IBM Surrenders SIEM While PANW Tries To Gain Ground on Tech Titans
- By Allie Mellen, Jeff Pollard, and Joseph Blankenship, Forrester
- May 20, 2024
In a busy week for security information and event management (SIEM) vendors to be merged or divested, Palo Alto Networks (PANW) announced that it’s acquiring IBM’s QRadar software-as-a-service (SaaS) business and migrating those customers to its Cortex® XSIAM® platform. In addition, PANW gets QRadar intellectual property rights as part of the deal.
This makes IBM the second legacy SIEM player (the other being LogRhythm) this week to attach itself to a newer, more innovative vendor. These moves come on the heels of Cisco’s completed acquisition of Splunk. All legacy SIEM players are facing increasing competition from tech titans (aka hyperscalers) as well as extended detection and response (XDR) vendors that are aggressively positioning themselves as SIEM alternatives.
IBM Security is exiting the QRadar business …
IBM has sold QRadar for over a decade since its 2011 acquisition of Q1 Labs. It made QRadar the focal point of its security product portfolio — going so far as to rebrand its endpoint detection and response (EDR) and security orchestration, automation, and response (SOAR) acquisitions under the QRadar banner. However, the vendor has faltered in recent years as it attempted to shift the offering to the cloud. Customers were frustrated with a perceived lack of innovation from IBM Security, leading to its release of QRadar Log Insights and QRadar SIEM SaaS. Now, it's selling off its QRadar SaaS assets to Palo Alto Networks, the largest and most vital of which is QRadar SIEM.
PANW is a more recent addition to the SIEM game, announcing Cortex XSIAM, its security analytics platform, in early 2022. It quickly gained customer interest through its automation capabilities, its use as the platform for its managed detection and response (MDR) capability, and its bundling with Cortex XDR. However, getting to the scale of customers that legacy SIEM vendors and some of the more prominent players have is a long road. Its acquisition of QRadar SaaS assets is like finding a mushroom on the track in Mario Kart — it will speed things up a bit.
At its core, this acquisition is about the QRadar customer base. According to the announcement, current "qualified" QRadar SaaS customers will be provided a no-cost migration path to Cortex XSIAM by IBM and PANW. Not only that, but "qualified" QRadar on-prem customers will also be offered a no-cost migration option. PANW clearly does not have long-term plans for the QRadar SaaS offering, nor likely its brand name (though it will own that, too).
You don't need expertise in the occult to figure this out: As soon as contractual obligations run out, existing QRadar SaaS customers must embrace XSIAM or migrate to a different vendor. They should also find out if they qualify for the no-cost migration to Cortex XSIAM.
To any organization considering a QRadar purchase: Choose a different vendor or evaluate Cortex XSIAM and cut out the middleman. Current QRadar customers must rethink their approach to security operations (SecOps) and determine if Cortex XSIAM is the right path forward or if they should plan a transition to another vendor.
QRadar customers (especially on-premises customers) who just made a purchase or are in the implementation process can take some solace in the fact that sunsetting products typically takes time, so you have some breathing room. However, you must consider how quickly you can migrate to avoid the inherent technical debt of building on a product that will be on life support and eventually end-of-life.
… And it’s exiting security operations more broadly, too
IBM Security considers its EDR offering (its ReaQta acquisition), threat intelligence (IBM Security X-Force Threat Intelligence), QRadar SOAR, and Randori Recon to be QRadar SaaS assets, which means Palo Alto Networks will own those. Customers of any of those products should expect the same outcome as QRadar SIEM: migration to Palo Alto Networks products or to a different vendor.
Another once-prominent component of IBM's SecOps story, Watson, is almost a footnote in the announcement. As part of the partnership, PANW "intends to integrate watsonx large language models into Cortex XSIAM." Watson, as the first AI assistant for security, never delivered on its promise to change SecOps.
IBM basically becomes a Palo Alto Networks VAR
On the services front, PANW extends and expands its existing partnership with IBM. It's using IBM for deployment, implementation, and ongoing managed security services for QRadar SaaS until it can migrate customers to XSIAM. PANW features several large global systems integrators as partners. IBM is the only one that once owned a portion of its product portfolio, suggesting tighter ties to the company than the alternatives.
The partnership positions IBM as a PANW reseller and integration partner, where IBM will train 1,000 consultants on PANW products and take on nonstrategic deployment, implementation, and management work. In the short term, customers looking for PANW implementation work should consider more experienced providers as IBM consultants ramp up.
The rest of the announcement is partnership hype
The announcement goes on to describe a deeper partnership between IBM and Palo Alto Networks in areas including watsonx, a joint security operations center (with cyber ranges), DevSecOps, and other products and services.
For the most part, consider these opportunities for these two vendors to hype portions of their portfolios. Partnerships come and go and generally leave customers wanting, so don't expect big, transformative wins from the rest of the announcement for you or your security team.
Security analytics market changes will continue … still
In our previous blog, we predicted that the changes in the security analytics market weren’t over, and we were right faster than we knew.
The security analytics platform market will continue consolidating as XDR vendors aggressively push into the SIEM space with the goal of being the primary SecOps tooling. This is the biggest concession of an SIEM vendor to an XDR vendor so far and signals a sea change for the threat detection and response market. Security buyers may finally be getting the SIEM alternative they've been seeking for years.
The views and opinions expressed in this article are those of the author and do not necessarily reflect those of CDOTrends.
Allie Mellen, Jeff Pollard, and Joseph Blankenship, Forrester
Allie Mellen is Forrester’s principal analyst. She covers security operations, nation-state threats, and the use of automation, machine learning, and AI in security tools.
Jeff Pollard is Forrester’s vice president and principal analyst. He primarily contributes to Forrester's offerings for security and risk professionals.
Joseph Blankenship is Forrester’s research director. He supports security and risk (S&R) professionals, helping clients develop security strategies and make informed decisions to protect against cyberattacks.