What is our primary use case?
We primarily use the solution for breach management. We use it for identifying rogue IPs and picking up anomalies in terms of the network traffic coming in. We've seen a year of use cases in terms of breach management and incident management. We find IBM QRadar quite relevant in terms of protecting against potential malicious traffic coming into your organization.
Obviously, it is evolved, and where we're utilizing IBM QRadar is to do other analytical capabilities, which include identity and access management. We've got a unique way where we use the platform to generate a view of all your identities and access that is granted within your environment and so forth. We are able to map that using IBM QRadar, which is not a use case that is normally thought about, however, we found from an analytical point of view, this is what we can do because we get all the information we need here.
What is most valuable?
IBM QRadar is phenomenal as a SIEM SOC solution. In terms of its capability, in terms of its usability, in terms of the SOC solutions or SIEM solutions out there, we find QRadar the most user-friendly.
It gives you the right coverage as the analytical platform that's coupled with Watson is phenomenal.
From a deployment perspective, we found it very, very good.
What we like about QRadar and the models that IBM has, is it can go from a small-to-medium enterprise to a larger organization, and it gives you the same value.
It's easy to use if you go through the proper training. We find that the current IBM team in South Africa is not as good as the teams abroad, however, if you get the right support and the right training, which we have got, we find it very, very, very customizable and user-friendly.
What we have done is we do not use a lot of level-one analysts. We use a lot of developers, so we constantly evolve the rule-set. Most of the organizations that have employed QRadar, what they do is they stack it up with level-one and level-two analysts, as opposed to having more security developers who enhance the rule-set, due to the fact that all of the same technologies work on rule-sets. If you can dynamically change the rule-set on the fly, you're good. We have got a different model in terms of the way we operate a SOC, where we have more developers amending the rules, you will lessen the number of false positives that you encounter. The biggest problem with most of the SIEM technologies out there is that you get too many false positives, and again, it impacts your operational SOC. We don't have that issue here.
What needs improvement?
The only challenge with products like IBM is the EPS. You just have to be really on the events per second, as that's where the cost factor becomes a huge issue.
You do need proper training. Better training leads to better implementation. South Africa does not have the most knowledgeable technical support team. One challenge that you have in South Africa is the quality of the IBM resources. They're not up to the level companies need. I have to criticize IBM on that point - the skill level in South Africa and the South African franchise of IBM doesn't necessarily meet the quality of the product.
They can improve on the architecture. It's the way you deploy it. It's your enterprise architecture team that needs to understand it well. Again, due to our unique skillset on it, we deploy it in a very different way where we reduce the consumption of events per second, which reduces the overall cost of it. However, with the architecture, you need to get better guidance from IBM in terms of the way which the architecture is done.
What I will say about IBM is that if you deploy it stock standard, it can be a very expensive tool, especially with your events per second, and where the way you deploy it architecturally will determine how much it costs you to manage it, as your events per second can be reduced through proper architecture. It's critical to an IBM install that a user understands the architecture and the deployment strategy.
For how long have I used the solution?
I've been dealing with the solution for a very long time. It's likely been about six years or so at this point. I've used it for a while.
What do I think about the scalability of the solution?
We've got three customers on the solution currently.
How are customer service and technical support?
Technical support is lacking in South Africa and it doesn't meet the quality of the product. We're not quite satisfied with the level of service of knowledgeability on offer here.
They need to be faster and more knowledgeable. If you log a ticket to South Africa, they can be quicker and more knowledgeable about issues. It's a problem within South Africa where the skill level of the IBM local team is not to the level it should be. Whether it's training or support, there's a problem. It's not the greatest.
How was the initial setup?
The initial setup can be difficult if you don't have a good understanding of the product, for us, it's not too difficult.
To do a small deployment takes us about two weeks.
When we did the deployment for one of our clients recently it took us four engineers from our side and four engineers from the outside to deploy it within two weeks.
What about the implementation team?
We handle deployments for our clients. Occasionally we need outside assistance.
What was our ROI?
From a return on investment, the client sees in terms of its value from an IBM perspective, is a massive value from the deployment of QRadar.
What's my experience with pricing, setup cost, and licensing?
On-premises is pretty expensive as opposed to the cloud.
You do need to pay for a year subscription. You are charged at events per second as well.
What other advice do I have?
On QRadar, we look at the cloud-based uses as opposed to on-premise due to the cost factor.
In terms of SIEM technologies, in terms of what you can get, I would rate it an eight out of ten. The QRadar platform is phenomenal in terms of what it does.
If you want to get the best out of IBM, spend more time on the rules generation and the modification of the rules.
Which deployment model are you using for this solution?
Public Cloud
Disclosure: My company has a business relationship with this vendor other than being a customer: Partner
As an IBMer, I'm always glad to hear about customers experiences with our solutions. Its rewarding to know that we have done a great job of delivering on our promises. Thanks for the positive feedback.