For devoted customers of IBM Security’s QRadar cybersecurity product line, it was a bit of a seismic shock when Palo Alto Networks recently announced that it was buying the QRadar unit from IBM and changing how customers will get their QRadar services and support.
The May 15 deal came as a surprise because IBM has historically been active in improving and developing the QRadar product line, including a November 2023 announcement that it was retooling its QRadar security information and event management (SIEM) system to help users scale their hybrid cloud and artificial intelligence (AI) workloads.
That announcement also included plans from IBM to integrate generative AI capabilities within its QRadar threat detection and response products by tying in its watsonx data and AI platform. And in April 2023 IBM had announced the launch of its then-new IBM Security QRadar Suite, which was built to streamline security analyst experiences across the full incident lifecycle.
But now IBM is changing that earlier strategy by selling its SaaS-based QRadar line to Palo Alto Networks and moving to work with Palo Alto to provide AI-powered security consulting services to customers in the future, according to the companies.
Big Decisions Ahead for QRadar Customers
For customers the big questions are about how the deal will affect their use of the QRadar services. Will some IBM QRadar customers be angry about the changes and move their business from Palo Alto and IBM to work directly with MSPs and MSSPs to get their cybersecurity needs met?
The changes under the deal are significant. The biggest is that the companies' plan to migrate IBM QRadar SaaS customers over to Palo Alto’s own Cortex extended security intelligence and automation management (XSIAM) security operations center (SOC) platform to get their future SaaS managed security services.
But not every IBM QRadar customer will have to migrate. Under the deal, QRadar customers who use it on-premises and who want to continue the on-premises approach will continue to receive IBM features, support, and updates. An incentive will be available, however, for eligible customers to receive no-cost migration services for QRadar SaaS and on-prem clients who do migrate over to Cortex XSIAM, the companies said.
The coming QRadar sale to Palo Alto, which is expected to close by the end of September 2024, means that customers, MSSPs and MSPs must brace for all these impacts, two analysts told MSSP Alert.
Allie Mellen, an analyst with Forrester Research, characterized the sale to Palo Alto as a surprise for customers, who will now have to figure out what will do in the future, depending on their requirements. For customers, these evaluations will not be easy or quick, she said.
“QRadar SaaS customers should prepare to migrate to another vendor, whether it is Palo Alto [and its incentives for no-cost migration], or to a different vendor that is a better fit for their use case,” Mellen said. “This is a fundamental and unfortunate shift for these customers, as SIEM migration is no small task. Customers need to prepare for this transition as soon as possible. The customers currently using QRadar SaaS assets will be the most affected by this transition in the short term.”
For IBM, the deal may be beneficial in the long term, especially as it focuses on hybrid multi-cloud and AI.
“QRadar — while a massive part of IBMs security portfolio — has become less of a natural fit for the direction of the business,” Mellen said.
Another analyst, Jonathan Ong of Omdia, agreed that regardless of what existing QRadar customers decide to do individually in the future, every one of them will have to prepare for a migration project sooner or later.
“All of IBM’s QRadar clients will need to evaluate the compatibility of Palo Alto’s offerings with their current infrastructure and security needs,” Ong said. “IBM and Palo Alto’s concerted effort to retain clients through the provision of consultants and the no-charge migration initiatives will help smoothen it to a certain extent. However, Palo Alto’s current migration-centric messaging may be less appealing to IBM’s clients, which may not feel their needs being addressed.”
Ong said he was also surprised by the deal given how much IBM has been investing in QRadar over the past few years.
“As an IBM Security executive mentioned, it is becoming increasingly competitive with the rise of hyperscalers and large pure-play cybersecurity firms,” he said. “From Palo Alto’s perspective, they made a big bet on ‘platformization’ which saw their stock drop more than 25% in February 2024. They need to make sure it pays off, and this acquisition is a move in that direction.”
IBM has certainly made moves like this before, as it did with its 2021 spinoff of its Kyndryl consulting business to focus on cloud and AI across consulting and management.
“In the short term, it is likely to ensure a smooth transition and retain most of the customers between IBM and Palo Alto,” Ong said. “In the long term, IBM and Palo Alto seem to be forging deeper ties with IBM as Palo Alto’s preferred MSSP partner and Palo Alto as IBM’s preferred cybersecurity partner across network, cloud, and SOC.”
Business Opportunities Abound for MSSPs, MSPs
Ong agreed that the post-acquisition changes coming for QRadar customers could inspire MSPs and MSSPs to swoop in and gain customers who are upset about how the deal will affect them.
“There is certainly an opportunity for MSPs and MSSPs, and we expect that clients which were on the fence about going the route of the increasingly popular managed SIEM will make the switch,” Ong said.
However, it is unlikely to be a ‘blood-in-the-water’ scenario because existing QRadar customers will have to complete the IBM contracts that they have. That, says Ong, “gives Palo Alto a significant window to win them over, whether through ease of migration, attractive pricing, technical capabilities, etc.”
In addition, “existing clients may be deeply integrated with IBM and are unwilling to lose the IBM-Palo Alto support by migrating to another security provider or platform, especially since the duo appear to have concerted efforts around client retention,” said Ong. “[And] clients which use next-generation SIEMs (NG-SIEMs) such as QRadar are likely large enterprises and will look for top players in the security space. Palo Alto has few competitors on this scale. These clients may also want an established NG-SIEM provider, and switch to the big players such as Splunk (Cisco), Microsoft, Google, Elastic, etc.”
More Details on the IBM-Palo Alto Networks Deal
The IBM QRadar suite offers threat detection and response services, including endpoint detection and response (EDR), extended detection and response (XDR), managed detection and response (MDR), log management, security information and event management (SIEM), and security orchestration, automation and response (SOAR).
Under the deal, IBM and Palo Alto will establish a joint SOC and IBM Consulting will be a preferred MSSP for current and future Palo Alto customers. In addition, IBM's experts around the world will use watsonx, IT automation, and threat intelligence along with Palo Alto’s security platforms to drive their growth, the partners said.
No price tag for the transaction was announced.