System Engineer at Trans Business Machines Ltd
Incredible capacity for creating machine models; falls short on documentation
Pros and Cons
- "The timeline and machine learning features are great."
- "The solution lacks vendor support."
What is our primary use case?
Our primary use case is logging any anomalous traffic in terms of access times and deviations when users are in different groups within the AD. When a user deviates from their functionality, it's flagged in the UBA, and for VPN traffic. I also use it for geolocation functionality. We are partners of IBM and I'm a system engineer.
What is most valuable?
The timeline and the machine learning features are great at quickly flagging users who have either left the organization or have dormant accounts. The way that the app has transformed over time is quite phenomenal. One of the major improvements is its capacity for creating machine models. It comes with 16 default machine learning models, where it tracks user activity and changes in profiles and authentications. There are various default machine learning models and I'm able to model those to parameters that suit my needs. It's great that I'm able to implement an unlimited number of use cases on the UBA, putting in as many different kinds of logic as I want. It's a big advantage.
What needs improvement?
I'd like to see improved support from the vendor. In addition there are things that are not documented on the IBM site. If you'd like to do something at a high level, the information is not available in the documentation and you have to find it elsewhere.
For how long have I used the solution?
I've been using this solution for five years.
Buyer's Guide
IBM Security QRadar
November 2024
Learn what your peers think about IBM Security QRadar. Get advice and tips from experienced pros sharing their opinions. Updated: November 2024.
816,406 professionals have used our research since 2012.
What do I think about the stability of the solution?
The solution has never crashed or failed, it's stable.
What do I think about the scalability of the solution?
We haven't tested scalability and currently have around 100 users. I'm responsible for maintenance.
How are customer service and support?
The customer support is helpful but that's more about it being a good solution.
How was the initial setup?
The initial setup is straightforward, it's just a download and it installs. It's a matter of configuring a few parameters in terms of tweaking the thresholds that you want the app to fire in on. Installing takes a few seconds, but in terms of letting it land so that you can tweak it and tune the various metrics, takes about a week.
What's my experience with pricing, setup cost, and licensing?
This is a free solution which is one of the main reasons we chose it. It's just a matter of getting a license for QRadar as a platform.
What other advice do I have?
I recommend this solution and rate it seven out of 10.
Which deployment model are you using for this solution?
On-premises
Disclosure: My company has a business relationship with this vendor other than being a customer: partner
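The three detections the reviewer describes (logins at an unusual time for that user, access to a resource nobody in the user's AD group normally touches, and a dormant account that suddenly comes back) can be sketched as a small baseline-and-compare routine. What follows is an added illustration written for this page, not IBM's UBA app or any QRadar code; the users, groups, resource names, timestamps and thresholds are all constructed assumptions.

```python
"""Toy user-behaviour detector in the spirit of the UBA use cases above.
Added illustration for this page, not IBM/QRadar code. All events are constructed."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed historical logins used as the baseline: (timestamp, user, AD group, resource)
BASELINE = [
    ("2024-10-20T09:05:00", "alice", "finance", "erp"),
    ("2024-10-21T08:50:00", "alice", "finance", "erp"),
    ("2024-10-22T09:20:00", "alice", "finance", "fileshare"),
    ("2024-10-20T10:00:00", "bob",   "finance", "erp"),
    ("2024-10-21T09:40:00", "bob",   "finance", "fileshare"),
    ("2024-10-20T22:00:00", "carol", "ops",     "vpn"),
    ("2024-10-21T23:10:00", "carol", "ops",     "jumphost"),
    ("2024-09-01T09:00:00", "dave",  "finance", "erp"),   # last activity two months ago
]

# Constructed events to evaluate against that baseline
CURRENT = [
    ("2024-10-30T03:12:00", "alice", "finance", "erp"),       # 03:12 is far from alice's 09:00 habit
    ("2024-10-30T09:15:00", "bob",   "finance", "jumphost"),  # nobody in finance uses jumphost
    ("2024-10-30T22:30:00", "carol", "ops",     "vpn"),       # normal for carol
    ("2024-10-30T11:00:00", "dave",  "finance", "erp"),       # dormant account comes back
]


def parse_ts(ts):
    return datetime.fromisoformat(ts)


def build_baselines(events):
    """Per-user login hours, per-group resource footprint, and last activity per user."""
    hours = defaultdict(list)
    group_resources = defaultdict(set)
    last_seen = {}
    for ts, user, group, resource in events:
        t = parse_ts(ts)
        hours[user].append(t.hour)
        group_resources[group].add(resource)
        last_seen[user] = max(last_seen.get(user, t), t)
    return hours, group_resources, last_seen


def off_hours(hour, history, tolerance=3):
    """True when no earlier login fell within +/- tolerance hours (wrapping at midnight)."""
    return all(min(abs(hour - h), 24 - abs(hour - h)) > tolerance for h in history)


def detect(baseline, current, dormant_days=30):
    """Return (finding, user, ...) tuples for each anomalous event in `current`."""
    hours, group_resources, last_seen = build_baselines(baseline)
    findings = []
    for ts, user, group, resource in current:
        t = parse_ts(ts)
        seen = last_seen.get(user)
        if seen is not None and t - seen > timedelta(days=dormant_days):
            findings.append(("dormant_reactivated", user))
        if hours[user] and off_hours(t.hour, hours[user]):
            findings.append(("off_hours_login", user))
        if group_resources[group] and resource not in group_resources[group]:
            findings.append(("group_deviation", user, resource))
        last_seen[user] = t   # a second login a minute later must not re-fire the dormant rule
    return findings


if __name__ == "__main__":
    for finding in detect(BASELINE, CURRENT):
        print(finding)
```

The per-user hour tolerance and the 30-day dormancy cutoff are the knobs the reviewer calls "tweaking the thresholds": too tight and every early start becomes an alert, too loose and a 03:00 login from a finance account is lost in the noise. Seeding the baseline from a quiet week before enforcing it is what the week of "letting it land" in the setup section amounts to.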
Technical Presales at a tech services company with 1,001-5,000 employees
Scalable with excellent security analytics
Pros and Cons
- "This solution has excellent security analytics."
- "I think that the search speed of this solution could be improved."
What is our primary use case?
I am an integrator of this solution, my customers use this as a SIEM solution for log management.
What is most valuable?
This solution has excellent security analytics.
What needs improvement?
I think that the search speed of this solution could be improved.
What do I think about the scalability of the solution?
This is a scalable solution, we have customers who have scaled.
How was the initial setup?
The initial setup is very easy and takes just one day.
What other advice do I have?
I would recommend this solution to everyone considering using it.
I would rate this solution a nine out of ten.
Which deployment model are you using for this solution?
Hybrid Cloud
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Cybersecurity Business Development Manager at a comms service provider with 10,001+ employees
Helpful customer support, overall good functionality, and reliable
Pros and Cons
- "Overall a great solution."
- "There needs to be better integration with other applications."
What is our primary use case?
I am currently working in the Brazilian operation of my company. I have a project in the airline industry in Brazil. This project improves the correlation of logs. There is another company I ticket to improve the solution; they have chosen to correlate the logs. We have a SOC (Security Operations Center) in Brazil, with 53 employees. We developed all these solutions in Brazil and it is in operation in 34 countries.
What is most valuable?
Overall a great solution.
What needs improvement?
There needs to be better integration with other applications.
What do I think about the scalability of the solution?
We have approximately 40 users using the solution.
How are customer service and technical support?
The technical support is good.
How was the initial setup?
The installation is complex.
What about the implementation team?
We do the deployment for the solution.
What other advice do I have?
I rate IBM QRadar a ten out of ten.
Which deployment model are you using for this solution?
Hybrid Cloud
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Managed Security Product at a comms service provider with 1,001-5,000 employees
Excellent artificial intelligence component with tricky licensing fees
Pros and Cons
- "The feature that I have found most valuable is its artificial intelligence component, Watson. Its contribution is pretty good from a machine-learning artificial intelligence perspective. This compliments the orchestration automation component, as well."
- "The features that could be improved include the licensing model and the dashboards and all those presentations. Overall, the user experience part can be improved."
What is our primary use case?
IBM QRadar is a FIM component within the security operation center we were deploying in the customer environment. We are managing their cyber defense capability.
What is most valuable?
The feature that I have found most valuable is its artificial intelligence component, Watson. Its contribution is pretty good from a machine-learning artificial intelligence perspective. This compliments the orchestration automation component, as well.
What needs improvement?
The features that could be improved include the licensing model and the dashboards and all those presentations. Overall, the user experience part can be improved.
Additionally, the coverage, the connectors, and the flex connectors for legacy systems and other aspects could be improved. This is something they can work on and improve.
For how long have I used the solution?
I have been using IBM QRadar for more than two years.
What do I think about the stability of the solution?
It is a stable product.
It takes two to three people for its management, but it purely depends on the scope of the security operations center, the SOC.
What do I think about the scalability of the solution?
It is scalable.
It's kind of non-direct user component. It sits under the security operations center, so it won't be visible to the user, but it will be covering devices and users. It can support 100 to 10,000 devices. So it's kind of a back instance.
In terms of plans to increase usage, I'm currently in a management level, so I'm no longer into the directly technical part. But if there is a requirement, IBM QRadar is definitely one of my preferences.
How are customer service and technical support?
IBM technical support is good.
Which solution did I use previously and why did I switch?
We were using ArcSight from Micro Focus, but we were having some challenges integrating with the systems, with the APIs, and with the connectors. That's why we moved to IBM.
How was the initial setup?
The initial setup is at an intermediate, medium level. It's not that straightforward, but not that complex either. The only thing is that their licensing model is a bit complex because they charge for a couple of components like EPS and NetFlow, so that kind of licensing charging is a bit tricky. But all in all, it's a medium, not that complex.
I think it was set up within a month. But use-case finalization and other configurations took another month. It's kind of a two to three month project to move to production completely.
What's my experience with pricing, setup cost, and licensing?
Our licensing is yearly. But it's based on Events Per Second, which is one of the models. Storage capacity for log management is also considered with the fees. Licensing is a bit complex in IBM, as well. Different aspects need to be considered.
What other advice do I have?
I would recommend IBM to others who want to start using it.
On a scale from one to 10, I would rate IBM QRadar a seven.
Which deployment model are you using for this solution?
On-premises
Disclosure: My company has a business relationship with this vendor other than being a customer: Partner
Highly customizable and provides a single dashboard for global device monitoring
Pros and Cons
- "There is a single dashboard that gives us a complete overview of what is happening around the globe."
- "Ideally we would like a mobile version so that any alert that comes in will notify us in a mobile app, or by using SMS integration."
What is our primary use case?
Our primary use case for this solution is compliance.
How has it helped my organization?
This solution has improved our organization by allowing us to promote vertical security as an added service for our customers.
It has also improved our integration with other applications. Previously we used to have challenges in terms of application integration. I think that it is slowly changing; for example, Oracle Hyperion and these kinds of products integrate more easily because they have the proper plugins. It is important to know that they are properly integrated with your solution.
What is most valuable?
First, the dashboard is a valuable feature. There is a single dashboard that gives us a complete overview of what is happening around the globe. We are able to follow the devices that are connected to the network.
The second thing is the customization that we have done. For example, if there is an account login made in Tokyo then we will immediately get an alert.
What needs improvement?
With the transition to a modern IT operation center, I think that many of the devices are going to be mobile. Somebody may not be at the NOC (Network Operations Center), data center, or SOC (Security Operations Center). If anybody from the non-security team or the NOC team has to receive an active alert, it should be enabled in multiple channels.
Ideally, we would like a mobile version so that any alert that comes in will notify us in a mobile app, or by using SMS integration. We are working on these things internally, but I think that these are some of the things that you're expecting from this product.
For how long have I used the solution?
Less than one year.
What do I think about the stability of the solution?
The stability of this product is pretty good.
What do I think about the scalability of the solution?
The solution is highly scalable. It is one of the reasons that we have chosen this product.
Currently, our network has more than thirteen countries deployed. A roadmap is in place for a total of forty countries, so twenty-six more will be added. Deployment is a continuous exercise for us in terms of increasing the number of devices and applications.
The EPS (Event Per second Licensing) is adjusted based on scale. At this time we have close to three or four hundred events per week. As we grow, we are expecting at least fifteen-hundred events per week.
How are customer service and technical support?
The support is very important during the implementation and initial stages.
I think that the turnaround time has to improve. If we raise a ticket then we have to wait for a patch. After this, the patch will probably have to be applied within our test environment. After testing it has to be promoted to production. Overall, the turnaround time is slow.
How was the initial setup?
Choosing the cloud platform gives a significant advantage in terms of the setup. I have been deploying the same solution across enterprise organizations from day one, and previously it used to take a month for implementation. Now, I think that it has been reduced to two weeks.
The challenge with the old model is that you normally need to work with the hardware vendors to ensure the right patches or data is available. We used to install the physical hardware, but with the cloud version, you can just start your service and add devices. You can start populating and getting reports on alerts and such in a week's time.
The implementation team is about three or four members. It has not yet grown to an operational stage because we are still implementing the solution.
What about the implementation team?
We do the implementation in-house. I am the program manager and I lead the model from inception to completion. That said, we have to connect with the IBM team to assist with integrating the solution. We're getting pretty good support from them.
What's my experience with pricing, setup cost, and licensing?
The solution is a subscription-based model. It is a yearly subscription from my understanding.
In terms of additional costs, it depends on the subscription that you choose. There are plenty of options to choose from.
There is the EPS licensing cost (Event per second licensing), which is a parameter that you choose. By adding countries to our solution, we have to increase the EPS.
Which other solutions did I evaluate?
Yes, for each project we discuss which product to choose, and decide depending on what suits our needs.
SolarWinds is one of the solutions that we use for our NOC operations. We had internal discussions and considered many parameters, but later we decided to move to IBM.
What other advice do I have?
I would rate this solution eight and a half out of ten.
Disclosure: I am a real user, and this review is based on my own experience and opinions.
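The customization the reviewer gives as an example, an immediate alert when an account logs in from Tokyo, is a geolocation rule; a sharper variant also catches two logins whose distance and spacing no traveller could cover. The block below is an added illustration for this page, not QRadar's rule engine or the reviewer's configuration. The city coordinates, the country allow-list, the speed threshold and the login events are constructed assumptions; a real deployment takes the coordinates from the GeoIP lookup the SIEM applies to the source address.

```python
"""Geolocation checks on login events: a country the user is not expected in, and
two consecutive logins too far apart to be the same person. Added illustration, not QRadar code."""
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

# Constructed lookup standing in for GeoIP: city the source IP resolved to -> (country, lat, lon)
PLACES = {
    "frankfurt": ("DE", 50.11, 8.68),
    "munich":    ("DE", 48.14, 11.58),
    "tokyo":     ("JP", 35.68, 139.69),
}

# Constructed login events: (timestamp, user, city the source IP resolved to)
LOGINS = [
    ("2024-10-30T08:00:00", "alice", "frankfurt"),
    ("2024-10-30T08:45:00", "alice", "tokyo"),      # ~9,300 km in 45 minutes
    ("2024-10-30T09:00:00", "bob",   "frankfurt"),
    ("2024-10-30T17:30:00", "bob",   "munich"),     # ~300 km in 8.5 hours, plausible
]


def haversine_km(a, b):
    """Great-circle distance between two (lat, lon) points in kilometres."""
    lat1, lon1 = map(radians, a)
    lat2, lon2 = map(radians, b)
    h = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(h))


def geo_alerts(logins, expected_countries=frozenset({"DE"}), max_kmh=1000.0):
    """Flag logins outside the expected countries and impossible travel between a user's consecutive logins."""
    last = {}      # user -> (time, city) of the previous login
    alerts = []
    for ts, user, city in sorted(logins):   # ISO-8601 timestamps sort chronologically as strings
        t = datetime.fromisoformat(ts)
        country, lat, lon = PLACES[city]
        if country not in expected_countries:
            alerts.append(("unexpected_country", user, city, country))
        if user in last:
            prev_t, prev_city = last[user]
            km = haversine_km(PLACES[prev_city][1:], (lat, lon))
            hours = (t - prev_t).total_seconds() / 3600.0
            # a real distance in zero elapsed time is impossible as well, and avoids dividing by zero
            if km > 50 and (hours == 0 or km / hours > max_kmh):
                alerts.append(("impossible_travel", user, prev_city, city, round(km)))
        last[user] = (t, city)
    return alerts


if __name__ == "__main__":
    for alert in geo_alerts(LOGINS):
        print(alert)
```

The 50 km floor keeps two GeoIP answers for neighbouring addresses in the same city from triggering the rule, and the country allow-list is per organization; for a network spread over thirteen countries, as in the review, it would be the per-user or per-region set of countries seen in the baseline rather than a single value.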
Vulnerability Manager at a tech services company with 51-200 employees
Scanning by the Vulnerability Manager and alert-generation are key features for us
Pros and Cons
- "The most valuable feature is the QRadar Vulnerability Manager which provides vulnerability scans. In addition, I like the way QRadar generates alerts."
- "It would be good if the program allowed certain profiles to only see certain customer information."
What is our primary use case?
Our primary use case is to get logs mainly from firewalls, although you can also get logs from anything that can forward syslogs. We use it to sort events.
How has it helped my organization?
Instead of logging in to multiple devices and checking the logs, QRadar gives us one centralized point for comparing data against each other and rules to make sure that you don't miss anything. It tells you where all the detections happened. It provides easier access and we pick up things way quicker than in the past.
What is most valuable?
The most valuable feature is the QRadar Vulnerability Manager which provides vulnerability scans. In addition, I like the way QRadar generates alerts.
What needs improvement?
It would be good if the program allowed certain profiles to only see certain customer information.
For how long have I used the solution?
Three to five years.
What do I think about the stability of the solution?
If you're running the latest version under recommended specifications, it is very stable thus far.
What do I think about the scalability of the solution?
It's scalable.
How are customer service and technical support?
The technical support has definitely improved. In 2016-17 it took me about ten hours to get a reply from IBM. It now takes an hour to two hours for them to reply to me.
Which solution did I use previously and why did I switch?
We went with QRadar because it's a more well-known product. I was only using the AlienVault Community Edition, a free version. It wasn't a fully-paid version I was using at the time. IBM QRadar was just the product the company was using.
How was the initial setup?
The setup is straightforward. The last one I did took me about three days. It only takes half an hour to set up QRadar, but getting the other systems to talk with QRadar, to forward syslogs, is what took the additional time, because I didn't have all the login information. If you've got all the relevant information, it shouldn't take you more than a day to set it up.
What's my experience with pricing, setup cost, and licensing?
QRadar is quite expensive. It wouldn't be worth it for a small business unless, through a third-party company, they used it in a software-as-a-service type of arrangement, rather than buying the licenses outright.
There are additional costs beyond the standard licensing fees. For example, there are add-ons like the QRadar Vulnerability Manager.
What other advice do I have?
QRadar, as a product, might be very straightforward, but to fully understand the product you would need to go for the QRadar training. IBM's training for QRadar is very expensive but it really helps you use the product to its full potential. Before I went to the training, I only used about ten percent of its capability. I would recommend going for the training on the product.
In terms of the number of users, it's not users logging in every day and doing stuff on QRadar. It's a handful of people from the team monitoring QRadar. We could be managing, for example, 50 or 70 customers through one dashboard and about ten people would be monitoring it. The users have a specific role.
The amount of staff required for deployment or maintenance depends on the type of update or patch that's being deployed. For deployment of a new patch, it could take anything from an hour to about ten hours. It depends on the patch, how big the patch is, and if you've gone through a testing phase or not. So there are multiple dependencies on how long it would take. An average, for me, would be three hours to do certain deployments.
Currently it's being used quite widely. The only downfall of this product would be its price. I wouldn't recommend it for a small company. For larger companies I know it's being widely used.
Disclosure: My company has a business relationship with this vendor other than being a customer: Reseller.
Security Consultant at Varutra Consulting
The product is easy to use, but it needs a comprehensive PDF user guide
Pros and Cons
- "The stability is good."
- "The scalability is good."
- "I would suggest QRadar release any documentation or give an online demo, like videos on YouTube. It would increase publicity and public appeal."
What is our primary use case?
We use it to detect security incidents.
What is most valuable?
- IBM Resilient Incident
- IBM Threat Intelligence
- IBM QRadar is easy to use.
What needs improvement?
The user guide is not readily available. I would suggest the support or technical team release a PDF guide, like Splunk, SolarWinds, or ArcSight. This will be good for consultants or whomever is using QRadar. This would be really helpful. I have searched a lot of sites, but I have not found a single PDF containing everything. Our consultants are taking too much time understanding the product's technical aspects.
They could arrange a demo on their website so users who register may use WebEx or any type of meeting invitation, and the support team could give a demo. Having hands-on technology is important. We lost a few clients, because they asked us, "Do you have hands-on QRadar?" At that time, we said, "No, but we will cover it." Due to this, we didn't get the project. Clients want consultants who are certified in QRadar. Even after completing the certification as a QRadar deployment professional, I would suggest QRadar release any documentation or give an online demo, like videos on YouTube. It would increase publicity and public appeal.
For how long have I used the solution?
Less than one year.
What do I think about the stability of the solution?
The stability is good.
What do I think about the scalability of the solution?
The scalability is good.
How are customer service and technical support?
I haven't contacted the technical support yet.
What about the implementation team?
We have a security consultant for our deployments.
We haven't deployed yet, but our client has deployed IBM QRadar. We have been monitoring it, creating rules, and fine tuning it. These are my responsibility with respect to QRadar.
I did not get the opportunity or experience to deploy QRadar into the client's environment.
Which other solutions did I evaluate?
We are recommending IBM QRadar, SolarWinds, and ArcSight to our clients.
Disclosure: I am a real user, and this review is based on my own experience and opinions.
General Manager at Global Solutions Services
Log correlation is very useful for processing alerts
Pros and Cons
- "Log correlation is very useful for processing alerts. It serves to follow up alerts in real-time, building an entire workflow."
- "Its architecture is very complicated."
What is our primary use case?
- CRM and billing system
- 100 multiple technology servers: Windows AD, Linux, HP-UX, etc.
- 40 firewall multiple routers
- Cisco Nexus switches
How has it helped my organization?
Log correlation is very useful for processing alerts. It serves to follow up alerts in real-time, building an entire workflow.
What is most valuable?
- DSM parsing
- Log correlation
- X-Force connectivity
- Ease of DSM customisation
- Multiple reports
What needs improvement?
- Data encryption
- Flow encryption
- Third-party compliance
- Its architecture is very complicated.
- Its hardware is Lenovo-based.
For how long have I used the solution?
Three to five years.
Disclosure: My company has a business relationship with this vendor other than being a customer: IBM Partner
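Two of the features the reviewer lists, DSM parsing and log correlation, are the pipeline that the earlier firewall-syslog review also leans on: a device support module turns each raw line into a normalized event with fixed fields (time, host, category, user, source address), and correlation rules then match sequences of those events across devices. The block below is an added illustration for this page, not a QRadar DSM or a QRadar rule. The log lines follow the format OpenSSH's sshd really emits, but the hosts, user names and addresses are constructed, the year is assumed because BSD syslog timestamps carry none, and the three-failures-then-success rule with a five-minute window is an assumed threshold.

```python
"""Minimal DSM-style parser for OpenSSH syslog lines plus one correlation rule
(N failures from a source followed by a success). Added illustration, not QRadar code."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed syslog lines in the format sshd emits; hosts, users and addresses are made up.
RAW_SYSLOG = """\
Oct 30 10:00:01 gw1 sshd[2201]: Failed password for invalid user admin from 203.0.113.7 port 50211 ssh2
Oct 30 10:00:03 gw1 sshd[2201]: Failed password for root from 203.0.113.7 port 50212 ssh2
Oct 30 10:00:05 gw1 sshd[2201]: Failed password for root from 203.0.113.7 port 50213 ssh2
Oct 30 10:00:09 gw1 sshd[2205]: Accepted password for root from 203.0.113.7 port 50214 ssh2
Oct 30 10:01:00 gw2 sshd[3100]: Failed password for alice from 198.51.100.9 port 40001 ssh2
Oct 30 10:02:00 gw2 sshd[3101]: Accepted publickey for alice from 198.51.100.9 port 40002 ssh2
Oct 30 10:02:30 gw2 kernel: eth0: link up"""

SYSLOG_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2}) +(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) "
    r"(?P<host>\S+) (?P<proc>[\w-]+)(?:\[\d+\])?: (?P<body>.*)$"
)
SSHD_RE = re.compile(
    r"^(?P<outcome>Failed|Accepted) (?P<method>\w+) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<src>[\d.]+) port (?P<port>\d+)"
)
ASSUMED_YEAR = 2024   # BSD syslog carries no year; a real DSM takes it from the collector clock


def parse_syslog(line):
    """Normalise one sshd line into a flat event dict; None for lines this 'DSM' does not cover."""
    m = SYSLOG_RE.match(line)
    if not m or m["proc"] != "sshd":
        return None
    b = SSHD_RE.match(m["body"])
    if not b:
        return None
    when = datetime.strptime(f"{ASSUMED_YEAR} {m['mon']} {m['day']} {m['time']}", "%Y %b %d %H:%M:%S")
    return {
        "time": when,
        "host": m["host"],
        "category": "auth.success" if b["outcome"] == "Accepted" else "auth.failure",
        "method": b["method"],
        "user": b["user"],
        "src_ip": b["src"],
    }


def correlate(events, threshold=3, window=timedelta(minutes=5)):
    """Raise an offense when a source that failed `threshold` times inside `window` then succeeds."""
    failures = defaultdict(deque)   # src_ip -> timestamps of recent failures, oldest first
    offenses = []
    for e in sorted(events, key=lambda e: e["time"]):
        recent = failures[e["src_ip"]]
        while recent and e["time"] - recent[0] > window:
            recent.popleft()        # slide the window forward
        if e["category"] == "auth.failure":
            recent.append(e["time"])
        elif e["category"] == "auth.success" and len(recent) >= threshold:
            offenses.append(("brute_force_success", e["src_ip"], e["user"], len(recent)))
            recent.clear()          # one offense per burst, not one per later success
    return offenses


def run(raw=RAW_SYSLOG):
    """Parse every line, drop what the parser does not understand, and correlate the rest."""
    events = [e for e in map(parse_syslog, raw.splitlines()) if e is not None]
    return events, correlate(events)


if __name__ == "__main__":
    events, offenses = run()
    print(f"{len(events)} normalised events")
    for offense in offenses:
        print(offense)
```

Keying the failure window on the source address rather than the user name is what catches the first line, where the attacker tried a user that does not exist; keying on the user would miss it. The kernel line is the equivalent of an event with no matching DSM, which a SIEM stores but cannot correlate, and it is the reason the earlier reviewer calls the ease of DSM customisation a key feature.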