IBM Security QRadar Reviews

We work with it in the banking sector. We had torrent limitations and big banks could join them. It has performed well. However, the limitation is not easy, so the product is not easy.

You cannot get the real value of the product unless you combine it with the other products from IBM, like BigFix, the full integration of Vulnerability Management, and so on. 

The product is great. It does good correlation for events. It does good general analysis, and it has good apps as well.

• The artificial intelligence ease of integration; it has a good integration with the artificial intelligence engine of Watson.
• There is good collaboration between IBM Cloud and all IBM customers. 

The implementation and configuration are not easy.

We would like to see user behavior analysis in the next release. IBM claims they have this feature, but I do not see it as mature as in Splunk. 

The stability of the solution is great.

Technically, there are no scalability issues.

Support is good. The technical engineers seem they know what they are doing. Though, the escalation response is bad. An escalation takes time, because the response time is not as fast as it should be.

The implementation is complex.

It is expensive. It is not a product that I can provide for SMBs. It is a program that I can only provide for really large enterprises.

Also, the maintenance costs are high.

IBM needs to invest more into the collaboration with other vendors.

If you want to go to IBM, do not just go for QRadar. You need QRadar and all the products that surround QRadar, especially BigFix, because the product is ten times stronger with it.

Most important criteria when selecting a vendor: 

• The technical features of the solution.
• The people in my region at the vendor.
• The perspective of the project manager on the customer side.
• Data involved and time of the implementation. 
• The needs of the customer.
• The cost of the project.
• Training involved.

We used QRadar SIEM over Juniper Secure Analytics platform. 

The company profile is telecom. The infrastructure has a large geographical spread.

IBM QRadar is great help from its security event monitoring to data center and NOC troubleshooting of issues hard for other departments to spot.

• It has a logical, user-friendly GUI. 
• Very easy to drill down in offenses and get to the bottom of raw data.

Dashboards and reports could provide better visualization of SIEM activity. 

An executive or CISO dashboard would be nice to have by default.

The tool gets better value in the hands of an experienced security analyst. 

As a PS consultant on projects where the customer is transitioning from a competitor's SIEM to QRadar, they are very pleased when they see the number of quality offenses being caught soon after implementation and integration of log sources just from the out-of-the box rules enabled by default.

As a Professional Services consultant, I have heard many reports of how QRadar SIEM has quickly identified offenses which the users were unaware of previously. In addition to giving CISO’s gained visibility and increasing security posture, QRadar adheres to an organization's regulatory compliance across a number of  industries (i.e. Healthcare, Financial, Retail, Energy and Government)

• Correlation Rule Engine, built-in use cases: QRadar has the highest number of built-in use cases among any SIEM on the market. There are many built-in rules that are enabled by default and easily tunable to meet the specific needs of each organization. The correlation engine automates what is a manual process for many SIEM platforms.
• Network-Based Anomaly Detection (NBAD): Using NetFlow, JFlow, SFlow, or QFlow (all 7 layers), offenses are detected as a response when a rule is triggered.
• QRadar Vulnerability Management: Built-in vulnerability scanner or leverage for other supported scanners to either schedule a scan and/or import the results from a scan. Importing the results enriches the assets profile database to quickly identify assets that have known vulnerabilities.
• X-Force Threat Intelligence: Threat intelligence IP reputation feed which leverages a series of international data centers to collect tens of thousands of malware samples, to analyze web pages and URLs, and to run analysis to categorize potentially malicious IP addresses and URLs.
• App Exchange: Many vendors have written apps to enhance QRadar. The apps are free and enhance your SIEM experience by adding rules and custom event properties. In some cases a new tab. You will need to have purchased the third party solution. For example, if you have Palo Alto or Blue Coat, there's a free app for better integration.

Some UI enhancements would be nice, such as exporting custom event properties and the ability to export rules.

We did not encounter any issues with stability.

We did not encounter any issues with scalability.

The technical support is very good.

We had limited experience with RSA enVision, LogRhythm, and HPE ArcSight. QRadar is much easier and takes less time to implement and maintain.

The initial setup was straightforward.

Go through a vulnerability assessment review for price breaks. A virtualized solution will also cut down on cost.

We did not evaluate any other options.

Every SIEM tool has a certain degree of complexity, especially where use cases and rules are concerned. I advise using Professional Services so your SIEM is configured by trained professionals.

• Users' behavior analytics
• Monitor leakage for data
• Payment card industry compliance
• Integration with end points management system
• Integration with Incident Response and Ticketing System

• Easy to deploy
• Time to value
• Total cost of ownership (TCO)
• Deployment options for on-premise
• SaaS
• Hybrid

• X-Force feed
• Watson for cyber security
• App Exchange
• Scalability and licensing model
• Vulnerability and risk management on network topology

Needs to be improved:

• Graphical User Interface (GUI) 
• Multi-tenancy and domain(s) segregation.

It has improved our ability to research and detect anomalous behavior and activity within our network. It has really helped us in our ability to research active threats. We saw the threats when we implemented it, and we saw that we had all kinds of deficiencies in our network infrastructure that we were unaware of previously.

It has the ability to summarize all the other security products and give us a one-stop-shop dashboard.

IBM has added a new UBA (User Behavior Analytics) app to QRadar that uses the cognitive abilities of Watson to detect and prioritize user activity and risks on the network. It analyzes log activity already recorded so it can begin providing insights quickly after installation.

I'm anxious to see the Watson integration. We just finished an upgrade of our appliance so that we can be eligible to do the Watson integration. I'm anxious to see how that works.

It works well. We've been using it for a year now. It's helped us greatly to cut down on the time it takes to research a problem or to actually find the problem.

In terms of scalability, so far, so good. What we've purchased so far is well with the infrastructure that we have. I know there are options to buy additional components should I need them.

We use a business partner for implementation and support. They are always involved with it. They are not IBM.

We weren't previously using a different solution. As security becomes more and more important, we added different security components from IBM, with QRadar being the last one. We needed some way to see all the data, all the information, and get it together in one single source of truth.

I was involved as far as picking and approving the solution. I was not involved in the installation.

We try to do everything all at once.

Find the right partner to help you do the implementation.

When picking a vendor, we look for the support, the ease of the installation, and the future of the product.

Some of the valuable features are QM, QRM, and forensics.

There many use cases.

I would like to see SOC.

We have been using this for three years.

There were no deployment issues.

There were no stability issues.

There were no scalability issues.

Customer service is very good.

Technical support is excellent.

We used another solution and we switched due to false positives.

The setup was straightforward and not complex.

We used a partner and vendor team and we have expertise in-house.

The ROI is acceptable.

It is a bit more expensive than some others, SIEM, but it is more efficient.

We evaluated AlienVault, McAfee, and Splunk.

It is a good solution.

Normally, an offense comes in and an offense is something negative, it triggers when certain events don't comply with the rules, to put it plainly, it is something that will have impacted your environment very negatively. Once it comes through, you can then see from the QRadar log sources, who or what triggered the offense.

For example, if an IP is browsing somewhere where it shouldn't be browsing. Let's say that one of your log sources reported it back to QRadar. You can see if the IP that browsed on certain websites where it shouldn't be browsing. When you right-click and go to the threat protection network, that will normally show you who is browsing, where that IP is coming from, what type of website it is browsing, and if it is good or bad. If it's bad, it will give you recommendations on how to resolve the issue.

The threat protection network is the most valuable feature, because when you get an offense, you can actually trace it back to where it originated from, how it originated, and why.

I would like to see a more user-friendly product. I would like them to make it more user-friendly. At this stage, you need to use a lot of regular expressions to do your searches.

In the first year I used it, there were a few stability problems. In the previous three years, there haven’t been any major stability issues.

I've seen no scalability issues in any of the environments where I am working at the moment. I've seen how it handles a lot of load. I'm talking about a 5,000-user environment. It can handle a lot of logs and events coming through simultaneously.

If you spec it properly, with the proper hardware requirements, then it doesn’t crash. I've seen how people give it way less specs than it should have, then it does crash. But that was the fault on the users’ side, and not the fault of the product.

I would give technical support a rating of an eight out of 10. When they help you with a call for a problem with the product, which I've had twice, the next day, they roll out an update worldwide for all their products to be patched on that problem.

They lose too much time, in my opinion. Normally, you struggle a bit to get a hold of them and get to the correct person to assist you. Even though this isn't a very big delay, it usually takes about an hour. However, in my company, an hour can make a very big difference in my life. For example, it will take me about an hour to an hour and a half to get support from them. I'm a person who loves to get it done now. So if you don't mind waiting about an hour, then it can be very good support. When you log a call with IBM, it takes them about an hour to start working on the problem.

The setup was very straightforward. It's basically, "next, next, type in machine details and next”, then you are finished.

IBM's Qradar is not for small companie. Unfortunately, it would be 'overkill' to place it plainly. The pricing would be too much.

I wasn't completely part of the whole process when they chose a product. I know they evaluated AlienVault, which unfortunately, I do not have any experience with, neither was I part of the whole processes. I'm not able to provide pointers as to why the company chose IBM QRadar. I believe it's because we are a partner with them.

Just spec it correctly and it will do its job for you. It has an active community. IBM patches the product regularly when problems are picked up. I haven’t heard about a lot of problems from other people using the product.

• User-friendly
• Easy to deploy
• Easy to create use cases
• Easy to review an offense
• Its correlation engine is one of the best

I usually work on the deployment and fine-tuning of this product. However, I have some operational experience as well. For instance, you can simply audit all the IT equipment in your environment, such as the firewall, the IPS, and the Active Directory (AD) server.

It should have built-in blocking capability.

I have used this solution for four years.

On a scale of 100, it is 95% stable.

I did experience some scalability issues in one organization.

The technical support is excellent.

We were not using any other solution previously. This was my first solution. I am still working on it. I also have experience with McAfee Nitro and LogRhythm.

The setup was straightforward.

The pricing will definitely vary according to your EPS, but it is worth spending money on this product.

We looked at other solutions, such as McAfee Nitro and LogRhythm.

Work on sizing as much as you can so you can avoid any issues after deployment. You should also fulfill hardware requirements for this product. Otherwise, you will not get its full functionality.