Educause Security Discussion mailing list archives

Re: QRadar


From: John Ramsey <jramsey () STUDENTCLEARINGHOUSE ORG>
Date: Fri, 24 Aug 2018 13:45:42 +0000

We have been a pretty extensive QRadar shop for about 5 years now. We're pretty satisfied, and it's a top-of-the-line SIEM.
Like any SIEM though, there is some TLC required to ensure you're pulling in the correct logs and tweaking alerts where
necessary.

John

John Ramsey, Chief Information Security Officer, National Student Clearinghouse
Certified:  CISSP, CISM, PMP, CSSLP, CRISC, CGEIT
2300 Dulles Station Blvd., Suite 220, Herndon, VA 20171
P: 703.742.4428  |  http://www.studentclearinghouse.org/
Read the Clearinghouse Today Blog: https://nscblog.org/

Winner “2016 When Work Works” & “Excellence in Work-Life Balance”

From: The EDUCAUSE Security Constituent Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> On Behalf Of Scott Stoops
Sent: Friday, August 24, 2018 9:43 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] QRadar

We recently completed a PoC of QRadar. Our intent is to purchase it as soon as we can reasonably arrange the budget. 
Things that affected our decisions:

1) It is a single interface. All configuration and interaction is through that single interface.
2) Initial set up was easy. Out of the box it is fairly chatty in terms of the information it presents. We anticipate 
that the actual tuning will take us quite some time.
3) The rules are very similar in concept to firewall rules. The logic for rules can be quite complex but each statement 
is straightforward.
4) The product can handle most of the common log formats out of the box. There are add-ons available to integrate with 
various other security products.
5) It is fairly extensible through its application marketplace.
6) We were able to work extensively with an engineer during the PoC to make sure that we could see the value in the 
product. During that time they assisted us with examining incidents and determining ways to handle them.

We are a small shop and don't have the resources to devote a full-time person to monitoring a SIEM. QRadar looks like
the kind of product that would allow us to see value from it without full-time eyes on the product.
--------------------------------------------------------------------------------------------------
Scott Stoops
Security Analyst II
Office of Information Technology | 100 Patterson Technology Center
Ashland, OH 44805
(w) 419-289-5405
sstoops () ashland edu
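The firewall-style rule model described in the post above (an ordered rule base where each statement is a straightforward test, combined into more complex logic, plus an out-of-the-box configuration that is chatty until tuned) is shown below as an added toy correlation engine in Python. This is illustrative code written for this archive page, not QRadar's rule engine or any vendor code; the sshd-style log lines are constructed samples, and the rule names, thresholds, windows and the trusted network range are assumptions chosen for the example.

```python
"""Toy SIEM correlation engine: an ordered list of rules, each with one simple
test and an action, evaluated per event.  Illustrative code for this page only;
not QRadar's Custom Rules Engine and not vendor code."""
import ipaddress
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime
from typing import Callable, Dict, List

# Constructed sshd-style auth log lines (sample data for the example, not real events).
SAMPLE_LOGS = """\
Aug 24 09:01:01 bastion sshd[1001]: Failed password for invalid user admin from 203.0.113.10 port 51000 ssh2
Aug 24 09:01:03 bastion sshd[1002]: Failed password for invalid user admin from 203.0.113.10 port 51001 ssh2
Aug 24 09:01:05 bastion sshd[1003]: Failed password for root from 203.0.113.10 port 51002 ssh2
Aug 24 09:01:07 bastion sshd[1004]: Failed password for root from 203.0.113.10 port 51003 ssh2
Aug 24 09:01:09 bastion sshd[1005]: Failed password for root from 203.0.113.10 port 51004 ssh2
Aug 24 09:01:20 bastion sshd[1006]: Accepted password for root from 203.0.113.10 port 51005 ssh2
Aug 24 09:02:00 bastion sshd[1007]: Failed password for alice from 10.0.0.5 port 40000 ssh2
Aug 24 09:02:30 bastion sshd[1008]: Accepted publickey for alice from 10.0.0.5 port 40001 ssh2
Aug 24 09:05:00 bastion sshd[1009]: Failed password for bob from 192.0.2.77 port 42000 ssh2
"""

LOG_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<outcome>Accepted|Failed) (?:password|publickey) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<src>\S+) port \d+"
)


@dataclass(frozen=True)
class Event:
    ts: datetime
    host: str
    user: str
    src: str
    outcome: str  # "Accepted" or "Failed"


@dataclass(frozen=True)
class Offense:
    rule: str
    severity: int
    src: str
    user: str
    ts: datetime


def parse_events(text: str, year: int = 2018) -> List[Event]:
    """Normalise raw syslog lines into events; unparsed lines are skipped here
    (a real SIEM would count them so that a broken log source is noticed)."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append(Event(ts, m["host"], m["user"], m["src"], m["outcome"]))
    return events


class State:
    """Per-source failure history that rule tests may consult (read-only)."""

    def __init__(self) -> None:
        self.failures: Dict[str, List[datetime]] = defaultdict(list)

    def recent_failures(self, src: str, now: datetime, window_s: int) -> int:
        """Number of failed logins from src in the last window_s seconds."""
        return sum(1 for t in self.failures.get(src, ())
                   if 0 <= (now - t).total_seconds() <= window_s)


@dataclass(frozen=True)
class Rule:
    name: str
    test: Callable[[Event, State], bool]  # one straightforward test, like a firewall match
    action: str                           # "offense" records one; "drop" stops evaluating this event
    severity: int = 0


def run(events: List[Event], rules: List[Rule]) -> List[Offense]:
    """Evaluate the ordered rule base against each event, in event order."""
    state, offenses = State(), []
    for ev in events:
        if ev.outcome == "Failed":
            state.failures[ev.src].append(ev.ts)
        for rule in rules:  # ordered, like a firewall rule base: first "drop" wins
            if not rule.test(ev, state):
                continue
            if rule.action == "drop":
                break
            # A real engine would fold repeat hits into one offense; kept simple here.
            offenses.append(Offense(rule.name, rule.severity, ev.src, ev.user, ev.ts))
    return offenses


# Assumed trusted range for the tuning example (e.g. a jump host or scanner subnet).
TRUSTED_NETS = [ipaddress.ip_network("10.0.0.0/8")]


def from_trusted(ev: Event, st: State) -> bool:
    return any(ipaddress.ip_address(ev.src) in n for n in TRUSTED_NETS)


# "Out of the box" style: one offense per failed login.  Correct, but chatty.
UNTUNED_RULES = [
    Rule("failed_login", lambda ev, st: ev.outcome == "Failed", "offense", severity=3),
]

# Tuned rule base: suppress trusted sources first, then threshold-based detections.
TUNED_RULES = [
    Rule("trusted_source", from_trusted, "drop"),
    Rule("brute_force",
         lambda ev, st: ev.outcome == "Failed" and st.recent_failures(ev.src, ev.ts, 60) >= 5,
         "offense", severity=7),
    Rule("brute_then_success",
         lambda ev, st: ev.outcome == "Accepted" and st.recent_failures(ev.src, ev.ts, 300) >= 5,
         "offense", severity=9),
]

if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOGS)
    for label, rules in (("untuned", UNTUNED_RULES), ("tuned", TUNED_RULES)):
        offs = run(evs, rules)
        print(f"{label}: {len(offs)} offenses")
        for o in offs:
            print(f"  sev={o.severity} {o.rule} src={o.src} user={o.user} at {o.ts:%H:%M:%S}")
```

Run as a script, the untuned rule base raises seven offenses from nine sample lines, one per failed login, while the tuned base raises two, both against 203.0.113.10: the threshold rule fires on the fifth failure inside the 60-second window, and the higher-severity rule fires when that source then logs in successfully. Rule order carries meaning exactly as in a firewall: moving the "drop" rule below the detections would silently stop the suppression from working.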



On Fri, Aug 24, 2018 at 9:01 AM Walzer, Jeff R <walzer () pitt edu<mailto:walzer () pitt edu>> wrote:
We are looking at QRadar and was looking for any feedback from any schools that have deployed it. Pros/cons, good/bad, 
etc.

Thx
---------------------------------------------------------------------------
Jeff Walzer
Senior Security Analyst
Computing Services and Systems Development (CSSD)
University of Pittsburgh
315 S. Bellefield Ave., Rm 403
PGH, PA 15260
---------------------------------------------------------------------------

