IBM QRadar Review
Douglas Concepcion | TrustRadius Reviewer
November 13, 2019

Score 7 out of 10
Vetted Review
Reseller

Overall Satisfaction with IBM QRadar

QRadar is primarily being used by companies to increase the visibility of their operational environment. It is used as the central correlation engine for relevant event sources. It is almost always the central piece of their SOC, assisting the analysts in quickly determining risks to the organization. The deployment footprint varies from client to client driven by required coverage area and cost.
  • It is easier to deploy than most SIEMs.
  • Its correlation engine, in my opinion, is the best of any SIEM.
  • The GUI, when compared to most other SIEMs, is easier to work with.
  • It is a mature SIEM with a better than average level of support.
  • As with all SIEMs that I'm aware of, it relies on supervised machine learning. This is a major weakness in today's threat landscape.
  • As with all SIEMs, the more event sources it needs to correlate, the slower it becomes. This becomes an issue as the deployment footprint increases; a solution needs to be developed to address this limitation.
  • The ability to customize the GUI and reporting per user needs some improvement.
  • ROI is a very tough calculation to achieve when it comes to cyber events. The reason is: how do you rate damage to the brand, e.g. Target? Loss of confidence in a brand can easily lead to a company going bankrupt - how do you measure that?
  • QRadar is in line with most other SIEMs in its category in TCO.
  • QRadar will lower the TCO and ROI of a security team's cost, due to its ability to perform most of the investigation and remediation recommendations.
Splunk Enterprise Security, I've found, is the easiest of all major SIEMs to deploy due to its event normalization capabilities. It lags behind QRadar in event correlation but is better in user GUI customization. One area where QRadar beats it is cost. Splunk starts off cheap, but as you expand (due to its licensing model), it quickly becomes very expensive. It is the monster that keeps on feeding.
QRadar, being a mature product, has many different information resources to tap into, and the quality of the IBM engineers is usually higher than that of most other vendors.

Do you think IBM QRadar delivers good value for the price?

Not sure

Are you happy with IBM QRadar's feature set?

Yes

Did IBM QRadar live up to sales and marketing promises?

Yes

Did implementation of IBM QRadar go as expected?

Yes

Would you buy IBM QRadar again?

Yes

HCL BigFix (formerly from IBM), HCL AppScan (formerly from IBM), Darktrace
QRadar is well suited for any SOC and it would always be my first recommendation for this kind of deployment.
The biggest issue it has is cost for small to midsize companies looking to deploy it; it very quickly becomes cost-prohibitive. Another issue it, and every SIEM that I'm aware of, needs to address is east-west traffic visibility. Flows by default only give you at most sixty data points, which is not enough in today's world.

IBM QRadar Feature Ratings

  • Centralized event and log data collection: 8
  • Correlation: 10
  • Event and log normalization: 8
  • Deployment flexibility: 7
  • Integration with Identity and Access Management Tools: 7
  • Custom dashboards and views: 6
  • Host and network-based intrusion detection: 9