reviewer1318914 - PeerSpot reviewer
Information Security Specialist at a comms service provider with 501-1,000 employees
Real User
Not user friendly, doesn't integrate well, and has terrible technical support
Pros and Cons
  • "The solution can scale."
  • "The solution is clunky."

What is our primary use case?

We use the solution for a variety of tasks. We use it, for example, for authentication, network-related authentication, user-related tasks, and Windows and UNIX servers. It's a lot. There's a ton of use cases. I really can't think right now about every single use case; however, the main things are authentication and network-related systems and all flavors of UNIX and Windows.

How has it helped my organization?

It helped our organization in the sense that having it was better than nothing. However, I did not enjoy the product overall and I advised we switch to something else.

What is most valuable?

The user behavior analytics as part of our deployment was okay, even though it was clunky.

The solution can scale.

What needs improvement?

I really didn't like QRadar to be honest. I inherited it. I was part of the reason that we moved over to LogRhythm. The solution just isn't user friendly.

The solution is clunky. 

The interface could be much better.

The integration capabilities within the product are not that great.


For how long have I used the solution?

I've been using the solution for about two years at this point. My team has been using it for two to three years, so we have a total of about five years of experience in all.

What do I think about the stability of the solution?

I wouldn't describe the solution as stable. 

It was really buggy. Like other app integrations, it wasn't straightforward. It was pretty clunky. We tried to integrate Qualys with it and it wasn't effective. To integrate anything took quite a bit of time and energy. It wasn't easy. When it did, it didn't work properly. It wasn't really pulling in the data correctly.

What do I think about the scalability of the solution?

Scalability was hard as it was on-prem. We needed to add more modules, and had to add more of the servers to stack it. It wasn't a simple task at all. I wouldn't say that it scales well, although technically, you can scale it.

When we were using the solution, we had ten to 15 users on it. They were anyone from Information Security Engineers to regular IT admins.

How are customer service and support?

Technical support was awful. We often didn't even have any assistance available to us. On a scale from one to ten, I'd rate them at a three. We were very unsatisfied with the level of support we received. They just simply weren't helpful when it came down to it.

Which solution did I use previously and why did I switch?

The organization didn't previously use a different solution before choosing QRadar.

We actually switched to LogRhythm as I didn't like how the solution was working for the organization.

How was the initial setup?

I didn't handle the initial setup. It was handled before I arrived at the organization.

What other advice do I have?

I'm not sure of which version of the solution we're using.

I wouldn't recommend the solution. I'd probably tell others to shy away and look at other products like possibly Splunk, however, it's a pricey option. LogRhythm is pretty good. We're having some issues with it. That said, for the most part, it's okay. 

Exabeam also seems like it might be a good option. I haven't worked with it personally, however, I've had some experience with a POC.

Overall, I would rate the solution at a three out of ten. We didn't have a good experience with it. If it offered, for example, easier behavior analytics, easier integrations, better interface, supported model integration, and a good user interface to perform analysis I might rate it higher. Basically, it just needs to be much more user-friendly.

Which deployment model are you using for this solution?

On-premises
Disclosure: I am a real user, and this review is based on my own experience and opinions.
it_user398799 - PeerSpot reviewer
Sr. Security Analyst with 1,001-5,000 employees
Real User
Enables us to integrate with some of the top security products on the market

What is our primary use case?

In recent years, our focus has been the third-party integrations. Like most companies, we have several security products. (I hope most other companies are not relying on a single product). The challenge with a SIEM is taking the data produced by a log source and presenting it in a readable manner for technical and non-technical staff. That can be done with custom-built reports or in dashboards. With the IBM Security App Exchange you add a new extension (i.e. download from the App Exchange site) and configure it.

How has it helped my organization?

Since IBM opened up the API for third-party app integration it has made it increasingly easy to add other tools into the dashboards.

What is most valuable?

Currently, the App Exchange offers over 192 applications that allow QRadar to integrate with some of the top security programs on the market, along with extension add-ons provided by QRadar. Some third-party apps include (but are not limited to) Splunk, McAfee, Cisco, Carbon Black, Palo Alto, ObservIT, Exabeam, Gigamon, and PhishMe. Extension add-ons by QRadar include report extensions, MS AD extensions, user behavior analytics, etc.

We have a very small team and anytime I can integrate with our other tools, and save time doing so, that is a plus for my company.

What needs improvement?

Keep up with more apps. They need to continue working with other companies to develop apps for integrations. Yes, they currently have 192 apps, but that number is nowhere near the number of security products on the market. That means if your company has a product that is not in the application list then you just have to work a little harder to pull the data you need from the log source.

I'm not against hard work, I'm just trying to work smarter and faster. Time is money, so saving time without compromising the end product is a win for everyone. It would reflect well for IBM because it would show they understand the customers’ needs and it would reflect well internally because we would be able to present cleaner dashboards and reports without hours or days devoted to building them.

For how long have I used the solution?

More than five years.

What do I think about the stability of the solution?

We experienced some memory usage issues with a user behavior app.

What do I think about the scalability of the solution?

We haven't really had any scalability issues. You are always limited to your EPS/FPM licensing, so you have to make sure you don’t exceed those limits.

How are customer service and technical support?

Tech support is excellent.

How was the initial setup?

The initial setup is straightforward.

Which other solutions did I evaluate?

We do a SIEM solutions review every few years. Other options we have evaluated: LogRhythm, Splunk, AlienVault.

What other advice do I have?

Research, and don’t be afraid to do a few PoCs. Also, make sure you have a team for the tool. Most solutions require a team, so if you cannot apply a team towards the tool then hopefully you can use one of the managed SIEM options.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
it_user634794 - PeerSpot reviewer
Director of Cyber Security at an insurance company with 10,001+ employees
Real User
The ability to correlate large amounts of data into rules that provide real-time alerting is valuable.

What is most valuable?

The ability to correlate large amounts of data into rules that provide real-time alerting is the most valuable feature.

How has it helped my organization?

It has provided us with quicker mitigation to threats. We used to do everything manually, so it automated a lot of workflows that in the past, we weren't able to do from an automation perspective.

What needs improvement?

We are still two versions behind, so I don't know specifically what could be improved. I've told all the executives and staff we met at a recent IBM conference that integration with other solutions is important so that we don't have to do a bunch of different things to consider.

What do I think about the stability of the solution?

We are the largest user of QRadar, so the stability is average. There are several vulnerabilities that IBM is working with us on. They don't have a test environment big enough to imitate the stress we put on it. Stability is probably OK for the normal customers, but we break everybody's apps just because of our size.

What do I think about the scalability of the solution?

There are some vulnerabilities that may be further exacerbated at our size, so they are trying to fix some of those issues and bring stability, but it's really product issues that don't scale right now.

Which solution did I use previously and why did I switch?

It was functionality which drove us to change. QRadar had better functionality than what we were getting out of the previous solution. Scale was probably also a factor at that time. It was right after IBM bought Q1 Labs, so it was an industry leader along with some others. We did an evaluation and QRadar came out on top.

How was the initial setup?

Initial setup was pretty straightforward. It's a complex solution, but it was straightforward for a large environment.

Which other solutions did I evaluate?

The two big options we evaluated would be IBM and HP. What we understood was that QRadar would be a more simplistic implementation, taking up less time.

What other advice do I have?

Make sure you really understand all the requirements before you implement. I think the group that did this implementation didn't necessarily understand fully what we were going to use it for, so it was maybe designed for smaller things. So, you should really understand the requirements prior to stepping into it. 

If QRadar is going to be a central sort of hub for IBM's security solutions, make sure that the other tools integrate very easily into it. That would probably be the biggest task.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
it_user545001 - PeerSpot reviewer
Security Operations Center Manager at a financial services firm with 1,001-5,000 employees
Real User
Search capabilities are sufficient for most tasks. We need to see improved rule-based access controls and rule/event tuning.
Pros and Cons
  • "Search capabilities are sufficient for most tasks."
  • "Search capability and indexing still lag behind competitors. We also need to see improved rule-based access controls and rule/event tuning."

How has it helped my organization?

Log aggregation and event correlation did not occur in an enterprise fashion before this product. Troubleshooting more complex issues became much simpler with the addition of this product.

What is most valuable?

Search capabilities are sufficient for most tasks, although not as easy to use as some other products.

What needs improvement?

Search capability and indexing still lag behind competitors. We also need to see improved rule-based access controls and rule/event tuning.

The search capabilities in QRadar are decent in their ability to be granular but the methodology of search prevents the rapid and easy modification of search parameters as an analyst works through the hunting process.

There are several examples of this. Let’s say you add two or three parameters to your search using various filter methods.

You can quickly change items like the scope of time for your search or the presentation of data, but you cannot quickly change the other parameters such as the IP address you are looking for. So you have a search of 10.0.1.1, the system processes that search, but then you realize you need to search for 10.1.1.2 instead.

You have to delete the old IP and recreate it. At that point the search starts over from the beginning. In a system like Splunk, when using the filters, the query string is written for you and can be easily modified/edited on the fly. While that may still result in a search restarting, the manipulation of that search is faster and more efficient. This is just a single example.

What do I think about the stability of the solution?

I feel that some of the stability issues are attributed to our network. However, too many issues existed with the product and too many more appeared as they tried to fix different issues.

What do I think about the scalability of the solution?

We never scaled the product before we decided to remove it from our network. From all appearances, scalability was not going to be an issue.

How are customer service and technical support?

Technical support was OK at best due to the length of time before resolution.

Which solution did I use previously and why did I switch?

I used ArcSight at a previous company. I would much rather have a correctly scoped and built QRadar to manage. However, as a consumer of ArcSight, it was a very good product.

How was the initial setup?

I was not involved in the initial setup.

What's my experience with pricing, setup cost, and licensing?

Do your due diligence. I found other solutions, with more features at the same cost or less. You don’t have to leave the Gartner Magic Quadrant to beat their price.

Which other solutions did I evaluate?

I did not choose this product.

What other advice do I have?

Evaluate the product based on a full set of requirements and your security analyst workflow. Do not base your decision on the company name or promises of new abilities years down the line.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
it_user631740 - PeerSpot reviewer
Security Manager at a pharma/biotech company with 1,001-5,000 employees
Vendor
The search capability and data consolidation are some of the key features. I want to see a three-dimensional perspective of the data.

What is most valuable?

The search capability (I've used other solutions) and data consolidation are some of the key features.

How has it helped my organization?

For this organization, it was the first log management solution. So, it definitely gave us the ability to search through the data when we had events. We could search based on the identity of the person, or the machine, or the IP address. We could do a lot of different searches. We could also do payload searches, and depending on how much capacity you have, you can do quite a lot with it.

What needs improvement?

I want to see a three-dimensional perspective of the data. I don't want to see just an event perspective of the data. I want to be able to identify a user, and within clicks, know all the activity of that user. I don't want to see it in events. I want to see it in relevant information.

There needs to be a little bit more investment into enhancing the user interface. That is the main thing: making it represent an actual incident response state of mind, similar to how you would troubleshoot an incident. That is the main issue. It was a major position by IBM when they bought it. But we see a lot of things being done around the Cognitive side, around the Watson side. But what we're not seeing growth in is the actual tool's interface and usability. And that's what we wanted to see. We wanted to be able to see seamless identification of log sources, seamless categorization and normalizing of log sources, seamless alerts. In all those things, for the solution to mature, it has to be able to take data and make sense of it by itself, without a lot of input. And those are the areas where they can really improve it.

What do I think about the stability of the solution?

It's been stable. Stability hasn't been a problem, as long as you have enough capacity. It's all about sizing it right for the size of your environment. We do drop packets every day. So depending on how our log volume increases or reduces, you see the impact on the packets being dropped.

How are customer service and technical support?

We've used technical support and it hasn't been great. It didn't seem like we could get the answers we needed without having to use professional services. For a solution like this, little things like how to tune it, how to upgrade it; there are things that as a customer we don't feel the need to use professional services for. We want to be able to just find a document on how to upgrade, and that has been difficult to find.

Which solution did I use previously and why did I switch?

We didn't have a previous solution. We kind of inherited it as part of another acquisition from IBM, and then we scaled it up to meet our capacity.

How was the initial setup?

We got the basic functionality working, which is not difficult. It's getting the full value out of the solution, which is harder.

What other advice do I have?

From an analytics perspective, it's a good tool. But you have to have the resources to own it. It's not only about buying it. It's not only about capacity, but somebody has to care for and feed it. It's not one of those things that you can put in, walk away from and just consume the data. If you don't take care of it and feed it, you won't get what you need out of it.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
Du Hoac Kim - PeerSpot reviewer
Deputy Manager at sacombank
Real User
Straightforward and basic deployment, with reliable features, and genuine satisfaction
Pros and Cons
  • "The most valuable feature currently is security behaviors and the PDF files."
  • "I would like to see more integration in place after the security lock."

What is most valuable?

The most valuable features currently are the security behaviors and PDF files.

What needs improvement?

I would like to see more integration in place after the security lock.

For how long have I used the solution?

I have been using IBM QRadar User Behavior Analytics for a couple of years now.

What do I think about the stability of the solution?

The product is very stable.

How was the initial setup?

The initial setup was straightforward and took three to four months to deploy.

What about the implementation team?

We used a vendor team to assist us in the process of deployment.

What other advice do I have?

I would rate IBM QRadar User Behavior Analytics an eight out of ten.

Which deployment model are you using for this solution?

On-premises
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Yaw Agyare - PeerSpot reviewer
Managing Director at Volta River Authority
Real User
Great predictive analysis capabilities and provides good visibility
Pros and Cons
  • "We find predictive analysis capabilities valuable."
  • "The solution should include remote action capabilities."

What is our primary use case?

Our primary use case for the solution is providing visibility for what occurs in our security system and IT assets. So all our event logs and information from a setting and criticality level go there. Additionally, there's AI used to trigger alerts when things are going bad, and then we can action them.

What is most valuable?

We find predictive analysis capabilities valuable.

What needs improvement?

The solution should include remote action capabilities.

For how long have I used the solution?

We have been using the solution for approximately three years.

What do I think about the stability of the solution?

The solution is stable.

What do I think about the scalability of the solution?

The solution is scalable. Over 1,000 people in our organization use the solution.

How was the initial setup?

The initial setup is moderate, and it is neither easy nor difficult. However, it took approximately one week to complete the implementation.

What about the implementation team?

We implemented it through a vendor team.

Which other solutions did I evaluate?

We chose this solution because it was provided to us through software as a service.

What other advice do I have?

I rate the solution an eight out of ten. The solution is good but can be improved with enhanced remote control ability. I recommend the solution to new users considering it.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
DipeshBhawsar - PeerSpot reviewer
Architect at a financial services firm with 1,001-5,000 employees
Real User
Top 5
Easy to set up and expand but has too many false positives
Pros and Cons
  • "The scalability is very good. It's not a problem."
  • "I'm not sure about the stability just yet. We've observed a few issues and we raised a supporting ticket for it."

What is most valuable?

To be very frank, it's not that much help as of now. We are not getting that many insights from UBA, which we wanted, actually. As of now, we are exploring UBA, and we have installed it. It's still quite new.

The initial setup is straightforward. 

What needs improvement?

The solution is still new to us. Currently, it's a work in progress. I'm not in any particular position to tell what exact improvements are required. I will let a few more months go by before analyzing the overall UBA solution in QRadar to get to know it and reach a final understanding of this particular application.

There are a lot of things that require modification. That's my initial observation, however, I need more time and a few more months to get to know it and get a final understanding of the solution as a whole.

I want a reduction of false positives. I want crisp true positive incidents out of it. I want to see proper user behavior. Whatever algorithm is working in the background, that algorithm should produce accurate, true positive incidents and not false positives.

For how long have I used the solution?

We have been using QRadar as an appliance for the last four years; however, for the last six months, we have started using UBA.

What do I think about the stability of the solution?

I'm not sure about the stability just yet. We've observed a few issues and we raised a supporting ticket for it.

What do I think about the scalability of the solution?

The scalability is very good. It's not a problem.

How are customer service and support?

Technical support has been very supportive. We're largely satisfied with them.

How would you rate customer service and support?

Positive

How was the initial setup?

The initial setup is straightforward and simple. It's not very complex. 

We are using multiple features in QRadar. UBA is just one feature. We have 14 data nodes overall, we have almost 2,500 GB of data integrated with it, and we are using multiple applications in QRadar. We have a nine-member team that manages the overall QRadar architecture, not only UBA.

What about the implementation team?

We did a direct integration.

What's my experience with pricing, setup cost, and licensing?

I'm an architect. Normally costs and licensing are handled by senior management.

For UBA, they haven't asked for any extra charges or anything. It's included in the licensing.

What other advice do I have?

We're an IBM partner. We have platinum support with IBM.

We have segregated our data between on-prem and the cloud. All the on-prem data we have integrated with the QRadar. QRadar itself is an on-prem solution. We have QRadar hardware with us.

At this point, I would not recommend the solution to others. 

I'd rate the solution a six out of ten.

Which deployment model are you using for this solution?

On-premises
Disclosure: My company has a business relationship with this vendor other than being a customer: Partner