IBM Security QRadar Reviews

IBM QRadar is used to help our customers collect information. It collects the information from other tools on the firewall, network devices, cyber tools with both Carbon Black, Cortex, Cynet, and Darktrace.

It's a complete platform.

The interface is good.

They have more than 100 features.

It is not easy to use.

The updates are not very easy. It is very complex. I would like to see the update process simplified.

When I said "it is not easy to use", I mean that QRadar is not for beginners.
Needs high competence and skyll to use it in a satisfactory way to really help customers.
The complexity is not a flaw, but it si a necessary quality for QRadar to be a truly effective tool in a Cyber environement.

We have used IBM QRadar within the last twelve months.

IBM QRadar is a stable solution.

It's a scalable platform.

Technical support is good.

Pricing is good.

I would rate IBM QRadar an eight out of ten.

We are users and implementers of this solution. 

I like the new dashboard which enables us to understand how many real threat attempts are made in a day. I also like the QRadar incident response, we installed the QIF last week. The solution has improved visibility so that we've been able to discover that some of our customers have not had any protection and were very vulnerable. It's an important area. I also find that the user behavior analysis is relatively simple. We are customers of QRadar. 

I think the user management model is very detailed but you really have to know what you're doing just to be able to manage things. I think the solution lacks some maturity. When you put it in a large organization as a security system or a cybersecurity system and you want to enable automation, it's difficult to get that level of maturity. 

We've been using this solution for about 18 months.

The solution is stable. 

The solution is scalable. We have a total of 19 users in the company. The solution is used extensively and we plan to increase the number of users. 

The technical support could be better. I'd rather work with my implementing expert and not the OEM. Although they have the expertise, the development guys are very slow.

We tested a few other solutions including AlienVault, Splunk, Micro Focus, and Outside. QRadar was the best of the breed for our needs and for a big system like ours, it's less complex than Splunk or Outside. 

The initial setup is complex. Theory is one thing and practice is another. We had to go back and forth with IBM just to find the relevant versions with the relevant operating system to sit on the relevant virtual environment. Then we found a few bugs. We are in a production system in a very big organization so deployment was carried out in stages. It took about a month in total to get things working and to start collecting logs. We had help from IBM Azure.
Maintenance is required, you have to watch it, and work on it on a daily basis. 

We pay an annual license fee. On top of that, every model adds to the cost. It's not just the license; the sales people want you to think you're only paying for certain things but we know how it works. 

The pre-design and the low-level design should be very, very, specific. It's important to check that the compatibility is there. If not, neither IBM nor OEM will support you.

I would rate the solution more highly but it's very expensive and given the high cost, I would expect quicker and better service from the OEM so I rate the solution seven out of 10. 

I was initially a reseller before selling the solution from within IBM. I'm currently a freelance security sales consultant. 

A valuable feature is the detection capability. I like that the solution can use data other than log data which means that things like vulnerability data, network data and the like, are part of the correlation and detection.

I think they could change their pricing model to be more cost effective. It currently relies on data ingestion. I'd like to see IBM extend their capability with the solution to include more than just fault finding, features such as predictive identification of threads. Having better support for things like MITRE and the ATT&CK chain, and using all of the known attacks that are out there when they're actually spotting events and correlations. 

I've used this solution for 10 years. 

The solution is very scalable. 

Technical support is pretty good, but sometimes when the problems are complex they can be slow to respond. 

The initial setup is very easy. I think it's one of the easiest SIMs to use. 

IBM has recently come out with a new version called Cloud Pak for Security but I haven't used it yet. It contains not just QRadar, but also IBM's resilience incident response products. 

I recommend the solution but because of the issues with pricing and technical support, I rate the solution seven out of 10. 

We're a customer, partner, or reseller. We use QRadar on our own internal SOC. We are also a reseller of QRadar for some of the projects. So, we sell QRadar to customers, and we're also a partner because we have different models. We roll the product out to a customer as part of our service where we own it, but the customer is paying. We also do a full deployment that a customer owns. So, we are actually fulfilling all three roles.

The most valuable thing about QRadar is that you have a single window into your network, SIEM, network flows, and risk management of your assets. If you use Splunk, for instance, then you still need a full packet capture solution, whereas the full packet capture solution is integrated within QRadar. Its application ecosystem makes it very powerful in terms of doing analysis.

In terms of the GUI, they need to improve the consistency. It has been written by different teams at different times. So, when you go around the interface, you'll find a lot of inconsistencies in terms of the way it works.

I'd like them to improve the offense. When QRadar detects something, it creates what it calls offenses. So, it has a rudimentary ticketing system inside of it. This is the same interface that was there when I started using it 12 years ago. It just has not been improved. They do allow integration with IBM Resilient, but IBM Resilient is grotesquely expensive. The most effective integration that IBM offers today is with IBM Resilient, which is an instant response platform. It is a very good platform, but it is very expensive. They really should do something with the offense handling because it is very difficult to scale, and it has limitations. The maximum number of offenses that it can carry is 16K. After 16K, you have to flush your offenses out. So, it is all or nothing. You lose all your offenses up until that point in time, and you don't have any history within the offense list of older events. If you're dealing with multiple customers, this becomes problematic. That's why you need to use another product to do the actual ticketing. If you wanted the ticket existence, you would normally interface with ServiceNow, SolarWinds, or some other product like that. 

Their support should also be improved. Their support is very slow, and it is very difficult to find knowledgeable people within IBM.

Its price and licensing should be improved. It is overly expensive and overly complex in terms of licensing. 

I have been using this solution for 12 years.

Their support is very slow. it is very difficult to find knowledgeable people within IBM. I'm an expert in the use of QRadar, and I know the technical insights of QRadar very well, but it is sometimes very painful to deal with IBM's support and actually get them to do something. Their support is very difficult to work with for some customers.

I work with Prelude, which is by a French company. It is a basic beginner's SIEM. If you never had a SIEM before and you wanted to experiment, this is where you would start, but it is probably that you would leave very quickly. I've also worked with ArcSight and Splunk.

My recommendation would depend upon your technical appetite or your technical capability. QRadar is essentially a Linux-based Red Hat appliance. Unfortunately, you still need some Linux knowledge to work with this effectively. Not everything is through the GUI. 

Comparing it with Splunk, in terms of licensing, IBM's model is simpler than Splunk's model. Splunk has two models. One is volume metrics, so you pay for the number of bytes that are transmitted daily. The other one is based upon the number of events per second, which they introduced relatively recently. Splunk can be more expensive than QRadar when you start to get into adding what they call indexes. So, basically, you create specific indexes to hold, for instance, logs related to Cisco. This is implicit within QRadar, and it is designed that way, but within Splunk, if you want to get that performance and you have large volumes of logs, you need to create indexes. This is where the cost of Splunk can escalate.

Installing QRadar is very simple. You insert a DVD, boot the system, and it runs the installation after asking you a few questions. It runs pretty much automatically, and then you're up and going. From an installation point of view, it is very easy.

The only thing that you have to get right before you do the installation is your architecture because it has event collectors, event processes, flow collectors, flow processes, and a number of other components. You need to understand where they should be placed. If you want more storage, then you need to place data nodes on the ends of the processes. All this is something that you need to have in mind when you design and deploy.

It is overly expensive and overly complex in terms of licensing. They have many different appliances, which makes it extremely difficult to choose the technology. It is very difficult to choose the technology or QRadar components that you should be deploying. 

They have improved some of it in the last few years. They have made it slightly easy with the fact that you can now buy virtual versions of all the appliances, which is good, but it is still very fragmented. For instance, on some of the smaller appliances, there is no upgrade path. So, if you exceed the capacity of the appliance, you have to buy a bigger appliance, which is not helpful because it is quite a major cost. If you want to add more disks to the system, they'll say that you can't. If they ship a disk with 2 terabytes that the older appliances have, and you say to them that you can commercially get 10 terabyte disks, they will say this is not possible, even though there is no technical reason why it cannot be done. So, they're not very flexible from that point of view. For IBM, it is good because you basically have to buy new appliances, but from a customer's point of view, it is a very expensive investment.

Make sure that you have the buy-in from different teams in the company because you will need help from the network teams. You will potentially need help from IT. 

You need to have a strategy of how you onboard logs into SIEM. Do you take a risk-based approach or do you onboard everything? You should take the time to understand the architecture and the implications of design choices. For instance, QRadar Components communicate with each other using SSH tunnels. The normal practice in security is that if I put a device in a DMZ, then communication between the device on the normal network, which is a higher security zone, and the DMZ, which is a lower security zone, will be initiated from the high-security zone. You would not expect the device in the DMZ to initiate communication back into the normal network. In the case of QRadar, if you put your processes in the DMZ, then it has to communicate with the console, which means that you have to allow the processor to communicate. This has consequences. If you have remote sites or you plan to use cloud-based processes, collectors, etc, and have an internal console, the same communication channels have to exist. So, it requires some careful planning. That's the main thing.

I would rate QRadar an eight out of 10 as compared to other products.

It is suitable for large companies with critical infrastructure. For our clients, robustness, availability at a high level, and the level of references and experiences connected to the solution are important. They need to know that other energy players are also using it.

There should be easier and wider integration opportunities. There should be more 
opportunities for integration with CTI info sharing areas. On platforms where you exchange CTI, there should be more visibility connected to what we share, what we can reach, or what options are connected to CTI info sharing. This is one area where they could add value because we cannot integrate it easily with QRadar. If a client has a legacy or already existing solutions for CTI, we cannot ask them to forget it because we cannot guarantee that QRadar is able to deliver everything connected to this area. 

I have been using this solution for three years.

We have five to ten customers of this solution. My impression is that it can cost a lot to scale upwards. It didn't bother us in most cases, but that could be a problem for SMEs at times.

Their support during the operation seems fine. I'm a consultant, and very often, I am offsite. I am not there when clients get into operating QRadar in the long run. So, I know more about implementation than the operation itself.

It requires expertise. If you have the right personnel, you can manage. It wouldn't be easy for a client and admins to set it up without proper support or support from QRadar itself.

Setting it up requires an assistant like us. QRadar plays a role there, but that's not enough. There is also the language barrier. Not every Hungarian company is good in English, and IBM naturally doesn't have full Hungarian support.

It requires cooperation between clients and us. Typically, we send a team of five people that includes tech guys, a project manager, and maybe one process guy, if needed. Generally, you don't have 360-degree professionals, so you have someone good in networking, someone good in log management or log analysis, and so on. Because of that, we need this kind of team. 

The client also has a few people. Typically, we send in more people than the client. These are not full-time people on our side and client-side. 

It could be cheaper, but the value itself is far more important for us than the price. Typically, our clients have yearly subscriptions.

I don't know what I would recommend for SMEs because we never worked with SMEs, but I would be very careful in recommending QRadar for SMEs. 

I would rate IBM QRadar a nine out of 10.

The solution is primarily used for threat detection and response. QRadar can be integrated with other services from IBM such as Watson, among others. The main need is for threat detection, incident response, and dealing with threats or hunting threats. 

What else? I mean, it's always you're looking for threats. Usually, whoever buys this SIM solution or buys QRadar, for example, is looking for hidden threats and they get the logs to see what's happening within their system. They want a solution that looks very deep inside in order to correlate those logs and see if there's any information that they can get out of those logs or even live packets that are spanning through their networks. Therefore, it's usually threat hunting. That's the main thing, Others might use it to understand the system, and how it's performing overall.  However, that's the lesser use case.

Inside IBM QRadar there are a lot of engines that actually work to help us to do the correlation and normalization as well for the logs that we're receiving from multiple devices. IBM is very powerful in that regard. 

QRadar, as a solution, can integrate with a lot of other applications. You can write your own custom rules if you want to. We can ask it to detect whatever we want it to, even with the devices that are not supported to send logs. IBM QRadar can understand these types of commands and we can still integrate and write our own rules to help us to detect those logs that are coming from, for example, IoT devices or from other devices that usually we don't understand.

It can handle really a huge number of logs with fewer false positives. We can use the artificial intelligence and the rules that IBM is providing to make it really smart. The solution can help you predict even the false positives when we are alerting the admin or the security admin about some offenses that we have seen from the logs.

Their product is very user-friendly.

Customer service is very good and very helpful.

The initial setup is quite straightforward.

The solution can scale.

The solution is very stable.

As per Gartner, maybe the price makes it so that the customers are not going for IBM QRadar. It's a little bit pricey compared to other solutions in the market. More or less that's the area that needs to be improved. That's usually the main concern that we receive from the customers - that it's a little bit pricey. That's the only thing I can say.

The custom rules could be simplified more or it should be possible to use a different language, other than the ones that the solution is already using. They should add other languages into the mix. You need some advanced customers in order to use the custom rules or to use their rules in order to configure the IBM QRadar in a proper way. Usually, they find it very difficult, especially if they don't have the experience.

Sometimes it works and catches whatever we want, however, sometimes it doesn't work. That's in rare cases, however, that's one thing that they need to maybe enhance.

I've been working with the solution for three years or so.

For stability, I'm not a customer who's using it on daily basis, however, from feedback that I'm getting from the customers who are attending to the solution, I've heard that this solution is stable. That's why it's in the leader area in Gartner. If you compare it to others in Gartner, it shows how their product is actually efficient. Whether I get QRadar, whether it's Splunk, whether it's LogRhythm, all of those products as a SIM are very good at that point. They're all quite reliable.

The scalability is very good. The product is scalable. A company shouldn't have trouble expanding it if they need to.

We typically work with banks and bigger organizations.

Technical support has been very good. They are helpful and responsive.

I've also learned a lot from the documentation, especially the online documentation. Due to the fact that I'm an official instructor for IBM, I have my other resources too, on the Learning Center from IBM. Documentation is not a problem. It's very helpful.

The initial setup is very straightforward. It's not overly complex. It's quite easy.

The deployment takes time, definitely. You've got to prepare for your solution so that it's going to work in spanning all the other devices too. That doesn't mean it's a complex process, it just means it takes a bit.

IBM QRadar is pricey, and therefore, usually small enterprises are not able to afford it. Usually, probably most of the customers are usually large enterprises.

I'm actually teaching IBM and some services such as IBM QRadar, as part of my work. I'm familiar with Splunk, however, I'm not working with it on a daily basis. I'm teaching that technology to others. I'm not a customer. I'm using it for teaching purposes. I'm working in a training center. I'm not dealing with it on a daily basis, however, I understand how the product works. We do sometimes help integrate it and work as consultants occasionally as well.

While 7.4 is out, we're currently working with version 7.3.

Overall, I would rate the product at an eight out of ten. There's more to be done on it, however, we are mostly pleased with its capabilities.

There are many use cases for this solution. One example is we are using this solution to monitor user site access to band sites. 

The solution is highly used here in Pakistan and in many sectors, they could improve it by having more SIEM connectors.

I have been using this solution for approximately four years.

The stability is good until you upgrade to a new version. You have to properly shut down services when you are doing some maintenance activities every three to four months. There might be some problems that you do not expect. We have had some complaints from users regarding operation. 

We have had bad experiences with support from IBM. We are not satisfied with the support and they have made me very angry. My customers have had similar experiences.

The initial setup of QRadar is not complex because we have done it before and we are used to the development. It is getting easier all the time.

There is a license required for this solution and it is an annual payment. I have found all solutions in the category to be expensive, including Splunk.

I am evaluating Splunk.

Here in Pakistan, this solution has already saturated the financial market.

I rate IBM QRadar a five out of ten.

We are a product-based organization. We use this solution for a shared SOC service and security audits and compliance.

There are a lot of features in QRadar. App Exchange is the most valuable feature. User behavior analytics (UBA) is also a very good feature. Watson is also there, but we are not currently using Watson.

It is versatile and quite easy. It also has an all-in-one-box feature and good integration with AWS. 

SOAR is what is expected the most from QRadar. They have something called SOAR Resilient, and it would be great if that gets induced in SIEM. IBM QRadar (as well as McAfee ESM) should have analytics platform integration. Currently, SIEMs don't have full-fledged integration with analytics where we are able to dump our data in SIEM, and the same data can be called from different analytics applications. We should be able to bring this data to a platform like Hadoop for big data and run the analytics there. Currently, people are seeing the past data and taking some actions in the present, but when it comes to analytics, there should be futuristic data where you can predict something out of your present and past data. Apart from that, I would like to see a full-fledged ITSM tool in QRadar.

It sometimes has some technical issues that need to be checked. It requires a dedicated QRadar engineer to completely manage it. It has different module sets, such as event collector and event processor, and some technical glitches come in between. It takes the log but doesn't exactly process it in the way we want. 

If its pricing can be reduced, it would help a lot of customers in bringing in a new SIEM environment.

It is stable. There are no incidents when SIEM completely stopped. 

I have expanded it. It is very good in terms of scalability. Because it is on the cloud, it can be scaled anytime. If I want to increase my CPU's RAM, I can do it. At any point in time, if I want to get additional licenses, I can just call support, and they will provide that.

I have around six customers who are using QRadar in a shared model. We do have plans to increase its usage. We are looking after different customers, and when they're ready, we can integrate it.

They are good and responsive. However, because of COVID, of late everyone is working from home, and sometimes, their response has been a little bit slow for incidents. They did apologize for that.

It is straightforward. AWS has a feature called Marketplace in its environment. When we click it, we can load it directly. It doesn't take more than two to three days to completely deploy the infrastructure. 

They can give us some scalability and flexibility on pricing. If its pricing can be reduced, it would help a lot of customers in bringing in a new SIEM environment and grow business in the market. If I start a license today and take around 10,000 EPS, and after a month, there is an increase in the number of clients on my platform, I can increase the number of licenses. I can add 5,000 EPS on a yearly basis.

We chose QRadar over McAfee ESM.

It has good integration with AWS. AWS has come up with a Marketplace click-in option that provides direct integration between your AWS and data centers or cloud solutions through a small VPN. It allows you to bring up small environments with 5,000 EPS or 6,000 EPS or even 3,500 EPS or 2,500 EPS very quickly. It is very flexible and not at all tough for a startup engineer to click and bring solutions inside. It is quite easy.

I would rate IBM QRadar an eight out of ten.

We provide cloud services to the users, and we have our own cloud setup over here. The major use case is when clients require the SOC to be set up.

Setting up the SOC itself is a huge investment. A customer has to invest a lot to build up the whole SOC environment, so, rather than the customer investing in the SOC environment and building up the SOC, we provide it as a service. Customers don't need to do any up-front investment. They use our service. We manage their security tools and security environment as per the compliance guidelines that come from the Indian government. We follow all those practices, and we help them procure more for their network and infrastructure.

QRadar, Splunk, and ArcSight are SIEM solutions with built-in AI/ML features. They can do the complete investigation and alert the admin about what is happening. They can also do the root cause analysis. 

There are many other features that come with QRadar. It has a more granular log, so you can integrate with various non-IT as well as IT-based components. You can get unstructured data to the SIEM data, and you can identify more what is happening in the network or what is happening in the central head office. You can also identify what is happening between your remote offices. You can also use it to identify what the users in the field are doing on their devices and how things are moving.

From the integration point of view, it is very centric. It gives complete control centrally. If a user is not connected to the system, whenever he comes online, we can see the policy updates over the Internet, and we can ensure that the data that is supposed to be protected is protected.

When it comes to what could be better, it is always what others are trying to do and what is the roadmap. It can have more integration. It should have more flexible RESTful APIs for integration with applications. These are the things that are always in demand for any of the SIEM solutions, not only for QRadar. 

Integration is ever-evolving. Nowadays, different versions of mobile handsets are there and data is getting scattered. Users are using their personal handsets to keep the data of the organization. So, it should have a more flexible integration, irrespective of the flavor of the firmware and iOS or Android version. It should have an API that can seamlessly get integrated. It should also provide more flexible control and a more advanced or analytical view to see what exactly is happening across the globe or network. From wherever a user is connecting and accessing the enterprise data, it should give real-time visibility and predictive visibility about what exactly is happening. These things are already there, but there should be more advanced control in terms of managing the security.

I have been using this solution for five years.

It is absolutely stable. It depends upon how the implementation has been done. We definitely have the skills to do this kind of implementation. We ensure that a customer's environment is absolutely protected.

It is very scalable, but it also depends upon how the implementation was done. We are providing services to one of the major brands in India. They have somewhere around 30,000 devices. We are currently managing more than 1 lakh QRadar users.

QRadar has a good technical team. They provide timely support whenever a ticket is raised.

Deployment of such solutions always takes time because these solutions are not simple. You should have the expertise and you should understand what is really needed for the business. We understand the real business need, and accordingly, we implement the policies.

We have been managing some of the security tools for the past 11 years. We have expert engineers who can help our customers with installation, configuration, planning, designing, and other things.

If you have an environment of 5,000 or 10,000 devices, three to five people should be enough to manage it.

Customers have to purchase a license based on the number of users, devices, and applications they want to protect. It allows you to take a license on a subscription basis for three years or five years.

I would recommend this solution. If you are looking for a SIEM solution, IBM QRadar is one that you should ideally look for.

I would rate IBM QRadar a nine out of ten.

We are using QRadar as a managed service.

This product helps us to find security incidents before they become a problem to the business. We are able to attend to them quicker and we can put protection in place so that should they occur again, we are able to deal with them more easily.

The most valuable feature is the ease of use.

The modularity could be improved.

We have been using IBM QRadar for three years.

This is a very stable product.

We have had no issues with scalability and we have approximately 1,500 users. We are not using its full capabilities at the moment because we are still growing. In the next year or two, we will see.

I don't deal with IBM directly. Rather, I deal with our service provider and they deal with IBM.

The initial set was very easy for us because we just bought what we were looking for, and not the entire infrastructure.

The company that we subscribe to for this service takes care of the installation, maintenance, and management of it. They give us updates that concern the features we use, so the maintenance doesn't affect us much.

We use QRadar as a managed service and we pay licensing fees to the partner.

This is a good tool to have because it gives you the ability to track what is currently happening in your environment. Otherwise, if you did not have that, you'd only react to an event or an incident that has already caused problems. The proactiveness goes a long way because it saves your environment and your business from being negatively affected.

In summary, this is a good product but there is always room for improvement.

I would rate this solution a nine out of ten.