In an unexpected move that has disrupted the cybersecurity equilibrium, IBM has announced its exit from the cybersecurity software market by selling its QRadar SaaS portfolio to Palo Alto Networks. This development has left many Chief Information Security Officers (CISOs) rethinking their procurement strategies and vendor relationships as they work to rebuild their Security Operations Centers (SOCs).
IBM's QRadar Suite: A Brief Overview
The QRadar Suite, rolled out by IBM in 2023, included a comprehensive set of cloud-native security tools such as endpoint detection and response (EDR), extended detection and response (XDR), managed detection and response (MDR), and key components for log management, including security information and event management (SIEM) and security orchestration, automation, and response (SOAR) platforms. The suite was recently expanded to include on-premises versions based on Red Hat OpenShift, with plans for integrating AI capabilities through IBM's Watsonx AI platform.
The agreement, expected to close by the end of September, also designates IBM Consulting as a "preferred managed security services provider (MSSP)" for Palo Alto Networks customers. This partnership will see the two companies sharing a joint SOC, potentially benefiting customers looking for integrated security solutions.
Palo Alto Networks has assured that feature updates and critical fixes will continue for on-premises QRadar installations. However, the long-term support for these on-premises solutions remains uncertain.
Customer Impact and Reactions
The sudden divestiture has taken the cybersecurity community by surprise, particularly given IBM's significant investment in transforming QRadar into a cloud-native platform. Eric Parizo, managing principal analyst at Omdia, noted the unexpected nature of this move, highlighting the substantial resources IBM had dedicated to QRadar's development.
Customers now face a critical decision: migrate to Palo Alto's Cortex XSIAM platform or explore other alternatives. Omdia's research indicates that IBM's QRadar was the third-largest next-generation SIEM provider, trailing only Microsoft and Splunk (now part of Cisco). The sudden shift has left many customers seeking clarity and solutions.
Market Dynamics
This acquisition comes at a pivotal time in the cybersecurity industry, with SIEM, SOAR, and XDR technologies increasingly converging into unified SOC platforms. Major players like AWS, Microsoft, Google, CrowdStrike, Cisco, and Palo Alto Networks are leading this trend. Just before IBM's announcement, Exabeam and LogRhythm revealed their merger plans, aiming to combine their SIEM and user and entity behaviour analytics (UEBA) capabilities.
Forrester principal analyst Allie Mellen pointed out that IBM's QRadar lacked a fully-fledged XDR offering, focusing more on EDR. This gap might have influenced IBM's decision to divest QRadar.
For Palo Alto Networks, acquiring QRadar represents a significant boost. The company plans to integrate QRadar's capabilities with its Cortex XSIAM platform, known for its automation and MDR features. While Palo Alto Networks has made rapid advancements with Cortex XSIAM, analysts like Parizo believe it still lacks the maturity and robustness of IBM's QRadar.
Palo Alto Networks intends to offer free migration paths to its Cortex XSIAM for existing QRadar SaaS customers, with IBM providing over 1,000 security consultants to assist with the transition. This free migration option will also extend to "qualified" on-premises QRadar customers.
The long-term prospects for QRadar SaaS under Palo Alto Networks remain unclear. Analysts suggest that the acquisition aims to capture QRadar's customer base rather than sustain the product. As contractual obligations expire, customers will likely need to transition to Cortex XSIAM or consider alternative vendors.
A notable aspect of the agreement is the incorporation of IBM's Watsonx AI into Cortex XSIAM, which will enhance its Precision AI tools. Gartner's Avivah Litan highlighted IBM's strong AI capabilities, suggesting that this partnership could benefit both companies.
In conclusion, IBM's exit from the cybersecurity software market marks a paradigm shift, prompting customers to reevaluate their security strategies. As Palo Alto Networks integrates QRadar into its offerings, the industry will closely watch how this transition unfolds and its impact.
Among various cyber threats, business e-mail compromise (BEC) and ransomware attacks continue to be on the top of the global watch list.
As per Ms. Wendi Whitmore, Palo Alto Network’s Unit 42 senior vice-president, BEC scams, targets both corporations and individuals making genuine transfer-of-funds requests. It makes BEC the most common and costly threat to organizations worldwide.
“We see (criminal) organizations where you’ve got a member in Nigeria that’s closely communicating (on the Dark Web) with someone in Eastern Europe, and maybe communicating closely with someone in Asia […] I think that as the economy continues to have more challenges, we’re going to see even more of that level of interconnectivity,” says Ms. Whitmore.
On the FBI Internet Crime Complaint Centre report 2021, BEC continues to hold the apex position, for the sixth year.
Does Dark Web Harbor Cybercrime?
Mr. Vicky Ray, a principal researcher at Unit 42 who studies data and telemetry used in such global cyberattacks, believes that the Dark Web has become a breeding ground for cybercrime.
On the Internet or the ‘Surface web,’ which is readily accessed by the general public, one can look for a variety of information or participate in forums. On the other hand, in order to access Dark Web, one needs a certain browser and a known URL. Some Dark Web forums demand that new members have a known party vouch for them.
According to Palo Alto, the growth of Darknet markets in Asia has given cybercriminals more flexibility, since the platform's anonymity makes it less likely that they will ever be tracked.
“It’s hard, but at the end of the day, it is our job to connect these dots together to really answer... the hard question of who may be behind it (a cyberattack) or what the motivation is.” Mr. Ray told The Straits Times.
No matter if the attack is a ransomware attack or a data breach, cyber criminals are in an ecosystem where “everyone supports each other and collaboration is everywhere”, he continues, showing a screengrab of a malware developer apparently receiving feedback on a Dark Web forum.
“What has changed in the past three years has been the tactics of ransomware as a service […] These gangs who were actually creating and using the ransomware to target victims, or potential victims back in the day, what they have realized is, if they provide that to other criminals, who are called affiliates, they can be more profitable,” he adds.
Cybercrime on Dark Web
Criminals on the Dark Web co-operate in an operation in a variety of ways, from "consultants" who offer professional guidance to affiliates who buy malware from developers.
However, there also lies a similar collaboration between law enforcement and business parties, like Palo Alto, which shares its criminal research with Interpol.
In one such case, for instance, in 2021, the Nigerian Police Force detained 11 members of certain cybercrime gangs, who are assumed to be part of a threat group ‘SilverTerrier’ recognized for their BEC scams, said Interpol on its website.
During Operation Falcon II, which ran from December 13 to December 22, 2021, investigators analyzed data from the network's BEC scams, which were allegedly linked to 50,000 individuals. One suspect had more than 800,000 potential victim domain credentials on his laptop, while no monetary amount was disclosed.
In regards to this, Interpol said, “Through Interpol’s Gateway initiative, Palo Alto Networks’ Unit 42 and Group-IB (a cyber-security firm) have contributed to investigations by sharing information on ‘SilverTerrier’ threat actors, and analyzing data to situate the group’s structure within the broader organized crime syndicate. They also provided key technical expertise consultancy to support the Interpol teams.”
The Gateway Initiatives aid law enforcement agencies and corresponding private companies to communicate information in a secure and quicker manner, in order to mitigate and disrupt cybercrime.
“We really see the significance of these (partnerships)... So you will see a lot of the law enforcement now openly talking to us and collaborating,” adds Mr. Ray