IBM Security QRadar Reviews

IBM QRadar is a FIM component within the security operation center we were deploying in the customer environment. We are managing their cyber defense capability.

The feature that I have found most valuable is its artificial intelligence component, Watson. Its contribution is pretty good from a machine-learning artificial intelligence perspective. This compliments the orchestration automation component, as well.

The features that could be improved include the licensing model and the dashboards and all those presentations. Overall, the user experience part can be improved.

Additionally, the coverage, the connectors, and the flex connectors for legacy systems and other aspects could be improved. This is something they can work on and improve.

I have been using IBM QRadar for more than two years.

It is a stable product.

It takes two to three people for its management, but it purely depends on the scope of the security operations center, the SOC.

It is scalable. 

It's kind of non-direct user component. It sits under the security operations center, so it won't be visible to the user, but it will be covering devices and users. It can support 100 to 10,000 devices. So it's kind of a back instance.

In terms of plans to increase usage, I'm currently in a management level, so I'm no longer into the directly technical part. But if there is a requirement, IBM QRadar is definitely one of my preferences.

IBM technical support is good.

We were using ArcSight from Micro Focus, but we were having some challenges integrating with the systems, with the APIs, and with the connectors. That's why we moved to IBM.

The initial setup is at an intermediate, medium level. It's not that straightforward, but not that complex either. The only thing is that their licensing model is a bit complex because they charge for a couple of components like EPS and NetFlow, so that kind of licensing charging is a bit tricky. But all in all, it's a medium, not that complex.

I think it was set up within a month. But use-case finalization and other configurations took another month. It's kind of a two to three month project to move to production completely.

Our licensing is yearly. But it's based on Event Per Second, which is one of the models. Storage capacity for log management is also considered with the fees. Licensing is a bit complex in IBM, as well. Different aspects needs to be considered.

I would recommend IBM to others who want to start using it.

On a scale from one to 10, I would rate IBM QRadar a seven.

Our primary use case for this solution is compliance. 

This solution has improved our organization by allowing us to promote vertical security as an added service for our customers.

It has also improved our integration with other applications. Previously we used to have challenges in terms of application integration. I think that it is slowly changing; for example, Oracle Hyperion and these kinds of products integrate more easily because they have the proper plugins. It is important to know that they are properly integrated with your solution.

First, the dashboard is a valuable feature. There is a single dashboard that gives us a complete overview of what is happening around the globe. We are able to follow the devices that are connected to the network. 

The second thing is the customization that we have done. For example, if there is an account login made in Tokyo then we will immediately get an alert.

With the transition to a modern IT operation center, I think that many of the devices are going to be mobile. Somebody may not be at the NOC (Network Operations Center), data center, or SOC (Security Operations Center). If anybody from the non-security team or the NOC team has to receive an active alert, it should be enabled in multiple channels.

Ideally, we would like a mobile version so that any alert that comes in will notify us in a mobile app, or by using SMS integration. We are working on these things internally, but I think that these are some of the things that you're expecting from this product.

The stability of this product is pretty good.

The solution is highly scalable. It is one of the reasons that we have chosen this product.

Currently, our network has more than thirteen countries deployed. A roadmap is in place for a total of forty countries, so twenty-six more will be added. Deployment is a continuous exercise for us in terms of increasing the number of devices and applications.

The EPS (Event Per second Licensing) is adjusted based on scale. At this time we have close to three or four hundred events per week. As we grow, we are expecting at least fifteen-hundred events per week.

The support is very important during the implementation and initial stages.

I think that the turnaround time has to improve. If we raise a ticket then we have to wait for a patch. After this, the patch will probably have to be applied within our test environment. After testing it has to be promoted to production. Overall, the turnaround time is slow. 

Choosing the cloud platform gives a significant advantage in terms of the setup. I have been deploying the same solution across enterprise organizations from day one, and previously it used to take a month for implementation. Now, I think that it has been reduced to two weeks.

The challenge with the old model is that you normally need to work with the hardware vendors to ensure the right patches or data is available. We used to install the physical hardware, but with the cloud version, you can just start your service and add devices. You can start populating and getting reports on alerts and such in a week's time.

The implementation team is about three or four members. It has not yet grown to an operational stage because we are still implementing the solution. 

We do the implementation in-house. I am the program manager and I lead the model from inception to completion. That said, we have to connect with the IBM team to assist with integrating the solution. We're getting pretty good support from them.

The solution is a subscription-based model. It is a yearly subscription from my understanding.

In terms of additional costs, it depends on the subscription that you choose. There are plenty of options to choose from.

There is the EPS licensing cost (Event per second licensing), which is a parameter that you choose. By adding countries to our solution, we have to increase the EPS.

Yes, for each project we discuss which product to choose, and decide depending on what suits our needs.

SolarWinds is one of the solutions that we use for our NOC operations. We had internal discussions and considered many parameters, but later we decided to move to IBM.

I would rate this solution eight and a half out of ten.

Our primary use case is to get logs mainly from firewalls, although you can also get logs from anything that can forward syslogs. We use it to sort events.

Instead of logging in to multiple devices and checking the logs, QRadar gives us one centralized point for comparing data against each other and rules to make sure that you don't miss anything. It tells you where all the detections happened. It provides easier access and we pick up things way quicker than in the past.

The most valuable feature is the QRadar Vulnerability Manager which provides vulnerability scans. In addition, I like the way QRadar generates alerts.

It would be good if the program allowed certain profiles to only see certain customer information.

If you're running the latest version under recommended specifications, it is very stable thus far.

It's scalable.

The technical support has definitely improved. In 2016-17 it took me about ten hours to get a reply from IBM. It now takes an hour to two hours for them to reply to me.

We went with QRadar because it's a more well-known product. I was only using the AlienVault Community Edition, a free version. It wasn't a fully-paid version I was using at the time. IBM QRadar was just the product the company was using.

The setup is straightforward. The last one I did took me about three days. It only takes half an hour to set up QRadar, but getting the other systems to talk with QRadar, to forward syslogs, is what took the additional time, because I didn't have all the login information. If you've got all the relevant information, it shouldn't take you more than a day to set it up.

QRadar is quite expensive. It wouldn't be worth it for a small business unless, through a third-party company, they used it in a software-as-a-service type of arrangement, rather than buying the licenses outright.

There are additional costs beyond the standard licensing fees. For example, there are add-ons like the QRadar Vulnerability Manager.

QRadar, as a product, might be very straightforward, but to fully understand the product you would need to go for the QRadar training. IBM's training for QRadar is very expensive but it really helps you use the product to its full potential. Before I went to the training, I only used about ten percent of its capability. I would recommend going for the training on the product.

In terms of the number of users, it's not users logging in every day and doing stuff on QRadar. It's a handful of people from the team monitoring QRadar. We could be managing, for example, 50 or 70 customers through one dashboard and about ten people would be monitoring it. The users have a specific role.

The amount of staff required for deployment or maintenance depends on the type of update or patch that's being deployed. For deployment of a new patch it, it could take anything from an hour to about ten hours. It depends on the patch, how big the patch is, and if you've gone through a testing phase or not. So there are multiple dependencies on how long it would take. An average, for me, would be three hours to do certain deployments.

Currently it's being used quite widely. The only downfall of this product would be its price. I wouldn't recommend it for a small company. For larger companies I know it's being widely used.

We use it to detect security incidents.

• IBM Resilient Incident
• IBM Threat Intelligence
• IBM QRadar is easy to use.

The user guide is not readily available. I would suggest the support or technical team release a PDF guide, like Splunk, SolarWinds, or ArcSight. This will be good for consultants or whomever is using QRadar. This would be really helpful. I have searched on a lot on sites, but I have not found a single PDF containing everything. Our consultants are taking too much time understanding the product's technical aspects.

They could arrange a demo on their website so user who register may use WebEx or any type of meeting invitation, and the support team could give a demo. Having hands-on technology is important. We lost a few clients, because they asked us, "Do you have hands-on QRadar?" At that time, we said, "No, but we will cover it." Due to this, we didn't get the project. Clients wants consultants who are certified in QRadar. Even after completing the certification as a QRadar deployment professional, I would suggest QRadar release any documentation or give an online demo, like videos on YouTube. It would increase publicity and public appeal. 

The stability is good.

The scalability is good.

I haven't contact the technical support yet.

We have a security consultant for our deployments. 

We haven't deployed yet, but our client has deployed IBM QRadar. We have been monitoring it, creating rules, and fine tuning it. These are my responsibility with respect to QRadar. 

I did not get opportunity or experience to deploy the QRadar into the client's environment.

We are recommending IBM QRadar, SolarWinds, and ArcSight to our clients.

• CRM and billing system
• 100 multiple technology servers: Windows AD, Linux, HP-UX, etc.
• 40 firewall multiple routers 
• Cisco Nexus switches

Log correlation is very useful for processing alerts. It serves to follow up alerts in real-time, building an entire workflow.

• DSM parsing
• Log correlation
• X-Force connectivity
• Ease of DSM customisation
• Multiple reports
  

• Data encryption
• Flow encryption
• Third-party compliance
• Its architecture is very complicated.
• Its hardware is Lenovo-based.
  

I think it has improved our organization by the speed at which I can run queries compared to other software that I've used in the past. It's a lot quicker and holds a lot more information. It helps keep a good cognitive overview of our environment from a security standpoint.

Some of the most valuable things that I get from QRadar are the custom parsers. A lot of the syslog items I get pushed to QRadar, instead of trying to build a custom parser to parse out the information that we need in order to do our investigations or to review that data. There's a ton of already defined ones in the application.

Plus, when you build rules, it's a really good user experience. It's like plug-and-play rules to flow out what you want, for whether what you want to look at has a certain level of severity or if you want real-time alerting on something that's happening right away in your environment that you want to investigate.

I'd like to see it being able to be integrated with more security products. I'm a big Guardian user; it's nice for the bidirectional. I can do some stuff, like a SQL injection, or if something is happening.

But if there were other security tools that it could better integrate with, like to go both ways; say it knows that a user is having heavy traffic, maybe it integrates with DOP to look at different sessions that they're doing. Something like that; like backwards compared to DOP, like reporting to it.

It's really good, but there's room for improvement; some more bidirectional integration with different security applications, especially some of the IBM Security ones like BigFix or something like that.

We haven't encountered any issues with stability.

We can scale it as big or as large as we want in our environment just by adding multiple sources. It's just, from a licensing standpoint, you hit a certain mark. You want to make sure you either ignore some of that, or you just have to get more licenses.

I've opened PMRs before. They're usually pretty responsive. The guys usually have pretty good knowledge, and they'll help you fix your issue pretty fast.

It was easy to know we needed a new solution; when you have Symantec's DLP that's really crappy and they end-of-life it, you've got to start looking for other products. That's why we changed.

The setup wasn't too complex. It was pretty straightforward. Basically, it's pretty much out of the box. You don't have to configure it much for your environment. It's built for many different types of companies. Once you start getting in all of your different log sources and using those custom parsers I mentioned, basically you've got to start looking at, What's white noise? What's not white noise? That's really what takes up a lot of your time, as to scaling it for your environment. The setup itself isn't very difficult.

We evaluated LogRhythm. LogRhythm is a really good product. It's close to QRadar, but, as I mentioned, those custom parsers. Also, LogRhythm's a little more difficult to install; we did the PoC for both leading SIEM solutions. Working with other IBM products, plus getting a discount for how much IBM stuff we already buy; it was easier for us to go with the QRadar route.

In general, when I go to work with a vendor, the important criteria I look for are how well they build relationships with you; how well they're willing to help you. Also, what are little things they're willing to do for free? Are they willing to, maybe, teach you how to do something a little bit here and there for free? Little things, give and take, here and there, make a good relationship with a vendor.

Make sure you understand how many log sources you have in your environment. Kind of get an idea of how many per second you're going to be getting. That way, you have a good idea for your licensing model to start out with. In the past, we had a certain set we thought we were going to have, and then we had to upgrade, and then upgrade again, for the license count.

Also, make sure you're doing correct tuning. Otherwise, you're just going to flood your SOC, and they're gonna' spend too much time sifting through white noise.

It gives me insight and visibility, so I can detect a threat coming in and all the offenses are coming in from monitoring one spot.

We're centralizing all the logs in one location. So, if you have an incident, you can definitely discover it fairly quickly, as it's in one database. In general terms, if you have any botnets or malware, you identify and mitigate it fairly quickly.

The biggest challenge is in the upgrade, e.g., when it comes down to a new OS, you have to wipe it clean and reset everything. It takes time when you have 40-50 devices all over the place. It's impossible sometimes to go out and touch every single one of them. So, then, if it's an automatic process, you can upgrade to the new version in just point and click. However, that's not the case right now.

WinCollect is a challenge also, and I'd highly recommend that the Q1 team should build a lot of Windows-based collectors that simply work. Just like the competitor, Spunk, when you put it in, you don't have to do too much modifications. So, that's a challenge right now.

The environment is pretty stable. We just upgraded about a year ago, so it's pretty robust in the environment that we have. It's working really well for us, we've been using it for about 10+ years. We bought it before IBM purchased them.

We interact with IBM regularly, so we have a direct tie with them. We're almost like a partner, right now, and we are working very well together.

The technical support is pretty good, i.e., if you get the right person in, it moves pretty fast and issues are resolved fairly quickly. But, you just need to find the right person, which can be a little difficult sometimes.

The setup is very complex; it's not like somebody can walk in and build it. It requires many years of experience to manage and maintain it. You need to have at least an experienced and dedicated team, in order to maintain the environment that we have. It's nothing like a click-and-done type; it requires a lot of care and feeding to manage the environment.

It's a very solid product. However, there are a lot of things that can be improved.

Definitely get a team or hire a professional to install this product. Otherwise, I guarantee you're not going to be successful. There is a lot of filtering that needs to be done; otherwise, you are going to get overwhelmed with the events coming in and will have no idea, as to what is right and wrong. You definitely want to hire a trained team or some professionals.

The price is the most important criteria when selecting a vendor. Other factors such as the quality of the product, PoC, how well the team interacts and the support, are always important.

We are using the current version.

The solution supports MSSP models, which most service providers have. This means that a single system can be onboarded for all 200 existing customers for monitoring purposes. 

The implementation of the solution's technology needs to be simplified. It is overly complex. 

The integration also must be simplified. 

The licensing is also overly complex, as there is a need to buy the work load performance monitoring separately. These are the different modules we need to buy. 

IBM does not provide a combined, combo suitor solution which the customer can easily look at. The multiple functionalities are segmented and do not allow for an idea which is complete. It makes it difficult for us to do a realistic comparison with other products. I hope that others follow suit. 

We have been using IBM QRadar for almost eight-and-a-half years. 

No doubt about it, the solution is extremely stable. 

The solution needs to be redesigned to allow for scalability or for extending it to the existing one. There is a need to do long-term planning and migration from an existing to a new one and this cannot be easily accomplished. Storage cannot be added to the installation. One must completely migrate to the new storage to add additional terabytes. 

As such, the solution is not quite scalable. The scalability exists, but it requires migration. 

We are very happy with the technical support. 

The initial setup was extremely complex. 

We made use of an integrator. 

We have nearly two hundred customers making use of the solution.

We have direct contact with Ingram Micro or have a service partner relationship with it, but work directly with IBM as our ISP. 

We are a managed security service provider and wholesale customer of IBM QRadar

We buy a bulk license from IBM QRadar and host around 200 plus customers in a single integration so that all the customer events will be integrated in one solution. We are not integrators and do not resell their services.

As such, we don't buy the license or sell the tools to others. We will buy a license, inclusive of the services, host it with our private cloud and provide services to the end clients.

Our customer base of IBM users is limited. When it comes to a security operations center team, IBM will be looked to for providing security monitoring on an ongoing basis. We must see that it is working as it should be. 

I would recommend this solution to others. 

I rate IBM QRadar as an eight out of ten.