IBM's QRadar core product is recognized by multiple analyst firms, including Gartner, Forrester, and Aberdeen, as a leadership technology. Gartner considers QRadar more suited to midsize and large enterprises that require core SIEM capabilities, in addition to those looking for a unified platform that covers a wide range of security monitoring and operational technologies. It scores high marks for advanced analytics and user-based monitoring. However, implementation complexity and the need to license additional components for full functionality may limit its value to SMEs or companies lacking internal security expertise.
QRadar launched its core security analytics product in 2005, and Q1 Labs was acquired by IBM in 2011. IBM has continued to invest in the product line.
IBM Security QRadar offers SIEM, security intelligence and security analytics. By chaining together multiple security events into known patterns of malicious behaviors, QRadar can pinpoint network breaches, data exfiltrations and anomalies occurring on an organization's network. This core capability is richly supported by vulnerability management, network forensics tools, and an integrated incident response solution in the same workbench.https://o1.qnsr.com/log/p.gif?;n=203;c=204660768;s=9477;x=7936;f=201812281316470;u=j;z=TIMESTAMP;a=20392955;e=i
Recently added features include:
- Opening up the platform to integrate with third-party vendor applications
- QRadar Data Store with unlimited logging at a fixed price per appliance
- Domain Name Server Analyzer for the detection of Domain Generating Algorithms (DGA), Tunneling and Squatting, which can hide this malicious behavior
- Sysmon Content Pack to integrate with all the Windows Sysmon Events
- QRadar Cloud Visibility to better secure resources in Amazon Web Services, Microsoft Azure and IBM Cloud environments
- QRadar Network Insights to detect phishing, insider threats, data exfiltration and malware activity by analyzing network packet data as it traverses the network
- QRadar User Behavior Analytics to address insider threats
QRadar SIEM Features Rated
Threats blocked: Very good. QRadar provides the ability to detect an unlimited number of threats of all types. It integrates with a wide range of network, endpoint and database security solutions to enable threats to be quickly and automatically blocked when detected.
Sources ingested: Very good. QRadar supports over 500 modules for ingesting data and uses automation to sense sources of security log data and discover new network flow traffic associated with new assets appearing on the network. It also includes netflow, jflow, sflow, and packet capture.
Throughput: Best. Event Per Second (EPS) collection and processing rates for QRadar are not uncommon in the 50,000+ range, with some deployments running at rates in the 100,000+ and others in excess of 1.5 million EPS. QRadar can process over 3 million Flows Per Minute on a single appliance.
Value: Very good. A Forrester Research study found QRadar provided:
- 75% improvement in the quality of threat detection and time to detection
- 75% improvement in incident response times due to the ability to see all related data in one place
- 50% efficiency gains in investigations and compliance reporting
- 35% ROI (Benefits of $14.1 million over three years versus costs of $10.5 million, adding up to an ROI of 35%)
Implementation: Good. The current average deployment time for QRadar on Cloud, including setting rule and initial tuning, is 30 days. Ponemon Institute said QRadar customers are able to deploy their solutions in 1/3 the time of competitive SIEM solutions. Customer feedback on the QRadar architecture is generally positive, but for buyers requiring a multicomponent-based architecture, the number of licensable components and options required can generate confusion in the and buying process.
Management: Very good – but requires expertise. One financial industry security manager said, "a solid team of SOC specialists is needed to translate the knowledge of the environment, application landscape, network and specific use cases to really make it effective."
- Centralized, web-accessible management from the main QRadar interface
- Integration with standardized identity platforms for authentication and authorization such as LDAP, AD, Radius, TACACS, and more
- Data archive/backup management as well as user-defined retention of data based on comprehensive filtering
- Real-time status and monitoring of all data sources, with alerting/notifications on data feed loss
Support: Very good. One security engineer called it "pricey but best-of-breed." Gartner noted that there is widespread availability of managed service support for on-premises QRadar deployments from third parties (and from IBM for large accounts), and QRadar is also available in a hosted SIEM model.
Scalability: Very good.
- One appliance supports 300+ servers
- Several large customers have deployments with 150 to 200 managed hosts collecting from data points worldwide
- Many accounts have over more than 300 authorized users
Markets and Use Cases
QRadar sees more traction in mid-sized to large organizations that are most likely to have a wealth of valuable data that cybercriminals can exploit on an open marketplace. This includes financial, government and healthcare verticals, but also manufacturers possessing intellectual property, utilities supporting critical infrastructures, communications and transportation companies seeking to preserve business continuity, and retail establishments. In addition, its multi-tenanted design enables Managed Security Service Providers (MSSPs) to run and manage the solution on behalf of their customers. QRadar on Cloud, IBM's SaaS offering, is used by small to medium organizations.
Common Criteria, ISO 27001, GLBA, GSX-Memo-2, FISMA, GPG - 13, Garante, ARJEL, HIPPA, CoCo, NERC, PCI DSS, SOX, NIST, GPG13, ISO 27001, SANS Top 20, NIST, GDPR, FIPS 140-2 Levels 1 and 2, DHS CDM.
Cloud (BYOL for AWS and Azure), SaaS (QRadar on Cloud), on-premises hardware, software, virtual machine. The on-premises solution can be implemented on IBM-provided hardware appliances, third-party appliances, cloud-hosted instances, and virtual appliances. In All-in-One instances, a single appliance or VM serves the purpose of event/flow collector, event/flow processor and console (UI). In distributed environments, users can deploy as many collectors/processors as they choose.
IBM QRadar (on-premises) starts at $10,700, including 12 months of support. IBM QRadar on Cloud (SaaS) starts at $800 U.S. per month, on an annual term.
For more analysis of IBM QRadar, see IBM QRadar vs Splunk: Top SIEM Solutions Compared and ArcSight vs IBM QRadar: Top SIEM Solutions Compared.