Critical Capabilities for Endpoint Protection Platforms

Published 30 April 2018 – ID G00334896

Endpoint protection is evolving to address security architecture tasks such as hardening, investigation, incident detection and incident response. Security and risk management leaders should evaluate EPP vendors’ ability to keep up with modern endpoint threats and their deployment requirements.

Overview

Key Findings

  • Advanced prevention capabilities such as machine learning, software behavior analytics and exploit prevention are no longer only available from newer EPP vendors; rather, they have become part of the core set of prevention solutions offered by nearly all vendors in this market.
  • Many Type B organizations want to incorporate advanced EDR capabilities as a means of actively detecting and responding to threats; however, EDR solutions remain challenging to deploy and operate for most.
  • Most Type B and Type C organizations eventually elect to use EDR as a forensics-focused solution if they operate it themselves, or they opt to engage managed services to supplement their internal capabilities.
  • The appeal of traditional EPP suites has been somewhat tempered in recent years, as emphasis has shifted to newer malware detection features and capabilities such as machine learning and behavioral analysis. Still, many Type B and Type C organizations continue to derive significant value from the integration and common management these suites provide.

Recommendations

Security and risk management leaders responsible for endpoint protection platforms:
  • Type A organizations: Focus on solutions that are flexible and customizable to meet their operational requirements.
  • Type B organizations: Focus on a blend of prevention and detection and response capabilities commensurate with the skills and experience of their security operations teams. Alternatively, evaluate MSS and MDR capabilities to extend their internally available capabilities.
  • Type C organizations: Emphasize prevention-focused solutions. Evaluate EDR primarily as a forensics capability, and favor solution providers that also offer MSS and MDR capabilities.

Strategic Planning Assumption

By 2021, endpoint protection platforms (EPPs) will provide automated, orchestrated incident investigation and breach response. Separate, stand-alone endpoint detection and response (EDR) solutions will focus on managed security service provider (MSSP) and large enterprise security operations center (SOC) environments.

What You Need to Know

This document was revised on 29 May 2018. The document you are viewing is the corrected version. For more information, see the Corrections page on gartner.com.
This Critical Capabilities research is based on the same data set used for the 2018 Magic Quadrant for Endpoint Protection Platforms. Both documents evaluate products that were publicly available on or before 14 November 2017.
In September 2017, in response to changing market dynamics and client requirements, Gartner adjusted its definition of an EPP. An EPP is a solution deployed on endpoint devices to prevent file-based malware, to detect and block malicious activity from trusted and untrusted applications, and to provide the investigation and remediation capabilities needed to dynamically respond to security incidents and alerts (see “Redefining Endpoint Protection for 2017 and 2018”).
Organizations are placing a premium on protection and detection capabilities within an EPP, and are placing less emphasis on EPP vendors’ ability to provide data protection capabilities such as data loss prevention, encryption or server controls. Security buyers are increasingly looking to the built-in security capabilities of their OS vendors, and most organizations are adopting disk encryption at the OS level with BitLocker in Microsoft Windows 10 and FileVault in Apple macOS.
Concurrently, protection for servers has diverged from EPP, with specialized tools to address the modern hybrid data center (cloud and on-premises; see “Market Guide for Cloud Workload Protection Platforms”). Gartner recommends that organizations separate the purchasing decisions for server workloads from any product or strategy decisions involving endpoint protection. The evolutionary shift from hardware servers to virtual machines (VMs), containers and private/public cloud infrastructure means that server workloads now have different security requirements compared to end-user-focused, interactive endpoints (see “Endpoint and Server Security: Common Goals, Divergent Solutions”).
This is a transformative period for the EPP market, and as the market has changed, so has the analysis profile used for this research. In the 2017 Magic Quadrant for Endpoint Protection Platforms, capabilities traditionally found in the EDR market (see “Market Guide for Endpoint Detection and Response Solutions”) were considered as “nice to have” features. In this 2018 research, some of these features are now core components of an EPP that can address and respond to modern threats.
Note that definitions of Type A, B and C organizations are found in the Use Cases section.

Analysis

Critical Capabilities Use-Case Graphics

Figure 1. Vendors’ Product Scores for Type A Use Case

Source: Gartner (April 2018)

Figure 2. Vendors’ Product Scores for Type B Use Case

Source: Gartner (April 2018)

Figure 3. Vendors’ Product Scores for Type C Use Case

Source: Gartner (April 2018)

Vendors

Bitdefender

Bitdefender’s solution scores among the highest for effectiveness in third-party tests across a broad range of platforms and capabilities. Its solution is the most widely repackaged by other vendors of any in the EPP market. Bitdefender offers EPP and EDR in one platform, with one agent across endpoints and physical, virtual or cloud servers. While a large part of the installed base is in the consumer segment, the gap between enterprise and consumer business is narrowing.
Bitdefender is a good choice for organizations that value malware detection accuracy and performance, as well as full support for data center and cloud workloads from a single solution provider. Bitdefender is also a partner for Microsoft’s Windows Defender Advanced Threat Protection (ATP) platform, providing agents for Linux and macOS.
The vendor continues to round out its endpoint features for larger enterprises. However, its brand awareness remains low. Bitdefender’s cloud-based, single-agent approach, large installed base, and recently released EDR module keep it relevant in this space.

Carbon Black

Carbon Black is in the middle of a significant corporate transition, consolidating its overall offerings into a new cloud-based security platform called Predictive Security Cloud. The company’s overall offerings consist of Cb Defense (EPP), Cb Response (threat hunting and incident response), and Cb Protection (application whitelisting and device lockdown). Carbon Black began to consolidate EDR features from Cb Response into Cb Defense in 2017 as it started to build a presence in the EPP market. With the upcoming movement to cloud-based management and agent consolidation, Carbon Black implementations should become much simpler for its clients.
Cb Response is typically found in more complex environments with very mature security operations teams. The Cb Defense agent collects all endpoint data unfiltered and sends it to the cloud using a proprietary data streaming mechanism that avoids bursts and peaks in network traffic.

Cisco

Cisco’s Advanced Malware Protection (AMP) for Endpoints consists of prevent, detect and respond capabilities deployed as a cloud-managed solution that can be hosted in a public or private cloud.
Cisco’s AMP for Endpoints leverages similar technology to the AMP capabilities in other Cisco products. Its AMP Cloud technology detects known threats, and uses threat intelligence data from Threat Grid and Talos security researchers for exploit prevention.
Gartner clients rarely shortlist AMP for Endpoints for its technology. When they do, it is usually because they get a strong financial incentive when purchasing other Cisco products. AMP for Endpoints did not participate in public endpoint-focused third-party testing in 2017, which impacts its scores in this Critical Capabilities research.
Cisco’s AMP solution has the most appeal for existing Cisco clients that leverage other Cisco security solutions and aspire to establish security operations around Cisco products.

Comodo

The Comodo brand is best-known as a digital certificate authority. In October 2017, Francisco Partners acquired a majority stake in Comodo’s certificate authority business, with Comodo planning to focus on its endpoint protection strategy.
Comodo Advanced Endpoint Protection (AEP) includes malware protection, a host-based intrusion prevention system (HIPS), web filtering, a personal firewall, sandbox analysis, vulnerability analysis and patching, and a classification capability that helps guarantee a good or bad verdict on all executable files. When an executable is untrusted or unknown, it is run in a tightly controlled container to isolate any potentially malicious activity.
Comodo also sells secure web gateways, web application firewalls and mobile device management focused on midsize enterprises and small and midsize businesses (SMBs). Its security products are managed from a central web-based portal that manages service request ticketing and workflow.

CrowdStrike

CrowdStrike Falcon’s lightweight single agent supports all environments (physical, virtual and cloud) and functions with the same agent and management console for Falcon Prevent protection and Falcon Insight EDR. With its EDR heritage, CrowdStrike records most endpoint events and sends all recorded data to its cloud for analysis and detection. Some prevention is done locally on the agent.
Alongside EPP and EDR capabilities, CrowdStrike offers a complementary service called Falcon OverWatch that is widely used by its clients.
Falcon OverWatch provides managed threat hunting, alerting, response and investigation assistance.
Organizations with small or no SOC teams will find the combination of Falcon OverWatch and Falcon Endpoint Protection compelling. CrowdStrike also offers a well-respected breach response service.

Cylance

Cylance was one of the pioneers in using machine learning (ML) to detect file-based malware, but by 2017, most EPP competitors claimed to have added ML capabilities, pressuring Cylance to more aggressively address non-file-based attacks. In late May 2017, Cylance formally launched its EDR product, CylanceOPTICS, which was late to market compared to other vendors, and is generally perceived to be lacking in advanced capabilities already available in key competing products.
Eighty-five percent of Cylance’s business is in North America, although the company has about 3,700 customers across the globe, half of which represent organizations with fewer than 500 seats.
CylancePROTECT is cloud-based, with Cylance hosting and managing the console infrastructure directly. The vendor finally started participating in the VirusTotal community in 2017, but has a poor third-party test participation record when compared with established EPP vendors.
Cylance is a good EPP shortlist candidate for organizations requiring a lightweight, low-impact client agent.

Endgame

Endgame is a privately held organization that has evolved from pure EDR for large enterprises and defense organizations, with the addition of prevention capabilities for the broader enterprise market.
Endgame is one of the few vendors in this analysis that sells a single product offering — meaning there are no additional add-ons or purchases — to address protection, detection and response use cases.
The platform is missing a number of traditional EPP-related features, such as application control and suspicious file quarantining. Yet Endgame scores well in protection capabilities by focusing on the tools, techniques and procedures used by adversaries, rather than simply looking for bad files.
Endgame’s big differentiator is in its investigation and threat-hunting capabilities, where natural language understanding (NLU) queries, such as “Search for PowerShell” and “Find NetTraveler,” allow organizations to make use of advanced detection capabilities without the need for deep experience.
Endgame is a good EPP shortlist candidate for organizations with an existing or emerging SOC where incident investigation and response is a key requirement.

ESET

ESET has a strong EPP market share among SMBs to large enterprises. It provides protection with a lightweight agent that includes a large protection stack, consisting of a host-based intrusion prevention system (HIPS), ML, exploit prevention, detection of in-memory attacks and ransomware behavior detection.
ESET recently launched an additional platform for EDR capabilities, called Enterprise Inspector. Customers with experienced security staff will be able to inspect and modify the detection rules within Enterprise Inspector, and further tailor them to their unique requirements.
ESET has significant security community mind share through published research, disruption of organized crime and its WeLiveSecurity website. The vendor’s evaluation is impacted in this assessment by its limited cloud management capabilities, and the relative lateness of its EDR capabilities.
ESET has localized support in 35 languages, which means it is an attractive choice for globally distributed organizations. Its protection capabilities make it a solid shortlist candidate for any organization.

FireEye

FireEye is a security suite vendor that provides email, web, network, endpoint security and threat intelligence, which are managed in the Helix security operations platform.
FireEye revenue from its HX Series endpoint security product is a relatively small portion of the vendor’s overall business. The HX management console is deployed through the cloud or as a virtual or on-premises hardware appliance that supports up to 100,000 endpoints.
FireEye Endpoint Security 4.0 shipped in late September 2017; therefore, market response to FireEye’s endpoint protection capabilities was limited during this research period.

Fortinet

Fortinet is a network security suite vendor whose products include enterprise firewalls, email security, sandbox, web application firewalls and its FortiClient endpoint security software. FortiClient includes components designed to work in conjunction with Fortinet products, including FortiGate (firewall), FortiSandbox, FortiMail, FortiWeb and others.
FortiClient is not well-known to most Gartner clients that inquire about endpoint security, and we see little adoption of it outside of Fortinet’s client base. FortiClient is becoming more focused on the enterprise space, but its current installed base is mostly in the SMB space, and about half of its customers have fewer than 1,000 seats installed.
Gartner clients will find Fortinet most appealing when integrated as part of an existing Fortinet deployment.

F-Secure

In 2017, F-Secure continued with its long track record for high-accuracy, lightweight and low-impact anti-malware detection with its cloud-based F-Secure Protection Service for Business (PSB) offering and on-premises solution, F-Secure Business Suite. F-Secure added an integrated password manager with password protection capabilities and improved device control management to PSB and Business Suite. F-Secure also added ML capabilities to Rapid Detection Service, which is its managed EDR solution.
Over the past 12 months, F-Secure further enhanced its product deployment and management capabilities, making it a good choice for larger, more complex enterprises.
F-Secure is focusing its investments in its managed service offerings, and has added product enhancements with a specific focus on preventing ransomware attacks.

Kaspersky Lab

Kaspersky Lab’s research team makes up one-third of the organization, and is well-known for its accurate malware detection and in-depth investigation and analysis of many sophisticated attacks.
Kaspersky Lab is late to market with EDR capabilities, and has no vendor-managed, SaaS-type cloud-based management options for organizations with more than 1,000 endpoints to manage.
In September 2017, the U.S. government ordered all federal agencies to remove Kaspersky Lab’s software from their systems. Furthermore, several media reports, citing unnamed intelligence sources, have claimed that Kaspersky’s software was being used by the Russian government to access sensitive information. Although the U.S. government has not given any official explanation for the ban, Kaspersky Lab vehemently refutes the unsubstantiated claims and stresses that there has yet to be any evidence produced of its alleged wrongdoing. Kaspersky maintains that the actions lack sufficient basis and are unconstitutional, and has initiated legal action against the U.S. government. Gartner clients, especially those who work closely with U.S. federal agencies, should continue to monitor this situation for updates.
From a technology and malware prevention perspective, Kaspersky Lab remains a good candidate as a solution for any organization that is not constrained by U.S. government recommendations. Despite the media stories surrounding Kaspersky Lab, it continues to grow its endpoint presence globally.

Malwarebytes

In 2017, Malwarebytes delivered cloud-based management, and added mainstream and advanced EDR capabilities to its single agent, which includes the breach remediation tools for remediating infections. It is one of the few vendors in this space that can roll back the changes made by ransomware, including restoring files that were encrypted in the attack. This ransomware remediation can be performed remotely from the cloud management console up to 72 hours after the attack, without the need for any local access to an endpoint.
For organizations with small IT or security teams, Malwarebytes provides strong protection capabilities and some advanced EDR capabilities, all at an attractive price point. For larger organizations or organizations with a mature security team, there are some missing enterprise features that make the Malwarebytes solution a challenge to incorporate into an existing SOC workflow.

McAfee

Intel completed the sale of 51% of McAfee to TPG in April 2017 and, as a stand-alone company, McAfee has refocused its efforts on the core aspect of its business: endpoint protection. McAfee remains one of the top three incumbent EPP vendors by market share, and its execution issues over the past three years make it the top competitive target for displacement by other vendors in this Critical Capabilities research.
Specifically, upgrades to Endpoint Security (ENS) version 10.x remained a very challenging adoption cycle for most McAfee clients. The feature set and protection capabilities included in the most recent release are quite compelling, and public test scores have improved over the past year. However, McAfee’s execution assessment is hampered by organizations’ continued hesitance to adopt the latest version, which leaves them vulnerable to commodity malware as well as more advanced threats. Gartner client inquiry data identified McAfee as the single most-quoted EPP vendor that clients were planning to replace. Customer satisfaction scores were low again for 2017.
McAfee’s ePolicy Orchestrator (ePO) continues to be the most quoted reason for clients initially adopting McAfee solutions in their environment, or for retaining McAfee over their contract terms and subsequent renewals. However, disenchantment with the EPP product is quickly eroding the perceived value of ePO in favor of vendors with cloud-based EPP management.
McAfee remains a good shortlist candidate for medium and larger organizations requiring an effective solution and that have a focus on an integrated management and reporting capability.

Microsoft

Microsoft is unique in the EPP space, as it is the only vendor with the capacity to embed protection features directly into the OS. It has used this advantage to step up its efforts in security with Windows 10 features, improvements to Windows Defender (also known as System Center Endpoint Protection), and the addition of Windows Defender Advanced Threat Protection and Windows Defender Security Center.
Windows 10 OS-level features and capabilities available with Windows Enterprise E3 and E5, such as Application Guard, AppLocker, Secure Boot, Device Guard, Exploit Guard, Advanced Threat Protection (ATP) and Credential Guard, significantly improve protection against current common threats. However, these protections are not as well integrated in previous OS versions.
Overall, Microsoft now provides a broad range of security protections that address a wide spectrum of threats across endpoint, Office 365 and email. The comprehensive solution set will resonate with most organizations’ security requirements, provided their budgets stretch to the higher-tier, E5-level subscription.
Microsoft has become the most-asked-about vendor during EPP-related Gartner client inquiry calls, and there is significant interest in using the security capabilities in Windows 10 to reduce security spend with other vendors. However, while it is improving its detection rates, the solution continues to be challenged to protect against sophisticated threats, and manageability of the solution remains a challenge.

Palo Alto Networks

Palo Alto Networks is still best-known to Gartner clients for its next-generation firewall (NGFW) product line, and this continues to be the main line of introduction to Palo Alto Networks Traps for Gartner clients.
Traps uses a stack of nonsignature detection capabilities, such as ML, static and dynamic analysis, as well as monitoring processes and applications as they are spawned for suspicious activity and events. Suspect files from the endpoint can be tested by Palo Alto Networks WildFire, its cloud-based threat analysis and malware sandboxing platform, which is included with a Traps subscription.
Palo Alto Networks acquired LightCyber in 2017; its behavioral-based analytics technology provides automated detection of suspicious user and entity activity indicative of malware. Traps without LightCyber currently offers limited EDR capabilities, which impacts its scores in this assessment.
Gartner clients will find Palo Alto Networks Traps most appealing when it can integrate with an existing Palo Alto Networks NGFW deployment.

Panda Security

Panda Security’s main value proposition is the classification or attestation of every single executable file and process on a protected endpoint device. It is the only vendor to include a managed threat hunting service in the base purchase of its EPP. Adaptive Defense 360 is fully cloud managed, and combines EPP and EDR into a single offering and single agent.
The attestation service implements an automatic application whitelisting model, where only trusted and approved applications and processes are able to execute.
Panda Security’s cloud-first approach, and the managed services backing the EPP and EDR capabilities, are beginning to increase brand awareness outside of Europe.
Organizations without experienced security staff will find Panda Security a good shortlist candidate for an EPP solution, as will organizations considering managed detection and response solutions that are prepared to replace their incumbent EPP vendor.

SentinelOne

SentinelOne is a part of the new wave of EPP solution providers that have experienced fast growth over the past few years. The cloud-based solution is designed around an embedded EDR feature set and behavioral protection. SentinelOne was one of the first vendors to offer a ransomware protection guarantee based on its behavioral detection and file journaling features.
SentinelOne offers endpoint visibility for investigative information in real time, and an API to integrate common-format, indicator of compromise (IOC)-based threat feeds.
SentinelOne is a good prospect to replace or augment existing EPP solutions for any organization looking for a solution with strong protection and visibility.

Sophos

In March 2017, Sophos acquired Invincea — a Visionary vendor in the 2017 Magic Quadrant for Endpoint Protection Platforms — giving Sophos access to its deep-learning ML algorithms.
The Sophos Intercept X product, designed to protect against and recover from the malicious actions related to ransomware and exploits, is available to Sophos Endpoint Protection customers and as an augmentation to an incumbent EPP.
Also included in the Intercept X purchase are Sophos’ EDR-like capabilities — called Root Cause Analysis — and the ML malware detection technology from the acquisition of Invincea, which was added in late 2017.
Sophos’ cloud-based EPP with the Intercept X platform is a good fit for organizations that can take advantage of a cloud-based administration platform, and that value strong protection against ransomware and exploit-based attacks over advanced forensic investigation capabilities.

Symantec

Symantec continues to provide one of the most comprehensive EPPs available in this market, with third-party test scores remaining in the top tier. Symantec has added advanced features to better address the changing threat landscape, becoming the first vendor to combine malware protection, EDR, system hardening and deception capabilities in a single agent. Application whitelisting continues to be a weak point.
Symantec has begun the process of migrating its offerings to a cloud-first model, with a hybrid option available to clients that prefer to maintain some of the management capabilities on-premises.
Symantec remains a good shortlist candidate for organizations of all sizes.

Trend Micro

Trend Micro is the third-largest vendor in the EPP market, with products ranging across network, data center and endpoint systems. It has a large worldwide footprint, with more than half of its business coming from Japan and the Americas.
Although the vendor has had a rather unremarkable year from a technology innovation perspective, it ticks boxes for mainstream EPP requirements, particularly for those looking for a comprehensive suite of solutions at an affordable price. Trend Micro’s EDR solution is delivered as a separate agent from its EPP agent. While it integrates with additional on-premises products like the Deep Discovery sandbox, it lacks integration with Trend Micro’s cloud sandbox, and cannot be managed from Trend Micro’s cloud platform.
One of Trend Micro’s biggest advantages is its vulnerability assessment and virtual patching technology, which uses an IPS engine to detect vulnerabilities, and uses HIPS to create a virtual patch to block the exploitation.
Trend Micro remains a good shortlist candidate for organizations of all sizes.

Context

When selecting EPP solutions, enterprises should evaluate them in terms of support for specific use cases. Vendors differ in their ability to accommodate different use cases. This research ranks vendors’ solutions against typical use cases.

Product/Service Class Definition

Gartner reviewed the following classes of products and services: prevention, console alerting and reporting, EDR core functionality, EDR advanced response, third-party integration, EPP suite, managed services, geographic support, and OS support.

Critical Capabilities Definition

Prevention

This is the quality, quantity, accuracy and ease of administration of an EPP’s anti-malware technology.
It covers the tools required to block file-based malware attacks, detect and prevent fileless malware attacks, and mitigate the risk of OS and application vulnerabilities. We look at test results from various independent testing organizations and data from VirusTotal, and use Gartner client inquiries as guides to the effectiveness of these techniques and implementations against modern malware.

EPP Suite

This is the support for EPP components traditionally offered as part of an extended EPP suite, in addition to anti-malware and anti-exploit based prevention.
These include offerings for a personal firewall, port and device control, application control, enterprise mobility management, data protection (such as full disk and file encryption) and data loss prevention. Vendors that offer a broad range of capabilities as part of an extended EPP suite are given extra credit here.

Console Alerting and Reporting

This is the provisioning of a centralized, role-centric console or dashboard that enhances the real-time visibility of an organization’s endpoint security state.
It provides clearly prioritized alerts and warnings and intuitive administration workflows. Vendors that have delivered a cloud-first model with feature parity to an on-premises management platform are given extra credit, as organizations struggle to maintain visibility and control over endpoints in use by the increasing remote workforce.

EDR Core Functionality

This is the EDR component’s capabilities for discovering, reporting and prioritizing vulnerabilities present in the environment.
It provides educated guidance for customers to visualize and investigate incidents, remediate malware infections and provide clear root cause analysis, helping reduce the attack surface. EDR core capabilities are typically focused on a forensics use of EDR, meaning investigating an event well after it has occurred. Vendors that focus on lowering the knowledge and skills barrier through guided response tools and easy-to-understand, easy-to-use user interfaces are given extra credit here.

EDR Advanced Response

These are the EDR component’s advanced investigative and remediation capabilities, complex automation, and ability to send and receive detailed investigative workflow information.
These provide the capabilities and customizations that push EDR from a functionally forensics-focused use case to an adaptable detection and response platform that can detect and investigate an event as it occurs. Vendors that focus on providing the advanced customization capabilities required by an active security operations center are given extra credit here.

Third-Party Integration

This is the support, via APIs, for unidirectional and bidirectional integration with third-party on-premises and cloud-based solutions, such as Active Directory, security information and event management (SIEM), sandboxes, firewalls, threat and indicators of compromise feeds, and SOAR/orchestration.
It provides the ability to have one-way and two-way communications between the endpoint agent and/or console and third-party resources, to enhance the prevention, detection, analysis and response capabilities with the rich data only available on these other platforms. Vendors that not only provide a set of APIs for their own products, but that have also demonstrated integrations with a widely diverse set of third parties to provide additional context and correlation of events, are given extra credit here.

Managed Services

This is support for managed security services (MSS) and managed detection and response (MDR) offerings.
MSS offerings typically focus on the deployment and remote operation of traditional endpoint security solutions, including most of the components of a traditional EPP suite. MDR offerings focus on remotely delivering a managed security service that responds to threats that have made it past the prevention capabilities deployed within an environment. MDR solutions that actively detect, investigate, contain and mitigate threats are given extra credit here.

Geographic Support

This is a vendor’s ability to support global customers, as well as the number of languages it supports.
Vendors offering local, regional support offices, 24/7 support in each client region, and other local resources to assist with the deployment and operation of their solutions in a global deployment context (including MSS and MDR) are given extra credit here.
OS Support

This is a vendor’s ability to support the typical operating systems found in client organizations.
Several vendors focus solely on Windows endpoints. Solutions that can also support macOS and Linux with near parity on the features delivered in the Windows clients, most notably in advanced prevention and the activity and event monitoring areas of EDR, are given extra credit here.

Use Cases

Type A

Type A organizations, also referred to as “lean forward” organizations, adopt new technologies very early in the adoption cycle.
Type A organizations represent the smallest group of organizations. They have the budgeting and staffing resources to configure and implement new technologies and solutions rapidly within their environment. These organizations tend to focus on best-of-breed solutions that best address their business, technology and security needs, and they have the capacity to integrate, develop or build custom-made components as required. They see the use of technology as a competitive differentiator. Their tolerance for risk is high, and their approach to technology change is to run projects in parallel, with multiple teams working on technology and business changes simultaneously. For EPP, these organizations focus on best-of-breed prevention, detection and response.
Type B

Type B organizations aim to stay relatively current on technology without getting too far ahead or behind their competition.
Type B organizations represent the largest group of organizations. They typically experience budgeting and staffing resource constraints and, as a result, focus on overall value by weighing the risks of the early use of new technology against the benefits. Their focus is on technology deployments that improve their organization’s productivity, product quality, customer service and security. Type B organizations typically wait for a technology to become mainstream before considering implementation. They tend to be moderate in their approach, frequently using benchmarks within their industry to justify their investments in technology. Type B organizations balance innovation with reasonable caution when selecting new solutions. For EPP, these organizations focus on a blended approach between prevention, detection and response capabilities that can be complemented with managed services where needed.
Type C

Type C organizations typically view technology as an expense or operational necessity, and use it as a means to reduce costs.
Type C organizations represent the second-largest group. These organizations experience severe budgeting and staffing resource constraints and, as a result, prefer simply to deploy and use integrated solutions with managed services add-ons that can best complement their minimal staff. These organizations wait for technologies to become absolutely stable, and for the costs to acquire and operate them to reach the lowest quartile, before committing to purchase. For EPP, these organizations focus on prevention rather than on integrated detection and response capabilities, and on solutions that offer a complement of managed services.

Vendors Added and Dropped

Added

None

Dropped

None

Inclusion Criteria

Inclusion in this Critical Capabilities was limited to vendors that met these minimum criteria:
  • The majority of detection events must be from the vendor’s own detection technique, and designed, owned and maintained by the vendor itself. Augmenting with an OEM engine is acceptable, provided it is not the primary method of detection.
  • The vendor’s nonconsumer EPP must have participated in independent, well-known, public tests for accuracy and effectiveness within the 12 months prior to 18 November 2017, or be a current participant in the VirusTotal public interface. Examples include Virus Bulletin, AV-TEST, AV-Comparatives, NSS Labs and SE Labs.
  • The vendor must have more than five named accounts larger than 10,000 seats that use the vendor’s EPP as their sole EPP.
  • The vendor must have a minimum of 500,000 deployed licenses, protecting nonconsumer endpoints, with at least 50,000 of those licenses protecting nonconsumer endpoints within North America.
  • The vendor must satisfy at least 12 of the following “basic” capabilities, and at least four of the following “desirable” capabilities:
    • Basic capabilities:
      • Blocks known and unknown file-based malware, without relying on daily signature distribution
      • Detects suspicious and malicious activity based on the behavior of a process
      • Implements protection for common application vulnerabilities and memory exploit techniques
      • Can perform static, on-demand malware detection scans of folders, drives or devices such as USB drives
      • Suspicious event data can be stored in a centralized location for retrospective IOC and indicator of attack (IOA) searching and analysis
      • Allows real-time IOC/IOA searching across all endpoints (for example, file hash, source/destination IP, registry key)
      • Allows remote quarantining of an endpoint, restricting network access to only the EPP management server
      • Automatically updates policies, controls and new agent/engine versions without connecting directly to the corporate network
      • Continues to collect suspicious event data when outside of the corporate network
      • Detections and alerts include severity and confidence indicators, to aid in prioritization
      • Provides risk-prioritized views based on confidence of the verdict and severity of the incident
      • Displays full process tree to identify how processes were spawned, for an actionable root cause analysis
      • Automatically quarantines malicious files
      • Identifies changes made by malware, and provides the recommended remediation steps
      • Detects, blocks and reports attempts to disable or remove the EPP agent
    • Desirable capabilities:
      • Primary EPP console uses a cloud-based, SaaS-style, multitenant infrastructure, and is operated, managed and maintained by the vendor
      • Implements vulnerability shielding (aka virtual patching) for known vulnerabilities in the OS and for non-OS applications
      • Can implement default-deny whitelisting with a vendor-maintained “app store”-type approach and user self-service features
      • Can implement application isolation to separate untrusted applications from the rest of the system
      • Includes access to a cloud- or network-based sandbox that is VM-evasion-aware
      • Includes deception capabilities designed to expose an attacker
      • Vendor itself offers managed detection services, alerting customers to suspicious activity
      • Vendor itself offers managed threat hunting, or managed IOC/IOA searching, for detecting the existence of threats (not via a third party or channel)
      • Supports advanced natural-language queries with operators and thresholds (for example, “Show all machines with new PE >1 week old AND on <2% of Machines OR Unknown”)
      • Provides guided analysis and remediation based on intelligence gathered by the vendor (for example, “85% of organizations follow these steps”)
      • Provides attribution information and potential motivations behind attacks
      • Can utilize third-party, community and intelligence feeds
      • Allows remote remediation via the management console
      • Includes APIs for integration with security orchestration, automation and response (SOAR)/orchestration tools for automation

Table 1: Weighting for Critical Capabilities in Use Cases

Critical Capabilities          | Type A | Type B | Type C
-------------------------------|--------|--------|-------
Prevention                     | 10%    | 15%    | 20%
Console Alerting and Reporting | 5%     | 15%    | 20%
EDR Core Functionality         | 20%    | 15%    | 10%
EDR Advanced Response          | 20%    | 5%     | 0%
Third-Party Integration        | 15%    | 5%     | 0%
EPP Suite                      | 5%     | 10%    | 15%
Managed Services               | 5%     | 15%    | 25%
Geographic Support             | 10%    | 10%    | 5%
OS Support                     | 10%    | 10%    | 5%
Total                          | 100%   | 100%   | 100%
Source: Gartner (April 2018)
This methodology requires analysts to identify the critical capabilities for a class of products/services. Each capability is then weighted in terms of its relative importance for specific product/service use cases.

Critical Capabilities Rating

Each of the products/services has been evaluated on the critical capabilities on a scale of 1 to 5; a score of 1 = Poor (most or all defined requirements are not achieved), while 5 = Outstanding (significantly exceeds requirements).

Table 2: Product/Service Rating on Critical Capabilities

Vendor             | Prevention | Console Alerting and Reporting | EDR Core Functionality | EDR Advanced Response | Third-Party Integration | EPP Suite | Managed Services | Geographic Support | OS Support
-------------------|------------|--------------------------------|------------------------|-----------------------|-------------------------|-----------|------------------|--------------------|-----------
Bitdefender        | 4.5        | 3.5                            | 2.5                    | 2.0                   | 3.2                     | 4.0       | 3.0              | 4.0                | 4.5
Carbon Black       | 2.3        | 3.0                            | 3.0                    | 2.0                   | 3.0                     | 1.0       | 2.5              | 4.0                | 3.0
Cisco              | 2.3        | 3.0                            | 3.0                    | 2.2                   | 3.0                     | 1.0       | 3.0              | 4.0                | 3.2
Comodo             | 3.5        | 3.0                            | 2.5                    | 3.0                   | 2.0                     | 3.0       | 2.7              | 3.7                | 3.8
CrowdStrike        | 3.5        | 4.0                            | 4.0                    | 4.5                   | 4.0                     | 2.0       | 4.9              | 3.0                | 3.8
Cylance            | 3.0        | 3.0                            | 3.0                    | 2.2                   | 3.0                     | 2.0       | 3.2              | 3.5                | 3.5
Endgame            | 3.7        | 3.5                            | 4.0                    | 3.5                   | 2.5                     | 2.0       | 2.0              | 2.0                | 2.0
ESET               | 4.5        | 4.0                            | 3.3                    | 2.8                   | 2.5                     | 4.0       | 2.0              | 4.0                | 3.8
FireEye            | 2.3        | 3.0                            | 3.5                    | 3.5                   | 3.3                     | 1.0       | 3.0              | 4.0                | 3.5
Fortinet           | 2.5        | 2.8                            | 3.0                    | 2.5                   | 2.5                     | 3.5       | 2.0              | 3.8                | 3.5
F-Secure           | 4.0        | 3.5                            | 4.0                    | 3.2                   | 2.5                     | 3.8       | 3.5              | 3.0                | 3.5
Kaspersky Lab      | 4.8        | 3.8                            | 3.2                    | 3.2                   | 3.0                     | 4.5       | 3.0              | 4.0                | 3.8
Malwarebytes       | 4.5        | 4.0                            | 3.5                    | 3.3                   | 2.5                     | 3.8       | 2.0              | 4.0                | 2.5
McAfee             | 4.0        | 4.3                            | 3.3                    | 3.2                   | 3.3                     | 4.5       | 2.0              | 4.0                | 3.8
Microsoft          | 3.0        | 2.2                            | 3.0                    | 2.5                   | 2.5                     | 3.0       | 2.0              | 4.0                | 1.0
Palo Alto Networks | 3.5        | 3.0                            | 2.8                    | 2.0                   | 3.5                     | 1.7       | 2.0              | 4.0                | 2.8
Panda Security     | 4.0        | 3.3                            | 3.8                    | 3.2                   | 3.0                     | 3.0       | 3.5              | 3.0                | 3.8
SentinelOne        | 3.7        | 3.5                            | 3.8                    | 3.8                   | 3.5                     | 2.5       | 2.5              | 3.0                | 4.0
Sophos             | 4.3        | 4.0                            | 2.5                    | 2.5                   | 2.5                     | 4.5       | 2.8              | 4.0                | 3.8
Symantec           | 4.5        | 4.0                            | 3.8                    | 3.8                   | 3.3                     | 4.5       | 2.8              | 4.0                | 4.0
Trend Micro        | 4.5        | 3.8                            | 3.3                    | 3.2                   | 3.2                     | 4.5       | 2.5              | 4.1                | 3.8
Source: Gartner (April 2018)
Table 3 shows the product/service scores for each use case. The scores, which are generated by multiplying the use case weightings by the product/service ratings, summarize how well the critical capabilities are met for each use case.

Table 3: Product Score in Use Cases

Vendor             | Type A | Type B | Type C
-------------------|--------|--------|-------
Bitdefender        | 3.21   | 3.54   | 3.63
Carbon Black       | 2.71   | 2.67   | 2.49
Cisco              | 2.79   | 2.78   | 2.62
Comodo             | 2.94   | 3.06   | 3.05
CrowdStrike        | 3.88   | 3.77   | 3.77
Cylance            | 2.90   | 2.99   | 2.95
Endgame            | 3.02   | 2.88   | 2.84
ESET               | 3.33   | 3.52   | 3.52
FireEye            | 3.23   | 2.96   | 2.69
Fortinet           | 2.87   | 2.88   | 2.75
F-Secure           | 3.41   | 3.57   | 3.67
Kaspersky Lab      | 3.56   | 3.76   | 3.86
Malwarebytes       | 3.33   | 3.42   | 3.45
McAfee             | 3.52   | 3.60   | 3.56
Microsoft          | 2.64   | 2.58   | 2.54
Palo Alto Networks | 2.85   | 2.82   | 2.68
Panda Security     | 3.42   | 3.48   | 3.51
SentinelOne        | 3.54   | 3.34   | 3.17
Sophos             | 3.15   | 3.52   | 3.68
Symantec           | 3.83   | 3.87   | 3.86
Trend Micro        | 3.56   | 3.68   | 3.69
Source: Gartner (April 2018)
To determine an overall score for each product/service in the use cases, multiply the ratings in Table 2 by the weightings shown in Table 1.

Evidence

  • Gartner responded to more than 2,100 client inquiries from 1Q17 to 1Q18.
  • Gartner conducted an online survey of 129 EPP reference customers in 4Q17.
  • Gartner conducted an online survey of 55 EPP channel references in 4Q17.

Critical Capabilities Methodology

This methodology requires analysts to identify the critical capabilities for a class of products or services. Each capability is then weighted in terms of its relative importance for specific product or service use cases. Next, products/services are rated in terms of how well they achieve each of the critical capabilities. A score that summarizes how well they meet the critical capabilities for each use case is then calculated for each product/service.
“Critical capabilities” are attributes that differentiate products/services in a class in terms of their quality and performance. Gartner recommends that users consider the set of critical capabilities as some of the most important criteria for acquisition decisions.
In defining the product/service category for evaluation, the analyst first identifies the leading uses for the products/services in this market. What needs are end-users looking to fulfill, when considering products/services in this market? Use cases should match common client deployment scenarios. These distinct client scenarios define the Use Cases.
The analyst then identifies the critical capabilities. These capabilities are generalized groups of features commonly required by this class of products/services. Each capability is assigned a level of importance in fulfilling that particular need; some sets of features are more important than others, depending on the use case being evaluated.
Each vendor’s product or service is evaluated in terms of how well it delivers each capability, on a five-point scale. These ratings are displayed side-by-side for all vendors, allowing easy comparisons between the different sets of features.
Ratings and summary scores range from 1.0 to 5.0:
1 = Poor or Absent: most or all defined requirements for a capability are not achieved
2 = Fair: some requirements are not achieved
3 = Good: meets requirements
4 = Excellent: meets or exceeds some requirements
5 = Outstanding: significantly exceeds requirements
To determine an overall score for each product in the use cases, the product ratings are multiplied by the weightings to come up with the product score in use cases.
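The scoring step described here and in the note under Table 3 (ratings from Table 2 multiplied by the Table 1 weightings) is carried through below as an added example; it is not part of the Gartner report. It embeds the published weightings and the Table 2 ratings for four vendors, and its rounding rule (half-up) is inferred from the published Table 3 values rather than stated by the report.

```python
"""Reproduce the use-case scores (Table 3) from the Table 1 weightings and Table 2 ratings."""
from decimal import Decimal, ROUND_HALF_UP

# Capability order used for every list below (the nine rows of Table 1).
CAPABILITIES = [
    "Prevention", "Console Alerting and Reporting", "EDR Core Functionality",
    "EDR Advanced Response", "Third-Party Integration", "EPP Suite",
    "Managed Services", "Geographic Support", "OS Support",
]

# Table 1: weighting (percent) of each capability for each use case.
WEIGHTS = {
    "Type A": [10, 5, 20, 20, 15, 5, 5, 10, 10],
    "Type B": [15, 15, 15, 5, 5, 10, 15, 10, 10],
    "Type C": [20, 20, 10, 0, 0, 15, 25, 5, 5],
}

# Table 2 ratings (1.0 to 5.0) for four of the 21 vendors; the other rows plug in the same way.
RATINGS = {
    "Bitdefender": ["4.5", "3.5", "2.5", "2.0", "3.2", "4.0", "3.0", "4.0", "4.5"],
    "CrowdStrike": ["3.5", "4.0", "4.0", "4.5", "4.0", "2.0", "4.9", "3.0", "3.8"],
    "Microsoft":   ["3.0", "2.2", "3.0", "2.5", "2.5", "3.0", "2.0", "4.0", "1.0"],
    "Symantec":    ["4.5", "4.0", "3.8", "3.8", "3.3", "4.5", "2.8", "4.0", "4.0"],
}


def use_case_score(ratings, weights):
    """Weighted average of the nine ratings, rounded half-up to two decimals.

    Decimal is used deliberately: the published scores round exact ties upward
    (Bitdefender, Type C: 3.625 -> 3.63), which float round() would turn into 3.62.
    """
    if not (len(ratings) == len(weights) == len(CAPABILITIES)):
        raise ValueError("ratings and weights must cover all nine capabilities")
    if sum(weights) != 100:
        raise ValueError("use-case weights must total 100%")
    total = sum(Decimal(r) * w for r, w in zip(ratings, weights)) / 100
    return total.quantize(Decimal("0.01"), rounding=ROUND_HALF_UP)


def contributions(ratings, weights):
    """Per-capability share of a score, to see which capability drives a use case."""
    return {c: Decimal(r) * w / 100 for c, r, w in zip(CAPABILITIES, ratings, weights)}


def ranking(use_case, ratings_by_vendor=RATINGS):
    """Vendors ordered by score for one use case, highest first."""
    weights = WEIGHTS[use_case]
    scored = [(v, use_case_score(r, weights)) for v, r in ratings_by_vendor.items()]
    return sorted(scored, key=lambda item: item[1], reverse=True)
```

Adding the remaining Table 2 rows to RATINGS reproduces the full Table 3; contributions() shows, for instance, that Managed Services alone adds 0.245 to CrowdStrike's Type A score.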
The critical capabilities Gartner has selected do not represent all capabilities for any product; therefore, they may not represent those most important for a specific use situation or business objective. Clients should use a critical capabilities analysis as one of several sources of input about a product before making a product/service decision.