Ashok Kumar Biswas - PeerSpot reviewer
System Engineer (Cybersecurity) at Omgea Exim Ltd
MSP
Top 20
A scalable solution with great event and flow collectors
Pros and Cons
  • "The event collector, flow collector, PCAP and SOAR are valuable."
  • "The solution is expensive compared to other products."

What is most valuable?

The event collector, flow collector, PCAP and SOAR are valuable.

What needs improvement?

Whenever we connect the SPAN port, its device and health status increase the capacity level. So I suggest the mitigation of that part for IBM. Otherwise, it's a good product. We also continuously have issues with technical support because they do not have a prompt response time.

For how long have I used the solution?

We have been using IBM QRadar for the last five years.

What do I think about the stability of the solution?

I rate the stability a nine out of ten.

Buyer's Guide
IBM Security QRadar
March 2025
Learn what your peers think about IBM Security QRadar. Get advice and tips from experienced pros sharing their opinions. Updated: March 2025.
841,152 professionals have used our research since 2012.

What do I think about the scalability of the solution?

I rate the scalability an eight out of ten. We deploy to many customers and have completed many POCs. We have a four-person team.

How are customer service and support?

The technical support is good, but they are not prompt. I rate them a five out of ten.

How would you rate customer service and support?

Neutral

How was the initial setup?

I rate the initial setup a ten out of ten. It is deployed on-premises and takes about two to three days to deploy the full environment readiness. But the device integration, rules screening and log onboarding take too long, about three to four months. The deployment was completed in-house.

What's my experience with pricing, setup cost, and licensing?

The solution is expensive compared to other products, and I rate the pricing a five out of ten.

What other advice do I have?

I rate this solution a nine out of ten.

Disclosure: My company has a business relationship with this vendor other than being a customer: Partner/Reseller
PeerSpot user
Cybersecurity Architecture and Technology Lead at a tech company with 51-200 employees
Consultant
Top 20
Can detect off-hours or excessive usage of an application or cloud-based service, or network activity patterns that are inconsistent.
Pros and Cons
  • "Providing real-time visibility for threat detection and prioritization - QRadar SIEM provides contextual and actionable surveillance across the entire IT infrastructure."
  • "AI is superb but needs improvements."

What is our primary use case?

Finding malicious activity via filters rather than relying on the rules which trigger the offenses, and fixing the suspicious activities.

How has it helped my organization?

Gaining application visibility and anomaly detection helps IT personnel quickly identify meaningful deviations. For example, QRadar SIEM can detect off-hours or excessive usage of an application or cloud-based service, or network activity patterns that are inconsistent with historical, moving-average profiles and seasonal usage patterns.

What is most valuable?

Providing real-time visibility for threat detection and prioritization - QRadar SIEM provides contextual and actionable surveillance across the entire IT infrastructure, helping organizations detect and remediate threats often missed by other security solutions. These threats can include inappropriate use of applications; insider fraud; and advanced, “low and slow” threats easily lost in the “noise” of millions of events.

What needs improvement?

Artificial intelligence is superb; QRadar correlates the events smartly and removes the same events, but it needs improvements.

For how long have I used the solution?

One to three years.

What do I think about the stability of the solution?

No issues.

How are customer service and technical support?

Very good.

Which solution did I use previously and why did I switch?

McAfee; we switched due to the bad correlation of data.

How was the initial setup?

It was straightforward.

Which other solutions did I evaluate?

Splunk and LogRhythm.

What other advice do I have?

QRadar also supports UBA, which is a fantastic feature to detect users' malicious activities.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
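The review above describes flagging off-hours or excessive use of an application against historical, moving-average and seasonal (hour-of-day) profiles. The following is an added illustration of that kind of check, not QRadar's own algorithm and not code from the reviewer; the hourly counts are constructed sample data and the thresholds are assumed values.

```python
"""Baseline-versus-observed anomaly checks over hourly application-usage
counts: an added example, not QRadar's implementation. The history is
constructed; the z-score, moving-average factor and off-hours floor are
assumed tuning values a defender would set per application."""
from collections import defaultdict
from statistics import mean, pstdev


def build_history(days=14):
    """Constructed sample: (day, hour_of_day, event_count) for one cloud app.
    Business hours 09-17 see roughly 95-105 events/hour; nights see 0-2."""
    hist = []
    for d in range(days):
        for h in range(24):
            if 9 <= h < 18:
                count = 100 + ((d * 7 + h * 3) % 11) - 5
            else:
                count = (d + h) % 3
            hist.append((d, h, count))
    return hist


def seasonal_profile(history):
    """Per hour-of-day mean and population stddev: the seasonal baseline."""
    buckets = defaultdict(list)
    for _, h, c in history:
        buckets[h].append(c)
    return {h: (mean(v), pstdev(v)) for h, v in buckets.items()}


def moving_average(history, window=24):
    """Trailing moving average over the most recent `window` hourly counts."""
    recent = [c for _, _, c in history[-window:]]
    return sum(recent) / len(recent)


def classify(history, hour, count, z=3.0, ma_factor=3.0, off_hours_min=10):
    """Return the list of anomaly labels that apply to one new observation."""
    mu, sd = seasonal_profile(history)[hour]
    ma = moving_average(history)
    findings = []
    # Off-hours: this hour is normally idle, yet real activity shows up.
    if mu < 1.5 and count >= off_hours_min:
        findings.append("off-hours usage")
    # Excessive versus the seasonal norm for this hour (guard sd == 0).
    if sd > 0 and (count - mu) / sd > z:
        findings.append("excessive vs seasonal profile")
    # Excessive versus the recent trailing moving average.
    if count > ma_factor * ma:
        findings.append("excessive vs moving average")
    return findings


if __name__ == "__main__":
    hist = build_history()
    print(classify(hist, 3, 40))     # night-time burst
    print(classify(hist, 12, 100))   # normal lunchtime load
    print(classify(hist, 12, 400))   # daytime spike
```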
PeerSpot user
Jamal Uddin Shaikh - PeerSpot reviewer
Cybersecurity Architecture and Technology Lead at a tech company with 51-200 employees
Consultant
Top 20

You need more time and knowledge to completely understand QRadar SIEM.

senior0997 - PeerSpot reviewer
Senior Field Manager at a security firm with 11-50 employees
Reseller
Good scalability and straightforward setup, all in all, a good solution
Pros and Cons
  • "It's quite scalable. We have upgraded some solutions from 1000 APS up to 3500 APS to 5000 APS. It's a good solution; they have no scalability issues."
  • "I would like for them to develop a detection management solution. It does not have a detection management solution in it; you have to buy it as it is, on top of the extended solution."

What is our primary use case?

It is a requirement for all of the banks to have a security solution in Pakistan. That is the reason most of the banks are using it. In the last one and a half years, Pakistani companies have been taking security very seriously, so for that reason, they evaluate these solutions. All in all, it's a good solution.

What needs improvement?

I would like for them to develop a detection management solution. It does not have a detection management solution in it; you have to buy it as it is, on top of the extended solution.

What do I think about the scalability of the solution?

It's quite scalable. We have upgraded some solutions from 1000 APS up to 3500 APS to 5000 APS. It's a good solution; they have no scalability issues.

How was the initial setup?

The initial setup was straightforward. The deployment time depends on each customer. We have customers who have different infrastructures, and their deployments are quite different. If we rack and stack it, it takes around two to three days, maximum a week, but configuration and optimization take somewhere between six months and one year.

What other advice do I have?

I would rate it an eight out of ten.

Disclosure: My company has a business relationship with this vendor other than being a customer: Reseller.
PeerSpot user
IT Manager at a comms service provider with 1,001-5,000 employees
Real User
Contextual and threat-based incident management.

What is most valuable?

  • Paradigm shift, security intelligence 2.0
  • Contextual-based incident management
  • Threat-based incident management
  • A single management console to handle all the data
  • Ease of use
  • Existing integration capabilities
  • Out-of-the-box reports
  • Parser development

How has it helped my organization?

It has helped us in the reduction of VPN frauds via the active monitoring of various frauds.

What needs improvement?

  • There is a scope of improvement in the orchestration layer, such as the SecOps from RSA. RSA Security Analytics bundles their offering with their SecOps (a subset of Archer - Risk Governance tool). This gives them a competitive edge.
  • The reporting and dashboard capabilities require a bit of improvement in terms of fine tuning and bifurcation for the technical and management reports.

For how long have I used the solution?

I have used this solution for four years.

What do I think about the stability of the solution?

There were no stability issues.

How are customer service and technical support?

I would give technical support a rating of 9/10.

How was the initial setup?

The setup was straightforward and the deployment was easy.

What's my experience with pricing, setup cost, and licensing?

The pricing policy is a bit on the higher side. IBM offers discounts when applicable.

Which other solutions did I evaluate?

We looked at other solutions such as RSA enVision and HPE ArcSight.

What other advice do I have?

Trust it, test it, and deploy it.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
PeerSpot user
it_user634860 - PeerSpot reviewer
Cyber Security Engineer
Vendor
The most valuable feature is the ability to get the logs and analyze them.

What is most valuable?

The most valuable feature is the ability to get the logs and analyze them. These logs help us in terms of analyzing and actually using Watson on them. It's a pretty great tool for intelligence. I think it is really a great product.

How has it helped my organization?

To be able to get the logs and analyze them has improved the way my organization functions. You can see where the source destination is coming from. You can actually see the data and pause the dashboard. It actually helps you to analyze the data the way you are supposed to. Nobody else is doing that right now.

What needs improvement?

I don't have any problems with the solution right now. As I play with the tools, then I will actually come up with different ideas.

I was able to help out with IBM Guardium version 10. I was helping out with a couple of developers who actually developed the application itself.

I want to see more integration between QRadar and other applications like BigFix and a couple of other tools and applications out there. There are a lot of applications out there. QRadar security intelligence might be one of the best right now.

What do I think about the stability of the solution?

There were no stability issues with QRadar. We've had a couple of stability issues with all the applications that I run. I don't want to mention names.

How are customer service and technical support?

I’ve used technical support, and they were OK. I used to work for IBM.

How was the initial setup?

I was involved in the initial setup. It was straightforward and not complex.

Which other solutions did I evaluate?

I work as a security engineer for the Department of Justice. We test hundreds of applications. I actually see which ones work best for the infrastructure.

What other advice do I have?

I would suggest QRadar. The security intelligence is one of the best right now.

When looking for a vendor, I want to be able to win them. I want them to accept the fact that I’m looking for a product for what I am doing and I have a couple of requirements.

From there, I can actually tell them what they need to do, or what I need to do, in the environment.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
PeerSpot user
it_user634782 - PeerSpot reviewer
Security Analyst at a government with 10,001+ employees
Vendor
For vulnerabilities, you see a popup on the screen. We do not have to look for it. It is pushed to us.

What is most valuable?

It's easy for us to see what's happening in the environment. It's very good to see the logs and the analytic stuff.

How has it helped my organization?

We can see the vulnerabilities much easier with the product. You see a popup on the screen. We do not have to look for it. It is pushed to us.

What needs improvement?

It is very expensive; very expensive.

What do I think about the stability of the solution?

The solution is very stable.

What do I think about the scalability of the solution?

I think it is scalable.

How are customer service and technical support?

We have used technical support. They are very good and very nice.

Which other solutions did I evaluate?

We didn't evaluate any alternatives. We have yearly talks with the IBM consulting team. We look at the trends.

What other advice do I have?

When choosing a vendor, we look for a stable and trustworthy company. I think QRadar is the best solution you can get.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
PeerSpot user
Security Consultant at a tech services company with 11-50 employees
Consultant
It can collect different types of security feeds and correlate them in real-time with your logs.

What is most valuable?

The most valuable features are:

  • Auto update: QRadar will download new logs from the database on the supported security device, so that it will automatically normalize the new log format and you will not need to rewrite all your rules/offenses again.
  • X-Force/TAXII feed: QRadar can collect different types of security feeds and correlate them in real-time with your logs.
  • Search engine: QRadar is like Excel, i.e., you can add rows and filter like your daily office work, without writing any scripts. So level 1 support can also handle this type of job.

How has it helped my organization?

You will learn something that you don't know about the user/machine behaviour.

What needs improvement?

The dashboards and reports may need improvement. We need to export the CSV results to create a report in Excel.

For how long have I used the solution?

I have used this solution for three years.

What do I think about the stability of the solution?

It will slow down when there are too many people doing a search at the same time, but that depends on your hardware and design.

What do I think about the scalability of the solution?

I did not encounter any scalability issues.

How are customer service and technical support?

You may need to allow remote support for them to help you, for troubleshooting the issues.

How was the initial setup?

The setup is complex, i.e., the first setup. With a SIEM it is not easy to enable logs without any performance issues, and the deployment advisor is the key for the project.

What's my experience with pricing, setup cost, and licensing?

You only need to worry about the number of events per second and the number of flows per minute. Storage size is not an issue with QRadar.

Which other solutions did I evaluate?

We did evaluate other options. I think Splunk is the second-best option.

What other advice do I have?

If you have an experienced group of security members, then you may not at all need the advisor for the product. If not, then you will have to find the path to build your team, so as to become more knowledgeable.

Disclosure: My company has a business relationship with this vendor other than being a customer: We are business partners.
PeerSpot user
it_user140676 - PeerSpot reviewer
Information Security Consultant at a tech services company with 51-200 employees
Consultant
Although it provides incident management of the alerts it produces, this could be improved to allow more restrictions

What is most valuable?

IBM Security QRadar has many valuable features. One of the most valuable features of IBM Security QRadar is the ease of extracting information from raw logs/events, whether the log source sending the events is supported by IBM or not (for example, a custom in-house application), and using this information in creating searches, correlation rules, reports, and dashboards. Another feature is scalability; scaling up a deployment to support more events per second is made simple just by “linking” new appliances to the main deployment through configuration steps that only take minutes to complete. I do not know if I can call this a feature, but a “general” feature of QRadar is that it does not require highly technically skilled personnel to administer. The dashboards and configurations through the web UI are easy to read, understand, and change.

What needs improvement?

Although QRadar provides incident management of the alerts it produces, this area could use a little improvement to allow more restrictions on who can close alerts, and easier updating of alerts with, and reading of, text templates.

For how long have I used the solution?

I have used IBM Security QRadar for nearly two years now. I use it as a user in my organization’s Managed Security Services division where we monitor clients’ environments. I also work with it as an implementer to deploy and customize it for clients.

What was my experience with deployment of the solution?

Any deployment will have issues. The issues that I encounter with deploying QRadar are raised with IBM Support and are usually solved quickly through applying patches or changing individual files to fix the web GUI issue.

What do I think about the stability of the solution?

The causes of stability issues are usually not QRadar, but of misconfigured devices/log sources (for example, sending debug events to QRadar that results in millions of events in a short period of time). However, if a deployment is done correctly, QRadar stays stable.

What do I think about the scalability of the solution?

No, I did not face issues with scalability. One of the great features of QRadar is the ease of scalability. A license upgrade is simply done by purchasing it and applying it through the GUI, which only takes minutes. If an organization wants a larger expansion, all that it has to do is to buy the required hardware with QRadar installed, and “link” it to the main deployment through steps that also take minutes. This new hardware will provide the extra events per second or flows per minute capabilities required for the expansion.

How are customer service and technical support?

IBM provides support in various regions in the world. The level of technical support is good. Once a support ticket is open, the support team tries to fix it directly or passes it on to higher levels, and will involve the QRadar development team if required.

Which solution did I use previously and why did I switch?

No, I did not use a separate solution, although I have read and heard about different solutions from the various clients I have met with. Clients switch to using QRadar because they say that maintaining and administering other solutions becomes a hassle and requires trained personnel. Another reason clients switch to using QRadar is cost.

How was the initial setup?

The initial setup of QRadar is straightforward. From the installation perspective, IBM provides one ISO file that can be used to install any of the QRadar components, with the activation key deciding which components to install. From the deployment perspective, QRadar has the ability to automatically detect many log sources sending logs. The out-of-the-box dashboards, searches, reports, and correlation rules allow QRadar to start displaying intelligence and insight on devices, network statistics, authentication, and many more, and to start alerting on offenses and policy violations automatically. Coupling this with the automatically detected log sources, a demonstration of QRadar can only take a few hours from the installation, to automatically detecting a log source such as firewall logs, to getting alerts on excessive firewall denies, port scans, etc.

What other advice do I have?

The advice I would give to others is to work with the implementation team to properly fine tune the out-of-the-box “building block rules” and to enter their network hierarchy in QRadar in order for it to give best results and reduce false positive alerts.

Disclosure: My company has a business relationship with this vendor other than being a customer: We're a value added services security company that is a distributor of Q1-Labs QRadar (now IBM).
PeerSpot user
it_user279483 - PeerSpot reviewer
Network Engineer at a financial services firm with 10,001+ employees
Real User

I am taking the IBM Security QRadar exam C2150-400 in early Aug 2015.
