Source: Panther Media GmbH

IBM's surprise departure from cybersecurity software this week didn’t just rearrange the competitive landscape — it also reshuffled the procurement plans and vendor relationships for many CISOs rebuilding their SOCs.

IBM has agreed to sell the QRadar SaaS portfolio to Palo Alto Networks for an undisclosed sum. After years of development, IBM started rolling out the QRadar Suite in 2023, a cloud-native set of shared endpoint security components, including multiple detection and response products (EDR, XDR, and MDR), along with log management capabilities, notably security information and event management (SIEM) and security orchestration, automation, and response (SOAR) platforms.

In early 2024, IBM released QRadar SIEM and earlier this month rolled out an on-premises version based on Red Hat OpenShift. The plan included subsequent incremental releases of generative AI with learning language models based on its new watsonx AI platform.  

The deal, which builds on a partnership between the two companies that was previously expanded in late 2023, is expected to close by the end of September. The pact also calls for IBM Consulting to become a "preferred managed security services provider (MSSP)" for existing and future Palo Alto Networks customers, with the two vendors sharing a joint security operations center (SOC).

Palo Alto Networks said that organizations wishing to stick with on-premises installations of QRadar will continue to receive feature updates, critical bug fixes, and updates to existing connectors. It was not immediately clear how long that will be offered. 

Nevertheless, IBM's divestiture of its QRadar SaaS business is a stunning about-face. It follows IBM’s ambitious plan to turbocharge its aging legacy QRadar offerings, including its widely deployed SIEM platform with a cloud-native SaaS suite.

Potential Confusion for Customers 

Now customers must determine if they want to follow the newly announced chosen path, which calls for the migration of the QRadar legacy and SaaS suites to Palo Alto's Cortex XSIAM, or evaluate other options.

According to Omdia research, IBM's QRadar is the third largest next-generation SIEM provider based on revenue, behind Microsoft, and Splunk (now part of Cisco). "It's one of the most surprising moves I've seen in the enterprise cybersecurity space in many years," says Omdia managing principal analyst Eric Parizo.

Parizo says the move is especially surprising because IBM has invested millions of dollars and put extensive resources in the last three years into transforming QRadar into a cloud-native platform. IBM acquired QRadar, an on-premises SIEM, from Q1 Labs in 2011. 

"For IBM to then turn around and sell QRadar to Palo Alto Networks, seemingly with little to no warning for customers, is shocking, and frankly not in line with the customer-centric ethos IBM is known for," Parizo says. "I would imagine there are many confused and frustrated QRadar customers [now] looking for answers."

CISOs face these decisions at a pivotal time. Major vendors and analysts have signaled SIEM, SOAR, and XDR coalescing into a unified SOC operations platform, led by cloud giants AWS, Microsoft, and Google, and large platform providers including CrowdStrike, Cisco, and Palo Alto Networks. 

Lending credence to that predicted consolidation, Exabeam and LogRhythm revealed their merger plans just hours before the IBM-Palo Alto Networks news became public. The combined company plans to integrate LogRhythm's legacy and new cloud-native SIEM technology with Exabeam's user and entity behavior analytics (UEBA) platform. 

"As a combined organization, we will continue to push the envelope of security operations innovation with solutions that bring AI, automation, SIEM, security analytics, and UEBA together to deliver a holistic approach to combating cyber threats," Exabeam CEO Adam Geller, said in a statement. 

"All legacy SIEM players are facing increasing competition from tech titans (aka hyperscalers) as well as XDR vendors that are aggressively positioning as SIEM alternatives," notes Forrester principal analyst Allie Mellen.

IBM may have been hinting at its ultimate strategy with last year's launch of the QRadar SaaS suite as a migration plan for its legacy SIEM and other cybersecurity offerings. At the time of the launch in November, IBM released a cloud-native upgrade of its SIEM, but the company still lacked a fully-fledged XDR offering, Mellen notes.  "Most of what they're providing is very, very EDR-focused," she says.

A Boost for Palo Alto

Analysts believe QRadar will benefit organizations that favor Palo Alto Networks, as it promises to boost its Cortex XSIAM SIEM offering. Mellen points out that Palo Alto Networks XSIAM has attracted customer interest because of its automation and MDR capabilities, plus it’s bundled with its Cortex XDR offering. 

"However, getting to the scale of customers that legacy SIEM vendors and some of the bigger players have is a long road," Mellen says. Palo Alto Networks' acquisition of IBM's QRadar SaaS will accelerate that, she added.   

Palo Alto Networks said existing QRadar SaaS customers will be offered free migration paths to its Cortex XSIAM, which will be provided jointly by IBM and Palo Alto Networks. IBM, whose employees are not transitioning to Palo Alto Networks, said it will deploy over 1,000 security consultants to provide migration and deployment services.

Notably, Mellen emphasizes that the free migration option will also be extended to "qualified" QRadar on-premises customers. She advises customers to determine if they are qualified for those free migrations as soon as possible.

Dubious Future for QRadar SaaS

It remains to be seen what technology from QRadar SaaS will work its way into XSIAM and Cortex. Still, based on the announcement, Mellen believes the acquisition is about gaining the QRadar customer base. 

"PANW clearly does not have long-term plans for the QRadar SaaS offering," Mellen notes. "As soon as contractual obligations run out, existing QRadar SaaS customers need to embrace XSIAM or migrate to a different vendor."

Omdia's Parizo adds that Palo Alto Networks has been making a significant investment in Cortex XSIAM, its new SIEM offering released in early 2022, but doesn't believe it's on par with QRadar. "While the solution has evolved quickly in the past two years, it is still relatively young and broadly less mature and less robust in terms of specific capabilities than IBM QRadar," Parizo says.

"To me, it is not feasible to expect QRadar customers to migrate to XSIAM at any point in the next 12-24 months and receive an equivalent set of capabilities," particularly for threat detection, investigation, and response, he adds. "Ultimately, I believe Palo Alto Networks will have to support QRadar customers on the existing solution for a longer period of time and significantly incentivize QRadar customers to migrate to XSIAM to overcome the challenges that will come with this current period of uncertainty."

Bringing watsonx AI to Cortex SXIAM

While Palo Alto Networks' intentions with the QRadar stack may be uncertain, the agreement does call for incorporating IBM's watsonx large language models into Cortex XSIAM, which will provide its new Precision AI tools. 

"IBM has very good AI; they just don't have much market share," says Gartner distinguished analyst Avivah Litan. "Maybe this will help them."