News, news analysis, and commentary on the latest trends in cybersecurity technology.

CISOs Grapple With IBM's Unexpected Cybersecurity Software Exit

IBM's abrupt divestiture of QRadar SaaS underscores the consolidation of SIEM, XDR, and AI technologies into unified platforms.

Jeffrey Schwartz, Contributing Writer

May 17, 2024

6 Min Read
Source: Panther Media GmbH

IBM's surprise departure from cybersecurity software this week didn't just rearrange the competitive landscape — it also reshuffled the procurement plans and vendor relationships for many CISOs rebuilding their security operations centers (SOCs).

IBM has agreed to sell the QRadar SaaS portfolio to Palo Alto Networks for an undisclosed sum. After years of development, IBM started rolling out the QRadar Suite in 2023, a cloud-native set of shared endpoint security components, including multiple detection and response products (EDR, XDR, and MDR). It also introduced log management capabilities, notably security information and event management (SIEM) and security orchestration, automation, and response (SOAR) platforms.

In early 2024, IBM released QRadar SIEM and earlier this month rolled out an on-premises version based on Red Hat OpenShift. The plan included subsequent incremental releases of generative artificial intelligence (AI) with learning language models (LLMs) based on its new watsonx AI platform.  

The deal, which builds on a partnership between the two companies that was previously expanded late last year, is expected to close by the end of September. The pact also calls for IBM Consulting to become a "preferred managed security services provider" (MSSP) for existing and future Palo Alto Networks customers, with the two vendors sharing a joint SOC.

Palo Alto Networks said that organizations wishing to stick with on-premises installations of QRadar will continue to receive feature updates, critical bug fixes, and updates to existing connectors. It was not immediately clear how long that will be offered. 

Nevertheless, IBM's divestiture of its QRadar SaaS business is a stunning about-face. It follows IBM's ambitious plan to turbocharge its aging legacy QRadar offerings, including its widely deployed SIEM platform, with a cloud-native software-as-a-service (SaaS) suite.

Potential Confusion for Customers 

Now customers must determine whether they want to follow the newly announced chosen path, which calls for the migration of the QRadar legacy and SaaS suites to Palo Alto's Cortex XSIAM, or evaluate other options.

According to Omdia research, IBM's QRadar is the third largest next-generation SIEM provider based on revenue, behind Microsoft and Splunk (now part of Cisco).

"It's one of the most surprising moves I've seen in the enterprise cybersecurity space in many years," says Omdia managing principal analyst Eric Parizo.

Parizo says the move is especially surprising because IBM has invested millions of dollars and put extensive resources in the past three years into transforming QRadar into a cloud-native platform. IBM acquired QRadar, an on-premises SIEM, from Q1 Labs in 2011

"For IBM to then turn around and sell QRadar to Palo Alto Networks, seemingly with little to no warning for customers, is shocking and frankly not in line with the customer-centric ethos IBM is known for," Parizo says. "I would imagine there are many confused and frustrated QRadar customers [now] looking for answers."

CISOs face these decisions at a pivotal time. Major vendors and analysts have signaled SIEM, SOAR, and XDR coalescing into a unified SOC operations platform, led by cloud giants AWS, Microsoft, and Google, and large platform providers including CrowdStrike, Cisco, and Palo Alto Networks. 

Lending credence to that predicted consolidation, Exabeam and LogRhythm revealed their merger plans just hours before the IBM-Palo Alto Networks news became public. The combined company plans to integrate LogRhythm's legacy and new cloud-native SIEM technology with Exabeam's user and entity behavior analytics (UEBA) platform. 

"As a combined organization, we will continue to push the envelope of security operations innovation with solutions that bring AI, automation, SIEM, security analytics, and UEBA together to deliver a holistic approach to combating cyber threats," said Exabeam CEO Adam Geller, in a statement. 

"All legacy SIEM players are facing increasing competition from tech titans (aka hyperscalers) as well as XDR vendors that are aggressively positioning as SIEM alternatives," noted Forrester principal analyst Allie Mellen.

IBM may have been hinting at its ultimate strategy with last year's launch of the QRadar SaaS suite as a migration plan for its legacy SIEM and other cybersecurity offerings. At the time of the launch in November, IBM released a cloud-native upgrade of its SIEM, but the company still lacked a fully-fledged XDR offering, Mellen stated in a blog post.  

"Most of what they're providing is very, very EDR-focused," she said.

A Boost for Palo Alto

Analysts believe QRadar will benefit organizations that favor Palo Alto Networks, as it promises to boost its Cortex XSIAM SIEM offering. Mellen pointed out that Palo Alto Networks XSIAM has attracted customer interest because of its automation and MDR capabilities, plus it's bundled with its Cortex XDR offering. 

"However, getting to the scale of customers that legacy SIEM vendors and some of the bigger players have is a long road," Mellen wrote. Palo Alto Networks' acquisition of IBM's QRadar SaaS will accelerate that, she added.   

Palo Alto Networks said existing QRadar SaaS customers will be offered free migration paths to its Cortex XSIAM, which will be provided jointly by IBM and Palo Alto Networks. IBM, whose employees are not transitioning to Palo Alto Networks, said it will deploy over 1,000 security consultants to provide migration and deployment services.

Notably, Mellen emphasized that the free migration option will also be extended to "qualified" QRadar on-premises customers. She advised customers to determine whether they are qualified for those free migrations as soon as possible.

Dubious Future for QRadar SaaS

It remains to be seen what technology from QRadar SaaS will work its way into XSIAM and Cortex. Still, based on the announcement, said she Mellen believes the acquisition is about gaining the QRadar customer base. 

"PANW clearly does not have long-term plans for the QRadar SaaS offering," Mellen noted. "As soon as contractual obligations run out, existing QRadar SaaS customers need to embrace XSIAM or migrate to a different vendor."

Palo Alto Networks has been making a significant investment in Cortex XSIAM, its new SIEM offering released in early 2022, but doesn't believe it's on par with QRadar, Omdia's Parizo adds.

"While the solution has evolved quickly in the past two years, it is still relatively young and broadly less mature and less robust in terms of specific capabilities than IBM QRadar," Parizo says. "To me, it is not feasible to expect QRadar customers to migrate to XSIAM at any point in the next 12 to 24 months and receive an equivalent set of capabilities," particularly for threat detection, investigation, and response.

He adds: "Ultimately, I believe Palo Alto Networks will have to support QRadar customers on the existing solution for a longer period of time and significantly incentivize QRadar customers to migrate to XSIAM to overcome the challenges that will come with this current period of uncertainty."

Bringing watsonx AI to Cortex XSIAM

While Palo Alto Networks' intentions with the QRadar stack may be uncertain, the agreement does call for incorporating IBM's watsonx LLMs into Cortex XSIAM, which will provide its new Precision AI tools. 

"IBM has very good AI; they just don't have much market share," says Gartner distinguished analyst Avivah Litan. "Maybe this will help them."

About the Author

Jeffrey Schwartz

Contributing Writer

Jeffrey Schwartz is a journalist who has covered information security and all forms of business and enterprise IT, including client computing, data center and cloud infrastructure, and application development for more than 30 years. Jeff is a regular contributor to Channel Futures. Previously, he was editor-in-chief of Redmond magazine and contributed to its sister titles Redmond Channel Partner, Application Development Trends, and Virtualization Review. Earlier, he held editorial roles with CommunicationsWeek, InternetWeek, and VARBusiness. Jeff is based in the New York City suburb of Long Island.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like


More Insights