The ability to correlate large amounts of data into rules that provide real-time alerting is the most valuable feature.
Director of Cyber Security at an insurance company with 10,001+ employees
The ability to correlate large amounts of data into rules that provide real-time alerting is valuable.
What is most valuable?
How has it helped my organization?
It has provided us with quicker mitigation to threats. We used to do everything manually, so it automated a lot of workflows that in the past, we weren't able to do from an automation perspective.
What needs improvement?
We are still two versions behind, so I don't know specifically what could be improved. I've told all the executives and staff we met at a recent IBM conference that integration with other solutions is important so that we don't have to do a bunch of different things to consider.
What do I think about the stability of the solution?
We are the largest user of QRadar, so the stability is average. There are several vulnerabilities that IBM is working with us on. They don't have a test environment big enough to imitate the stress we put on it. Stability is probably OK for the normal customers, but we break everybody's apps just because of our size.
Buyer's Guide
IBM Security QRadar
September 2025

Learn what your peers think about IBM Security QRadar. Get advice and tips from experienced pros sharing their opinions. Updated: September 2025.
868,787 professionals have used our research since 2012.
What do I think about the scalability of the solution?
There are some vulnerabilities that may be further exacerbated at our size, so they are trying to fix some of those issues and bring stability, but it's really product issues that don't scale right now.
Which solution did I use previously and why did I switch?
It was functionality which drove us to change. QRadar had better functionality than what we were getting out of the previous solution. Scale was probably also a factor at that time. It was right after IBM bought Q1 Labs, so it was an industry leader along with some others. We did an evaluation and QRadar came out on top.
How was the initial setup?
Initial setup was pretty straightforward. It's a complex solution, but it was straightforward for a large environment.
Which other solutions did I evaluate?
The two big options we evaluated would be IBM and HP. What we understood was that QRadar would be a more simplistic implementation, taking up less time.
What other advice do I have?
Make sure you really understand all the requirements before you implement. I think the group that did this implementation didn't necessarily understand fully what we were going to use it for, so it was maybe designed for smaller things. So, you should really understand the requirements prior to stepping into it.
If QRadar is going to be a central sort of hub for IBM's security solutions, make sure that the other tools integrate very easily into it. That would probably be the biggest task.
Disclosure: My company does not have a business relationship with this vendor other than being a customer.

Senior Security Analyst at The Hartford
The organizational value we derive from it is that it helps us track down where we have problems.
What is most valuable?
The most valuable feature for us is probably the intelligence we get out of the product.
How has it helped my organization?
The organizational value we derive from it is that it helps us track down where we have problems.
What needs improvement?
We appreciate ease of use in the product, so I suppose they could bring the cost down. I haven't really thought about possible improvements. They've added a lot of good features to the apps. I'm still exploring those and there are a lot of good features there.
For how long have I used the solution?
I have used the solution for about 15 years.
What do I think about the stability of the solution?
Overall I'd say the stability is pretty good. I have noticed some issues with the patch and updates recently, especially version 72A. There have been some problems where a patch would come out and a few days later another patch would have to come out to fix issues that weren't encountered so that's caused some issues for us.
What do I think about the scalability of the solution?
Scalability is good.
How is customer service and technical support?
The initial technical support to call is less than adequate. I usually know more than the level one or level two, again because I've been a customer for 15 years. I worked with the original QRadar guys to help develop their SIEM solutions so I know quite a bit about it. Usually when we call in it's a real problem because we fix most of our own problems.
How was the initial setup?
Fifteen years ago it was very complex because of the linking of different flow collectors. Being processed together, upgrading them was painful. That part has improved greatly as you can just put the update process in the console and push Yes. That's a lot better.
What other advice do I have?
It's a great product. They're obviously an industry leader right now in this field, if you're looking for SIEM, I would recommend it.
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
Security Consultant at a tech services company with 11-50 employees
It can collect different types of security feeds and correlate them in real-time with your logs.
What is most valuable?
The most valuable features are:
- Auto update: QRadar will download new logs from the database on the supported security device, so that it will automatically normalize the new log format and you will not need to rewrite all your rules/offenses again.
- X-Force/TAXII feed: QRadar can collect different types of security feeds and correlate them in real-time with your logs.
- Search engine: QRadar is like Excel, i.e., you can add rows and filter like your daily office work, without writing any scripts. So level 1 support also can handle this type of jobs.
How has it helped my organization?
You will learn something that you don't know on the user/machine behaviour.
What needs improvement?
The dashboards and reports may need to improve. We need to export the CSV results to create a report by Excel.
For how long have I used the solution?
I have used this solution for three years.
What do I think about the stability of the solution?
It will slow down, when there are too many people doing a search at the same time, but that depends on your hardware and design.
What do I think about the scalability of the solution?
I did not encounter any scalability issues.
How is customer service and technical support?
You may need to allow remote support for them to help you, for troubleshooting the issues.
How was the initial setup?
The setup is complex, i.e., for the first setup. SIEM is not easy so as to enable logs without any performance issues and the deployment advisor is the key for the project.
What's my experience with pricing, setup cost, and licensing?
You only need to worry about the number of events per second and the number of flows per minute. Storage size is not an issue with QRadar.
Which other solutions did I evaluate?
We did evaluate other options. I think Splunk is the second-best option.
What other advice do I have?
If you have an experienced group of security members, then you may not at all need the advisor for the product. If not, then you will have to find the path to build your team, so as to become more knowledgeable.
Disclosure: My company has a business relationship with this vendor other than being a customer. We are business partners.
Application Infrastructure innovation at a financial services firm with 1,001-5,000 employees
Using it through IBM's Managed Security Services, they keep us alerted of what events are hitting, and adapting for it. I'd like to see tighter integration with other IBM products.
What is most valuable?
What is valuable is that we're using it through IBM's MSS services, and that they're doing a really good job of keeping us alerted of what events are hitting, and adapting for it.
How has it helped my organization?
It benefits us from a standpoint that we're very immature in our review of how security should be approached, and it's really helped us move up to modern awareness of what's going on on the internet.
What needs improvement?
What I'd like to see, and they're getting there, is more integration; tighter integration with some of the other IBM Security products. They're moving a lot tighter to BigFix. BigFix has a lot of power in it, and MaaS360 also has a lot of power in it. I'd like to see those more tightly integrated.
What do I think about the stability of the solution?
We have not had any stability or scalability issues. We're a little concerned about the latest version and the fact that it cannot be upgraded, that it requires a clean install.
How are customer service and technical support?
We have not really used technical support, because it's a managed service, so we call the SOC and they help us. They are very helpful.
Which solution did I use previously and why did I switch?
We just really sold our CIO and CTO on the fact that we need to do better than we are, where we're at today. We had a lot of virus challenges, like most companies, and malware, so we had to figure out how to reduce that.
How was the initial setup?
I was involved in the initial setup. Well, IBM did it, since it was a managed service. It was pretty straightforward.
Which other solutions did I evaluate?
We looked at numerous other players. We chose IBM because it has a lot of power, and you can grow it as much as and however you want it to.
When I am looking for a vendor, I don't look for a VAR, I look for a partner.
What other advice do I have?
If you're going to implement it, implement it using managed services, because it's too complex of a product to try to do yourself.
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
Security Intelligence at a tech services company with 10,001+ employees
We can build interactive dashboards around it. Mathematical operators currently cannot be used within the reference maps.
What is most valuable?
The most valuable feature that we found, especially this year, was the ability to build apps over it. Basically, the platform has opened up and we can now customize it, as per our needs and requirements. We can build interactive dashboards and other interesting things around it.
How has it helped my organization?
We are using QRadar to solve our business problems and the IT operation requirements. We are fine tuning the processes that are laid from the InfoSec perspective, such as to detect unauthorized changes happening across the IT environment or the business problems, namely the password sharing issues, which are not easy to detect otherwise.
What needs improvement?
In future versions, the various features that we would like to see are pretty much in line with what QRadar is coming up with, like this IBM QRadar UBA version 2.0 or support for STIX/TAXII. Basically, we have similar milestones there.
There are a few technical requirements that we have opened feature requests for, such as some of our complex use cases that need mathematical operators to be used within the reference maps. That's currently not available.
What do I think about the stability of the solution?
There were no stability issues.
What do I think about the scalability of the solution?
There were no scalability issues. With this Event Processor and Data Node concept, I think it is highly scalable.
How is customer service and technical support?
We have been facing a few technical issues and we are working with the technical support and the development team to resolve them.
Sometimes we get a really good response and at times, some of the issues have been floating around for a lot of time. But our IT resources have been assigned for the same and we hope that they should be resolved easily.
How was the initial setup?
I was involved in the setup; it was pretty straightforward. Once you understand the overall architecture, it is pretty much easy to install and work upon.
What other advice do I have?
It should be implemented by the best professionals available within IBM. It is really important to have a clean base installation, so that you can build things on the top of it.
When we are selecting a vendor, first and foremost, we look for the stability of the vendor, and what level of resources they are investing in their research and development. These are a couple of things that we look for while selecting a vendor and of course, the kind of resources we are looking for to get certain engagement and make sure those resources are aligned.
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
Security Consultant at a tech services company with 11-50 employees
Some of the valuable features are vulnerability management, cognitive security, and risk management.
What is most valuable?
The SIEM features are what sell this product. Lately, it has been heavily expanded with others. For example vulnerability management, risk management, incident forensics, cognitive security, and user behavior analytics.
Basic SIEM features include log management, reporting, and correlations and alerting. All SIEM products started with those.
Modern SIEM solutions are expanded with additional components that I mentioned.
So today, you will rarely see an RFP for only SIEM. It will usually include other requirements. To answer this, vendors started adding additional valuable features.
Lately, QRadar also opened their APIs to the development community, in order to confront Splunk, and that resulted in a large number of additional functionalities in the form of add-ons (QRadar apps).
How has it helped my organization?
We are an IBM business partner. In short, this tool helps our clients have visibility into the IT infrastructure, events, and network traffic.
What needs improvement?
Dashboards!!! Dashboards are one of the most frequent complaints I receive from customers. Customers are complaining about the limited set of graphs and the inability to change colors. Although this might seem trivial, a large number of the same complaints probably mean something.
A lot of bugs are reported for dashboard items. Also, I personally have found that it does not work as indicated by the documentation. The same methodology is used to produce different results for similar searches. Also, customers would like to see near real-time data on the dashboard, which is very hard to achieve according to the mentioned problems.
For how long have I used the solution?
I have been using this since 2011, even before the IBM acquisition.
What do I think about the stability of the solution?
We have not had stability issues.
What do I think about the scalability of the solution?
High availability deployments have serious upgrade issues.
How are customer service and technical support?
Support is great, but sometimes they are a little slow.
Which solution did I use previously and why did I switch?
We did not have any previous solution. We have used only QRadar for the last six years. Even at that time, it was a leader in Gartner and so it remained. It is very user friendly.
How was the initial setup?
The initial setup was very easy. Integrating the infrastructure configuration is the biggest problem for any SIEM project.
What's my experience with pricing, setup cost, and licensing?
Licensing was simplified two months ago. I don’t have insight into pricing. But as with any software, the price can probably change depending on your negotiation skills :)
Which other solutions did I evaluate?
We didn’t evaluate other solutions. However, in my career, I saw Splunk, RSA, ArcSight, and AlienVault.
What other advice do I have?
If you are a security officer who wants to protect his job, go for Splunk :) If you are a customer who wants to have an easy tool and save time and resources, definitely go for QRadar.
Disclosure: My company has a business relationship with this vendor other than being a customer. My company is a business partner.
Security Operations Center Manager at a financial services firm with 1,001-5,000 employees
Search capabilities are sufficient for most tasks. We need to see improved rule based access controls and rule/event tuning.
Pros and Cons
- "Search capabilities are sufficient for most tasks."
- "Search capability and indexing still lag behind competitors. We also need to see improved rule based access controls and rule/event tuning."
How has it helped my organization?
Log aggregation and event correlation did not occur in an enterprise fashion before this product. Troubleshooting more complex issues became much simpler with the addition of this product.
What is most valuable?
Search capabilities are sufficient for most tasks, although not as easy to use as some other products.
What needs improvement?
Search capability and indexing still lag behind competitors. We also need to see improved rule based access controls and rule/event tuning.
The search capabilities in QRadar are decent in their ability to be granular but the methodology of search prevents the rapid and easy modification of search parameters as an analyst works through the hunting process.
There are several examples of this. Let’s say you add two or three parameters to your search using various filter methods.
You can quickly change items like the scope of time for your search or the presentation of data, but you cannot quickly change the other parameters such as the IP address you are looking for. So you have a search of 10.0.1.1, the system processes that search, but then you realize you need to search for 10.1.1.2 instead.
You have to delete the old IP and recreate it. At that point the search starts over from the beginning. In a system like Splunk, when using the filters, the query string is written for you and can be easily modified/edited on the fly. While that may still result in a search restarting, the manipulation of that search is faster and more efficient. This is just a single example.
What do I think about the stability of the solution?
I feel that some of the stability issues are attributed to our network. However, too many issues existed with the product and too many more appeared as they tried to fix different issues.
What do I think about the scalability of the solution?
We never scaled the product before we decided to remove it from our network. From all appearances, scalability was not going to be an issue.
How are customer service and technical support?
Technical support was OK at best due to the length of time before resolution.
Which solution did I use previously and why did I switch?
I used ArcSight at a previous company. I would much rather have a correctly scoped and built QRadar to manage. However, as a consumer of ArcSight, it was a very good product.
How was the initial setup?
I was not involved in the initial setup.
What's my experience with pricing, setup cost, and licensing?
Do your due diligence. I found other solutions, with more features at the same cost or less. You don’t have to leave the Gartner Magic Quadrant to beat their price.
Which other solutions did I evaluate?
I did not choose this product.
What other advice do I have?
Evaluate the product based on a full set of requirements and your security analyst workflow. Do not base your decision on the company name or promises of new abilities years down the line.
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
Technical Security Specialist at a tech services company with 51-200 employees
Provides log management, application monitoring, vulnerability scanning, full packet capture and risk analysis.
What is most valuable?
IBM Security's QRadar Security Intelligence is a multi-feature security monitoring platform that provides log management, SIEM, NetFlow, application monitoring, vulnerability scanning, full packet capture and risk analysis.
The platform is designed to be deployed as an all-in-one appliance, as discrete components that can be scaled horizontally for distributed and larger environments.
How has it helped my organization?
The SIEM solution is considered as a monitoring tool for the network but you can set routing roles and special actions for certain events.
What needs improvement?
- The vulnerability scanner is not accurate. It needs more vulnerability signature updates or more regulation templates to be added on.
- We urgently need to add more report templates.
Maybe the improvements could be achieved by adding some modules like IPS, IDS and a next generation firewall that is able to start from monitoring the events and processing, then takes actions not only based on signatures but smart intelligent monitoring which would make QRadar into a full SIEM security solution.
For how long have I used the solution?
I have been using the solution for three years.
What do I think about the stability of the solution?
I didn't find any issues with stability of the product.
What do I think about the scalability of the solution?
The scalability of this product is very flexible because of the way that it counts the events that exceed the threshold of licenses it handled with the queue and stores the data for 5 GB, dealing with the events in a first-in, first-out (FIFO) methodology.
How are customer service and technical support?
I would rate the technical support as 9/10 for solving issues and 5/10 for responses.
Which solution did I use previously and why did I switch?
I didn't previously use another product but I deal with some accounts that used to use other vendors, and they were facing many issues in performance and slowness in processing events.
How was the initial setup?
The initial setup is very easy, just like when you install an operating system, and then you do the configuration needed for your environment.
Disclosure: My company has a business relationship with this vendor other than being a customer. Prosoft is an IBM VAD (value added distributor) in Egypt.
