PeerSpot user
Security Consultant at a tech services company with 11-50 employees
Consultant
It can collect different types of security feeds and correlate them in real-time with your logs.

What is most valuable?

The most valuable features are:

  • Auto update: QRadar will download new logs from the database on the supported security device, so that it will automatically normalize the new log format and you will not need to rewrite all your rules/offenses again.
  • X-Force/TAXII feed: QRadar can collect different types of security feeds and correlate them in real-time with your logs.
  • Search engine: QRadar is like Excel, i.e., you can add rows and filter like your daily office work, without writing any scripts. So level 1 support can also handle this type of job.

How has it helped my organization?

You will learn something that you don't know about user/machine behaviour.

What needs improvement?

The dashboards and reports may need improvement. We need to export the CSV results to create a report in Excel.

For how long have I used the solution?

I have used this solution for three years.

Buyer's Guide
IBM Security QRadar
March 2024
Learn what your peers think about IBM Security QRadar. Get advice and tips from experienced pros sharing their opinions. Updated: March 2024.
770,292 professionals have used our research since 2012.

What do I think about the stability of the solution?

It will slow down when there are too many people doing a search at the same time, but that depends on your hardware and design.

What do I think about the scalability of the solution?

I did not encounter any scalability issues.

How are customer service and support?

You may need to allow remote support for them to help you troubleshoot the issues.

How was the initial setup?

The setup is complex, i.e., the first setup. With a SIEM it is not easy to enable logs without any performance issues, and the deployment advisor is the key for the project.

What's my experience with pricing, setup cost, and licensing?

You only need to worry about the number of events per second and the number of flows per minute. Storage size is not an issue with QRadar.

Which other solutions did I evaluate?

We did evaluate other options. I think Splunk is the second-best option.

What other advice do I have?

If you have an experienced group of security members, then you may not need the advisor for the product at all. If not, then you will have to find the path to build your team, so as to become more knowledgeable.

Disclosure: My company has a business relationship with this vendor other than being a customer: We are business partners.
it_user140676 - PeerSpot reviewer
Information Security Consultant at a tech services company with 51-200 employees
Consultant
Although it provides incident management of the alerts it produces, this could be improved to allow more restrictions

What is most valuable?

IBM Security QRadar has many valuable features. One of the most valuable features of IBM Security QRadar is the ease of extracting information from raw logs/events, whether the log source sending the events is supported by IBM or not (for example, a custom in-house application), and using this information in creating searches, correlation rules, reports, and dashboards. Another feature is scalability; scaling up a deployment to support more events per second is made simple just by “linking” new appliances to the main deployment through configuration steps that only take minutes to complete. I do not know if I can call this a feature, but a “general” feature of QRadar is that it does not require highly technically skilled personnel to administer. The dashboards and configurations through the web UI are easy to read, understand, and change.

What needs improvement?

Although QRadar provides incident management of the alerts it produces, this area could use a little improvement to allow more restrictions on who can close alerts and to make updating alerts with text templates, and reading them, easier.

For how long have I used the solution?

I have used IBM Security QRadar for nearly two years now. I use it as a user in my organization’s Managed Security Services division where we monitor clients’ environments. I also work with it as an implementer to deploy and customize it for clients.

What was my experience with deployment of the solution?

Any deployment will have issues. The issues that I encounter with deploying QRadar are raised with IBM Support and are usually solved quickly through applying patches or changing individual files to fix the web GUI issue.

What do I think about the stability of the solution?

The causes of stability issues are usually not QRadar itself, but misconfigured devices/log sources (for example, sending debug events to QRadar that result in millions of events in a short period of time). However, if a deployment is done correctly, QRadar stays stable.

What do I think about the scalability of the solution?

No, I did not face issues with scalability. One of the great features of QRadar is the ease of scalability. A license upgrade is simply done by purchasing it and applying it through the GUI, which only takes minutes. If an organization wants a larger expansion, all that it has to do is buy the required hardware with QRadar installed, and “link” it to the main deployment through steps that also take minutes. This new hardware will provide the extra events per second or flows per minute capabilities required for the expansion.

How are customer service and technical support?

IBM provides support in various regions in the world. The level of technical support is good. Once a support ticket is open, the support team tries to fix it directly or passes it on to higher levels, and will involve the QRadar development team if required.

Which solution did I use previously and why did I switch?

No, I did not use a separate solution, although I have read and heard about different solutions from the various clients I have met with. Clients switch to using QRadar because they say that maintaining and administering other solutions becomes a hassle and requires trained personnel. Another reason clients switch to QRadar is cost.

How was the initial setup?

The initial setup of QRadar is straightforward. From the installation perspective, IBM provides one ISO file that can be used to install any of the QRadar components, with the activation key deciding which components to install. From the deployment perspective, QRadar has the ability to automatically detect many log sources sending logs. The out-of-the-box dashboards, searches, reports, and correlation rules allow QRadar to start displaying intelligence and insight on devices, network statistics, authentication, and many more, and to start alerting on offenses and policy violations automatically. Coupling this with the automatically detected log sources, a demonstration of QRadar can take only a few hours from the installation, to automatically detecting a log source such as firewall logs, to getting alerts on excessive firewall denies, port scans, etc.

What other advice do I have?

The advice I would give to others is to work with the implementation team to properly fine-tune the out-of-the-box “building block rules” and to enter their network hierarchy in QRadar in order for it to give the best results and reduce false positive alerts.
Disclosure: My company has a business relationship with this vendor other than being a customer: We're a value added services security company that is a distributor of Q1-Labs QRadar (now IBM).
it_user279483 - PeerSpot reviewer
Network Engineer at a financial services firm with 10,001+ employees
Real User

I am taking the IBM Security QRadar exam c2150-400 in early Aug 2015.

Information Security Leader at a computer software company with 1,001-5,000 employees
Real User
Manage and review incidents easily
Pros and Cons
  • "The features that I have found most valuable are that it is very stable, easy to get going, and easy to manage. It is also easy to review all incidents."
  • "The only problem is that if you have too many events that occur, then the storage capacity becomes a problem. We would need to increase the storage capacity."

What is our primary use case?

We use IBM QRadar for user behavior analytics and incident handling.

What is most valuable?

The features that I have found most valuable are that it is very stable, easy to get going, and easy to manage. It is also easy to review all incidents.

What needs improvement?

The only problem is that if you have too many events that occur, then the storage capacity becomes a problem. We would need to increase the storage capacity.

For how long have I used the solution?

I have been using IBM QRadar for four years.

What do I think about the scalability of the solution?

We have three customers using it and these customers have 100 to 300 users.

How are customer service and support?

Getting support sometimes takes time.

How was the initial setup?

The initial setup was quite straightforward.

We had the complete deployment and it was up and running in half a day.

What about the implementation team?

You can implement it by yourself.

What other advice do I have?

I would recommend IBM QRadar to other people who want to start using it.

On a scale of one to ten, I would give QRadar a nine.

Which deployment model are you using for this solution?

On-premises
Disclosure: I am a real user, and this review is based on my own experience and opinions.
PeerSpot user
Security Analyst at a security firm with 11-50 employees
Real User
With more than 120 extensions, it can improve your event analysis
Pros and Cons
  • "There are more than 120 extensions in QRadar, which are easy to install and configure. These can improve your analysis of events."
  • "It comes with many rules disabled. You can tune them and modify them according to your enterprise needs and avoid false positives."
  • "QRadar log integration of various applications can be a tough job at times. There may be occasions when you will not find any QRadar guide on adding logs of a particular application. Even if you come across one, adding a log process is not an easy one."

What is our primary use case?

SIEM solutions must be business driven. Utilizing a SIEM solution depends on your enterprise goals, from meeting compliance requirements to implementing security controls and identifying the absence of controls. A SIEM solution can also be used to improve your business and increase your sales. With QRadar, you can do all these, even if you are not a security expert. It comes with a set of default rules which makes your life easier, from ransomware attacks to DDoS attacks. Everything can be detected if your logs are properly integrated into QRadar.

It gets better with extensions and other rules you install from the IBM Security App Exchange, where you can detect malicious website access (with the intent of ransomware), P2P activity, or someone spamming everything. You can be notified, then you can run scripts to make QRadar take an action. 

I am a security analyst working with QRadar.

How has it helped my organization?

It is always evolving with new patches, new UX/UI (such as 7.3), new rules, and new extensions. It lets you evolve your company accordingly.

The usage of QRadar or any SIEM solution depends on the company goals, but with QRadar, the user interface, the dashboards, reports, installing extensions, and playing with the rules are easier. 

QRadar has helped our company a lot in evolving our security policy and taking care of weak controls. QRadar helped us in the blacklisting and whitelisting of applications. It helped us identify our security threats, and improve our firewalls. With the QRadar Vulnerability Manager, it helped us take care of vulnerable assets. 

What is most valuable?

  • Its default set of rules: It comes with many rules disabled. You can tune them and modify them according to your enterprise needs and avoid false positives.
  • The extension management: There are more than 120 extensions in QRadar, which are easy to install and configure. These can improve your analysis of events. 
  • UBA 2.7: It can help you detect insider threats. 

What needs improvement?

QRadar log integration of various applications can be a tough job at times. There may be occasions when you will not find any QRadar guide on adding logs of a particular application. Even if you come across one, adding a log process is not an easy one. Plus, it is also vulnerable because the ports used to integrate those log sources with QRadar are well-known and most of them are vulnerable ones. 

For how long have I used the solution?

Three to five years.

What do I think about the scalability of the solution?

QRadar is easily scalable in many ways: vertical and horizontal.

  • Horizontal: You can increase the QRadar processing power with QRadar App Node and Data Node.
  • Vertical: You can always implement multiple QRadars: event collectors and flow collectors, and then you can route your offenses, such as events and flows, from one QRadar to the next one.

How are customer service and technical support?

When buying anything, an enterprise must look at troubleshooting and fixing its issues using the vendor's support. With QRadar, all those things are easily available and just a click away on the Internet. From IBM Fixlet to dW Answers, you can do a lot.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
Tom WEIZEORICK - PeerSpot reviewer
Security Brand Channel Account Manager at a tech company with 10,001+ employees
Real User

As an IBMer, I'm always glad to hear about customers' experiences with our solutions. It's rewarding to know that we have done a great job of delivering on our promises. Thanks for the positive feedback.

it_user632760 - PeerSpot reviewer
Lead Developer
Real User
Based on the analysis, we can easily identify from where the threat is originating.

What is most valuable?

The most valuable features of this solution are analyzing who is saying what and, in case of a threat, being able to easily identify from where the threat is originating, based on the analysis.

How has it helped my organization?

We have implemented this QRadar solution to identify the data, whether it is being used by various parties, including our trading partners, i.e., both internal and external partners. Thus, by using this product, we can also come to a conclusion as to how the data is being applied best and we can decide what to link, i.e., whether we need any infrastructure improvements and so on.

What do I think about the stability of the solution?

I am not currently responsible for this product. However, I did not hear any complaints from the other people in terms of its stability.

What do I think about the scalability of the solution?

We are not directly managing this product. I am from the integration team and the QRadar solution is mostly used by our information security team.

Which solution did I use previously and why did I switch?

Initially, we were using another IBM product. With QRadar, we are getting better outputs such as the reports and other outputs.

The reason why we chose IBM is because we are using so many products from IBM today.

In general, the most important criteria that we look for while selecting a vendor are that there should be other proven solutions offered by the vendor and they need to be a type of investigator since we belong to a specific healthcare industry. So, we are very careful when we are choosing a vendor.

How was the initial setup?

We were involved in the setup in terms of sending the information back and forth to QRadar. Other than that, I did not take part in the installation.

What other advice do I have?

Definitely invest in the QRadar solution.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
it_user643884 - PeerSpot reviewer
Senior System Administrator at a tech services company with 11-50 employees
Consultant
Offers device auto-discovery, along with rules and reports already created.

How has it helped my organization?

I have implemented QRadar in a big airline company, where they needed to get all their security information in one place. It helped in reducing the amount of time that was needed to evaluate the risk of every event. Configuring the alerts has never been easier; you just search for the event you think you need and start creating the rules that way. It is really straightforward and you don't need much IT knowledge for it. Of course, your experience with the product and a generalist view of the infrastructure, business and IT are strongly recommended, when using a tool similar to this.

What is most valuable?

In my understanding, the best features are:

  • DSMs (Device Support Modules),
  • Device auto-discovery, and
  • Hundreds of rules and reports already created for you to mix up.

These features are keeping QRadar on top in Gartner. You can have it running in a few hours, then start collecting your logs and events in no time.

What do I think about the stability of the solution?

We never experienced any stability issues. The only problem that I had was related to the hardware and the high availability worked as expected.

Something to take into account is the IBM support; they really know their business and how to fix problems. I had the opportunity to talk with L2 Managers in the US, who told me that IBM is investing in research, documentation and training for all the people working with it. This is a very interesting thing to keep in mind when choosing this platform.

What do I think about the scalability of the solution?

We never experienced any scalability issues. If you correctly estimate the amount of EPS (the license variable), then scalability is not a problem. They can run in a really big environment (100,000 EPS tested in production) and all the infrastructure will work as a charm.

How are customer service and technical support?

The technical support is excellent. As I've mentioned, they know their business and have a really good team behind them.

Which solution did I use previously and why did I switch?

I had the opportunity to use other SIEM solutions, but none of them can provide what QRadar does, i.e., in terms of its simplicity, support or integration.

How was the initial setup?

The setup was really straightforward. You simply need to put your ISO image in the hypervisor, follow the on-screen instructions and you have it running in one hour.

What's my experience with pricing, setup cost, and licensing?

The pricing and licensing policies are really competitive. These solutions are not for a really small business, but having just one license variable is really good. You simply tell the partner or sales representative the number of EPS you want to receive in your appliance and that's it. Other solutions have a 'correlation' license, which is more like a trap than anything else.

Which other solutions did I evaluate?

I have tested Splunk and used a little bit of NitroSecurity (McAfee). I have also seen a little bit of HPE ArcSight.

What other advice do I have?

You should ask the sales representative to give you the Excel sheet to calculate EPS. Keep in mind that the firewalls, proxies and networking devices such as those will consume lots of EPS, but they do provide really nice information and insight from your network.

On Gartner, this is one of the top 10 SIEM solutions in the market. It is robust and IBM is investing a lot of money to get it running even better than it is running right now. You feel secure when you use it.

This solution is being implemented around the world and every day, a new feature or add-on is created for it.

Disclosure: My company has a business relationship with this vendor other than being a customer: We are business partners and have a really good relationship with IBM.
PeerSpot user
IT Security Manager at a tech services company with 201-500 employees
Real User
Excellent network monitoring but needs better compatibility
Pros and Cons
  • "The feature that I have found most valuable is how it monitors the real network. That is its leading security feature."
  • "The biggest problem was built on top of the QRadar in the executive operations center network. The integration was not using the network security specialist properly, and all the incidents were inferior with QRadar. Its compatibility is not really good."

What is our primary use case?

Our primary use case is for monitoring global infrastructure.

What is most valuable?

The feature that I have found most valuable is how it monitors the real network. That is its leading security feature.

What needs improvement?

In terms of what could be improved, I'd say do nothing; in its current state it does quite okay for now.

The biggest problem was built on top of the QRadar in the executive operations center network. The integration was not using the network security specialist properly, and all the incidents were inferior with QRadar. Its compatibility is not really good.

For how long have I used the solution?

I have been using IBM QRadar for more than five years.

I'm using the latest version of QRadar.

What do I think about the stability of the solution?

The stability is very good. Its operation is very good.

What do I think about the scalability of the solution?

We have less than five people using it.

For us, as a small security company, it is covering our needs and our growth.

How are customer service and technical support?

Customer support is good. When an incident gets raised there is a 10 day response.

How was the initial setup?

The initial setup was complex.

What about the implementation team?

We use the vendor for everything. That is the style of the corporation. For these jobs the responsibility and knowledge are on the vendor's side.

What's my experience with pricing, setup cost, and licensing?

Implementation is over time and the maintenance price for QRadar is competitive.

What other advice do I have?

On a scale of one to ten, I would give IBM QRadar a seven.

Overall, I would of course recommend this product to others because of all its functionalities.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
PeerSpot user
Analyst at a tech services company with 501-1,000 employees
Real User
Easily monitors your environment with good user interface and plug-in integrations
Pros and Cons
  • "One very useful feature is the plug-in offering that allows you to integrate it with other solutions, such as integrating it with plug-ins like ForeScout, Carbon Black, and the rest."
  • "I would like the rule creation interface to be much more user-friendly in the next release."

What is our primary use case?

We use IBM QRadar to monitor security logs across the network.

What is most valuable?

One very useful feature is the plug-in offering that allows you to integrate it with other solutions, such as integrating it with plug-ins like ForeScout, Carbon Black, and the rest. Additionally, the ability of the agents to filter using XPath query to filter out the specific events you want to pick from, especially Windows log sources, is also very useful. That goes a long way in managing the EPS of the solution.

What needs improvement?

There are two ways you can pull logs: one way is where you can receive logs or send logs using the agents and previous transformation, and the other way is where QRadar logs onto the servers using the admin account and then pulls the logs itself. The functionality that I would love to see with that remote pulling is to have the ability to also select what logs it's pulling, because when you use MSRPC now to receive logs from your log source, it basically pulls all the events from that server. So even the noisy events that would overshoot your EPS would also be pulled. So for particularly active or high-volume servers that generate a whole lot of security events, let's say like your SFTP server that has a lot of devices on your network connecting to it, if you try to pull the logs remotely it would overshoot your EPS really quickly.

So if they could improve the functionality of the remote pull to also be able to select the logs that it is pulling from the log sources, that would be very, very effective. The reason for the pull is because the agents are not tamper-proof and any administrator can help shut down the service and uninstall the application and a whole lot of other things. Basically, your listening agent is at the mercy of the administrators, and for a security device or security software, that is a big vulnerability, because anybody can then go into the server, stop the agent, and then run any command or make any change they want to do, which would make your monitoring null and void. It would be good if the agent itself could be tamper-proof. And back to the first point, the reason why I prefer the remote pull is if there's no agent on the server and it's the console logging onto the server, your monitoring is much more secure. Regardless of what changes are being made on the server or what's going on the server, if the server is shut down and then a newer version is brought up with the same hostname and IP address, you would not need to go back in and re-install the agent. The console would just automatically connect back to that server once the IP address and the host are back up.

Additionally, I would like the rule creation interface to be much more user-friendly in the next release.

For how long have I used the solution?

I have been using IBM QRadar every day for the last 12 months.

What do I think about the stability of the solution?

In terms of stability, it is very stable. In the almost two years in the environment, there has been only one issue. It was a disc failure and that was replaced within a week by the OEM.

What do I think about the scalability of the solution?

Scalability might be an issue, but maybe it's because in our environment we do not use the application host. Since we use on-premise appliances we did notice that performance degraded a little when we added some plugins. So the recommendation was that we should have a separate application server that would host the application and then interface with the plugins and interface with the management console. But we do not have that within our environment so I can't speak to whether that would improve performance.

How are customer service and technical support?

IBM tech support has been responsive.

How was the initial setup?

I believe the initial setup was straightforward but I was not here for the setup, although I did not get any complaints.

What's my experience with pricing, setup cost, and licensing?

The license is a yearly one.

What other advice do I have?

I would recommend IBM QRadar. The user interface is really great and it simplifies the task of monitoring your environment.

On a scale of one to ten, I would give IBM QRadar an eight.

Which deployment model are you using for this solution?

On-premises
Disclosure: I am a real user, and this review is based on my own experience and opinions.
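To make the EPS point in the review above concrete, here is an added example (not from the review, and not IBM or WinCollect code) that applies the kind of per-event-ID XPath filter the reviewer describes to constructed Windows Security events and compares the resulting event rate with an unfiltered pull that forwards everything. The XPath form `*[System[(EventID=... or ...)]]` is the Windows Event Log query subset; the event IDs chosen and the sample minute of traffic are assumptions.

```python
"""Agent-side XPath filtering vs. unfiltered remote pull, measured in EPS.

Constructed example: the event IDs selected below and the minute of traffic
are assumptions, not data from a real host.
"""
import xml.etree.ElementTree as ET

EVENT_NS = "http://schemas.microsoft.com/win/2004/08/events/event"
NS = {"e": EVENT_NS}

# Security-channel event IDs worth forwarding (an assumed selection):
# logon, failed logon, special privileges assigned, user account created.
WANTED_IDS = {4624, 4625, 4672, 4720}


def build_xpath(event_ids):
    """Render the XPath subset accepted by Windows event collection queries."""
    clauses = " or ".join(f"EventID={eid}" for eid in sorted(event_ids))
    return f"*[System[({clauses})]]"


def make_event(event_id, second):
    """Build one constructed Security-channel event in Windows Event Log XML."""
    return (
        f'<Event xmlns="{EVENT_NS}"><System>'
        f"<Provider Name='Microsoft-Windows-Security-Auditing'/>"
        f"<EventID>{event_id}</EventID>"
        f"<TimeCreated SystemTime='2024-03-01T10:00:{second:02d}Z'/>"
        f"<Channel>Security</Channel>"
        f"</System></Event>"
    )


def event_id_of(event_xml):
    """Parse the EventID out of the event's System element (namespace-aware)."""
    root = ET.fromstring(event_xml)
    return int(root.find("e:System/e:EventID", NS).text)


def matches(event_xml, event_ids):
    """Python equivalent of the XPath predicate: is the event's ID in the list?"""
    return event_id_of(event_xml) in event_ids


def constructed_minute():
    """One constructed minute on a busy file server.

    Mostly 5156 (filtering platform connection) and 4662 (object access),
    which are noisy, with a handful of logon/privilege events mixed in.
    """
    events = []
    for sec in range(60):
        events.append(make_event(5156, sec))  # noisy: connection allowed
        events.append(make_event(5156, sec))
        events.append(make_event(4662, sec))  # noisy: object access
        if sec % 10 == 0:
            events.append(make_event(4624, sec))  # successful logon
        if sec % 20 == 0:
            events.append(make_event(4672, sec))  # special privileges assigned
        if sec == 30:
            events.append(make_event(4625, sec))  # one failed logon
    return events


def events_per_second(events, window_seconds):
    return len(events) / window_seconds


def compare_collection_modes(events, window_seconds=60):
    """Unfiltered remote pull (every event counts) vs. agent applying the XPath."""
    forwarded = [e for e in events if matches(e, WANTED_IDS)]
    return {
        "xpath": build_xpath(WANTED_IDS),
        "pull_eps": events_per_second(events, window_seconds),
        "agent_eps": events_per_second(forwarded, window_seconds),
        "dropped": len(events) - len(forwarded),
    }


if __name__ == "__main__":
    result = compare_collection_modes(constructed_minute())
    print(f"filter: {result['xpath']}")
    print(f"remote pull: {result['pull_eps']:.2f} EPS, "
          f"filtered agent: {result['agent_eps']:.2f} EPS, "
          f"events dropped at the agent: {result['dropped']}")
```

The same filter applied at the collector after an unfiltered pull would still leave the pulled volume counting against the license, which is why the reviewer wants selection to happen at the source.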