as with all SIEMs, out-of-the-box configuration presents minimal value from a security standpoint. Furthermore, good analysis on where to put collectors is essential, especially when it comes to QFlows.

What's my experience with pricing, setup cost, and licensing?

Put in some effort to evaluate what license (EPS) you need for which collector before making an order. It is worth hiring a professional to do it for you (somebody who has experience with QRadar sizing).

Which other solutions did I evaluate?

We evaluated HPE ArcSight.

What other advice do I have?

Don't forget to hire the right people. They are expensive, but it is far more cost-effective to pay them now than to try to integrate SIEM without professional knowledge and break it (it is especially important in the architecture and integration phase). Because then you will pay twice and your security monitoring program can be delayed months. In the operation phase, don't forget to invest in training for both analysts and SIEM administrator teams. It is very easy to use this tool the wrong way and then it will give you almost no value.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
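As an added illustration of the SQL-like AQL the reviewer describes (constructed for this page, not taken from the review or from IBM), the queries below use QRadar's standard `events` table, its documented `QIDNAME`, `LOGSOURCENAME`, `DATEFORMAT` and `UTF8` functions, and the trailing time clause (`LAST` / `START ... STOP`). The `ILIKE` pattern and the log source name `fw-edge-placeholder` are assumptions, not values from the page.

```sql
-- Constructed AQL examples (not from the review). They can be run from
-- Log Activity > Advanced Search or via the /api/ariel/searches REST API.

-- 1. Top talkers: which source IPs generated the most events in the last hour.
--    In AQL the time range is written at the end of the statement.
SELECT sourceip, COUNT(*) AS event_count
FROM events
GROUP BY sourceip
ORDER BY event_count DESC
LIMIT 20
LAST 1 HOURS

-- 2. Failed logins per user and source over the last day, resolving the
--    numeric QID to its human-readable event name. The ILIKE pattern is an
--    assumption about how the relevant DSM names the event; adjust it to the
--    QIDNAME values seen in your own environment.
SELECT username, sourceip, QIDNAME(qid) AS event_name, COUNT(*) AS failures
FROM events
WHERE QIDNAME(qid) ILIKE '%authentication fail%'
GROUP BY username, sourceip, qid
ORDER BY failures DESC
LAST 24 HOURS

-- 3. Raw payload review for a single log source over a fixed window, the
--    kind of look the "white noise" tuning work mentioned by other reviewers
--    requires. 'fw-edge-placeholder' is a constructed log source name.
SELECT DATEFORMAT(starttime, 'yyyy-MM-dd HH:mm:ss') AS ts,
       LOGSOURCENAME(logsourceid) AS log_source,
       UTF8(payload) AS raw_payload
FROM events
WHERE LOGSOURCENAME(logsourceid) = 'fw-edge-placeholder'
START '2021-11-01 00:00' STOP '2021-11-01 01:00'
```

Query 2 is a starting point for a detection, not a finished rule: the threshold that counts as suspicious depends on the log source and should be tuned against a DEV or UAT copy, as the reviewer recommends for releases.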
it_user642180
Director SOC at a tech services company with 51-200 employees
Consultant
Integration with other platforms and the ease of rule making are valuable features.

What is most valuable?

These features make it easy to operate the application:

  • Integration with multiple platforms
  • Ease of rule making
  • Manufacturer support (IBM)

How has it helped my organization?

We use QRadar for application security, generating customized rules of correlation according to the operation of our business. It extends the security of our most critical assets.

What needs improvement?

From my point of view, they should improve the backup procedures. QRadar does not allow sending backups by FTP or SFTP, limiting the tool. I had to make a script but it is a manual process. It would be great to have it automated.

For how long have I used the solution?

I have used it for approximately five years.

What do I think about the stability of the solution?

We did have stability issues. Some errors were generated when applying updates.

What do I think about the scalability of the solution?

We have not needed to scale the solution.

How are customer service and technical support?

It has taken a long time for support to respond to our request regarding AIX.

Which solution did I use previously and why did I switch?

We didn’t have a previous solution. We have always used QRadar.

How was the initial setup?

The initial configuration is simple; the maturation of the application is complex. Not because of the application of QRadar, but because they include many factors, such as the identification of critical assets and how we can secure them, with the application.

What's my experience with pricing, setup cost, and licensing?

QRadar is a very expensive application but it is a good product. My advice is to validate with other correlator solutions and validate which product is right for the organization.

Which other solutions did I evaluate?

We did evaluate other similar products that are good, such as McAfee ESM and HPE ArcSight.

What other advice do I have?

First, identify the most critical assets to be included in SIEM and then the most critical events of my organization. With that, you avoid bringing unnecessary events into SIEM.

It's a very good and versatile correlator.

Disclosure: My company has a business relationship with this vendor other than being a customer: We are a partner.
it_user634860
Cyber Security Engineer
Vendor
The most valuable feature is the ability to get the logs and analyze them.

What is most valuable?

The most valuable feature is the ability to get the logs and analyze them. These logs help us in terms of analyzing and actually using Watson on them. It's a pretty great tool for intelligence. I think it is really a great product.

How has it helped my organization?

To be able to get the logs and analyze them has improved the way my organization functions. You can see where the source destination is coming from. You can actually see the data and pause the dashboard. It actually helps you to analyze the data the way you are supposed to. Nobody else is doing that right now.

What needs improvement?

I don't have any problems with the solution right now. As I play with the tools, then I will actually come up with different ideas.

I was able to help out with IBM Guardium version 10. I was helping out with a couple of developers who actually developed the application itself.

I want to see more integration between QRadar and other applications like BigFix and a couple of other tools and applications out there. There are a lot of applications out there. QRadar security intelligence might be one of the best right now.

What do I think about the stability of the solution?

There were no stability issues with QRadar. We've had a couple of stability issues with all the applications that I run. I don't want to mention names.

How are customer service and technical support?

I’ve used technical support, and they were OK. I used to work for IBM.

How was the initial setup?

I was involved in the initial setup. It was straightforward and not complex.

Which other solutions did I evaluate?

I work as a security engineer for the Department of Justice. We test hundreds of applications. I actually see which ones work best for the infrastructure.

What other advice do I have?

I would suggest QRadar. The security intelligence is one of the best right now.

When looking for a vendor, I want to be able to win them. I want them to accept the fact that I’m looking for a product for what I am doing and I have a couple of requirements.

From there, I can actually tell them what they need to do, or what I need to do, in the environment.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
it_user632664
Information Security Analyst at Allegiance Air
Vendor
The UI is the most valuable feature, and the product is stable.

What is most valuable?

The most valuable feature of this product is the nice UI. It is easy and quick to get the information you're looking for.

How has it helped my organization?

The benefits are that it's easy to navigate the UI and to get the information as quickly as possible. We're able to resolve problems quicker, so that we get to the solution in an easier manner.

What needs improvement?

It would probably be better to get more access to the APIs.

What do I think about the stability of the solution?

The product is very stable. I don't have any issues with stability at all.

What do I think about the scalability of the solution?

Scalability is nice, as well. We have a distributed environment and it's real easy to both manage and upgrade. Anything we need to do, we can do it from the console.

How are customer service and technical support?

On a scale of 1-10, probably seven; I would rate the technical support team a 7/10.

Which solution did I use previously and why did I switch?

We were previously using a different solution that just wasn't getting the job done. It was taking too long to get where we needed to get to.

How was the initial setup?

The setup was very straightforward. The special services team gave us insight and helped out to resolve any issues.

Which other solutions did I evaluate?

QRadar was at the top of our list. We also looked at other solutions such as HPE ArcSight and Splunk. The reason we went with QRadar is because we could bring it on-prem, which made it nice, and we also use other IBM products as well.

In general, when selecting a vendor, support is probably going to be the number one criterion. Then, the second criterion is the availability of the product; the product is not very good if it's not available, it's broken, etc.

What other advice do I have?

Make sure you try them all and then, pick the one that you think would work the best. It's nice to value other people's opinions, but it's better to test all the products and choose what you think would be best, for whatever your need is.

It's very easy and intuitive. It's just a good overall solution, compared to the other ones I've used.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
it_user634899
Global Security Engineering and Operations Director at a wellness & fitness company with 10,001+ employees
Vendor
Correlates data across our global enterprise and integrates third-party solutions.

What is most valuable?

  • The ability to correlate data across our global enterprise in near real time
  • The ability to integrate a lot of third-party solutions
  • The machine learning pieces with Watson, indicators of compromise, and utilizing that across the value stream

I look at the solution as the best-of-the-breed product. The fact that it can work with what everybody else is doing in the cyber landscape is really what gives it the edge.

How has it helped my organization?

The solution has improved the efficiency of our security team. These improvements prevent the need for more proactive security activities.

The improvements did not reduce our staff. It's funny, because IBM keeps on having this conversation about staff headcount. It probably sounds good to senior leadership, like to a CIO. The reality is that nobody's looking to decrease the number of staff who they are hiring.

We're looking at refocusing those resources and energy on being able to do additional, higher-value activities. It's more of the case that I don't need as many junior resources. I can focus on some of the things that are a little bit more important.

Our equipment collects billions of pieces of data. We're 100,000-plus EPS per second. The daily list of required investigations for the offenses is manageable.

We've had incidents in our environment. How long it takes QRadar to detect them is always a function of the rules being correlated, the people watching them, and pieces of that nature. I'd say it's in real time. The question is, when it comes to tuning, we want to know if it was tuned appropriately, so it's not lost in the pile of needles.

What needs improvement?

Room for improvement is more in relation to a lot of the features, the automation of incidents themselves, and being able to automate workflow responses.

Overall, I love the product. IBM usually puts good resources and talent behind things. What they fail to do is to bring all the security together and make sure everything inter-operates and creates one pane of glass.

Actually, I don’t want to say "one pane of glass" because we have seen other vendors do that. They fail miserably because they do not understand where people are coming from.

In terms of some of the right-click functionality that is within QRadar, it should work automatically for all the other IBM products. It shouldn't be something that customers develop. There are pieces in which they have to step back and get some of the foundational pieces.

There are pieces that I feel that IBM should do better. They own Guardium, they own AppScan, and they own some of these other pieces of the security infrastructure that need to relate to QRadar or to Watson. It's the foundational pieces that I feel they need some focus on.

Let's do some of the basics really well. I'm looking at it from owning 50 or 60 different security products across a global organization.

They keep on adding products based on a simple feature set that they can do real well, but they can't integrate them into the rest of the security economy. It doesn't make sense to keep on buying products like that. Whether it's IBM or others, there are companies in the endpoint space that are taking over because they're saying, "Hey, we're going to do everything across your gamut of security needs."

IBM needs to look at that and how they are going to integrate across all of the security products and have them work together.

For how long have I used the solution?

We have been using this solution for four years.

What do I think about the stability of the solution?

The stability is good.

What do I think about the scalability of the solution?

The scalability is great.

How are customer service and technical support?

We don't really use technical support. We're part of some of the engineering and development behind it and we work with a lot of the backend engineers.

Once in a while, we may put something in PMR but most of the time, we are working with the engineers themselves to figure out a solution. They are not really tech support issues.

Which solution did I use previously and why did I switch?

We have used other solutions, but that was years ago. We've had QRadar for four years. Before that, it was the Symantec solution. The landscape for SIEM has changed progressively over the years.

You're not even talking about the same set of requirements around those things. We just needed to upgrade. We needed the speed, the flexibility, and we needed the correlation building block pieces of it.

How was the initial setup?

I was involved in the initial setup. We are an advanced user of QRadar. While the initial setup was not hard for us, it is a lot more complex where we are right now. It works with integrating some of other IBM products into QRadar, and there's work that needs to be done there to make it seamless.

We were able to be operational in a matter of weeks or months, which is not a long time.

What other advice do I have?

When picking a vendor, the most important thing is partnership.

I honestly have nothing but good things to say about the IBM relationship that we have related to QRadar.

Partnership is going to be important. Having the right skillset from an engineering standpoint is important to ensure that you don't set up things backwards. You have a high probability of doing it. This is one of those pieces where IBM doesn't “dummify” the solution for you.

On one side for my senior engineers, they don't want it “dummified” because they need to do it. On the other side of it, there are some aspects that don’t need to be this complex.

For the SMB market, those are some of the areas where I counsel people and say they need to get these types of solutions and do these types of processes. Selling something like QRadar to them becomes a little bit more of a burden because of that complexity. It's like a compliance check mark.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
it_user634782
Security Analyst at a government with 10,001+ employees
Vendor
For vulnerabilities, you see a popup on the screen. We do not have to look for it. It is pushed to us.

What is most valuable?

It's easy for us to see what's happening in the environment. It's very good to see the logs and the analytic stuff.

How has it helped my organization?

We can see the vulnerabilities much easier with the product. You see a popup on the screen. We do not have to look for it. It is pushed to us.

What needs improvement?

It is very expensive; very expensive.

What do I think about the stability of the solution?

The solution is very stable.

What do I think about the scalability of the solution?

I think it is scalable.

How are customer service and technical support?

We have used technical support. They are very good and very nice.

Which other solutions did I evaluate?

We didn't evaluate any alternatives. We have yearly talks with the IBM consulting team. We look at the trends.

What other advice do I have?

When choosing a vendor, we look for a stable and trustworthy company. I think QRadar is the best solution you can get.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
it_user632775
Sr. Security Architect at American Airlines
Vendor
If we feel that there is anything going on in the application, it collects the logs, we monitor them, and we get alerts. I would like proper integration with the cloud, not only the IBM cloud.

What is most valuable?

We are using it for monitoring different systems, and we are monitoring the logs with QRadar. This is one of the good tools which we have identified, and we are using it for monitoring the application.

How has it helped my organization?

Any issues regarding monitoring, if we feel that there is anything going on in the application, QRadar collects the logs, we monitor those logs, and we get alerts for those logs.

What needs improvement?

Reporting should be very good, and a proper integration with cloud, not only the IBM cloud, but with other clouds also.

What do I think about the stability of the solution?

The stability is good. I never got a complaint, but sometimes we have difficulty in configuring new applications. Since it is going into the cloud, we have a big challenge in how we are going to monitor those applications which are sitting in Bluemix.

What do I think about the scalability of the solution?

The scalability is good. We have been using and increasing the applications most of the time.

How are customer service and technical support?

I think my team has used technical support. They are responsive, I can say it is 8-9/10.

Which solution did I use previously and why did I switch?

We were using a different solution, and we moved to QRadar. It has some more benefits than our previous solution. We have totally transferred to QRadar now.

How was the initial setup?

I was not involved in the initial setup.

Which other solutions did I evaluate?

We have evaluated only the large vendors. As we have a long-standing relationship with IBM, that's why we moved to QRadar. I don't know which other vendors were on the shortlist for evaluation.

What other advice do I have?

If you have the budget, go for QRadar. It depends on the company size. It's expensive.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
it_user641277
Information Security Analyst at a transportation company with 5,001-10,000 employees
Vendor
The pre-canned rules and reports are a plus. They have new apps to integrate different tools into the dashboard.

Pros and Cons

  • "The pre-canned rules and reports in this product are a huge plus."
  • "QVM is another instance where they need to revise the vulnerability scoring and the proper remediation details."

How has it helped my organization?

Most of the time, a well-defined rule helps us to detect and investigate different threat scenarios, especially with the QRadar Vulnerability Manager (QVM) and the asset model. It also gives us a historical correlation of who has been using the box, over that time period.

What is most valuable?

The pre-canned rules and reports in this product are a huge plus. Along with this, they have new apps to integrate different tools into QRadar’s dashboard. These features are most important, since it provides a single pane for viewing and researching the offenses, thus, saving a lot of time and resolving the complexity of the issues.

What needs improvement?

This product has room for improvement in a lot of areas including the default emailing template that it uses to alert on offenses.

It also needs a lot of work in terms of the flows and the log source parsing. A lot of the time, it is very difficult to add a new/uncommon log source to this tool, as we need to map a lot of fields, rather than simply extracting these from the payload.

QVM is another instance where they need to revise the vulnerability scoring and the proper remediation details.

IBM QRadar is a wonderful product, until they release some patches and that breaks something else. There are many advancements that need to be done in terms of DSMs, when it comes to parsing.

What do I think about the stability of the solution?

We did encounter stability issues as IBM’s patches are not stable at all. Every time they release a new patch, it breaks certain components immediately and the worst part is, it breaks certain components over a period of 90 days.

What do I think about the scalability of the solution?

Apart from the pricing issues, scaling of the product with the infrastructure is pretty easy and convenient.

How are customer service and technical support?

Most of the technical support is provided by their L2 support level technicians and I would give them a 7/10 rating.

Which solution did I use previously and why did I switch?

We have only been using this solution. We have not used any other solutions.

How was the initial setup?

Setting up the equipment and installing it across the network is pretty easy. It is similar to installing a Linux server.

What's my experience with pricing, setup cost, and licensing?

Most of the time, it is easier and cheaper to buy a new product or the QRadar box. For example, with the QRadar Event Collector 1605, as and when you need to expand your EPS and the number of log sources, it’s much cheaper, and the boxes usually ship with the default 1000 EPS and 750 log source limit. They have another advantage, i.e., the storage.

Which other solutions did I evaluate?

We chose this product based on the Gartner Magic Quadrant review. I had gone through a few PoCs and chose this tool, as it is foolproof.

What other advice do I have?

Evaluate your network first. Determine the target audience that you will be monitoring and working on this tool.

It is important to note whether your organization is looking for a compliance-based check mark practice (defensive security), or active threat monitoring and out-of-the-box security posture.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
it_user640416
Assistant Manager-Information Security at a transportation company with 1,001-5,000 employees
Vendor
Integrates with other applications and systems.

What is most valuable?

SIEM technology is the most valuable feature of this solution, as it can be integrated with almost every application and system. If not, then you may ask IBM to write a parser for it.

How has it helped my organization?

You have the visibility of different events, thus we can resolve the issue.

What needs improvement?

They should provide more integration with more devices.

For how long have I used the solution?

I have been using this solution for three years.

How is customer service and technical support?

I would give the technical support an 8/10 rating. They are excellent.

How was the initial setup?

The setup was straightforward.

What's my experience with pricing, setup cost, and licensing?

The pricing policy is good.

Which other solutions did I evaluate?

We looked at another solution, NitroSecurity Inc.

What other advice do I have?

If you have a good budget, then go for IBM QRadar.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
it_user634842
Senior Manager at a pharma/biotech company with 1,001-5,000 employees
Vendor
It has a predefined set of templates. In order to secure patient data, they may have to incorporate certain legislation / regulations.

What is most valuable?

Its technology is quite new and it has a predefined set of templates that can be readily used for our business, so we don't have to innovate much. These are some unique features about this tool.

How has it helped my organization?

Security: We do have cloud services. It's very difficult to control cloud vendors, when it is for security. But this tool conducts an independent audit and makes sure that security, identity and governance are in check every time.

What needs improvement?

This tool is more suited for the technical industries or it's more specific for technical security. However, now since new laws are coming out such as the GDP in Europe and the biometric laws, in order to secure patient data, IBM may have to innovate more and incorporate certain legislation / regulations into their tool. It should be readily available to the pharma companies, so that they don't need to struggle to make more templates and thus don't have to tailor it to our needs. It should be a custom off-the-shelf solution, i.e., COTS. So, they're looking for more innovations in that area.

What do I think about the stability of the solution?

We're just the early adopters of this tool for now. We are in the pharma industry, so we have started doing pilots across different functions in the organization. It will take us around one or two years to come to a conclusion in regards to the stability of this solution.

What do I think about the scalability of the solution?

It is a little bit too premature for me to comment on scalability, but it is quite good, because they have already identified 10-11 projects that we'll be using with this tool. So, we don't think scalability is going to be an issue.

How are customer service and technical support?

We do use technical support. We are IBM customers and IBM controls our infrastructure for the company. We do use their technical and business analysts. They were very helpful and knowledgeable. They are prepared for the pharma industry. That is very important for us.

Which solution did I use previously and why did I switch?

We were not previously using a different solution. IBM approached us with best practices and they conducted a survey. They control our infrastructure and security; they advised us in regards to the product. After a series of discussions, our management decided to go ahead with certain pilots, so as to see the efficiency and then finally decided on this solution.

Which other solutions did I evaluate?

We are a grounded manufacturing and pharma organization, thus we are looking for vendors with proven skill sets in that arena. We are bound by more regulations than any other industry, so we look for certain certifications that the vendor should have. They should be compliant with the USFDA guidelines, before we select a vendor. After we start evaluating vendors, it does depend on the versatility and the scalability of the solutions.

Currently, there are a couple of vendors in the shortlist. After we complete our pilot, we will be choosing one single vendor. We are a SAP shop for ERP, so we did have some discussions about the interoperability within IBM and SAP. I think both of them are good partners in that area. At this point, we are not looking for any other vendors.

What other advice do I have?

The solution seems to be very promising on paper, i.e., in theory, some things look good but practically, after we apply the solution in the next one or two years, we'll come to know more.

You should first conduct an assessment from IBM and the system should follow the selection of the tool. You should not just go by what you want, but instead by what you need. Most of the companies don't know what they need in terms of the security.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
it_user634830
Group CIO at a tech services company with 501-1,000 employees
Consultant
Provides visibility in terms of the threat surface and proactively looks at mitigation measurements.

How has it helped my organization?

It gives us more visibility in terms of the threat surface and to proactively look at mitigation measurements, in terms of managing our risks. As our side business is increasing, it gives us a better way to handle things.

What is most valuable?

We are using this SIEM solution, which is pretty good in terms of detecting threats and managing the intelligence for us.

What needs improvement?

In the next release, I obviously would want to see more integration to the cloud-based services such as Microsoft Azure and the other line of business applications, so that we have a comprehensive view on a hybrid cloud stack.

What do I think about the stability of the solution?

The stability of this product is pretty good. It's helping us a lot and they keep on adding new features. Thus, as a platform, it's quite stable.

What do I think about the scalability of the solution?

Scalability is good because it is a cloud-based offering and a managed services offering solution. The scalability is left for IBM to manage, so it's not a headache for us to manage.

How is customer service and technical support?

We have used the technical support on and off. Since it's on a 24/7 SLA, it gets managed well. It is pretty good. On a scale of 1-10, I would give it an eight.

How was the initial setup?

The setup was a bit complex. But as a project team, we pulled it through. It was complex because you need to understand the product and they need to understand our business requirements, as all of this is in the setup. So, it's not a straightforward payoff by just putting us off way there.

Which other solutions did I evaluate?

The SIEM solutions list we looked from included IBM, Cisco and Check Point.

The most important criteria while selecting a vendor are that it is a future-proof and tabulating solution. Also, the other factors involved are being a global leader and getting us up there as well.

The primary reason as to why we chose IBM is because we had a significant local presence. Also, QRadar's portfolio and its features on the Gartner's website were pretty much at the top end, i.e., as a leader in the leadership aspect.

What other advice do I have?

This is quite an established solution so, I will have no hesitations in recommending it.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
it_user632763
Senior Security Engineer at a consumer goods company with 1,001-5,000 employees
Vendor
It helps our incident handlers find incidents within our environment and track down new threats.

What is most valuable?

The most valuable features are its ease of use and that it provides good return on investments. It's the best solution out there, in my opinion.

How has it helped my organization?

It brings down the time for our incident handlers to find incidents within our environment, to track down new threats and to keep them gainfully employed, by finding the new problems that we see.

What needs improvement?

I'm not really sure in regards to any additional features, because everything I've seen on the roadmap looks good. So, I'm pretty happy with that.

There is always scope for improvement. The QRadar WinCollect feature needs to be improved. The Windows Log collection is sort of problematic and needs to work better.

A little bit more improvement needs to be brought about in the Watson integration and I still need to see how that works. A little more improvement can be brought about in the User Behavior Analytics and Network Analytics. That would be great.

What do I think about the stability of the solution?

We've had no issues with its stability or scalability.

How is customer service and technical support?

The technical support is very good. After the Q1 Labs integration into IBM, they kept the same people. I'm a long-time user and I keep talking to the same people year after year.

What's my experience with pricing, setup cost, and licensing?

It's worth the cost. There are a lot of other options out there that are way more expensive, and that may be better in certain areas, but in my opinion, the overall best solution is QRadar.

What other advice do I have?

First, make sure that it's sized right and read all the manuals, before you do it.

Interoperability with other products is what I look for in a vendor. An open API is the big thing. I want to be able to make sure that if I buy something, it will be able to talk with other products. I won't need to keep going down the same path, i.e., if I buy company X, I have to buy company X products all the way; otherwise, they won't talk to each other. Being able to talk with other products really makes a difference.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
it_user634848
Security Operation Manager at a transportation company with 10,001+ employees
Vendor
Provides user behavior analytics.

What is most valuable?

  • User behavior analytics.
  • Alert features on any suspicious activities.
  • It contributes a lot of knowledge towards your network environment.

How has it helped my organization?

You can add value once you connect a lot of syslogs of a lot of applications to the actual SIEM product. It pretty much does the monitoring of our network, so just having the tool secures the environment itself.

What needs improvement?

I don't have any particular suggestions at the moment, but giving the ability to their business users to leverage the functionality well is important. Right now, the way we use it internally is mainly just for our security team, but other products, like Splunk, for instance, do monitoring on not only the network but also monitoring of system performance.

Server performance is important, whether or not the application is up or down or things of that nature.

What do I think about the stability of the solution?

The product is very stable.

What do I think about the scalability of the solution?

The product is very scalable.

How is customer service and technical support?

Technical support is good. It's not great, it's good. When you leverage the tier 1 folks just to do some troubleshooting, it takes a bit of time to transition a case over. They could improve that turnaround time, especially when the first level guy doesn't know exactly what's going on or doesn't know the answers to the questions.

How was the initial setup?

I wasn't directly involved in the initial implementation. I wouldn't say it's complex, but I mean just by enabling different data sources, you can go crazy with it and enabling them all in one shot is just too much.

Taking your time is probably a better approach so, that way, things operate smoothly and you can fine-tune things as you start seeing the network activity.

What other advice do I have?

Ensure that it's scalable and that you have good customer support. Also, take your time doing the implementation.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
it_user634794
Director of Cyber Security at an insurance company with 10,001+ employees
Vendor
The ability to correlate large amounts of data into rules that provide real-time alerting is valuable.

What is most valuable?

The ability to correlate large amounts of data into rules that provide real-time alerting is the most valuable feature.

How has it helped my organization?

It has provided us with quicker mitigation to threats. We used to do everything manually, so it automated a lot of workflows that in the past, we weren't able to do from an automation perspective.

What needs improvement?

We are still two versions behind, so I don't know specifically what could be improved. I've told all the executives and staff we met at a recent IBM conference that integration with other solutions is important so that we don't have to do a bunch of different things to consider.

What do I think about the stability of the solution?

We are the largest user of QRadar, so the stability is average. There are several vulnerabilities that IBM is working with us on. They don't have a test environment big enough to imitate the stress we put on it. Stability is probably OK for the normal customers, but we break everybody's apps just because of our size.

What do I think about the scalability of the solution?

There are some vulnerabilities that may be further exasperated at our size, so they are trying to fix some of those issues and bring stability, but it's really product issues that don't scale right now.

Which solution did I use previously and why did I switch?

It was functionality which drove us to change. QRadar had better functionality than what we were getting out of the previous solution. Scale was probably also a factor at that time. It was right after IBM bought Q1 Labs, so it was an industry leader along with some others. We did an evaluation and QRadar came out on top.

How was the initial setup?

Initial setup was pretty straightforward. It's a complex solution, but it was straightforward for a large environment.

Which other solutions did I evaluate?

The two big options we evaluated would be IBM and HP. What we understood was that QRadar would be a more simplistic implementation, taking up less time.

What other advice do I have?

Make sure you really understand all the requirements before you implement. I think the group that did this implementation didn't necessarily understand fully what we were going to use it for, so it was maybe designed for smaller things. So, you should really understand the requirements prior to stepping into it. 

If QRadar is going to be a central sort of hub for IBM's security solutions, make sure that the other tools integrate very easily into it. That would probably be the biggest task.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
it_user634773
Senior Security Analyst at The Hartford
Vendor
The organizational value we derive from it is that it helps us track down where we have problems.

What is most valuable?

The most valuable feature for us is probably the intelligence we get out of the product.

How has it helped my organization?

The organizational value we derive from it is that it helps us track down where we have problems.

What needs improvement?

We appreciate ease of use in the product, so I suppose they could bring the cost down. I haven't really thought about possible improvements. They've added a lot of good features to the apps. I'm still exploring those and there are a lot of good features there.

For how long have I used the solution?

I have used the solution for about 15 years.

What do I think about the stability of the solution?

Overall, I'd say the stability is pretty good. I have noticed some issues with the patch and updates recently, especially version 72A. There have been some problems where a patch would come out and a few days later another patch would have to come out to fix issues that weren't encountered, so that's caused some issues for us.

What do I think about the scalability of the solution?

Scalability is good.

How is customer service and technical support?

The initial technical support to call is less than adequate. I usually know more than the level one or level two, again because I've been a customer for 15 years. I worked with the original QRadar guys to help develop their SIEM solutions so I know quite a bit about it. Usually when we call in it's a real problem because we fix most of our own problems.

How was the initial setup?

Fifteen years ago it was very complex because of the linking of different flow collectors. Being processed together, upgrading them was painful. That part has improved greatly as you can just put the update process in the console and push Yes. That's a lot better.

What other advice do I have?

It's a great product. They're obviously an industry leader right now in this field, if you're looking for SIEM, I would recommend it.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
ITCS user
Security Consultant at a tech services company with 11-50 employees
Consultant
It can collect different types of security feeds and correlate them in real-time with your logs.

What is most valuable?

The most valuable features are:

  • Auto update: QRadar will download new logs from the database on the supported security device, so that it will automatically normalize the new log format and you will not need to rewrite all your rules/offenses again.
  • X-Force/TAXII feed: QRadar can collect different types of security feeds and correlate them in real-time with your logs.
  • Search engine: QRadar is like Excel, i.e., you can add rows and filter like your daily office work, without writing any scripts. So level 1 support can also handle these types of jobs.

How has it helped my organization?

You will learn something that you don't know on the user/machine behaviour.

What needs improvement?

The dashboards and reports may need to improve. We need to export the CSV results to create a report by Excel.

For how long have I used the solution?

I have used this solution for three years.

What do I think about the stability of the solution?

It will slow down, when there are too many people doing a search at the same time, but that depends on your hardware and design.

What do I think about the scalability of the solution?

I did not encounter any scalability issues.

How is customer service and technical support?

You may need to allow remote support for them to help you, for troubleshooting the issues.

How was the initial setup?

The setup is complex, i.e., for the first setup. SIEM is not easy so as to enable logs without any performance issues and the deployment advisor is the key for the project.

What's my experience with pricing, setup cost, and licensing?

You only need to worry about the number of events per second and the number of flows per minute. Storage size is not an issue with QRadar.

Which other solutions did I evaluate?

We did evaluate other options. I think Splunk is the second-best option.

What other advice do I have?

If you have an experienced group of security members, then you may not at all need the advisor for the product. If not, then you will have to find the path to build your team, so as to become more knowledgeable.

Disclosure: My company has a business relationship with this vendor other than being a customer: We are business partners.
it_user393954
Application Infrastructure innovation at a financial services firm with 1,001-5,000 employees
Vendor
Using it through IBM's Managed Security Services, they keep us alerted of what events are hitting, and adapting for it. I'd like to see tighter integration with other IBM products.

What is most valuable?

What is valuable is that we're using it through IBM's MSS services, and that they're doing a really good job of keeping us alerted of what events are hitting, and adapting for it.

How has it helped my organization?

It benefits us from a standpoint that we're very immature in our review of how security should be approached, and it's really helped us move up to modern awareness of what's going on on the internet.

What needs improvement?

What I'd like to see, and they're getting there, is more integration; tighter integration with some of the other IBM Security products. They're moving a lot tighter to BigFix. BigFix has a lot of power in it, and MaaS360 also has a lot of power in it. I'd like to see those more tightly integrated.

What do I think about the stability of the solution?

We have not had any stability or scalability issues. We're a little concerned about the latest version and the fact that it cannot be upgraded, that it requires a clean install.

How are customer service and technical support?

We have not really used technical support, because it's a managed service, so we call the SOC and they help us. They are very helpful.

Which solution did I use previously and why did I switch?

We just really sold our CIO and CTO on the fact that we need to do better than we are, where we're at today. We had a lot of virus challenges, like most companies, and malware, so we had to figure out how to reduce that.

How was the initial setup?

I was involved in the initial setup. Well, IBM did it, since it was a managed service. It was pretty straightforward.

Which other solutions did I evaluate?

We looked at numerous other players. We chose IBM because it has a lot of power, and you can grow it as much as and however you want it to.

When I am looking for a vendor, I don't look for a VAR, I look for a partner.

What other advice do I have?

If you're going to implement it, implement it using managed services, because it's too complex of a product to try to do yourself.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
it_user634779
Security Intelligence at a tech services company with 10,001+ employees
MSP
We can build interactive dashboards around it. Mathematical operators currently cannot be used within the reference maps.

What is most valuable?

The most valuable feature that we found, especially this year, was the ability to build apps over it. Basically, the platform has opened up and we can now customize it, as per our needs and requirements. We can build interactive dashboards and other interesting things around it.

How has it helped my organization?

We are using QRadar to solve our business problems and the IT operation requirements. We are fine tuning the processes that are laid from the InfoSec perspective, such as to detect unauthorized changes happening across the IT environment or the business problems, namely the password sharing issues, which are not easy to detect otherwise.

What needs improvement?

In future versions, the various features that we would like to see are pretty much in line with what QRadar is coming up with, like this IBM QRadar UBA version 2.0 or support for STIX/TAXII. Basically, we have similar milestones there.

There are a few technical requirements that we have opened feature requests for, such as some of our complex use cases that need mathematical operators to be used within the reference maps. That's currently not available.

What do I think about the stability of the solution?

There were no stability issues.

What do I think about the scalability of the solution?

There were no scalability issues. With this Event Processor and Data Node concept, I think it is highly scalable.

How is customer service and technical support?

We have been facing a few technical issues and we are working with the technical support and the development team to resolve them.

Sometimes we get a really good response and at times, some of the issues have been floating around for a lot of time. But our IT resources have been assigned for the same and we hope that they should be resolved easily.

How was the initial setup?

I was involved in the setup; it was pretty straightforward. Once you understand the overall architecture, it is pretty much easy to install and work upon.

What other advice do I have?

It should be implemented by the best professionals available within IBM. It is really important to have a clean base installation, so that you can build things on the top of it.

When we are selecting a vendor, first and foremost, we look for the stability of the vendor, and what level of resources they are investing in their research and development. These are a couple of things that we look for while selecting a vendor and of course, the kind of resources we are looking for to get certain engagement and make sure those resources are aligned.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
ITCS user
Security Consultant at a tech services company with 11-50 employees
Consultant
Some of the valuable features are vulnerability management, cognitive security, and risk management.

What is most valuable?

The SIEM features are what sell this product. Lately, it has been heavily expanded with others. For example vulnerability management, risk management, incident forensics, cognitive security, and user behavior analytics.

Basic SIEM features include log management, reporting, and correlations and alerting. All SIEM products started with those.

Modern SIEM solutions are expanded with additional components that I mentioned.

So today, you will rarely see RFP for only SIEM. It will usually include other requirements. To answer this, vendors started adding additional valuable features.

Lately, QRadar also opened their APIs to the development community, in order to confront Splunk, and that resulted in a large number of additional functionalities in the form of add-ons (QRadar apps).

How has it helped my organization?

We are an IBM business partner. In short, this tool helps our clients have visibility into the IT infrastructure, events, and network traffic.

What needs improvement?

Dashboards!!! Dashboards are one of the most frequent complaints I receive from customers. Customers are complaining about the limited set of graphs and the inability to change colors. Although this might seem trivial, a large number of the same complaints probably mean something.

A lot of bugs are reported for dashboard items. Also, I personally have found that it does not work as indicated by the documentation. The same methodology is used to produce different results for similar searches. Also, customers would like to see near real-time data on the dashboard, which is very hard to achieve according to the mentioned problems.

For how long have I used the solution?

I have been using this since 2011, even before the IBM acquisition.

What do I think about the stability of the solution?

We have not had stability issues.

What do I think about the scalability of the solution?

High availability deployments have serious upgrade issues.

How are customer service and technical support?

Support is great, but sometimes they are a little slow.

Which solution did I use previously and why did I switch?

We did not have any previous solution. We have used only QRadar for the last six years. Even at that time, it was a leader in Gartner and has remained so. It is very user friendly.

How was the initial setup?

The initial setup was very easy. Integrating the infrastructure configuration is the biggest problem for any SIEM project.

What's my experience with pricing, setup cost, and licensing?

Licensing was simplified two months ago. I don’t have insight into pricing. But as with any software, the price can probably change depending on your negotiation skills :)

Which other solutions did I evaluate?

We didn’t evaluate other solutions. However, in my career, I saw Splunk, RSA, ArcSight, and AlienVault.

What other advice do I have?

If you are a security officer who wants to protect his job, go for Splunk :) If you are a customer who wants to have an easy tool and save time and resources, definitely go for QRadar.

Disclosure: My company has a business relationship with this vendor other than being a customer: My company is a business partner.
it_user545001
Security Operations Center Manager at a financial services firm with 1,001-5,000 employees
Real User
Search capabilities are sufficient for most tasks. We need to see improved rule based access controls and rule/event tuning.

Pros and Cons

  • "Search capabilities are sufficient for most tasks."
  • "Search capability and indexing still lag behind competitors. We also need to see improved rule based access controls and rule/event tuning."

How has it helped my organization?

Log aggregation and event correlation did not occur in an enterprise fashion before this product. Troubleshooting more complex issues became much simpler with the addition of this product.

What is most valuable?

Search capabilities are sufficient for most tasks, although not as easy to use as some other products.

What needs improvement?

Search capability and indexing still lag behind competitors. We also need to see improved rule based access controls and rule/event tuning.

The search capabilities in QRadar are decent in their ability to be granular but the methodology of search prevents the rapid and easy modification of search parameters as an analyst works through the hunting process.

There are several examples of this. Let’s say you add two or three parameters to your search using various filter methods.

You can quickly change items like the scope of time for your search or the presentation of data, but you cannot quickly change the other parameters such as the IP address you are looking for. So you have a search of 10.0.1.1, the system processes that search, but then you realize you need to search for 10.1.1.2 instead.

You have to delete the old IP and recreate it. At that point the search starts over from the beginning. In a system like Splunk, when using the filters, the query string is written for you and can be easily modified/edited on the fly. While that may still result in a search restarting, the manipulation of that search is faster and more efficient. This is just a single example.

What do I think about the stability of the solution?

I feel that some of the stability issues are attributed to our network. However, too many issues existed with the product and too many more appeared as they tried to fix different issues.

What do I think about the scalability of the solution?

We never scaled the product before we decided to remove it from our network. From all appearances, scalability was not going to be an issue.

How are customer service and technical support?

Technical support was OK at best due to the length of time before resolution.

Which solution did I use previously and why did I switch?

I used ArcSight at a previous company. I would much rather have a correctly scoped and built QRadar to manage. However, as a consumer of ArcSight, it was a very good product.

How was the initial setup?

I was not involved in the initial setup.

What's my experience with pricing, setup cost, and licensing?

Do your due diligence. I found other solutions, with more features at the same cost or less. You don’t have to leave the Gartner Magic Quadrant to beat their price.

Which other solutions did I evaluate?

I did not choose this product.

What other advice do I have?

Evaluate the product based on a full set of requirements and your security analyst workflow. Do not base your decision on the company name or promises of new abilities years down the line.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
it_user610512
Technical Security Specialist at a tech services company with 51-200 employees
Consultant
Provides log management, application monitoring, vulnerability scanning, full packet capture and risk analysis.

What is most valuable?

IBM Security's QRadar Security Intelligence is a multi-feature security monitoring platform that provides log management, SIEM, NetFlow, application monitoring, vulnerability scanning, full packet capture and risk analysis.

The platform is designed to be deployed as an all-in-one appliance, or as discrete components that can be scaled horizontally for distributed and larger environments.

How has it helped my organization?

The SIEM solution is considered a monitoring tool for the network, but you can set routing rules and special actions for certain events.

What needs improvement?

  • The vulnerability scanner is not accurate. It needs more vulnerability signature updates or more regulation templates to be added on.
  • We urgently need to add more report templates.

Maybe the improvements could be achieved by adding some modules like IPS, IDS and a next-generation firewall that is able to start from monitoring and processing the events, then take actions based not only on signatures but on smart, intelligent monitoring, which would make QRadar a full SIEM security solution.

For how long have I used the solution?

I have been using the solution for three years.

What do I think about the stability of the solution?

I didn't find any issues with stability of the product.

What do I think about the scalability of the solution?

The scalability of this product is very flexible because of the way it handles events that exceed the license threshold: they go into a queue that stores up to 5 GB of data and deals with the events in a first-in, first-out (FIFO) manner.

How are customer service and technical support?

I would rate the technical support as 9/10 for solving issues and 5/10 for responses.

Which solution did I use previously and why did I switch?

I didn't previously use another product but I deal with some accounts that used to use other vendors, and they were facing many issues in performance and slowness in processing events.

How was the initial setup?

The initial setup is very easy, just like when you install an operating system, and then you do the configuration needed for your environment.

Disclosure: My company has a business relationship with this vendor other than being a customer: Prosoft is an IBM VAD (value added distributor) in Egypt.
it_user631671
Information Security Analyst at a media company with 1,001-5,000 employees
Vendor
It takes log files from different viewpoints and puts them together in one place. I would like to see better support.

What is most valuable?

The most valuable feature is the co-ordination of the data it has, such as getting all sorts of log files from different viewpoints and putting it together in one place, so that the incident responders can get all the data they need to see the bigger picture.

How has it helped my organization?

We get more insights into the company's assets and vulnerabilities.

What needs improvement?

It is hard to tell which areas have room for improvement because we always think of new features and pass them to IBM, which they include in the next patch.

We recently went to an IBM conference to look into the Watson feature and see what they could do for us.

I would like to see better support. Their support is good, but I would say, they could do better.

What do I think about the stability of the solution?

For us, it's kind of wonky because we always try to be bleeding edge and always try to do updates. So, we're always pushing the system to its limit. It's pretty stable, but we always have open issues with it, with IBM.

What do I think about the scalability of the solution?

The scaling was done pretty well with IBM and the architecture teams. I think our system has scaled appropriately.

How are customer service and technical support?

The technical support really depends on who you get, at the time you call. There are good guys and bad guys. I can't really say. On a scale of 1 to 5, I would give them a 4/5 rating from our experience. We have a pretty good relationship with them.

Which solution did I use previously and why did I switch?

When I started out, this product was already bought and implemented by my company.

How was the initial setup?

The setup was a mixture of both, i.e., simple and complex.

It was complex because I had never dealt with it before. I had never set up a system like that. At the end, it got better.

What other advice do I have?

You should totally go for it. I've seen a couple systems out there, but I think IBM QRadar is one of the better solutions available.

Professionalism and to always be there when I call are the most important criteria when selecting a vendor. With IBM it's pretty good. We have our sales guy, who is always on top of everything.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
it_user631740
Security Manager at a pharma/biotech company with 1,001-5,000 employees
Vendor
The search capability and data consolidation are some of the key features. I want to see a three-dimensional perspective of the data.

What is most valuable?

The search capability (I've used other solutions) and data consolidation are some of the key features.

How has it helped my organization?

For this organization, it was the first log management solution. So, it definitely gave us the ability to search through the data when we had events. We could search based on the identity of the person, or the machine, or the IP address. We could do a lot of different searches. We could also do payload searches, and depending on how much capacity you have, you can do quite a lot with it.

What needs improvement?

I want to see a three-dimensional perspective of the data. I don't want to see just an event perspective of the data. I want to be able to identify a user, and within clicks, know all the activity of that user. I don't want to see it in events. I want to see it in relevant information.

There needs to be a little more investment in enhancing the user interface. That is the main thing: making it represent an actual incident response state of mind, similar to how you would troubleshoot an incident. That is the main issue. It was a major position by IBM when they bought it, but we see a lot of things being done around the Cognitive side, around the Watson side. What we're not seeing growth in is the actual tool's interface and usability, and that's what we wanted to see. We wanted to be able to see seamless identification of log sources, seamless categorization and normalizing of log sources, seamless alerts. For the solution to mature in all those things, it has to be able to take data and make sense of it by itself, without a lot of input. Those are the areas where they can really improve it.

What do I think about the stability of the solution?

It's been stable. Stability hasn't been a problem, as long as you have enough capacity. It's all about sizing it right for the size of your environment. We do drop packets every day. So depending on how our log volume increases or reduces, you see the impact on the packets being dropped.

How are customer service and technical support?

We've used technical support and it hasn't been great. It didn't seem like we could get the answers we needed without having to use professional services. For a solution like this, little things like how to tune it, how to upgrade it; there are things that as a customer we don't feel the need to use professional services for. We want to be able to just find a document on how to upgrade, and that has been difficult to find.

Which solution did I use previously and why did I switch?

We didn't have a previous solution. We kind of inherited it as part of another acquisition from IBM, and then we scaled it up to meet our capacity.

How was the initial setup?

We got the basic functionality working, which is not difficult. It's getting the full value out of the solution, which is harder.

What other advice do I have?

From an analytics perspective, it's a good tool. But you have to have the resources to own it. It's not only about buying it. It's not only about capacity, but somebody has to care and feed it. It's not one of those things that you can put it in, walk away and just consume the data. If you don't take care of it and feed it, you won't get what you need out of it.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
it_user5160
IT Security Consultant at a tech vendor with 201-500 employees
Vendor
It captures and processes large volumes of event data, and scales to support them in a unified database. But, it'd be good to have a default configuration to meet PCI requirements.

Valuable Features:

It's very helpful in meeting compliance monitoring and reporting (PCI DSS, PA DSS, ISO, SOX) requirements.

Improvements to My Organization:

It captures and processes large volumes of event data, and scales to support hundreds of thousands of events in one unified database. 

It also offers high-availability and disaster-recovery options. 

There's very high quality in reporting, suitable for almost all compliance requirements.

Room for Improvement:

We use it mostly for purchases and the regulatory requirements of that process. It would be good, therefore, if a standard configuration to meet PCI requirements were offered or proposed by default during install or configuration, e.g. log archive duration set by default to one year for each device added.

The event information display might prioritize event ID, user, destination, source, and date/time as the first info gathered in the report.

Use of Solution:

We're only using the Log Manager.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
ITCS user
Cyber Security Advisor / CISO / Healthcare Security Pro at OMC SYSTEMS LLC
Vendor
The dashboards give us an overview of traffic flow and pinpoint configuration issues.

Valuable Features

I find that the dashboards are the most helpful to get an overview of traffic flow and issues.

Improvements to My Organization

We find that reviewing Q1 Radar is very helpful to pinpoint configuration issues, as well as to go back and find traffic flows from compromised hosts.

Deployment Issues

No.

Stability Issues

None.

Scalability Issues

N/A

Customer Service and Technical Support

Customer Service: N/A Technical Support: N/A

Disclosure: I am a real user, and this review is based on my own experience and opinions.
Vinod Shankar
Manager, Enterprise Risk Consulting at a tech company with 1,001-5,000 employees
Consultant
Qradar vs. ArcSight

Continuing with the SIEM posts we have done at Infosecnirvana, this post is a Head to head comparison of the two Industry leading SIEM products in the market – HP ArcSight and IBM QRadar.

Both the products have consistently been in the Gartner Leaders Quadrant. Both HP and IBM took over niche SIEM players and have made themselves relevant in the SIEM market.

We have worked on both the products and feel that this comparison is a good way to start the discussion rolling on features of both the products and how they approach the problem of Security Information & Event Management.

Okay, let’s get started!!!

ArcSight vs QRadar

Product Birth
  ArcSight: Year 2000, ArcSight SIEM came into the market and incidentally this was the only product they have worked on. In 2011 HP bought them.
  QRadar: Year 2004-2005, Q1 Labs entered the SIEM market by modifying their NBAD platform (QFlow), and in 2012 IBM bought them.

Logging Format
  ArcSight: CEF – Common Event Format
  QRadar: LEEF – Log Event Extended Format

Underlying DB
  ArcSight: Oracle till 2012, then a combination of MySQL, PSQL etc.
  QRadar: Proprietary, based on the Ariel data store and probably Annotation Query Language (AQL)

Vendor Support
  ArcSight: supports more than 400 vendors with their CEF certification program
  QRadar: supports more than 250 vendors with their LEEF certification program

Portfolio
  ArcSight: Log Correlation – HP ArcSight ESM; Log Management – HP ArcSight Logger; Identity Correlation – HP IdentityView; Intelligence Feeds – HP RepSM; Threat Detection – HP ArcSight Threat Detector; Response and Action – HP ArcSight TRM
  QRadar: Log Correlation – IBM QRadar Console; Log Management – IBM QRadar Log Manager; Network Forensics – IBM QRadar NBAD (using QFlow); Intelligence Feeds – IBM X-Force; Vulnerability Management – IBM QRadar VM (with dedicated scanner); Response and Action – IBM QRadar Incident Forensics (for response only)

Identity Monitoring
  ArcSight: has a separate feature called IdentityView (separate license) to provide the identity perspective of events occurring in ArcSight. It integrates with identity solutions (AD, Oracle) to keep track of user activity regardless of the account being used. It assigns risk scores to users based on their activity, and can graphically represent this activity and compare it to others with similar roles.
  QRadar: does not have a capability similar to IdentityView; however, it does integrate with identity solutions to provide user information in the offenses created.

Network Behavioral Analysis
  ArcSight: does not natively collect flow data; however, it can obtain NetFlow data from other devices such as routers, etc. The NetFlow data provides visibility only up to layer 4 (no application visibility).
  QRadar: due to its origin as an NBAD product, has powerful Network Behavioral Analysis (NBAD) capability through its QFlow appliance (network flow data including Layer 7 flows, J-Flow, NetFlow, sFlow, and Packeteer's Flow Data Records can be collected and processed). This allows us to review application and network flows and assess them for anomalous traffic, persistent threats etc.

Vulnerability Management
  ArcSight: can integrate with vulnerability scanners and gather scan reports for correlating vulnerability information with the security events collected. However, it is more of a data aggregator in the case of VM tools.
  QRadar: has a Vulnerability Management product (QVM). This has all the features comparable to ArcSight; however, IBM has upped the ante in this space by including a scanner in the product that can actively scan hosts if enabled with a QVM license. This lets security analysts gather real-time information, if they choose to, from the same SIEM console.

Dynamic Risk Management
  ArcSight: does not have any risk management capabilities. However, it can integrate with commercial risk management products to provide basic correlation.
  QRadar: has a Risk Manager (QRM) product that collects network configuration information and provides a risk modeling capability to assist in understanding the extent of impact of a configuration change in the network. This is akin to Skybox, AlgoSec or RedSeal and performs in a similar capacity.

Log Collection
  ArcSight: Agentless – using the Connector Appliance; the Logger Appliance can also serve as a log receiver. Agent based – software install on servers for all types of log collection.
  QRadar: Agentless – any QRadar appliance (Console, All-in-One combo boxes, Event Collector etc.) can collect logs remotely. Agent based – connector software available for Windows; for others, agentless is the only option. Flow collection – by default any appliance can collect flow data; however, dedicated Flow Collectors are an option in QRadar.

Log Management
  ArcSight: separate log management software/appliance, which is different from the ESM appliance. They have an Express version which combines both, but in general HP Logger fills the space of a dedicated log management appliance.
  QRadar: the same software and the same appliance can behave as an all-in-one SIEM + Log Manager, a dedicated Log Manager, or a SIEM, depending on the license added. There is no distinct product differentiation as in the ArcSight family.

Event Transmission
  ArcSight: events from the source are sent in clear text to the SmartConnectors; however, all further upstream communication happens encrypted. Compression and aggregation can also be employed in the ArcSight ecosystem from the connectors onwards.
  QRadar: events from the source are sent in clear text; however, communication between QRadar appliances happens over encrypted SSH tunnels. Compression happens on the appliance at the event storage level and does not happen in event transit.

Handling EPS Bursts
  ArcSight: uses large buffers to cache events in case of an EPS burst. Once the buffer is filled, the queue starts to fill. Once the queue overflows, events get dropped. But the burst EPS can be sustained for longer periods of time compared to QRadar.
  QRadar: each event type has a memory buffer; once the EPS exceeds the licensed level and the buffer is filled, all new events are queued and processed on a best-effort basis. However, this burst EPS is not sustainable for longer periods of time as with ArcSight. So even though it can take burst EPS during times of attack, it is not sustainable.

Filtering
  ArcSight: provides the ability to filter or modify events at the collection and logging level to eliminate the events that are not of security value. This can be as close to the event source as possible using SmartConnectors.
  QRadar: provides the capability to filter using routing rules. However, field-based filtering (where only one field from the log needs to be omitted during parsing) can't be done in QRadar.

Aggregation
  ArcSight: log aggregation can be done based on any field combination. This is really useful when it comes to toning down the high-volume logs of network firewalls, proxies etc.
  QRadar: log aggregation, or coalescing in QRadar terminology, happens at the event collection layer based on the source IP and user only, and not on customizable field combinations.

Data Obfuscation
  ArcSight: allows for obfuscating any field at the log collection level using SmartConnectors. This is very powerful when monitoring confidential data in logs.
  QRadar: does provide obfuscation abilities using a custom regex-based, key-based obfuscation config. This allows for encrypting a field, based on the regex match, when the event is processed.

Custom Log Collection
  ArcSight: requires development of customized configuration files. However, the ArcSight FlexConnector SDK is a very powerful tool to build custom connectors and parsers. Also, the ArcSight community shares knowledge about custom connectors, and hence more help is available in case you want to develop on your own.
  QRadar: has two parts to its custom log collection capability. For supported logs or generic logs, it can update/develop parsers using the "Extract Custom Property" feature. However, if a new log source is to be integrated, then it is through customized configuration files, which are much harder to create, test and maintain. Also, help to develop on your own is scarce, so professional services are mandatory.

Scalability
  ArcSight: is really scalable, such that it can support multi-tier correlation engines, multi-tier Loggers, connectors etc., and also has effective peering.
  QRadar: scales very well horizontally at the log collection layer; however, at the correlation layer it does not scale as well as ArcSight. This is a challenge in large and distributed environments.

High Availability
  ArcSight: one of the long-standing issues of ArcSight is HA. It does not have a true HA capability. It supports fail-over routing at the collection layer but does not have anything at the correlation layer.
  QRadar: has the most simple to set up HA configuration ever. This allows sync of two appliances in true HA style.

Multi-Tenancy
  ArcSight: has always been one of the leading SIEM solutions for MSSP vendors. The main reason is the ability of the product to delineate events based on customers so that monitoring can be efficiently performed in an MSSP environment. It maps IP addresses to customer names and network zones to avoid overlap.
  QRadar: did not have the feature until recently (I think v7.2 and above), and this was one of the reasons it had very poor multi-tenancy support. However, the new feature with "Domain"-based categorization provides the ability to support MSSP environments. Maturity is yet to be achieved, but it's a step in the right direction.

Out-of-the-Box Use Cases
  ArcSight: out-of-the-box use cases are very light by comparison and only include limited multi-device/event correlation use cases.
  QRadar: comes with a comprehensive set of basic out-of-the-box use cases for various threat types such as malware, recon, DoS, authentication and access control, etc. Also, several of these use cases are multi-device/event types.

Customizable Dashboards and Reports
  ArcSight: the reporting system includes over 350 standard report templates that address common compliance and risk requirements. The report design system is similar to what you would find in a BI solution, though not as complex. Support for charts and graphs is available, and templates can be customized through Velocity. Reports can be scheduled and distributed automatically by e-mail.
  QRadar: provides over 2000 report templates relevant to specific roles, devices, compliance regulations and vertical industries. Only basic report customization is available; if advanced report customization is required, QRadar reporting seems limited. However, the majority of customers using QRadar are happy with the out-of-the-box reports.

Case Management
  ArcSight: has a built-in case management system that allows the association of events to cases, limited workflow, and the ability to launch investigation tools (anything that can run from a command line) directly from the console. Cases can contain analyst notes and customizable fields.
  QRadar: provides a rudimentary case management capability through its Offense Management. Offense Management provides basic features such as open, close, assign, and add notes. Additional events cannot be added to offenses. This is in stark contrast to ArcSight, which has a full-blown case management system built in.

User Portal
  ArcSight: requires a Java client to provide most of its functionality, but also provides a web interface primarily for business users.
  QRadar: provides all functionality for security event monitoring and threat content development through a web-based GUI.

User Licenses
  ArcSight: individual console licenses must be purchased for each user to perform investigation/monitoring.
  QRadar: additional user licenses do not need to be purchased.

Pricing
  ArcSight: pricing is based on the number of log sources and total log size per day.
  QRadar: pricing is based on EPS. Linear incremental cost for scaling the solution is based on tier-based EPS licensing.

Updates: This section is for posting differences based on reader feedback. So readers, feel free to add on.

Pattern Discovery
  ArcSight: has something called a Threat Detector tool. It basically runs a set of search queries on real-time data and reports the patterns detected. If interesting monitoring patterns are detected, they can quickly be converted to use cases. This is useful if you want to create new use cases and you don't know where to start.
  QRadar: does not have anything similar to pattern discovery.

Compliance
  ArcSight: has compliance packages that can be purchased to aid in providing compliance-specific alerting, reporting etc. However, these are priced separately.
  QRadar: has more than 2000 reports grouped by compliance requirement, which should mostly satisfy compliance needs.

I think the list can still be improved based on your feedback. Please feel free to add them in the comments section below and the feedback will be incorporated.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
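The Logging Format and Data Obfuscation rows above name two things a collector has to do before any correlation can happen: parse CEF and LEEF into one structure, and strip or mask sensitive fields on the way in. The following is an added example written for this page, not code from the post, from IBM or from HP: a small Python parser that normalises CEF and LEEF lines into the same dict shape and then applies regex-selected, key-based obfuscation to chosen fields. The sample events, rule set, key and all function names are constructed for the example; the keyed HMAC pseudonym is this example's substitute for the reversible field encryption the post mentions, chosen so that an analyst can still pivot on the same user or host across events.

```python
import hashlib
import hmac
import re

# Constructed sample events (not captured from any real device). The CEF
# extension carries a backslash-escaped '=' inside a value; the LEEF event uses
# a LEEF 2.0 header with an explicit '^' attribute delimiter.
SAMPLE_CEF = ("CEF:0|Acme|Firewall|1.2|100|Blocked connection|5|"
              "src=10.0.1.1 dst=10.1.1.2 suser=jdoe msg=Policy deny\\=yes act=block")
SAMPLE_LEEF = ("LEEF:2.0|Acme|Proxy|3.0|200|^|"
               "src=10.0.1.1^dst=203.0.113.7^usrName=jdoe^url=http://example.com/a=b")

# Constructed obfuscation rules and key: pseudonymise user names and 10/8 addresses.
DEMO_RULES = [(r"suser|usrName", r".+"), (r"src|dst", r"\b10\.\d+\.\d+\.\d+\b")]
DEMO_KEY = b"constructed-demo-key"


def _split_header(text, sep, count):
    """Split off `count` header fields on unescaped `sep` (backslash escapes honoured);
    the remainder is returned raw, escapes intact, as the last item."""
    parts, buf, i = [], [], 0
    while i < len(text):
        if len(parts) == count:
            parts.append(text[i:])
            return parts
        ch = text[i]
        if ch == "\\" and i + 1 < len(text):
            buf.append(text[i + 1])
            i += 2
            continue
        if ch == sep:
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
        i += 1
    parts.append("".join(buf))
    return parts


def _unescape_cef(value):
    # CEF extension values escape '=', '\' and line breaks with a backslash.
    return re.sub(r"\\(.)", lambda m: {"n": "\n", "r": "\r"}.get(m.group(1), m.group(1)), value)


def _parse_cef(line):
    # CEF:Version|Device Vendor|Device Product|Device Version|Signature ID|Name|Severity|Extension
    hdr = _split_header(line, "|", 7)
    if len(hdr) != 8:
        raise ValueError("malformed CEF header")
    fields = {}
    # A new key begins after a space; spaces not followed by key= stay inside the value.
    for pair in re.split(r" (?=[A-Za-z0-9_.]+=)", hdr[7].strip()):
        if "=" in pair:
            key, value = pair.split("=", 1)
            fields[key] = _unescape_cef(value)
    return {"format": "CEF", "vendor": hdr[1], "product": hdr[2], "version": hdr[3],
            "event_id": hdr[4], "name": hdr[5], "severity": hdr[6], "fields": fields}


def _parse_leef(line):
    # LEEF:1.0|Vendor|Product|Version|EventID|attrs          (attrs tab-separated)
    # LEEF:2.0|Vendor|Product|Version|EventID|delim|attrs    (delim: one char or xHH hex)
    leef_version = line.split("|", 1)[0][len("LEEF:"):]
    nheader = 6 if leef_version.startswith("2") else 5
    hdr = _split_header(line, "|", nheader)
    if len(hdr) != nheader + 1:
        raise ValueError("malformed LEEF header")
    delim = "\t"
    if nheader == 6 and hdr[5]:
        hexd = re.fullmatch(r"(?:0x|x)([0-9A-Fa-f]{2})", hdr[5])
        delim = chr(int(hexd.group(1), 16)) if hexd else hdr[5]
    fields = {}
    for attr in hdr[nheader].split(delim):
        if "=" in attr:
            key, value = attr.split("=", 1)   # values are not escaped; '=' may appear in them
            fields[key] = value
    return {"format": "LEEF", "vendor": hdr[1], "product": hdr[2], "version": hdr[3],
            "event_id": hdr[4], "name": None, "severity": fields.get("sev"), "fields": fields}


def parse_event(line):
    """Normalise a CEF or LEEF line into one dict shape, so the same obfuscation
    rules or correlation logic can be applied to either format."""
    if line.startswith("CEF:"):
        return _parse_cef(line)
    if line.startswith("LEEF:"):
        return _parse_leef(line)
    raise ValueError("unrecognised event format")


def _token(plain, key):
    # Keyed pseudonym: same key and input give the same token across events.
    return "obf:" + hmac.new(key, plain.encode(), hashlib.sha256).hexdigest()[:16]


def obfuscate(event, rules, key):
    """rules: list of (field_name_regex, value_regex). In every field whose name
    fully matches, each substring matching value_regex becomes a keyed token.
    Regex-plus-key selection follows the post; the HMAC pseudonym is this example's choice."""
    fields = {}
    for name, value in event["fields"].items():
        for name_re, value_re in rules:
            if re.fullmatch(name_re, name):
                value = re.sub(value_re, lambda m: _token(m.group(0), key), value)
        fields[name] = value
    return {**event, "fields": fields}
```

Run `obfuscate(parse_event(SAMPLE_CEF), DEMO_RULES, DEMO_KEY)` and the same for `SAMPLE_LEEF`: `jdoe` maps to the same token in both events and the 10/8 addresses are masked, while `203.0.113.7` and the `msg` text pass through untouched. Two points worth noting for a real deployment: the header splitter treats `\|` as a literal pipe, which is what makes CEF product names containing pipes survive, and the obfuscation is applied after parsing, so a value that hides inside an unparsed payload field is not covered by a rule on `suser`.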
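The Handling EPS Bursts and Aggregation rows describe two interacting controls at the collection layer: a licensed events-per-second rate with a bounded queue that drops events once full, and coalescing, where repeats of the same source IP and user inside a short window are folded into a counter instead of being queued as separate events. The model below is an added example built for this page, not QRadar's or ArcSight's code and not from the post: a toy collector with those two policies and a constructed burst that shows how coalescing changes what survives the burst. The class, the constants (100 EPS licence, 200-event queue, coalesce after three repeats in a 10-second window) and the sample event stream are all assumptions made for the illustration.

```python
from collections import deque


class Collector:
    """Toy event-collection pipeline modelling two behaviours from the comparison:
    a licensed EPS limit with a bounded queue (events are dropped once the queue is
    full) and coalescing, where repeated events with the same source IP and user
    inside a time window are folded into the last queued copy as a count instead
    of being queued again. Constructed for illustration; the numbers and the
    policy are not QRadar's internals."""

    def __init__(self, licensed_eps, queue_size, coalesce_after=3, window=10):
        self.licensed_eps = licensed_eps
        self.queue_size = queue_size
        self.coalesce_after = coalesce_after  # None disables coalescing entirely
        self.window = window                  # seconds an (src_ip, user) bucket stays open
        self.queue = deque()
        self.buckets = {}                     # (src_ip, user) -> {"first_ts", "count", "event"}
        self.stats = {"received": 0, "queued": 0, "coalesced": 0, "dropped": 0, "processed": 0}

    def ingest(self, ts, src_ip, user, payload):
        self.stats["received"] += 1
        event = {"ts": ts, "src_ip": src_ip, "user": user, "payload": payload, "count": 1}
        if self.coalesce_after is not None:
            bucket = self.buckets.get((src_ip, user))
            if bucket is None or ts - bucket["first_ts"] > self.window:
                bucket = self.buckets[(src_ip, user)] = {"first_ts": ts, "count": 0, "event": None}
            bucket["count"] += 1
            if bucket["count"] > self.coalesce_after and bucket["event"] is not None:
                # Fold into the most recent queued copy: only a counter changes, so the
                # payload of the later repeats is not retained (the cost of coalescing).
                bucket["event"]["count"] += 1
                self.stats["coalesced"] += 1
                return
            bucket["event"] = event
        if len(self.queue) >= self.queue_size:
            self.stats["dropped"] += 1        # queue overflow during a burst
            return
        self.queue.append(event)
        self.stats["queued"] += 1

    def tick(self):
        """Process one second's worth of events at the licensed rate."""
        n = min(self.licensed_eps, len(self.queue))
        for _ in range(n):
            self.queue.popleft()
        self.stats["processed"] += n
        return n


def run_burst(coalesce):
    """Constructed burst: 500 events in the same second from 20 (src_ip, user)
    pairs, 25 repeats each, against a 100 EPS licence and a 200-event queue."""
    c = Collector(licensed_eps=100, queue_size=200, coalesce_after=3 if coalesce else None)
    for i in range(500):
        pair = i % 20
        c.ingest(0, f"10.0.0.{pair + 1}", f"user{pair}", "authentication failure")
    while c.queue:
        c.tick()
    return c.stats
```

With coalescing on, the 500-event burst collapses to 60 queued events (three per pair) plus 440 counted repeats, and nothing is dropped; with it off, the queue fills at 200 and the remaining 300 events are lost. The trade-off the post hints at is visible in the code: coalescing keys only on source IP and user, so repeats that differ in destination or payload are still merged, and the merged copies keep only a count.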
it_user163854
Security Solution Architect with 1,001-5,000 employees
Vendor
No matter what technology you choose, the technology area is 15% of the effort. Your processes are 85%.

What is most valuable?

IBM QRadar:

  • Ease of install. It's effectively Red Hat 6.5 with an app on top.
  • Automatic log source identification.
  • Inbuilt rules and reports are comprehensive, so out of the box the system does things.
  • Recognises every log source we have added.
  • IBM supply a virtual image, which makes standing up a system a small piece of work.

How has it helped my organization?

IBM QRadar has great data reduction. We have several hundred million log records arriving daily on various platforms and have been able to tune them to alert well on important things. Very few false positives.

Like any SIEM product at a very base level the system is a pattern matcher. Looking for patterns in single log messages or looking for patterns in multiple logs messages combined with flow data. It has a primary focus of Security Event Management but you can look for anything in the information flowing through the system and can alert on it. So it can be used - and we do - as a general IT event management/monitoring system.

What needs improvement?

Room for improvement - IBM Qradar:

  • Graphing on the system is a tad coarse. Analytics now requires really high-quality graphing to assist in pinpointing anomalies.
  • Need for multiple Java versions for deployment setup is a pain.
  • There are areas you need to have Java 7 to be able to use.(Primary need for this is to access the Deployment area)
  • We need to be able to handle multiple overlapping ip address areas. That is coming we know. But slowly.
  • When you are building this in a virtualised environment you do have a bit of difficulty accessing the GUI.

For how long have I used the solution?

3.5 years

I have used several versions of the Qradar system. Both the IBM version and the Juniper STRM OEM version.

IBM I rate as 7.5/10

STRM at 7/10

What was my experience with deployment of the solution?

No real issues with deploy. What it is doing is exactly what we expected. It does have a few wrinkles but that is more about where we are collecting logs from.

What do I think about the stability of the solution?

No stability issues yet.

What do I think about the scalability of the solution?

No scalability issues yet. We have sized the latest system to cope with up to 10,000 EPS and are only at about 4,000 at the moment. Scaling is simply adding extra licence as required at the moment. Easy.

How are customer service and technical support?

Customer Service:

Generally excellent.

Technical Support:

Generally excellent.

Which solution did I use previously and why did I switch?

  • We were using Splunk. Licensing does not allow you to expose Splunk screens to customers (we are an ISP and IT service provider).
  • McAfee Nitro was too expensive.
  • ArcSight takes too long to install and tune.

How was the initial setup?

Simple:

  • Boot VM off ISO image.
  • Install licence.
  • Point logs at it.
  • Done.

Occasionally the documentation did not reflect what was happening, so we did need to contact tech support a few times.

What about the implementation team?

We implemented it ourselves. Initial seat-of-the-pants approach. Worked. I got my Red Hat builder to spin up the two VM servers off the supplied image, licensed them, gave them the appropriate IP addresses, created the deployment (the Java 7 bit), and the system started receiving logs from the 1,200 Cisco routers.

What was our ROI?

We are fulfilling a government contract. Install and move to BAU has been done and it came in under the estimated budget, so all good.

Which other solutions did I evaluate?

  • McAfee Nitro
  • Juniper STRM
  • AlienVault. Note: we would probably have used AlienVault, but there was no representation in Asia Pacific at the time.
  • Trustwave

What other advice do I have?

  • First, gather your requirements.
  • From that, build a business case.
  • Understand that no matter what technology you choose, the technology area is 15% of the effort. Your processes are 85%. No process, then 5h1t in, 5h1t out.
  • Make sure you know your business reasons for the implementation.
Disclosure: I am a real user, and this review is based on my own experience and opinions.
it_user140676
Information Security Consultant at a tech services company with 51-200 employees
Consultant
Although it provides incident management of the alerts it produces, this could be improved to allow more restrictions

What is most valuable?

IBM Security QRadar has many valuable features. One of the most valuable is the ease of extracting information from raw logs/events, whether or not the log source sending the events is supported by IBM (for example, a custom in-house application), and using this information in creating searches, correlation rules, reports, and dashboards. Another feature is scalability; scaling up a deployment to support more events per second is made simple just by "linking" new appliances to the main deployment through configuration steps that only take minutes to complete. I do not know if I can call this a feature, but a "general" feature of QRadar is that it does not require highly technically skilled personnel to administer. The dashboards and configurations in the web UI are easy to read, understand, and change.

What needs improvement?

Although QRadar provides incident management of the alerts it produces, this area could use a little improvement to allow more restrictions on who can close alerts, and to make updating alerts with text templates, and reading them, easier.

For how long have I used the solution?

I have used IBM Security QRadar for nearly two years now. I use it as a user in my organization’s Managed Security Services division where we monitor clients’ environments. I also work with it as an implementer to deploy and customize it for clients.

What was my experience with deployment of the solution?

Any deployment will have issues. The issues that I encounter when deploying QRadar are raised with IBM Support and are usually solved quickly by applying patches or changing individual files to fix web GUI issues.

What do I think about the stability of the solution?

The causes of stability issues are usually not QRadar itself but misconfigured devices/log sources (for example, sending debug events to QRadar, which results in millions of events in a short period of time). However, if a deployment is done correctly, QRadar stays stable.

What do I think about the scalability of the solution?

No, I did not face issues with scalability. One of the great features of QRadar is the ease of scalability. A license upgrade is simply done by purchasing it and applying it through the GUI, which only takes minutes. If an organization wants a larger expansion, all it has to do is buy the required hardware with QRadar installed and "link" it to the main deployment through steps that also take minutes. This new hardware provides the extra events per second or flows per minute capacity required for the expansion.

How are customer service and technical support?

IBM provides support in various regions of the world. The level of technical support is good. Once a support ticket is opened, the support team tries to fix it directly or passes it on to higher levels, and will involve the QRadar development team if required.

Which solution did I use previously and why did I switch?

No, I did not use a separate solution, although I have read and heard about different solutions from the various clients I have met with. Clients switch to QRadar because they say that maintaining and administering other solutions becomes a hassle and requires trained personnel. Another reason clients switch to QRadar is cost.

How was the initial setup?

The initial setup of QRadar is straightforward. From the installation perspective, IBM provides one ISO file that can be used to install any of the QRadar components, with the activation key deciding which components to install. From the deployment perspective, QRadar has the ability to automatically detect many log sources sending logs. The out-of-the-box dashboards, searches, reports, and correlation rules allow QRadar to start displaying intelligence and insight on devices, network statistics, authentication, and much more, and to start alerting on offenses and policy violations automatically. Coupling this with the automatically detected log sources, a demonstration of QRadar can take only a few hours from installation, to automatically detecting a log source such as firewall logs, to getting alerts on excessive firewall denies, port scans, etc.

What other advice do I have?

The advice I would give to others is to work with the implementation team to properly fine-tune the out-of-the-box "building block rules" and to enter their network hierarchy in QRadar, in order for it to give the best results and reduce false positive alerts.
Disclosure: My company has a business relationship with this vendor other than being a customer: We're a value added services security company that is a distributor of Q1-Labs QRadar (now IBM).
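Both reviews above describe the same mechanics from different angles: the first calls the product a pattern matcher over single and multiple log messages, the second describes extracting fields from raw events with regexes, out-of-the-box rules that alert on excessive firewall denies and port scans, and tuning the building blocks and network hierarchy to cut false positives. The following Python is an added example written for this page, not QRadar code and not anything either reviewer posted; it implements that loop in miniature. The Cisco ASA 106023 "Deny" line format, the epoch-seconds timestamp prefix, the thresholds, the window, the local network hierarchy and the scanner allowlist are all illustrative assumptions, and the sample events are constructed.

```python
"""Toy SIEM correlation pass over constructed firewall deny events.

Assumptions (illustrative, not taken from the page): events are Cisco ASA
%ASA-4-106023 "Deny" lines prefixed with an epoch-seconds timestamp and
arrive in time order; thresholds, window, local networks and the scanner
allowlist are made-up tuning values.
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# "Network hierarchy": address space we own, so rules can tell
# remote-to-local traffic from local-to-local traffic.
LOCAL_NETS = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]
# Hosts expected to trip deny rules (e.g. the vulnerability scanner);
# tuning these out is the first step in cutting false positives.
SCANNER_ALLOWLIST = {"10.0.0.50"}

# Regex field extraction from the raw payload (the "custom property" idea).
DENY_RE = re.compile(
    r"^(?P<ts>\d+) %ASA-\d-106023: Deny (?P<proto>\w+) "
    r"src \w+:(?P<src>[\d.]+)/(?P<sport>\d+) "
    r"dst \w+:(?P<dst>[\d.]+)/(?P<dport>\d+)"
)


@dataclass(frozen=True)
class Event:
    ts: int
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


@dataclass(frozen=True)
class Offense:
    rule: str
    src: str
    ts: int
    detail: str


def parse_event(line):
    """Return an Event for a deny line, or None for any other payload."""
    m = DENY_RE.match(line)
    if m is None:
        return None
    return Event(int(m["ts"]), m["proto"], m["src"], int(m["sport"]),
                 m["dst"], int(m["dport"]))


def is_local(ip, local_nets=LOCAL_NETS):
    addr = ip_address(ip)
    return any(addr in net for net in local_nets)


def correlate(lines, window=60, deny_threshold=5, port_threshold=4,
              local_nets=LOCAL_NETS, allowlist=SCANNER_ALLOWLIST):
    """Run two multi-event rules over a per-source sliding time window.

    excessive_denies: >= deny_threshold denies from one source within window.
    port_scan: >= port_threshold distinct destination ports from one REMOTE
    source within window (local sources are out of scope for this rule).
    Each rule fires once per source, like an offense that stays open.
    """
    recent = defaultdict(list)   # src -> events still inside the window
    fired = set()                # (rule, src) pairs already raised
    offenses = []
    for line in lines:
        ev = parse_event(line)
        if ev is None or ev.src in allowlist:
            continue
        bucket = recent[ev.src]
        bucket.append(ev)
        while bucket[0].ts < ev.ts - window:   # input is time-ordered
            bucket.pop(0)
        if len(bucket) >= deny_threshold and ("excessive_denies", ev.src) not in fired:
            fired.add(("excessive_denies", ev.src))
            offenses.append(Offense("excessive_denies", ev.src, ev.ts,
                                    f"{len(bucket)} denies in {window}s"))
        if not is_local(ev.src, local_nets):
            ports = sorted({e.dport for e in bucket})
            if len(ports) >= port_threshold and ("port_scan", ev.src) not in fired:
                fired.add(("port_scan", ev.src))
                offenses.append(Offense("port_scan", ev.src, ev.ts,
                                        f"ports {ports} in {window}s"))
    return offenses


def _deny(ts, src, sport, dport, dst="10.0.0.8"):
    """Build a constructed ASA-style deny line (sample data, not real logs)."""
    iface = "inside" if is_local(src) else "outside"
    return (f'{ts} %ASA-4-106023: Deny tcp src {iface}:{src}/{sport} '
            f'dst inside:{dst}/{dport} by access-group "outside_in"')


SAMPLE_LOGS = [   # constructed; one unrelated "Built connection" line is mixed in
    _deny(1000, "203.0.113.5", 41000, 22),
    _deny(1002, "198.51.100.7", 50001, 22),
    _deny(1005, "203.0.113.5", 41001, 23),
    "1006 %ASA-6-302013: Built inbound TCP connection 12345 for outside:203.0.113.5/41002 "
    "(203.0.113.5/41002) to inside:10.0.0.8/443 (10.0.0.8/443)",
    _deny(1010, "203.0.113.5", 41003, 80),
    _deny(1012, "198.51.100.7", 50002, 22),
    _deny(1015, "203.0.113.5", 41004, 443),
    *[_deny(1020 + i, "10.0.0.50", 60000 + i, p) for i, p in enumerate((22, 23, 80, 443, 3389))],
    _deny(1025, "203.0.113.5", 41005, 3389),
    _deny(1030, "198.51.100.7", 50003, 22),
    *[_deny(1040 + i, "10.1.1.9", 33000 + i, p) for i, p in enumerate((22, 23, 80, 443, 3389))],
    *[_deny(2000 + 100 * i, "203.0.113.9", 45000 + i, p) for i, p in enumerate((22, 23, 80, 443, 3389))],
]

if __name__ == "__main__":
    for off in correlate(SAMPLE_LOGS):
        print(f"{off.ts} {off.rule:17} {off.src:14} {off.detail}")
```

Run stand-alone, the pass raises three offenses: a port scan and then an excessive-denies offense for 203.0.113.5, and an excessive-denies offense for the internal host 10.1.1.9 (no port-scan offense, because the network hierarchy marks it local). The allowlisted scanner 10.0.0.50 produces nothing, 198.51.100.7 stays under threshold, and 203.0.113.9 never accumulates enough events inside the 60-second window. Changing `local_nets`, `allowlist` or the thresholds is the same tuning exercise the second reviewer recommends doing against the real building blocks.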