As Palo Alto Networks Absorbs IBM QRadar, Traditional SIEM Is Fading: Analysis

Despite being one of the top SIEM tools for years, IBM QRadar is ‘basically surrendering—in the transition to the cloud—to another vendor,’ a Forrester analyst tells me. The deal was announced the same day as another surprise move in the market, in a sign of the fading fortunes of traditional SIEM vendors.

If last week’s pair of surprise M&A announcements is any indication, the fortunes of traditional SIEM vendors are fading fast.

In the bigger of the two deals, Palo Alto Networks is planning to acquire IBM’s QRadar SaaS business for $500 million. It’s a stark illustration of the decline of traditional SIEM (security information and event management), given that the deal is mainly targeted at migrating customers to the cybersecurity vendor’s rival cloud-native tool for security operations — as CEO Nikesh Arora acknowledged during a call with analysts Monday.

[Related: Palo Alto Networks To ‘Change How Cybersecurity Is Done’ With AI Launch: CPO Lee Klarich]

The QRadar deal came last Wednesday just hours after another longtime SIEM vendor, LogRhythm, announced plans to merge with a somewhat newer vendor in the sector, Exabeam.

“Today is the day three SIEM tools died,” Google Cloud’s Anton Chuvakin wrote last Wednesday in a post on X, referencing LogRhythm, Exabeam and IBM QRadar.

As part of the QRadar deal, Palo Alto Networks is set to acquire the Software-as-a-Service assets associated with the offering, including QRadar intellectual property. The deal is expected to close by the end of September.

For cybersecurity giant Palo Alto Networks, however, the assets don’t seem to be the main focus. The bigger motive for the deal is to gain an entry point for migrating QRadar SaaS customers onto its competing platform, Cortex XSIAM (extended security intelligence and automation management).

“What's interesting here is that Palo Alto [Networks] is taking the customers from IBM. They're not focused on necessarily taking the technology with it and incorporating that into their stack,” Allie Mellen, principal analyst at Forrester, told me.

XSIAM is Palo Alto Networks’ AI-powered platform for security operations teams, which has seen rapid customer adoption since its debut in late 2022.

The acquisition deal announced last Wednesday has shocked many in the industry in part because QRadar “has been one of the top tools in the market for SIEM for so long,” Mellen said. IBM’s QRadar business originated with the tech giant’s acquisition of Q1 Labs in 2011.

“It has been just a massive transition for the industry — to see a titan like this basically surrendering, in the transition to the cloud, to another vendor,” she told me.

I’ve reached out to IBM for comment.

SIEM Consolidation Accelerates

Without a doubt, the moves are in part a response to Cisco’s $28 billion acquisition of SIEM stalwart Splunk in March. But pressure on the older SIEM vendors has also come from the moves into the market by cloud giants including Microsoft and Google Cloud, as well as by cybersecurity juggernauts like CrowdStrike and SentinelOne.

Looking ahead, “we’re going to continue to see consolidation in this market, for sure, especially the security analytics platform market,” Mellen said.

Meanwhile, the QRadar announcement also highlights the rise of XDR (extended detection and response) as a newer — and potentially, higher-quality — method for detecting cyberthreats than traditional SIEM. Palo Alto Networks was the originator of the XDR concept, and its ascendancy in the security operations market by combining XDR with XSIAM is a significant development.

Prior to XDR, “we've really never seen another market be able to potentially take on some of the more-established SIEM vendors before,” Mellen told me.

Decision Time For Customers

IBM and Palo Alto Networks are saying they will “facilitate the migration” of QRadar SaaS customers to XSIAM platform once the acquisition closes. For QRadar SaaS customers, “there's a lot of decisions that they'll have to have to think through before they can necessarily make that migration,” Mellen told me.

Meanwhile, on-premises QRadar customers will continue to receive updates and support, the companies have said — though Arora has made clear he is looking to win over those customers, too. The deal opens the door for Palo Alto Networks to pursue the migration of on-prem QRadar customers to XSIAM, “which is a much larger prize,” he said Monday.

In a blog post on Thursday, Mellen and two other Forrester analysts, Jeff Pollard and Joseph Blankenship, noted that IBM had “made QRadar the focal point of its security product portfolio” since the Q1 Labs acquisition more than a decade ago. However, IBM had “faltered in recent years as it attempted to shift the offering to the cloud,” the Forrester analysts wrote.

Going forward, it’s unlikely that Palo Alto Networks has major plans for the QRadar assets and intellectual property when it comes to the future development of XSIAM, Mellen told me.

“A lot of reengineering work would be required to make use out of the QRadar assets,” she said. “It would just be a lot of work for Palo Alto [Networks] that they could spend building a new feature or capability within the [XSIAM] offering.”

During the call with analysts Monday, Arora certainly emphasized the customer acquisition angle with the IBM QRadar deal. The move should provide a major boost to Palo Alto Networks’ “platformization” push, which seeks to make it easier for customers to consolidate on the vendor’s broad security platform.

“Part of platformization is [being] able to transition customers off their existing contracts,” Arora said Monday. “Now the good news [with the IBM deal] is, we can transition these customers irrespective of the term when they expire.”

For instance, rather than waiting several years to migrate a QRadar SaaS customer to XSIAM, “I can just walk up to them and say, ‘Listen, you're already my customer now, because I've acquired the contract,’” he said. “‘Why don't you come [and we'll] work on transitioning to XSIAM?’”