IBM Security QRadar Reviews

Normally, an offense comes in and an offense is something negative, to put it plainly, that impacted your environment. Once it comes through, you can then see from the QRadar log sources, who or what triggered the offense. For example, if an IP is browsing somewhere where it shouldn't be browsing. Let's say that one of your log sources reported it back to QRadar. You can see if the IP that browsed on certain websites where it shouldn't be browsing. When you right-click and go to the threat protection network, that will normally show you who is browsing, where that IP is coming from, what type of website it is browsing, and if it is good or bad. If it's bad, it will give you recommendations on how to resolve the issue.

The threat protection network is the most valuable feature because when you get an offense, you can actually trace it back to where it originated from, how it originated, and why.

I would like to see a more user-friendly product. I would like them to make it much more user-friendly. At this stage, you need to use a lot of widgets to do your searches.

To advance searches, you must do a lot of Regex expressions.

In the first year I used it, there were a few stability problems. In the previous three years, there haven’t been any stability issues.

I've seen no scalability issues in any of the environments where I am working at the moment. I've seen how it handles lot of load. I'm talking about a 5,000-user environment. It can handle a lot of logs and events coming through simultaneously.

If you spec it properly, with the proper hardware requirements, then it doesn’t crash. I've seen how people give it way less specs then it should have, and then it does crash. But that was the fault on the users’ side, and not the fault of the product.

I would give technical support a rating of 8/10. When they help you with a call for a problem with the product, which I've had twice, the next day, they roll out an update worldwide for all their products to be patched on that problem.

They lose too much time, in my opinion. Normally, you struggle a bit to get a hold of them and get to the correct person to assist you. Even though this isn't a very big delay, it usually takes about an hour. However, in my company, an hour can make a very big difference in my life. For example, it will take me about an hour to an hour and a half to get support from them. I'm a person who loves to get it done now. So if you don't mind waiting about an hour, then it can be very good support. When you log a call with IBM, it takes them about an hour to start working on the problem.

We used Splunk in the past and we are using both products at the same time.

The setup was very straightforward. It's basically, "next, next, and next”, and then you are finished.

I wasn't completely part of the whole process when they chose a product. I know they evaluated AlienVault, which unfortunately I do not have any experience with. I'm not able to provide pointers as to why the company chose IBM QRadar. I believe it's because we are a partner with them.

Just spec it correctly and it will do its job for you. It has an active community. IBM patches the product regularly when problems are picked up. I haven’t heard about a lot of problems from other people using the product. When we only have four hours to respond, an hour can make a difference in waiting for support.

SIEM solutions must be business driven. Utilizing a SIEM solution depends on your enterprise goals, from meeting compliance requirements to implementing security controls and identifying the absence of controls. A SIEM solution can also be used to improve your business and increase your sales. With QRadar, you can do all these, even if you are not a security expert. It comes with a set of default rules which makes your life easier, from ransomware attacks to DDoS attacks. Everything can be detected if your logs are properly integrated into QRadar. 

It gets better with extensions and other rules you install from the IBM Security App Exchange, where you can detect malicious website access (with the intent of ransomware), P2P activity, or someone spamming everything. You can be notified, then you can run scripts to make QRadar take an action. 

I am a security analyst working with QRadar.

It is always evolving with new patches, new UX/UI (such as 7.3), new rules, and new extensions. It lets you evolve your company accordingly.

The usage of QRadar or any SIEM solution depends on the company goals, but with QRadar, the user interface, the dashboards, reports, installing extensions, and playing with the rules are easier. 

QRadar has helped our company a lot in evolving our security policy and taking care of weak controls. QRadar helped us in the blacklisting and whitelisting of applications. It helped us identify our security threats, and improve our firewalls. With the QRadar Vulnerability Manager, it helped us take care of vulnerable assets. 

• Its default set of rules: It comes with many rules disabled. You can tune them and modify them according to your enterprise needs and avoid false positives.
• The extension management: There are more than 120 extensions in QRadar, which are easy to install and configure. These can improve your analysis of events. 
• UBA 2.7: It can help you detect insider threats. 
  

QRadar log integration of various applications can be a tough job at times. There may be occasions when you will not find any QRadar guide on adding logs of a particular application. Even if you come across one, adding a log process is not an easy one. Plus, it is also vulnerable because the ports used to integrate those log sources with QRadar are well-known and most of them are vulnerable ones. 

QRadar is easily scalable in many ways: vertical and horizontal.

• Horizontal: You can increase the QRadar processing power with QRadar App Node and Data Node.
• Vertical: You can always implement multiple QRadars: Event collectors and flow, collectors, and then you can route your offenses, such events and flows from one QRadar to the next one.

Buying anything, an enterprise must look for troubleshooting and fixing its issues using its support. With QRadar, all those things are easily available and just a click away on the Internet. From IBM Fixlet to dW Answers, you can do a lot.

I used the IBM QRadar product from 2015 until 2017.

When the WannaCry attack happened, QRadar helped the company a lot with the investigation of the firewall, antivirus, and other appliances.

The "Network Activity" feature was really good. An engineer can live monitor all the flow happening in real-time. This would help us a lot while investigating a case, and it would even help us with preventive actions.

QRadar needs to be improved on the storage side, particularly when the disc exceeded the maximum threshold.

My use case is the deployment of an X-Force successful connection with a botnet and malware website. An X-Force feed is free with QRadar.

I have been using the product for three years now. I used it for six month at an internship to PoC some different SIEM and for two and a half years as an administrator. Now, I am using it as an architect.

Previously, we had to do a lot of debugging when we wanted to change our firewall policy to find out which rule was blocking things, etc. With Qradar, when you integrate the logs of the firewall, you have with two clicks, the info in real-time.

The correlation and the parsing are important features, since it is very important for a SIEM to have a good scalability and performance.

The weak signal detection with QRadar needs improvement. You can detect what you know, but what is unknown to the rule engine can't be detected, similar to a base rule of SIEM.

Sometimes, but not from the system itself, but from the amount of logs it has received.

Not at all.

Technical support is good when they using WebEx. By portal, they are slow and inefficient.

My service since the beginning has been to only sell and manage QRadar.

It is very easy to deploy. It is not a user-friendly way to deploy, but for IT guys who have the skills of Linux servers, etc., it is easy.

Think what you will integrate into QRadar. It is a SIEM. You need to send it logs, but not everything.

Pricing (based on EPS) will be more accurate.

I had the chance to test some other products, and there is a lot of them on the market. However, when you have to deploy and manage it, not just demo it, it is a total different story.

QRadar is not perfect, but I have had the chance to manage ArcSight, Sumo Logic, Unomaly, and RSA for some specific features, and comparatively, QRadar is good

Think scalability and make sure your product can be integrate into QRadar.

We work with it in the banking sector. We had torrent limitations and big banks could join them. It has performed well. However, the limitation is not easy, so the product is not easy.

You cannot get the real value of the product unless you combine it with the other products from IBM, like BigFix, the full integration of Vulnerability Management, and so on. 

The product is great. It does good correlation for events. It does good general analysis, and it has good apps as well.

• The artificial intelligence ease of integration; it has a good integration with the artificial intelligence engine of Watson.
• There is good collaboration between IBM Cloud and all IBM customers. 

The implementation and configuration are not easy.

We would like to see user behavior analysis in the next release. IBM claims they have this feature, but I do not see it as mature as in Splunk. 

The stability of the solution is great.

Technically, there are no scalability issues.

Support is good. The technical engineers seem they know what they are doing. Though, the escalation response is bad. An escalation takes time, because the response time is not as fast as it should be.

The implementation is complex.

It is expensive. It is not a product that I can provide for SMBs. It is a program that I can only provide for really large enterprises.

Also, the maintenance costs are high.

IBM needs to invest more into the collaboration with other vendors.

If you want to go to IBM, do not just go for QRadar. You need QRadar and all the products that surround QRadar, especially BigFix, because the product is ten times stronger with it.

Most important criteria when selecting a vendor: 

• The technical features of the solution.
• The people in my region at the vendor.
• The perspective of the project manager on the customer side.
• Data involved and time of the implementation. 
• The needs of the customer.
• The cost of the project.
• Training involved.

We used QRadar SIEM over Juniper Secure Analytics platform. 

The company profile is telecom. The infrastructure has a large geographical spread.

IBM QRadar is great help from its security event monitoring to data center and NOC troubleshooting of issues hard for other departments to spot.

• It has a logical, user-friendly GUI. 
• Very easy to drill down in offenses and get to the bottom of raw data.

Dashboards and reports could provide better visualization of SIEM activity. 

An executive or CISO dashboard would be nice to have by default.

The tool gets better value in the hands of an experienced security analyst. 

As a PS consultant on projects where the customer is transitioning from a competitor's SIEM to QRadar, they are very pleased when they see the number of quality offenses being caught soon after implementation and integration of log sources just from the out-of-the box rules enabled by default.

As a Professional Services consultant, I have heard many reports of how QRadar SIEM has quickly identified offenses which the users were unaware of previously. In addition to giving CISO’s gained visibility and increasing security posture, QRadar adheres to an organization's regulatory compliance across a number of  industries (i.e. Healthcare, Financial, Retail, Energy and Government)

• Correlation Rule Engine, built-in use cases: QRadar has the highest number of built-in use cases among any SIEM on the market. There are many built-in rules that are enabled by default and easily tunable to meet the specific needs of each organization. The correlation engine automates what is a manual process for many SIEM platforms.
• Network-Based Anomaly Detection (NBAD): Using NetFlow, JFlow, SFlow, or QFlow (all 7 layers), offenses are detected as a response when a rule is triggered.
• QRadar Vulnerability Management: Built-in vulnerability scanner or leverage for other supported scanners to either schedule a scan and/or import the results from a scan. Importing the results enriches the assets profile database to quickly identify assets that have known vulnerabilities.
• X-Force Threat Intelligence: Threat intelligence IP reputation feed which leverages a series of international data centers to collect tens of thousands of malware samples, to analyze web pages and URLs, and to run analysis to categorize potentially malicious IP addresses and URLs.
• App Exchange: Many vendors have written apps to enhance QRadar. The apps are free and enhance your SIEM experience by adding rules and custom event properties. In some cases a new tab. You will need to have purchased the third party solution. For example, if you have Palo Alto or Blue Coat, there's a free app for better integration.

Some UI enhancements would be nice, such as exporting custom event properties and the ability to export rules.

We did not encounter any issues with stability.

We did not encounter any issues with scalability.

The technical support is very good.

We had limited experience with RSA enVision, LogRhythm, and HPE ArcSight. QRadar is much easier and takes less time to implement and maintain.

The initial setup was straightforward.

Go through a vulnerability assessment review for price breaks. A virtualized solution will also cut down on cost.

We did not evaluate any other options.

Every SIEM tool has a certain degree of complexity, especially where use cases and rules are concerned. I advise using Professional Services so your SIEM is configured by trained professionals.

• Users' behavior analytics
• Monitor leakage for data
• Payment card industry compliance
• Integration with end points management system
• Integration with Incident Response and Ticketing System

• Easy to deploy
• Time to value
• Total cost of ownership (TCO)
• Deployment options for on-premise
• SaaS
• Hybrid

• X-Force feed
• Watson for cyber security
• App Exchange
• Scalability and licensing model
• Vulnerability and risk management on network topology

Needs to be improved:

• Graphical User Interface (GUI) 
• Multi-tenancy and domain(s) segregation.