IBM's unexpected departure from cybersecurity software this week not only reshuffled the competitive landscape but also disrupted the procurement plans and vendor relationships for many Chief Information Security Officers (CISOs) rebuilding their Security Operations Centers (SOCs).

The Deal: QRadar SaaS Portfolio to Palo Alto Networks

IBM has agreed to sell its QRadar SaaS portfolio to Palo Alto Networks for an undisclosed sum. After years of development, IBM began rolling out the QRadar Suite in 2023. This cloud-native set of shared endpoint security components includes various detection and response products (EDR, XDR, and MDR) and log management capabilities, notably security information and event management (SIEM) and security orchestration, automation, and response (SOAR) platforms.

In early 2024, IBM released QRadar SIEM, followed by an on-premises version based on Red Hat OpenShift earlier this month. The plan included subsequent incremental releases of generative artificial intelligence (AI) with learning language models (LLMs) based on its new Watsonx AI platform.

The deal, expected to close by the end of September, also designates IBM Consulting as a "preferred managed security services provider" (MSSP) for existing and future Palo Alto Networks customers. Both vendors share a joint SOC.

Customer Impact and Confusion

Organizations opting to stick with on-premises QRadar installations will continue receiving feature updates, critical bug fixes, and updates to existing connectors. However, the duration of this support remains to be determined. IBM's divestiture of its QRadar SaaS business represents a significant reversal, especially given its recent efforts to enhance its aging legacy QRadar offerings with a cloud-native SaaS suite.

Customers must now decide whether to migrate their QRadar legacy and SaaS suites to Palo Alto's Cortex XSIAM or explore other options. According to Omdia research, IBM's QRadar is the third largest next-generation SIEM provider based on revenue, behind Microsoft and Splunk (now part of Cisco).

Analyst Reactions

Omdia's managing principal analyst, Eric Parizo, described the move as one of the most surprising in the enterprise cybersecurity space. He noted that IBM had invested millions of dollars and extensive resources over the past three years to transform QRadar into a cloud-native platform.

"For IBM to turn around and sell QRadar to Palo Alto Networks, seemingly with little to no warning for customers, is shocking and frankly not in line with the customer-centric ethos IBM is known for," Parizo said. "I imagine many confused and frustrated QRadar customers are now looking for answers."

Consolidation in the Cybersecurity Market

CISOs face these decisions at a pivotal time. Major vendors and analysts have signaled that SIEM, SOAR, and XDR are coalescing into a unified SOC operations platform led by cloud giants AWS, Microsoft, and Google and large platform providers like CrowdStrike, Cisco, and Palo Alto Networks.

Lending credence to this predicted consolidation, Exabeam, and LogRhythm announced their merger plans just hours before the IBM-Palo Alto Networks news. The company plans to integrate LogRhythm's legacy and new cloud-native SIEM technology with Exabeam's user and entity behavior analytics (UEBA) platform.

Benefits for Palo Alto Networks

Analysts believe QRadar will benefit organizations that favor Palo Alto Networks, promising to boost its Cortex XSIAM SIEM offering. Forrester principal analyst Allie Mellen pointed out that Palo Alto Networks XSIAM has attracted customer interest due to its automation and MDR capabilities, bundled with its Cortex XDR offering.

"However, getting to the scale of customers that legacy SIEM vendors and some of the bigger players have is a long road," Mellen wrote. Palo Alto Networks' acquisition of IBM's QRadar SaaS will accelerate that process.

IBM and Palo Alto Networks will jointly offer existing QRadar SaaS customers free migration paths to Cortex XSIAM. IBM will deploy over 1,000 security consultants to assist with migration and deployment services. Free migration options will also be extended to "qualified" QRadar on-premises customers.

The Future of QRadar SaaS

The long-term plans for QRadar SaaS within Palo Alto Networks still need to be determined. Mellen believes the acquisition is primarily about gaining the QRadar customer base. "PANW does not have long-term plans for the QRadar SaaS offering," she noted. As contractual obligations expire, existing QRadar SaaS customers must embrace XSIAM or migrate to a different vendor.

Palo Alto Networks has been investing significantly in Cortex XSIAM, its new SIEM offering released in early 2022. However, Omdia's Parizo adds that while the solution has evolved quickly, it still needs to be more mature and robust than IBM QRadar regarding specific capabilities, particularly for threat detection, investigation, and response.

Bringing Watson AI to Cortex XSIAM

The agreement also includes incorporating IBM's Watson LLMs into Cortex XSIAM and providing new Precision AI tools. "IBM has very good AI; they just don't have much market share," says Gartner distinguished analyst Avivah Litan. This may help them.

Conclusion

The integration of AI in cybersecurity significantly enhances the capabilities of a SOC, providing valuable tools for data analysis, threat detection, and initial response. However, more than AI is needed to replace the need for skilled human analysts and responders. Combining AI and a dedicated SOC team ensures comprehensive, adaptive, and effective security management. By leveraging the strengths of both AI and human expertise, organizations can better navigate the complex and ever-evolving cybersecurity landscape.

This is where CyberSecOp's SOC team excels. CyberSecOp offers a highly skilled team of cybersecurity professionals adept at utilizing the latest AI tools and technologies. We provide continuous monitoring, proactive threat hunting, and tailored incident response strategies to protect your organization. With CyberSecOp's SOC team, you gain the advantage of our extensive experience and deep understanding of cybersecurity, ensuring your organization remains resilient against current and emerging threats. Our commitment to excellence in security management and compliance helps safeguard your assets and maintain operational integrity in an increasingly hostile digital environment.