Cybersecurity Engineer Consultant at a tech services company with 501-1,000 employees
Consultant
Its correlation and parsing features result in good scalability and performance
Pros and Cons
  • "The correlation and the parsing are important features, since it is very important for a SIEM to have a good scalability and performance."
  • "The weak signal detection with QRadar needs improvement. You can detect what you know, but what is unknown to the rule engine can't be detected."

What is our primary use case?

My use case is the deployment of an X-Force successful connection with a botnet and malware website. An X-Force feed is free with QRadar.

I have been using the product for three years now. I used it for six months at an internship to PoC some different SIEMs and for two and a half years as an administrator. Now, I am using it as an architect.

How has it helped my organization?

Previously, we had to do a lot of debugging when we wanted to change our firewall policy to find out which rule was blocking things, etc. With QRadar, when you integrate the logs of the firewall, you have the info in real time with two clicks.

What is most valuable?

The correlation and the parsing are important features, since it is very important for a SIEM to have a good scalability and performance.

What needs improvement?

The weak signal detection with QRadar needs improvement. You can detect what you know, but what is unknown to the rule engine can't be detected, similar to a base rule of SIEM.

Buyer's Guide
IBM Security QRadar
May 2024
Learn what your peers think about IBM Security QRadar. Get advice and tips from experienced pros sharing their opinions. Updated: May 2024.
771,063 professionals have used our research since 2012.

For how long have I used the solution?

Three to five years.

What do I think about the stability of the solution?

Sometimes, but not from the system itself; rather, from the amount of logs it has received.

What do I think about the scalability of the solution?

Not at all.

How are customer service and support?

Technical support is good when they are using WebEx. By portal, they are slow and inefficient.

Which solution did I use previously and why did I switch?

My service since the beginning has been to only sell and manage QRadar.

How was the initial setup?

It is very easy to deploy. It is not a user-friendly way to deploy, but for IT guys who have the skills of Linux servers, etc., it is easy.

What's my experience with pricing, setup cost, and licensing?

Think what you will integrate into QRadar. It is a SIEM. You need to send it logs, but not everything.

Pricing (based on EPS) will be more accurate.

Which other solutions did I evaluate?

I had the chance to test some other products, and there are a lot of them on the market. However, when you have to deploy and manage it, not just demo it, it is a totally different story.

QRadar is not perfect, but I have had the chance to manage ArcSight, Sumo Logic, Unomaly, and RSA for some specific features, and comparatively, QRadar is good.

What other advice do I have?

Think scalability and make sure your product can be integrated into QRadar.

Disclosure: My company has a business relationship with this vendor other than being a customer: Partner.
PeerSpot user
Network and Security Technical Team Leader at a wholesaler/distributor with 201-500 employees
Real User
A good integration with the artificial intelligence engine of Watson
Pros and Cons
  • "It does good correlation for events. It does good general analysis, and it has good apps as well."
  • "It has a good integration with the artificial intelligence engine of Watson."
  • "IBM needs to invest more into the collaboration with other vendors."
  • "The implementation and configuration are not easy."

What is our primary use case?

We work with it in the banking sector. We had torrent limitations and big banks could join them. It has performed well. However, the limitation is not easy, so the product is not easy.

You cannot get the real value of the product unless you combine it with the other products from IBM, like BigFix, the full integration of Vulnerability Management, and so on. 

How has it helped my organization?

The product is great. It does good correlation for events. It does good general analysis, and it has good apps as well.

What is most valuable?

  • The artificial intelligence ease of integration; it has a good integration with the artificial intelligence engine of Watson.
  • There is good collaboration between IBM Cloud and all IBM customers. 

What needs improvement?

The implementation and configuration are not easy.

We would like to see user behavior analysis in the next release. IBM claims they have this feature, but I do not see it as mature as in Splunk. 

For how long have I used the solution?

One to three years.

What do I think about the stability of the solution?

The stability of the solution is great.

What do I think about the scalability of the solution?

Technically, there are no scalability issues.

How are customer service and technical support?

Support is good. The technical engineers seem to know what they are doing. Though, the escalation response is bad. An escalation takes time, because the response time is not as fast as it should be.

How was the initial setup?

The implementation is complex.

What's my experience with pricing, setup cost, and licensing?

It is expensive. It is not a product that I can provide for SMBs. It is a program that I can only provide for really large enterprises.

Also, the maintenance costs are high.

What other advice do I have?

IBM needs to invest more into the collaboration with other vendors.

If you want to go to IBM, do not just go for QRadar. You need QRadar and all the products that surround QRadar, especially BigFix, because the product is ten times stronger with it.

Most important criteria when selecting a vendor: 

  • The technical features of the solution.
  • The people in my region at the vendor.
  • The perspective of the project manager on the customer side.
  • Data involved and time of the implementation. 
  • The needs of the customer.
  • The cost of the project.
  • Training involved.
Disclosure: My company has a business relationship with this vendor other than being a customer:
PeerSpot user
Cyber Security Advisor / CISO / Healthcare Security Pro at OMC SYSTEMS LLC
Vendor
The dashboards give us an overview of traffic flow and pinpoint configuration issues.

Valuable Features

I find that the dashboards are the most helpful to get an overview of traffic flow and issues.

Improvements to My Organization

We find that reviewing Q1 Radar is very helpful to pinpoint configuration issues, as well as go back and find traffic flows from compromised hosts.

Deployment Issues

No.

Stability Issues

None.

Scalability Issues

N/A

Customer Service and Technical Support

Customer Service:

N/A

Technical Support:

N/A

Disclosure: I am a real user, and this review is based on my own experience and opinions.
PeerSpot user
Team Lead - Information Security at a computer software company with 10,001+ employees
Real User
Easy to set up and reliable, with a simple user interface
Pros and Cons
  • "We've found the solution to be scalable."
  • "The IBM support can be better."

What is our primary use case?

The use cases that are widely used across the globe are related to ransomware, phishing, lateral movement, et cetera.

What is most valuable?

The simple user access model, or the user interface, is something that is very helpful.

The initial setup is not too difficult. 

So far, we have found the product to be stable. 

We've found the solution to be scalable.

What needs improvement?

The IBM support can be better. It's an aspect that needs improvement. 

In future iterations, I'd like to see an advance in office management, the out-of-the-box use cases that are provided. That needs to be part of the requirement.

What do I think about the stability of the solution?

It's a stable solution. There are no bugs or glitches. It doesn't crash or freeze. It's reliable. 

What do I think about the scalability of the solution?

The solution scales well.

We have 45,000 users on the solution right now. 

We do plan to increase usage soon. 

How are customer service and support?

We've dealt with technical support in the past and it was lacking. 

They have provided dedicated time to us, to work on the issue that we are observing right now.

Which solution did I use previously and why did I switch?

We did not use a different solution. We chose this due to the fact that it's an industry-accepted solution. The use cases are easy to configure in multiple things that we considered important while taking the solution.

How was the initial setup?

The deployment was easy. It wasn't overly complex.

It took me around six months to do the implementation. 

What about the implementation team?

We handled the deployment with the assistance of a vendor partner. 

What's my experience with pricing, setup cost, and licensing?

I can't speak to the exact pricing. I've never looked at its commercial costs. 

Which other solutions did I evaluate?

We did consider other options before choosing this product.

What other advice do I have?

We are a preferred partner of IBM.

I'd rate the solution at a seven out of ten.

Which deployment model are you using for this solution?

On-premises
Disclosure: I am a real user, and this review is based on my own experience and opinions.
PeerSpot user
Regional Director, Customer Success (GTM Solutions & Services) at a tech services company with 51-200 employees
MSP
Flexible, easy to use, and scalable
Pros and Cons
  • "The solution is flexible and easy to use."
  • "IBM is going through some problems with its resources currently, making its support response time slow."

What is our primary use case?

We are a service provider and we are providing the solution as a managed service for multitenancy security.

What is most valuable?

The solution is flexible and easy to use.

What needs improvement?

IBM is going through some problems with its resources currently, making its support response time slow.

For how long have I used the solution?

I have been using the solution for a couple of months.

What do I think about the stability of the solution?

I find the solution reliable. 

What do I think about the scalability of the solution?

The solution is scalable. We have 15 customers using it at the moment.

How are customer service and technical support?

The support could be a lot better by being faster.

Which solution did I use previously and why did I switch?

We recently switched to this solution from LogRhythm cloud. One of the main reasons we switched solutions was because it is more scalable.

How was the initial setup?

The installation was a little difficult and could be made easier.

Which other solutions did I evaluate?

We have evaluated Securonix and this solution is far superior. We did the implementation of Securonix for two customers and we canceled it. We rolled back those clients onto this solution because Securonix failed on both implementations.

What other advice do I have?

I would recommend this solution to others. We have invested in it and we plan on using it in the future.

I rate IBM QRadar an eight out of ten.

Which deployment model are you using for this solution?

On-premises
Disclosure: My company has a business relationship with this vendor other than being a customer: Implementer
PeerSpot user
Marketing Director at an aerospace/defense firm with 1-10 employees
Real User
Enables us to collect information from different devices, detect, and analyze various threats or attacks to protect our system
Pros and Cons
  • "Vulnerability detection is the most valuable feature. It's the tool that finds the threats."
  • "The tool is very complicated. One place for improvement would be to have a more user-friendly interface. Having better support in Spanish would be cool."

What is our primary use case?

We don't have a business relationship with IBM QRadar, our relationship is a customer relationship. We use IBM QRadar as our primary security solution.

How has it helped my organization?

QRadar is the primary tool in our security center. We use it to collect information from different devices, detect, and analyze various threats or attacks to protect our system.

What is most valuable?

Vulnerability detection is the most valuable feature. It's the tool that finds the threats.

What needs improvement?

The tool is very complicated. One place for improvement would be to have a more user-friendly interface. Having better support in Spanish would be cool.

For how long have I used the solution?

One to three years.

What do I think about the stability of the solution?
What do I think about the scalability of the solution?

The solution is scalable. Currently, we have between 50 and 70 users working with this solution.
We have plans to increase the usage of the product in the future.

How are customer service and technical support?

My experience with technical support has not been so good because I would prefer support in Spanish which I haven't gotten.

How was the initial setup?

The initial setup was very complex.

We are planning to take at least one year for the complete setup. Deployment went fast, between six and three hours.

What about the implementation team?

We used an integrator for the deployment. The experience was excellent, outstanding.

What other advice do I have?

This kind of solution is essential. The communication network functions very well.

On a scale of one to ten, ten being the best, I would give this product a rating of nine.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
PeerSpot user
it_user163854 - PeerSpot reviewer
Security Solution Architect with 1,001-5,000 employees
Vendor
No matter what technology you choose, the technology area is 15% of the effort. Your processes are 85%

What is most valuable?

IBM QRadar has:

  • Ease of install. It's effectively Red Hat 6.5 with an app on top.
  • Automatic log source identification.
  • Inbuilt rules and reports are comprehensive, so out of the box the system does things.
  • Recognises every log source we have added.
  • IBM supplies a virtual image, which makes the standing up of a system a small piece of work.

How has it helped my organization?

IBM QRadar has great data reduction. We have several hundred million log records arrive on various platforms daily and have been able to tune them to alert on important things well. Very few false positives.

Like any SIEM product, at a very base level the system is a pattern matcher, looking for patterns in single log messages or looking for patterns in multiple log messages combined with flow data. It has a primary focus of Security Event Management, but you can look for anything in the information flowing through the system and can alert on it. So it can be used (and we do) as a general IT event management/monitoring system.

What needs improvement?

Room for improvement - IBM QRadar:

  • Graphing on the system is a tad coarse. Analytics now requires really high-quality graphing to assist in pinpointing anomalies.
  • The need for multiple Java versions for deployment setup is a pain.
  • There are areas where you need to have Java 7 to be able to use them. (The primary need for this is to access the Deployment area.)
  • We need to be able to handle multiple overlapping IP address areas. That is coming, we know. But slowly.
  • When you are building this in a virtualised environment, you do have a bit of difficulty accessing the GUI.

For how long have I used the solution?

3.5 years

I have used several versions of the QRadar system, both the IBM version and the Juniper STRM OEM version.

IBM I rate as 7.5/10

STRM at 7/10

What was my experience with deployment of the solution?

No real issues with deployment. What it is doing is exactly what we expected. It does have a few wrinkles, but that is more about where we are collecting logs from.

What do I think about the stability of the solution?

No stability issues yet.

What do I think about the scalability of the solution?

No scalability issues yet. We have sized the latest system to cope with up to 10,000 EPS and are only at about 4,000 at the moment. Scaling is simply adding an extra license as required at the moment. Easy.

How are customer service and technical support?

Customer Service:

Generally excellent.

Technical Support:

Generally excellent.

Which solution did I use previously and why did I switch?

  • We were using Splunk. Licensing does not allow you to expose Splunk screens to customers (we are an ISP and IT service provider).
  • McAfee Nitro was too expensive.
  • ArcSight takes too long to install and tune.

How was the initial setup?

Simple:

  • Boot VM off ISO image.
  • Install license.
  • Point logs at it.
  • Done.

Occasionally the documentation did not reflect what was happening, so I did need to access tech support a few times.

What about the implementation team?

We implemented it ourselves. Initial seat-of-the-pants approach. Worked. I got my Red Hat builder to spin up the two VM servers off the supplied image, licensed them, gave them the appropriate IP addresses, created the deployment (the Java 7 bit), and the system started receiving logs from the 1200 Cisco routers.

What was our ROI?

We are fulfilling a government contract. Install and move to BAU has been done, and it came in under the estimated budget... so all good.

Which other solutions did I evaluate?

  • McAfee Nitro
  • Juniper STRM
  • AlienVault. Note: we would probably have used AlienVault, but there was no representation in Asia Pacific at the time.
  • TrustWave

What other advice do I have?

  • First, gather your requirements.
  • From that, build a business case.
  • Understand that no matter what technology you choose, the technology area is 15% of the effort. Your processes are 85%. No process... then 5h1t in... 5h1t out.
  • Make sure you know your business reasons for the implementation.
Disclosure: I am a real user, and this review is based on my own experience and opinions.
PeerSpot user
Muhammad Ali Aziz - PeerSpot reviewer
Senior Manager Cyber Security Services & Solutions at Trillium
Reseller
Top 5
A User Behavior Analytics (UBA) solution with useful out-of-the-box rules and use cases, but functionality should be more integrated
Pros and Cons
  • "I think this is a good product for enterprises because of the performance and out-of-the-box rules and use cases. If they want to reach the maturity level early, they can use these out-of-the-box rules and use cases. That will help them a lot."
  • "IBM QRadar User Behavior Analytics is good, but I think the functionality should be much more integrated. You should have easy access to the artifacts if you are doing a particular investigation. It's good, but other team solutions like LogRhythm are actually merging the functionality. So, I think that is something IBM can work on."

What is most valuable?

I think this is a good product for enterprises because of the performance and out-of-the-box rules and use cases. If they want to reach the maturity level early, they can use these out-of-the-box rules and use cases. That will help them a lot.

What needs improvement?

IBM QRadar User Behavior Analytics is good, but I think the functionality should be much more integrated. You should have easy access to the artifacts if you are doing a particular investigation. It's good, but other team solutions like LogRhythm are actually merging the functionality. So, I think that is something IBM can work on. 

For how long have I used the solution?

We have been using IBM QRadar User Behavior Analytics for about four years.

What do I think about the stability of the solution?

Stability is good, but the investigation system should be better.

What do I think about the scalability of the solution?

IBM QRadar User Behavior Analytics is scalable. You have the EPS and closed license. I think scalability is not an issue because it is available on both the hardware and the software. You can install the software plans if you want, and there is also a hardware plan.

How are customer service and support?

Their technical support is good. I have not faced any issues before, and the technical support is good.

What other advice do I have?

I will recommend this solution to potential users.

On a scale from one to ten, I would give IBM QRadar User Behavior Analytics a seven. 

Disclosure: My company has a business relationship with this vendor other than being a customer: Partner
PeerSpot user
Buyer's Guide
Download our free IBM Security QRadar Report and get advice and tips from experienced pros sharing their opinions.
Updated: May 2024