IBM Security QRadar Suite Software: SIEM & SOAR

In IBM Security QRadar , I used to work for a company that wanted to implement AI, generative AI, to help financials and banks improve their process of software development, including testing for their tools and all the releases they are doing for the improvements of the applications of software on the cloud.

IBM Security QRadar 's AI and machine learning capabilities for threat detection and response are exceptional, and Q Site is used to create panels and visualizations of software development processes. It's really fast and impressive compared to QuickSight . The detector library contributes significantly to its functionality. The main importance is the releases without any kind of security breaches, and IBM Security QRadar gives the opportunity to improve the time to market of the releases with a great evaluation of cybersecurity breaches. It's currently the top solution in the industry.

I assess the integration of third-party technologies with IBM Security QRadar's open architecture as lacking compared with what is available, because there are more genesis and solutions, but nothing compares with AWS  cloud solutions. The top integrations happen here. The only difficulty is when integrating with ServiceNow ; solutions from Microsoft, Google, Rackspace are really complex to integrate with ServiceNow , but Amazon is easier than other solutions.

I'm talking about IT Operation Management or hardware as management, DevOps or SecOps of ServiceNow, and those are really complex use cases to integrate with third parties, but Amazon does it better.

Overall, I would rate IBM Security QRadar an 8.5, because it depends on the use case, but there should be more focus on small and medium businesses, especially given the number of FinTechs and entrepreneurs in Mexico that require easier solutions with less budget. AWS  Cloud is amazing for macro projects on software development, but it needs to be more accessible for SMBs, which is why I give it an 8.5; there's room for improvement in that area.

With AWS as a cloud provider, I used to work for a company that implements solutions for AWS cloud solutions.

I would rate their customer service or technical support as the best in Mexico. The only issue is the language barrier sometimes, because customer support services are used from India, and that can be challenging. While I speak English, it's difficult to understand some accents. However, besides that, local support in Mexico has people ready to provide level one, level two, and level three support. When something complex arises, the ticket gets transferred to India or to third parties not in Mexico, but it's very difficult to scale a ticket that far. The customer support located in Mexico speaks Spanish and they help to resolve issues, depending on the agent.

Neutral

For the initial setup of IBM Security QRadar, you need to have the right people, but if you are a newbie to these kinds of solutions and want to do out-of-the-box implementations, Amazon provides out-of-the-box use cases that you can implement immediately, and the personalization is easy to accomplish.

In terms of return on investment, I have worked on exercises where the payback occurs within three or four months, which is very good for a cloud solution because implementation cycles can be really long. AWS gives the chance to implement a solution out of the box with use cases that are already in IBM Security QRadar. Solutions such as Q Business, Q Site, QuickSight  are already out of the box, so implementing and configuring a use case takes about two to three months, with the payback being almost immediate.

The pricing for IBM Security QRadar is not the best, but it's not the worst. It depends on how much you want to spend. The last time I worked with this technology was in 2023. The pricing reflects how much you want to spend for the results you want to have. If you want the best of the best, you go to AWS Cloud.

I rate IBM Security QRadar 8.5 out of 10.

We use IBM Security QRadar  to monitor, and it's our main source of information. It's our main SIEM  platform for our SOC, and we've collected everything on that platform.

We don't use IBM Security QRadar 's Risk Manager; mainly, it was our main tool to collect information and conduct some analytics on logs and events. That's the primary use case we've been utilizing.

The best features of IBM Security QRadar are that it's pervasive. You can have IBM Security QRadar in the dust quite easily, and almost everybody knows the platform. Almost nobody's going to say you bought the wrong SIEM  if you buy IBM Security QRadar.

The integration of third-party technologies with IBM Security QRadar is one of the high points they have. They integrate with almost anybody, anywhere. There's an integrator tool for almost anything. Everybody talks with IBM Security QRadar because they were the SIEM name of the game, at least in this country. So the integration part is one of their key advantages.

Long ago, IBM Security QRadar enabled us to have some analytics pre-thought for us. When we started with our SOC, we used some log collectors and other tools, and IBM Security QRadar gave us the advantage of having some analytics pre-considered for us. However, that was long ago. It has become just a log and events collector and our main repository of security events.

As far as reliability, security, and how it operates, I think it's because they hit first on the market, and then they built upon that, our name alongside the IBM name. Those are the reasons. It's quite awkward to use the platform; it's not intuitive, the learning curve is quite deep, and I really don't understand why it was so pervasive. However, if you have to sell managed security services to some people that use a SIEM, more than half the time you end up with an IBM Security QRadar platform on the other side. The other half you end up with WSO2, at least in Latin America.

I haven't tried IBM Security QRadar's AI and machine learning capabilities for threat detection and response fully enough to evaluate them yet.

We've been building our SOAR  capabilities with other tools, and we haven't used IBM Security QRadar's Analytics Engine for automating SOC tasks.

We are not using it as we used to, and I think that advantage is fading out, particularly after the selling of the product to Palo Alto. We are considering some roadmaps to get out of IBM Security QRadar right now; that's the truth.

We have been using IBM Security QRadar since pre-pandemic; I think maybe 10 to 12 years right now.

I find IBM support to be nice. However, as a former IBMer, I may have had some advantages in getting support because I had some contacts. The support information is correct; you get to the information and access the technical documents you need because the information is there, and they used to care about their product. I don't know how it's going to be once the program is fully under Palo Alto's management.

For the support team, I would rate IBM support an eight, a solid eight. With the support we used to have within IBM, it was good.

Positive

Setting up IBM Security QRadar is difficult; it has a deep learning curve for the analysts, and there are several hurdles to handle to get IBM Security QRadar running on your infrastructures. On the other hand, once you connect the dots, they keep sending the information, and you can continue getting those events.

The pricing, setup cost, or licensing with IBM Security QRadar was costly. It was costly mainly for the things we used to use it for. The customers used to pay the price, but it was one of the problems to onboard some people with IBM Security QRadar. It was costly mainly because of the value you can get right now compared to other solutions.

We are thinking about moving outside of IBM Security QRadar ecosystem due to cost and the belief that some functionalities of new SIEM platforms are surpassing IBM Security QRadar. We think they are not keeping pace with SIEM, which makes it harder for them to differentiate their product or compete against others that are cheaper and easier to deploy.

If you had asked me this question five or seven years ago, I would have given it a solid 10, maybe a nine, but today I believe they are losing track of that. The overall rating for IBM Security QRadar is seven out of ten.

We were partners when they were under IBM. We've been in an IBM program of MSSP  for Latin America, so we were partners of IBM Security QRadar when it was within IBM. However, with the selling to Palo Alto this year, we lost that partnership and are now just customers of a reseller.

We operate the platform for our customers. We don't have IBM Security QRadar for our own use.

For incident investigating, IBM Security QRadar  is used for logs and management. We get all the traffic from there, which gets logged in our system, and then we investigate it.

There are many things I appreciate about IBM Security QRadar . I haven't used any other SIEM  before IBM Security QRadar, so for me, it is perfect. Sometimes it takes time to load queries, but other than that, it performs excellently.

I would assess IBM Security QRadar's AI and machine learning capabilities as very helpful for threat detection and response. You have to fine-tune it sometimes with your own investigation, as sometimes they give false alerts about our system.

You have to put your own exceptions inside it, and then they won't give you another ticket about those false incidents.

Sometimes it takes time to load queries, but other than that, it performs excellently.

Personally, I have been using IBM Security QRadar for four months, but my company has been using it for three years.

I would rate their support an 8.5 with IBM. The support is really good; for instance, if a critical ticket is submitted, you will get paged right away as it gets logged, and their analyst will look into it, letting you know as soon as possible so you can work on it. If there is something bad going on or something faulty with IBM Security QRadar, when you reach out to them, they reply in 10 to 20 minutes.

Positive

I haven't used any other SIEM  before IBM Security QRadar.

I deal with products such as IBM or Elastic solutions. I have experience with IBM Security QRadar, but not with Elastic; however, we are trying to get into Elastic.

We use many different cloud providers as our main cloud provider. AWS  is one of those. We did not purchase the IBM Security QRadar product through AWS Marketplace ; that's handled by our IT team.

I work in a dealership industry, specifically in home hardware. It is easy to use; I wasn't familiar with it, but after getting one-on-one training with my senior, I was able to use it very efficiently and learned it quickly.

We use IBM Security QRadar's Risk Manager, but I don't use it directly as it's related to my senior. I investigate it, but those procedures are based on my senior's decisions. I have not used IBM Security QRadar's analytics engine for automating SOC tasks.

The integration of third-party technologies with IBM Security QRadar's open architecture is good; it integrates with other solutions efficiently. I have used it with many different platforms such as SentinelOne and ExtraHop, and it integrates effectively.

My company are customers with IBM. The overall rating for IBM Security QRadar is 9 out of 10.

Most of the use cases are based on MITRE ATT&CK, such as phishing email, DDoS attack, privilege escalation, all MITRE ATT&CKs with scanning the environments, using suspicious activity internal to our network. We have thousands of use cases covering different domains at network levels.

We have use cases covering security controls and firewalls. We also have use cases that cover Active Directory, server events, and Citrix. Because we are working in a telecom company, we are covering 5G and 4G logs.

The aggregations are valuable when creating use cases with aggregations, which is beneficial for us.

For automation, we are using multi-platform solutions. We have FortiSOAR  and IBM Resilient  for IBM Security QRadar  orchestration. We integrate with both IBM Security QRadar  and ArcSight, as we are working with customers who use both systems.

IBM Security QRadar has some areas for improvement. We have missed some DSM components. We need to customize logs where there is no DSM or connector for certain products.

We can integrate but we have missed the DSM, which is the connector to pass logs coming from different applications. For example, with a university customer, we tried onboarding Canvas service. IBM Security QRadar does not support Canvas, so we had to create custom scripts and workarounds to pull logs from Canvas.

We have been using the solution for around five years.

The deployment is straightforward and easy for both installation types: standalone console, all-in-one, or in distribution modes.

Currently, it is very stable.

For EPS license, if you increase or exceed the EPS license, you cannot receive events and IBM Security QRadar comes with this server. This issue existed previously when exceeding the limit for EPS license.

The customer service experience is mixed. For critical issues, they provide L1 support rather than expert support initially. The L1 support follows standard steps before escalating to the development team or expertise team. In critical situations, this process can be problematic. Support needs to understand the issue first, then escalate it to the engineering team. The engineering team then sends an appointment meeting about the issue. This process can result in outages lasting three to four hours.

Neutral

I have been in the cybersecurity field since 2012. I have experience with many cybersecurity products including IBM Security QRadar, Splunk, SOAR , IBM Resilient  SOAR , Phantom , and various security controls and products.

ROI calculation is more applicable when using SOAR rather than SIM. In SIM, you don't have functions or enrichment to check if an IP is malicious or different reputations or websites. With SOAR, you can calculate ROI. For example, when an analyst receives alerts on IBM Security QRadar Offense, they would typically take 10 to 15 minutes to check an IP in VirusTotal , AbuseIPDB, TotalVirus, and other sources. With SOAR, the workflow takes one minute or less to complete the analysis.

When comparing with Splunk, IBM Security QRadar's cost is reasonable. Splunk is more expensive than IBM Security QRadar.

We have machine learning for User Behavior Analytics  (UBA ), but IBM Security QRadar does not have AI connectors or integration with ChatGPT . Some SOARs are working with AI, such as FortiSOAR , which has chatbot and AI integration with ChatGPT  to create playbooks, assist analysts in exporting reports, and provide recommendations for alert responses.

This implementation process receives a rating of six. In UAE, we have strict restrictions regarding compliance, particularly NIST compliance. Most companies should have local LLM, not public. Most SIM solutions or SOAR don't have the capability to build or need custom connectors for using AI with internal LLM, rather than cloud-based solutions ChatGPT or Gemini. Overall, I would rate IBM Security QRadar an eight out of ten.

Neutral