Navigating the SIEM Shakeup: QRadar to XSIAM & Beyond
Everyone in cybersecurity is used to an industry that moves at breakneck speeds; it’s truly a space where evolution is the only constant. However, the recent actions and trends within the SIEM (Security Information and Event Management) market have caused everyone – CISOs, CXOs, MSSP executives, and other security professionals – to stop dead in their tracks.
The flurry of activity started in September 2023, with Cisco announcing its intention to acquire Splunk. Then, in nearly back-to-back statements on May 15, 2024, LogRhythm and Exabeam publicized their intent to merge, and Palo Alto Networks revealed it was acquiring IBM’s entire QRadar business.
These developments are not just headline-grabbing; they’re reshaping the landscape, prompting analysts to speculate on the future direction of security solutions and forcing security leaders to make unexpected critical decisions.
Understanding the Consolidation Trend in the SIEM Market
The consolidation in the SIEM market is not unprecedented; dominant market players often acquire smaller firms to integrate their niche technologies. However, these recent high-profile acquisitions and mergers don’t include any small fish – they are all established market leaders, raising questions about the driving forces behind this monumental change.
Several factors are contributing to the market transformation, including:
- Tech Advancements: Legacy SIEM solutions struggle to keep pace with today’s complex security landscape. Today’s security teams require more advanced and robust solutions powered by AI, machine learning (ML), automation, and extensive analytics capabilities.
- Complexity of All Things Digital: The convergence of rapidly evolving cyber threats, the exceptional volume of data being produced, and the diversity of IT environments are driving the need for security solutions that can not only keep pace but also predict and preempt potential breaches.
- Need for Comprehensive Solutions: The moves these companies have made point toward merging SIEM, Security Orchestration, Automation and Response (SOAR), and Extended Detection and Response (XDR) into a unified security platform. Major vendors are striving to deliver a “single pane of glass” solution for security operations (SecOps) by integrating threat detection, response, and analytics functionalities.
The solutions that will result from these acquisitions closely align with the aforementioned change drivers.
- Cisco Acquiring Splunk: Cisco plans to integrate Splunk’s SIEM with its own EDR platform and security insights, signaling a shift from reactive threat detection to proactive prediction and prevention, which is necessary to combat the speed and sophistication of emerging threats.
- LogRhythm Merging with Exabeam: The merger will fuse a top-tier SIEM and a User and Entity Behavior Analytics (UEBA) solution, enhancing their collective capabilities in threat detection, investigation, and response.
- Palo Alto Networks Acquiring IBM QRadar: This acquisition may seem surprising, considering IBM’s QRadar is the third largest SIEM provider, and IBM made substantial investments to launch its cloud-native QRadar Suite in 2023 and 2024. Despite all these investments, QRadar’s technology was falling behind the competition. The deal grants Palo Alto ownership of all IBM security operations tools, including the EDR offering from ReaQta, threat intelligence from IBM Security X-Force, QRadar SOAR, and Randori Recon, positioning the company to make significant strides in the SIEM space, as its Cortex XSIAM is relatively new to the market and still lacks a considerable customer base.
Shift Towards Other SIEM-like Technologies
While mergers are restructuring the market, they are also creating opportunities for alternative security monitoring solutions; companies with related technologies are circling the SIEM market. Gartner highlights the trend of XDR vendors developing their own SIEMs while companies with security data lake capabilities or expertise in analytics or cloud telemetry management are offering solutions that could replace or supplement SIEMs.
Implications and Considerations for QRadar Customers
The abrupt nature of the Palo Alto-IBM deal has caught current QRadar customers off guard, leaving many confused and frustrated. Palo Alto Networks said qualified QRadar SaaS and on-prem customers can seamlessly migrate to Cortex XSIAM at no financial cost.
Not So Seamless Migration
While trying to understand who made the final cut on the qualified customers list, it’s important to recognize the actual scope and complexity of migrating a SIEM, its functions, and its (your) history, including:
1. Detection Rules:
One of the central components to assess when migrating is the detection rules, both the built-in rule set and dedicated rules. Different formats may seem like the initial issue concerning rules, but it’s the conversion or rewriting of the rules that can be time-consuming and error-prone. Dedicated rules tailored for specific customer needs may also require significant effort to replicate in XSIAM.
2. Reports, Graphs, and Dashboards:
Existing reports and dashboards in IBM SIEM likely won’t translate directly to XSIAM. Rebuilding them in XSIAM requires recreating the logic and visualizations, impacting user experience during the transition.
3. Threat Intelligence Sources & Feeds:
Compatibility between IBM SIEM and XSIAM for threat intelligence sources and feeds needs verification. Integration might require reconfiguration or even replacement of some sources, disrupting threat data flow.
4. SOAR Workflows:
Security Orchestration, Automation, and Response (SOAR) workflows might be incompatible between the two platforms. Rewriting them for XSIAM can be a complex task requiring security expertise.
5. 3rd Party Integrations:
Third-party security tools integrated with IBM SIEM might not have native integration with XSIAM. This necessitates re-integration efforts or finding alternative tools, potentially causing compatibility issues and delays. Additionally, Palo Alto is known for its lack of integrations, forcing many to swap out their existing security solutions for new ones under the Palo Alto umbrella.
6. Cold Storage and Historical Data:
Moving past security data to XSIAM requires careful consideration due to the sheer volume of data involved. This migration will impact all the logs previously used to establish the organization’s baseline behavior and unique activity patterns. The process might require additional storage or specific tools to convert the data format for ingestion into XSIAM.
Additional Considerations:
- User Training: Migrating to a new platform requires retraining users on XSIAM’s interface and functionalities, impacting productivity in the short term.
- Downtime: There will likely be a period of downtime during migration when security monitoring capabilities are limited. Even once monitoring is back on, getting up to speed can take months.
- Testing and Validation: Extensive testing is crucial post-migration to ensure everything functions as intended, adding to the overall migration timeline.
And still, there is more to consider, and costs come in different forms, especially in a process as complex as SIEM migration.
Evaluation and Decision Making
Before trying to evaluate how Cortex XSIAM aligns with their threat detection, investigation, and response (TDIR) strategies, security decision-makers are at a crossroads where they must first reevaluate their TDIR strategies concerning SIEM at all. The evolution of the SIEM market and the solutions available, especially through a service provider, can offer not only a path toward more advanced security but also a reduction in the initial and ongoing costs of security operations altogether.
Still, security decision-makers need to weigh the practicality and repercussions of migration against the option of seeking out other SIEM or SIEM-like providers that align with their unique requirements or opting to continue with QRadar SaaS, knowing that its future is limited. Forrester warns of “technical debt” for businesses clinging to QRadar. Essentially, you’d be building your security on a product with limited future support, nearing its end-of-life.
Here are some key considerations:
- Migration to Cortex XSIAM: The platform offers access to next-generation security, potentially with enhanced features and functionality. However, migration is a complex undertaking and inherently disruptive. Staff will need training, workflows must be redesigned, and vulnerabilities could be introduced during the learning curve, potentially increasing risk. Since Cortex XSIAM is newer, missing functionalities or a lack of platform maturity can pose adaptation challenges, especially for more experienced professionals.
- Exploring Alternative SIEM Solutions: This path involves evaluating the current security posture and tech stack and then selecting a new vendor that aligns with the organization’s specific security needs. While this approach offers the potential for a best-fit solution, it also necessitates investing time and resources in the selection process and subsequent implementation.
- Migrate to a Managed Service: A service provider can offload a significant part of the migration burden while also delivering comprehensive security management. Designed to free up internal IT and security resources to focus on core business functions, this option can provide the fastest time-to-value along with advanced, adaptable security solutions. It comes with a trade-off, however: ownership of your overall security operations is transferred, and this loss of control might be a concern for some organizations.
Evolving Threats Must Be Met with Forward-thinking Solutions
The recent wave of SIEM consolidation underscores the critical need for organizations to exercise due diligence and informed decision-making. SIEM, SOAR, and XDR technologies are rapidly transforming, and understanding their capabilities and limitations is crucial for building a robust security posture.
For CISOs seeking to navigate this complex terrain, Managed Detection and Response (MDR) solutions or managed services present a compelling option. With an MDR in place, organizations can offload their entire security burden, from managing an in-house SOC to the ongoing challenge of recruiting and retaining highly sought-after Digital Forensics and Incident Response (DFIR) experts. AI- or ML-powered MDR solutions can increase visibility and normalize and correlate vast amounts of data while delivering precise threat detection, investigation, risk indications, and remediation steps. Additionally, MDR supports compliance with ever-changing security regulations. An MDR is an ideal option for organizations that want to free up valuable internal resources, focus on core business functions, and harden their security posture all at once.
The future belongs to those who safeguard their digital assets today; choose wisely.