What is our primary use case?
Our primary use case was for compliance audits. We mainly used it for compliance purposes.

What is most valuable?
IBM Security QRadar had good rulesets, and the scenarios we could write regarding the compliance-related issues were quite helpful. We mostly used it for prevention.

What needs improvement?
The commercials can be looked into. The costing part could be improved.

For how long have I used the solution?
I have been using the solution for around three years.

What was my experience with deployment of the solution?
There were no issues at all. It was straightforward.

How are customer service and support?
I was satisfied with IBM support.

How would you rate customer service and support?
Neutral

Which solution did I use previously and why did I switch?
We switched mostly for commercial reasons.

How was the initial setup?
The initial setup was straightforward. It took a couple of weeks because we had to set up the rules and other configurations.

What's my experience with pricing, setup cost, and licensing?
The costing part, or commercials, was a concern.

What other advice do I have?
I would rate IBM Security QRadar nine out of ten. The main reason for moving from this tool was the pricing.

If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?
Other

Disclaimer: I am a real user, and this review is based on my own experience and opinions.
What is our primary use case?
I use it daily because it's shared as a log alert, and we have a security operations center. Every now and then, and almost every day, there are some alerts. I utilize it every day, twenty-four by seven, as you can see.

What is most valuable?
Actually, the dashboard is very good. The dashboard is easy to use and easy to understand what's going on and what the alerts mean. It's very user-friendly, I would say. So far, it's very good. Recently, I faced an incident, a cyber incident, and it was detected in real time. It correlates well with other solutions. I have EDR, vulnerability, and IPS, and it shows useful findings for root cause analysis.

What needs improvement?
There are many types of AI, and this AI is very limited in SQL and features. There may be potential for improvement. So far, it seems very limited. It shows some good features in the correlation part, but I think there is room for improvement. For instance, when creating rules, it can suggest more rules, reducing the effort needed. If AI-related support can suggest rules and integrate with existing security devices like MD, IPS, this SIM can create more relevant rules. Sometimes logs I receive don't mean anything, and I need technical stakeholders to share or forward logs, but these are sometimes inadequate. Keywords can help identify insufficient logs. I often lack time to verify logs. Sharing false positive results could be reduced to help my team.

For how long have I used the solution?
I have been working with the product for the last four months.

What do I think about the stability of the solution?
The product has been stable so far. I didn't face any issues after deployment. I haven't encountered any software deployment issues, although I have only used it for four or five months. I might face issues after a year, two years, or with a major release or software update.

What do I think about the scalability of the solution?
I am satisfied with the scalability. It depends on my budget. How much I spend on licensing size is up to me.

How are customer service and support?
I received very good support, possibly due to a good relationship with IBM. I don't know about other companies, but I am happy with the support.

How would you rate customer service and support?
Positive

Which solution did I use previously and why did I switch?
Previously, I had another SIM before IBM brought it up, but I couldn't correlate with different solutions. Now it saves me at least one hour, sometimes up to three hours. I used Micro Focus, which I think was acquired by another company, possibly OpenText. The ownership changed. I am very satisfied with QRadar compared to OpenText. It's superior. I am not sure which one is best, but so far it is. My people had good training and needed to invest time to get good results.

How was the initial setup?
The initial setup was very difficult. I needed help from the local partner and expert users. Without expert users, it's challenging to deploy.

What about the implementation team?
Assistance from the support system is always needed.

What was our ROI?
It's still very early, but I have saved significant damage. Investing this amount was very much worth it for my organization.

What's my experience with pricing, setup cost, and licensing?
The cost depends. The price I negotiated varies by region and relationship with the OEM. Cost is not shared due to another procurement team handling negotiations, but it was reasonable as far as I know.

What other advice do I have?
My advice is to understand your infrastructure first. Assess the size before sending any protocol requests or RFPs to adjust licensing costs. You may procure licenses less or more than needed, impacting finances. Analyzing your infrastructure is crucial, considering the logs and security issues you will set. Trained personnel are necessary. Without them, usage is challenging. Overall, the product rating is eight out of ten.

Which deployment model are you using for this solution?
On-premises

Disclaimer: I am a real user, and this review is based on my own experience and opinions.
What is our primary use case?
I am using QRadar, like standard SIEMs, for security monitoring for information systems.

What is most valuable?
I use standard rules and special user-defined or correlation rules. I also use behavioral analysis for users. Additionally, there is limited integration with other systems. IBM is seeking information about IBM QRadar because a part of QRadar, especially in the cloud, has been sold to Palo Alto.

What needs improvement?
Improving the integration with IBM Server for MetaMask for correlation rules would be beneficial. Currently, I use Sentinel in Azure, and I would prefer creating one rule to roll it out to both Sentinel and QRadar. However, this is not possible because QRadar lacks this capability.

For how long have I used the solution?
I have been using QRadar for five or six years.

What do I think about the stability of the solution?
I think QRadar is stable and currently satisfies my needs. However, there is uncertainty about the future because if IBM sold part of QRadar to Palo Alto, it would be a concerning signal.

What do I think about the scalability of the solution?
Scalability is fine. It is one of the three well-known SIEMs.

How are customer service and support?
I am unsure because the problem escalates through level one to level three, and then the process starts over with Novo again. This is problematic for technical support.

Which other solutions did I evaluate?
I am not personally using it. These boxes are in use within my company.

What other advice do I have?
In the middle of evaluating, I am looking for some information about comparison boxes or licenses, products, and so on. I am interested in this issue, but I will not purchase it personally. We have a plan for internal projects for this. Product rating: five out of ten.

Which deployment model are you using for this solution?
On-premises

If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?
Microsoft Azure

Disclaimer: I am a real user, and this review is based on my own experience and opinions.
What is our primary use case?
I have experience with SIEM solutions, one of which is Microsoft Sentinel. I often confuse the names, but I mean Sentinel. I also have experience with QRadar. In the past, I worked with Elasticsearch. I have generally configured some integrations, for example, between QRadar and other production environments for sending custom logs, though not all of them. I have been doing this for about two to three years. Usually, devices do not send CF in syslog or CS format logs, so we often troubleshoot on a Vural collector. Sometimes a device does not send the packet to a local collector, and we troubleshoot from the local collector's side. My colleagues and I generally use this management for production. I have integrated some network and security devices to send logs. In Turkey, there are regulations by the government that require collecting Internet traffic from VDS users. We need encryption on each log on QRadar. I focus on setting up this configuration. Our customers use Cisco StealthWatch, formerly known as NDR solutions, and we integrated these logs with QRadar and StealthWatch because we prefer not using all of them on NDR solutions. We send specific logs from StealthWatch. This integration is basic, not advanced, though there are some easy API integrations for communication between devices.

What needs improvement?
I think there is room for improvement with correlations in QRadar, especially in terms of customer logs. We receive logs from different types of devices and need a way to correlate them effectively. This would help identify critical or high-priority alarms in QRadar. Perhaps we are missing parameters in QRadar and need to double-check to enhance functionality.

For how long have I used the solution?
I have used the solution for approximately two to three years.

What do I think about the stability of the solution?
We sometimes experience downtime, but it depends on the version. There is some variability.

How are customer service and support?
Our partners in Turkey support QRadar integration because our team does not manage all aspects. We usually rely on local partners for support. They assist with advanced issues, such as hardware or other problems, that are not part of standard operations.

How would you rate customer service and support?
Positive

What other advice do I have?
All technologies are advancing towards AI integration. It is essential to integrate AI capabilities into devices to keep pace with future technologies and integrations. We should configure AI technologies in these products, though we currently lack experience and information. My overall rating for this solution is nine out of ten.

Disclaimer: I am a real user, and this review is based on my own experience and opinions.
What is our primary use case?
I'm working with the on-prem version of IBM Security QRadar. We initially deployed it with the help of IBM's professional services for a client, but now we handle deployments ourselves. The process is quite straightforward for us because we gained knowledge from our first implementation and used the available documentation. Deployment takes a couple of hours the first time, including configuration and integration with third-party devices. I usually work with a colleague, so two people handle the deployment. Our environment is well-suited for this, and we're using it on a virtual appliance. The experience has been smooth and efficient. We are promoting QRadar to various financial institutions, including banks and microfinances, as a superior option compared to other vendors like Fortinet. While some institutions are using other solutions, we are encouraging them to switch to QRadar for better security.

How has it helped my organization?
We monitor tweets and other activities on the IBM Security QRadar portal. Once, we noticed unusual traffic patterns, like tweets triggering alerts, and we blocked that traffic. We also detected some security issues on the APM through the portal, which was a great experience. As for integration, we've successfully integrated QRadar with other security products like Cisco, Fortinet, and Check Point. Initially, we worked with IBM's professional services to guide us through the integration process, and after that, we were able to follow their steps to integrate third-party devices ourselves. QRadar has a significant impact on operational costs for clients. For example, we're recommending QRadar to several banks due to its effectiveness in handling high traffic and preventing scams. The banks we've worked with are very satisfied and are encouraging others to deploy QRadar as well.

What is most valuable?
I think QRadar is great overall. We've had a positive experience with it and recommend it for deployment. However, there are areas for improvement. The technical support is good, and the documentation is valuable, but it could be enhanced, especially regarding integration with other systems. In terms of support and updates, QRadar's capabilities are crucial for maintaining high security standards. Network and software administrators can monitor all traffic effectively, which reassures clients and drives further adoption.

What needs improvement?
For future updates, I'd like to see more advanced threat intelligence features integrated with AI. This would help with analyzing traffic patterns and improving protection. QRadar currently doesn't integrate with AI for threat analysis. However, AI could enhance its capabilities by learning traffic patterns and automatically blocking or quarantining suspicious traffic. This would be especially useful when administrators are not actively monitoring. AI could help by analyzing incoming and outgoing traffic and adjusting policies accordingly.

For how long have I used the solution?
I have been using IBM Security QRadar for the last one year.

What's my experience with pricing, setup cost, and licensing?
As for licensing costs, I haven't seen the exact figures, but it is considered somewhat costly. On a scale from one to ten, where one is very expensive and ten is very cheap, I would rate it a six: it's costly but worth the money.

What other advice do I have?
Overall, I would rate IBM QRadar as a ten.

Disclaimer: My company has a business relationship with this vendor other than being a customer:
What is our primary use case?
Basically, it is a product that serves as an SIEM solution, and its main competitor is Splunk. Splunk and IBM are lookalike tools. IBM Security QRadar hosts a panel where you can feed just about anything you can think of in terms of electronics as it relates to security, along with other elements of infrastructure. The tool provides notification of events.

What is most valuable?
The most valuable feature of the solution is its ability to rectify a situation involving any anomalies expeditiously.

What needs improvement?
I am dealing with the tool from an arm's length. I am not sitting right in the middle of things in my position. I work in the sales position, and as far as sales marketing is concerned, I am not qualified to speak about what needs improvements in the tool. IBM is in there with the client, and they pretty well have them covered in a lot of different areas. If the customers are doing their job and they are running the business the way they ought to, then IBM is in a position to do a good job for most of the clients. Communication between the silos sometimes becomes an issue, making it an area where improvements are required.

For how long have I used the solution?
I have been using IBM Security QRadar since 2015 or 2016.

What do I think about the stability of the solution?
The solution's stability is pretty good. The tool has been there in my company over a long period of time. It is a solid product. IBM doesn't produce junk, and if it does, then such tools are taken off the market pretty quickly.

What do I think about the scalability of the solution?
Scalability-wise, I rate the solution an eight out of ten. The tool is used by government contractors who are our clients. The tool offers plug-and-play options, and it does not even involve APIs, making it pretty easy. IBM Security QRadar's interface is useful. The product is highly competitive. Though Splunk has become a standard tool, IBM Security QRadar is still out there even though it is not number one.

How are customer service and support?
I rate the technical support an eight out of ten.

How would you rate customer service and support?
Positive

Which solution did I use previously and why did I switch?
The main difference between Splunk and IBM is that the former one is on the edge in terms of innovation, but the latter one is not that good. Compared to IBM Security QRadar, IBM X-Force is good.

How was the initial setup?
On a scale of one to ten, if ten means easy, I rate the product's initial setup phase as an eight. As long as you have your policies and if they all relate to security and other areas like infrastructure, then the rules are pretty easy to feed into the product. The time needed for the product's deployment phase depends on how the entity, the client, has its policies and rules set up. I don't want to say the tool is like a plug and play product because nothing really is in today's market. The tool offers ease of use and integration. I rate the tool a seven to eight for the ease of use and integration it offers.

What was our ROI?
The tool's ability to redeploy resources, like manpower, is about the same as that of other competitors. The benefit the tool offers is the protection and the ability to act on whatever the situation might be quickly, efficiently and terminate whatever is happening. The tool is useful to the bottom and helps with the remediation part.

What's my experience with pricing, setup cost, and licensing?
The tool is priced in a competitive manner. The tool's price is dependent on the installation and the product size, but it is competitive in the marketplace. The marketplace right now is being set by Splunk, which offers a pretty good deal if someone wants it. As a matter of fact, I would say that out of who we are working with right now, Splunk is the major one.

What other advice do I have?
Speaking of how the tool handles real-time threat management in our specific industry, I would say that for our company's services, which are used with Crows Nest Software, we face the product as per the policies and rules that are set up within an entity or a client. For instance, if we see an anomaly, like if I send you an email, and we are within the same company, or I am within this ABC company, and you are external to it. If I am sending you information that I am not allowed to send outside of the company, what happens is we can either stop it ourselves, especially if that is what the instructions are through the policy, or if the client says, then we send such information to IBM Security QRadar and as per the instructions and policy, they can terminate it or do what they will with it after it is terminated.

Speaking about how anomaly detection has impacted security operations, if I consider it from a dollars and cents point of view, I would say that if I am sending you something that is intellectual property and they stop it, it is like you can put a price tag on it after it is leaked, but prior to it, things could seem hard. For instance, if I am a nefarious individual in a company, then in most cases, I would be sending information outside of the organization to somebody who is in the government or serves as a contractor of a nation or a state. They can then take such information and build whatever they want as far as the competition is concerned and be in the competitive marketplace with my product. Such instances happen all the time with government contractors. When I say government contractors, they are those who deal in military hardware development, and, for that matter, they may be involved in a business revolving around air conditioners. In the market concerning air conditioners, there might be someone who has perfected a new way of pulling moisture out of the air and making it into ice cream, which may seem ridiculous.

In the tool, the rules are really external. The good rules are external, and when I say that, it means it goes with the development of your security policies or your policies in general as they relate to security. When sitting down with the client, to be honest, what happens is that if they are installing something like this and they are developing rules and policies to go with it, it acts as an eye-opener for a lot of folks. With some companies, we classify data according to what we are able to pull. Suppose it is data that we have been given access to. In that case, we can determine and produce how it is in a snapshot over a two-week period and sit down with a client or somebody like a consultant firm to help in the area of BPM or something that can be like a spin-off of KPMG, and they do an excellent job of working with us to prepare policies and rules, and those can be easily, you know, migrated or installed into any product, like Splunk and IBM Security QRadar.

IBM offers Watson for machine learning and artificial intelligence. I feel IBM has done a pretty good job with it. We have partnered with various groups and companies that enhance their products, and we are continuing to do that. Since we utilize machine learning and AI from the start, we are well-versed in both areas. Additionally, we are working on something innovative with blockchain, as well as collaborating with another company focused on classification. There are companies on the periphery that specialize in the classification of various things, and they do tasks we don't handle on the front end. They provide us with information, and we share it, enabling us to interface more effectively with platforms like Splunk, QRadar, or others. I rate the tool an eight out of ten.

Disclaimer: I am a real user, and this review is based on my own experience and opinions.
What is our primary use case?
I have worked on several use cases, including creating custom ones. QRadar also provides built-in use cases.

How has it helped my organization?
Once integrated, you gain comprehensive visibility into all threats. The user behavior analytics module is particularly strong, and adding features allowing integration with third-party threat intelligence services enhances the analysts' ability to identify threats.

What is most valuable?
The best aspect of QRadar is its user-friendliness. Unlike other solutions requiring query language knowledge, QRadar is entirely GUI-based. This makes it easy to use and understand without learning any query languages.

What needs improvement?
People are increasingly moving towards big data tools, so QRadar needs to enhance its compatibility. For example, QRadar does not integrate with SAP HANA, widely used in large industries. Similarly, QRadar lacks support for integrating with Fortinet's firewall management services, resulting in limited visibility. It is still in its early stages. AI analytics require further development because, in my experience, they often generate false positive alerts.

For how long have I used the solution?
I have been using IBM Security QRadar for seven years.

What do I think about the stability of the solution?
It is very much stable.

What do I think about the scalability of the solution?
On-premises deployments can be challenging to scale. In contrast, cloud solutions offer much greater scalability; you simply place an order for the required EPS, get approval, and then proceed. This process is more straightforward and faster than on-premises setups.

How was the initial setup?
The initial setup is user-friendly and straightforward, making deployment easy. However, compatibility issues with other security controls still need to be addressed. It provides a 35-day period for project enablement. This timeframe is too short and should be extended to 45 or 50 days.

When deploying QRadar on-premises, we assess the organization's size to determine the required number of UPS units, application servers, and other necessary hardware. Once these requirements are identified, we proceed with the deployment. We face challenges in the deployment phase, especially when working with an MSSP license. The main issue is with QRadar's multi-tenancy, which often causes the system to crash. Their support services are not very helpful in addressing these problems. We allocate two working days for the deployment of QRadar for our customers. Our team includes a senior engineer who communicates with the client and a junior engineer responsible for deploying and installing other services. The deployment time can vary based on the size of the setup. Large deployments, such as those with 20,000 to 25,000 EPS for corporate clients, take longer due to the need for multiple hardware servers. In such cases, it can take several days. QRadar can be installed in about three to four hours for smaller setups.

What's my experience with pricing, setup cost, and licensing?
The price is lower than Splunk but remains high compared to other SIEMs like LogRhythm, Elastic, and RSA. For example, 1,000 EPS costs around $55,000. While it's somewhat more affordable than Splunk, it is still higher than LogRhythm, Elastic, and RSA.

What other advice do I have?
QRadar offers a clean solution with straightforward integration for various devices. Once you define your scope, you effectively gain visibility into it. When comparing QRadar to other SIEM solutions like GloD and Splunk, QRadar lags behind other modern advancements. While new SIEM solutions focus on data lakes and big data, QRadar continues to rely on traditional correlation modules. QRadar should prioritize R&D and product improvement. Their support services have also declined and need attention.

In QRadar's user behavior analytics, we observed an alert triggered by an unusual login attempt from one of our administrators. While monitoring alerts during my shift, QRadar's anomaly-based detection identified a login attempt outside normal hours. The system detected this as a deviation from the established baseline since the administrator had never logged in at that time before. This triggered the alert, helping us identify the compromised account.

QRadar requires ongoing maintenance, and running it effectively often depends on support from engineers. Unlike big data tools, QRadar can struggle with integration and may require fine-tuning, restarts, or troubleshooting if issues arise. Since its merger with other companies, we've encountered many problems and have experienced delays in receiving timely technical support. You don't need to learn any additional tools to use the system. It allows you to create dashboards from a management perspective, and its user behavior analytics work very well, although the AI analytics module is still developing.

When handling compliance requests or forensic investigations, an SIEM solution like QRadar is essential. It helps pull up logs and identify what happened during incidents or breaches. The time required for investigation depends entirely on the impact of the attack. Sometimes, only a single device or network is compromised, which may be resolved quickly. However, the investigation takes longer in cases where the scope is broader, involving multiple devices and networks. The timeframe is driven by the extent of the incident, not just by QRadar.

QRadar is a good product. In Pakistan, many financial sectors are starting to shift towards other solutions. South Asia, particularly Pakistan, has a growing trend towards Splunk. Similarly, there is a shift towards Splunk, LogRhythm, and RSA in the Gulf region. Overall, I rate the solution a seven out of ten.

Disclaimer: My company has a business relationship with this vendor other than being a customer: Partner
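The baseline-based detection the review above describes (an administrator login at an hour never seen in that user's history raises an alert), written out as an added example; this is not QRadar's own logic or the reviewer's code, and the syslog-style line format, host names, user names and every sample line are constructed for the illustration. It also adds the minimum-history check a practitioner would want so that users with almost no baseline do not generate the false positives the reviewer complains about.

```python
"""Baseline-based detection of logins at never-before-seen hours (added example).

Approximates the user-behaviour-analytics scenario from the review: learn which
hours of the day each account normally logs in, then alert on a login whose hour
is absent from that account's baseline. All log lines below are constructed.
"""
from collections import defaultdict
from datetime import datetime
import re

# Constructed line format (not a real QRadar or sshd layout):
#   "<ISO-8601 timestamp> <host> sshd: Accepted <method> for <user> from <ip>"
LOGIN_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd: Accepted \w+ for (?P<user>\S+) from (?P<ip>\S+)"
)

# Accounts with fewer observed logins than this have no meaningful baseline yet,
# so deviations for them are not alerted (they would mostly be false positives).
MIN_BASELINE_EVENTS = 5

# Constructed learning-period logs: "admin" works office hours, "intern" is new.
BASELINE_LOGS = [
    "2024-03-04T08:02:11 bastion01 sshd: Accepted publickey for admin from 10.0.0.5",
    "2024-03-05T09:15:40 bastion01 sshd: Accepted publickey for admin from 10.0.0.5",
    "2024-03-06T10:47:03 bastion01 sshd: Accepted publickey for admin from 10.0.0.5",
    "2024-03-07T14:30:22 bastion01 sshd: Accepted publickey for admin from 10.0.0.5",
    "2024-03-08T16:58:09 bastion01 sshd: Accepted publickey for admin from 10.0.0.5",
    "2024-03-11T09:01:55 bastion01 sshd: Accepted publickey for admin from 10.0.0.5",
    "2024-03-07T09:20:00 bastion01 sshd: Accepted password for intern from 10.0.0.9",
    "2024-03-08T10:05:00 bastion01 sshd: Accepted password for intern from 10.0.0.9",
]

# Constructed detection-period logs: one 03:12 admin login is the deviation.
NEW_LOGS = [
    "2024-03-12T03:10:40 bastion01 sshd: Failed password for admin from 10.0.0.77",
    "2024-03-12T03:12:05 bastion01 sshd: Accepted publickey for admin from 10.0.0.77",
    "2024-03-12T09:05:13 bastion01 sshd: Accepted publickey for admin from 10.0.0.5",
    "2024-03-12T02:00:00 bastion01 sshd: Accepted password for intern from 10.0.0.9",
]


def parse_login(line):
    """Return (user, timestamp) for an accepted-login line, or None for any other line."""
    match = LOGIN_RE.match(line)
    if not match:
        return None
    return match.group("user"), datetime.fromisoformat(match.group("ts"))


def build_baseline(lines):
    """Learn, per user, the set of hours-of-day seen in successful logins and how many there were."""
    hours = defaultdict(set)
    counts = defaultdict(int)
    for line in lines:
        parsed = parse_login(line)
        if parsed is None:
            continue  # failed logins and unrelated lines do not shape the baseline
        user, ts = parsed
        hours[user].add(ts.hour)
        counts[user] += 1
    return {user: {"hours": hours[user], "count": counts[user]} for user in hours}


def detect_anomalous_logins(baseline, lines):
    """Return one alert per successful login whose hour the user's baseline never contained."""
    alerts = []
    for line in lines:
        parsed = parse_login(line)
        if parsed is None:
            continue
        user, ts = parsed
        profile = baseline.get(user)
        if profile is None or profile["count"] < MIN_BASELINE_EVENTS:
            continue  # not enough history to call this a deviation
        if ts.hour not in profile["hours"]:
            alerts.append({
                "user": user,
                "time": ts.isoformat(),
                "baseline_hours": sorted(profile["hours"]),
            })
    return alerts


def run_example():
    """Learn from BASELINE_LOGS, then evaluate NEW_LOGS; returns the alert list."""
    baseline = build_baseline(BASELINE_LOGS)
    return detect_anomalous_logins(baseline, NEW_LOGS)


if __name__ == "__main__":
    for alert in run_example():
        print(f"ALERT: {alert['user']} logged in at {alert['time']}; "
              f"baseline hours were {alert['baseline_hours']}")
```

Only the 03:12 admin login is reported: the 09:05 login matches the learned hours, and the intern's 02:00 login is suppressed because two prior logins are too few to define a baseline.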
What needs improvement?
One major drawback we are facing is in the area of IBM Security QRadar integration with flat file databases. IBM Security QRadar does not support flat file database integration. We are currently facing an issue with respect to the database, which you normally call a NoSQL database. There is no direct integration mechanism available with IBM Security QRadar. We have to approach IBM and generate a ticket so that they can develop a custom method for the integration. In database integration, we are facing issues with IBM Security QRadar. The solution does not support the integration of flat file databases. Certain organizations have flat file databases. IBM does not support direct integration with some databases. We had to create a plug, and we requested IBM to develop a parser, but it is taking IBM a couple of months to develop it. I think a flat-file database should be supported directly instead of developing a parser plugin. There should be a more refined threat intelligence platform, and cross-integration should be possible with locally available threat intelligence platforms.

For how long have I used the solution?
I have been using IBM Security QRadar for three years. I use the solution's latest version.

What do I think about the stability of the solution?
Stability-wise, I rate the solution a seven out of ten.

What do I think about the scalability of the solution?
It is a scalable solution. With respect to threat intelligence platform integration with locally developed software solutions, IBM works on and provides certain sorts of APIs. The tool also leads to advancement in threat intelligence, which could be beneficial during product deployment. My company has an unlimited number of user versions. Basically, it does not depend on the number of users. It basically works on events per second. We already acquired unlimited EPS on our IBM QRadar. I rate the scalability an eight out of ten. We have two teams using the tool. If you talk about engineering, we have five to ten people on the engineering side who look after the administration. There are also twenty-four hours and seven weeks of managed SOC services catering to the needs of twenty people in each shift. We pursue the principle of following the sun, so you can say the managed SOC services are used in three shifts.

Which solution did I use previously and why did I switch?
My company is only using IBM.

How was the initial setup?
We didn't face any difficulty in the deployment process. The strategy we follow in the deployment is a phased approach. Initially, we deployed the workspace, and then we moved to routers and hardware-related things. In phase two, we start integrating the tool with business applications. The solution is deployed on an on-premises version. The solution can be installed for the initial configuration and settings in around three to four hours or five hours. Asset onboarding varies. Through assets, we integrate very quickly, like switches and data, with instances where no approval is required. Other typical assets are applications where we have to create certain views in order to fetch our logs. It all depends from application to application. Three or four people are required to install the tool. Actually, we have a team and deployed the tool with five people. Two people did installations, two people are supporting, and getting the required things or approvals would be done. You can say it is normally a team of five engineers. They actually take part in maintenance, too. Actually, we divided it into two phases, like team deployment and implementation. One has a team of engineers with whom we are involved with the deployment and installation. Another is the SOC team, which is responsible for monitoring logs on IBM Security QRadar.

What's my experience with pricing, setup cost, and licensing?
IBM solutions are always expensive, as IBM offers some industry-leading solutions, which is why we have implemented them. Now, locally developed and open-source solutions like Wazuh are available. Certain organizations are deploying the solutions. We receive no cost-benefit from IBM. It is an expensive solution, and we have to incur these costs. The tool's price is high. Our company faces pricing-related challenges with locally available products and other offerings like Splunk and Wazuh. In addition, there is a need to pay the tool's standard licensing fee. We outsource our SOC operations, so such expenses are in addition to the deployment.

Which other solutions did I evaluate?
After going through the different reviews over the internet, we found out that IBM is a leader, and we also did a study of the various banks in Pakistan and internationally to find what products they use. After comparing these banks, international banks, and locally made products, we decided to go for IBM.

What other advice do I have?
IBM Security QRadar enhances threat detection and incident response in our specific industry. The threat intelligence is somewhat different in Pakistan. We also have to deploy other open-source solutions and integrate them with the new system. We have IBM X-Force, and the solution provides threat intelligence releases for global incidents. Basically, we have CTM360, which helps with the threat intelligence part. We are actually using both with the solution. I think IBM X-Force complements our challenges, but it is not up to the mark we require. We have to collaborate with different solutions as well with CTM360. The tool's anomaly detection was useful with respect to application integration. We use a use case where we recently implemented the tool with respect to business applications where we define a rule set, and the system perfectly identifies and triggers an event against the rule set we define, so it is related to business applications.

Our use cases are related to the event. An incident was caused a couple of days ago due to the Log4j vulnerability. For such vulnerabilities, the use case will also be helpful. It is easy to integrate with different solutions or different databases like MySQL and Oracle. It has the edge over other solutions, like open-source solutions like Wazuh and Splunk, so IBM Security QRadar is very much refined with respect to these solutions. Regarding the tool's ability to maintain high-security standards, I rate it ten out of ten. So far, we haven't used any AI feature in the tool, or it may not be available in the version we use. Overall, I recommend the tool to others. We are currently recommending it to peer banks and peer colleagues who need to make a decision to buy a product. Maintenance is not required, but we regularly check the tool's health reports. If any event occurs monthly or quarterly, then we need to maintain it. Otherwise, no maintenance is required. I rate the tool an eight out of ten.

Which deployment model are you using for this solution?
On-premises

Disclaimer: I am a real user, and this review is based on my own experience and opinions.