IBM Security QRadar Reviews

The primary use case of this solution is for monitoring an enterprise data center, globally for 12,000 devices.

It has improved the way that the organization functions.

The most valuable feature is the searching capability and real-time operational use.

Some of the cloud apps need improvement.

In the next release, I would like to see improving the stability of some of the add-on applications.

I have been using IBM QRadar for two years.

We are using the current version.

Stability is moderate.

We have 15 people using this solution in our organization. Their positions vary from Network Engineers, Security Engineers, and Security Analysts.

It's very scalable.

Technical support is good.

I would rate them a nine out of ten. Their response time is good.

Previously, I did not use another solution.

The initial setup is complex. It's just the nature of the CM tool.

I think that the price is fair, but we can always say that the price could be cheaper.

Like any complex enterprise CM tool, you have to have a strong support organization. People who are good at understanding Linux operating systems. You also need a strong technical support team in-house.

I would rate this solution an eight out of ten.

This is a security monitoring product and the primary use case is to detect strange behavior by users. For example, if we have a user that has not used the service for a long time and then all of a sudden, somebody logs in one night. This is not normal and the system will detect it. This is just one example of many use cases.

Integration is very easy and the reporting is good.

This is a good product, although it does require some fine-tuning.

The dashboard is pathetic and it takes a long time to perform a search.

The graphics need to be improved.

Providing good support is something that they need to work on.

It would be helpful if IBM published more use cases.

We have been using QRadar UBA since 2016.

The issue that I have with technical support is related to their large pool of resources. If you are lucky then you get good support, but sometimes you get pathetic support. Suppose you open a ticket, there are times where it will be very good, but the quality is intermittent.

I have experience working with Splunk and I find that the searching capabilities are better with it. Also, the processing time in Splunk is better. With QRadar UBA, when you have three, four, or five rules together, it takes more time to respond.

The complexity and length of time required for the initial setup depend on the requirements. There are some out-of-the-box features that can be implemented right away, but some equipment is not supported directly, so you need to write a DSM (device support module).

Implementing a DSM takes some time, although it will depend on the log source. If the log source is fully compatible then it will be very quick. However, if it is not compatible then you will need to do some scripting and other work.

The price of this product is high.

QRadar is not perfect. It's a good security monitoring product that can provide threat intelligence, but it cannot do it alone. You need to integrate with many other things, such as IBM Orchestrator. Also, you need to have X-Force. After these kinds of things are integrated, it works a little bit better.

I would rate this solution a six out of ten.

Our primary use for this solution is to collect and correlate our logs. We also create appropriate alarms based on the contents of the logs.

This solution provides me with various alarms, and I have found security issues with some of my other products. We also have some special correlation rules that give me information about mail servers, websites, and other user behavior.

The most valuable feature is user-behavior analytics, where it will create logs based on the users' behavior and report suspicious events or other anomalies. I am working with the data analytics so it is a very good one for what I am doing. 

There is a lot of manual configuration required in order for the product to run smoothly, and I think that it could be made more automatic. There is no need for so much manual configuration. For example, it should be able to automatically create at least some of the rules that are suitable for our environment.

The solution has a good user interface, but it could be further developed. I have used other products that are more user-friendly. I would rate the user interface a six out of ten.

We have not experienced any bugs or vulnerabilities, so the stability seems to be fine.

The scalability seems great.

We have five hundred people in our company. All of them are end-users, except for myself and one of my colleagues who are administrators. We have more that one hundred assets, such as databases, that are monitored by this solution.

I have never used technical support for this solution.

The initial setup for this solution is very easy. It is an image file, and we haven't had any difficulties in the setup. After installation, there are many things to do. Again, the difficult part is the configuration of the product.

The installation period was very short, at perhaps one or two weeks. The configuration takes six months or more.

We have a technology company, and we are working with them for deployment and maintenance. They spend one or two hours per week maintaining this solution.

We have not calculated ROI.

I am familiar with products from other vendors, such as McAfee. We specifically evaluated Splunk, which is a good solution but there is no local partner in Turkey for support. Having a local partner is very important to us.

We chose this solution because we have a good relationship with IBM, and they are able to provide us with local support.

There are many good products and solutions on the market, but for implementation and maintenance, I can say that the most important thing is local support.

We do not have any issues with this product, and we have seen the benefits of it. It is easily configured and installed, and we have a local team to support it. It does have issues in terms of user experience, however.

I would rate this solution an eight out of ten.

The primary use case for us is the plug and play implementation and it is pretty easy to set it up, and scale up the SIEM. It has a kind of a functionality to it. 

It is really helpful to us from the compliance point of view. Whenever we had an external lawyer come in, he used to ask us for the data retention and log retention. So, QRadar could put out reports that could audit for us within the log collections. It was very helpful for us to meet compliance requirements.

In addition, it is a helpful solution for forensic analysis. It will easily perform Google type searches and get the logs searched easily. This is really helpful for us, and gives us a quicker investigation.

The most valuable feature is that it is a one stop solution for many things. It is a manager for vulnerability, functionality, packet filtering, packet analysis and log analysis.

They have introduced a lot of different suite of products and functionalities and that sometimes leads to confusion among the customers. There are a lot of options to provided and then I need to decide, what is my requirement, and what is my desire. I may be tempted to have a particular feature, but I have to decide whether it is relevant or not.

The stability is very good. There is not a single point lacking in terms of stability. And, I have never faced technical issues.

The scalability is good, especially with the introduction of data nodes. As of now, it is not a problem.

The tech support is not that good. They often rely on their learned knowledge base, instead of getting their hands dirty upon the actual case issues. They just think of the traditional approach of "OK, try this, or that." Obviously, we already know which steps to follow, we need for them to come up with some out-of-the-box solutions. This delays the process of finding a solution to the problem. Unfortunately, this happens a lot.

I previously used Splunk. And, we considered Sumo Logic, which has a similar kind of functionality. But, they are still in a very premature stage in terms of the product development.

The initial setup was straightforward. It was not complex or difficult. It is not complicated.

The cost of this product is expensive.

If you are a medium to large size enterprise, you can surely consider IBM as one of the major contenders for your selection. If you are a small enterprise, QRadar may be too much for you, it may be too complex.

When deciding on a solution, we always consider:

• Cost-benefit
• Shelf-life of the solution
• Security of the solution

It has improved our ability to research and detect anomalous behavior and activity within our network. It has really helped us in our ability to research active threats. We saw the threats when we implemented it, and we saw that we had all kinds of deficiencies in our network infrastructure that we were unaware of previously.

It has the ability to summarize all the other security products and give us a one-stop-shop dashboard.

IBM has added a new UBA (User Behavior Analytics) app to QRadar that uses the cognitive abilities of Watson to detect and prioritize user activity and risks on the network. It analyzes log activity already recorded so it can begin providing insights quickly after installation.

I'm anxious to see the Watson integration. We just finished an upgrade of our appliance so that we can be eligible to do the Watson integration. I'm anxious to see how that works.

It works well. We've been using it for a year now. It's helped us greatly to cut down on the time it takes to research a problem or to actually find the problem.

In terms of scalability, so far, so good. What we've purchased so far is well with the infrastructure that we have. I know there are options to buy additional components should I need them.

We use a business partner for implementation and support. They are always involved with it. They are not IBM.

We weren't previously using a different solution. As security becomes more and more important, we added different security components from IBM, with QRadar being the last one. We needed some way to see all the data, all the information, and get it together in one single source of truth.

I was involved as far as picking and approving the solution. I was not involved in the installation.

We try to do everything all at once.

Find the right partner to help you do the implementation.

When picking a vendor, we look for the support, the ease of the installation, and the future of the product.

We are using it for monitoring different systems, and we are monitoring the logs with QRadar. This is one of the good tools which we have identified, and we are using it for monitoring the application.

Any issues regarding monitoring, if we feel that there is anything going on in the application, QRadar collects the logs, we monitor those logs, and we get alerts for those logs.

Reporting should be very good, and a proper integration with cloud, not only the IBM cloud, but with other clouds also.

The stability is good. I never got a complaint, but sometimes we have difficulty in configuring new applications. Since it is going into the cloud, we have a big challenge how we are going to monitor those applications which are sitting in Bluemix.

The scalability is good. We have been using and increasing the applications most of the time.

I think my team has used technical support. They are responsive, I can say it is 8-9/10.

We were using a different solution, and we moved to QRadar. It has some more benefits than our previous solution. We have totally transferred to QRadar now.

I was not involved in the initial setup.

We have evaluated only the large vendors. As we have a long-standing relationship with IBM, that's why we moved to QRadar. I don't know which other vendors were on the shortlist for evaluation.

If you have the budget, go for QRadar. It depends on the company size. It's expensive.

• User behavior analytics.
• Alert features on any suspicious activities.
• It contributes a lot of knowledge towards your network environment.

You can add value once you connect a lot of syslogs of a lot of applications to the actual SIEM product. It pretty much does the monitoring of our network, so just having the tool secures the environment itself.

I don't have any particular suggestions at the moment, but giving the ability to their business users to leverage the functionality well is important. Right now, the way we use it internally is mainly just for our security team, but other products, like Splunk, for instance, do monitoring on not only the network but also monitoring of system performance.

Server performance is important, whether or not the application is up or down or things of that nature.

The product is very stable.

The product is very scalable.

Technical support is good. It's not great, it's good. When you leverage the tier 1 folks just to do some troubleshooting, it takes a bit of time to transition a case over. They could improve that turnaround time, especially when the first level guy doesn't know exactly what's going on or doesn't know the answers to the questions.

I wasn't directly involved in the initial implementation. I wouldn't say it's complex, but I mean just by enabling different data sources, you can go crazy with it and enabling them all in one shot is just too much.

Taking your time is probably a better approach so, that way, things operate smoothly and you can fine-tune things as you start seeing the network activity.

Ensure that it's scalable and that you have good customer support. Also, take your time doing the implementation.

The SIEM features are what sell this product. Lately, it has been heavily expanded with others. For example vulnerability management, risk management, incident forensics, cognitive security, and user behavior analytics.

Basic SIEM features include log management, reporting, and correlations and alerting. All SIEM products started with those.

Modern SIEM solutions are expanded with additional components that i mentioned.

So today, you will rarely see RFP for only SIEM. It will usually include other requirements. To answer this, vendors started adding additional valuable features.

Lately, Qradar also opened their APIs to the development community, in order to confront Splunk, and that resulted in a large number of additional functionalities in the form of add-ons (Qradar apps).

We are an IBM business partner. In short, this tool helps our clients have visibility into the IT infrastructure, events, and network traffic.

Dashboards!!! Dashboards are one of the most frequent complaints I receive from customers. Customers are complaining about the limited set of graphs and the inability to change colors. Although this might seem trivial, a large number of the same complaints probably mean something.

A lot of bugs are reported for dashboard items. Also, I personally have found that it does not work as indicated by the documentation. The same methodology is used to produce different results for similar searches. Also, customers would like to see near real-time data on the dashboard, which is very hard to achieve according to the mentioned problems.

I have been using this since 2011, even before the IBM acquisition.

We have not had stability issues.

High availability deployments have serious upgrade issues.

Support is great, but sometimes they are a little slow.

We did not have any previous solution. We have used only QRadar for the last six years. Even at that time, it was leader in Gartner and so it remained. It is very user friendly.

The initial setup was very easy. Integrating the infrastructure configuration is the biggest problem for any SIEM project.

Licensing was simplified two months ago. I don’t have insight into pricing. But as with any software, the price can probably change depending on your negotiation skills :)

We didn’t evaluate other solutions. However, in my career, I saw Splunk, RSA, ArcSight, and AlienVault.

If you are a security officer who wants to protect his job, go for Splunk :) If you are a customer who wants to have an easy tool and save time and resources, definitely go for QRadar.