IBM Security QRadar Reviews

I'm an administrator. I have been leading the security operation center for the past four years. I have more than 12 members or SOC analysts for our 24/7 operations. I have been pitching the solutions to multiple customers, and I have also designed, implemented, and administered customer projects and completed them at the specified timeline.

We have many use cases. The most common use cases are related to insights into any threats from the inside and outside. I have also configured X-Force with QRadar, and we are getting all the feeds showing malware-based IPs, etc. I also have designed some anomaly-based rules in case anyone has logged in from outside Pakistan. Most of the rules are custom-based.

The QNI feature is the one I am very interested in, and I have also been interested in Watson. From the log analysis and the security perspective, we are able to dive deep into any of the logs and anomalies.

It is user-friendly, and it is easy to develop. If you know the architecture, what to develop, and how to get the output for your results, you can easily work with it.

I have also been working with other SIEM solutions, and I have observed that they have extensive Linux-based and Unix-based integrations. They have been able to support some of the Linux-based agents, which is useful to investigate and process the information on the Linux and Unix side.

It could have pre-defined automation and integration of all those device parameters that analysts have to share manually.

It is stable.

I would rate them a 3.5 out of 5.

It is not very difficult. I have done more than 10 deployments, and I have integrated and developed custom applications. I have also developed a Python-based script to support me with the things that IBM cannot support. I am using that script from the health check perspective. It gives me a high-level and low-level overview of QRadar with respect to the rules that have been triggered and the notifications that have been generated and how to tune them.

I would rate it an eight out of 10.

Our company includes 20 senior engineers and analysts who use the solution to detect viruses on Windows servers and critical assets.

We also track user activity such as connections during travel. 

We have many use cases and playbooks in our portfolio. 

Our company uses the solution as our main CM to detect malicious activity. There are many campaigns targeting Europe and other countries so it is important that we remain vigilant about suspicious activity inside our organization. 

The solution uses rules to identify suspicious activity that needs to be investigated. We conduct advanced forensic investigations based on the solution's output, including collecting logs from devices and correlating them for processing by a security analyst. 

Blocks of predefined conditions can be used to configure detection rules without having to write complicated script. 

Real-time detection is quite efficient and valuable. Other products such as Splunk focus only on running searches to detect a particular behavior.

The Vulnerability Manager module is useful and quite efficient. 

The dashboard and reports are not user-friendly or efficient so are of little help with threat hunting activity. We deal with large data sets so need to have great visibility for detection of malicious activity and indicators for cybersecurity. 

For example, the dashboards for Power BI and Splunk are very efficient and it is easy to observe suspicious activity. 

I have been using the solution for five years.

The solution is stable and easy to use if deployed well.

On occasion, you might get an error when running advanced analytics but reboots are not needed. 

The solution is scalable and it is easy to add appliances or expand your license. 

Engineers used technical support regularly between 2016 and 2019 and found them to be very helpful and responsive. If a situation was urgent, technical support intervened immediately. 

I rate technical support an eight out of ten. 

Positive

I used the solution, switched to Splunk, then switched back to the solution. 

The ease of setup is based on the complexity of your environment and network architecture.

The initial setup is not complicated and should go smoothly if you set all predefined requirements prior to installing the solution.  

It took us two weeks to prepare all requirements and a few hours to deploy which included installing all resources. 

Documentation for the installation process is pretty straightforward. 

An in-house team that handles integrations was responsible for implementing the solution. Myself and other cybersecurity analysts participated with the team.

A team of three engineers handle ongoing maintenance for our large environment. 

The solution has a licensing model that is based on events per second so it scales to need and budget. 

At the time of deployment, we were premium partners with IBM so received advantageous pricing. 

The on-premises solution and its license are not impacted by the number of users so it is easy to add staff. 

In my experience, Splunk is efficient because it is customizable. You can create scripts to detect multiple behaviors based on scheduled jobs. 

I rate the solution a seven out of ten because it is difficult to write script for advanced detection cases and the dashboard is insufficient. 

We use the blocking mode and spam mode for the IPS - XGS 5000 series and use of QRadar as a SIEM Solution for logging and monitoring network security, security analysis, and monitoring for network-related attacks. 

The playbook is defined with identified use cases. IPS acted as an inline to the firewall. It helped to track and sniff the packet and match the details. It helped to reduce the insider and outsider attacks. The traffic is analyzed and helped users to know the patters and access level in the network and resource being used.

It helped our organization to identify and prevent security attacks.

We need to come with new releases and understand what will happen and how the customer will be able to manage and update the system what are ways in which user behavior and access to various resources in the network could be tracked and alerted in more robust manner. 

There needs to be proper patch management which is done in a controlled environment with a proper newsletter update. The new releases from the company in terms of product and services needs to be updated to product managers in organization.

The monitoring and dashboards are great. 

The user behavior analysis could be better. The playbook guide which specifies the rules for security use cases needs to be provided to support in case the organization needs help. The security playbook needs more help when it comes to QRadar. The QRadar implementation guide, especially in cluster environment, is complicated to deploy in an enterprise level. The support of SIEM of QRadar is complicated and when we encounter implementation issues it needs quick response. The skilled resources are really important for support.

I have deployed the solution for 230 sites across globe using for past seven years.

We are a product-based organization. We use this solution for a shared SOC service and security audits and compliance.

There are a lot of features in QRadar. App Exchange is the most valuable feature. User behavior analytics (UBA) is also a very good feature. Watson is also there, but we are not currently using Watson.

It is versatile and quite easy. It also has an all-in-one-box feature and good integration with AWS. 

SOAR is what is expected the most from QRadar. They have something called SOAR Resilient, and it would be great if that gets induced in SIEM. IBM QRadar (as well as McAfee ESM) should have analytics platform integration. Currently, SIEMs don't have full-fledged integration with analytics where we are able to dump our data in SIEM, and the same data can be called from different analytics applications. We should be able to bring this data to a platform like Hadoop for big data and run the analytics there. Currently, people are seeing the past data and taking some actions in the present, but when it comes to analytics, there should be futuristic data where you can predict something out of your present and past data. Apart from that, I would like to see a full-fledged ITSM tool in QRadar.

It sometimes has some technical issues that need to be checked. It requires a dedicated QRadar engineer to completely manage it. It has different module sets, such as event collector and event processor, and some technical glitches come in between. It takes the log but doesn't exactly process it in the way we want. 

If its pricing can be reduced, it would help a lot of customers in bringing in a new SIEM environment.

It is stable. There are no incidents when SIEM completely stopped. 

I have expanded it. It is very good in terms of scalability. Because it is on the cloud, it can be scaled anytime. If I want to increase my CPU's RAM, I can do it. At any point in time, if I want to get additional licenses, I can just call support, and they will provide that.

I have around six customers who are using QRadar in a shared model. We do have plans to increase its usage. We are looking after different customers, and when they're ready, we can integrate it.

They are good and responsive. However, because of COVID, of late everyone is working from home, and sometimes, their response has been a little bit slow for incidents. They did apologize for that.

It is straightforward. AWS has a feature called Marketplace in its environment. When we click it, we can load it directly. It doesn't take more than two to three days to completely deploy the infrastructure. 

They can give us some scalability and flexibility on pricing. If its pricing can be reduced, it would help a lot of customers in bringing in a new SIEM environment and grow business in the market. If I start a license today and take around 10,000 EPS, and after a month, there is an increase in the number of clients on my platform, I can increase the number of licenses. I can add 5,000 EPS on a yearly basis.

We chose QRadar over McAfee ESM.

It has good integration with AWS. AWS has come up with a Marketplace click-in option that provides direct integration between your AWS and data centers or cloud solutions through a small VPN. It allows you to bring up small environments with 5,000 EPS or 6,000 EPS or even 3,500 EPS or 2,500 EPS very quickly. It is very flexible and not at all tough for a startup engineer to click and bring solutions inside. It is quite easy.

I would rate IBM QRadar an eight out of ten.

It is used to dive deep into threat analysis. It is a SIEM solution that can be hooked up with some of the endpoint security or threat discovery solutions such as Forescout, Qualys, Sophos, and MDM. After the endpoint security or threat discovery solution discovers the threat, QRadar takes it further from that point onwards and allows you to go deep into the threat analysis. It has a lot of integrations, such as with CMDB, and it can do the asset classification. It can also tell the CVSS score. These are the capabilities or use cases. 

Integrations are quite a useful and key feature of this solution. It has integration with the CVSS score, which is a central point for all the data and scores about the threats. There is an IBM Bluemix dashboard that is integrated with the CVSS score.

I don't look at only the features and benefits; I also look at the price. It is a bit expensive when compared with other solutions. It is expensive for specific deployment topologies, and the decision-makers go for alternatives like ArcSight. 

It should also have more AI features or capabilities for better threat intelligence. The more it uses machine learning, the better would be the dashboard, analytics, and other things.

I have been using this solution for five years. 

You can scale it easily in the cloud with a given deployment topology. We have somewhere around 50 plus users.

IBM is very strong on the technical support side. They have proper support available across different regions. After the implementation is done, the admin within the organization is in touch with IBM technical support for any day-to-day support requirements.

We have been switching for some time between Micro Focus ArcSight and IBM QRadar.

For cloud deployment, you need to go for IBM Bluemix Cloud, and you can deploy easily on a private cloud. You create the stack and use the Bluemix Cloud formation template. If you have the IBM Bluemix Cloud subscription, you can deploy it easily within maybe half a day or one day. You can create all the resources by using the Bluemix Cloud formation template.

For deployment, you need a small team of two or three because it just needs the team to provision the resources on the IBM Bluemix Cloud. For support, we need a bigger team of around 10 plus people.

It is costlier as compared to the other alternatives available in the market.

I would definitely recommend this solution. It is a good solution with good capabilities like integration with CMDB and CVSS score. The dashboard is also really nice. It can help with threat intelligence, and it also has artificial intelligence. It is a futuristic kind of technology because the more AI-driven a product is, the better are the results. We plan to keep using this solution.

I would rate IBM QRadar a seven out of ten.

The most valuable feature for us is probably the intelligence we get out of the product.

The organizational value we derive from it is that it helps us track down where we have problems.

We appreciate ease of use in the product, so I suppose they could bring the cost down. I haven't really thought about possible improvements. They've added a lot of good features to the apps. I'm still exploring those and there are a lot of good features there.

I have used the solution for about 15 years.

Overall I'd say the stability is pretty good. I have noticed some issues with the patch and updates recently, especially version 72A. There have been some problems where a patch would come out and a few days later another patch would have to come out to fix issues that weren't encountered so that's caused some issues for us.

Scalability is good.

The initial technical support to call is less than adequate. I usually know more than the level one or level two, again because I've been a customer for 15 years. I worked with the original QRadar guys to help develop their SIEM solutions so I know quite a bit about it. Usually when we call in it's a real problem because we fix most of our own problems.

Fifteen years ago it was very complex because of the linking of different flow collectors. Being processed together, upgrading them was painful. That part has improved greatly as you can just put the update process in the console and push Yes. That's a lot better.

It's a great product. They're obviously an industry leader right now in this field, if you're looking for SIEM, I would recommend it.

When it sends the log source, QRadar generates a lot of noise and false positives. LogRhythm logs when the alarm rules are disabled, so it doesn't generate any noise when sending the log source. I think LogRhythm's one, this one too. QRadar, we have to cure it all the time. It's only this advantage with QRadar.

I would also like to see more integration with other vendors. IBM doesn't integrate well with products from China, like Huawei. Many Middle Eastern customers are switching to Huawei from American vendors like Cisco because of the price. In most RFPs, Huawei wins because it costs less. 

IBM needs to integrate better with Huawei. I opened one case with IBM, and they told me to submit a request for enhancement so they could write the correct DSMs to integrate with Huawei. We were very disappointed. Customers who want to implement QRadar or LogRhythm need to consider all the other components. The environment needs to be homogenous to avoid problems due to a lack of integration.

My old company used QRadar, so I still use it sometimes when I consult for them. They get stuck on a few things. I also worked on vulnerability discovery. Right now, my current customers are migrating from QRadar to LogRhythm.

QRadar is built around Red Hat Linux, which is highly robust.

IBM's support for QRadar could be improved. Sometimes it takes them two days to reply to a low-priority case. However, it tasks them about 1.5 hours to respond to a more serious case. Sometimes our customer service will think it's a priority one case, so he asks me to open it as priority one, then IBM reduces it to two or three. 

We don't have any security appliances from Huawei, but they have the best technical support. We have engineers everywhere with CRM, and they call you after the problem is resolved. IBM closes the case, and that's it. It's a very restricted environment. 

QRadar is reasonable compared to LogRhythm.

I rate IBM QRadar nine out of 10. If you're going to use QRadar, you have to be familiar with it and know all the components. IBM offers free appliances, like data nodes, that offload many processes from the collectors and the processors. 

Every engineer must understand the overall portfolio to add some value to the solutions. If a solution isn't integrated with other solutions, they are only collectors. You need to tune the rules and be up to date with the Mitre Att&ck framework all the time.

We are using it from the compliance perspective. We need this solution to comply with HIPAA and PCI because our clients require HIPAA and PCI DSS compliance. We also use it for log management, primarily security logs, and to some extent, for operational activities, even though this tool is actually not meant for operational tasks. We do keep track of errors in our appliances like hardware, storage, and network switches through QRadar.

The main or core solution is on-premises. There is an extended arm, which is in the cloud as well for cloud integration.

Security incident and event management are actually the core functionalities of this solution. We receive security logs on this product and based on the received logs, we can create offense tickets that are forwarded to Netcool, which is another solution that we have. I don't have experience with that, but our integration is there so that any offense or security event is forwarded to Netcool, and a ticket is automatically generated in ServiceNow for that offense. This level of automation that we have for security-related events is done through this solution. There's no manual work involved, which obviously takes away a lot of load from the individuals who are managing the security side of it.

It is a pretty solid product for the type that it is representing i.e. SIEM. It can do automatic correlation based on the traffic that you are receiving to some extent. It has plethora of options available for third party application integration. For e.g CISCO Firepower, Palo Alto Dashboard for CISCO and Palo Alto Firewall respectively. Integration with Cloud based Log Sources is also supported via. parsers that support API Connect. This is helpful when pulling in Logs from AWS, Azure, GCP or other Cloud Based Solution like Carbon Black, Imperva etc.

A lot of information that we receive for the devices is IP-based, but it would help if we could have a default dashboard in which we can add more details about the assets for which we are receiving the information. For example, if it is a Windows or Linux device, we only get the IP for that particular device. We don't really get the name and other details of that particular device. For that, you have to drill down into your own asset management system. It would be good to have a place where we can probably add this information so that we don't have to look into other tools.

I have been using this solution for about six months.

It is very stable. As long as you have the proper connectivity availability, it is pretty stable.

Our deployment covers North America, South America and part of Europe. The product is easy to deploy and scale. Almost everyone in our organization is using this solution because most of our projects rely on this. Because of the compliance requirement, most of our projects have to be integrated with QRadar. Each business unit or each program that we have in another environment has independent access to the solutions. They might not be the end users, of course, but at least every admin team of every program unit has access to this tool so that they can see what's happening in their environment.

It also supports multi-tenancy. So, if you have multiple clients or multiple tenants in your environment, you can create logical containers for them. From a logical point of view, you can create separate disconnected containers for each client so that they can only see their data.

Their technical support is quite good. I would rate them a nine out of ten.

Yes, we switched over from NNT to QRardar. This product is more detailed. Expensive but definitely more detailed! :)

It was pretty straightforward. These are hardware appliances. So, you need to rack and stack them. If the rack space, cabling, and other things are already done, which would typically be the responsibility of a data center team, it essentially takes three to five days. But this is only the core deployment. The fine tuning on top of it would take extra time based on the environment and how complex it is.

It was implemented by team that included me. We have an external team for its maintenance.

The IBM QRadar Licensing for the core Events(EPS) and Flows(FPS) is per second based. The licensing is perpetual and surely expensive but the output of the Product makes it worth your money. 

I would absolutely recommend this solution. I am pretty okay with it, and I don't have any issues with it. It has some competitors like Splunk and LogRhythm. Symantec has its own SIEM solution. ArcSight, LogRhythm, and Splunk are in the first quadrant for the Gartner research. They are leaders in their products, and they know what they're doing. It also comes down to what your company is into, how does it fit into a particular environment, and how compatible it is with a particular environment. I could have gone on the Splunk path and probably said the same thing for it as well. 

I would rate IBM QRadar a nine out of ten. It is a pretty solid product.