IBM Security QRadar Reviews

Its technology is quite new and it has a predefined set of templates that can be readily used for our business, so we don't have to innovate much. These are some unique features about this tool.

Security: We do have cloud services. It's very difficult to control cloud vendors, when it is for security. But this tool conducts an independent audit and makes sure that security, identity and governance are in check every time.

This tool is more suited for the technical industries or it's more specific for technical security. However, now since new laws are coming out such as the GDP in Europe and the biometric laws, in order to secure patient data, IBM may have to innovate more and incorporate certain legislation / regulations into their tool. It should be readily available to the pharma companies, so that they don't need to struggle to make more templates and thus don't have to tailor it to our needs. It should be a custom off-the-shelf solution, i.e., COTS. So, they're looking for more innovations in that area.

We're just the earlier adoptors of this tool for now. We are in the pharma industry, so we have started doing pilots across different functions in the organization. It will take us around one or two years to come to a conclusion in regards to the stability of this solution.

It is a little bit too premature for me to comment on scalability but it is quite good, because they have already identified 10-11 projects that we we'll be using with this tool. So, we don't think scalability is going to be an issue.

We do use technical support. We are IBM customers and IBM controls our infrastructure for the company. We do use their technical and business analysts. They were very helpful and knowledgeable. They are prepared for the pharma industry. That is very important for us.

We were not previously using a different solution. IBM approached us with best practices and they conducted a survey. They control our infrastructure and security; they advised us in regards to the product. After a series of discussions, our management decided to go ahead with certain pilots, so as to see the efficiency and then finally decided on this solution.

We are a grounded manufacturing and pharma organization, thus we are looking for vendors with proven skill sets in that arena. We are bound by more regulations than any other industry, so we look for certain certifications that the vendor should have. They should be compliant with the USFDA guidelines, before we select a vendor. After we start evaluating vendors, it does depend on the versatility and the scalability of the solutions.

Currently, there are a couple of vendors in the shortlist. After we complete our pilot, we will be choosing one single vendor. We are a SAP shop for ERP, so we did have some discussions about the interoperability within IBM and SAP. I think both of them are good partners in that area. At this point, we are not looking for any other vendors.

The solution seems to be very promising on paper, i.e., in theory, some things look good but practically, after we apply the solution in the next one or two years, we'll come to know more.

You should first conduct an assessment from IBM and the system should follow the selection of the tool. You should not just go by what you want, but instead by what you need. Most of the companies don't know what they need in terms of the security.

The simplicity of the solution is the best feature.

The dashboards are all legacy and old. Their cloud support and the content available for cloud and containers are also minimal.

We have been using this solution since 2019.

I rate the stability a nine out of ten.

I rate the scalability an eight out of ten, and we have about 35 people using it.

I rate the technical support a five out of ten. They need to improve their availability. They have global support, which means we need to wait longer for a response.

Neutral

I rate the initial setup a seven out of ten, and it is deployed on-premises. The deployment took about four to six weeks, and we did it in-house.

We have seen an ROI.

I rate the price a six out of ten, with ten being affordable and one being expensive. They recently changed their licensing model, and it's more complex.

I rate this solution a six out of ten. Regarding advice, using this solution purely depends on the use case. If it meets your use case, then IBM QRadar is good, but other solutions like Securonix are much better.

QRadar UBA's most valuable feature is the risk rating of users depending on their behavior.

QRadar UBA only keeps the data for a short while (it's refreshed every five minutes) and would be improved if this were extended to a week or month. In the next release, I would like to be able to do a historical search of user scores.

I've been using QRadar UBA for two and a half years.

QRadar UBA is quite stable.

QRadar UBA's price is a little more than street price and could be reduced.

I would rate QRadar UBA seven out of ten.

IBM QRadar is used to help our customers collect information. It collects the information from other tools on the firewall, network devices, cyber tools with both Carbon Black, Cortex, Cynet, and Darktrace.

It's a complete platform.

The interface is good.

They have more than 100 features.

It is not easy to use.

The updates are not very easy. It is very complex. I would like to see the update process simplified.

When I said "it is not easy to use", I mean that QRadar is not for beginners.
Needs high competence and skyll to use it in a satisfactory way to really help customers.
The complexity is not a flaw, but it si a necessary quality for QRadar to be a truly effective tool in a Cyber environement.

We have used IBM QRadar within the last twelve months.

IBM QRadar is a stable solution.

It's a scalable platform.

Technical support is good.

Positive

Pricing is good.

I would rate IBM QRadar an eight out of ten.

We primarily use the solution for breach management. We use it for identifying rogue IPs and picking up anomalies in terms of the network traffic coming in. We've seen a year of use cases in terms of breach management and incident management. We find IBM QRadar quite relevant in terms of protecting against potential malicious traffic coming into your organization. 

Obviously, it is evolved, and where we're utilizing IBM QRadar is to do other analytical capabilities, which include identity and access management. We've got a unique way where we use the platform to generate a view of all your identities and access that is granted within your environment and so forth. We are able to map that using IBM QRadar, which is not a use case that is normally thought about, however, we found from an analytical point of view, this is what we can do because we get all the information we need here.

IBM QRadar is phenomenal as a SIEM SOC solution. In terms of its capability, in terms of its usability, in terms of the SOC solutions or SIEM solutions out there, we find QRadar the most user-friendly. 

It gives you the right coverage as the analytical platform that's coupled with Watson is phenomenal.

From a deployment perspective, we found it very, very good.

What we like about QRadar and the models that IBM has, is it can go from a small-to-medium enterprise to a larger organization, and it gives you the same value.

It's easy to use if you go through the proper training. We find that the current IBM team in South Africa is not as good as the teams abroad, however, if you get the right support and the right training, which we have got, we find it very, very, very customizable and user-friendly. 

What we have done is we do not use a lot of level-one analysts. We use a lot of developers, so we constantly evolve the rule-set. Most of the organizations that have employed QRadar, what they do is they stack it up with level-one and level-two analysts, as opposed to having more security developers who enhance the rule-set, due to the fact that all of the same technologies work on rule-sets. If you can dynamically change the rule-set on the fly, you're good. We have got a different model in terms of the way we operate a SOC, where we have more developers amending the rules, you will lessen the number of false positives that you encounter. The biggest problem with most of the SIEM technologies out there is that you get too many false positives, and again, it impacts your operational SOC. We don't have that issue here. 

The only challenge with products like IBM is the EPS. You just have to be really on the events per second, as that's where the cost factor becomes a huge issue.

You do need proper training. Better training leads to better implementation. South Africa does not have the most knowledgeable technical support team. One challenge that you have in South Africa is the quality of the IBM resources. They're not up to the level companies need. I have to criticize IBM on that point - the skill level in South Africa and the South African franchise of IBM doesn't necessarily meet the quality of the product.

They can improve on the architecture. It's the way you deploy it. It's your enterprise architecture team that needs to understand it well. Again, due to our unique skillset on it, we deploy it in a very different way where we reduce the consumption of events per second, which reduces the overall cost of it. However, with the architecture, you need to get better guidance from IBM in terms of the way which the architecture is done. 

What I will say about IBM is that if you deploy it stock standard, it can be a very expensive tool, especially with your events per second, and where the way you deploy it architecturally will determine how much it costs you to manage it, as your events per second can be reduced through proper architecture. It's critical to an IBM install that a user understands the architecture and the deployment strategy. 

I've been dealing with the solution for a very long time. It's likely been about six years or so at this point. I've used it for a while.

We've got three customers on the solution currently. 

Technical support is lacking in South Africa and it doesn't meet the quality of the product. We're not quite satisfied with the level of service of knowledgeability on offer here. 

They need to be faster and more knowledgeable. If you log a ticket to South Africa, they can be quicker and more knowledgeable about issues. It's a problem within South Africa where the skill level of the IBM local team is not to the level it should be. Whether it's training or support, there's a problem. It's not the greatest.

The initial setup can be difficult if you don't have a good understanding of the product, for us, it's not too difficult. 

To do a small deployment takes us about two weeks.

When we did the deployment for one of our clients recently it took us four engineers from our side and four engineers from the outside to deploy it within two weeks. 

We handle deployments for our clients. Occasionally we need outside assistance. 

From a return on investment, the client sees in terms of its value from an IBM perspective, is a massive value from the deployment of QRadar.

On-premises is pretty expensive as opposed to the cloud. 

You do need to pay for a year subscription. You are charged at events per second as well. 

On QRadar, we look at the cloud-based uses as opposed to on-premise due to the cost factor. 

In terms of SIEM technologies, in terms of what you can get, I would rate it an eight out of ten. The QRadar platform is phenomenal in terms of what it does.

If you want to get the best out of IBM, spend more time on the rules generation and the modification of the rules.

It is suitable for large companies with critical infrastructure. For our clients, robustness, availability at a high level, and the level of references and experiences connected to the solution are important. They need to know that other energy players are also using it.

There should be easier and wider integration opportunities. There should be more 
opportunities for integration with CTI info sharing areas. On platforms where you exchange CTI, there should be more visibility connected to what we share, what we can reach, or what options are connected to CTI info sharing. This is one area where they could add value because we cannot integrate it easily with QRadar. If a client has a legacy or already existing solutions for CTI, we cannot ask them to forget it because we cannot guarantee that QRadar is able to deliver everything connected to this area. 

I have been using this solution for three years.

We have five to ten customers of this solution. My impression is that it can cost a lot to scale upwards. It didn't bother us in most cases, but that could be a problem for SMEs at times.

Their support during the operation seems fine. I'm a consultant, and very often, I am offsite. I am not there when clients get into operating QRadar in the long run. So, I know more about implementation than the operation itself.

It requires expertise. If you have the right personnel, you can manage. It wouldn't be easy for a client and admins to set it up without proper support or support from QRadar itself.

Setting it up requires an assistant like us. QRadar plays a role there, but that's not enough. There is also the language barrier. Not every Hungarian company is good in English, and IBM naturally doesn't have full Hungarian support.

It requires cooperation between clients and us. Typically, we send a team of five people that includes tech guys, a project manager, and maybe one process guy, if needed. Generally, you don't have 360-degree professionals, so you have someone good in networking, someone good in log management or log analysis, and so on. Because of that, we need this kind of team. 

The client also has a few people. Typically, we send in more people than the client. These are not full-time people on our side and client-side. 

It could be cheaper, but the value itself is far more important for us than the price. Typically, our clients have yearly subscriptions.

I don't know what I would recommend for SMEs because we never worked with SMEs, but I would be very careful in recommending QRadar for SMEs. 

I would rate IBM QRadar a nine out of 10.

The solution is primarily used for threat detection and response. QRadar can be integrated with other services from IBM such as Watson, among others. The main need is for threat detection, incident response, and dealing with threats or hunting threats. 

What else? I mean, it's always you're looking for threats. Usually, whoever buys this SIM solution or buys QRadar, for example, is looking for hidden threats and they get the logs to see what's happening within their system. They want a solution that looks very deep inside in order to correlate those logs and see if there's any information that they can get out of those logs or even live packets that are spanning through their networks. Therefore, it's usually threat hunting. That's the main thing, Others might use it to understand the system, and how it's performing overall.  However, that's the lesser use case.

Inside IBM QRadar there are a lot of engines that actually work to help us to do the correlation and normalization as well for the logs that we're receiving from multiple devices. IBM is very powerful in that regard. 

QRadar, as a solution, can integrate with a lot of other applications. You can write your own custom rules if you want to. We can ask it to detect whatever we want it to, even with the devices that are not supported to send logs. IBM QRadar can understand these types of commands and we can still integrate and write our own rules to help us to detect those logs that are coming from, for example, IoT devices or from other devices that usually we don't understand.

It can handle really a huge number of logs with fewer false positives. We can use the artificial intelligence and the rules that IBM is providing to make it really smart. The solution can help you predict even the false positives when we are alerting the admin or the security admin about some offenses that we have seen from the logs.

Their product is very user-friendly.

Customer service is very good and very helpful.

The initial setup is quite straightforward.

The solution can scale.

The solution is very stable.

As per Gartner, maybe the price makes it so that the customers are not going for IBM QRadar. It's a little bit pricey compared to other solutions in the market. More or less that's the area that needs to be improved. That's usually the main concern that we receive from the customers - that it's a little bit pricey. That's the only thing I can say.

The custom rules could be simplified more or it should be possible to use a different language, other than the ones that the solution is already using. They should add other languages into the mix. You need some advanced customers in order to use the custom rules or to use their rules in order to configure the IBM QRadar in a proper way. Usually, they find it very difficult, especially if they don't have the experience.

Sometimes it works and catches whatever we want, however, sometimes it doesn't work. That's in rare cases, however, that's one thing that they need to maybe enhance.

I've been working with the solution for three years or so.

For stability, I'm not a customer who's using it on daily basis, however, from feedback that I'm getting from the customers who are attending to the solution, I've heard that this solution is stable. That's why it's in the leader area in Gartner. If you compare it to others in Gartner, it shows how their product is actually efficient. Whether I get QRadar, whether it's Splunk, whether it's LogRhythm, all of those products as a SIM are very good at that point. They're all quite reliable.

The scalability is very good. The product is scalable. A company shouldn't have trouble expanding it if they need to.

We typically work with banks and bigger organizations.

Technical support has been very good. They are helpful and responsive.

I've also learned a lot from the documentation, especially the online documentation. Due to the fact that I'm an official instructor for IBM, I have my other resources too, on the Learning Center from IBM. Documentation is not a problem. It's very helpful.

The initial setup is very straightforward. It's not overly complex. It's quite easy.

The deployment takes time, definitely. You've got to prepare for your solution so that it's going to work in spanning all the other devices too. That doesn't mean it's a complex process, it just means it takes a bit.

IBM QRadar is pricey, and therefore, usually small enterprises are not able to afford it. Usually, probably most of the customers are usually large enterprises.

I'm actually teaching IBM and some services such as IBM QRadar, as part of my work. I'm familiar with Splunk, however, I'm not working with it on a daily basis. I'm teaching that technology to others. I'm not a customer. I'm using it for teaching purposes. I'm working in a training center. I'm not dealing with it on a daily basis, however, I understand how the product works. We do sometimes help integrate it and work as consultants occasionally as well.

While 7.4 is out, we're currently working with version 7.3.

Overall, I would rate the product at an eight out of ten. There's more to be done on it, however, we are mostly pleased with its capabilities.