it_user634800 - PeerSpot reviewer
Security Consultant at Dimension Data
Consultant
The most valuable features are the implementations, the plug-ins, and the UBA.
Pros and Cons
  • "The most valuable features are all the implementations, the plug-ins, and the User Behavior Analytics (UBA)."
  • "Maybe there should be more custom rules in the exchange. Basically, we are using a lot of threat rules, so maybe they'll develop something like that."

How has it helped my organization?

Maybe the best way it helped our organization is that QRadar is well prepared for PoCs. When you are doing PoCs, you just install the solution and you can show it to the customer.

It has great benefits because we don't spend a lot of time to set it up. There are a lot of features that are there out-of-the-box. It's great to do a PoC with customers and to reduce the money spent on the implementations.

What is most valuable?

The most valuable features are all the implementations, the plug-ins, and the User Behavior Analytics (UBA). All that stuff is really cool.

We are using the solution a lot on the customer side. We like the strength of the platform, basically. I know there is no other product like QRadar.

What needs improvement?

We thought about what was missing and it was the analysis of the user behavior. However, with the User Behavior Analytics (UBA), it's much less complicated.

I recently attended a conference presentation on machine learning, and it is a great plug-in to UBA. It will help us a lot because a lot of customers want to analyze their user behavior patterns.

Maybe there should be more custom rules in the exchange. Basically, we are using a lot of threat rules, so maybe they'll develop something like that. It will be better.

I would like to see improvement in the technical support. Sometimes, when we do patching or something like that, it creates some problems. Maybe they could test the patches and the OEM product better.

What do I think about the stability of the solution?

The stability is not bad. We had some problems with patching, but there are problems with all software.

We had the problem when we patched from Version 7.2 to Version 7.2.8. There were some problems with the authentication tokens. It didn’t go so well, but we solved it with the help of technical support and it was very quick. I think that's cool.

Sometimes, we have a problem with support. We are also using QVM (IBM Security QRadar Vulnerability Manager) and I think it is a little bit buggy for now. We have a lot of problems with it. It should be better.

Buyer's Guide
IBM Security QRadar
September 2025
Learn what your peers think about IBM Security QRadar. Get advice and tips from experienced pros sharing their opinions. Updated: September 2025.
868,787 professionals have used our research since 2012.

What do I think about the scalability of the solution?

In terms of scalability, there is no doubt about it: It is perfect.

How are customer service and support?

The quality of technical support depends on the agent. Sometimes, it's hard to get the person who you need. Sometimes, it's better to create a ticket when the USA is working because I think they can help you better.

Which solution did I use previously and why did I switch?

We had McAfee, but we are ending our use of it. There are only some small implementations that are running with it. We are no longer developing with it. I think in the future, we will switch to QRadar. This is because we don't want to have two separate platforms.

RSA enVision was being used with one of our banking customers. However, we transferred to QRadar last year.

How was the initial setup?

We implemented the solution from scratch with our customers. We have a lot of implementations that they can check.

The setup was very complex. We have integration with a customer service desk and a lot of customization. It's the best thing that we can create our own app and adapt it to QRadar.

We attended the IBM master class to help us with an SDK to develop our own apps. Some of our customers are banks and they have a lot of things to do. Sometimes the features they need are not in QRadar, so we have to customize the solution a little bit for them.

Which other solutions did I evaluate?

We have a security department in the Czech Republic. We are basically only implementing IBM security products.

What other advice do I have?

Definitely try it. Do a PoC with a customer. You can get the value for the customer quickly. It's great.

Disclosure: My company does not have a business relationship with this vendor other than being a customer.
PeerSpot user
it_user632781 - PeerSpot reviewer
Cyber Security Manager at an energy/utilities company with 1,001-5,000 employees
Vendor
In general, if you have any botnets or malware, you identify and mitigate it. The biggest challenge is in the upgrade.

What is most valuable?

It gives me insight and visibility, so I can detect a threat coming in and all the offenses are coming in from monitoring one spot.

How has it helped my organization?

We're centralizing all the logs in one location. So, if you have an incident, you can definitely discover it fairly quickly, as it's in one database. In general terms, if you have any botnets or malware, you identify and mitigate it fairly quickly.

What needs improvement?

The biggest challenge is in the upgrade, e.g., when it comes down to a new OS, you have to wipe it clean and reset everything. It takes time when you have 40-50 devices all over the place. It's impossible sometimes to go out and touch every single one of them. So, then, if it's an automatic process, you can upgrade to the new version in just point and click. However, that's not the case right now.

WinCollect is a challenge also, and I'd highly recommend that the Q1 team should build a lot of Windows-based collectors that simply work. Just like the competitor, Splunk, when you put it in, you don't have to do too many modifications. So, that's a challenge right now.

What do I think about the stability of the solution?

The environment is pretty stable. We just upgraded about a year ago, so it's pretty robust in the environment that we have. It's working really well for us, we've been using it for about 10+ years. We bought it before IBM purchased them.

How is customer service and technical support?

We interact with IBM regularly, so we have a direct tie with them. We're almost like a partner, right now, and we are working very well together.

The technical support is pretty good, i.e., if you get the right person in, it moves pretty fast and issues are resolved fairly quickly. But, you just need to find the right person, which can be a little difficult sometimes.

How was the initial setup?

The setup is very complex; it's not like somebody can walk in and build it. It requires many years of experience to manage and maintain it. You need to have at least an experienced and dedicated team, in order to maintain the environment that we have. It's nothing like a click-and-done type; it requires a lot of care and feeding to manage the environment.

What other advice do I have?

It's a very solid product. However, there are a lot of things that can be improved.

Definitely get a team or hire a professional to install this product. Otherwise, I guarantee you're not going to be successful. There is a lot of filtering that needs to be done; otherwise, you are going to get overwhelmed with the events coming in and will have no idea, as to what is right and wrong. You definitely want to hire a trained team or some professionals.

The price is the most important criterion when selecting a vendor. Other factors such as the quality of the product, PoC, how well the team interacts and the support, are always important.

Disclosure: My company does not have a business relationship with this vendor other than being a customer.
PeerSpot user
it_user632667 - PeerSpot reviewer
Cyber Security Engineer at a tech services company with 501-1,000 employees
Consultant
Provides a view into our network events and flows from log sources across our enterprise.

What is most valuable?

We have very large, distributed implementations. The best case that we get out of the solution is the rapid insight into security events and offenses in our environment.

How has it helped my organization?

The benefit of the solution is a combined view into all of our network events and flows from many log sources across our enterprise. This provides a single pane of glass in order to review what's going on in our environment.

What needs improvement?

I would like to see more APIs available in order to provide tighter integrations between other IBM products and third-party solutions. I would like to see new cognitive advisors, cognitive capabilities, and more integration capabilities.

What do I think about the stability of the solution?

I find it to be highly stable. It's one of those situations where you need to have high availability. We have a high availability implementation, so we never lose an environment.

What do I think about the scalability of the solution?

Scalability has been very good. If you need to add to the environment at any given time, based on a merger or acquisition, a new office, or a new data center, you can simply forward events from those centers or add additional hardware. You can include it right into your implementation.

What other advice do I have?

I would definitely recommend QRadar to anyone looking for an SIEM solution in their organization. This is especially the case for mid- to large-scale enterprise solutions, compared with the competitors.

Disclosure: My company does not have a business relationship with this vendor other than being a customer.
PeerSpot user
it_user639687 - PeerSpot reviewer
Cybersecurity Expert at a financial services firm with 10,001+ employees
Real User
AQL allows me to extract data directly from the QRadar database.

What is most valuable?

I believe AQL is the most valuable feature. It allows me to extract data from the QRadar database directly using a very flexible language similar to SQL. So, if somebody has SQL experience, it is easy to learn.

How has it helped my organization?

My organization did not have SIEM at all. We had Log Manager only, but it was very slow and user-unfriendly. QRadar allowed us to concentrate two functions in one place: an extremely fast log manager with a very user-friendly web UI and the ability to correlate events from many different sources. Thanks to that, the efficiency of the security team has increased.

What needs improvement?

I think Risk Manager (one of the optional QRadar modules) is something that needs improvement.

For how long have I used the solution?

I have been using QRadar for three years.

What do I think about the stability of the solution?

Sometimes, after a new release, we had issues with stability or some bug showed up. It is strongly recommended to have a DEV or UAT environment to test the release before going into production.

What do I think about the scalability of the solution?

We have not really had scalability issues.

How are customer service and technical support?

Technical support is at an acceptable level, but sometimes a case is stuck on L1 too long.

Which solution did I use previously and why did I switch?

We did not previously use a different solution.

How was the initial setup?

Initial setup was straightforward, but as with all SIEMs, out-of-the-box configuration presents minimal value from a security standpoint. Furthermore, good analysis on where to put collectors is essential, especially when it comes to QFlows.

What's my experience with pricing, setup cost, and licensing?

Put in some effort and evaluate what license (EPS) you need for which collector before making an order. It is worth hiring a professional to do it for you (somebody who has experience with QRadar sizing).

Which other solutions did I evaluate?

We evaluated HPE ArcSight.

What other advice do I have?

Don't forget to hire the right people. They are expensive, but it is far more cost-effective to pay them now than to try to integrate SIEM without professional knowledge and break it (it is especially important in the architecture and integration phase), because then you will pay twice and your security monitoring program can be delayed by months. In the operation phase, don't forget to invest in training for both analysts and SIEM administrator teams. It is very easy to use this tool the wrong way and then it will give you almost no value.

Disclosure: My company does not have a business relationship with this vendor other than being a customer.
PeerSpot user
it_user642180 - PeerSpot reviewer
Director SOC at a tech services company with 51-200 employees
Consultant
Integration with other platforms and the ease of rule making are valuable features.

What is most valuable?

These features make it easy to operate the application:

  • Integration with multiple platforms
  • Ease of rule making
  • Manufacturer support (IBM)

How has it helped my organization?

We use QRadar for application security, generating customized rules of correlation according to the operation of our business. It extends the security of our most critical assets.

What needs improvement?

From my point of view, they should improve the backup procedures. QRadar does not allow sending backups by FTP or SFTP, limiting the tool. I had to make a script but it is a manual process. It would be great to have it automated.

For how long have I used the solution?

I have used it for approximately five years.

What do I think about the stability of the solution?

We did have stability issues. Some errors were generated when applying updates.

What do I think about the scalability of the solution?

We have not needed to scale the solution.

How are customer service and technical support?

It has taken a long time for support to respond to our request regarding AIX.

Which solution did I use previously and why did I switch?

We didn’t have a previous solution. We have always used QRadar.

How was the initial setup?

The initial configuration is simple; the maturation of the application is complex. Not because of the application of QRadar, but because they include many factors, such as the identification of critical assets and how we can secure them, with the application.

What's my experience with pricing, setup cost, and licensing?

QRadar is a very expensive application but it is a good product. My advice is to validate with other correlator solutions and validate which product is right for the organization.

Which other solutions did I evaluate?

We did evaluate other similar products that are good, such as McAfee ESM and HPE ArcSight.

What other advice do I have?

First, identify the most critical assets to be included in SIEM and then the most critical events of my organization. With that, you avoid bringing unnecessary events into SIEM.

It's a very good and versatile correlator.

Disclosure: My company has a business relationship with this vendor other than being a customer. We are a partner.
PeerSpot user
it_user634860 - PeerSpot reviewer
Cyber Security Engineer
Vendor
The most valuable feature is the ability to get the logs and analyze them.

What is most valuable?

The most valuable feature is the ability to get the logs and analyze them. These logs help us in terms of analyzing and actually using Watson on them. It's a pretty great tool for intelligence. I think it is really a great product.

How has it helped my organization?

To be able to get the logs and analyze them has improved the way my organization functions. You can see where the source destination is coming from. You can actually see the data and pause the dashboard. It actually helps you to analyze the data the way you are supposed to. Nobody else is doing that right now.

What needs improvement?

I don't have any problems with the solution right now. As I play with the tools, then I will actually come up with different ideas.

I was able to help out with IBM Guardium version 10. I was helping out with a couple of developers who actually developed the application itself.

I want to see more integration between QRadar and other applications like BigFix and a couple of other tools and applications out there. There are a lot of applications out there. QRadar security intelligence might be one of the best right now.

What do I think about the stability of the solution?

There were no stability issues with QRadar. We've had a couple of stability issues with all the applications that I run. I don't want to mention names.

How is customer service and technical support?

I’ve used technical support, and they were OK. I used to work for IBM.

How was the initial setup?

I was involved in the initial setup. It was straightforward and not complex.

Which other solutions did I evaluate?

I work as security engineer for the Department of Justice. We test hundreds of applications. I actually see which ones work best for the infrastructure.

What other advice do I have?

I would suggest QRadar. The security intelligence is one of the best right now.

When looking for a vendor, I want to be able to win them. I want them to accept the fact that I’m looking for a product for what I am doing and I have a couple of requirements.

From there, I can actually tell them what they need to do, or what I need to do, in the environment.

Disclosure: My company does not have a business relationship with this vendor other than being a customer.
PeerSpot user
it_user632664 - PeerSpot reviewer
Information Security Analyst at Allegiance Air
Vendor
The UI is the most valuable feature, and the product is stable.

What is most valuable?

The most valuable feature of this product is the nice UI. It is easy and quick to get the information you're looking for.

How has it helped my organization?

The benefits are that it's easy to navigate the UI and to get the information as quickly as possible. We're able to resolve problems quicker, so that we get to the solution in an easier manner.

What needs improvement?

It would probably be better to get more access to the APIs.

What do I think about the stability of the solution?

The product is very stable. I don't have any issues with stability at all.

What do I think about the scalability of the solution?

Scalability is nice, as well. We have a distributed environment and it's real easy to both manage and upgrade. Anything we need to do, we can do it from the console.

How are customer service and technical support?

On a scale of 1-10, probably seven; I would rate the technical support team a 7/10.

Which solution did I use previously and why did I switch?

We were previously using a different solution that just wasn't getting the job done. It was taking too long to get where we needed to get to.

How was the initial setup?

The setup was very straightforward. The special services team gave us insight and helped out to resolve any issues.

Which other solutions did I evaluate?

QRadar was at the top of our list. We also looked at other solutions such as HPE ArcSight and Splunk. The reason we went with QRadar is because we could bring it on-prem, which made it nice, and we also use other IBM products as well.

In general, when selecting a vendor, support is probably going to be the number one criterion. Then, the second criterion is the availability of the product; the product is not very good if it's not available, it's broken, etc.

What other advice do I have?

Make sure you try them all and then, pick the one that you think would work the best. It's nice to value other people's opinions, but it's better to test all the products and choose what you think would be best, for whatever your need is.

It's very easy and intuitive. It's just a good overall solution, compared to the other ones I've used.

Disclosure: My company does not have a business relationship with this vendor other than being a customer.
PeerSpot user
it_user634899 - PeerSpot reviewer
Global Security Engineering and Operations Director at a wellness & fitness company with 10,001+ employees
Real User
Correlates data across our global enterprise and integrates third-party solutions.

What is most valuable?

  • The ability to correlate data across our global enterprise in near real time
  • The ability to integrate a lot of third-party solutions
  • The machine learning pieces with Watson, indicators of compromise, and utilizing that across the value stream

I look at the solution as the best-of-the-breed product. The fact that it can work with what everybody else is doing in the cyber landscape is really what gives it the edge.

How has it helped my organization?

The solution has improved the efficiency of our security team. These improvements prevent the need for more proactive security activities.

The improvements did not reduce our staff. It's funny, because IBM keeps on having this conversation about staff headcount. It probably sounds good to senior leadership, like to a CIO. The reality is that nobody's looking to decrease the number of staff who they are hiring.

We're looking at refocusing those resources and energy on being able to do additional, higher-value activities. It's more of the case that I don't need as many junior resources. I can focus on some of the things that are a little bit more important.

Our equipment collects billions of pieces of data. We're 100,000-plus EPS per second. The daily list of required investigations for the offenses is manageable.

We've had incidents in our environment. How long it takes QRadar to detect them is always a function of the rules being correlated, the people watching them, and pieces of that nature. I'd say it's in real time. The question is, when it comes to tuning, we want to know if it was tuned appropriately, so it's not lost in the pile of needles.

What needs improvement?

Room for improvement is more in relation to a lot of the features, the automation of incidents themselves, and being able to automate workflow responses.

Overall, I love the product. IBM usually puts good resources and talent behind things. What they fail to do is to bring all the security together and make sure everything inter-operates and creates one pane of glass.

Actually, I don’t want to say "one pane of glass" because we have seen other vendors do that. They fail miserably because they do not understand where people are coming from.

In terms of some of the right-click functionality that is within QRadar, it should work automatically for all the other IBM products. It shouldn't be something that customers develop. There are pieces in which they have to step back and get some of the foundational pieces.

There are pieces that I feel that IBM should do better. They own Guardium, they own AppScan, and they own some of these other pieces of the security infrastructure that need to relate to QRadar or to Watson. It's the foundational pieces that I feel they need some focus on.

Let's do some of the basics really well. I'm looking at it from owning 50 or 60 different security products across a global organization.

They keep on adding products based on a simple feature set that they can do real well, but they can't integrate them into the rest of the security economy. It doesn't make sense to keep on buying products like that. Whether it's IBM or others, there are companies in the endpoint space that are taking over because they're saying, "Hey, we're going to do everything across your gamut of security needs."

IBM needs to look at that and how they are going to integrate across all of the security products and have them work together.

For how long have I used the solution?

We have been using this solution for four years.

What do I think about the stability of the solution?

The stability is good.

What do I think about the scalability of the solution?

The scalability is great.

How are customer service and technical support?

We don't really use technical support. We're part of some of the engineering and development behind it and we work with a lot of the backend engineers.

Once in a while, we may put something in PMR but most of the time, we are working with the engineers themselves to figure out a solution. They are not really tech support issues.

Which solution did I use previously and why did I switch?

We have used other solutions, but that was years ago. We've had QRadar for four years. Before that, it was the Symantec solution. The landscape for SIEM has changed progressively over the years.

You're not even talking about the same set of requirements around those things. We just needed to upgrade. We needed the speed, the flexibility, and we needed the correlation building block pieces of it.

How was the initial setup?

I was involved in the initial setup. We are an advanced user of QRadar. While the initial setup was not hard for us, it is a lot more complex where we are right now. It works with integrating some of the other IBM products into QRadar, and there's work that needs to be done there to make it seamless.

We were able to be operational in a matter of weeks or months, which is not a long time.

What other advice do I have?

When picking a vendor, the most important thing is partnership.

I honestly have nothing but good things to say about the IBM relationship that we have related to QRadar.

Partnership is going to be important. Having the right skillset from an engineering standpoint is important to ensure that you don't set up things backwards. You have a high probability of doing it. This is one of those pieces where IBM doesn't “dummify” the solution for you.

On one side for my senior engineers, they don't want it “dummified” because they need to do it. On the other side of it, there are some aspects that don’t need to be this complex.

For the SMB market, those are some of the areas where I counsel people and say they need to get these types of solutions and do these types of processes. Selling something like QRadar to them becomes a little bit more of a burden because of that complexity. It's like a compliance check mark.

Disclosure: My company does not have a business relationship with this vendor other than being a customer.
PeerSpot user
Alireza Ghahrood - PeerSpot reviewer
Consultant & Instructor - Cyber Security, Governance Risk Compliance (CISO as a Services) at Independent
Top 10
Real User

Stability Issues:

The stability is good.
