In a busy week for security information and event management (SIEM) vendors to be merged or divested, Palo Alto Networks (PANW) announced that it’s acquiring IBM’s QRadar software-as-a-service (SaaS) business and migrating those customers to its Cortex® XSIAM® platform. In addition, PANW gets QRadar intellectual property rights as part of the deal.

This makes IBM the second legacy SIEM player (the other being LogRhythm) this week to attach itself to a newer, more innovative vendor. These moves come on the heels of Cisco’s completed acquisition of Splunk. All legacy SIEM players are facing increasing competition from tech titans (aka hyperscalers) as well as extended detection and response (XDR) vendors that are aggressively positioning as SIEM alternatives.

IBM Security Is Exiting The QRadar Business …

IBM has sold QRadar for well over a decade, since its 2011 acquisition of Q1 Labs. It made QRadar the focal point of its security product portfolio — going so far as to rebrand its endpoint detection and response (EDR) and security orchestration, automation, and response (SOAR) acquisitions under the QRadar banner. However, the vendor has faltered in recent years as it attempted to shift the offering to the cloud. Customers were frustrated with a perceived lack of innovation from IBM Security, leading to its release of QRadar Log Insights and QRadar SIEM SaaS. Now, it’s selling off its QRadar SaaS assets to Palo Alto Networks, the largest and most vital of which is QRadar SIEM.

PANW is a more recent addition to the SIEM game, announcing Cortex XSIAM, its security analytics platform, in early 2022. It quickly gained customer interest through its automation capabilities, its use as the platform for its managed detection and response (MDR) capability, and its bundling with Cortex XDR. However, getting to the scale of customers that legacy SIEM vendors and some of the bigger players have is a long road. Its acquisition of QRadar SaaS assets is like finding a mushroom on the track in Mario Kart — it’s going to speed things up a bit.

At its core, this acquisition is about the QRadar customer base. According to the announcement, current “qualified” QRadar SaaS customers will be provided a no-cost migration path to Cortex XSIAM by IBM and PANW. Not only that, but “qualified” QRadar on-prem customers will be offered no-cost migration option as well. PANW clearly does not have long-term plans for the QRadar SaaS offering, nor likely its brand name (though it will own that, too).

You don’t need expertise in the occult to figure this one out: As soon as contractual obligations run out, existing QRadar SaaS customers need to embrace XSIAM or migrate to a different vendor. They should also find out quickly if they are qualified for the no-cost migration to Cortex XSIAM.

To any organizations considering a QRadar purchase: Choose a different vendor or evaluate Cortex XSIAM and cut out the middleman. Current QRadar customers must rethink their approach to security operations (SecOps) and determine if Cortex XSIAM is the right path forward, or if they should plan a transition to another vendor.

QRadar customers (especially on-premises customers) that just made a purchase or are in the implementation process can take some solace in the fact that sunsetting products typically takes time, so you have some breathing room. You must consider, however, how quickly you can migrate to avoid the inherent technical debt of building on a product which will be on life support and eventually end-of-life.

… And It’s Exiting Security Operations More Broadly, Too

IBM Security considers its EDR offering (its ReaQta acquisition), threat intelligence (IBM Security X-Force Threat Intelligence), QRadar SOAR, and Randori Recon to be QRadar SaaS assets, which means Palo Alto Networks will own those as well. Customers of any of those products should expect the same outcome as QRadar SIEM: migration to Palo Alto Networks products or to a different vendor.

Another once-prominent component to IBM’s SecOps story, Watson, is almost a footnote in the announcement. As part of the partnership, PANW “intends to integrate watsonx large language models into Cortex XSIAM.” Watson, as the first AI assistant for security, never delivered on its promise to change SecOps.

IBM Basically Becomes A Palo Alto Networks VAR

On the services front, PANW extends and expands its existing partnership with IBM. It’s using IBM for deployment, implementation, and ongoing managed security services for QRadar SaaS until it can migrate customers to XSIAM. PANW features several of the large global systems integrators as partners, but IBM is the only one that once owned a portion of its product portfolio, suggesting tighter ties to the company than the alternatives.

The partnership positions IBM as a PANW reseller and integration partner, where IBM will train 1,000 consultants on PANW products and take on nonstrategic deployment, implementation, and management work. In the short term, customers looking for PANW implementation work should consider more experienced providers as IBM consultants ramp up.

The Rest Of The Announcement Is Partnership Hype

The announcement goes on to describe a deeper partnership between IBM and Palo Alto Networks in areas including watsonx, a joint security operations center (with cyber ranges), DevSecOps, and other products and services.

For the most part, consider these opportunities for these two vendors to hype portions of their portfolios. Partnerships come and go and generally leave customers wanting, so don’t expect big, transformative wins out of the rest of the announcement for you or your security team.

Security Analytics Market Changes Will Continue … Still

In our previous blog, we predicted that the changes in the security analytics market weren’t over, and we were right faster than we knew.

The security analytics platform market will continue consolidating as XDR vendors are aggressively pushing into the SIEM space with the goal of being the primary SecOps tooling. This is the biggest concession of a SIEM vendor to an XDR vendor so far and signals a sea change for the threat detection and response market. Security buyers may be finally getting the SIEM alternative they’ve been seeking for years.

Forrester clients can schedule an inquiry or guidance session with us to discuss their options with IBM and Palo Alto Networks moving forward.