IBM Security QRadar Reviews

SIEM solutions must be business driven. Utilizing a SIEM solution depends on your enterprise goals, from meeting compliance requirements to implementing security controls and identifying the absence of controls. A SIEM solution can also be used to improve your business and increase your sales. With QRadar, you can do all these, even if you are not a security expert. It comes with a set of default rules which makes your life easier, from ransomware attacks to DDoS attacks. Everything can be detected if your logs are properly integrated into QRadar. 

It gets better with extensions and other rules you install from the IBM Security App Exchange, where you can detect malicious website access (with the intent of ransomware), P2P activity, or someone spamming everything. You can be notified, then you can run scripts to make QRadar take an action. 

I am a security analyst working with QRadar.

It is always evolving with new patches, new UX/UI (such as 7.3), new rules, and new extensions. It lets you evolve your company accordingly.

The usage of QRadar or any SIEM solution depends on the company goals, but with QRadar, the user interface, the dashboards, reports, installing extensions, and playing with the rules are easier. 

QRadar has helped our company a lot in evolving our security policy and taking care of weak controls. QRadar helped us in the blacklisting and whitelisting of applications. It helped us identify our security threats, and improve our firewalls. With the QRadar Vulnerability Manager, it helped us take care of vulnerable assets. 

• Its default set of rules: It comes with many rules disabled. You can tune them and modify them according to your enterprise needs and avoid false positives.
• The extension management: There are more than 120 extensions in QRadar, which are easy to install and configure. These can improve your analysis of events. 
• UBA 2.7: It can help you detect insider threats. 
  

QRadar log integration of various applications can be a tough job at times. There may be occasions when you will not find any QRadar guide on adding logs of a particular application. Even if you come across one, adding a log process is not an easy one. Plus, it is also vulnerable because the ports used to integrate those log sources with QRadar are well-known and most of them are vulnerable ones. 

QRadar is easily scalable in many ways: vertical and horizontal.

• Horizontal: You can increase the QRadar processing power with QRadar App Node and Data Node.
• Vertical: You can always implement multiple QRadars: Event collectors and flow, collectors, and then you can route your offenses, such events and flows from one QRadar to the next one.

Buying anything, an enterprise must look for troubleshooting and fixing its issues using its support. With QRadar, all those things are easily available and just a click away on the Internet. From IBM Fixlet to dW Answers, you can do a lot.

I think it has improved our organization by the speed at which I can run queries compared to other software that I've used in the past. It's a lot quicker and holds a lot more information. It helps keep a good cognitive overview of our environment from a security standpoint.

Some of the most valuable things that I get from QRadar are the custom parsers. A lot of the syslog items I get pushed to QRadar, instead of trying to build a custom parser to parse out the information that we need in order to do our investigations or to review that data. There's a ton of already defined ones in the application.

Plus, when you build rules, it's a really good user experience. It's like plug-and-play rules to flow out what you want, for whether what you want to look at has a certain level of severity or if you want real-time alerting on something that's happening right away in your environment that you want to investigate.

I'd like to see it being able to be integrated with more security products. I'm a big Guardian user; it's nice for the bidirectional. I can do some stuff, like a SQL injection, or if something is happening.

But if there were other security tools that it could better integrate with, like to go both ways; say it knows that a user is having heavy traffic, maybe it integrates with DOP to look at different sessions that they're doing. Something like that; like backwards compared to DOP, like reporting to it.

It's really good, but there's room for improvement; some more bidirectional integration with different security applications, especially some of the IBM Security ones like BigFix or something like that.

We haven't encountered any issues with stability.

We can scale it as big or as large as we want in our environment just by adding multiple sources. It's just, from a licensing standpoint, you hit a certain mark. You want to make sure you either ignore some of that, or you just have to get more licenses.

I've opened PMRs before. They're usually pretty responsive. The guys usually have pretty good knowledge, and they'll help you fix your issue pretty fast.

It was easy to know we needed a new solution; when you have Symantec's DLP that's really crappy and they end-of-life it, you've got to start looking for other products. That's why we changed.

The setup wasn't too complex. It was pretty straightforward. Basically, it's pretty much out of the box. You don't have to configure it much for your environment. It's built for many different types of companies. Once you start getting in all of your different log sources and using those custom parsers I mentioned, basically you've got to start looking at, What's white noise? What's not white noise? That's really what takes up a lot of your time, as to scaling it for your environment. The setup itself isn't very difficult.

We evaluated LogRhythm. LogRhythm is a really good product. It's close to QRadar, but, as I mentioned, those custom parsers. Also, LogRhythm's a little more difficult to install; we did the PoC for both leading SIEM solutions. Working with other IBM products, plus getting a discount for how much IBM stuff we already buy; it was easier for us to go with the QRadar route.

In general, when I go to work with a vendor, the important criteria I look for are how well they build relationships with you; how well they're willing to help you. Also, what are little things they're willing to do for free? Are they willing to, maybe, teach you how to do something a little bit here and there for free? Little things, give and take, here and there, make a good relationship with a vendor.

Make sure you understand how many log sources you have in your environment. Kind of get an idea of how many per second you're going to be getting. That way, you have a good idea for your licensing model to start out with. In the past, we had a certain set we thought we were going to have, and then we had to upgrade, and then upgrade again, for the license count.

Also, make sure you're doing correct tuning. Otherwise, you're just going to flood your SOC, and they're gonna' spend too much time sifting through white noise.

These features make it easy to operate the application:

• Integration with multiple platforms
• Ease of rule making
• Manufacturer support (IBM)

We use QRadar for application security, generating customized rules of correlation according to the operation of our business. It extends the security of our most critical assets.

From my point of view, they should improve the backup procedures. QRadar does not allow sending backups by FTP or SFTP, limiting the tool. I had to make a script but it is a manual process. It would be great to have it automated.

I have used it for approximately five years.

We did have stability issues. Some errors were generated when applying updates.

We have not needed to scale the solution.

It has taken a long time for support to respond to our request regarding AIX.

We didn’t have a previous solution. We have always used QRadar.

The initial configuration is simple; the maturation of the application is complex. Not because of the application of QRadar, but because they include many factors, such as the identification of critical assets and how we can secure them, with the application.

QRadar is a very expensive application but it is a good product. My advice is to validate with other correlator solutions and validate which product is right for the organization.

We did evaluate other similar products that are good, such as McAfee ESM and HPE ArcSight.

First, identify the most critical assets to be included in SIEM and then the most critical events of my organization. With that, you avoid bringing unnecessary events into SIEM.

It's a very good and versatile correlator.

The simplicity of the solution is the best feature.

The dashboards are all legacy and old. Their cloud support and the content available for cloud and containers are also minimal.

We have been using this solution since 2019.

I rate the stability a nine out of ten.

I rate the scalability an eight out of ten, and we have about 35 people using it.

I rate the technical support a five out of ten. They need to improve their availability. They have global support, which means we need to wait longer for a response.

Neutral

I rate the initial setup a seven out of ten, and it is deployed on-premises. The deployment took about four to six weeks, and we did it in-house.

We have seen an ROI.

I rate the price a six out of ten, with ten being affordable and one being expensive. They recently changed their licensing model, and it's more complex.

I rate this solution a six out of ten. Regarding advice, using this solution purely depends on the use case. If it meets your use case, then IBM QRadar is good, but other solutions like Securonix are much better.

We primarily use QRadar for monitoring and preparing use cases. 

This solution is deployed on-prem. 

The most important and valuable feature of QRadar is how useful it is for preparing use cases. It's also easy to use. 

The GUI of QRadar should be improved. 

I have been using IBM QRadar for one year. 

QRadar is stable. 

This solution is scalable. 

I have contacted IBM's technical support—it was great. They are very knowledgeable. 

QRadar is very easy to install, and I can do it myself. The time period will depend on the organization itself, since it depends on the environment and the number of servers and endpoints. 

I implemented this solution myself. 

I pay for licensing yearly. 

I also evaluated a lot of SIEM solutions, but I like LogRhythm and QRadar. 

I rate QRadar an eight out of ten. I would recommend QRadar, as well as LogRhythm, to others considering implementation. 

We primarily use the solution for breach management. We use it for identifying rogue IPs and picking up anomalies in terms of the network traffic coming in. We've seen a year of use cases in terms of breach management and incident management. We find IBM QRadar quite relevant in terms of protecting against potential malicious traffic coming into your organization. 

Obviously, it is evolved, and where we're utilizing IBM QRadar is to do other analytical capabilities, which include identity and access management. We've got a unique way where we use the platform to generate a view of all your identities and access that is granted within your environment and so forth. We are able to map that using IBM QRadar, which is not a use case that is normally thought about, however, we found from an analytical point of view, this is what we can do because we get all the information we need here.

IBM QRadar is phenomenal as a SIEM SOC solution. In terms of its capability, in terms of its usability, in terms of the SOC solutions or SIEM solutions out there, we find QRadar the most user-friendly. 

It gives you the right coverage as the analytical platform that's coupled with Watson is phenomenal.

From a deployment perspective, we found it very, very good.

What we like about QRadar and the models that IBM has, is it can go from a small-to-medium enterprise to a larger organization, and it gives you the same value.

It's easy to use if you go through the proper training. We find that the current IBM team in South Africa is not as good as the teams abroad, however, if you get the right support and the right training, which we have got, we find it very, very, very customizable and user-friendly. 

What we have done is we do not use a lot of level-one analysts. We use a lot of developers, so we constantly evolve the rule-set. Most of the organizations that have employed QRadar, what they do is they stack it up with level-one and level-two analysts, as opposed to having more security developers who enhance the rule-set, due to the fact that all of the same technologies work on rule-sets. If you can dynamically change the rule-set on the fly, you're good. We have got a different model in terms of the way we operate a SOC, where we have more developers amending the rules, you will lessen the number of false positives that you encounter. The biggest problem with most of the SIEM technologies out there is that you get too many false positives, and again, it impacts your operational SOC. We don't have that issue here. 

The only challenge with products like IBM is the EPS. You just have to be really on the events per second, as that's where the cost factor becomes a huge issue.

You do need proper training. Better training leads to better implementation. South Africa does not have the most knowledgeable technical support team. One challenge that you have in South Africa is the quality of the IBM resources. They're not up to the level companies need. I have to criticize IBM on that point - the skill level in South Africa and the South African franchise of IBM doesn't necessarily meet the quality of the product.

They can improve on the architecture. It's the way you deploy it. It's your enterprise architecture team that needs to understand it well. Again, due to our unique skillset on it, we deploy it in a very different way where we reduce the consumption of events per second, which reduces the overall cost of it. However, with the architecture, you need to get better guidance from IBM in terms of the way which the architecture is done. 

What I will say about IBM is that if you deploy it stock standard, it can be a very expensive tool, especially with your events per second, and where the way you deploy it architecturally will determine how much it costs you to manage it, as your events per second can be reduced through proper architecture. It's critical to an IBM install that a user understands the architecture and the deployment strategy. 

I've been dealing with the solution for a very long time. It's likely been about six years or so at this point. I've used it for a while.

We've got three customers on the solution currently. 

Technical support is lacking in South Africa and it doesn't meet the quality of the product. We're not quite satisfied with the level of service of knowledgeability on offer here. 

They need to be faster and more knowledgeable. If you log a ticket to South Africa, they can be quicker and more knowledgeable about issues. It's a problem within South Africa where the skill level of the IBM local team is not to the level it should be. Whether it's training or support, there's a problem. It's not the greatest.

The initial setup can be difficult if you don't have a good understanding of the product, for us, it's not too difficult. 

To do a small deployment takes us about two weeks.

When we did the deployment for one of our clients recently it took us four engineers from our side and four engineers from the outside to deploy it within two weeks. 

We handle deployments for our clients. Occasionally we need outside assistance. 

From a return on investment, the client sees in terms of its value from an IBM perspective, is a massive value from the deployment of QRadar.

On-premises is pretty expensive as opposed to the cloud. 

You do need to pay for a year subscription. You are charged at events per second as well. 

On QRadar, we look at the cloud-based uses as opposed to on-premise due to the cost factor. 

In terms of SIEM technologies, in terms of what you can get, I would rate it an eight out of ten. The QRadar platform is phenomenal in terms of what it does.

If you want to get the best out of IBM, spend more time on the rules generation and the modification of the rules.

The first thing that we implemented for user behavior was to find out whether somebody is logging in at odd hours. It studies user behavior.

My favorite thing is that it comes with good usability.

It has a powerful GUI where you can put together your use cases, and don't have to write your own scripts.

The price of this solution is a little bit expensive, so if it were cheaper then it would help.

While the interface is easy to use, it could be a little more responsive. It can be a bit sluggish at times.

I have been using IBM QRadar for about a year.

We have not experienced any issues with stability.

Scalability has not been a problem, although our environment is not very big. Perhaps at a later stage and with a bigger environment, we might have issues.

I have been in contact with technical support on one or two occasions. The experience was good and we are satisfied.

I also have experience using Splunk.

The initial setup is really straightforward. It's a bonus point of this solution.

I would rate this solution an eight out of ten.

Most of the features are good. It is an excellent solution. 

Some of the features should be more cooperative but other than that, everything is okay.

I have been using IBM QRadar User Behavior Analytics for a year. 

It is very stable. 

It is also scalable. 

Our team handles its own support. We are capable of doing our own technical support but we also have IBM to get their help as well.

The initial setup is not straightforward but of medium complexity. It's not simple but not so complex. It usually takes two to three weeks to deploy. 

The price is very high. Some of our customers cannot afford it. 

IMB should reduce the pricing, or reduce some of the features for a more economical solution for the customer.

I would rate it an eight out of ten. They should reduce the pricing.