IBM Security QRadar Reviews

The main tool for this operation center for collectings events from different devices, whatever server or network devices, such as switches and routers. It handles anything related to data that can be harmful related to security. Those events can be mapped to promote the threat, it creates another event for promoted threats.

We are a service provider and we provide services to our customers. We use IBM QRadar for many types of businesses, such as banks and telecom. It has a good reputation.

IBM QRadar has a margin for development, for out-of-the-box use cases. It can be enhanced with better support and automate the use cases for that.

I have been using IBM QRadar for approximately two years.

I have found IBM QRadar to be stable.

IBM QRadar is scalable.

The technical support of IBM QRadar is good.

IBM QRadar is the best SAN solution we have used compared to the others.

We manage the installation of the solution. It is not something difficult, it is reasonable. It is not that easy for anyone to do, it needs a technical team.

The implementation needs a technical team and we have two engineers for the implementation and maintenance.

There is a license to use this solution, which is paid annually. However, there are subscription options available.

I recommend this solution to others.

I rate IBM QRadar an eight out of ten.

My primary use case is for security monitoring. We activated freeze, proxy and firewalls and we collect data from them. We receive alerts and customize that according to our customer environments.

It has improved my efficiency. It has also reduced the implementing time. So we have reduced the time we are getting it readily available and you can just do small customizations. We can also do automation, as well using QRadar.

QRadar has somewhat of a new structure recently from last gen. They have moved from the standard UI based infrastructure. There are multiple aspects coming in which are actually plugin and play kind of stuff, we don't have to write rules, we don't have to create dashboards and all. For example, on the dashboard we have user behavior analytics. And, it is very helpful for us to use customization and build from scratch.

There are other solutions out there that have made it app based. They have a lot of apps available and they are readily integrated with other tools, as well.

It is very stable. I've seen this product grow since it started. It initially started with another company and then it was bought by IBM.

This tool is very user friendly, and is scalable. But, we do use other products in tandem with it.  

There are three zones that make up the technical support team, one is Asia Pacific(where the people from India are IBM India they work in that particular region), there are Europe(people from the UK and the Netherlands) and America (the people from the US). When comparing these support teams, the Indian team is lacking.

There are an abundance of  customers in the market who are actually using QRadar for their security monitoring purposes. This is a real advantage of this solution.

We compared it to Splunk. The only difference between QRadar and Splunk is that Splunk works on the data analytics, This makes it easy to help create those data lakes and searches whereas QRadar does not focus on that. The SQL database on the back end, takes some time and it's not so flexible in data storage or data lake creation, so that is the only backfall of QRadar. 

Additionally, Splunk is app based, and QRadar is not app based.

There are new things that are coming up in QRadar, such as AI to IBM Watson. This is going to create a huge impact in these types of solutions, because we don't have an artificial intelligence coming in. There are other tools that have artificial intelligence, but IBM QRadar getting integrated with artificial intelligence is the next step.

It should be noted that the QRadar type products are actually changing their strategy. they will move on to the next stage that is called "Threat Hunting." Instead of waiting for some attack to happen and getting an alert, the new solutions will try to find out those suspicious activities in your network or environment and resolve it before it creates havoc.  

My primary use case for this solution is to monitor security events in our cloud environment.

They do have a way to pre-configure or have pre-configurations for companies that are starting and they don't know too much about SIEM or working with SIEMs. The solution uses SIEM to get the information to the managers so I will say that they have an ongoing boarding process that is very good if you are starting because it already has what you need to start up.

In addition, they have more HIPAA. It's a pre-order on QRadar, so when we go to the process of selecting our use cases, they go by building blocks. QRadar links it to building blocks so we don't have too much to cut on it.

It is not a user-friendly program. It is a very glorified Excel program. I would love to see a more user-friendly version in a future rollout. 

In addition, the management services team needs some improvement. They are, at times, confused with our requests.

Another problem with QRadar, is that they have a very big signal protection. This needs to be fixed. You can only see what you know.  Let me give you an example of how I feel. Here is an analogy for you. Let's say you are a cowboy and you're on wild on the plains. You go out there and get your cows back, right? So you have a noose, you have your hat, your boots, your spurs, you are a real cowboy, right? But you are working on a, this is my opinion right? But you are working on building cars. So how would you look being fully dressed in all your gear, selling cars? It's like you are ready and prepared, you have your tools, but you don't like those rulings. You feel like you are in the wrong place.

No, it has not improved the efficiency of our security team. They have an integrated mobile with Watson so what this means is when we have an event that has a high magnitude, Watson takes it and investigates, right? So every time I see an offense, I see Watson has gone and investigated this. What am I expecting from AI to do? I want to see location, what happened, what is it, sources, stuff like that. They just give you a routing chart of what I think was involved. I can do that with my bare hands, I don't need Watson to do that. So why am I paying for AI?

On a scale of one to four, I would rate it a four. We have had some issues. For example, the other day I wanted to add a new correlation. So I opened a ticket for that new correlation. I went to go change my correlation, but they took so long to get the correlations down. I had to go ahead and open the ticket before I got to change the management process.

I have used Splunk in the past. 

The initial setup was complex, and it took six months. 

It is a pricey product. It is very expensive. 

QRadar needs a lot of fine tuning. I had to schedule meetings with IBM for help. For example, one of the things that we were having difficulties with QRadar is that the detection rules are sent by IBM and we wanted those detection rules. In one case, I know there's new malware out there, BlackIce, but I am not able in QRadar, because it's a managed service, to go in and create a detection rule that say the malware is out.

Normally, an offense comes in and an offense is something negative, to put it plainly, that impacted your environment. Once it comes through, you can then see from the QRadar log sources, who or what triggered the offense. For example, if an IP is browsing somewhere where it shouldn't be browsing. Let's say that one of your log sources reported it back to QRadar. You can see if the IP that browsed on certain websites where it shouldn't be browsing. When you right-click and go to the threat protection network, that will normally show you who is browsing, where that IP is coming from, what type of website it is browsing, and if it is good or bad. If it's bad, it will give you recommendations on how to resolve the issue.

The threat protection network is the most valuable feature because when you get an offense, you can actually trace it back to where it originated from, how it originated, and why.

I would like to see a more user-friendly product. I would like them to make it much more user-friendly. At this stage, you need to use a lot of widgets to do your searches.

To advance searches, you must do a lot of Regex expressions.

In the first year I used it, there were a few stability problems. In the previous three years, there haven’t been any stability issues.

I've seen no scalability issues in any of the environments where I am working at the moment. I've seen how it handles lot of load. I'm talking about a 5,000-user environment. It can handle a lot of logs and events coming through simultaneously.

If you spec it properly, with the proper hardware requirements, then it doesn’t crash. I've seen how people give it way less specs then it should have, and then it does crash. But that was the fault on the users’ side, and not the fault of the product.

I would give technical support a rating of 8/10. When they help you with a call for a problem with the product, which I've had twice, the next day, they roll out an update worldwide for all their products to be patched on that problem.

They lose too much time, in my opinion. Normally, you struggle a bit to get a hold of them and get to the correct person to assist you. Even though this isn't a very big delay, it usually takes about an hour. However, in my company, an hour can make a very big difference in my life. For example, it will take me about an hour to an hour and a half to get support from them. I'm a person who loves to get it done now. So if you don't mind waiting about an hour, then it can be very good support. When you log a call with IBM, it takes them about an hour to start working on the problem.

We used Splunk in the past and we are using both products at the same time.

The setup was very straightforward. It's basically, "next, next, and next”, and then you are finished.

I wasn't completely part of the whole process when they chose a product. I know they evaluated AlienVault, which unfortunately I do not have any experience with. I'm not able to provide pointers as to why the company chose IBM QRadar. I believe it's because we are a partner with them.

Just spec it correctly and it will do its job for you. It has an active community. IBM patches the product regularly when problems are picked up. I haven’t heard about a lot of problems from other people using the product. When we only have four hours to respond, an hour can make a difference in waiting for support.

I believe AQL is the most valuable feature. It allows me to extract data from the QRadar database directly using a very flexible language similar to SQL. So, if somebody has SQL experience, it is easy to learn.

My organization did not have SIEM at all. We had Log Manager only, but it was very slow and user-unfriendly. QRadar allowed us to concentrate two functions in one place: an extremely fast log manager with a very user-friendly web UI and the ability to correlate events from many different sources. Thanks to that, the efficiency of the security team has increased.

I think Risk Manager (one of the optional QRadar modules) is something that needs improvement.

I have been using QRadar for three years.

Sometimes, after a new release, we had issues with stability or some bug showed up. It is strongly recommended to have a DEV or UAT environment to test the release before going into production.

We have not really had scalability issues.

Technical support is at acceptable level, but sometimes a case is stuck on L1 too long.

We did not previously use a different solution.

Initial setup was straightforward, but as with all SIEMs, out-of-the-box configuration presents minimal value from a security standpoint. Furthermore, good analysis on where to put collectors is essential, especially when it comes to QFlows.

Put some efforts and evaluate what license (EPS) you need for which collector before making an order. It is worth hiring a professional to do it for you (somebody who has experience with QRadar sizing).

We evaluated HPE ArcSight.

Don't forget to hire the right people. They are expensive, but it is far more cost-effective to pay them now than to try to integrate SIEM without professional knowledge and break it (it is especially important in the architecture and integration phase). Because, then you will pay twice and your security monitoring program can be delayed months. In the operation phase, don't forget to invest in training for both analysts and SIEM administrator teams. It is very easy to use this tool the wrong way and then it will give you almost no value.

Its technology is quite new and it has a predefined set of templates that can be readily used for our business, so we don't have to innovate much. These are some unique features about this tool.

Security: We do have cloud services. It's very difficult to control cloud vendors, when it is for security. But this tool conducts an independent audit and makes sure that security, identity and governance are in check every time.

This tool is more suited for the technical industries or it's more specific for technical security. However, now since new laws are coming out such as the GDP in Europe and the biometric laws, in order to secure patient data, IBM may have to innovate more and incorporate certain legislation / regulations into their tool. It should be readily available to the pharma companies, so that they don't need to struggle to make more templates and thus don't have to tailor it to our needs. It should be a custom off-the-shelf solution, i.e., COTS. So, they're looking for more innovations in that area.

We're just the earlier adoptors of this tool for now. We are in the pharma industry, so we have started doing pilots across different functions in the organization. It will take us around one or two years to come to a conclusion in regards to the stability of this solution.

It is a little bit too premature for me to comment on scalability but it is quite good, because they have already identified 10-11 projects that we we'll be using with this tool. So, we don't think scalability is going to be an issue.

We do use technical support. We are IBM customers and IBM controls our infrastructure for the company. We do use their technical and business analysts. They were very helpful and knowledgeable. They are prepared for the pharma industry. That is very important for us.

We were not previously using a different solution. IBM approached us with best practices and they conducted a survey. They control our infrastructure and security; they advised us in regards to the product. After a series of discussions, our management decided to go ahead with certain pilots, so as to see the efficiency and then finally decided on this solution.

We are a grounded manufacturing and pharma organization, thus we are looking for vendors with proven skill sets in that arena. We are bound by more regulations than any other industry, so we look for certain certifications that the vendor should have. They should be compliant with the USFDA guidelines, before we select a vendor. After we start evaluating vendors, it does depend on the versatility and the scalability of the solutions.

Currently, there are a couple of vendors in the shortlist. After we complete our pilot, we will be choosing one single vendor. We are a SAP shop for ERP, so we did have some discussions about the interoperability within IBM and SAP. I think both of them are good partners in that area. At this point, we are not looking for any other vendors.

The solution seems to be very promising on paper, i.e., in theory, some things look good but practically, after we apply the solution in the next one or two years, we'll come to know more.

You should first conduct an assessment from IBM and the system should follow the selection of the tool. You should not just go by what you want, but instead by what you need. Most of the companies don't know what they need in terms of the security.

IBM QRadar is used to help our customers collect information. It collects the information from other tools on the firewall, network devices, cyber tools with both Carbon Black, Cortex, Cynet, and Darktrace.

It's a complete platform.

The interface is good.

They have more than 100 features.

It is not easy to use.

The updates are not very easy. It is very complex. I would like to see the update process simplified.

When I said "it is not easy to use", I mean that QRadar is not for beginners.
Needs high competence and skyll to use it in a satisfactory way to really help customers.
The complexity is not a flaw, but it si a necessary quality for QRadar to be a truly effective tool in a Cyber environement.

We have used IBM QRadar within the last twelve months.

IBM QRadar is a stable solution.

It's a scalable platform.

Technical support is good.

Positive

Pricing is good.

I would rate IBM QRadar an eight out of ten.

We primarily use the solution for breach management. We use it for identifying rogue IPs and picking up anomalies in terms of the network traffic coming in. We've seen a year of use cases in terms of breach management and incident management. We find IBM QRadar quite relevant in terms of protecting against potential malicious traffic coming into your organization. 

Obviously, it is evolved, and where we're utilizing IBM QRadar is to do other analytical capabilities, which include identity and access management. We've got a unique way where we use the platform to generate a view of all your identities and access that is granted within your environment and so forth. We are able to map that using IBM QRadar, which is not a use case that is normally thought about, however, we found from an analytical point of view, this is what we can do because we get all the information we need here.

IBM QRadar is phenomenal as a SIEM SOC solution. In terms of its capability, in terms of its usability, in terms of the SOC solutions or SIEM solutions out there, we find QRadar the most user-friendly. 

It gives you the right coverage as the analytical platform that's coupled with Watson is phenomenal.

From a deployment perspective, we found it very, very good.

What we like about QRadar and the models that IBM has, is it can go from a small-to-medium enterprise to a larger organization, and it gives you the same value.

It's easy to use if you go through the proper training. We find that the current IBM team in South Africa is not as good as the teams abroad, however, if you get the right support and the right training, which we have got, we find it very, very, very customizable and user-friendly. 

What we have done is we do not use a lot of level-one analysts. We use a lot of developers, so we constantly evolve the rule-set. Most of the organizations that have employed QRadar, what they do is they stack it up with level-one and level-two analysts, as opposed to having more security developers who enhance the rule-set, due to the fact that all of the same technologies work on rule-sets. If you can dynamically change the rule-set on the fly, you're good. We have got a different model in terms of the way we operate a SOC, where we have more developers amending the rules, you will lessen the number of false positives that you encounter. The biggest problem with most of the SIEM technologies out there is that you get too many false positives, and again, it impacts your operational SOC. We don't have that issue here. 

The only challenge with products like IBM is the EPS. You just have to be really on the events per second, as that's where the cost factor becomes a huge issue.

You do need proper training. Better training leads to better implementation. South Africa does not have the most knowledgeable technical support team. One challenge that you have in South Africa is the quality of the IBM resources. They're not up to the level companies need. I have to criticize IBM on that point - the skill level in South Africa and the South African franchise of IBM doesn't necessarily meet the quality of the product.

They can improve on the architecture. It's the way you deploy it. It's your enterprise architecture team that needs to understand it well. Again, due to our unique skillset on it, we deploy it in a very different way where we reduce the consumption of events per second, which reduces the overall cost of it. However, with the architecture, you need to get better guidance from IBM in terms of the way which the architecture is done. 

What I will say about IBM is that if you deploy it stock standard, it can be a very expensive tool, especially with your events per second, and where the way you deploy it architecturally will determine how much it costs you to manage it, as your events per second can be reduced through proper architecture. It's critical to an IBM install that a user understands the architecture and the deployment strategy. 

I've been dealing with the solution for a very long time. It's likely been about six years or so at this point. I've used it for a while.

We've got three customers on the solution currently. 

Technical support is lacking in South Africa and it doesn't meet the quality of the product. We're not quite satisfied with the level of service of knowledgeability on offer here. 

They need to be faster and more knowledgeable. If you log a ticket to South Africa, they can be quicker and more knowledgeable about issues. It's a problem within South Africa where the skill level of the IBM local team is not to the level it should be. Whether it's training or support, there's a problem. It's not the greatest.

The initial setup can be difficult if you don't have a good understanding of the product, for us, it's not too difficult. 

To do a small deployment takes us about two weeks.

When we did the deployment for one of our clients recently it took us four engineers from our side and four engineers from the outside to deploy it within two weeks. 

We handle deployments for our clients. Occasionally we need outside assistance. 

From a return on investment, the client sees in terms of its value from an IBM perspective, is a massive value from the deployment of QRadar.

On-premises is pretty expensive as opposed to the cloud. 

You do need to pay for a year subscription. You are charged at events per second as well. 

On QRadar, we look at the cloud-based uses as opposed to on-premise due to the cost factor. 

In terms of SIEM technologies, in terms of what you can get, I would rate it an eight out of ten. The QRadar platform is phenomenal in terms of what it does.

If you want to get the best out of IBM, spend more time on the rules generation and the modification of the rules.