4 out of 5.0, Reviewed Aug 16, 2016
QRadar scales very well. We went from collecting primarily from network devices (Syslog, SDEE, and NetFlow) with their out-of-the-box collectors, and then we began collecting the logs from our web gateway, domain controllers, and anti-malware system for a more holistic view. Now, multiple new security products that we're implementing will be populating the system as part of a large cybersecurity initiative. We face some challenges as some of the newer devices will require the development of a custom collector. More agility by the vendor in building out standard log collectors for enterprise-level network security products (such as Cisco Web Services) would be appreciated. Overall, security event identification is pretty intuitive and easy for level 1 analysts to understand and follow up on. And overall, reporting seems to work well without leveraging an external reporting tool.
The intuitive nature of their dashboard and creating queries is very helpful for my team.
I would like more agility in the event/log collector space.
Integration with legacy device log and event collection is fairly broad, but I would like to see more R&D around newer technologies that we are leveraging. As an example, QRadar has an out-of-the-box collector for Websense logs, but now that we are moving to Cisco Web Services we will need to build a custom collector. Creating a custom collector will require additional training for our team, or we will have to spin up a project to pay IBM to develop the collector for us.
We have a very responsive support team that checks in on a regular basis. They recommend development partners to provide resolution for specific use cases, such as event ticketing.
The system itself is very stable, product updates are easy to manage, and it integrates well into our existing infrastructure.
4 out of 5.0, Reviewed Jun 22, 2016
QRadar works as advertised. It is a bit complex to set up and tune, but once it is fully operational, it is pretty rock solid.
Expect to spend a lot of time configuring and tuning any SIEM. QRadar is no exception.
It is stable and functional.
Complexity of setup and tuning.
Common integrations should be automated more.
We could have done a better job with pre-planning and scenario analysis in advance of deployment.
It was relatively easy to get support for complex issues from second and third level technical support.
Setup of QRadar was relatively complex, but that is to be expected in the SIEM space.
5 out of 5.0, Reviewed Jun 14, 2016
Overall it has been a very positive experience; they answered the RFI/RFP comprehensively and helped us with the proof of concept. They also help you in relation to architecting the solution, but you need to be sure you are clear with the scope and you ask a lot of clarifying questions. Their implementation team (also known as the Labs team) is very strong and makes a difference on your implementation. They also have very good support and a good knowledge base. And they are always looking forward in relation to the industry and what's on the horizon, including the cognitive area.
If you decide to go through a SIEM acquisition, invest the resources (time and people) to fully realize the solution. You cannot just leave it alone after the initial implementation and expect it to work with no issues. Once you commit, it is for a long time. I often call this a forever project.
They have been constantly developing the solution addressing the customer needs.
Lack of a message bus to address the challenge of sending events to a single destination instead of the different event processors.
Clarify the licensing better especially on how it relates to a per appliance basis.
We would be more selective in relation to the events and log sources, as well as developing more relevant use cases instead of using the out-of-the-box use cases. Prioritizing earlier against the critical assets that have ease of implementation would have allowed the quicker win.
The product has one of the strongest capabilities in relation to security monitoring ranging from a comprehensive number of log sources including network flows. They also have the ability to extend the capability through its APIs as well as support for custom event sources. Their search capability is very good and more than meets our requirements. Further enhancements to their platform including cognition and machine learning will make it a stronger product.
Assuming you have gotten the correct level of support, their support team is very knowledgeable to help address your issues. Generally, they have been timely in their response. But it is important that you know when to escalate as well.
4 out of 5.0, Reviewed Jun 14, 2016
Working with the partner to implement the tool was great. The vendor knew the tool and was able to effectively implement for the organization.
3 out of 5.0, Reviewed Jun 14, 2016
Architecture and implementation were relatively straightforward. Designing and implementing specific SIEM use cases at the infrastructure and application level was generally straightforward, with a number of the parsers being out of the box. The challenge was having IBM work on unique use cases.
Understand your environment and log sources and what types of events (and volume) they generate.
Industry recognized, and a number of out-of-the-box parsers.
Understand application and infrastructure use cases more and how parsers would need to be built out.
Applications are a challenge to integrate, especially custom built ones.
4 out of 5.0, Reviewed Jun 13, 2016
Client agent for Windows logging is a little clunky. Need an automated push of the client and key.
Do a scorecard for comparing different solutions. They vary a lot in capabilities and functionality.
Solid performance for a wide variety of events.
Full visibility requires several modules to be purchased.
Better pricing from IBM directly. IBM's quote was 3 times the 3rd party reseller.
More time in actual bake-off.
4 out of 5.0, Reviewed Jun 13, 2016
Product is stable and performs well. Difficulties with integration partner and licensing/cost model complexity.
Understand your volume (EPS/bandwidth) ahead of time or you will be nickel-and-dimed on incremental costs.
Capabilities and roadmap for additional features/functionality.
Go directly to IBM for the professional services, architecture and engineering assistance (not a 3rd party).
4 out of 5.0, Reviewed Jun 13, 2016
The implementation itself was relatively straightforward. The challenges with the product have been primarily isolated to filtering out the noise and getting the solution to provide the alerting and reporting that we need to determine what is actually happening in our environment.
Make sure that you have dedicated appropriate resources to managing your SIEM environment. This is not a set it and forget it technology.
5 out of 5.0, Reviewed May 24, 2016
QRadar is an immensely powerful platform. It allows us to easily customize rules, offenses, and reports to match our environment and our maturity.
Architecture and planning are key for deployment success. Careful consideration of people and processes is vital for tuning QRadar's massive set of building blocks, rules, and offenses to match your organization's security strategy and incident response plans.
Makes it easier and faster to dive into complex trends and issues to find real incidents that require attention.
Long learning curve, and some offense and rule explanations don't provide enough useful insight.
As with any complex product, more documentation, particularly in the form of how-to and explanatory videos around tuning, would be much appreciated.
Set up a dedicated event processor just for the Firewall logs from the get-go.
4 out of 5.0, Reviewed May 11, 2016
Great product and excellent value.