IBM Security QRadar Reviews

The use cases that are widely used across the globe are related to ransomware phishing, lateral movement, et cetera.

The simple user access model, or the user interface, is something that is very helpful.

The initial setup is not too difficult. 

So far, we have found the product to be stable. 

We've found the solution to be scalable.

The IBM support can be better. It's an aspect that needs improvement. 

In future iterations, I'd like to see an advance in office management, the out-of-the-box use cases that are provided. That needs to be part of the requirement.

It's a stable solution. There are no bugs or glitches. It doesn't crash or freeze. It's reliable. 

The solution scales well.

We have 45,000 users on the solution right now. 

We do plan to increase usage soon. 

We've dealt with technical support in the past and it was lacking. 

They have provided dedicated time to us, to work on the issue that we are observing right now.

We did not use a different solution. We chose this due to the fact that it's an industry-accepted solution. The use cases are easy to configure in multiple things that we considered important while taking the solution.

The deployment was easy. It wasn't overly complex.

It took me around six months to do the implementation. 

We handled the deployment with the assistance of a vendor partner. 

I can't speak to the exact pricing. I've never looked at its commercial costs. 

We did consider other options before choosing this product.

We are a preferred partner of IBM.

I'd rate the solution at a seven out of ten.

We don't have a business relationship with IBM QRadar, our relationship is a customer relationship. We use IBM QRadar as our primary security solution.

QRadar is the primary tool in our security center. We use it to collect information from different devices, detect, and analyze various threats or attacks to protect our system.

Vulnerability detection is the most valuable feature. It's the tool that finds the threats.

The tool is very complicated. One place for improvement would be to have a more user-friendly interface. Having better support in Spanish would be cool.

The solution is scalable. Currently, wehave between 50 to 70 users working with this solution.
We have plans to increase the usage of the product in the future.

My experience with technical support has not been so good because I would prefer support in Spanish which I haven't gotten.

The initial setup was very complex.

We are planning to take at least one year for the complete setup. Deployment went fast, between six and three hours.

We used an integrator for the deployment. The experience was excellent, outstanding.

This kind of solution is essential. The communication network functions very well.

On a scale of one to 10, ten being the best, I would give this product a rating of nine.

IBM Qradar is

• Ease of install . Its effectively redhat6.5 with an app on top.

• Automatic log source identification

• Inbuilt rules and reports are comprehensive so out of the box the system does things

• Recognises every log source we have added.
• IBM supply a virtual image which makes the standing up of a system a small piece of work.

IBM Qradar has great data reduction. We have several hundred million log records arrive on various of the platforms daily and have been able to tune them to alert on important things well. Very few false positives.

Like any SIEM product at a very base level the system is a pattern matcher. Looking for patterns in single log messages or looking for patterns in multiple logs messages combined with flow data. It has a primary focus of Security Event Management but you can look for anything in the information flowing through the system and can alert on it. So it can be used - and we do - as a general IT event management/monitoring system.

Room for improvement - IBM Qradar:

• Graphing on the system is a tad course. Analytics now requires really high quality graphing to assist in pinpointing anomalies.
• Need for multiple Java versions for deployment setup is a pain.
• There are areas you need to have Java 7 to be able to use.(Primary need for this is to access the Deployment area)
• We need to be able to handle multiple overlapping ip address areas. That is coming we know. But slowly.
• When you are building this in a virtualised environment you do have a bit of difficulty accessing the GUI.

3.5 years

I have used several versions of the Qradar system. Both the IBM version and the Juniper STRM OEM version.

IBM I rate as 7.5/10

STRM at 7/10

No real issues with deploy. What it is doing is exactly what we expected. It does have a few wrinkles but that is more about where we are collecting logs from.

No stability issues yet.

No scalability issues yet. We have sized the latest system to cope with up to 10000 eps and or only at about 4000 at the moment. Scaling is simply adding extra license as required at the moment. Easy.

Generally excellent.

Generally excellent.

• We were using SPLUNK. Licensing does not allow you to expose Splunk screens to customers (we are an ISP and IT service provider).
• Mcafee Nitro was too expensive
• Arcsight takes too long to install and tune

Simple:

• Boot VM off ISO image.
• Install license
• Point logs at it
• Done

Occasionally the documentation did not reflect what was happening so did need to access tech support a few times.

We implemented it ourselves. Initial seat of pants approach. Worked. I got my Redhat builder to spin up the two VM servers off the supplied image, licensed them, gave them the appropriate IP addresses, created the deployment (the Java 7 bit) and the system started receiving logs from the 1200 CISCO routers.

We are fulfilling a government contract. Install and move to BAU has been done and it came in under the estimated budget…..so All Good.

• Mcafee Nitro
• Juniper STRM
• AlienVault. Note. We would probably have used AlienVault but there was no representation in Asia Pacific at the time
• TrustWave

• First gather your requirements
• From that build a business case.
• Understand that no matter what technology you choose the technology area is 15% of the effort. Your processes are 85%. No process…then 5h1t in …5h1t out.
• Make sure you know your business reasons for the implementation

I think this is a good product for enterprises because of the performance and out-of-the-box rules and use cases. If they want to reach the maturity level early, they can use these out-of-the-box rules and use cases. That will help them a lot.

IBM QRadar User Behavior Analytics is good, but I think the functionality should be much more integrated. You should have easy access to the artifacts if you are doing a particular investigation. It's good, but other team solutions like LogRhythm are actually merging the functionality. So, I think that is something IBM can work on. 

We have been using IBM QRadar User Behavior Analytics for about four years.

Stability is good, but the investigation system should be better.

IBM QRadar User Behavior Analytics is scalable. You have the EPS and closed license. I think scalability is not an issue because it is available on both the hardware and the software. You can install the software plans if you want, and there is also a hardware plan.

Their technical support is good. I have not faced any issues before, and the technical support is good.

I will recommend this solution to potential users.

On a scale from one to ten, I would give IBM QRadar User Behavior Analytics a seven. 

We are service providers, and we are always exploring tools to accompany existing tools. I am always searching for the best products to meet my clients' requirements. I always look to understand the technology first, learn what benefits we can get from the product, how competitive is it with other tools such as DarkTrace, and Palo Alto.

We are working with this solution, but it is being managed by another vendor.

We are service providers. We are providing SOC service and MSSP services for our clients. 

We are working on various products, not one specific product. We can provide services for any product, in fact, any security solution.

There have been many advancements made in the most recent year. There are many add-ons included in the licenses that I have yet to explore.

There have been many improvements. When I worked with this solution at the core technical level, it was a SIEM solution. Many attributes have been added, such as threat intelligence, SO solutions, automation, and OT security. Many other platforms have been included as part of IBM QRadar.

The flexibility is good in terms of pulling log files.

Automation is an area that people are looking for. IBM does have the SO solutions platform, but it would be more useful if they could have predefined use cases rather than using more generic ones. It would be much better if they could customize their use cases.

It's resource-intensive.

The IBM QRadar team has to be proactive and they have to be informative about the product.

They don't want to spend too much money on the SIEM because it is obviously resource-intensive. But the SIEM is a very useful product when you have good resources and good software.

For large organizations, that want to integrate all of the log sources, the pricing will be too expensive. This is the main reason that clients are not interested in SIEM solutions.

I have been working with IBM QRadar for approximately four years.

I moved into consulting, at the architectural level. I'm not working at the core level but I know the basics of QRadar and how exactly it functions. 

Technical support is good. 

My personal experience was fantastic. They are always good and we have never had any problems.

There are a lot of online resources available.

When compared with other SIEM solutions, QRadar is considerably less expensive. I would like to compare it with Elasticsearch because they have different pricing strategies.

QRadar is events per second, EPS-based, whereas Elasticsearch is resource-based. You have to estimate based on how many resources will be used in the infrastructure, irrespective of log resources and log volumes. 

They are charging based on the resources. 

I'm exploring the Elastic Stack Elasticsearch currently. Splunk is out of scope for us right now, we're not interested in that. Sentinel is one that we are interested in.

There are many competitive tools that are emerging regarding XDR solutions or SO solutions, which are capabilities that QRadar offers.

The competition is very different from the geographical locations.

For the Indian market, locally, they are still working on the old SIEM structure. It is a very generic SIEM model. Western countries, especially North American clients, are advanced in terms of moving the infrastructure to the cloud. Some have OT security and they're also doing some Office 365 advancements and several advanced search engines for endpoint detection.

They are expecting that nothing is left behind without using any licenses. Microsoft provides part of the security services if you go with the EFI license.

As vendors, we need to counter with the important visibility areas, and the critical access, which needs to be monitored as part of security. 

I would rate IBM QRadar a seven out of ten.

This a Security Information and Event Management (SIEM) solution and we use it for many purposes.

One of the most valuable features of this solution is it has very good data correlation.

In a future release, the solution could provide malware analysis.

I have been using this solution for approximately three years.

The solution is stable.

The scalability is good and we have approximately 200 users using this solution.

The technical support has been very good in my experience.

The initial setup was straightforward.

There is a license required for this solution. There are some limitations depending on what license you purchase.

I would recommend this solution.

I rate IBM QRadar an eight out of ten.

We are looking for the entire QRadar spectrum but it has many products. QRadar is a kind of program, we are looking for system modelling, point modelling, network side modelling similar to QRadar network inside, and the capability to correlate between the network and endpoint. Most of the SIEM's have to rely on when it comes to network side third party or separate network traffic analysis. When it comes to QRadar, they can do the correlation and not only in networks but also endpoints. This is one of the good features that we have noticed.

Since we have not used the solution very long my information is limited when it comes to improvements. I have noticed the interface has room for improvement.

I have been using the solution for two years. However, my company has not deployed the solution yet and we are in the early stages of testng.

The solution has a good technical team.

The installation is complex. There is some overloading that happens, this could be simplified and made easier by allowing all key features on the first level dashboard to be viewed.

When it comes to the initial pricing there can be a huge discount from there side and also I think they are open to competing with other products. Even though the price can be a little high sometimes there product is number one. They have a wide range of products.

We have compared Securonix and many other solutions to this one.

I rate IBM QRadar a nine out of ten.

We primarily use the solution for log collection and security incidents as well as event management.

We benefit the most from the integration on offer. IBM QRadar offers a solution to our enterprise customers, and certainly, the admin has been benefiting from it, in terms of having more visibility on what's happening on the network in terms of events, flows, et cetera, and all in real-time. 

In general, the product is awesome. It's almost perfect.

The most valuable aspect of the solution is the integration capabilities on offer. It's very helpful to have so many options.

The initial setup is pretty straightforward.

The stability is good.

We've found the scalability to be excellent.

It offers all of the specifications of the hardware that we need.

The performance of the solution could be improved. Right now, it's the weakest aspect. I wish it was better.

Technical support could be improved by a bit.

I've been dealing with the solution for five years at this point.

The stability of the solution is very good. It's reliable. There aren't bugs or glitches. It doesn't crash or freeze. It's been good.

There's nothing better than QRadar when it comes to scalability. You can scale it to 100,000s of events per second. It can be scaled as much as you want. It has no limitations to it.

Technical support is okay. On a scale from one to ten, I would give them an eight. They could do better, however, we are mostly happy with their level of support.

The initial setup is not complex at all. It's quite straightforward. If a company implements this solution, they shouldn't have any issues with the setup process at the outset.

How long it takes to deploy depends on the size of the environment and the company. If it's a small enterprise, it can be done basically in a week or so. It's all about not just the department, however. It's all about collecting the log sources to integrate into it. That is where the process takes time. If the log sources are put together, things become much easier to handle. It's quicker and easier to define the rules, correlations, and reporting. The most time spent at the outset is in collecting the log sources and getting the log sources to send the data to.

The deployment process doesn't need many people. It depends on the deployment structure at first. If it treats a distributed architecture, of course, you need a couple of guys to be on board. However, then it's not only about deploying the solution, it's all about integrating the solution with different products or different platforms. That is where the time goes in. It's not a one-person job. Right from the application database, metro securities, and different controls that are in place, they all need to be integrated into the center. If we're talking about an enterprise, the team in an enterprise is equally responsible for waiting for those things to integrate.

The NEMA licensing structure is very easy. It's far better than the previous licensing structure they had. They charge you based on the number of events per second and flows per second, and that's the beauty of it. The rest of the components are complimentary. That's it. It's not a complex process of licensing anymore. It's very simple and straightforward.

We are resleers of QRadar.

In general, we have been quite happy with the solution. I would rate it nine out of ten.

We get excellent visibility in every aspect. It's easy to handle incidents when you really have everything in one place. You begin to know exactly what's happening on a network, and how the systems are performing and behaving.

When you compare it to other products, what I would advise is you look at how long they have been in business. This product has been in business for a very long time. You also need to look at the other integration factors, such as forensic, as they're very important. When it comes to forensic, nobody does better than what IBM Qradar Forensic does. There are other factors too - like its Watson integration, and all those things really play an equally important role.

It's not only about just the SIM, or your goals towards is going to be in building the SOC, Security Operation Center. It's all about automation as well. The integration should also look into automation capabilities. That way, you will be able to scale it up to build up a proper SOC.