IBM Security QRadar is a purpose-built security platform that uses analytics, machine learning models and correlation rules to prioritize security issues without significant overhead and effort. This SIEM helps organizations modernize their security frameworks, offsets some of the effects of the global security skills shortage, and supports data privacy and regulatory compliance requirements.
Data ingestion is straightforward. Analysts select a log source type and a protocol and then configure the log source and protocol parameters. They can also add flow sources, and the REST API supports integration with a variety of technologies, including in-house applications, vulnerability scanners and more.
QRadar detects threats accurately and efficiently to minimize the risk of exposure and business disruption. IBM lets subscribers layer QRadar into their existing environments, applying the appropriate analytics to the data that matters most. The platform maps its detection content to the MITRE ATT&CK framework, with more than 800 rules driving detection.
Several pre-built dashboards, with many configurable widgets, are available out of the box. At first glance, the pre-built dashboards look outdated and do not compare well against some of the other products in this space. They show general log and network activity, including real-time information, based on the configured network flows. Security teams can search and filter these activity streams, and a free UEBA app adds end-user details to a dashboard. Analysts also have the option to create and customize their own dashboards.
Alert fatigue is a common problem with SIEM technologies, and IBM Security QRadar has an alert prioritization model that reduces this noise and cuts down on false positives. Analysts can open an investigation into an offense directly from the offenses page. They can use the out-of-the-box offense criteria or define their own. Analysts can drill down into an offense for more information, and QRadar chains multiple correlated events together into a single offense whenever possible.
Watson, IBM's machine learning module, optimizes these investigations. Watson triages alerts and assigns each a priority level based on potential impact and asset relevance. Security analysts can agree or disagree with Watson's triage and priority assertions, which helps it learn and become more accurate. Over time, Watson learns from the actions of security teams and generates dispositions based on the action it anticipates an analyst would take on an alert and why. Based on this information, Watson triggers automated playbooks to respond to alerts, although analysts can always intervene manually.
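The two paragraphs above describe offense chaining and prioritization by potential impact and asset relevance, but not how such a model is computed. The following is an illustrative model added by the editor for this review; it is not IBM's or QRadar's own magnitude calculation and makes no claim about Watson's internals. The sample events, the asset weights, and the function names (correlate, score, triage) are all constructed for the example: events from one source IP within a time window are chained into one offense, the offense is scored by worst severity, multi-rule chaining, and the weight of the targeted asset, and anything below a threshold is held back as noise.

```python
from dataclasses import dataclass, field

# Constructed sample events, not real QRadar output. Each carries the fields a
# correlation rule would key on: timestamp (seconds), source, target, the rule
# that fired and that rule's severity on a 0-10 scale.
SAMPLE_EVENTS = [
    {"ts": 1, "src": "10.0.0.5", "dst": "10.0.1.20", "rule": "Multiple Login Failures", "severity": 5},
    {"ts": 2, "src": "10.0.0.5", "dst": "10.0.1.20", "rule": "Successful Login After Failures", "severity": 7},
    {"ts": 3, "src": "10.0.0.5", "dst": "10.0.1.20", "rule": "Privilege Escalation", "severity": 9},
    {"ts": 4, "src": "10.0.0.9", "dst": "10.0.2.50", "rule": "Port Scan", "severity": 3},
    {"ts": 5, "src": "10.0.0.9", "dst": "10.0.2.51", "rule": "Port Scan", "severity": 3},
    {"ts": 6, "src": "172.16.0.3", "dst": "10.0.1.20", "rule": "Multiple Login Failures", "severity": 5},
]

# Hypothetical asset weights standing in for "asset relevance":
# 1.0 for a crown-jewel host, lower for less important ones.
ASSET_WEIGHT = {"10.0.1.20": 1.0, "10.0.2.50": 0.4, "10.0.2.51": 0.4}
UNKNOWN_ASSET_WEIGHT = 0.5  # assumed default for hosts not in the asset model


@dataclass
class Offense:
    source: str
    events: list = field(default_factory=list)
    rules: set = field(default_factory=set)
    targets: set = field(default_factory=set)
    priority: float = 0.0


def correlate(events, window=10):
    """Chain events from one source IP into a single offense. A gap longer
    than `window` seconds since that source's last event starts a new one."""
    offenses, active = [], {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        off = active.get(ev["src"])
        if off is None or ev["ts"] - off.events[-1]["ts"] > window:
            off = Offense(source=ev["src"])
            offenses.append(off)
            active[ev["src"]] = off
        off.events.append(ev)
        off.rules.add(ev["rule"])
        off.targets.add(ev["dst"])
    return offenses


def score(off):
    """Priority = potential impact x asset relevance, capped at 10.
    Impact is the worst severity in the chain plus a bonus (up to 3) for each
    additional distinct rule, since a multi-stage chain (failures, then a
    success, then escalation) is more concerning than one rule repeating."""
    impact = max(e["severity"] for e in off.events) + min(len(off.rules) - 1, 3)
    relevance = max(ASSET_WEIGHT.get(t, UNKNOWN_ASSET_WEIGHT) for t in off.targets)
    return round(min(10.0, impact * relevance), 2)


def triage(events, threshold=2.0):
    """Return (escalated, suppressed) offenses, each sorted by priority.
    Offenses below `threshold` are held back from the analyst queue."""
    offenses = correlate(events)
    for off in offenses:
        off.priority = score(off)
    offenses.sort(key=lambda o: o.priority, reverse=True)
    escalated = [o for o in offenses if o.priority >= threshold]
    suppressed = [o for o in offenses if o.priority < threshold]
    return escalated, suppressed


if __name__ == "__main__":
    esc, sup = triage(SAMPLE_EVENTS)
    for o in esc:
        print(f"ESCALATE {o.source} priority={o.priority} rules={sorted(o.rules)}")
    for o in sup:
        print(f"suppress {o.source} priority={o.priority} events={len(o.events)}")
```

On the constructed input, the three-stage chain against the crown-jewel host scores 10.0, the single login-failure burst against the same host scores 5.0, and the two-target port scan against low-value hosts scores 1.2 and is suppressed. The point a practitioner should take from it is that the ordering is driven by asset relevance and chaining, not by raw event volume: the noisiest source ends up at the bottom.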
IBM Security QRadar is a highly scalable SIEM with extensive automation and out-of-the-box content. Watson prioritizes alerts quickly, supplying its augmented intelligence to security teams and relieving some of their workload. This added efficiency improves detection accuracy and reduces response times. Although the look and feel of the product is outdated, the automation Watson provides makes threat management considerably more efficient.
Pricing starts at $11,000 and includes 24/7 phone, email and website support. Customers also have access to a knowledge base and an FAQ list. Additional support options are available for a fee.
Tested by: Matthew Hreben