EDR — Benefits, Concerns and Issues

Published 17 July 2018 – ID G00319345 – 23 min read


Security and risk management leaders increasingly look for detailed visibility, actionable insight and tailored remediation endpoint capabilities. But misunderstanding and overestimating the capabilities of EDR offerings and the effort needed to leverage them can cause more issues than they solve.

Overview

Key Findings

  • Endpoint detection and response (EDR) solutions remain very complex to operate.
  • For all the vendor and industry talk of AI and machine learning, EDR solutions continue to rely primarily on the oversight of highly skilled humans to identify and resolve issues.
  • Typical organizations that face normal budget and staffing challenges are ill prepared to leverage and maximize the benefits of EDR solutions by themselves.
  • Organizations with low-maturity endpoint maintenance and management programs experience higher EDR workloads.
  • Detecting and responding to incidents or events caused by vulnerable applications or operating systems reduces the value of having an EDR solution vis-à-vis a vulnerability-scanning platform.
  • Managed EDR solution provider capabilities vary dramatically among vendors and regions.

Recommendations

SRM leaders who are weighing the deployment of an EDR solution must:
  • Establish well-defined security operations and incident response programs with mature vulnerability and patch management processes already in place.
  • Focus on post-event analysis and response capabilities rather than active hunting, detection and response; this is especially true for Type B and Type C organizations.
  • Deploy EDR as an active detection and response platform and plan to incorporate a managed EDR solution to complement their internal capabilities.
  • Shortlist providers that offer technical assistance in incident response to supplement staffing.

Analysis

Organizations have long had the ability to look at detailed log and forensics data from their network and perimeter solutions. Operational data from firewalls, gateways, proxies, networks and other sources have been part of the routine post-event forensics analysis process for many years, with organizations often leveraging security information and event management (SIEM) solutions as their central repository and analysis platform.
Until the advent of EDR, the traditional approach of collecting forensic data from endpoints has been on a reactive basis, where a forensics tool would be deployed to target post-event endpoints and the data collected would depend on what the operating system logged. EDR provides organizations deep granular endpoint data that they have been accustomed to getting from network and perimeter solutions.

Table 1: EDR — An Overview of Principal Benefits, Concerns and Issues

| Benefits | Concerns | Issues |
|---|---|---|
| Recording of context-rich endpoint event and state information. | Pricing of EDR solutions remains at a premium. | Incident data collection and analysis occur post-event, with limited automated incident response capabilities. |
| Option to store collected data on endpoints themselves, centralized servers, the cloud or as a hybrid of these. | Requires the installation, management and updating of yet another agent. | EDR provides very limited to no contextual insight outside of the endpoint data it collects, requiring manual intervention to correlate data with such external sources as firewalls, CASB, etc. |
| Data retention periods can support the operational needs of different organizations. | Support of EDR capabilities varies by platforms and versions of operating systems. | Knowledgeable staff with EDR experience are extremely difficult to find and come at a premium. |
| Ability to search collected data to identify issues on one or many endpoints at a time. | Requires staff with strong knowledge of endpoint operations to obtain benefits. | Vendors and managed service providers offer staff augmentation, but capabilities and costs vary dramatically. |
| Currently available solutions now appeal to a broad segment of organizations with differing technical abilities. | AI and machine learning remain mostly marketing terms rather than actual product capabilities. | Contrary to many clients’ understanding of the products, EDR does not resolve fundamental security and operational issues within organizations, nor does it eliminate the need for basic hygiene and patching. |

Source: Gartner (July 2018)

EDR Benefits

EDR agents are akin, in their most basic form, to flight data recorders, or “black boxes,” on airplanes. Black boxes record all of the technical and operational data of aircraft including heading, speed, altitude; positioning of the landing gear, ailerons, flaps; weight, center of gravity; plus much other technical data including pilot conversations. Black boxes do not record passenger conversations.

EDR Solutions

EDR solutions record all of the technical and operational data of endpoints, including IP, MAC and DNS data; connected USB device information; network connections and ports; running processes, device drivers, threads and their related metadata; Windows services; loaded DLLs; CMD and PowerShell command history; memory contents; and much more. EDR solutions do not record application data such as what is typed in a Word document or email, although they may scan files for malicious macros. EDR solutions can store all of this data, or only the most critical elements, on on-premises servers, on the endpoints themselves, in the cloud or as a hybrid of these, depending on the vendor's solution.
This data is typically stored for a period ranging from a few days to several months. EDR solutions provide organizations with the ability to analyze and search such detailed endpoint data by using filters and Indicators of Compromise (IOC) along with other data sources and search parameters.
Organizations can use EDR solutions to search for traces of malicious software and activity, patching data and other endpoint-related activities. EDR solutions can even help answer such day-to-day operational questions as how often a particular application has been used in the past month on a single endpoint, on all the endpoints in a department or across the organization. The questions that can be answered with an EDR solution are quite boundless, but most organizations use EDR specifically to address security-related questions, because that is where EDR solutions provide some of their unique visibility and insights — and ultimate value.
Most, but not all, EDR solutions provide capabilities that can manually or automatically remediate, or trigger remediation processes for, alert conditions on endpoints, either natively or as part of an integration with third-party tools such as system patching and updating solutions. Levels of capability vary dramatically between vendor offerings. One example of an automated remediation is one in which — on the detection of ransomware activity on an endpoint — the network drivers for that endpoint are disabled to prevent the spread of the ransomware.
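The three uses just described (an IOC search across endpoints, the "how often was this application run in a department last month" question, and an automated response that isolates an endpoint on ransomware-like activity) as an added example running over constructed telemetry; this is not code from the Gartner note or any EDR product, and the hosts, hashes, domain, field names and the `isolate_endpoint` stand-in are all hypothetical.

```python
"""Added example (not from the Gartner note): a toy model of the three EDR uses
the text describes, run over constructed telemetry. Hosts, hashes, domains and
field names are all hypothetical sample values."""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed telemetry, loosely shaped like the records an EDR agent keeps
# (process starts with file hashes, DNS queries, file writes). Sample values only.
T0 = datetime(2018, 7, 1, 9, 0, 0)
MONTH = timedelta(days=30)
EVENTS = [
    {"host": "hr-01", "dept": "HR", "ts": T0, "type": "process",
     "image": "winword.exe", "sha256": "aaaa1111", "pid": 100},
    {"host": "hr-02", "dept": "HR", "ts": T0 + timedelta(days=3), "type": "process",
     "image": "winword.exe", "sha256": "aaaa1111", "pid": 120},
    {"host": "fin-01", "dept": "Finance", "ts": T0 + timedelta(days=10),
     "type": "process", "image": "excel.exe", "sha256": "bbbb2222", "pid": 200},
    {"host": "fin-01", "dept": "Finance", "ts": T0 + timedelta(days=11),
     "type": "dns", "query": "updates.example-bad.test", "pid": 210},
    {"host": "fin-01", "dept": "Finance", "ts": T0 + timedelta(days=11, seconds=5),
     "type": "process", "image": "svch0st.exe", "sha256": "deadbeef", "pid": 300},
]
# pid 300 then rewrites 40 documents with a new extension within a few seconds
# (constructed to look like encryption in progress).
for i in range(40):
    EVENTS.append({"host": "fin-01", "dept": "Finance", "type": "file_write",
                   "ts": T0 + timedelta(days=11, seconds=6 + i // 10), "pid": 300,
                   "path": f"C:\\Users\\fin\\Documents\\report{i}.docx.locked"})


def ioc_sweep(events, hashes=(), domains=()):
    """Search the collected data of every endpoint for IOCs (file hashes and
    DNS names). Returns {host: [matching events]} so the analyst sees at once
    which endpoints are affected, not just whether one is."""
    hits = defaultdict(list)
    for e in events:
        if e["type"] == "process" and e.get("sha256") in hashes:
            hits[e["host"]].append(e)
        elif e["type"] == "dns" and e.get("query") in domains:
            hits[e["host"]].append(e)
    return dict(hits)


def app_usage(events, image, since, until, dept=None):
    """The operational question from the text: how often was an application
    run in a period, per endpoint, optionally limited to one department."""
    counts = Counter()
    for e in events:
        if (e["type"] == "process" and e["image"] == image
                and since <= e["ts"] < until
                and (dept is None or e["dept"] == dept)):
            counts[e["host"]] += 1
    return dict(counts)


def ransomware_suspects(events, min_writes=25, window=timedelta(seconds=30)):
    """Heuristic for 'ransomware activity': a single process writing many files
    that all carry one new extension inside a short window.
    Returns {(host, pid): extension} for each process that trips the rule."""
    by_proc = defaultdict(list)
    for e in events:
        if e["type"] == "file_write":
            by_proc[(e["host"], e["pid"])].append(e)
    suspects = {}
    for key, writes in by_proc.items():
        writes.sort(key=lambda w: w["ts"])
        ext, n = Counter(w["path"].rsplit(".", 1)[-1] for w in writes).most_common(1)[0]
        if n >= min_writes and writes[-1]["ts"] - writes[0]["ts"] <= window:
            suspects[key] = ext
    return suspects


ISOLATED = set()  # endpoints whose network has been cut by the response


def isolate_endpoint(host):
    """Stand-in for the automated response in the text (disabling the
    endpoint's network drivers); a real EDR would call its agent API here.
    Returns True only when the host was not already isolated."""
    if host in ISOLATED:
        return False
    ISOLATED.add(host)
    return True


def respond(events):
    """Run the detection and isolate every flagged host; returns the hosts
    newly isolated on this run (idempotent across repeated runs)."""
    return sorted(h for (h, _pid) in ransomware_suspects(events) if isolate_endpoint(h))


if __name__ == "__main__":
    print(ioc_sweep(EVENTS, hashes={"deadbeef"}, domains={"updates.example-bad.test"}))
    print(app_usage(EVENTS, "winword.exe", T0, T0 + MONTH, dept="HR"))
    print(respond(EVENTS))
```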

EDR Appeal Crossing Organizational Types

EDR solutions have become more broadly available from both next-generation vendors and traditional endpoint protection platform (EPP) providers. As a result, the appeal of EDR solutions has broadened from the sole purview of Type A (lean-forward or leading-edge) organizations to Type B and even Type C organizations.
Type A organizations represent the smallest group of organizations. They adopt new technologies very early in the adoption cycle and have the budgeting and staffing resources to configure and implement new technologies and solutions rapidly within their environment. These organizations tend to focus on best-of-breed solutions that best address their business, technology and security needs and have the capacity to integrate, develop and build custom-made components as required. They see the use of technology as a competitive differentiator. Their tolerance for operational risk is high and their approach to technology change is to run projects in parallel by tasking multiple teams to work on technology and business changes simultaneously.
Type B organizations represent the largest group of organizations. They typically experience budgeting and staffing resource constraints and, as a result, focus on overall value by weighing the risks of the early use of new technology against the benefits. Their goal is to stay relatively current on technology without getting too far ahead of or behind their competition and focus on technology deployments that improve their organization’s productivity, product quality, customer service and security. Type B organizations typically wait for a technology to become mainstream before considering implementation. They tend to be moderate in their approach, frequently using benchmarks within their industry to justify their investments in technology. Type B organizations balance innovation with reasonable caution when selecting new solutions. This is the highest growth market for EDR at this time.
Type C organizations represent the second-largest group. They typically view technology as an expense or operational necessity and use it as a means to reduce costs. These organizations experience severe budgeting and staffing resource constraints and, as a result, prefer simple-to-deploy and -use integrated solutions with managed service add-ons that can best complement their minimal staff. These organizations wait for technologies to become absolutely stable and for costs to acquire and operate to reach the lowest quartile before committing to purchase. They focus on prevention rather than on detection and response capabilities and on solutions that are integrated and offer a complement of managed services. EDR is typically deployed in Type C organizations when available in conjunction with an EPP solution. This market is one that demonstrates very slow growth for EDR.

EDR Concerns

EDR solutions provide enhanced capabilities over traditional endpoint security solutions and can create a force multiplier of staff, but these capabilities have their drawbacks.

EDR Capabilities Come at a Significant Cost

While product costs have on average dropped by roughly 35% per year over the past four years, products remain priced at a premium versus other endpoint solutions even today. They typically range from one to three times the cost of a traditional full EPP suite.
Many of the renewal quotes that Gartner has reviewed over the past 18 months do not always show pricing reductions that are in step with the market. This means that organizations that are renewing an EDR solution originally acquired three years earlier often have to put in significant effort to push pricing down to today’s market price averages (typically seen in new deployment quotes). The initial quote offered for a renewal is often only slightly reduced or perhaps offered at exactly the same or even slightly higher pricing than what was negotiated in the initial purchase several years earlier.

EDR Agent

An additional cost to consider is the distribution of yet another endpoint agent. While most EDR agents are relatively small and have minimal impact on system memory and CPU resources, they are still another component that needs to be distributed and managed on the endpoint. While there have been few reports of agent issues caused by updates to endpoint software components or the operating system itself, from time to time clients have reported issues that temporarily locked systems until they were refreshed.
Significant capability differences also exist between the EDR agents offered by vendors for Windows 10, 8, 7 and XP (where available); Windows Server versions; and Mac and Linux. Mobile device agents are either not available or offer only very elementary capabilities. Some EDR agents can record only some of the endpoint activities on some operating systems and not on others. Other agents have limited or no prevention or remediation capabilities on some platforms. This can result in a patchwork of security solutions that are inconsistent across organizational assets.
Finally, EDR solutions can only monitor systems on which the EDR agent is installed. That can limit visibility in an environment containing BYOD populations where the EDR agent has not been deployed. In addition, EDR agents for cloud workloads such as containers and for Internet of Things (IoT) devices are not currently available, which limits visibility into critical operational components.

Perceived Versus Actual Implementation

A simple way to explain the perceived versus the actual implementation of an EDR solution is by way of an analogy. I enjoy fishing. My young son also enjoys fishing. Our idea of father-and-son fishing is quite simple: My son gets his movie-character-themed fishing rod, we buy a small container of worms and we visit my friend at his lakefront cottage. We fish right off the dock. Within 10 minutes, my son usually has caught nearly a dozen fish — admittedly very small fish — but the excitement and energy are at a high peak. After that burst of activity, he is pretty much done fishing for the day. As far as fishing is concerned, we accomplished our goal with minimal effort and maximized our fun in the process. Success!
Most organizations expect their EDR solutions to operate in a very similar way to my son’s experience of fishing. Open up the console, have just about anyone enter “ransomware” or some other generic search term and all of the key events will be triaged and organized from severe to benign with a pull-down list of automated and contextualized remediation conveniently available right beneath their fingertips. All that is left to do is to click away and all the organization’s security problems will be solved. Unfortunately, the reality is quite different.
While it is true that many EDR solutions now provide simple guided search operations, most organizations still do not know what they really need to search for. Also, reviewing an event, or even obtaining some basic understanding of what it means, triaging it, assigning a severity and then determining the best course of action all remain the responsibilities of the console operator.
Continuing with the fishing analogy, operating an EDR solution is in fact much more like my experience of fishing with my friend. He is by all accounts a truly expert fisherman. He could easily have his own TV show if only he had better jokes. When I go fishing with him, it is a lot of work for me. It turns out that fishing is serious business after all — and it requires a lot of planning.
The first question he always asks me is, “Which fish do you want to catch today?” My answering “the one that lives in the water” is never a good reply and puts a serious damper on the start of our day. So I have learned over the years to turn the tables around and use his expert knowledge to start things off in a better way to help me determine what fish we should be fishing for that day. I start by asking him questions like: “Which fish can we find in this lake?” “Which of these fish would be most active based on the time of the day we will be going out?” “Which fish would be most active based on the temperature, position of the sun, the wind, etc.?”
In fact, I am using my friend to guide me down the assessment process to identify our target fish. Once we have determined the fish we are looking to catch, I then use my friend to guide me down the next set of decisions, such as where we will go to catch this fish, which rod, line, lure, etc. we will use, at what depth we will cast our lines and so on. He is my expert coach and without his help I would never have any hope of actually catching the fish we had decided was our target for that day.
While EDR solutions are being sold and deployed in more typical Type B and some Type C organizations, the unfortunate truth is that, even with all the marketing emphasis and industry talk of AI and machine learning being applied within EDR solutions, AI and ML are still at a very early stage of maturity, and EDR vendors still expect your organization to have talented experts operating the console.

AI and ML Gone Missing

Today, EDR solutions do not come with an EDR version of my friend bundled in like an “analyst in the box.” They do not come with a coach to guide you through various analysis or decision trees within their products directly unless they are directly bundled with a managed detection and response offering, which is a fancy way of saying that they will provide talented staff to help you with your EDR deployment.
AI and ML are overhyped and overused marketing terms that unfortunately do not have any standardized connotations regarding actual capabilities within EDR solutions. As a result, each vendor claim must be thoroughly vetted to ensure that the organization’s understanding of the capabilities provided by the solution is in fact realized in the product.
The unfortunate reality is that operating EDR for most organizations is more like my going fishing without my friend and expecting to catch the target fish with zero experience, knowledge or the proper tools: essentially relying on just plain luck. EDR provides very rich and very complex data that requires advanced knowledge, understanding and experience to analyze and understand.
This is why most Type B and Type C organizations — often after several months of frustration — tend to eventually reconsider their EDR deployment as an incident-response-focused solution rather than as a platform by which they are guided in their efforts to conduct active threat hunting, detection and response, because they lack those capabilities.
Using an EDR solution as a post-event endpoint data analysis tool is the way the majority of organizations end up using their EDR deployment. However, this is not usually what organizations had in mind when they originally purchased their EDR solutions.

Cloud or On-Premises

As noted previously, EDR solutions can store all, or only the most critical, of the data elements they collect on an on-premises server, on the endpoint itself, in the cloud or as a hybrid of these, depending on the vendor solution. The typical concern over storing data in the cloud relates to the disclosure of sensitive data about the day-to-day operations of endpoint software to a third party outside the organization. While most organizations have embraced cloud-based solutions for many of their IT and security workload needs, some types of clients in specific verticals still prefer to maintain their data on-premises or within specific geographies when using the cloud.
Most vendors cannot accommodate such specific geographic requirements as hosting both data collection and analysis outside the U.S. This can affect data compliance requirements within regions. But the main benefits of cloud storage include lowered complexity in deploying solutions, elimination of on-premises server hardware/software and maintenance, ease of scaling to larger or smaller workloads and access to data even when an endpoint is off or is compromised. This comes at a cost.
Cloud storage requires that organizations decide on their retention periods upfront. Retention periods can be from a few days all the way up to six months. The longer the retention period, the more visibility into past events and also typically the higher the cost for storing data. The upload of the endpoint data to the cloud can have an impact on outbound data throughput. While some solutions offer compressed data streams or a form of load balancing of data upload over longer periods of time, large environments with restricted networks or chokepoints can experience bursting issues.
Cloud-based solutions can also pose challenges in the integration of security and operational data from such other existing solutions as directory and inventory services, network devices, perimeter solutions and SIEMs, as well as in creating workflows with ticketing, update and patching services. They may require opening additional connections and ports on the perimeter to support uni- or bidirectional communications.

EDR Issues

EDR solutions provide visibility into how an event occurred and, as a result, can tell an endpoint’s overall story. These findings can be used to help determine the overall condition of the endpoint, the potential root cause and also whether other endpoints within the environment exhibit similar symptoms. A remediation can be put into action using EDR and other solutions. This is the strong side of EDR.

Getting to the Root of Problems

In a typical incident-response-focused deployment, this analysis, or creating the narrative of the story line, is conducted at some period of time after a situation has taken place and may have already spread. The trigger of the investigation is often when a user reports experiencing an issue with the system or perhaps the operations team notices a degradation of service. In this manner, EDR is used to review the events leading up to the issue and to assist in determining the root cause.
EDR does speed up this investigative process, but there is still a high level of skill involved in performing the investigation. Given enough time, even a poorly staffed EDR solution can successfully search the collected endpoint data and resolve some issues because it is limited to the investigation of a clearly identified target. While this approach resolves issues and does provide value, it rarely elevates an organization’s overall security posture, as it is a very reactive and inconsistent approach to security. It also does not provide for the proactive detection and containment of threats in real time, which means an organization will remain vulnerable to evolving threats.
Most EDR solutions provide very limited note taking within events, workflow tracking, ticketing (internal or external) or even basic role-based access control (RBAC) to assign specific administrative and oversight entitlements to EDR operations staff or a managed service provider. This lack of capabilities results in a poor experience when investigating events that require multiple analysts to resolve, such as after-hours investigations, leveraging a managed service or third-party incident response provider or when there is a need to create an action that is outside the EDR solution itself, such as when an update or patch is required on an endpoint.
Third-party integration, when available, is conducted through APIs and typically requires knowledgeable staff to code the integration or a consulting engagement with a third party to build the component. Report generation is usually focused on the technical aspects of incidents that are difficult to communicate to other stakeholders within the organization, such as line of business leaders and senior management.
EDR solutions rarely incorporate such asset critical data as “this system belongs to the CEO or has PCI data” or activity data sourced from other solutions in the organization, such as active directory information, network and firewall logs and other data sources to help prioritize events. EDR operators often have to connect to multiple consoles to pull this asset and any operational and risk-related data and have to use external systems to keep track of their investigations. And although user and entity behavior analytics (UEBA) have become integrated with many security solutions, EDR has yet to leverage this innovative and potentially valuable source of data analysis.

Do You Patch?

Type B and Type C organizations often struggle with system management, patching and updating. This results in environments that have limited protections even against well-known vulnerabilities and threats.
Organizations deploying EDR solutions in such environments can expect significantly increased strain on the operations staff and systems responsible for endpoint management, because many of the resolutions to issues identified by EDR are to remove malicious software, patch or update an application or service, or even reimage an entire system where no other option is possible, which can result in data loss if the system was not backed up.
Using EDR to catch basic threats that should be blocked by baseline security hygiene measures is the wrong use of EDR. Doing so will ultimately not result in a better security posture for the organization.

Can You Staff?

Many Type B organizations struggle with finding operational budgets to adequately staff an EDR deployment and have difficulty in finding qualified individuals with the depth of knowledge and experience required to operate an EDR solution even on a basic level. While organizations are typically capable of finding perimeter security or network security staff at reasonable market rates, the skills required to do perimeter or network analysis tasks are not easily transferable to endpoints.
Perimeter and network event data differ greatly from endpoint software operations collected by an EDR solution and, as a result, perimeter or network staff require significant training to become proficient in understanding, analyzing and remediating endpoint issues. Endpoint experts with experience with EDR deployments remain rare commodities.

Augmenting Your Staff

Managed security services (MSS) have been part of the security outsourcing landscape for many years, taking care of the day-to-day operations of IT and IT security solutions within their client organizations. A new breed of MSS that offer managed EDR has evolved over the past few years to address skills and staffing shortages in this market. These solution providers often offer one or more tiers of services with different SLAs and capabilities.
One example is that of a very high-level and low-touch model, where the role of the service provider is to act more like a backup or supplement to an already-staffed EDR operations team. In this capacity, they do not perform day-to-day activities but rather offer additional oversight and reporting and can complement the existing client’s team during incidents. This form of managed EDR is typically inexpensive and includes retainer fees when additional assistance is required by the client, such as during the response to an incident.
Another example, at the other extreme, is that of a low-level very high-touch model where the solution provider, from a remote office, actively investigates security threats using data collected by the EDR and other security solutions and programmatically contains or mitigates threats using the elements that make up the security technology stack in the client’s environment. In this capacity, the solution provider is an integrated extension of a client organization’s existing capabilities. This form of managed EDR is typically significantly more costly and can run many times the cost of the EDR solution itself, depending on the capabilities required.
Managed EDR solutions have become more widely available over the past 18 months, with some EDR vendors providing their own capabilities themselves or via their reseller or system integrator network. However, the quality and availability of the detective, investigative and remediative services vary dramatically between vendors and regions.

Vendor Lock-In and Vendor Risk

Over time, EDR solutions become intertwined with security and operations teams, and it becomes difficult to switch to another vendor, especially when many customized response scripts and workflows have been created, because of the amount of work required to re-create them. While this isn’t necessarily bad, there are currently too many vendors in this market and many will not survive long term. Also, there are limited exit paths for small vendors, because all of the existing incumbent EPP vendors have created their own EDR solutions, and acquisition by an incumbent is traditionally the exit path for small vendors.
This means that vendors who have traction currently either have IPO ambitions or are opting to go for additional series of venture-capital-backed funding to fuel growth. Vendors who have not secured market share or a niche of client deployments are at risk. Clients using these vendors should consider establishing plans in the event that their vendor disappears.

EDR Does Not Mean Protection Is Improved

Organizations need to consider all of the factors highlighted in this research when contemplating an EDR solution to ensure that their EDR deployments meet their operational and security ambitions. Deploying an EDR solution in and of itself does not eliminate the need to deploy other security solutions, nor does it imply that security will improve without significant effort or cost.

Evidence

Over 700 inquiry calls on the topic of EDR.
Analysis as part of the EPP Magic Quadrant and EPP Critical Capabilities
Gartner – Magic Quadrant for Web Application Firewalls

The WAF market is growing, driven by the adoption of cloud WAF services. Enterprise security teams should use this research as part of their evaluations of how WAFs can provide improved security that’s easy to consume and manage, while respecting data privacy requirements.

Strategic Planning Assumptions

By 2020, stand-alone web application firewall (WAF) hardware appliances will represent fewer than 20% of new WAF deployments, which is a decrease from today’s 35%.
By 2023, more than 30% of public-facing web applications will be protected by cloud web application and API protection (WAAP) services that combine distributed denial of service (DDoS) protection, bot mitigation, API protection and WAFs. This is an increase from fewer than 10% today.

Market Definition/Description

This document was revised on 3 September 2018. For more information, see the Corrections page.
The web application firewall (WAF) market is being driven by customers’ needs to protect public and internal web applications. WAFs protect web applications and APIs against a variety of attacks, including automated attacks (bots), injection attacks and application-layer denial of service (DoS). They should provide signature-based protection, and should also support positive security models (automated whitelisting) and/or anomaly detection.
WAFs are deployed in front of web servers to protect web applications against external and internal attacks, to monitor and control access to web applications, and to collect access logs for compliance/auditing and analytics. WAFs exist in the form of physical or virtual appliances, and, increasingly, are delivered from the cloud, as a service (cloud WAF service). WAFs are most often deployed in-line, as a reverse proxy, because, historically, that was the only way to perform some in-depth inspections. There are other deployment options. The rise of cloud WAF services, performing as reverse proxies by design, and the adoption of more-recent transport layer security (TLS) suites that require in-line traffic interception (man in the middle) to decrypt, have reinforced the use of reverse proxy.
Cloud WAF service combines a cloud-delivered as-a-service deployment with a subscription model. Cloud WAF service providers may offer a managed service, and, for some, it is a mandatory component of using the WAF. Some vendors have chosen to leverage their existing WAF solutions, repackaging them as SaaS. This enables vendors to have a cloud WAF service available to their clients more quickly, and they can leverage the existing features to differentiate from cloud-native WAF service offerings with a more limited feature set. One of the difficulties with this approach is simplifying the management and monitoring console, inherited from the comprehensive WAF appliance feature set to meet clients’ expectations for ease of use, without shrinking security coverage. Gartner defines cloud web application and API protection (cloud WAAP) services as the evolution of existing cloud WAF services (see “Defining Cloud Web Application and API Protection Services”). In the long term, cloud WAF services, which were built from the beginning to be multitenant and cloud-centric, avoid costly maintenance of legacy code. They also provide a competitive advantage, with faster release cycles and rapid implementation of innovative features. Some organizations consuming cloud WAF services built from WAF appliances do it to acquire a unified management and reporting console.
This Magic Quadrant includes WAFs that are deployed external to web applications and not integrated directly on web servers:
  • Purpose-built physical, virtual or software appliances
  • WAF modules embedded in application delivery controllers (ADCs; see “Magic Quadrant for Application Delivery Controllers”)
  • Cloud WAF service, including WAF modules embedded in larger cloud platforms, such as content delivery networks (CDNs), and cloud WAF services delivered directly from infrastructure as a service (IaaS) platform providers
  • Virtual appliances available on IaaS platforms, as well as WAF solutions from IaaS providers
API gateways and runtime application self-protection (RASP) are adjacent to the WAF market, and might compete for the same application security budgets. This motivates WAF vendors to add relevant features from these markets, when appropriate. For example, cloud WAF services often bundle web application security with DDoS protection and CDN. The ability of WAFs to integrate with other enterprise security technologies — such as application security testing (AST), web access management (WAM), or security information and event management (SIEM) — is a capability that supports their strong presence in the enterprise market. Consolidation of WAFs with other technologies, such as ADCs, CDNs or DDoS mitigation cloud services, brings its own benefits and challenges. However, this market evaluation focuses more heavily on the buyer’s security needs when it comes to web application security. This includes how WAF technology:
  • Maximizes the detection and catch rate for known and unknown threats
  • Minimizes false alerts (false positives) and adapts to continually evolving web applications
  • Differentiates automated traffic from human users, and applies appropriate controls for both categories of traffic
  • Ensures broader adoption through ease of use and minimal performance impact
  • Automates incident response workflow to assist web application security analysts
  • Protects public-facing, as well as internally used, web applications and APIs
Gartner scrutinizes these features and innovations for their ability to improve web application security beyond what a network firewall, intrusion prevention system (IPS) and open-source/free WAF (e.g., ModSecurity) would do, by leveraging a rule set of generic signatures.
Gartner has strengthened this year’s inclusion criteria for the web application Magic Quadrant, to reflect enterprises’ changing expectations when selecting WAF providers (see Inclusion Criteria). Updated criteria include a requirement to get minimal revenue outside of a vendor’s home region, which led to the exclusion of some of the more local vendors.

Magic Quadrant

Figure 1. Magic Quadrant for Web Application Firewalls

Source: Gartner (August 2018)

Vendor Strengths and Cautions

Akamai

Akamai is in the Leaders quadrant. Clients looking for a cloud WAF service that can support web-scale applications and combine multiple web application security features often add Akamai to their shortlists when price sensitivity is low, especially when they already use Akamai as a CDN.
Akamai is a global CDN provider with headquarters in Cambridge, Massachusetts. It has more than 7,500 employees, with a growing team dedicated to web application security. In addition to its WAF (Kona Site Defender), Akamai offers additional security services, including application access control (Enterprise Application Access), managed DDoS scrubbing service (Prolexic), API gateway (Akamai API Gateway), and DNS services (Fast DNS). The WAF can be augmented with optional add-ons, including IP reputation, volumetric DDoS protection options, and two bot mitigation subscriptions (Bot Manager and Bot Manager Premier). Akamai also offers a trimmed-down, and lower-cost, version of Kona Site Defender, called Web Application Protector (WAP).
Recent news includes the release of Bot Manager Premier as a separate option, providing mouse and keyboard activity analysis, along with a mobile software development kit (SDK). Kona Site Defender has improved its management options for multiple applications, and has updated reporting and real-time analytic dashboards.
Kona Site Defender is a good shortlist candidate for all use cases in which WAF delivered from the cloud is acceptable, and low price is not the highest priority, especially for existing Akamai CDN customers.

Strengths
  • Product Strategy: Akamai demonstrates a sustained commitment to develop and improve its web application security solutions. The vendor also grows its threat research and security operations center (SOC) team at a good pace.
  • Product Offering: The broad portfolio of Akamai’s cloud services appeals to organizations looking for an easy way to deploy controls in front of a diverse set of applications. Many customers using Kona Site Defender are using other services, especially the CDN.
  • Geographic Strategy: Akamai is a global infrastructure provider with especially strong presence in North America, and good visibility in European shortlists too.
  • Managed Services: Akamai offers professional services to help harden the security configuration of Kona Site Defender. It also provides a managed SOC, which can monitor incidents.
  • Capabilities: Akamai applies automated analytics and triage on the entire traffic it processes for clients to tune their signatures and gather threat intelligence to create new protections. It has released a first version of API security features that customers find promising.
  • Customer Experience: Customers using Akamai managed security services and customers using the WAP product cite a lower-than-expected rate of false alerts.

Cautions
  • Market Segmentation: Akamai’s WAF is available as a cloud service only. For organizations that are simply not comfortable with cloud security solutions, or where prospective clients’ assessments determine that compliance and regulatory restrictions limit its use, Akamai does not appear on client shortlists.
  • Pricing and Contracting: Akamai Kona is an expensive product, especially when bundling multiple options, such as Bot Manager subscriptions. Clients continue to cite pricing as a barrier. Gartner analysts have observed an increase in complaints from prospects, and from existing clients. Organizations frequently consider using a second WAF brand, because it would be too expensive for them to deploy Akamai’s solution. The less-expensive WAP solution has not yet fixed this issue.
  • Customer Experience: The most-vocal complaints from clients target the poor policy management system, which is leaving clients frustrated by a dated policy and no useful way to test the updated rules. They also would like to see more improvements in the monitoring and reporting, as well as improved notification options.
  • Technical Architecture: Akamai has historically lagged behind some of its competitors in security automation. It has published a first version of an API to manage Kona’s security configuration, which is still in beta.
  • Capabilities: Akamai lacks a positive security model, with the exception of its API protection module. Customers using WAP cannot use Bot Manager.

Amazon Web Services

Amazon Web Services (AWS) is in the Niche Players quadrant. It serves almost exclusively AWS clients, and invests significantly in continuous improvements to its WAF solution.
AWS is a subsidiary of Amazon, based in Seattle, Washington. It is a cloud-focused service provider. It offers a large portfolio of cloud workloads (EC2), online storage (S3, EBS and EFS), database, and artificial intelligence (AI) frameworks. Its security portfolio is not as well-known, but includes identity and access management (IAM; Cognito), managed threat detection (GuardDuty) and HSM (AWS Cloud HSM). AWS Shield provides managed DDoS protection, and its WAF product is simply called AWS WAF.
AWS WAF can be delivered through AWS Application Load Balancer or through Amazon CloudFront as part of the CDN solution. AWS WAF is not limited to protecting origin servers hosted on Amazon infrastructure. AWS also partners with WAF vendors and offers their solutions in the AWS marketplace.
In recent months, AWS has released managed rules, a feature that allows clients to deploy sets of rules managed by third-party WAF vendors. The vendor has also recently released AWS Firewall Manager, which allows clients to centralize the deployment of WAF policies and managed rule sets. Also, AWS Config, the vendor’s configuration monitoring service, can monitor AWS WAF rule sets (RuleGroup).
AWS customers looking for an easy way to add runtime protection in front of their applications hosted on AWS should consider deploying AWS WAF, especially when combined with AWS Shield, and with one, or multiple, sets of managed rules.

Strengths
  • Capabilities: With managed rulesets, AWS customers have access to more than a dozen sets of rules from established WAF or managed security service (MSS) vendors that are automatically updated. Because they can deploy multiple rulesets simultaneously, it is easy, even if it comes at a cost, to provide multiple layers of defense, or to test multiple providers.
  • Customer Experience: Existing AWS customers appreciate being able to quickly deploy and enable AWS WAF. Customers give good scores to the autoscaling and built-in integration with CloudFront.
  • Capabilities: AWS WAF helps organizations in a DevOps mode of operation with the full-featured APIs and CloudFormation automation. AWS customers can provision a set of WAF rules for each stack, or provision a set of WAF rules, and automate the association of those rules with a new stack.
  • Roadmap Execution: AWS continues to regularly improve its WAF, releasing relevant features to close existing gaps, such as the recent firewall manager, at the time they are announced.
  • Sales Execution: AWS WAF is integrated in AWS Shield Advanced. For customers not using AWS Shield Advanced, AWS charges per use for AWS WAF are based on how many rules customers deploy and how many web requests are inspected.

Cautions
  • Marketing Strategy: AWS WAF’s reach is mainly limited to AWS workload protection, where it competes with cloud WAF services and virtual appliances. As more clients consider a multicloud strategy, AWS WAF is less likely to be on WAF shortlists.
  • Capabilities: AWS WAF lacks bot detection techniques, relying on reputation-based controls. Customers need to deploy AWS API Gateway to get dedicated API security features, because AWS does not parse JavaScript Object Notation (JSON) or XML. The vendor does not offer managed SOC for AWS WAF as part of its SiteShield managed services offering. Its DDoS Response Team (DRT) focuses on DDoS response only.
  • Product Strategy: Despite numerous corporate security initiatives, the WAF product remains mostly a siloed product. The vendor does not yet have a dedicated threat research team to add new protections to the WAF. AWS WAF does not leverage AWS AI capabilities; the use of machine learning for web app security is built in only for DDoS protection.
  • Customer Experience: Customers would like to be able to whitelist a specific rule from the managed ruleset. Currently, they can only disable the entire ruleset, and have trouble identifying why a rule was triggered.
  • Customer Experience: Clients cite logging and reporting as a weakness. They cannot get detailed logging or aggregated events, and mention occasional delays in getting the logs. Some clients also request integration with SIEM.

Barracuda Networks

Barracuda Networks is in the Challengers quadrant. Barracuda has good visibility for its WAF deployment over IaaS, and for existing Barracuda customers, but focuses on catching up with market leaders.
Barracuda Networks (CUDA) is based in Campbell, California. Barracuda is a known brand in security and backup markets, especially for midsize enterprises. In addition to network firewalls, its product portfolio includes email security and a user awareness training tool (acquired from Phishline in January 2018). The vendor also offers DDoS protection. The vendor delivers its WAF line in physical or virtual appliances. It is also available on the Microsoft Azure, AWS and Google Cloud Platform (GCP) platforms.
In November 2017, Barracuda agreed to be acquired by private equity firm Thoma Bravo. The acquisition was completed in February 2018. Barracuda has recently released Barracuda WAF-as-a-Service, its self-service cloud WAF. This release follows its DDoS protection service (Barracuda Active DDoS Prevention Service). The vendor has improved its integration on Microsoft Azure for better scalability, and made its virtual appliances available on Google Cloud Platform. It has also worked on its integration with continuous integration tools, and has made significant updates to its management API, improving the ability for Barracuda WAF to be deployed programmatically.
Barracuda is a good shortlist contender for midsize enterprises and existing Barracuda customers. It offers interesting solutions for organizations in North America and Europe, developing a multicloud strategy.

Strengths
  • Offering Strategy: Barracuda remains one of the most visible WAFs on Microsoft Azure. Customers are then more likely to select Barracuda in a multicloud strategy for unified management.
  • Pricing Strategy: Barracuda Cloud WAF as a Service includes DDoS protection at no additional charge.
  • Product Offering: With the release of the WAF appliance 1060, Barracuda now supports throughput as high as 10 Gbps.
  • Technical Support: Gartner clients across multiple regions give excellent scores to Barracuda’s customer support. Barracuda partners cite the vendor’s focus on customer satisfaction as the reason they choose to sell Barracuda WAF.
  • Capabilities: Barracuda’s offer of the free WAF add-on Vulnerability Remediation Service is attractive to Barracuda’s targeted small or midsize business (SMB) customers, which often lack the time, money and expertise to support an in-house application scanning program.

Cautions
  • Sales and Marketing Execution: Barracuda struggles to adapt to the multiplication of meaningful competitors. Its visibility in shortlists is shrinking, and the vendor has lost market share during the past 12 months.
  • Customer Experience: Many customers have complained about Barracuda’s WAF appliance user interface (UI). They cite a long learning curve, difficulties locating features buried in submenus and longer-than-necessary amounts of time spent updating the configuration.
  • Market Responsiveness: Barracuda has been late to the market in providing cloud WAF as a service. Prospects should scrutinize the vendor’s infrastructure and point-of-presence availability across regions, as well as investigate the vendor’s ability to meet enterprise-class SLAs for availability, because the solution remains a recent addition.
  • Capabilities: Despite recent improvements, Barracuda WAF lags behind the leaders in bot mitigation and advanced analytics for anomaly detection. Its predefined list of good bots is limited to a few search engines.
  • Capabilities: Barracuda WAF lacks access management features and support for OAuth.
  • Capabilities: Barracuda WAF lags behind the leaders in security monitoring. It lacks automated alert aggregation in the real-time log view, and users report that they would like to see more improvements.

Citrix

Citrix is in the Challengers quadrant. Most of Citrix’s WAF sales are an add-on to an existing ADC deployment, but Citrix’s attach rate for the WAF option is lower than 50%. Gartner rarely sees Citrix participating in a pure-WAF competition with other vendors.
With more than 9,600 employees, Citrix (CTXS) is a global provider with a broad portfolio of virtualization, cloud infrastructure and ADC solutions. The vendor is co-headquartered in Santa Clara, California, and Fort Lauderdale, Florida. The NetScaler ADC portfolio includes hardware (MPX), software (VPX), containerized (CPX) and multi-instance (SDX). All of those ADC options offer WAF (NetScaler AppFirewall) and Secure Sockets Layer (SSL) virtual private network (VPN) as modules. WAF is also available as a stand-alone product.
In 2017, Citrix introduced the Web App Firewall (initially called NetScaler Web App Security service) as its cloud WAF service, and refreshed its hardware product line.
NetScaler AppFirewall is a good choice for Citrix clients that value high-performance WAF appliances.

Strengths
  • Sales Execution: Citrix licenses its products and service through multichannel globally, which makes Citrix the No. 2 ranked ADC vendor (by revenue). This creates opportunities for selling a WAF module on top of its ADC appliances. Existing ADC and Citrix-based application customers like the tight integration of the AppFirewall module.
  • Capabilities: NetScaler’s ability to scale appeals to large organizations. NetScaler’s TLS decryption capabilities and integration with Thales and SafeNet hardware security modules (HSMs) are often key differentiators in prospect comparative testing.
  • Customer Experience: Customers give high scores to the support they receive from system integrators and service providers. They also praise improvements in API-driven manageability.
  • Customer Experience: Surveyed customers welcomed NetScaler management and analytics service (MAS), and give good scores to the Security Insight dashboards.

Cautions
  • Product Strategy: Citrix faces intense competition from many large and small vendors on its leading products. Acquisitions have been a significant part of its growth strategy. However, most of the recent acquisitions (Cedexis, Norskale, Contrade and Unidesk) have little to do with security and will take attention from innovating on the WAF technology.
  • Sales Execution: Citrix rarely competes in dedicated WAF deals, and its overall visibility has continued to decrease. The vendor mostly sells AppFirewall as an add-on to customers primarily interested in its ADC features, or in high-performance environments.
  • Technical Architecture: Most Citrix clients use NetScaler AppFirewall as a software option on top of an ADC physical appliance. Gartner rarely sees Citrix being deployed on IaaS, such as Amazon and Microsoft. Google Cloud is not supported.
  • Capabilities: AppFirewall does not include advanced bot mitigation and anomaly detection options.
  • Market Responsiveness: The pace of WAF feature releases on NetScaler has been slow for a few years now, except for TLS decryption-related capabilities. Although Citrix is only now catching up to its competitors in cloud WAF delivery, it has not gained visibility in shortlists against other cloud WAF vendors. Citrix cannot match competitors’ offerings, because it does not bundle CDN with its cloud WAF.
  • Customer Experience: Many customers would like better ways to handle false alerts (false positive rate). Citrix’s ability to block bots gets a low score. Clients would also like to see better documentation for the WAF advanced features.

Cloudflare

Cloudflare is in the Challengers quadrant. As more applications move to the cloud, and a growing number of organizations consider multicloud options, the appeal of Cloudflare’s bundled service continues to grow.
Headquartered in San Francisco, California, Cloudflare is growing quickly, with more than 700 employees. The vendor’s primary offering is a combination of DDoS protection and a CDN offering. Other products offered as a service include DNSSEC, Bot Mitigation, SSL, Rate Limiting and Orbit for securing Internet of Things (IoT) devices. Cloudflare stands out for its service delivery, which usually uses the self-service model, allowing its clients to make quick and easy configurations through wizards. Although Cloudflare’s brand is associated with its inexpensive service plans for consumers, the vendor has a sizable enterprise customer base, through a higher-priced custom Enterprise plan.
In recent months, Cloudflare announced changes promoting unlimited and unmetered DDoS protection for all of its customers. This can benefit clients by not penalizing them for the number, duration and size of DDoS attacks. It also released a tunnel mode (Argo Tunnel), multiprotocol support (Spectrum) and some authentication brokering features, integrating with a number of identity providers (Cloudflare Access).
Cloudflare is a good shortlist candidate for internet-exposed applications in global organizations with customers in multiple regions that are concerned with the risk of DDoS attacks.

Strengths
  • Technical Architecture: Cloudflare is a provider with 15 Tbps capacity and 152 data centers worldwide. This infrastructure not only supports the high performance of the applications, it also promotes a close-to-the-edge security protection capability.
  • Customer Experience: Customers typically score the ease of use and implementation of the WAF and DDoS solution highly. Customers also praise the vendor’s DDoS mitigation capabilities. Cloudflare has a large base of technically savvy individuals who use its solution for personal web applications, and then become internal sponsors when their organizations consider a cloud WAF.
  • Market Responsiveness: Cloudflare continually develops new capabilities related to better user experience in ease of use and implementation. Cloudflare has announced Spectrum, which is expanding DDoS protection beyond web servers to include other TCP-based services. The vendor also occasionally acquires technologies to more quickly serve new features, as it did when it acquired Neumob’s mobile SDK.
  • Capabilities: The recent addition of Cloudflare Workers enables customers to host web applications on Cloudflare’s infrastructure, which should appeal to smaller organizations. The vendor also provides an easy-to-reach “I’m under attack” button. This automatically enables a set of protections, and is convenient for emergency reaction.
  • Capabilities: Cloudflare has recently released the ability to assign rules per uniform resource identifier (URI), improving its ability to provide more-granular control without damaging the security posture for the entire application. Its keyless SSL technology offers interesting support for customers that want to store their private keys on their preferred HSM solutions.
  • Geographic Strategy: Cloudflare is one of the few global providers with local points of presence in China.

Cautions
  • Market Segmentation: Cloudflare offers WAF as a cloud service only. For organizations with restrictions on cloud services, or in locations where the appetite for cloud services isn’t high (e.g., the Middle East and Asia regions), Cloudflare can’t address use cases that require on-premises physical or virtual appliances. The lack of WAF appliance might penalize them for the nascent hybrid web application deployment use cases (partly on-premises and partly cloud-hosted), where more-conservative organizations highly rank the ability to get unified management and reporting for the WAF solution.
  • Customer Experience: Many customers, especially the larger organizations, rated Cloudflare’s alerting and reporting low. The vendor lacks an automated aggregation of alerts for faster incident triage. Some customers complain of occasional API instability, as well as a higher-than-expected frequency of local performance degradation.
  • Capabilities: Cloudflare’s management console presents restrictions on offering more-granular configuration capabilities, such as building custom-made rules. In addition, the management console’s role-based access shows its limits when users want to define the per-app role, or when auditing management actions.
  • Capabilities: Cloudflare still lags behind some of its competitors for bot management. It lacks an easy way to manage good bots. Despite a recent initiative to learn from the large amount of data the vendor processes, Captcha remains the most frequent technique Cloudflare uses to block bots. This hurts the user experience. The WAF also lacks an automated positive security model, which could prove useful, especially for high-risk pages or API-driven applications.
  • Product Strategy: Gartner observes that Cloudflare’s security roadmap appears to aim at good-enough security, with a focus on pervasive, commercial off-the-shelf (COTS) web applications (e.g., WordPress and Magento). Its web application security threat research team efforts are targeted at quick reaction in case of a new attack campaign. However, when it comes to using new protection techniques based on in-house threat research, the vendor is less proactive than its leading competitors.

Ergon Informatik

Ergon Informatik is a Niche Player. The vendor is mostly visible in Switzerland and Germany, with slow international developments in financial institutions from other countries. Ergon provides WAF appliance only. Its roadmap execution is primarily driven by incremental improvements.
Ergon Informatik is a software engineering and consulting company, headquartered in Zurich, Switzerland, and it has 280 employees. The vendor has developed a full suite of products to serve existing clients. The product portfolio is centered around the Airlock Suite, which includes the Airlock WAF, a WAM solution (Airlock Login) and a more-comprehensive IAM solution (Airlock IAM).
Latest news includes the release of Airlock WAF 7.0, at the end of 2017, with the addition of Geo-IP, and automatic whitelisting learning. It has integrated Kibana for the reporting and real-time dashboards, and added support for more log formats, including JSON and Common Event Format (CEF).
Ergon Informatik is a contender worth considering for large banking and financial enterprises in need of a WAF appliance.

Strengths
  • Customer Experience: The vendor continues to get good feedback from faithful customers and resellers, who trust the company and praise its ability to be close to its clients. They almost always use the vendor’s IAM features and mention them as a differentiator.
  • Vertical Strategy: Ergon Informatik’s strongest presence is with banking and other financial institutions, where it can provide a large number of satisfied references.
  • Market Execution: Despite its smaller size, Ergon is a profitable company that enjoys growth at a rate that exceeds the WAF appliance market as a whole.
  • Customer Experience: Customers give good scores to Airlock WAF for its API security capabilities, and to the combination of access management features and content inspection on JSON and REST payloads.
  • Capabilities: The recent addition of geo-IP goes beyond blocking, and allows traffic to be redirected, based on the source’s region or country. Clients liked the real-time monitoring and logging upgrade, which provides the flexibility to build their own dashboards and advanced searches in log. Support for the CEF format improves the ability to integrate with SIEM vendors.
  • Capabilities: With the addition of automatic whitelisting learning, Ergon Informatik now offers a comprehensive set of controls for positive security models, in addition to the already-available URL and cookie encryption features. It also provides predefined templates for known commercial applications, such as Microsoft Exchange.

Cautions
  • Product Strategy: Ergon is not a good choice for hybrid or cloud-native web applications. It does not offer cloud WAF or DDoS protection services, and has not shown any intention to pursue a cloud WAF service strategy. The vendor lacks centralized management for its WAF appliances, and its WAF virtual appliances are unavailable in the IaaS marketplace.
  • Market Segmentation: Ergon is not the best fit for smaller organizations. It offers only two hardware appliances (Medium and Large). Most customers mention that the deployment is not the easiest possible, and the management interface can be complex, especially for novice users.
  • Geographic Strategy: Ergon is predominantly visible in Swiss and German shortlists, with the exception of some rare appearances in Asian financial institution shortlists. The vendor has limited direct presence outside Western Europe. Prospects from other regions should first assess the ability of the vendor to provide support in their time zones and, if necessary, in local languages.
  • Capabilities: Airlock offers limited role-based management with four predefined roles, and an experimental command line interface (CLI)-based option to add custom roles. Its management API feature is not yet complete.
  • Capabilities: Airlock still lacks third-party or in-house threat intelligence feeds. Its generic rule set is updated only during firmware updates. This limits the ability of customers to benefit from ad hoc, emergency-released protections in case of a new attack campaign. The vendor also relies on integration with IBM Trusteer to provide bot mitigation.
  • Market Responsiveness: Ergon Informatik’s roadmap delivery contains a higher mix of continuous improvements of existing features.

F5

F5 has moved from the Leaders quadrant to the Challengers quadrant. It continues to participate frequently in client shortlists for WAF appliances beyond its ADC customer base. The company is in the middle of reinventing itself for a cloud-first world, but has yet to reproduce the success it built in past years as a strong WAF appliance provider in the cloud WAF segment.
Based in Seattle, Washington, F5 is known for its ADC product lines (Big-IP and Viprion). The vendor employs more than 4,300 employees, which includes a small business unit dedicated to security products.
F5’s WAF is primarily consumed as a software option, Application Security Manager (ASM), which is integrated in the F5 Big-IP platform. The F5 hardware Big-IP appliance product line can also run a license-restricted (yet upgradable) version of the full software to act as a stand-alone security solution (such as a stand-alone WAF). F5’s security portfolio includes a WAM solution, Access Policy Manager (APM), web fraud protection (WebSafe), and a DDoS mitigation solution, DDoS Hybrid Defender (DHD).
Under the Silverline brand, F5 delivers cloud WAF and DDoS protection. Two flavors of the service are available: Silverline Managed WAF and self-service WAF Express, with a threat intelligence add-on (Silverline Threat Intelligence). All Silverline services rely, under the hood, on Big-IP technology.
In recent news, F5 launched a dedicated solution to handle TLS traffic decryption for inbound and outbound traffic (the F5 SSL Orchestrator). The vendor has launched a WAF product called “Advanced WAF.” It includes, in addition to what is also available in ASM, a mobile SDK, specialized features for fraud prevention through form field obfuscation, bot mitigation, application-layer DoS and API security features.
F5 is a good shortlist contender for large-scale WAF appliances, and for scenarios requiring unified management.

Strengths
  • Marketing Strategy: As its legacy ADC appliance market declines, F5 has identified security as one of the core markets for its new messaging. The vendor has publicly committed to reinforce its investment in security.
  • Technical Architecture: F5 supports AWS, Azure, Google Cloud, OpenStack and VMware Cloud. The support for multicloud with unified management appeals to the organizations building a hybrid architecture.
  • Capabilities: Clients continue to mention iRules as a reason to select, and to stick with, ASM WAF. They also mention the depth and breadth of features available on the platform.
  • Customer Experience: Customers of the managed WAF services give good scores to their interactions with the professional services, and managed SOC teams. Surveyed customers like the multiple managed rulesets from F5, which can be deployed quickly on the top of AWS WAF.
  • Customer Experience: Several customers mention the user community and vendor support as strong assets.

Cautions
  • Product Strategy: With the existing Silverline product segmentation, F5 links its self-managed Silverline Express with the lower tier of the market, but positions it at a price point that is much higher than its direct competitors. Gartner analysts see that as a missed opportunity for F5’s product strategy and a gap in its current portfolio. Larger enterprises are more likely to have in-house SOCs than midsize organizations, and most enterprises prefer self-service WAF options. F5 does not yet provide a fully featured, easy-to-manage self-service WAF.
  • Sales Execution: Gartner analysts observe limited adoption of Silverline products, and low visibility in cloud WAF shortlists.
  • Product Strategy: With Advanced WAF, F5 risks frustrating its core customer base, which has used WAF as a module of their ADC for years. They now fail to get the best security features, even when purchasing the “best” bundle, and need to get an additional security license upgrade.
  • Cloud WAF Service: Silverline’s infrastructure significantly lags behind its direct competitors. It lacks a presence in South America, the Middle East, Africa and China. It serves the entire Asia/Pacific (APAC) region from a single data center, hosted in Singapore.
  • Customer Experience: Many customers mention the need for a UI refresh, because the current UI can be complex. They noted some improvement with the recently released hierarchy of policies.
  • Operations: F5 continues to experience big changes in its leadership, including a new lead for the security business unit. Prospective clients should monitor early signs of a strategic shift that could affect investment in the appliance product line.

Fortinet

Fortinet is in the Challengers quadrant. The vendor continues to grow its market share in the WAF appliance segment, with improved security capabilities. It is slowly catching up on the cloud WAF segment, with an initial release in 2017.
Based in Sunnyvale, California, Fortinet is a large firewall vendor that offers a broad portfolio of security and network solutions. The vendor’s almost 5,000 employees include approximately 1,000 in R&D. Fortinet’s portfolio includes a firewall (FortiGate) that constitutes most of the vendor’s revenue, a WAF (FortiWeb), a threat intelligence service (Fortinet TIS), a SIEM (FortiSIEM), and a sandbox (FortiSandbox). FortiWeb is available as a physical or virtual (FortiWeb-VM) appliance, and on AWS and Azure IaaS platforms. FortiWeb subscriptions include IP reputation, antivirus, security updates (signatures and machine learning models), credential stuffing defense and cloud sandboxing (FortiSandbox).
Fortinet’s recent corporate strategy shift articulates a concept it named “Security Fabric.” It consists of integrating many solutions from Fortinet’s portfolio, providing, for example, unified visibility gained by collecting telemetry from every deployed product.
In late 2017, Fortinet launched a first version of a cloud WAF service (FortiWeb Cloud). FortiWeb 6.0, released in May 2018, integrates closely with FortiGate FortiOS 6.0. This release adds machine learning algorithms to improve anomaly detection, which deprecates the automatic application learning. FortiWeb now supports Google Cloud and the VirtualBox hypervisor.
FortiWeb is a good shortlist candidate for organizations looking for a WAF appliance, especially when deployed in hybrid scenarios, and for Fortinet’s existing customers.

Strengths
  • Sales Execution: FortiWeb’s visibility in shortlists has improved, especially in Fortinet’s customer base.
  • Capabilities: Fortinet delivers strong threat intelligence, supported by the large team of its FortiGuard Labs, a shared resource for all Fortinet products. The vendor has a strong ability to quickly deliver, and automatically deploy, new targeted signatures, even before the attacks have gained enough scale to be visible globally. With FortiWeb 6.0, security analysts can search for attacks using common vulnerabilities and exposures (CVE) IDs.
  • Marketing Strategy: Fortinet applies the same strategy to FortiWeb that drove FortiGate’s success. It offers a comprehensive portfolio of hardware appliances (eight models, ranging from 25 Mbps to 20 Gbps), and it wins on a good price/performance ratio. The vendor also leverages its global R&D efforts to quickly mature its WAF solution, despite being a relatively recent entrant in the market. The recent release of FortiWeb Cloud now offers a solution to Fortinet’s large customer base of midmarket enterprises.
  • Capabilities: FortiWeb’s recent use of machine learning algorithms to complement ad hoc signatures and detect attacks from their behavior is promising. The syntax analysis pass on the request helps catch false alerts that could result from the new technique.
  • Capabilities: FortiWeb is a good choice to protect file-sharing services, because it offers comprehensive options and integration for malware detection. The WAF can inspect for malware, as well as integrate with Fortinet’s sandboxing solutions.

Cautions
  • Cloud WAF Service: Fortinet has been late releasing a first version of a cloud WAF service, which is still unproven, especially in its ability to avoid and mitigate false alerts. FortiWeb Cloud has more limited capabilities than its appliance counterpart, and it lacks available peer references.
  • Organization: The vendor has only modestly increased its WAF R&D department this year. Its investment in WAF remains smaller than for other products in Fortinet’s portfolio, and is relatively small compared with some of its direct competitors.
  • Market Segmentation: Fortinet is not yet visible in shortlists for web-scale organizations trying to protect their core business-critical applications, and for cloud-native web applications that heavily leverage continuous integration.
  • Customer Experience: Some customers would like Fortinet to go one step further and unify the centralized management for WAF and firewall. Today, you need two separate management platforms for FortiWeb and FortiGate. They also would like better documentation in the form of “how-to,” especially on recent features, and better change control.
  • Capabilities: FortiWeb lags behind the leaders in bot mitigation. The vendor does not offer, nor does it integrate with, a DDoS protection service.
  • Capabilities: FortiWeb’s machine learning does not work in high-availability deployments. In the initial version, the UI exposes a lot of the internal mechanics behind the machine learning engine. Although this compares favorably with other vendors’ “black box” approaches and helps the credibility of the engine, it can be intimidating and lengthen the learning curve.

Imperva

Imperva is in the Leaders quadrant. The vendor is one of the most visible in both the appliance and cloud WAF service segments. Imperva frequently wins on the basis of security features and innovation. Imperva can provide strong WAF functionality as a traditional appliance and cloud WAF service, but faces stronger competition for its cloud offering.
Imperva is an application, database and file security vendor, with headquarters in Redwood Shores, California. Its portfolio includes database security products (SecureSphere Data Protection and Database Audit and CounterBreach), a WAF appliance (SecureSphere WAF), and a cloud WAF service (Incapsula). Imperva also offers managed security services and managed SOC.
SecureSphere can be delivered as physical and virtual appliances. It is also available on AWS and Microsoft Azure marketplaces. The vendor also offers managed rule sets for AWS WAF.
In recent months, Imperva saw changes in its executive team, including a new CEO and CFO, followed by an internal reorganization to refocus on a cloud-first strategy. The company recently announced the acquisition of Prevoty, a RASP vendor. The vendor continued its investment in Incapsula infrastructure with new points of presence, refreshed some SecureSphere hardware appliances, and released Attack Analytics, a new real-time event management solution for Imperva SecureSphere and Incapsula.
Imperva is a good shortlist candidate for all kinds of organizations, especially large enterprises looking for high-security WAF appliances, or organizations planning to transition their applications from on-premises to the cloud.

Strengths
  • Marketing Strategy: Imperva offers flexible licensing for organizations with a mix of on-premises and cloud-hosted applications. It allows the vendor to target a wider range of use cases and organizations, and to better manage the transition from WAF appliance to cloud WAF service.
  • Sales Execution: Imperva is one of the only vendors providing both WAF appliances and cloud WAF service to achieve strong visibility in shortlists and large customer bases for both segments.
  • Customer Experience: Gartner clients using SecureSphere continue to praise customer support. They’ve noted some improvements in Incapsula’s bot mitigation.
  • Capabilities: Incapsula and SecureSphere benefit from the shared threat intelligence from ThreatRadar.
  • Capabilities: Imperva has recently released attack analytics to get unified and improved monitoring for SecureSphere and Incapsula. The vendor has also made available a first version of role-based administration for Incapsula.
  • Geographic Strategy: Imperva has strong WAF presence in most geographies, and offers effective support across most regions. Recent presence has been especially strong in the APAC region.

Cautions
  • Market Responsiveness: Imperva is experiencing a lot of organizational changes, which could be the source of a slower pace of release, especially for the SecureSphere product line.
  • Cloud WAF Service: Customers wish that Incapsula supported single sign-on (SSO) features, such as SAML 2.0. They also would like better and more-flexible canned reports.
  • Capabilities: Customers considering Incapsula to replace SecureSphere often notice the lack of feature parity. The cloud WAF service cannot yet match the depth and breadth of security function covered by the appliance product line.
  • Pricing: Several Gartner clients cited higher-than-competitive prices for Imperva’s SecureSphere WAF, and to a lesser extent for Incapsula.
  • Cloud WAF Service: Incapsula’s infrastructure does not include any point of presence in China, and its infrastructure lags behind other cloud-native WAF services in South America and Africa.
  • Customer Experience (WAF Appliance): SecureSphere customers report that the management console remains complex when using the more advanced capabilities. Customers frequently mentioned that deployment often requires professional services to effectively implement the offerings at scale. They also would like to see closer integration between Attack Analytics and the WAF management consoles, and more-unified management capabilities between SecureSphere and Incapsula.
  • Customer Experience (Cloud WAF Service): Some customers complain about Incapsula’s limited cross-site and multidomain management and reporting, especially when multiple applications share the same IP address. Surveyed customers and resellers indicated that they did not get the same quality of support for Incapsula, compared with what they are accustomed to with SecureSphere. They cite too many canned and not necessarily helpful answers as a first response when contacting support.

Instart

Instart has moved from the Visionaries quadrant to the Niche Players quadrant. The vendor’s security roadmap has seemed to stagnate. WAF is positioned as an add-on to the CDN and performance optimization platform, and its visibility in shortlists remains limited.
Headquartered in Palo Alto, California, Instart (until recently named Instart Logic) has 200 employees, and came out of stealth mode in 2010. Instart offers a bundle of cloud services, including CDN, WAF and DDoS protection. The vendor’s core marketing message for its WAF (Instart Web App Firewall) is about being “endpoint aware,” facilitated through a lightweight JavaScript agent (Nanovisor), which is injected into HTTP traffic and analyzes aspects of client-side web browser behavior. Instart offers rule tuning and a 24/7 SOC as an option. Instart’s team continually analyzes logs for its clients with a tool called Helios, which the vendor uses to update its client policies.
In recent months, Instart has completed a new round of $30 million funding. Product-related news includes the launch of a self-service rule feature, enabling clients to create their own traffic processing and WAF rules. Instart has continued to grow its infrastructure, adding more than 15 points of presence across all regions.
Instart is a valid shortlist contender for the vendor’s existing clients, and for organizations that need to quickly combine performance optimization and security features in front of their cloud-native web applications.

Strengths
  • Organization: Instart is part of a new wave of web app security vendors developing easy-to-deploy, cloud-native solutions. The lack of technical debt from legacy solutions allows the vendor to try new approaches, such as the Nanovisor, more easily.
  • Viability: Instart continues to grow quickly, demonstrating its ability to attract new customers. It is well-funded to further enhance its solutions in the future.
  • Vertical Strategy: Instart continues to be visible in shortlists for small and large e-commerce companies. Customers from these organizations report that they selected Instart for its ability to combine security features with the performance optimization and anti-ad-blocking features for which they were primarily looking.
  • Customer Experience: New customers continue to be satisfied with the ease of deployment when collaborating with the vendor. They also mention high-quality vendor support.
  • Capabilities: Instart has released a bot mitigation feature, priced separately from the WAF. It is too early to judge the quality of the feature. However, customers from Instart’s top verticals, e-commerce and online media, are heavily targeted by bots, and welcomed the new feature.
  • Capabilities: Instart management provides a fully featured API, which facilitates its integration in dynamic application ecosystems. When adding a new feature, such as the custom rule creation, a related API is also available.

Cautions
  • Product Strategy: Instart positions its WAF as an add-on, and sells it mostly to its existing customer base for its other products, who don’t conduct in-depth evaluation of the security modules. The vendor has yet to demonstrate that it is interested in more than selling security as a commodity to its IT customer base.
  • Organization: Instart is a growing company, but has experienced organizational hiccups recently, with a change of CEO and internal reorganizations intended to overcome slower-than-investor-expected growth and market awareness. As the vendor prepares for its IPO, it might be distracted from innovating in the security space. Its WAF development team is one of the smallest among the vendors evaluated in this research.
  • Capabilities: Instart does not offer API security features: it does not parse JSON or XML payloads. It also does not offer authentication features, nor does it integrate with identity providers to enable SSO using the SAML protocol.
  • Geographic Strategy: The vendor still has a low visibility in shortlists, especially outside the U.S. Prospective customers should first verify the availability of local skills, assess their need for support in their native language and ask for local peer references. The vendor has not yet deployed points of presence in China.
  • Capabilities: Instart does not provide a fully featured, self-service option. Although customers can now create their own rules, they still need the vendor for onboarding. The role-based access control (RBAC) feature is reputed to be quite limited. Configuration tuning quickly requires a request to Instart’s team. Many clients point out the poor documentation and scarcity of available technical resources.
  • Customer Experience: Customers would like to see more improvements in the reports, as well as more customizable dashboards. Because the WAF lacks integration with ticketing systems, AST and most SIEM technologies, organizations face difficulty integrating it into their enterprise incident workflows.

Microsoft

Microsoft is in the Niche Players quadrant. The vendor has released a first version of WAF, which offers baseline protection to web applications, and is visible mostly in its customer test initiatives. The vendor needs to demonstrate a continued commitment to improving the solution and building a more-feature-rich WAF.
Based in Redmond, Washington, Microsoft is one of the most well-known IT brands, with a diversified and broad portfolio. Microsoft Azure, its IaaS solution, includes virtual machines (VMs), storage and database services. Its WAF (Azure WAF) is built on top of its application delivery solution (Azure Application Gateway) and integrates with other Azure products, such as Azure Traffic Manager (ATM) and Azure Load Balancer (ALB). Azure WAF is priced per gateway and per hour, as part of the Application Gateway consumption-based model.
Azure Portal and Security Center are the management solutions for Azure Application Gateway and for Azure WAF.
In 2017, Microsoft made its WAF available globally.
Microsoft Azure WAF is a good choice for organizations looking for an ad hoc WAF available immediately while deploying workloads on Microsoft Azure.

Strengths
  • Sales Strategy: Azure WAF is bundled with the Application Gateway, making it easy for clients to enable it, while deploying the underlying application delivery infrastructure, and providing protection to their applications right away.
  • Capabilities: Azure WAF includes a fully featured REST API for managing the WAF configuration.
  • Capabilities: The vendor can parse JSON and XML payloads, and apply security rules to this content.
  • Geographic Strategy: Now that Azure WAF is available globally, it benefits from Microsoft’s global infrastructure of data centers, with multiple points of presence in all regions, except Africa and the Middle East.

Cautions
  • Organization: Microsoft is still building its WAF team, which is relatively small, when compared with the challengers and leaders in this research. Prospective buyers should get references to validate expected capabilities.
  • Product Strategy: At this point in time, Azure WAF consists mainly of a repackaged ModSecurity engine, using the ModSecurity core rule sets (CRS). Although many WAF offerings have started with a similar approach, the vendor must continue to demonstrate its commitment to developing the WAF beyond basic protection.
  • Capabilities: As with any recently introduced product, customers should expect that Azure WAF lacks some of its competitors’ features. It lacks an integrated CDN, bot management and user credential abuse detection. It cannot block based on geolocation or inspect for malware.
  • Customer Experience: Rule propagation can take several minutes. WAF onboarding, based on deploying an Application Gateway virtual appliance, is more complicated than that of its cloud-native WAF competitors.
  • Customer Experience: Because of the limited number of deployments protecting applications in production, feedback on Azure WAF is scarce. Early adopters mention initial scalability issues, because Microsoft’s WAF is built on VMs in the back end, and it lacks the ease of autoscaling that other cloud-native WAFs offer.
  • Technical Architecture: Azure WAF is built on top of Azure Application Gateway. It lacks autoscaling features, requiring the use of an Azure load balancer (Traffic Manager) to dynamically route traffic between Azure WAF instances in multiple data centers.

Oracle

Oracle is in the Visionaries quadrant. Although the product is relatively recent, and feedback is scarce, Zenedge, its recently acquired WAF solution, uses machine learning to risk score events as a differentiator in this market.
Oracle is a large provider of applications, databases and cloud services, with headquarters in Redwood Shores, California. Originally known for its database products, Oracle now offers a broad portfolio of solutions, including IaaS (Oracle Cloud Infrastructure [OCI]). Oracle offers multiple products in security, notably comprising identity and access management (IAM), cloud access security brokers (CASBs), security information and event management (SIEM), compliance, data security, and managed security services. Oracle acquired Dyn, a managed domain name service (DNS) provider, in 2016. Oracle then acquired Zenedge, a cloud-native WAF provider, in February 2018. Zenedge is now a relatively small team, part of OCI, and the WAF product has been rebranded as Oracle WAF. Oracle continues to offer Oracle WAF as a managed service.
Zenedge was under evaluation for this market research before the acquisition. Recent product news includes the release of a bot mitigation solution, combining JavaScript challenges, Captcha and rate limiting, and improved management API.
Oracle WAF is a good shortlist candidate for organizations looking at a managed cloud WAF service, especially those looking for new ways to detect anomalies.

Strengths
  • Market Responsiveness: Surveyed customers liked the vendor’s responsiveness to feature requests, and the regular product improvements.
  • Market Execution: Through OEM agreement, the vendor has quickly acquired a sizable customer base.
  • Customer Experience: Although the solution is still recent, early feedback on the new bot manager features is promising. The vendor’s team in charge of managing the WAF also gets good scores from surveyed customers and resellers.
  • Capabilities: Oracle WAF leverages statistical analysis to create a risk score for suspicious requests, and triggers alerts, or blocking actions, based on this score. Feedback from customers indicates that this feature enables them to better tune the WAF configuration, and to focus on important events.
  • Capabilities: As Zenedge is now part of Oracle, it can get visibility on a big chunk of traffic, which could be useful to further improve the learning algorithms and, therefore, the quality of Oracle WAF’s detection.
  • Support: Contacted customers confirmed to Gartner analysts that the acquisition had no impact on the quality of their interactions with Zenedge team.

Cautions
  • Product Strategy: Zenedge, a relatively small startup, has been acquired by Oracle, which is a cloud provider and a large enterprise. In other network and application security acquisitions, Gartner analysts have observed that a cultural chasm, and potential conflicts in roadmap priorities could slow down feature delivery. Prospects, especially those protecting applications not hosted on Oracle cloud, should request commitment on the vendor’s roadmap delivery, in case required capabilities are missing at the time of purchase.
  • Technical Architecture: Oracle WAF infrastructure lacks points of presence in China, the Middle East and Africa. It has a limited number of points of presence in South America and Asia. Oracle infrastructure is global, so the vendor might quickly increase the number of available points of presence for Oracle WAF.
  • Capabilities: Although many features are available with a self-service portal, Oracle recommends to its customers to connect with Oracle Dyn managed services team to onboard new applications. Oracle WAF does not yet integrate with SIEM vendors. Logs can be exported in a comma-delimited flat file (.csv) format, or pulled through an API, but are not available in CEF or over syslog.
  • Customer Experience: Customers would like to see improvements in Oracle WAF’s reporting. The event view, which is different from the active-learning view, where the risk score appears, does not aggregate individual alerts into attack or attack campaign, resulting in a large number of alerts.
  • Product: Some early clients highlighted that Zenedge WAF, prior to the acquisition, was still a work in progress, lacking some expected features. Oracle Dyn has a smaller team for WAF-related threat research, compared with many of its leading competitors.
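The caution above notes that Oracle WAF events leave the platform as a CSV export or via API, but not as CEF or over syslog. The glue a SIEM team would have to write in that situation is shown below as an added example; it is not Oracle’s code, and the CSV column names (timestamp, client_ip, host, uri, rule_id, attack_type, action, risk_score) are an assumption for illustration, not the vendor’s export schema. It converts each CSV row to a CEF record with the escaping the CEF format requires (pipe and backslash in header fields, equals and backslash in extension values) and wraps it in an RFC 5424 syslog frame whose PRI is derived from the risk score.

```python
"""Convert a WAF CSV event export into CEF lines inside syslog frames.

Added example, not vendor code. The CSV schema below is assumed.
"""
import csv
import io
import socket

# Constructed sample export. The second row deliberately contains '|', '='
# and '\' so that the escaping paths are exercised.
SAMPLE_CSV = r"""timestamp,client_ip,host,uri,rule_id,attack_type,action,risk_score
2018-07-17T10:01:02Z,203.0.113.7,shop.example,/login,SQLI-001,SQL Injection,block,92
2018-07-17T10:01:05Z,198.51.100.9,shop.example,/search?q=a=b|c\d,XSS-014,XSS (reflected|stored),alert,41
"""


def cef_escape(value, header=False):
    """Escape a value for CEF. Header fields escape '|' and '\\';
    extension values escape '=' and '\\'. Line breaks are encoded."""
    s = str(value).replace("\\", "\\\\")
    s = s.replace("|", "\\|") if header else s.replace("=", "\\=")
    return s.replace("\r", "\\r").replace("\n", "\\n")


def severity_from_score(score):
    """Map a 0-100 WAF risk score onto CEF's 0-10 severity scale."""
    return max(0, min(100, int(score))) // 10


def row_to_cef(row, vendor="Oracle", product="WAF", version="1.0"):
    """Build one CEF record: header fields joined by '|', then the
    space-separated key=value extension."""
    header = [
        "CEF:0", vendor, product, version,
        row["rule_id"], row["attack_type"],
        str(severity_from_score(row["risk_score"])),
    ]
    # Standard CEF extension keys; cn1/cn1Label carry the raw risk score.
    extension = {
        "rt": row["timestamp"],
        "src": row["client_ip"],
        "dhost": row["host"],
        "request": row["uri"],
        "act": row["action"],
        "cn1": row["risk_score"],
        "cn1Label": "riskScore",
    }
    head = "|".join(cef_escape(h, header=True) for h in header)
    tail = " ".join(f"{k}={cef_escape(v)}" for k, v in extension.items())
    return f"{head}|{tail}"


def syslog_severity(cef_severity):
    """CEF severity 8-10 -> syslog critical(2); 5-7 -> warning(4); else info(6)."""
    if cef_severity >= 8:
        return 2
    if cef_severity >= 5:
        return 4
    return 6


def syslog_frame(row, hostname="waf-export", facility=20):
    """Wrap a row's CEF record in an RFC 5424 header. facility 20 = local4."""
    pri = facility * 8 + syslog_severity(severity_from_score(row["risk_score"]))
    return f"<{pri}>1 {row['timestamp']} {hostname} waf-csv2cef - - - {row_to_cef(row)}"


def convert_csv(text):
    """Return one syslog-framed CEF line per CSV row."""
    return [syslog_frame(row) for row in csv.DictReader(io.StringIO(text))]


def send_udp(lines, host, port=514):
    """Ship the frames to a syslog collector over UDP (one datagram each)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        for line in lines:
            sock.sendto(line.encode("utf-8"), (host, port))


if __name__ == "__main__":
    for line in convert_csv(SAMPLE_CSV):
        print(line)
```

Run it as-is to see the two frames on stdout; point `send_udp(convert_csv(open(path).read()), collector_host)` at a collector to deliver them. The escaping helper is the part worth keeping: a request URI containing `=` or `\` that is copied into a CEF extension unescaped silently corrupts the field on the SIEM side.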

Radware

Radware is in the Visionaries quadrant. This vendor has robust technical capabilities, delivers most of its technology consistently across on-premises and cloud-based deployments, and has a good understanding of DevOps environments. However, the vendor lags behind the leaders in visibility in WAF shortlists.
Based in Tel Aviv, Israel, and Mahwah, New Jersey, Radware is a DDoS protection, application delivery and application security provider, employing nearly 1,000 people. Alteon, its ADC platform, continues to contribute significantly to its revenue. However, Radware’s security portfolio drives the vendor’s growth, with a DDoS mitigation appliance (DefensePro) and a cloud DDoS mitigation service (Cloud DDoS Protection). Radware also offers a specialized security solution for carriers and service providers (DefenseFlow). Its WAF, AppWall, may be deployed as a physical or virtual appliance, as a module on top of Radware’s ADC appliance (Alteon) or, using the same technology, as part of Radware’s Cloud WAF Service. Radware Cloud Security Services is a fully managed service that delivers security through three categories of protection: cloud DDoS protection service, application protection (cloud WAF service and cloud web acceleration service), and cloud CDN.
Recent announcements on Radware products include the release of AppWall to support Microsoft Azure. Radware has also introduced security policy templates (customizable) to accelerate the WAF deployment and improve its bot mitigation feature.
Radware is a good shortlist candidate for most organizations, especially those that want strong positive security and want to deploy the same security levels across hybrid environments. Organizations with high-security use cases, or applications that are unlikely to be compatible with a whitelisting approach should engage in security testing, as part of the evaluation of the technology.

Strengths
  • Capabilities: Radware’s Emergency Response Team (ERT) leverages in-house threat research and provides 24/7 managed SOC, in addition to ad hoc support, when Radware’s customers are under attack.
  • Product Strategy: At the heart of the AppWall WAF technology is Radware’s automatic policy learning. Radware’s engine tracks changes and updates to the application and updates the policy, also leveraging integration with AST solutions to implement virtual patches in case of new vulnerabilities. This also works for APIs.
  • Customer Experience: Radware customers praise the combination of high-efficacy DDoS protection and WAF. Users of the AppWall appliances are satisfied with the level of effort required to tune the positive security model.
  • Market Execution: Many customers of Radware’s WAF were initially DDoS protection customers, or purchase the WAF and DDoS protection offers all together. Radware’s good reputation in the DDoS protection space reflects positively on its WAF prospects.
  • Cloud WAF Service: Radware customers, relying on the vendor to manage the WAF, express satisfaction with the vendor’s professional service and incident response (ERT) teams.
  • Vertical Strategy: Radware has good visibility in media and retail organizations, two vertical segments combining large-scale web applications, budget constraints and relatively small security teams.
  • Marketing Strategy: The vendor regularly publishes threat reports as a tool to raise awareness about issues. However, this also incidentally demonstrates the efficacy of its approach.

Cautions
  • Customer Experience: Although comments on support are generally positive, customers in the APAC region are less satisfied with the timeliness of the response from Radware’s support for issues that require more than a canned answer.
  • Cloud WAF Service: Managed WAF is not the preferred option for many customers; however, it is the main option for Radware cloud WAF service. Radware cloud WAF service clients express interest in further improvements of the self-service management capabilities.
  • Customer Experience: Radware’s customers cite a need to improve the AppWall UI. It scores low on surveys, and the most frequently cited issue is its lack of intuitiveness, when searching for a configuration option. Customers also comment on the lack of out-of-box reports related to compliance. These reports are available on APSolute Vision reporter, Radware’s dedicated reporting solution.
  • Capabilities: Some prospects encountered challenges successfully implementing Radware’s positive security approach.
  • Market Execution: Radware is not as visible in U.S. shortlists as many of its competitors. Organizations evaluating AppWall should focus on their evaluation of the vendor’s capabilities, relative to their requirements, rather than on the overly aggressive communications from the vendor and its channel partners, who frequently exaggerate capabilities relative to leading competitors.
  • Customer Experience: Radware customers continue to be dissatisfied with the training and documentation on AppWall, mentioning that it lengthens the learning curve when trying to deploy the technology, implement new features or understand whether there’s a configuration issue.

Rohde & Schwarz Cybersecurity

Rohde & Schwarz Cybersecurity is in the Niche Players quadrant. Its WAF appliance product line bundles several advanced security features, resulting in most deployments being in blocking mode. The vendor struggles with market reach beyond its home country, and its cloud WAF offering has made little progress.
Headquartered in Munich, Germany, Rohde & Schwarz is a large electronics group. The vendor has acquired several vendors to build Rohde & Schwarz Cybersecurity, which has almost 500 employees. Its WAF business unit, DenyAll, was acquired in 2017, and employs nearly 90 people. In addition to the R&S Web Application Firewall, Rohde & Schwarz Cybersecurity’s products include R&S Unified Firewalls (acquired from German company gateprotect), a network firewall targeting midsize enterprises, and endpoint security solutions.
A key concept in the DenyAll WAF is the use of a graphical workflow to configure traffic processing and inspection. The workflow view is a diagram where administrators can drag and drop controls, response modifications and other actions. The DenyAll WAF is available on AWS and Microsoft Azure. R&S Cloud Protector is the cloud WAF service solution.
In addition to the rebranding, recent news includes a refresh of the WAF appliance product line, active-active high availability and improved processing of JSON payloads.
Rohde & Schwarz Cybersecurity is a good shortlist contender for organizations looking for a WAF appliance, combining ease of use and in-depth security features, especially those located in Europe.

Strengths
  • Customer Experience: Rohde & Schwarz customers like the graphical workflow, backed up by a more traditional view. Former DenyAll rWeb users noted that the addition of a web security engine in the new WAF product improved their results.
  • Product Strategy: Following the acquisition, the DenyAll team maintained an open security culture, participating in events where they let penetration testers try to hack or pass through the WAF. R&S WAF is also one of the only products evaluated in this research with an official bug bounty program.
  • Capabilities: DenyAll WAF includes multiple analysis engines and leverages user session risk scoring to ensure accurate detection and low false-positive rates.
  • Capabilities: Building on previous enhancements to its reporting solution, Rohde & Schwarz has improved its investigative capabilities by enabling attack replay and dedicated investigation dashboards.
  • Capabilities: Through the management console, R&S Cloud Protector offers only predefined configurations, as do most cloud WAF services built on the foundation of a WAF appliance. However, customers can fully manage the WAF through the API.
  • Customer Experience: Customers continue to give positive feedback about presale and postsale local support.

Cautions
  • Market Responsiveness: The number of new features released on R&S WAF and R&S Cloud Protector has been severely limited for a few years now. Smaller vendors evaluated for this research have achieved significantly more during the same period, especially when it comes to the development of a cloud WAF service.
  • Marketing and Sales Execution: Even though the acquisition gave DenyAll access to Rohde & Schwarz’s sales force, the vendor is losing market share.
  • Capabilities: The acquisition by Rohde & Schwarz has not led to significant investment in DenyAll’s small threat research team. Following an attack campaign, DenyAll WAF does not automatically deploy ad hoc signatures; it relies on its generic engine, leaving customers to work out from the detailed log information whether a triggered alert relates to a recent campaign.
  • Capabilities: Rohde & Schwarz does not offer unified centralized management for its WAF appliance and R&S Cloud Protector. The vendor offers limited bot mitigation, compared with many of the vendors evaluated in this research.
  • Geographic Strategy: R&S WAF is not visible in shortlists outside its original home market, France, and Germany. Prospective customers outside of these countries should verify the availability of peer references.
  • Customer Experience: Many customers complain about the Java-based UI and would like a faster transition to the web-based management that has been promised for years. They also note that bot mitigation could be better.

Vendors Added and Dropped

We’ve updated the inclusion criteria to reflect enterprises’ more demanding requirements. Part of the change is a new requirement for vendors to have a customer base outside of their home region.
We review and adjust our inclusion criteria for Magic Quadrants as markets change. As a result of these adjustments, the mix of vendors in any Magic Quadrant may change over time. A vendor’s appearance in a Magic Quadrant one year and not the next does not necessarily indicate that we have changed our opinion of that vendor. It may be a reflection of a change in the market and, therefore, changed evaluation criteria, or of a change of focus by that vendor.

Added

  • Microsoft (Azure)
  • Oracle (acquired Zenedge)

Dropped

  • NSFOCUS, Penta Security, Positive Technologies and Venustech were dropped, due to updated and more-demanding inclusion criteria.

Inclusion and Exclusion Criteria

WAF vendors that meet Gartner’s market definition/description are considered for this Magic Quadrant under the following conditions:
  • Their offerings can protect applications running on different types of web servers.
  • Their WAF technology is known to be approved by qualified security assessors as a solution for PCI DSS Requirement 6.6, which covers Open Web Application Security Project (OWASP) Top 10 threats, in addition to others.
  • They provide physical, virtual or software appliances, or cloud WAF service.
  • Their WAFs were generally available as of 1 January 2017.
  • Their WAFs demonstrate global presence, and features/scale relevant to enterprise-class organizations:
    • $12 million in WAF revenue during 2017, and able to demonstrate that at least 200 enterprise customers used its WAF products under support as of 31 December 2017.
    • And, the vendor must have sold at least 40 net-new customers in 2017.
    • Or, $7 million in WAF revenue during 2017, and two years of compound annual revenue growth of at least 30%.
  • The vendor must provide at least three WAF customer references for WAF appliances, or three customer references for cloud WAF service, or both, if the vendor offers both solutions.
  • The vendor must demonstrate minimum signs of global presence:
    • Gartner received strong evidence that more than 5% of its customer base is outside its home region. Vendors appearing in Gartner client inquiries, competitive visibility, client references and the vendor’s local brand visibility are considered.
    • The vendor can provide at least two references outside its home region.
  • The provider offers 24/7 support, including phone support (in some cases, this is an add-on, rather than being included in the base service).
  • Gartner has determined that they are significant players in the market, due to market presence, competitive visibility or technology innovation.
  • Gartner analysts assess that the vendor’s WAF technology provides more than a repackaged ModSecurity engine and signatures.
  • The vendor must provide evidence to support meeting the above inclusion requirements.
WAF companies that were not included in this research may have been excluded for one or more of the following reasons:
  • The vendor primarily has a network firewall or IPS with a non-enterprise-class WAF.
  • The vendor is primarily a managed security service provider (MSSP), and WAF sales mostly come as part of broader MSSP contract.
  • The vendor is not actively providing WAF products to enterprise customers, or has minimal continued investments in the enterprise WAF market.
  • The vendor has minimal or negligible apparent market share among Gartner clients, or is not actively shipping products.
  • The vendor is not the original manufacturer of the firewall product. This includes hardware OEMs, resellers that repackage products that would qualify from their original manufacturers, and carriers and internet service providers (ISPs) that provide managed services. We assess the breadth of OEM partners as part of the WAF evaluation, and do not rate platform providers separately.
  • The vendor has a host-based WAF, WAM, RASP or API gateway (these are considered distinct markets).
In addition to the vendors included in this Magic Quadrant, Gartner tracks other vendors that did not meet our inclusion criteria because of a specific vertical market focus and/or WAF revenue and/or competitive visibility levels in WAF projects, including A10 Networks, Alibaba, Alert Logic, Array Networks, Avi Networks, Beijing Chaitin Technology, Brocade, DBAppSecurity, DB Networks, ditno., Indusface, Kemp Technologies, Limelight, ModSecurity, NGINX, NSFOCUS, Penta Security, PIOLONK, Positive Technologies, Qualys, Sangfor, SiteLock, Sucuri, Threat X, Trustwave, Venustech, Verizon and Wallarm.
The adjacent markets focusing on web application security continue to be innovative. This includes the RASP market and other specialized vendor initiatives. Those vendors take part in web application security, but often focus on specific market needs, such as bot mitigation (Distil Networks, PerimeterX, Shape Security and Stealth Security), or take an alternative approach to web application security (e.g., Signal Sciences and tCell).

Magic Quadrant for Disaster Recovery as a Service

Published 12 July 2018 – ID G00336410 – 45 min read


The disaster-recovery-as-a-service market consists of hundreds of providers, all with different approaches and capabilities. This creates immense complexity around vendor selection. Infrastructure and operations leaders should use this Magic Quadrant to help evaluate providers of DRaaS.

Market Definition/Description

This document was revised on 20 July 2018. The document you are viewing is the corrected version. For more information, see the Corrections page on gartner.com.
Gartner defines the disaster recovery as a service (DRaaS) market as a productized service offering in which the provider manages server image and production data replication to the cloud, disaster recovery run book creation, automated server recovery within the cloud, automated server failback from the cloud, and network element and functionality configuration, as needed. Source servers supported must include a combination of both virtual and physical. To be considered DRaaS versus other options that enable do-it-yourself recovery, all elements of the service must be included in the service offering contract between the provider and customer, and offer a standardized SLA for recovery.
Services may be delivered by the provider as a fully managed offering, as an assisted recovery offering or as self-service:
  • Fully managed services are those where the provider is solely responsible for all aspects of the service offering.
  • Assisted recovery is where the provider is responsible for the recovery infrastructure and manages data replication. The customer is responsible for run book creation and operating the recovery solution in the event of a recovery exercise or following an actual disaster declaration. Solutions where the provider is able to take control via a support process, but does not assume full management responsibility for all services for exercising or event declaration, fall into this category.
  • Self-service offerings are those where customers are willing to share increased responsibility for action, such as recovery configuration activation and shutdown, managing virtual machine (VM) replication, recovery plan creation, and updates. It supports greater control by end users over the server image replication, failover and failback procedures. Service providers must make tools available to accomplish these tasks, but they do not have a responsibility to operate the tools.
The fiscal responsibility for all infrastructure utilized must be on the provider, versus using customer-owned assets, independently procured cloud infrastructure as a service (IaaS) or other separate hosting contracts. This last factor is what separates self-service offerings from true “do it yourself” (DIY) cloud-based solutions, where, although you may purchase the tools from a single provider, you are responsible for all of the cloud-based infrastructure for recovery.

Current Market

As stated in the 2017 iteration of this Magic Quadrant, DRaaS is now a mainstream offering. In fact, Gartner estimates it to currently be a $2.40 billion worldwide business, and it is expected to reach $3.73 billion by 2021. Yet its mainstream status does not make it less complex for potential customers to choose which offering is best for them.

Key Differences in This Year’s Magic Quadrant

Some minor changes in the 2018 Magic Quadrant are associated with the DRaaS definition itself. Examples include the requirement for automated failback, and a delineation between DRaaS and products or solutions that enable cloud-based disaster recovery through a variety of means. There is now a further focus on those vendors that serve clients who wish to procure DRaaS separately, instead of as part of a larger data center outsourcing solution.
Larger changes were made to sharpen the purpose of the DRaaS Magic Quadrant as a tool to assist Gartner end-user clients in evaluating DRaaS providers. The biggest changes for 2018 materialized in the form of evolved inclusion and exclusion criteria, and even greater emphasis on “value for money” when it comes to support for heterogeneous platforms.

Inclusion and Exclusion Criteria

Several providers who were in the 2017 DRaaS Magic Quadrant were excluded in 2018. Their exclusion should not be interpreted as their offerings being inferior — in fact, in many cases, the opposite is true. Rather, the new inclusion and exclusion criteria served two purposes:
  • Bring additional focus in terms of Gartner client buyer persona.
  • Help answer the simple question, “If I want DRaaS and only DRaaS, which providers are the most relevant?” by differentiating further tangential service offerings related to traditional disaster recovery, workplace recovery, data center outsourcing (DCO), cloud-enabled managed hosting or managed services on public cloud — many of which have Magic Quadrants of their own.
Specific changes made in 2018 include a requirement that direct sales, rather than channel partners such as managed service providers (MSPs), value-added resellers (VARs) and system integrators (SIs), be the primary sales focus. We made a further distinction between industrialized, repeatable DRaaS offerings and customized disaster recovery, and added a requirement that most existing customers of the DRaaS service provider have more than $50 million in revenue.
As a result of these changes, the number of service providers decreased significantly from last year. Note also that because there are fewer types of providers, the degree of differentiation for certain attributes can be affected. Consequently, we do not recommend comparing last year’s placement with 2018’s. More details and information on the excluded organizations are in the Dropped Vendors section.

Value of Heterogeneous Platform Support

Mainframe, UNIX, and other proprietary, heterogeneous platforms have experienced a rapid decline in terms of need, per Gartner end-user inquiry trends. The trailing 12 months saw less than 50% of the client interest on these topics compared to the prior period. In the past, the ability to support platforms like mainframe and UNIX was considered a differentiator because there were few providers in the marketplace selling DRaaS-only offerings for those platforms. The DRaaS market continues to evolve where that is becoming less of a buying factor due to end-user plans to replatform or migrate the associated applications to SaaS. When plans to replatform or migrate from those legacy platforms are not in place, the client may find that using colocation for those one-offs is better from a total cost of ownership (TCO) perspective. Or when the client is very large, the initiative evolves from DRaaS to a larger DCO opportunity. Consequently, less credit was given to providers by virtue of having non-x86 DRaaS support, and greater emphasis was placed on the comparative value associated with competing options.

Magic Quadrant

Figure 1. Magic Quadrant for Disaster Recovery as a Service

Source: Gartner (July 2018)

Vendor Strengths and Cautions

Bluelock

Bluelock was founded in 2006 as a managed hosting and IaaS provider. In the past four years, the company has primarily invested in and focused on its DRaaS offerings for U.S.-based midsize and large companies. Bluelock is not large in terms of scale. However, where it continues to stand out is its very hands-on and consultative, business-focused sales approach and in its customer onboarding process. Through this “Bluelock Experience,” the organization helps clients gain constituent alignment, recovery assurance and colocation recovery integration. On 15 March 2018, Bluelock was acquired by InterVision as a complement to its existing managed services offerings.
Primary Support Approaches: Fully managed via Bluelock, or assisted after initial onboarding by Bluelock.
Primary Workloads Supported: Virtual x86 with integrated colocation capabilities for non-x86 workloads.
Regional Recovery Presence: Two locations in the U.S. — Indianapolis, Indiana, and Las Vegas, Nevada.
Customer Complexity: Experienced with supporting up to 75 server images in combined physical and virtual environments, and over 300 server images in virtual-only environments.
Recommended Use: U.S. companies that desire a business-related, high-touch approach toward DRaaS and have heterogeneous workloads that require not only colocation, but also integration into a recovery plan.

Strengths
  • Bluelock supports a “roll back” option (only available for DRaaS Ready) that will allow the client to bring the DR site online to act as the production site. The production site then acts as the DR site with reverse replication between the two maintained.
  • Customer satisfaction is often a strong point with Bluelock, which may be related to the zero turnover in customer-facing support staff throughout 2017.
  • Recovery Assurance — the process of fully managing onboarding, DR Playbook creation and maintenance, and recovery response, and providing attestation of successful recovery testing — is a core offering and a focus for most of Bluelock’s customers.

Cautions
  • Although its portal interface, known as Portfolio, is very good, its lack of overarching orchestration across physical and virtual platforms shows that Bluelock’s focus is still on fully managed offerings, where its internal teams can overcome the lack of a centralized automation capability.
  • Bluelock clients remain responsible for all security monitoring and management of the virtual machines in their Virtual Datacenter while those VMs are running at the recovery site during a failover event; the client’s own monitoring, logging and patching tooling must therefore be able to reach, or be replicated into, the recovery environment.
  • While Bluelock takes a very consultative approach to selling its solutions, it leverages partners for advanced services such as performing application dependency mapping and business impact analysis for customers.
  • The two included tests are only sandbox tests that are conducted during business hours. Those tests do include project management, playbook validation, debriefs and test certificates. However, full-scale failover tests or advanced tests will require either more advanced testing options negotiated upfront or additional time and materials (T&M) engagements.

C&W Business

C&W Business operates in over 20 countries in the Caribbean, Latin American and North American regions. Its customer support centers offer both Spanish and English interactions. Technical support services are also provided in both languages. The company operates as a subsidiary of Liberty Latin America. The foundation for much of C&W’s differentiation with respect to DRaaS is rooted in its multicountry network connectivity capabilities, as well as its commitment to full service for IBM-based platforms and x86 environments.
Primary Support Approaches: Fully managed, although self-service is an option.
Primary Workloads Supported: Physical and virtual x86, UNIX (AIX, Solaris), and IBM i.
Regional Recovery Presence: Seven regional data centers — Miami, Florida; the Cayman Islands; Panama (two); Curaçao; and Bogota, Colombia (two).
Customer Complexity: Experienced with support of up to 200+ server images, with multiple database and application cluster environments.
Recommended Use: When regional needs, especially network connectivity and hybrid recovery, are priorities for low- to medium-complexity environments, or when organizations have a desire for complete data center outsourcing.

Strengths
  • C&W Business has a focus on “medium-complex” clients, which often includes applications and platform variations such as Oracle DB, IBM i and fully managed services.
  • With an onboarding timeline that completes in as little as 14 days, C&W Business can quickly initialize new client environments.
  • It is one of the few service providers that offers IaaS-based DRaaS solutions for AIX/iSeries.

Cautions
  • C&W Business only offers SLA credits when monthly availability falls below 99.6% or its response time exceeds three hours.
  • For fully managed services, implementation and additional test fees listed by C&W Business are charged on a per-VM basis and were the highest of any vendor in the Magic Quadrant. However, all contracts do include three tests per year as a way to offset the need for additional tests.
  • Clients are free to change their choice of recovery data centers utilized from any of the six locations. However, they will still need to relocate data, unless they have utilized the additional-cost option to proactively have data resident in multiple locations.

CloudHPT

CloudHPT is the cloud solution division of BIOS Middle East Group. It is headquartered in the United Arab Emirates and principally serves the Gulf Cooperation Council (GCC) region. It was founded in 2002, and its business is focused on cloud services for IaaS, DRaaS and backup as a service (BaaS) for both customer environments and major SaaS providers.
Primary Support Approaches: Fully managed.
Primary Workloads Supported: Physical and virtual x86.
Regional Recovery Presence: Four data center locations: two in the U.A.E. (Dubai and Abu Dhabi) and two in Saudi Arabia (Jeddah and Riyadh).
Customer Complexity: Historically fewer than 140 servers for DRaaS itself, but adept with handling regional networking limitations and political aspects.
Recommended Use: Organizations with data residency requirements in the Middle East.

Strengths
  • CloudHPT deploys workload discovery tools during the sales engagement, which are used to help enable onboarding and capture changes to the environment during the contract period. The service offering also includes monthly virtual test (noninvasive) and a full annual disaster recovery (DR) test without additional charge.
  • CloudHPT is one of the few MSPs that can meet the needs of clients with in-country requirements within Dubai and Saudi Arabia. It also has some existing clients configured for recovery to Amazon Web Services (AWS) and Microsoft Azure, within and outside of the Middle East.
  • The vendor has a strong focus on disaster avoidance through proactive security information and event management (SIEM) capabilities, as evidenced by its SIEM as a Service, which is included in its DRaaS offering for the first 100 days.

Cautions
  • CloudHPT will begin to see more competition as larger players gain greater in-country presence in the region. While some of this risk has been partially mitigated through automation and partnerships, potential customers must factor that into the sourcing decision.
  • Geopolitical risk in the region can alter — and has altered — plans for expanded service locations.
  • CloudHPT is thinner in its leadership ranks than most in the Magic Quadrant. Prospective clients are encouraged to inquire about succession planning in order to reduce potential risk.

Expedient

Expedient is a colocation, cloud and data center IaaS provider headquartered in Pittsburgh, Pennsylvania. It was founded in 2001. Expedient provides DRaaS to clients hosted within its data centers and separately as a service for customers hosting their production workloads on-premises or in other locations using On-Site Private Cloud appliances.
Primary Support Approaches: Fully managed.
Primary Workloads Supported: Physical and virtual x86.
Regional Recovery Presence: Midwest, mid-Atlantic and Northeastern portions of the U.S.
Customer Complexity: Experienced with support of up to 600+ server images, with dedicated infrastructure in up to three locations.
Recommended Use: Organizations that prefer Expedient’s regional locations and local staff along with compute resources that can be utilized for more than just DR.

Strengths
  • Expedient’s Push Button DR can rapidly fail over entire sites with minimal interruption to external service availability by leveraging Border Gateway Protocol (BGP) during failover instead of making DNS modifications.
  • Although a regional player, Expedient mitigates the risk of there not being resources for clients in the event of a regional outage by not oversubscribing clients across its resource pools.
  • Customer references repeatedly stated that the buying process featured quick turnaround for proposals, and that sales engagements weren’t “pushy.” References most often reported functional capabilities as the key factor in choosing Expedient over other providers.

Cautions
  • Expedient’s pricing is on the higher end of the spectrum. Proposals contain cost protections for Expedient’s data center costs and software costs that are similar to those found in colocation provider contracts.
  • Gartner believes Expedient’s sales proposal collateral and commercial service description structures can be confusing in places and could lead to unintentional misinterpretation. Examples include the degree to which compute resources are “committed” and the extent to which RTO/RPO-specific SLAs are included.
  • While localized resources for sales and support are available in the areas that Expedient supports, outside of those areas of focus it provides remote staff, just as many other providers do.

IBM

The IBM Resiliency Services portfolio consists of over 13 services that fall into categories including advisory services, business continuity, backup and data protection, facilities and data center services, and disaster recovery. The latter includes traditional options such as disaster recovery and work area recovery, as well as newer offerings such as Cyber-Resilience Services, Resiliency Orchestration (which has evolved from its 2016 Sanovi Technologies acquisition) and Disaster Recovery as a Service.
Primary Support Approaches: Fully managed.
Primary Workloads Supported: Physical and virtual x86, UNIX (AIX, Solaris, HP-UX), IBM i, IBM Z, storage area network (SAN) replication, and database appliances.
Regional Recovery Presence: Over 100 IBM Resiliency Data Centers spanning North America, Latin America, Europe, the Middle East, Africa and Asia/Pacific, and a global presence for Orchestrated DRaaS for IBM Cloud in 19 countries.
Customer Complexity: Experienced in supporting clients with complex heterogeneous environments, over 1,000 server images, involving two recovery locations, four recovery tiers, 200+ database instances and 300+ application recovery runbooks.
Recommended Use: Organizations that desire fully managed DRaaS and global support for IBM hardware offerings, and organizations that need additional related services in addition to DRaaS.

Strengths
  • IBM is one of three vendors in this Magic Quadrant with significant non-x86 workload and mainframe recovery experience. Moreover, IBM has supported more than 1,000 recoveries since 1989.
  • IBM is the strongest among the Magic Quadrant providers in terms of depth and breadth across its overall Resiliency Services portfolio. This can well serve clients who wish to evolve recovery options over a longer period of time as business needs change.
  • IBM is well-positioned over the longer horizon in terms of supporting clients with fragmented, distributed environments across several platforms. This is due to IBM’s long-term strategic vision and skilled engineers and project managers.

Cautions
  • Gartner clients and customer reference sentiment consistently point to IBM DRaaS prices being too high in relation to value. This holds for UNIX and mainframe DRaaS as well.
  • IBM has had widespread marketing around cognitive-related disaster resiliency, bolstered by its strategic assets, like Watson and The Weather Company, for several years. This can be confusing for clients, because DRaaS-specific contracts themselves don’t exhibit demonstrable mapping to those capabilities in terms of unique service levels. Similarly, newer Recovery Orchestration service offerings can be confusing to potential customers because of multiple usage scenarios. It is sometimes positioned as a DIY solution that can use IBM Cloud (separate business unit), other times as a component for self-service DRaaS and sometimes truly more of a “how” IBM delivers fully managed services.
  • IBM’s customer reference satisfaction scores were low. Areas for improvement cited were linked to service and support issues and limitations regarding on-demand options for scheduling and billing.

iland

Founded in 1994 as a website development company, and headquartered in Houston, Texas, and London, iland created its colocation and managed hosting offerings around 2000. It first delivered its VMware-based IaaS offering in 2008, with coinciding cloud-based recovery offerings. Today, the portfolio is global in nature and primarily consists of iland Secure Cloud (IaaS), iland Secure Disaster Recovery as a Service (DRaaS) and iland Secure Cloud Backup. In the past 12 months, it has expanded its geographic presence, added new fully managed support offerings and expanded the platforms it can support through the use of additional service delivery partners.
Primary Support Approaches: Self-service, assisted self-service.
Primary Workloads Supported: Primarily physical and virtual x86.
Regional Recovery Presence: Three recovery centers in the U.S., two in the U.K., one in Amsterdam, Netherlands, one in Australia and one in Singapore.
Customer Complexity: Experienced supporting up to 500+ servers under management with up to two locations under management.
Recommended Use: Organizations with compliance and/or network complexities that desire VMware-based IaaS as well as DRaaS in a self-service manner.

Strengths
  • Pricing of its DRaaS services is among the lowest within this year’s Magic Quadrant.
  • The iland Customer Success Center, its online community for sharing best practices and ideas, enables self-supported customers to learn from each other’s experiences.
  • Compliance with financial, legal, healthcare, security and sovereign requirements is often necessary for DRaaS, and is enabled by iland’s compliance team and certification programs.
  • Contract lengths are flexible, varying from only month-to-month commitments up to 60 months if desired by customers.

Cautions
  • Although iland has once again started offering fully managed DRaaS support, its offering is still very much oriented toward self-supported or assisted-support configurations.
  • Application-integrated protection for disaster recovery is entirely up to customers to configure and support.
  • Customer references point to financial reporting within the iland console as an opportunity to improve the service capabilities.

Microsoft

Microsoft provides infrastructure, platform and software services as well as DRaaS through its Azure Cloud Services. Azure Site Recovery (ASR) is part of the Operations Management Suite. Microsoft built ASR internally, and then integrated the InMage technology it acquired in 2014 to now provide DR for VMware, Hyper-V and physical workloads. In the past year, Microsoft has improved its ASR cloud-to-cloud protection roadmap and improved its install experience by offering a new virtual-based appliance approach.
Primary Support Approaches: Self-service.
Primary Workloads Supported: Physical and virtual x86.
Regional Recovery Presence: Global, with more than 35 locations across the Americas, Europe and Asia.
Customer Complexity: Experienced with support of up to 300+ server images, with integrations to support application-specific replication and recovery via additional scripting.
Recommended Use: When low costs and unlimited, pay-as-you-go testing are priorities for low-complexity, x86-only environments.

Strengths
  • Pricing is competitive. No long-term contracts are required to try ASR. All testing and data storage are based on actual utilization. Microsoft has significant global reach and service consistency, which is scalable for the future.
  • Microsoft has addressed some areas of customer onboarding friction by now providing a virtual ASR appliance that automates some of the previous steps required. This has resulted in improved ease of use and made the service less prone to configuration issues.
  • Gartner believes Microsoft will continue to invest heavily in ASR because the same service underpinnings are also being leveraged for its migration services. Similar investment levels are expected with ancillary add-on services like Traffic Manager, which helps clients minimize downtime for public-facing endpoints by redirecting traffic from on-premises to ASR upon failover.

Cautions
  • Limitations and initial sizing considerations require upfront analysis to determine fit for purpose and TCO. Examples include the need for customers to provide on-premises configuration servers, constraints related to workloads with higher change rates, compute resource usage by the guest agent on the protected servers, and limited failback options for physical workloads following a DR event.
  • Microsoft has made significant improvement over the last year in terms of documentation and support. However, due to the complexity of setup and operations for ASR, many customers use partners for initial onboarding or long-term operations. Moreover, Gartner frequently hears from clients who were unable to use ASR due to missing features and opted to buy a different product to replicate and recover workloads to Azure without the ASR component.
  • Functionality to replicate from on-premises to more than one ASR region and the ability to use ASR between regions for Azure IaaS are not currently supported or generally available. Furthermore, Azure Backup and ASR services are bundled, but are not integrated.

Recovery Point

Recovery Point began in business under the auspices of its now wholly owned subsidiary, First Federal, in 1982. Its client base consists of commercial, civilian and secure federal agencies, and state and local governments. Its primary focus is helping customers deal with complex heterogeneous environments that include physical systems and servers, such as IBM Z, IBM i, IBM Power Systems and Oracle SPARC.
Primary Support Approaches: Most are fully managed or assisted; 20% of customers are self-service after initial onboarding.
Primary Workloads Supported: Physical and virtual x86, UNIX (AIX, HP-UX, Solaris), IBM i, and mainframes.
Regional Recovery Presence: Three data centers in the U.S.
Customer Complexity: Organizations based in the U.S. with complex heterogeneous environments and typically up to 750 servers under management.
Recommended Use: U.S.-based organizations with complex recovery needs for x86 or other platforms, organizations with U.S. Federal Information Security Management Act (FISMA) needs and those that wish to leverage tape as a secondary recovery option to DRaaS.

Strengths
  • Recovery Point is one of three vendors in this Magic Quadrant that has significant experience providing recovery for non-x86 workloads and mainframes. Of the three, Recovery Point proposals have been the most competitive by a significant margin when Gartner has performed side-by-side comparison contract reviews on behalf of Gartner clients.
  • Recovery Point has invested in its own dark-fiber-based national network infrastructure, which helps lower customer costs and provides FISMA-level protection to all customers by default.
  • Recovery Point contractually commits to limit subscriptions in a radius around a customer’s location to mitigate risk associated with dilution of resources due to a regional event. Meanwhile, existing customers tout Recovery Point’s staff in terms of technical expertise, responsiveness, degree of involvement during exercises, and general willingness in terms of flexibility and collaboration.

Cautions
  • Service availability is currently limited to the U.S.
  • The limited automation and high degree of personalized service, coupled with the number of platforms supported by Recovery Point, could strain its capacity over the long haul as its customer base grows. In addition, although Recovery Point has programs in place for employee retention, its dependence on highly skilled and highly paid employees outside major metropolitan locations is a risk.
  • Its portal is a landing page for access to native tools versus being completely integrated. However, Gartner believes this is less relevant in the immediate term for more complex environments where multiple replication tools are required — particularly when recovery is fully managed by the provider.

Sungard Availability Services

Sungard Availability Services (AS) has offered disaster recovery services for more than 40 years, and as a core competency, DR represents about half of its overall service portfolio revenue. Specific to DRaaS, customers use either Sungard AS facilities or AWS as a recovery target. In addition to server-level recovery, application recovery support is separately offered via its Managed Recovery Program (MRP). Combined with network capabilities, Sungard AS can provide fully managed, multitiered, application-level recovery for hybrid environments across Sungard AS data centers, customer premises and public cloud environments.
Primary Support Approaches: Fully and partially managed services.
Primary Workloads Supported: Physical and virtual x86, UNIX (AIX, Solaris, HP-UX), IBM i, and IBM Z.
Regional Recovery Presence: Eleven DRaaS recovery locations (not including AWS), including four in the U.S., two in Canada, two in the U.K., and one each in Ireland, France and Sweden.
Customer Complexity: Experienced in supporting clients with complex heterogeneous environments, over 1,000 server images, involving two recovery locations, four recovery tiers, and multiple databases and application clusters.
Recommended Use: Organizations that prefer fully managed DRaaS for complex environments, require global support for both x86 and non-x86 platforms, could benefit from SLA-backed recovery for the applications themselves, or want complementary services in the portfolio such as workplace recovery.

Strengths
  • Sungard AS is one of three vendors in this Magic Quadrant with significant experience providing recovery for non-x86 workloads and mainframes. In fact, it has supported well over 3,000 recoveries since 1990.
  • Sungard AS optionally provides application recovery support through its Managed Recovery Program, a differentiator among vendors in this Magic Quadrant. It has added capabilities to recover Amazon Web Services workloads as well as to recover from customer premises to AWS.
  • Sungard AS’s Recovery Execution System (RES) platform enables automated reservation of resources and recovery of hybrid recovery scenarios in conjunction with multiple third-party orchestration technologies. It also provides customers a real-time view of the recovery at both the task level and the application/server level.

Cautions
  • Gartner clients and customer reference sentiment consistently point to issues with Sungard AS prices being relatively high.
  • Gartner clients and customer references also point to concerns related to limited self-service portal functionality, lack of transparency of pricing with bundled services and some operational support challenges as Sungard AS transitioned support to a more globalized delivery model.
  • In late 2017, Sungard AS launched updated services for cloud recovery to both its data centers and AWS that are positioned as more automated, price-competitive, faster-time-to-value service offerings. However, these services were not available in the market long enough to be evaluated through client feedback and customer references.
  • Most of Sungard AS’s references that participated in this year’s study were not clients recently onboarded to its DRaaS offerings, as requested by Gartner.

TierPoint

TierPoint was formed in 2010 when Cequel Data Centers began an acquisition campaign, purchasing smaller regional companies (Colo4 and Perimeter Technology in 2011, TierPoint in 2012, Windstream Hosted Solutions in 2015 and Cosentry in 2016). As a result, it now has over 40 facilities dispersed across 20 locations in the U.S. It provides a full set of disaster recovery services, including workspace recovery in some of its locations, in addition to offering cloud and colocation solutions to enable hybrid IT and hybrid resiliency.
Primary Support Approaches: Fully managed and self-service.
Primary Workloads Supported: Physical and virtual x86, UNIX (AIX, Solaris, HP-UX), and SAN and database replication.
Regional Recovery Presence: Twenty locations in the U.S., spread from the Northwest to the East Coast.
Customer Complexity: Experienced with support of up to 200+ server images, with multiple database and application cluster environments.
Recommended Use: When flexibility in technology choices and multiple tiers of services are priorities for medium-complexity environments.

Strengths
  • Customer references scored TierPoint the highest for satisfaction among the providers in this year’s Magic Quadrant.
  • As an example of its flexibility, TierPoint will customize responsible, accountable, consulted and informed (RACI) matrices for customers (although this can require additional fees).
  • Managed customers have both an initial failover test and one yearly test included in the pricing, with the option to purchase additional tests if desired. There are no fees for disaster declarations, although usage above the reservation level is subject to usage-based billing, and there is a one-time fee per failback if that is needed.

Cautions
  • The new orchestration portal interface is now developed in-house, but TierPoint is still adding features and validating the reliability of those features.
  • While TierPoint has a wide variety of capabilities, they are not uniformly available in all locations — for example, eight of 20 locations have cloud pods to support multitenant DRaaS services.
  • Customer references recommended that prospective customers understand how and when handoffs occur during implementation and exercising, as they have experienced issues with coordination during those phases.

Vendors Added and Dropped

We review and adjust our inclusion criteria for Magic Quadrants as markets change. As a result of these adjustments, the mix of vendors in any Magic Quadrant may change over time. A vendor’s appearance in a Magic Quadrant one year and not the next does not necessarily indicate that we have changed our opinion of that vendor. It may be a reflection of a change in the market and, therefore, changed evaluation criteria, or of a change of focus by that vendor.

Added

No vendors were added in this year’s edition of the Magic Quadrant.

Dropped

As indicated in the Key Differences in this Year’s Magic Quadrant section, several vendors were dropped from this year’s edition of the Magic Quadrant due to changes in the inclusion criteria. The individual reasons were either one of or a combination of the following:
  • Direct sales were below the inclusion threshold.
  • The majority of existing customers had annual revenue of less than $50 million.
  • The vendor did not have a large-enough or focused-enough DRaaS offering.
  • Existing capabilities were not repeatable and industrialized, as defined in the DRaaS market definition.
Vendors dropped are:
  • Acronis — Acronis, founded in 2003, has provided cloud-related recovery services for more than seven years and data recovery products for more than 14 years. Headquartered in Singapore, it operates 14 data centers globally and is primarily a partner-driven business with a focus on manufacturing, automotive, public sector and education markets. In November 2017, it launched the Disaster Recovery Cloud service to enable partners and managed service providers to resell its cloud-based DR solutions.
  • Axcient — Originally founded in 2006, Axcient provides a single solution that includes data protection, disaster recovery, archiving and test/development. It eliminates the need for multiple solutions, data centers or silos of infrastructure by extending the value of copy data management to the cloud. Axcient was purchased by eFolder on 27 July 2017, and has focused on the MSP and channel market for its DRaaS offerings.
  • Carbonite — Founded in 2005 and headquartered in Boston, Massachusetts, Carbonite has a new self-service DRaaS offering known as Carbonite Recover, which supports recovery of Windows, Linux, VMware and Hyper-V systems. Legacy environments are supported through its Carbonite Disaster Recovery offering, where recovery testing and recovery operations are largely provider-managed. It also sells Carbonite Availability (formerly known as DoubleTake) which is utilized by other DRaaS providers for physical and virtual server replication.
  • Daisy — Daisy Group is one of the largest business communications and IT service providers in the U.K. It was founded in 2001, and offers network services, nine data centers and 18 worksite recovery locations consisting of over 30 office locations in the U.K.
  • Databarracks — Databarracks was founded in the U.K. in 2002 as a full-service MSP, but in 2016, it retired some non-continuity-related services completely. It now focuses on only three areas: disaster recovery as a service, backup and resilient cloud-based infrastructure design. Its business is entirely focused on U.K. clients, with a concentration of clients related to legal, government and nonprofit organizations. In 2017, it launched a Business Continuity as a Service (BCaaS) offering to handle business continuity management and planning for customers.
  • Datto — Datto, headquartered in Norwalk, Connecticut, is a provider of backup and disaster recovery appliances, SaaS data protection and managed networking products. It was founded in 2007 and has more than 5,000 managed service provider partners that market its products worldwide.
  • Evolve IP — Evolve IP was founded in 2006 and is headquartered in Wayne, Pennsylvania. It leads with its OneCloud solution, which allows organizations to migrate multiple cloud computing and cloud communications services onto a single, unified platform. This includes virtual data centers/servers, disaster recovery, virtual desktops, IP phone systems/unified communications and contact centers.
  • Flexential (formerly Peak 10) — Flexential, formed by the merger of Peak 10 and ViaWest in 2017, is based in Charlotte, North Carolina, with 41 data centers located across 21 cities in 16 states in the U.S. It also has data centers in Alberta, Canada and Amsterdam, Netherlands. In addition to DRaaS, it offers data center and network services, managed services, and cloud-based infrastructure and object storage services.
  • Infrascale — Founded in 2011, Infrascale is primarily focused on DRaaS and leads with its mission statement, “eradicate downtime.” Using its own technology and supporting recovery on a variety of hyperscale or partner clouds, it allows for recovery of heterogeneous workloads via self-service or a combination of partner and Infrascale support. Infrascale was named “Best in Show” at the ConnectWise IT Nation 2017 conference, which focuses on MSPs.
  • NTT Communications — NTT Communications, an NTT Group company, is a separate operation from NTT DATA and Dimension Data. Its primary focus is on network and data center operations, and it offers services for cloud, data center, network, security and governance, and professional and managed services. DRaaS is one of its many managed service offerings.
  • Quorum — Headquartered in San Jose, California, Quorum offers HA Anywhere via its Quorum onQ software, a high-performance, one-click instant recovery instance that can be run in the Quorum cloud, locally via an onQ appliance or from a remote location. DRaaS services are provided via its three recovery centers in the U.S. and the U.K.
  • StorageCraft — StorageCraft is a storage and services company headquartered in Draper, Utah. It was founded in 2003, and its business is entirely focused on data protection and restoration services that are offered through value-added and channel partners. It also offers cloud services that can be utilized for disaster recovery by its managed partners.
  • Unitrends — Headquartered out of Burlington, Massachusetts, Unitrends offers its products and offerings only through authorized resellers. In 2017, it merged the individual backup and disaster recovery tools into an “all-in-one enterprise backup and continuity” product, which offers ransomware protection and cloud integration. It also still maintains a low-cost cloud recovery product, Boomerang, which allows customers to replicate workloads to hyperscale public cloud providers in a self-service manner. In May 2018, Unitrends merged with Kaseya, a supplier of IT infrastructure management products for MSPs.

Inclusion and Exclusion Criteria

The following considerations were made in selecting providers for this research. The vendor must have:
  • Services delivered in-line with the Gartner market definition of DRaaS.
  • A specialized offering in DRaaS, with at least 10% of their overall customer base being DRaaS or related DR services subscribers and/or more than 2,500 DRaaS customers.
  • Fully managed, assisted recovery, or self-service DRaaS that provides automated failover and failback capabilities from customer locations to cloud.
  • At least 50% of their customers with annual revenue of $50 million or greater.
  • Available and defined SLAs for customer RTO/RPOs.
  • Included DRaaS capabilities that do not require clients to sign up for separate services from other providers.
  • Publicly offered DRaaS service(s) for at least three years and the current DRaaS services for at least 12 months, as of 1 January 2018.
  • Included DRaaS services for sale to and contracted directly to end consumers, either via click-buy, direct sales teams or through partners.
Service providers that focus their efforts on the MSP or partner market instead of directly at end users, and/or have greater than 50% of their annual sales coming from indirect (channel partners, MSP, SI) segments, will be excluded from the Magic Quadrant.

Notable Vendors

Other notable vendors in DRaaS include:
  • OVH — OVH purchased and continues to operate and evolve the DRaaS offering that is now known as vCloud Air powered by OVH. In addition to the existing capabilities (see 2017 “Critical Capabilities for Disaster Recovery as a Service” for more details), OVH has expanded its offerings to now include a Disaster Recovery Plan service that’s powered by Zerto.
  • VMware — Although VMware sold its vCloud Air and associated DRaaS related offerings to OVH in 2017, it has introduced new DRaaS capabilities with the VMware Site Recovery service, which utilizes VMware Cloud on AWS as the recovery target. This was released in November 2017, making it too new to include in this year’s Magic Quadrant.
  • Webair — Webair remains a solid choice for prospective companies that need not only x86 recovery capabilities, but IBM i as well. Although it has historically focused on the Long Island, New York and New York City metro areas, it also has recovery locations in Los Angeles, California; Montreal, Canada and Amsterdam, Netherlands. Commercially, it provides excellent value for the money, has experience with many different replication approaches and has several healthcare-related customers with signed business associate agreements (BAAs).

Magic Quadrant for Intrusion Detection and Prevention Systems

Published 10 January 2018 – ID G00324914 – 63 min read


IDPS continues to be absorbed by firewall placements at the perimeter, yet still offers the best detection efficacy and a central prevention, detection, and response solution on a network. Security and risk management leaders should seek innovation in advanced analytics and public cloud support.

Strategic Planning Assumptions

By year-end 2020, 70% of new stand-alone intrusion detection and prevention system (IDPS) placements will be cloud-based (public or private) or deployed for internal use cases, rather than the traditional placement behind a firewall.
By year-end 2020, 60% of IDPS deployments will be augmented with the use of analytics methods, like machine learning and user and entity behavior analytics, up from less than 10% today.

Market Definition/Description

This document was revised on 17 January 2018. The document you are viewing is the corrected version. For more information, see the Corrections page on gartner.com.
The network IDPS market is composed of stand-alone physical and/or virtual appliances that inspect network traffic, either on-premises or in virtualized/public cloud environments. They are often located in the network to inspect traffic that has passed through perimeter security devices, such as firewalls, secure web gateways and secure email gateways. While detection only (i.e., intrusion detection system [IDS]) is still often used, a large number of appliances are still deployed in line to allow for blocking capabilities. They provide detection via several methods — for example, signatures, protocol anomaly detection, various methods of analytics, behavioral monitoring and heuristics, advanced threat defense (ATD) integration, and threat intelligence (TI) to uncover unwanted and/or malicious traffic and report or take action on it.
All of the aforementioned methods augment IDPS capabilities with more context to reduce both the number of alerts as well as false positives. False positives are still a concern for clients when IDPSs are in blocking mode. For detection mode, clients have justifiable concerns over how this technology is just another “event cannon” generating alerts that, even if events of interest are there, are drowned out by noise. When deployed in line, IDPSs can also use various techniques to detect and block attacks that are identified with high confidence; this is one of the primary benefits of this technology. The capabilities of leading IDPS products have adapted to changing threats, and next-generation IDPSs have evolved incrementally in response to advanced targeted threats that can evade first-generation IDPSs (see “Defining Next-Generation Network Intrusion Prevention”).
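The detection methods and the blocking trade-off described above, as an added illustration that is not part of the Gartner text or any vendor’s product: a minimal in-line engine in Python that runs a content signature, two protocol anomaly checks and a threat-intelligence lookup over constructed sample packets, reports every match, and blocks only when the sensor is in line and a high-confidence rule fired. The rule names, confidence values, the 0.9 block threshold, the packet record layout and the sample traffic are all assumptions made for the example.

```python
"""Added example: a minimal in-line IDPS engine combining content
signatures, protocol anomaly checks and threat intelligence, with
blocking gated on detection confidence. Rule names, confidences, the
threshold and the sample traffic are constructed for illustration;
this is not any vendor's code."""
import re
from dataclasses import dataclass, field
from typing import Callable, Dict, List

Packet = Dict[str, object]  # decoded packet as a plain dict (simplification)


@dataclass
class Rule:
    name: str
    confidence: float                # 0.0-1.0, assigned by the rule author
    match: Callable[[Packet], bool]


@dataclass
class Verdict:
    action: str                      # "pass", "alert" or "block"
    hits: List[str] = field(default_factory=list)
    confidence: float = 0.0


# Content signature: Snort-style payload pattern for a classic SQL injection.
SQLI = re.compile(rb"(?i)\bunion\s+(all\s+)?select\b|'\s*or\s+1\s*=\s*1")


def sig_sqli(p: Packet) -> bool:
    return p["proto"] == "tcp" and p["dport"] == 80 and SQLI.search(p["payload"]) is not None


# Protocol anomaly: traffic to port 80 that does not start with a well-formed
# HTTP request line. Weak on its own, so it gets a low confidence.
HTTP_REQ = re.compile(rb"^(GET|POST|HEAD|PUT|DELETE|OPTIONS) \S+ HTTP/1\.[01]\r\n")


def anomaly_http(p: Packet) -> bool:
    return p["proto"] == "tcp" and p["dport"] == 80 and HTTP_REQ.match(p["payload"]) is None


# Protocol anomaly: a DNS label longer than the 63 octets RFC 1035 allows,
# a common tunnelling indicator. The payload holds the decoded query name
# (simplification; a real sensor parses the length-prefixed wire format).
def anomaly_dns_label(p: Packet) -> bool:
    if p["proto"] != "udp" or p["dport"] != 53:
        return False
    return any(len(label) > 63 for label in p["payload"].split(b"."))


# Threat intelligence: constructed indicator set (documentation-range address).
TI_BAD_SOURCES = {"198.51.100.23"}


def ti_source(p: Packet) -> bool:
    return p["src"] in TI_BAD_SOURCES


RULES = [
    Rule("web-sqli-union", 0.95, sig_sqli),
    Rule("http-malformed-request", 0.40, anomaly_http),
    Rule("dns-oversized-label", 0.50, anomaly_dns_label),
    Rule("ti-known-bad-source", 0.80, ti_source),
]


class Engine:
    def __init__(self, mode: str, block_threshold: float = 0.9, rules=RULES):
        if mode not in ("ids", "ips"):
            raise ValueError("mode must be 'ids' (out of band) or 'ips' (in line)")
        self.mode, self.threshold, self.rules = mode, block_threshold, rules

    def inspect(self, p: Packet) -> Verdict:
        hits = [r for r in self.rules if r.match(p)]
        if not hits:
            return Verdict("pass")
        conf = max(r.confidence for r in hits)
        # Only an in-line sensor can block, and only when a high-confidence
        # rule fired; weaker matches are reported for analyst triage rather
        # than risking a false-positive block.
        if self.mode == "ips" and conf >= self.threshold:
            return Verdict("block", [r.name for r in hits], conf)
        return Verdict("alert", [r.name for r in hits], conf)


# Constructed sample traffic (documentation-range addresses).
SAMPLE = [
    {"proto": "tcp", "src": "203.0.113.5", "dport": 80,
     "payload": b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n"},
    {"proto": "tcp", "src": "203.0.113.9", "dport": 80,
     "payload": b"GET /item?id=1' UNION SELECT 1,2 HTTP/1.1\r\nHost: shop.example.com\r\n\r\n"},
    {"proto": "udp", "src": "203.0.113.7", "dport": 53,
     "payload": b"a" * 70 + b".tunnel.example.net"},
    {"proto": "tcp", "src": "198.51.100.23", "dport": 80,
     "payload": b"GET /login HTTP/1.1\r\nHost: www.example.com\r\n\r\n"},
]


def run(mode: str, packets=SAMPLE) -> List[Verdict]:
    engine = Engine(mode)
    return [engine.inspect(p) for p in packets]


if __name__ == "__main__":
    for p, v in zip(SAMPLE, run("ips")):
        print(f"{p['src']:>14} -> {v.action:5} conf={v.confidence:.2f} {v.hits}")
```

Run in “ips” mode, the engine blocks the SQL-injection request, while the oversized DNS label and the request from the threat-intelligence-listed source only raise alerts because their confidence sits below the threshold; in “ids” mode nothing is ever blocked. That is the distinction the text draws: an out-of-band IDS can only report, and an in-line IDPS should reserve blocking for high-confidence detections so that false positives do not become outages.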
This Magic Quadrant focuses on the market for stand-alone IDPS appliances; however, IDPS capabilities are also delivered as functionality in other network security products. Network IDPSs are provided within a next-generation firewall (NGFW), which is the evolution of enterprise-class network firewalls, and include application awareness and policy control, as well as the integration of network IDPSs (see “Magic Quadrant for Enterprise Network Firewalls”). IDPS capability is available in unified threat management (UTM) “all in one” products that are used by small or midmarket businesses (see “Magic Quadrant for Unified Threat Management”).
So, while the stand-alone IDPS market is forecast to start shrinking from 2017 (see “Forecast: Information Security, Worldwide, 2015-2021, 3Q17 Update”), the technology itself is more widely deployed than ever before on various platforms and in multiple form factors. The technology is increasingly ubiquitous in technology like NGFW and UTM.
In addition, some vendors such as Alert Logic and McAfee offer functionality in the public cloud in order to provide controls closer to the workloads that reside there. Gartner is tracking the growth of these deployments carefully, and will monitor their efficacy.
Stand-alone IDPSs are most often deployed for the following reasons:
  • When separation of duties means that networking functions (firewalls) are managed by a different team from the one managing security (i.e., IDPS)
  • Behind the firewall as an additional layer of defense to inspect north-south traffic
  • Behind an application delivery controller (load balancer) to inspect the traffic it allows through
  • When best-of-breed detection efficacy is required
  • As an IDPS on the internal network in line to provide protection/detection for internal assets
  • As an IDS monitoring the internal network for lateral movement of threats and to satisfy compliance mandates
  • When high IDPS throughput and low-latency performance are required
  • To provide network security separation (segmentation) on parts of the internal network where it’s easier to deploy IDPS than technology like firewalls
  • To provide additional visibility and detection capabilities in the public or private cloud
  • For network-based intrusion and threat detection using additional methods like advanced analytics (such as user and entity behavior analytics [UEBA]) to detect threats that have bypassed other controls

Magic Quadrant

Figure 1. Magic Quadrant for Intrusion Detection and Prevention Systems

Source: Gartner (January 2018)

Vendor Strengths and Cautions

Alert Logic

Alert Logic is a privately held security-as-a-service provider based in Houston, Texas. Services it offers include managed IDS, web application firewall (WAF), log management and vulnerability management. Alert Logic’s IDS is built on a Snort foundation with additional anomaly-based signatures, heuristics and supervised machine learning. It is offered in two packages: Alert Logic Threat Manager is an IDS-only offering that includes vulnerability management capabilities, and Alert Logic Cloud Defender adds out-of-band WAF and log management, along with detection based on logs. Alert Logic’s IDS is offered as a physical on-premises appliance, with new deployments more often taking the form of virtual machines deployed in hosting or cloud environments. The vendor has also invested in applying machine learning to the IDS event stream to reduce the number of “net events” that human analysts need to review.
Since Alert Logic’s IDS is deployed out of band in detection mode with managed components, it does not offer a wide range of high-performance appliances. Instead, Alert Logic adds and removes sensors as the customer’s network changes, meeting high-throughput detection needs by scaling horizontally across sensors rather than vertically within a single appliance.
Strengths
  • Alert Logic is especially strong in public cloud and virtualized environments where the solution can be deployed quickly and enabled by prebuilt integrations via Chef/Puppet/Ansible.
  • Customers value Alert Logic’s ease of use.
  • Alert Logic’s capability to deploy, and to rapidly shift an existing deployment, is ideally suited for agile and DevSecOps environments.
  • Alert Logic is one of the first vendors to use analytics and machine learning to postprocess IDS event streams. This improves its ability to detect, faster and with greater efficacy, threats and incidents that take multiple days or weeks to evolve.
Cautions
  • The solution is “IDS only” and blocking requires additional solutions, using Alert Logic’s WAF or via the capability to send blocking requests to firewalls.
  • There is no “user” context in the product today, which reflects its main use case for internet-facing and cloud deployments.
  • Alert Logic doesn’t have advanced threat or sandbox integrations in the product today, limiting its ability to detect threats in network objects/files that traverse a network.
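The postprocessing of IDS event streams mentioned in the Strengths above, and the “event cannon” concern raised in the market definition, as an added example that is not Alert Logic’s code or part of the Gartner text: a Python script that parses constructed alert lines, collapses same-hour duplicates and correlates what remains per source over a 14-day sliding window, so that a scanner touching one new host a day surfaces as a single incident that no individual alert would justify. The log format, the 14-day window, the eight-target threshold and the sample alerts are assumptions made for the example.

```python
"""Added example: post-processing an IDS alert stream offline. Duplicate
low-severity alerts are collapsed and the remainder correlated per source
over a multi-day sliding window, so a scan too slow to trip any single
signature surfaces as one incident. The log format, thresholds and sample
lines are constructed for illustration; none of this is vendor code."""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List

LINE = re.compile(r"^(\S+) src=(\S+) dst=(\S+) dport=(\d+) sig=(\S+)$")
TS_FMT = "%Y-%m-%dT%H:%M:%SZ"


def parse(lines: List[str]) -> List[Dict]:
    events = []
    for line in lines:
        m = LINE.match(line)
        if m is None:
            continue  # skip unparseable lines instead of failing the batch
        ts, src, dst, dport, sig = m.groups()
        events.append({"ts": datetime.strptime(ts, TS_FMT), "src": src,
                       "dst": dst, "dport": int(dport), "sig": sig})
    return sorted(events, key=lambda e: e["ts"])


def dedupe(events: List[Dict]) -> List[Dict]:
    """Collapse repeats of the same (src, dst, dport, sig) within one hour."""
    seen, kept = set(), []
    for e in events:
        key = (e["src"], e["dst"], e["dport"], e["sig"],
               e["ts"].replace(minute=0, second=0, microsecond=0))
        if key not in seen:
            seen.add(key)
            kept.append(e)
    return kept


def correlate(events: List[Dict], window: timedelta = timedelta(days=14),
              min_targets: int = 8) -> List[Dict]:
    """Raise one incident per source whose distinct (dst, dport) targets
    inside any sliding window of length `window` reach min_targets."""
    by_src: Dict[str, List[Dict]] = defaultdict(list)
    for e in events:                      # events are already time-ordered
        by_src[e["src"]].append(e)
    incidents = []
    for src, evs in by_src.items():
        start = 0
        for end in range(len(evs)):
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1                # slide the window forward
            targets = {(e["dst"], e["dport"]) for e in evs[start:end + 1]}
            if len(targets) >= min_targets:
                incidents.append({"src": src, "first": evs[start]["ts"],
                                  "last": evs[end]["ts"], "targets": len(targets),
                                  "alerts": len(evs)})
                break                     # one incident per source per batch
    return incidents


def analyze(lines: List[str]) -> Dict:
    raw = parse(lines)
    deduped = dedupe(raw)
    return {"raw": len(raw), "deduped": len(deduped),
            "incidents": correlate(deduped)}


def constructed_sample() -> List[str]:
    """Constructed alert lines: a slow scanner touching one new host per
    day (with a same-hour retry each time) and a benign monitor re-checking
    a single service daily. Documentation-range and private addresses."""
    base = datetime(2018, 1, 1, 9, 0, 0)
    lines = []
    for day in range(12):
        for minute in (0, 5):
            t = (base + timedelta(days=day, minutes=minute)).strftime(TS_FMT)
            lines.append(f"{t} src=192.0.2.77 dst=10.0.1.{day + 1} dport=22 sig=ssh-version-probe")
        t = (base + timedelta(days=day, hours=1)).strftime(TS_FMT)
        lines.append(f"{t} src=10.0.0.5 dst=10.0.1.1 dport=80 sig=http-generic-scanner")
    return lines


if __name__ == "__main__":
    result = analyze(constructed_sample())
    print(f"raw={result['raw']} deduped={result['deduped']}")
    for inc in result["incidents"]:
        print(inc)
```

On the constructed sample, 36 raw alerts reduce to 24 after deduplication and to a single incident attributed to the slow scanner; the benign monitoring host that re-checks one service every day keeps generating alerts but never an incident, because it only ever touches one target. This is the simplest form of the time-window analytics the text refers to; production systems replace the fixed threshold with learned baselines per source and asset.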

Cisco

Cisco, headquartered in San Jose, California, has a broad security product portfolio and has had IDPS offerings for many years. The Sourcefire acquisition has continued to be a positive and strong influence on Cisco’s network security portfolio, giving the company traction in the firewall market that it would not have garnered otherwise. The Firepower IDPS line also shares a management console with the Cisco firewall offerings, called the Firepower Management Center.
Cisco has 22 models of IDPS available in the 4100, 7000, 8000 and 9300 Series Appliances, and virtual appliances for VMware deployments. They range from 50 Mbps through to 60 Gbps of inspected IDPS throughput, giving Cisco a very versatile appliance range, from remote branch up to demanding data center use cases. The same IDPS is available in the Cisco Adaptive Security Appliance (ASA), labeled as “with FirePOWER Services.” Additionally, the software-based IDPS is available as an option within the enterprise firewall, on Cisco Internetwork Operating System (IOS)-based routers and on Integrated Services Routers (ISR). The Meraki MX platform also runs the Snort engine plus Advanced Malware Protection (AMP) for Networks, making Cisco’s IDPS technology ubiquitous throughout its network security portfolio. It is also the most widely deployed IDPS on the market today. The continued evolution of OpenAppID and the addition of DNS security for features like inspection and sinkholing are also seen as net improvements for detection and prevention use cases.
New capabilities introduced include URL-based security intelligence and AMP Threat Grid integration. Cisco will benefit from IBM’s exit of the IDPS market as IBM is now co-selling Cisco IDPS and directing renewals.
Strengths
  • Gartner clients with advanced security programs and larger budgets value Firepower’s usefulness as an IDS analysis/investigation tool, in addition to its utility as an in-line, blocking IDPS. Those that deploy the product in IDS mode particularly like Cisco’s Snort open rules capabilities.
  • Cisco has wide international support, an extremely strong channel and the broadest geographic coverage. Certain Smart Net-supported customers can get two-hour return merchandise authorization (RMA) response when a unit fails. In addition, thousands of partner engineers are certified on Cisco Firepower.
  • The AMP products that work closely with, and provide intelligence to, the IDPS supply coordinated malware detection at the network, sandbox and endpoint layers. This coordination differentiates it from many competing solutions.
  • Talos, Cisco’s security research organization, has a large team researching malware and vulnerabilities and developing security content for all Cisco security products, including writing signatures and determining default blocking policies. During the evaluation period, Talos discovered 171 vulnerabilities. It is a key differentiator for this technology as it demonstrates Cisco’s continued ability to understand specific threats and the threat landscape in general as it relates to IDPS.
  • Support for Cisco’s own Application Centric Infrastructure (ACI) architecture with its IDPS is well-implemented for heavily virtualized environments that use it, although ACI is not widely deployed yet.
Cautions
  • Some Type A clients have expressed concern that IDPS innovation has slowed as Cisco works on integration with acquired capabilities and focuses on its enterprise firewall product line. Customers with these concerns should insist upon roadmap clarity that makes planned IDPS enhancements explicit. For example, the ability to take the rich telemetry and then do advanced analytics is still not in the product, despite smaller startups having this capability.
  • There is a plethora of support options available, which sometimes complicates choices, and the support maintenance percentage (often based on recommended retail price [RRP] rather than sale price) is on the higher end of solutions in the market today.
  • Cisco initially lagged behind competitors in introducing support for Amazon Web Services (AWS), and has yet to offer support for Microsoft Azure. It also doesn’t yet have support for a “virtual overlay” to enable coverage of agile workloads, as some of its competitors do.
  • Cisco does not support the full range of vulnerability assessment and management tools to allow for policy to be derived from, and priorities based on, the vulnerabilities that exist in an environment; but it does have an API that would allow for other tools to do so. Firepower Management Center, however, remains an effective way to model the types of systems on a network within the Cisco IDPS solution itself.

FireEye

FireEye is a U.S.-based cybersecurity company headquartered in Milpitas, California. It is a well-known security vendor specializing in advanced threat protection, security analytics, threat intelligence and incident response. In recent years, it has expanded its product and service portfolio extensively through a mix of organic growth and acquisitions. These additions include managed services, cloud security analytics, threat intelligence, network forensics and security orchestration, as well as IPS added to its best-known solution, FireEye Network Security (NX Series), which is available as a physical or virtual appliance. The virtual appliances support a range of hypervisors and Amazon AWS, but not Microsoft Azure.
In the past year, FireEye has improved its architecture by decoupling the IDPS (the NX Series) from Multi-Vector Virtual Execution (MVX; for ATD/sandboxing), introducing the concept of a “smart node” (the IDPS appliance) and a “smart grid” (MVX/sandbox) with version 7.9 of the solution. Additionally, the “smart grid” MVX now supports bursting from the local instance(s) to the cloud, allowing for better scalability without additional on-premises appliances. These changes let the solution scale horizontally for performance, improve support for detecting lateral movement of threats (rather than only north-south traffic) and better serve distributed environments.
FireEye is now competing more directly with independent IDPS technology on more use cases this year, but, primarily, its focus is on advanced threats and network elements of malware on the inside of the network.
Strengths
  • FireEye NX is designed for detecting and preventing known and unknown exploits to servers and endpoints, and its focus on exploitation and malware is well-regarded.
  • The ability to automatically correlate alerts from the IDPS and MVX is a differentiator for day-to-day security operations, as it can significantly reduce the number of alerts that security staff must handle to operate the solution.
  • FireEye has consistently proved its ability to detect advanced threats, including zero days, via its large research and threat intelligence team. All of its products benefit from this capability, including the IDPS.
  • Threat intelligence integration from existing teams, as well as subscriptions from iSIGHT Threat Intelligence (from the iSIGHT Partners acquisition in 2016), make it a very capable threat detection/prevention solution.
Cautions
  • The ability to deep dive in the IDPS policy by severity, Common Vulnerabilities and Exposures (CVE), name, etc. is limited in the console compared to other IDPS solutions.
  • It does not have capabilities for application/user-based policies; these are delivered instead by FireEye’s endpoint security (HX Series) solution.
  • FireEye NX does not have the ability to tune the IDPS policy by using vulnerability scan data.
  • The IDPS engine is still based on Snort; it would be improved significantly by using the improved Suricata engine to support higher throughput.
  • Throughput has now improved with the “smart node” architecture, but is still limited to 10 Gbps — less than a majority of its competitors.

Hillstone Networks

Headquartered in Beijing and Santa Clara, California, Hillstone Networks is a network security provider that offers NGFWs along with IDPSs. Hillstone has been shipping IDPS devices since 4Q13. At present, its IDPS customer base is predominantly located in China.
The vendor offers a total of 23 IDPS models; however, only five are available to the global market — the S-series appliances. These appliances range in performance from 1 Gbps to 50 Gbps, an increase in the number of models and, in particular, in throughput over the past year. Hillstone does not offer a virtual IDPS model, but it does support on-box virtual instances, including the ability to apply performance constraints to each virtual instance. IDPS signatures are developed internally and obtained from partners.
During the evaluation period, Hillstone introduced several new models. Enhancements introduced in that period include improved antivirus efficacy, HTTPS flood request protection and better IDPS reporting. Additionally, it has three new features: an Abnormal Behavior Detection (ABD) engine, Advanced Threat Detection (ATD) and a cloud sandbox. ABD is Hillstone’s analytics approach, which baselines network activity and looks for deviations from it. The sandbox is also interesting for the IDPS market because it allows “fuzzy” malware behavior signatures to be used to help convict new iterations of existing malware families.
Strengths
  • Hillstone continues to be a good option for clients that are already consuming other Hillstone solutions, midmarket buyers and those located in Southeast Asia.
  • The introduction of its cloud-based “read only” console for basic monitoring and checking alerts will be well-received by midmarket clients.
  • Hillstone continues to be very competitive on price/performance metrics for IDPS across a wide scope of throughput ranges.
  • Hillstone supports a wide range of detection and prevention options with signatures, behavioral analytics, anti-malware and cloud-based sandboxing available as options.
Cautions
  • There is no Active Directory integration for user-based controls and only on-box user accounts are supported.
  • General analyst work for alert processing is functional, but basic; for example, users can’t create search templates that can be reused to speed up investigations and aid in better reporting.
  • Reporting is basic and only supports PDF exporting.
  • Hillstone is active, but not visible in other non-Asia markets. Clients should ensure there is relevant and contestable support for their deployments in these markets.

McAfee

McAfee, based in Santa Clara, California, has now completed its move out of Intel, creating a stand-alone company. The new McAfee company has a significant product portfolio across network, server, cloud, web, security information and event management (SIEM), network analytics, data loss prevention (DLP), and endpoint security. In November 2017, it was also announced that McAfee would acquire SkyHigh Networks, a leading cloud access security broker (CASB) provider. Intel will retain a 49% equity interest in McAfee. This move to being an independent entity has been a net positive for the company. It has led to better roadmap execution and will allow McAfee to better focus and compete in the security market. Its IDPS, called the Network Security Platform (NSP), is a main element of its network security product offerings. McAfee has focused heavily on roadmap execution and on integrating this range with the rest of its product portfolio.
The NSP is the stand-alone IDPS model line, with 18 physical appliance models that range from 100 Mbps to 40 Gbps of throughput, and three virtual models, including one specially tailored for VMware NSX deployments. In addition, McAfee has significantly enhanced the ability to operate natively in public cloud with integrations that support both detection and in-line prevention modes of operation, in the same scalable way that clients operate their cloud environments with a complementary host agent to forward traffic. Gartner sees clients deploying NSP mostly in blocking mode (for IPS), but observes a number of detection mode use cases as well. McAfee’s Advanced Threat Defense (ATD sandbox) is a natively integrated component and it supports deployments both on-premises and from the cloud. The Network Threat Behavior Analysis (NTBA) product, like ATD, can be natively integrated into an IDPS deployment, offering improved network visibility, including being able to detect threats and provide enhanced metadata to security teams. This is a leading architectural approach today.
Strengths
  • Clients appreciate NSP’s sophisticated policy options, ease of deployment and performance under load; and the IDPS console continues to score well in competitive selections and independent tests.
  • Customers cite McAfee’s thorough integration with other McAfee products, including ATD, endpoint context, NTBA and Threat Intelligence Exchange, as strong positives.
  • In organizations concerned with false positive rates coming from heavy use of signatures, McAfee’s multiple signatureless inspection techniques give it an advantage over more signature-based IDPS technologies.
  • Today, McAfee’s support for public cloud deployments is leading the market for this capability, as it provides the ability to support the dynamic nature of infrastructure as a service (IaaS), which makes heavy use of immutable infrastructure.
Cautions
  • McAfee is an IDPS provider that lacks a firewall line. The IDPS range is vulnerable to combined firewall plus IDPS replacements from vendors such as Cisco, Palo Alto Networks and Check Point.
  • Some clients find the user interface complicated, and it needs to evolve to adopt modern UX standards and to provide better workflow that allows people to understand the implications of policy configuration changes.
  • McAfee does not have the ability to natively tune its IDPS based on the vulnerability landscape of the client environment.
  • Some clients report difficulty, when the product is in IPS mode, in determining which specific configuration element(s) are blocking a given session while troubleshooting.

NSFOCUS

NSFOCUS is headquartered in Beijing and California. It is a large regional security vendor for Asia and is expanding to other geographies. NSFOCUS offers distributed denial of service (DDoS; via its Anti-DDoS System [ADS] offering), web application scanning (via Web Vulnerability Scanning System [WVSS]), and WAF and vulnerability management (via Remote Security Assessment System [RSAS]). The vendor also offers managed security services (MSSs) on a number of its products.
The NSFOCUS IDPS has a large range of appliances, with models ranging from 300 Mbps to 120 Gbps of throughput, plus four virtual appliances. This is an improvement over when it was reviewed for the previous Magic Quadrant, with higher-throughput chassis now available. The virtual appliances are certified on VMware, Kernel-Based Virtual Machine (KVM) and OpenStack, but not Xen. Its IDPS includes sandboxing capabilities called Threat Analysis Center (TAC), as well as application control and anti-malware, and it can also utilize reputation-based controls. Additionally, most models support a flexible licensing scheme, allowing clients to buy a chassis from a “range,” but then simply increase the inspected throughput with a licensing update — increasing throughput without having to replace the device.
Strengths
  • NSFOCUS has a large client base in China with good support for region-specific applications (like instant messaging).
  • NSFOCUS has a functional threat intelligence portal for clients that includes the ability to search and visualize all the data in its threat intelligence database (for the purpose of investigations) and general information that is not found in the base logs.
  • NSFOCUS has its own ATD technology, allowing it to detect malware, with the objects inspected selected by policy based on location and file type. If the cloud option is used, the results feed its entire intelligence network, which is used by all of its clients.
  • NSFOCUS has a functional threat intelligence portal that can also be helpful for using IDPS as it has data on IP addresses, vulnerabilities and malware with the ability to configure notifications on them.
Cautions
  • The core IDPS engine is signature-based and might be prone to evasion by heavily obfuscated threats.
  • There is limited ability to enforce policies based on users, but rudimentary correlation to match traffic to an internal user is possible.
  • Today, there is no support for public clouds like AWS or Azure for the product, although NSFOCUS does support a range of other hypervisors like VMware.
  • NSFOCUS only supports its own vulnerability scanner to tune the policy based on the vulnerability landscape of the client environment.

Trend Micro

Headquartered in Japan, Trend Micro is a large, global IT security vendor. It completed its acquisition of TippingPoint from Hewlett Packard Enterprise (HPE) in March 2016. The acquisition of TippingPoint has been a net positive for Trend Micro’s IDPS product, sales and marketing operations. TippingPoint is well-placed within Trend Micro in the same division as the Deep Discovery products. The top IDPS model now supports stacking with no other external hardware and can run up to 120 Gbps of inspected throughput. The new TX Series range can run up to 40 Gbps of inspected throughput in a 1U chassis, which is one of the leading traffic/chassis combinations in this market. While using Intel CPU technology, field-programmable gate arrays (FPGAs) and a switch fabric are used in the larger models to support higher throughput, lower latency and availability — all key features for use in sensitive and more demanding data center applications. IDPS content updates are provided through Digital Vaccine Labs (DVLabs). The DVLabs team also operates the Zero Day Initiative (ZDI) program, which continues to be an excellent source of vulnerability information for Trend Micro, while also supporting independent security researchers.
The IDPS is also benefiting from synergies between TippingPoint’s and Trend Micro’s research teams on malware, which is enhancing the ability of the IDPS to specifically address the network-based elements of malware threats. Additionally, Trend Micro’s advanced threat (sandbox) technology, called Deep Discovery, is now integrated with the IDPS so that the IDPS can receive telemetry in real time for prevention and detection use cases. The Security Management System (SMS) has moved from a SQL back end to Vertica for most data storage tasks, which significantly improves performance and enables new use cases. For example, the IDPS can natively export NetFlow to the SMS manager and to itself (rather than to a separate NTA/NBA tool), where it is then used for real-time and historical investigations of network traffic passing through deployed IDPSs.
Trend Micro’s IDPS platforms have gained native integrated advanced threat capabilities, a significantly larger channel with more expertise in selling security, and access to Trend Micro’s significant research resources.
Strengths
  • Trend Micro continues to be one of the easiest to deploy and manage IDPSs on the market, including at very high throughput.
  • Structured Threat Information Expression (STIX)/Trusted Automated Exchange of Indicator Information (TAXII) support is now included in the SMS Manager, making it easier to operationalize machine-readable threat intelligence (MRTI).
  • While also available for end users, the DVToolkit can be used by TippingPoint support to create custom filters for end users, providing “time to coverage” value.
  • TippingPoint has always excelled at very-high-throughput and low-latency hardware, and the new 8200TX supports 40 Gbps of inspected throughput in 1U, a market-leading rate from a throughput-per-rack-unit point of view. This supports the most demanding use cases for data center and high-performance network perimeters.
  • During the evaluation period, the ZDI vulnerability disclosure program discovered roughly 700 vulnerabilities, which directly benefits all of Trend Micro’s clients with early coverage of threats.
  • SSL decryption in hardware is supported natively inside the new TX range.
Cautions
  • Coverage of public/private cloud is via a separate solution with the complementary Deep Security product range, which is a host-based intrusion prevention system (HIPS)-based solution. End users should be aware that there is a difference between the two in terms of the IDPS technology used.
  • End-user context is available in SMS, but customers cannot create policy for enforcement by user at this point in time.
  • Today, the IDPS can only offload some objects (like URLs) to the ATD (Deep Discovery) for inspection. Deep Discovery has to be deployed separately, and it can stream threat telemetry directly into the IDPS via its SMS management server.

Vectra Networks

Vectra Networks is based in San Jose, California. It has been shipping its Cognito product since 2014 and is a leading example of using advanced analytics (like UEBA) for network IDS use cases. It focuses on detection of threats that have bypassed traditional controls and on detecting lateral movement of threats on the inside of an organization’s network.
The solution is available in a physical or virtual appliance form factor. The hardware sensors, called the S-series and X-series, are distributed on the network, and the management server provides the collection, deduplication, and analytics functions. Due to its behavioral nature, content updates are infrequent (often monthly) and primarily in the form of new algorithms or enhancements to existing mathematical models used to detect threats.
Vectra’s approach is innovative as it directly addresses some key issues in security operations today. First, alert fatigue: a traditional IDS generates alerts that describe malicious activity, but it generates them in large volumes. Determining what is an alert and what is an incident — as the two are not the same — consumes too much time. This solution excels at rolling up large numbers of alerts into a single incident to investigate that describes a chain of related activities, rather than isolated alerts that an analyst then has to piece together. Second, adversary dwell time today is far too long for organizations, and having different means to detect malicious or unwanted activity is a key value proposition for Vectra. This is especially true for detecting the lateral movement of threats on a network that have already evaded other security controls.
While an IDS in terms of deployment, Vectra does have a number of other integrations with existing tools for further response actions. Example categories are firewalls, network access control (NAC), endpoint, ticketing systems and SIEM.
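The roll-up of related alerts into a single incident described above, shown as an added example; this is illustrative code written for this page, not Vectra's or any other vendor's logic. The alert records, hosts, detection types and the one-hour chaining window are constructed assumptions. The idea is the one the text describes: many alerts on one host within a short span become one incident that lists the chain of distinct behaviours seen, and an incident with several different stages is ranked above one that is just the same alert repeated.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample IDS alerts (hypothetical values, not output of any product).
# Each alert names the internal host it concerns, a detection type and a severity (1-5).
ALERTS = [
    {"ts": "2018-07-17T09:00:05", "host": "10.0.1.25", "type": "beaconing", "severity": 3},
    {"ts": "2018-07-17T09:02:10", "host": "10.0.1.25", "type": "beaconing", "severity": 3},
    {"ts": "2018-07-17T09:04:15", "host": "10.0.1.25", "type": "beaconing", "severity": 3},
    {"ts": "2018-07-17T09:20:00", "host": "10.0.1.25", "type": "internal_recon", "severity": 4},
    {"ts": "2018-07-17T09:35:00", "host": "10.0.1.25", "type": "smb_lateral", "severity": 5},
    {"ts": "2018-07-17T11:00:00", "host": "10.0.2.7", "type": "beaconing", "severity": 3},
    {"ts": "2018-07-17T15:00:00", "host": "10.0.1.25", "type": "dns_tunnel", "severity": 4},
]


def roll_up(alerts, window=timedelta(hours=1)):
    """Collapse raw alerts into incidents.

    Alerts for the same internal host are chained into one incident as long as
    each alert falls within `window` of the previous one; a longer gap starts a
    new incident. Each incident records the distinct detection types ("stages")
    seen, in order, and gets a priority of (distinct stages x max severity), so
    a chain of different behaviours on one host outranks many repeats of one.
    """
    by_host = defaultdict(list)
    for alert in sorted(alerts, key=lambda a: a["ts"]):
        by_host[alert["host"]].append(alert)

    incidents = []
    for host, host_alerts in by_host.items():
        current = None
        for alert in host_alerts:
            ts = datetime.fromisoformat(alert["ts"])
            if current is None or ts - current["last"] > window:
                current = {"host": host, "first": ts, "last": ts,
                           "alerts": [], "stages": []}
                incidents.append(current)
            current["last"] = ts
            current["alerts"].append(alert)
            if alert["type"] not in current["stages"]:
                current["stages"].append(alert["type"])

    for inc in incidents:
        max_sev = max(a["severity"] for a in inc["alerts"])
        inc["priority"] = len(inc["stages"]) * max_sev

    # Highest-priority incident first, so an analyst starts with the chain, not the noise.
    incidents.sort(key=lambda i: i["priority"], reverse=True)
    return incidents


if __name__ == "__main__":
    for inc in roll_up(ALERTS):
        print(f"{inc['host']}: {len(inc['alerts'])} alerts -> stages {inc['stages']} "
              f"(priority {inc['priority']})")
```

With the constructed input, seven alerts become three incidents; the first one collapses five alerts on 10.0.1.25 into a beaconing, recon, lateral-movement chain, while the lone beacon on 10.0.2.7 stays a low-priority single-stage incident. Real products use far richer correlation than a per-host time window, but the analyst-facing outcome the text praises is the same: one thing to investigate instead of five.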
Strengths
  • The evolution of IDS to using advanced analytics like machine learning is well-suited to the types of telemetry these technologies generate, and adds a different way of detecting malicious or unwanted behavior within an environment.
  • Use of virtual test access point (TAP) architecture from Gigamon/Ixia, as well as other integrations with hypervisors like VMware, allows the product to be deployed into heavily virtualized environments like public, private and hybrid cloud.
  • Management overhead of this product is minimal in comparison to many other solutions on the market.
  • Clients appreciate the lack of onerous policy work and continuous policy updates. Vectra’s algorithms require infrequent updates and little to no tuning by end users in day-to-day operations because they are based on advanced analytics.
Cautions
  • This solution is “detection-centric” and has no typical prevention capabilities. It relies on integrations with other solutions like endpoint detection and response (EDR) and security orchestration, automation and response (SOAR) tools.
  • Because the product is focused on threat detection only, it cannot be used for “virtual patching” of known vulnerabilities, which is a use case that is popular with Gartner clients.
  • Vectra Networks is a startup and has yet to establish a channel with global reach. Clients outside of North America and parts of the EMEA geographies may not have access to the same level of support from channel partners.

Venustech

Venustech is a security vendor headquartered in Beijing. It was founded in 1996, and has been shipping IDPSs since 2003 and dedicated IPSs since 2007. In addition to its IDPS, Venustech has a range of security product offerings covering SIEM, firewall, UTM, WAF, database compliance and audit (DCAP), vulnerability assessment, application delivery controller, and an endpoint security solution. Venustech has a virtual IPS edition available that supports VMware and OpenStack. It also has support for the Alibaba, Tencent and Huawei clouds as deployment options.
Venustech is a good option for its existing clients consuming its other products, and large and midmarket organizations in South East Asia that need to augment existing controls with an IDPS that covers a range of threats.
Strengths
  • The policy configuration interface is laid out in an easy-to-understand and -navigate manner.
  • Venustech also has a traditional anti-malware plus advanced threat detection capability in the appliance, which enables the blocking of malicious-content-based attacks, as well as other more advanced methods to detect threats, like SQL injection.
  • Support for the Chinese cloud providers gives Venustech a strong advantage for cloud deployments in that geography.
Cautions
  • Venustech is seen as a follower in the IDPS market and does not have features causing disruption to its competitors in the market.
  • Venustech is almost exclusively active in the China region today, constraining its growth.
  • Venustech is not yet making use of advanced analytics to help postprocess the events that are generated by the solution.
  • Venustech is not able to use vulnerability scanning output to help derive a more effective IDPS policy.

Vendors Added and Dropped

We review and adjust our inclusion criteria for Magic Quadrants as markets change. As a result of these adjustments, the mix of vendors in any Magic Quadrant may change over time. A vendor’s appearance in a Magic Quadrant one year and not the next does not necessarily indicate that we have changed our opinion of that vendor. It may be a reflection of a change in the market and, therefore, changed evaluation criteria, or of a change of focus by that vendor.

Added

  • Vectra Networks

Dropped

  • IBM exited the IDPS market in 2017, and thus was not included in this research.
  • Huawei failed to meet revenue requirements.
  • AhnLab failed to meet revenue requirements.

Inclusion and Exclusion Criteria

Only products that meet the following criteria will be included:
  • Operate as a network appliance (physical or virtual) that supports in-line intrusion prevention and/or intrusion detection of threats and network usage.
  • Apply policy based on several detection methodologies to network traffic, including methods like protocol and content analysis, signatures, security analytics, behavior analysis, historical metadata analysis and threat intelligence.
  • Perform packet normalization, assembly and inspection to support these detection and prevention use cases.
  • Provide the ability to identify and respond to malicious and/or unwanted sessions with multiple methods, such as allow, multiple alert types, drop packet or end session.
  • Adapt the policy based on correlation with vulnerability assessment tools to dynamically apply protections to protect internal and external assets found to be vulnerable.
  • Have achieved network IDPS product sales and maintenance revenue globally in the year between June 2016 and June 2017 of over $10 million in U.S. dollars.
  • Sell the product as primarily meeting stand-alone network intrusion detection and prevention use cases or materially compete with intrusion detection and prevention technology.
  • Be visible to Gartner clients and have an active presence or an office or official partner in at least two of the major regional markets — that is, North America, South America, Asia/Pacific and EMEA — and compete in those markets.
  • Have active customers buying the IDPS product(s) in the past 12 months in at least two of the major regions (that is, North America, South America, Asia/Pacific and EMEA).
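The criterion of adapting policy from vulnerability assessment data, which several vendor cautions above also turn on (the ability, or lack of it, to tune the IDPS policy from scan output), shown as an added example. This is illustrative code written for this page, not any vendor's implementation; the asset list, the signature catalog and the "CVE-EXAMPLE-nnnn" identifiers are constructed placeholders, not real CVE numbers. The rule it applies is the usual one: a signature that covers a vulnerability the scanner found on an asset is set to block (virtual patching until the host is fixed), a signature for vulnerabilities the scan did not find is left at alert so that blocking does not add false positives for no gain, and signatures without a CVE mapping keep the vendor default. It also reports found vulnerabilities that no signature covers, which the IDPS cannot protect and which therefore need patching.

```python
from collections import defaultdict

# Constructed sample data with placeholder identifiers: "CVE-EXAMPLE-nnnn" are
# not real CVE numbers and the signature IDs are invented for this example.
SCAN_RESULTS = {
    # asset -> CVEs the vulnerability scanner reported as present
    "10.0.5.10": ["CVE-EXAMPLE-0001", "CVE-EXAMPLE-0003"],
    "10.0.5.11": ["CVE-EXAMPLE-0002"],
    "10.0.5.12": [],
}

SIGNATURES = [
    {"sid": 1001, "cves": ["CVE-EXAMPLE-0001"], "severity": "high"},
    {"sid": 1002, "cves": ["CVE-EXAMPLE-0002"], "severity": "medium"},
    {"sid": 1003, "cves": ["CVE-EXAMPLE-0004"], "severity": "high"},
    {"sid": 1004, "cves": [], "severity": "low"},   # no CVE mapping (e.g. policy/protocol rule)
]


def exposed_cves(scan_results):
    """Map each CVE found by the scanner to the assets that carry it."""
    exposure = defaultdict(list)
    for asset, cves in scan_results.items():
        for cve in cves:
            exposure[cve].append(asset)
    return exposure


def tune_policy(signatures, scan_results):
    """Derive a per-signature action from the scan data.

    block   - the signature covers a CVE present on at least one scanned asset
    alert   - the signature covers only CVEs the scan did not find
    default - the signature has no CVE mapping; keep the vendor's default
    """
    exposure = exposed_cves(scan_results)
    policy = {}
    for sig in signatures:
        hit = sorted({asset for cve in sig["cves"] for asset in exposure.get(cve, [])})
        if hit:
            action = "block"
        elif sig["cves"]:
            action = "alert"
        else:
            action = "default"
        policy[sig["sid"]] = {"action": action, "assets": hit}
    return policy


def uncovered_cves(signatures, scan_results):
    """CVEs present on assets that no signature covers: the IDPS cannot
    virtually patch these, so they go straight to the patching queue."""
    covered = {cve for sig in signatures for cve in sig["cves"]}
    return {cve: assets for cve, assets in exposed_cves(scan_results).items()
            if cve not in covered}


if __name__ == "__main__":
    for sid, entry in tune_policy(SIGNATURES, SCAN_RESULTS).items():
        print(sid, entry["action"], entry["assets"])
    print("no IDPS coverage:", uncovered_cves(SIGNATURES, SCAN_RESULTS))
```

The "assets" list attached to each blocking signature is what makes the policy reviewable: an analyst can see which hosts justify each block decision, and re-running the function after the next scan demotes signatures whose vulnerabilities have been patched. Keeping unmapped signatures at the vendor default is deliberate; scan data says nothing about them, so it should not override the vendor's judgement.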
Products and vendors will be excluded if:
  • They are sold only as features of an NGFW or UTM platform.
  • They are in other product classes or markets we already identify as different, such as network behavior assessment (NBA) products or NAC products, are not IDPS and are covered in other Gartner Research.
  • They are only host IPS, such as software on servers and workstations rather than a device on the network.
This Magic Quadrant is not evaluating pure open-source technology like Snort, Suricata, Bro IDS, etc. If a vendor is using this, they must demonstrate that they are providing over and above the functionality delivered by these projects by improved packaging (hardware or software), analytics and especially additional research and security content that would take this beyond “just running Snort/Suricata/Bro IDS.”

Vendors to Watch

There are eight vendors in particular that provide capabilities that are relevant to the IDPS market, but that have not fully met IDPS Magic Quadrant inclusion criteria. Organizations that need to implement IDPS functions for supported use cases should also consider and evaluate these vendors.

AhnLab

AhnLab, founded in 1995 and headquartered in South Korea, is a network and endpoint security vendor. TrusGuard IPX was released in 2012. The AhnLab product portfolio includes firewalls, ATD, DDoS attack mitigation and endpoint security solutions. It is shipping three IPX appliances ranging from 5 Gbps to 40 Gbps. TrusGuard IPX currently does not come in the form of a virtual appliance. Secure Sockets Layer (SSL) decryption is available for traffic visibility, and TI can be used for command and control (C&C) threat detection. Malicious URL detection/blocking is also supported.
AhnLab has the majority of its presence in South Korea today, followed by a number of other East Asian countries (such as Indonesia, Thailand and Vietnam), mostly within midmarket organizations. It is trying to expand into Latin America as well.

BluVector

BluVector is a recent startup, based out of Fairfax, Virginia, and has been shipping product since January 2017. It is one of a small number of new entrants that is also making use of advanced analytics techniques (like supervised machine learning) to deliver innovation to the intrusion detection market space. The solution also supports sandboxing and other methods of object inspection for detection of various fileless and other malware threats. It has invested its efforts in the core value proposition of “detecting threats” by using robust open-source solutions like Suricata/Bro IDS for general detection capabilities, malware detection and third-party threat intelligence support. The solution is running on industry-standard x86 architecture and coupled with its own custom-developed analytics capabilities — some of which are patented and have been under development for many years under Northrop Grumman before being commercialized. The solution can run on a physical appliance or in a virtual form factor as well, allowing for use in virtualized environments including public cloud. BluVector did not meet the revenue requirements for this research.

Bricata

Bricata, headquartered in Columbia, Maryland, is a startup that leverages open-source IDPS and other detection frameworks, adding software and hardware expertise to maximize performance and scalability. Its IDPS solution is based on open source that combines the Bro IDS and Suricata engines with commercial technologies, delivering signature-based and anomaly detection with network and behavior analysis. The combination achieves better detection via Suricata’s packet inspection, while Bro’s anomaly-based engine provides context around alerts and provides correlation across multiple sessions identifying interrelated events. The Central Management Console (CMC) supports a “manager of managers” deployment architecture. Bricata’s appliances ship with a large (in comparison to other solutions) amount of on-chassis storage, allowing for the collection of large amounts of network metadata and packet capture for future analysis that supports use cases like threat hunting, incident response and forensics. Bricata did not meet inclusion revenue thresholds for this research.

Corelight

Corelight is a relatively new startup based on Bro IDS, or, as it’s often simply called, Bro. Many of the company’s founders founded the Bro IDS project and have been heavily involved in its ongoing maintenance to this day. The Bro IDS open-source project, along with Snort/Suricata, powers a number of vendors’ engines in network security today. Additionally, Bro IDS is in use by an extensive number of security practitioners and companies around the world. Corelight provides a way to get value out of this powerful and very popular solution with its dedicated appliances. It still needs to work on its ability to provide a centralized management platform, its event storage and analytics capabilities, and enterprise policy management capabilities. Corelight did not meet the revenue inclusion criteria for this research.

Darktrace

Darktrace is a late-stage startup security vendor with headquarters in both San Francisco and Cambridge, U.K. It is focusing on using advanced analytics, like unsupervised machine learning, to detect threats on an organization’s network. Darktrace does not position its technology as a replacement for all IDS use cases today. Darktrace deploys like all existing IDS technology, but then uses a number of existing and its own custom-developed algorithms and analytics to build a mathematical model of users and entities on a network, looking for outliers that are turned into alerts for analysts to then investigate. The solution is primarily subscription-based.
This approach is innovative because it helps deal with a number of pressing issues in the network security market: the technology addresses alert fatigue by generating significantly fewer alerts for analysts to triage, and it can also detect active threats on the inside of a network. Conversely, because there is no “known threat” capability, it does not rapidly detect existing known threats.
Darktrace does not deploy in line, allowing for primarily intrusion detection use cases only, but it does support response options found in IDS such as TCP resets. This feature is called Antigena and is an optional extra. It is in use by a smaller, but growing, portion of its client base. Darktrace also supports integrations with other technologies, like firewalls and EDR, for further response options. Antigena can operate in three modes: recommendation, active or human confirmation. The analytics take a period of time to begin to surface information, often measured in days and weeks, based on the mathematical model built from activity on an organization’s network. Some clients do report difficulty in getting more details on threats from the user interface, and day-to-day usage by security analysts has produced feedback calling for improvements in this area.

Fidelis Cybersecurity

Fidelis Cybersecurity, headquartered in Washington, D.C., has been in the network security market since the mid-2000s, originally with a network DLP solution with a content and session focus. As the threat landscape over the past decade has increasingly moved to content-based threats, Fidelis has further aligned its network security offerings to also protect against an increasing range of threats, including those that can be difficult to detect using traditional packet-based technologies. Its product also now has native advanced threat integration, as well as a very credible incident response endpoint technology that was acquired from Resolution1 in 2015. There are strong synergies between IDPS and EDR technologies in general, and clients value having credible options for both capabilities from one provider.
Fidelis also has the ability to have its appliances generate detailed metadata of network sessions that is stored to allow for analysis. This then enables effective near-real-time, as well as historical, incident investigation capabilities. Metadata storage is advantageous for historical threat hunting as well as for opportunities for correlation and detailed investigations of incidents. This is a leading capability in this market currently. This integrated metadata storage and analysis capability is seen as innovative in the IPS industry.
Fidelis does not have an extensive channel serving global markets outside of North America and Europe, so finding both resellers and contestable professional services can be difficult.

Huawei

Headquartered in Shenzhen, China, Huawei, with a core strength in networking, offers a range of network security controls, including IDS/IPS, firewall, log management, advanced threat detection (sandbox) and DDoS mitigation appliances. Huawei introduced its IDS/IPS product line, called Network Intelligent Protection (NIP) System, in 2004. NIP includes six physical appliances, ranging from 600 Mbps to 200 Gbps. They have the ability to offload objects to anti-malware and sandbox engines for additional threat detection capabilities. The vendor’s IDPS currently does not come in the form of a virtual appliance, although this is expected to change. SSL decryption for visibility and TI (reputation)-based blocking is supported. Huawei did not meet revenue requirements for this research.

IronNet Cybersecurity

IronNet is a relatively new startup based out of Fulton, Maryland. It was formed by a number of industry luminaries in the area of cybersecurity with the goal of improving organizations’ abilities to detect threats that have bypassed other controls. Its technology deploys by collecting network traffic from multiple locations, including OT networks, and then applies multiple techniques to surface events of interest to security operations teams.
IronNet also uses various analytics measures to reduce “alert fatigue.” Examples of the types of threats detected include, but are not limited to, suspicious beaconing, DNS tunneling, behavior changes of users/devices on the network, VPN misuse, data exfiltration and lateral movement of threat actors. As a point of visibility for a network, it also provides full packet capture to support proactive/reactive threat hunting and incident investigation and response use cases. IronNet did not meet the revenue requirements for this research.

Evaluation Criteria

Ability to Execute

Product or Service: Core goods and services that compete in and/or serve the defined market. This includes current product and service capabilities, quality, feature sets, skills, etc. This can be offered natively or as defined in the market definition and detailed in the subcriteria.
  • Product service and customer satisfaction in deployments.
  • Performance in competitive assessments and having best-in-class detection and security content quality are highly rated.
  • Competing effectively to succeed in a variety of customer placements.
Overall Viability: Viability includes an assessment of the organization’s overall financial health as well as the financial and practical success of the business unit. This criterion views the likelihood of the organization to continue to offer and invest in the product as well as the product position in the current portfolio.
Sales Execution/Pricing: The organization’s capabilities in all presales activities and the structure that supports them. This includes deal management, pricing and negotiation, presales support and the overall effectiveness of the sales channel.
Also included are pricing (including dollars per Gbps), revenue, average deal size, installed base and use by managed security service providers (MSSPs), managed detection and response (MDR) providers and service providers.
Market Responsiveness/Record: Ability to respond, change direction, be flexible and achieve competitive success as opportunities develop, competitors act, customer needs evolve, and market dynamics change. This criterion also considers the vendor’s history of responsiveness to changing market demands.
Marketing Execution: The clarity, quality, creativity and efficacy of programs designed to deliver the organization’s message in order to influence the market, promote the brand, increase awareness of products and establish a positive identification in the minds of customers. This “mind share” can be driven by a combination of publicity, promotional, thought leadership, social media, referrals and sales activities.
Customer Experience: Products and services and/or programs that enable customers to achieve anticipated results with the products evaluated. Specifically, this includes the quality of supplier/buyer interactions, technical support and account support. This may also include ancillary tools, customer support programs, availability of user groups, service-level agreements, etc.
Winning in highly competitive shortlists versus other competitors is highly weighted.
Operations: The ability of the organization to meet goals and commitments. Factors include: quality of the organizational structure, skills, experiences, programs, systems and other vehicles that enable the organization to operate effectively and efficiently.

Table 1: Ability to Execute Evaluation Criteria

Evaluation Criteria             Weighting
Product or Service              High
Overall Viability               High
Sales Execution/Pricing         Medium
Market Responsiveness/Record    Medium
Marketing Execution             Medium
Customer Experience             High
Operations                      Medium

Source: Gartner (January 2018)

Completeness of Vision

Market Understanding: This includes providing the correct blend of detection and blocking technologies that meet or are ahead of the requirements for network intrusion detection and prevention. Innovation, forecasting customer requirements, having a vulnerability-based (rather than exploit-based) product focus, being ahead of competitors on new features, and integration with other security solutions are highly rated. Additionally, handling placement on the inside of clients’ networks, deployments in public cloud, and support for using advanced threat detection and advanced analytics are considered.
Also included is an understanding of and commitment to the security market, addressing the prevailing threat landscape and, more specifically, the network security market. Vendors that rely on third-party sources for signatures or have weak or “shortcut” detection technologies score lower.
This criterion also refers to the ability to understand customer needs and translate them into products and services; that is, vendors that show a clear vision of their market — listen, understand customer demands, and can shape or enhance market changes with their added vision.
Marketing Strategy: Clear, differentiated messaging consistently communicated internally, externalized through social media, advertising, customer programs and positioning statements.
Sales Strategy: This criterion refers to a sound strategy for selling that uses the appropriate networks including: direct and indirect sales, marketing, service, and communication. It also includes partners that extend the scope and depth of market reach, expertise, technologies, services and their customer base.
Sales strategy includes pre- and postproduct sales support, value for pricing, and providing clear explanations and commendations for detection events. Also included is the ability to handle newer licensing methods that are purely subscription-based, and how this works for direct and indirect sales and channel partners.
Offering (Product) Strategy: This refers to an approach to product development and delivery that emphasizes market differentiation, functionality, methodology, and features as they map to current and future requirements. Emphasis is on product roadmap and threat detection efficacy. Successfully completing third-party testing, such as the NSS Group IPS tests and Common Criteria evaluations, is important. Vendors that reissue signatures, are overreliant on potentially evadable detection methods, or are slow to issue quality signatures do not score well.
Business Model: This includes the design, logic and execution of the organization’s business proposition to achieve continued success. Additionally, the process and success rate for developing new features and innovation through investments in research and development are considered.
Innovation: This criterion includes:
  • Direct, related, complementary, and synergistic layouts of resources, expertise or capital for investment, consolidation, defensive or pre-emptive purposes.
  • Innovation, including R&D, and quality differentiators, such as performance, management capabilities, and interface and clarity of reporting.
  • Features that are aligned with the operational realities of security analysts, such as those that reduce event fatigue, “gray lists” (e.g., reputation and correlation), and enterprise management capabilities.
  • The ability to monitor/instrument the IDPS with a supported API that allows for additional integration, workflow and automation options. Examples include integrations with SOAR or threat and vulnerability management (TVM) tools.
  • Support for open standards like STIX/TAXII for threat intelligence.
  • The ability to reduce the number of alerts that require security analyst interaction without reducing security efficacy. For those alerts that need investigation, having high levels of threat and other environment context allows for better decision support, enables efficiency of operational process and supports workflow.
  • A roadmap that includes moving IDPS into new placement points (for example, on the internal network or public cloud) and better-performing devices that support the reality of data centers with 10 Gbps/40 Gbps connectivity.
  • Ability to assist clients with mitigating the core issue of vulnerabilities being exploited and how this work is prioritized by understanding context from tools like vulnerability assessment tools.
  • Use of additional methods like endpoint context, ATD/sandbox integrations, metadata capture and analysis, and advanced analytics.
Geographic Strategy: The vendor’s strategy to direct resources, skills and offerings to meet the specific needs of geographies outside the “home” or native geography, either directly or through partners, channels and subsidiaries, as appropriate for that geography and market.

Table 2: Completeness of Vision Evaluation Criteria

Evaluation Criteria             Weighting
Market Understanding            High
Marketing Strategy              Low
Sales Strategy                  Medium
Offering (Product) Strategy     High
Business Model                  Medium
Vertical/Industry Strategy      Not Rated
Innovation                      High
Geographic Strategy             Low

Source: Gartner (January 2018)

Quadrant Descriptions

Leaders

Leaders demonstrate balanced progress and effort in all execution and vision categories. Their actions raise the competitive bar for all products in the market, and they can change the course of the industry. To remain leaders, vendors must demonstrate a track record of delivering successfully in enterprise IDPS deployments, and in winning competitive assessments. Leaders produce products that embody next-generation IDPS capabilities, provide high signature quality and low latency, innovate with or ahead of customer challenges (such as providing associated ATD technologies to make enriched IDPS intelligence), and have a wide range of models, including high-throughput models. Leaders continually win selections and are consistently visible on enterprise shortlists. However, a leading vendor is not a default choice for every buyer, and clients should not assume that they must buy only from vendors in the Leaders quadrant.

Challengers

Challengers have products that address the typical needs of the market, with strong sales, large market share, visibility and clout that add up to higher execution than Niche Players. Challengers often succeed in established customer bases; however, they do not often fare well in competitive selections, and they generally lag in new feature introductions.

Visionaries

Visionaries invest in leading-edge/“bleeding-edge” features that will be significant in next-generation products, and that give buyers early access to improved security and management. Visionaries can affect the course of technological developments in the market, especially new next-generation IDPSs or novel anti-threat capabilities, but they lack the execution skills to outmaneuver Challengers and Leaders.

Niche Players

Niche Players offer viable solutions that meet the needs of some buyers, such as those in a particular geography or vertical market. Niche Players are less likely to appear on shortlists, but they fare well when given the right opportunities. Although they generally lack the clout to change the course of the market, they should not be regarded as merely following the Leaders. Niche Players may address subsets of the overall market (for example, the small or midsize business segment, or a vertical market), and they often do so more efficiently than Leaders. Niche Players frequently are smaller vendors, and do not yet have the resources to meet all enterprise requirements.

Context

  • Current users of network IDPSs highly prioritize next-generation network IDPS capabilities at refresh time.
  • Current users of NGFWs look at a next-generation network IDPS as an additional defense layer, and expect best-of-breed signature quality.
  • Organizations with traditional network IDPS and firewall offerings should build and plan to execute migration strategies to products that can identify and mitigate advanced threats.
  • Organizations with flat internal networks should consider deploying IPS for “virtual patching” to help prevent the exploitation of vulnerabilities, the leading cause of breaches today.
  • Organizations should continue to improve their ability to detect and respond to threats as “prevention-centric only” approaches will fail eventually.

Market Overview

According to Gartner market research, the worldwide IDPS market in 2016 for stand-alone appliances was approximately $1.3 billion and is forecast to shrink in coming years. Data collected from vendors in this Magic Quadrant validates this range. Factors driving those estimates include:
  • The threat landscape continues to be aggressive, with the advantage on the side of threat actors. Major IDPS vendors were initially slow to address advanced targeted threats and other classes of threat. Some spending that could have gone to IDPS products instead has gone to advanced threat detection and network forensics products. With leading IDPS products now containing these capabilities, IDPS is no longer losing out due to this capability being missing.
  • NGFWs are taking a significant portion of the stand-alone perimeter IDPS market as next-generation IDPSs are absorbed into firewall refreshes and are enabled in existing IDS-/IPS-capable firewalls.
  • IDS/IPS continues to be a significant network security market, but is forecast to flatten. A large percentage of organizations have moved to collapse their IDPS for north-south use cases into their firewall and UTMs, especially in the midmarket. This has concurrently increased the amount of IDPS on networks, but has led to constraints for traditional IDPS deployments.
  • Organizations need to better address the internal use case that covers protection of internal assets, and helps detect and prevent lateral movement of threats. The “flat internal network” problem is one that Gartner sees still existing in a majority of our clients’ networks, and it is a systemic issue. If IDPS vendors can address this significant issue in organizations with better messaging and use case support, it will provide more relevance for organizations’ security operations programs.
  • Further to the point above, most breaches today occur because of the exploitation of known vulnerabilities, not zero days. Organizations are clearly not using compensating technology like IDPS to address the issues. Below are some reasons why these known vulnerabilities remain available for threat actors to leverage:
    • Not being able to patch systems on the same schedule on which threat actors exploit vulnerabilities
    • The absence of a patch from the vendor
    • Systems that can’t be patched due to regulatory issues and compliance mandates
    • Business-level SLAs and other functional requirements that require uptime and application functionality as the top priority
  • The term “virtual patching” has been in use for some time. With the plethora of security incidents originating from the exploitation of vulnerabilities in the past two years as a direct result of this issue, IDPS vendors need to improve how they integrate telemetry from vulnerability assessment and management tools to help users derive a more effective security policy. This one principle alone would considerably lower the attack surface of every single client that implements it (see “It’s Time to Align Your Vulnerability Management Priorities With the Biggest Threats”).
  • Organizations are adopting public cloud IaaS for their compute. Traditional firewall vendors are not showing signs of traction due to software-defined networking (SDN) and microsegmentation; but, primarily, IaaS providers are delivering basic routing, network address translation (NAT) and segmentation as part of their offerings for free or little cost. IDPS still has relevance here, as there is no sign of these providers delivering more advanced deep packet inspection (DPI) security capabilities. Concurrently, IDPS vendors are now able to deploy more effectively in these more agile compute architectures, either natively or with integration with packet brokers like Gigamon and Zentera.
  • As market penetration for these integrated and cloud-resident IDPS form factors has advanced, the IDPS appliance market is predicted to start declining in 2017, but from a large base.
  • TI integration is now pervasive in the IDPS market with vendors providing add-on integrations either for free or as an optional extra. This has added significant context and visibility for both traditional and advanced threats. It has also added to the ability for third-party integrations, extending the life of next-generation IDPSs by allowing them to perform the “block and tackle” role of outbound data exfiltration detection and prevention. Support for STIX/TAXII, however, is not uniform across the vendor landscape and IT security leaders are advised to demand from their vendors that they support open standards in their IDPS solution.
  • IDS is still a widely deployed use case. With the adaptive security architecture and now continuous adaptive risk and trust assessment (CARTA; see “Use a CARTA Strategic Approach to Embrace Digital Business Opportunities in an Era of Advanced Threats”), Gartner has, since 2014, advocated for improving the ability to detect and respond, as well as to prevent.
  • There are also credible ways to be running IDS and IPS that don’t involve buying an appliance per se, but in renting one that is fully managed and monitored. This suits a range of organizations, especially in the midmarket.
  • Leading vendors in 2017 have architectures that have adapted to being effective in public cloud environments, leaving them additional opportunities to expand coverage (and therefore revenue) into this large and rapidly growing market of security in IaaS environments.
  • Startups in recent years have taken advantage of a historical problem with IDPS: event fatigue. New startups are using IDS engine technology, like Snort/Suricata/Bro IDS, and are feeding this telemetry into advanced analytics and machine learning engines, which has proven effective in reducing event fatigue. This is a disruptor in this market, and Gartner expects this trend to continue.

IDPS Has Evolved

IDPSs have had two primary performance drivers: the handling of network traffic at wire speeds (either in line or in detection mode), and the deep inspection of that traffic based on more than just signatures, rules and policies to detect, prevent, and respond to threats. The first generation of IDPSs was effectively a binary operation of “threat or no threat,” based on signatures of known vulnerabilities. Rate shaping and quality of service were some of the first aspects that brought context to otherwise single-event views. As inspection depth has increased, digging deeper into the same silo of the traffic yields fewer benefits. This next generation of IDPSs applies:
  • Signatures — These are often developed and deployed rapidly in response to new threats, and are often exploit-specific, rather than vulnerability-generic.
  • Protocol analysis — This enables the IDPS engine to inspect traffic for threats, regardless of the port that the traffic is traversing.
  • Application and user awareness — It should identify applications and users specifically.
  • Context awareness — It should be able to bring multiple sources together to provide more context around decisions to block sessions. Examples include user directory integration that applies IDPS rules by the user, and application and geolocation information where you can permit, deny or monitor access, based on its origin.
  • TI reputation services — These include action-oriented intelligence on spam, phishing, botnets, malicious websites, web exploit toolkits and malware activity.
  • Content awareness — It should be able to inspect and classify inbound executables and other similar file types, such as PDF and Microsoft Office files (that have already passed through antivirus screening), as well as outbound communications.
  • User extensibility — The solution should support user-generated IDPS signature content.
  • Advanced threat detection — The solution should be able to use various methods to identify and send suspicious payloads to another device or cloud service to execute and positively identify potential malicious files.
  • Historical analysis — The solution should assist or support the short to medium traffic storage, either in full or via other means, like metadata extraction and NetFlow. This can identify applications, files, users, communications, URLs, domain names, etc. It is then used for analytics and incident investigation use cases.
  • Advanced analytics — This feature leverages what has come to be called UEBA in the security industry. For this market, vendors are using analytics to advance the use of IDS to detect threats that have bypassed other security controls.
  • Support of entry-level routing and network address translation — The solution will optionally be able to process traffic and act as a Layer 3 control and enforcement point. This means basic routing and network address translation can occur. This supports use cases in which security and performance features are paramount, and only coarse-grain firewall rules are required, using a limited-in-size rule base.
These advances are discussed in detail in “Defining Intrusion Detection and Prevention Systems.” Best-of-breed next-generation IDPSs are still found in stand-alone appliances, but have recently been incorporated into some NGFW platforms.

Advanced Threat Detection Is Now Available From Next-Generation IDPSs

Along with SSL decryption, Gartner IDPS Magic Quadrant customer references mention advanced threat detection as a feature in IDPS selections. To compete effectively, next-generation IDPS vendors must more deeply integrate ATD capabilities to step up their ability to handle targeted attack detection — for malware detection, anomaly detection, and also for outgoing communication with command-and-control servers from infected endpoints.
Gartner notes that some specialized advanced threat detection vendors have evolved their products’ capabilities to deliver basic network IDPS capabilities to complement their advanced threat solutions. If other advanced threat vendors bring “good enough” IDPS capabilities from adjacent network security areas to market, clients will have more options and new IDPS approaches to choose from. This could, in some way, cause this market to instead flatten out in revenue versus the predicted decline.

IDS Is Still Widely Deployed and Effective

Client reference surveys for this Magic Quadrant align with conclusions from our general client inquiry, where we see 20% of IDPSs deployed as IDS only (and approximately another 30% using IPS, but running their solution mostly in detection mode). It is clear that organizations are still deploying IDS technology purely for monitoring and visibility use cases, and not necessarily for blocking. This is especially true in the network core or where any kind of blocking technology often cannot meet performance needs or will not be considered for deployment by the IT operations team. This is being driven by multiple reasons, but the need to detect intrusions and respond more efficiently to incidents is still a key investment (see “Use a CARTA Strategic Approach to Embrace Digital Business Opportunities in an Era of Advanced Threats”).
While going “in-line” with this technology is preferred for some use cases, as it at least offers the capability to block should the need arise, IDS is still a staple in a large number of environments. As CARTA highlights, detection is a critical capability. The number of breaches in recent history highlights clearly that organizations large and small are failing in their ability to perform detection and response once threats are active inside the network. IDS is still very effective at delivering threat detection capabilities in familiar ways to organizations’ security teams. If an IPS is in the mix, IDPSs concurrently have powerful uses in responding to a range of threats.
Some organizations are getting additional life out of older IDPS investments (or by making new investments in IDS) by enabling basic IDPS in the NGFW and moving their existing dedicated IDPS and IDS elsewhere in the environment, where they are tuned for those use cases. So rather than decommission stand-alone IDPSs, they instead deploy in “IDS mode,” internally or on other parts of the network for monitoring of what is generally called east-west traffic, versus the traditional north/south traffic at the internet perimeter. Detecting vulnerability exploitation, service brute forcing, botnet command and control channel activity, application identification, and so on, are all standard features of modern IDPSs and IDSs, and still have utility.

Web Application Vulnerabilities Are Still a Major Problem

Gartner recommends considering a WAF over an IDPS for protecting web applications to reduce the exposure to security threats (see “Magic Quadrant for Web Application Firewalls”). Making use of application security measures to significantly reduce the vulnerabilities during the development life cycle is even more effective (see “Magic Quadrant for Application Security Testing”).
For a long time, IDPSs have had content that can address some of the web application security issues that organizations have continued to find, often in large numbers, in their web-based applications. Coverage for the more straightforward web application issues, like SQL injection and cross-site scripting, exists in the majority of products evaluated for this Magic Quadrant. Without an application security program or a WAF deployed, IDPS can offer some coverage of web-application-focused threats. IDPS also has access to SSL decryption options for multiple types of deployments, including inspecting inbound web traffic. Some leading vendors, like McAfee, are investing in improving their coverage of web application threats significantly in order to be able to deploy in public cloud. Alert Logic does this differently by using its WAF for blocking, but leveraging its IDS for detection use cases. Generally though, web application content can be “noisy” when enabled on IDPS, and can be more prone to false positives than what leading WAFs are delivering today.

IDPS Has Potential in the Cloud

Traditional firewall vendors are not making an impact in terms of usage in public cloud environments like Amazon AWS, Microsoft Azure and Google Cloud. This is primarily because the built-in firewall controls are providing native integration, agility, less expensive pricing and, in general, “good enough” capabilities for the types of workloads that run in public clouds. Generally speaking, you don’t need advanced enterprise firewall features to protect server workloads in the cloud, and the ruleset is often very basic. WAF and IDPS are more relevant security add-ons for workloads running in these environments. Cloud-delivered WAF is now prevalent and still far exceeds WAF functionality delivered by cloud service providers (CSPs). No CSP today is investing in the type of advanced DPI solutions delivered by cloud-ready IDPS solutions.
Gartner expects this deployment form factor for IDPS to become a leading use case for the technology in the coming years. As the shift continues to move workloads to IaaS, so too will the relevance of advanced detection, prevention and response capabilities to security teams with workloads running in private, hybrid and public clouds. The client reference survey this year reported that approximately 30% of respondents have IDPS deployed in public and/or hybrid cloud environments.

More IDPSs Get Absorbed by NGFWs, but the Stand-Alone IDPS Market Will Persist

With the improvement in availability and quality of the IDPS within NGFWs, NGFW adoption reduces the need for a dedicated network IDPS in enterprises (especially smaller ones) at the network perimeter. The perimeter placement traditionally is the most popular deployment location for IDPS. However, the stand-alone IDPS market will persist to serve several scenarios:
  • The incumbent firewall does not offer a viable next-generation IDPS option for reasons of security efficacy.
  • Clients continue to report significant performance impact of enabling IDPS in their NGFWs. This impact, in real-world feedback from Gartner clients, is frequently in the 40% to 80% range (depending on the IDPS policy in place) regardless of traffic profile. For environments that require sustained throughput of 10 Gbps to 20 Gbps and higher, a separate NGFW and next-generation IDPS is a sensible architecture to pursue for security efficacy and cost reasons.
  • Separation of the firewall and IDPS is desired for organizational or operational reasons, such as where firewalls are a network team function and IDPSs and IDSs are run by the security team.
  • A best-of-breed IDPS is desired, meaning a stand-alone next-generation IDPS is required.
  • Niche designs exist (as in certain internal deployment scenarios) where IDPS capabilities are desired, but don’t require a firewall. This can also apply to SDN and public cloud scenarios where routing/NAT functions are covered in the base platform and only advanced network inspection is required.
  • For internal network segmentation projects, IDPS deployments are advantageous as they happen at Layer 2 (transparently, with no significant routing/switching requirements), with better reliability/resiliency, lower latency, and generally equal or higher-quality security content than a transparent NGFW, and therefore are considerably easier to deploy while providing the best protection available.
While the trend is toward IDPS consolidation on NGFWs, Gartner sees anecdotal examples of organizations switching back from an NGFW to a stand-alone IDPS, where improved blocking quality and performance are required.

Endpoint Context Is Increasingly Important and Available in Leading IDPS

An interesting development over the past few years is how IDPS vendors are increasingly bringing in various levels of detail from endpoints. This complements IDPSs on the network significantly. As a simple example, being able to dig into traffic by mapping the specific application on the host that is generating the traffic is a very important use case, which previously would only be possible from multiple consoles or via event processing in a SIEM. This is increasingly becoming available from IDPS vendors, like Cisco and McAfee, as built-in options. Other vendors in this Magic Quadrant, like Trend Micro and Fidelis, have the opportunity to further add significant value for organizations by making the network IDPS and IDS more effective with host context; and also the reverse, with host agents being more effective by having a complementary network option.

Developments in Threat Intelligence Have Implications for IDPSs

TI or reputation feeds have provided much-needed additional visibility, threat context and blocking opportunities for IDPS deployments. In the past few years, all IDPS vendors have added these “feeds” to their existing product lines. TI feeds have the following strengths and challenges:
Strengths:
  • Time to coverage — for example, a piece of malware can be inspected and TI feeds updated with detection/blocking metadata like IP address, DNS hostname or URL, which is considerably faster than the deep-soak signature testing cycle that IDPS vendors require to ship IDPS security content.
  • Improved context and visibility on the threat landscape for fast-moving threats, particularly malware and botnets.
  • Most feeds include not only the threat (for example, “botnet”), but also a score (often from 0 to 100, for example), allowing users to define the threshold of when alerting versus blocking occurs.
  • Allow for the use of relatively accurate geographic IP details for context and blocking opportunities.
  • Allow for third-party integration via IDPS vendors’ APIs of other feeds. This normally requires additional work.
Challenges:
  • TI feeds are proprietary in nature, and users cannot use open standards such as STIX/TAXII without additional software.
  • Like all security content, TI feeds are prone to various levels of false positives, meaning clients may often have to tune policies to avoid blocking nonmalicious traffic.
  • Most vendors generally use only their own TI feeds, unless third parties create their own integrations or additional products supply them. Such feeds are limited in scope, covering only the part of the threat landscape that one vendor observes.
  • The volume of TI that is available today is staggering. There are well over 100 free (open-source) feeds and dozens of commercial and industry-led initiatives that organizations can consume. The issue is in how to target the type, volume and variety of TI so that it doesn’t:
    • Overload security operations with yet more events
    • Bring false positives from low- or semitrusted sources
    • Overload the IDPS with too much TI, which can significantly affect performance
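The score-threshold and source-trust handling described above (alert versus block thresholds, scaling down semitrusted sources, and capping what is pushed to the IDPS), as an added example that is not part of the original research; the feed entries, trust multipliers, thresholds and the block-table capacity are constructed assumptions.

```python
"""Pre-filtering a TI feed before it reaches an in-line IDPS.

Constructed example; the feed entries, SOURCE_TRUST values, ALLOWLIST and
Policy defaults are assumptions chosen for illustration, not vendor data.
"""
from dataclasses import dataclass
from enum import Enum
from typing import Dict, Iterable, List, Tuple


class Action(Enum):
    IGNORE = "ignore"
    ALERT = "alert"
    BLOCK = "block"


@dataclass(frozen=True)
class Indicator:
    kind: str     # "ip", "dns" or "url": the indicator types the text names
    value: str
    threat: str   # e.g. "botnet"
    score: int    # 0-100 score, as most feeds supply it
    source: str   # feed that supplied the indicator


@dataclass(frozen=True)
class Policy:
    alert_threshold: int = 50    # effective score at or above which we alert
    block_threshold: int = 80    # effective score at or above which we block
    max_block_entries: int = 2   # assumed capacity of the in-line block table


# Assumed trust per source, applied as a multiplier. Semitrusted feeds are
# scaled down so that they cannot push an indicator into the block range alone.
SOURCE_TRUST: Dict[str, float] = {
    "vendor-feed": 1.0,
    "isac-share": 0.9,
    "opensource-list": 0.5,
}

# Known-good infrastructure that must never be blocked, however a feed scores it.
ALLOWLIST = {"203.0.113.10", "intranet.example"}


def effective_score(ind: Indicator) -> int:
    """Scale the feed's raw score by how much the source is trusted."""
    trust = SOURCE_TRUST.get(ind.source, 0.0)   # unknown sources get no trust
    return int(ind.score * trust)


def classify(value: str, score: int, policy: Policy) -> Action:
    """Map an effective score to an action. Allowlisted values are capped at
    ALERT so a feed false positive stays visible to the analyst but is never enforced."""
    if score < policy.alert_threshold:
        return Action.IGNORE
    if value in ALLOWLIST or score < policy.block_threshold:
        return Action.ALERT
    return Action.BLOCK


def merge_feed(indicators: Iterable[Indicator]) -> Dict[Tuple[str, str], int]:
    """Collapse the same indicator seen in several feeds, keeping the highest effective score."""
    merged: Dict[Tuple[str, str], int] = {}
    for ind in indicators:
        key = (ind.kind, ind.value)
        merged[key] = max(merged.get(key, 0), effective_score(ind))
    return merged


def apply_feed(indicators: Iterable[Indicator],
               policy: Policy) -> Dict[str, List[Tuple[str, str, int]]]:
    """Return the block and alert lists to push to the IDPS.

    Blocks are limited to policy.max_block_entries (highest score first); the
    overflow is demoted to alerts rather than silently dropped, so the device
    is not overloaded and nothing disappears from the analyst's view."""
    block: List[Tuple[str, str, int]] = []
    alert: List[Tuple[str, str, int]] = []
    for (kind, value), score in merge_feed(indicators).items():
        action = classify(value, score, policy)
        if action is Action.BLOCK:
            block.append((kind, value, score))
        elif action is Action.ALERT:
            alert.append((kind, value, score))
    block.sort(key=lambda e: e[2], reverse=True)
    demoted = block[policy.max_block_entries:]
    block = block[:policy.max_block_entries]
    alert.extend(demoted)
    alert.sort(key=lambda e: e[2], reverse=True)
    return {"block": block, "alert": alert}


# Constructed sample feed (documentation addresses and .example names, not real indicators).
SAMPLE_FEED = [
    Indicator("ip", "198.51.100.7", "botnet", 95, "vendor-feed"),
    Indicator("ip", "198.51.100.7", "botnet", 60, "opensource-list"),      # duplicate, lower trust
    Indicator("dns", "evil.example", "c2", 90, "opensource-list"),         # 45 after trust: ignored
    Indicator("url", "http://bad.example/dl", "malware", 90, "isac-share"),  # 81: block candidate
    Indicator("ip", "203.0.113.10", "scanner", 99, "vendor-feed"),         # allowlisted: alert only
    Indicator("dns", "phish.example", "phishing", 70, "vendor-feed"),      # 70: alert
    Indicator("ip", "192.0.2.44", "botnet", 88, "vendor-feed"),            # 88: block
    Indicator("dns", "paste.example", "botnet", 100, "random-paste"),      # unknown source: ignored
]

if __name__ == "__main__":
    for action, entries in apply_feed(SAMPLE_FEED, Policy()).items():
        for kind, value, score in entries:
            print(f"{action:5} {kind:3} {value} (effective score {score})")
```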
STIX/TAXII standards are now at a point that they have gained adoption momentum of a sizable number of groups generating/consuming threat intelligence, including computer emergency response teams (CERTs), global information sharing and analysis centers (ISACs), vendors, and end users. While nascent, in the coming two to three years, we expect to see an acceleration of block-and-tackle vendors — such as firewall, intrusion prevention, secure web gateway, endpoint threat detection and response (ETDR), and SIEM tools — all supporting full implementations of these open standards. These two standards in particular will accelerate the ability to consume threat information and then act on it at time scales not previously possible, and will do so in an end user’s environment that has a mixed ecosystem of vendors.
Finally, while not meeting the definition of a next-generation IDPS, and therefore not included in this research, in-line TI appliances have appeared on the market. While niche, they serve an important purpose for some clients by aggregating larger numbers of indicators of compromise (IOCs) that are not able to be run on other network appliances like IDPS and firewalls. These are not fully featured IDPSs per se; they only offer blocking around source, destination IP address, DNS and sometimes URLs, meaning they are based purely on TI feeds. However, they often support much larger TI databases than are available from leading IDPS vendors. Example vendors are Centripetal Networks, LookingGlass and Ixia (see “Emerging Technology Analysis: Threat Intelligence Gateways”).

Evidence

Gartner used the following input to develop this Magic Quadrant:
  • Results, observations and selections of IDPSs, as reported via multiple analyst inquiries with Gartner clients
  • A formal survey of IDPS vendors
  • Formal surveys of end-user references
  • Gartner IDPS market research data
Details on STIX and TAXII.

Evaluation Criteria Definitions

Ability to Execute

Product/Service: Core goods and services offered by the vendor for the defined market. This includes current product/service capabilities, quality, feature sets, skills and so on, whether offered natively or through OEM agreements/partnerships as defined in the market definition and detailed in the subcriteria.
Overall Viability: Viability includes an assessment of the overall organization’s financial health, the financial and practical success of the business unit, and the likelihood that the individual business unit will continue investing in the product, will continue offering the product and will advance the state of the art within the organization’s portfolio of products.
Sales Execution/Pricing: The vendor’s capabilities in all presales activities and the structure that supports them. This includes deal management, pricing and negotiation, presales support, and the overall effectiveness of the sales channel.
Market Responsiveness/Record: Ability to respond, change direction, be flexible and achieve competitive success as opportunities develop, competitors act, customer needs evolve and market dynamics change. This criterion also considers the vendor’s history of responsiveness.
Marketing Execution: The clarity, quality, creativity and efficacy of programs designed to deliver the organization’s message to influence the market, promote the brand and business, increase awareness of the products, and establish a positive identification with the product/brand and organization in the minds of buyers. This “mind share” can be driven by a combination of publicity, promotional initiatives, thought leadership, word of mouth and sales activities.
Customer Experience: Relationships, products and services/programs that enable clients to be successful with the products evaluated. Specifically, this includes the ways customers receive technical support or account support. This can also include ancillary tools, customer support programs (and the quality thereof), availability of user groups, service-level agreements and so on.
Operations: The ability of the organization to meet its goals and commitments. Factors include the quality of the organizational structure, including skills, experiences, programs, systems and other vehicles that enable the organization to operate effectively and efficiently on an ongoing basis.

Completeness of Vision

Market Understanding: Ability of the vendor to understand buyers’ wants and needs and to translate those into products and services. Vendors that show the highest degree of vision listen to and understand buyers’ wants and needs, and can shape or enhance those with their added vision.
Marketing Strategy: A clear, differentiated set of messages consistently communicated throughout the organization and externalized through the website, advertising, customer programs and positioning statements.
Sales Strategy: The strategy for selling products that uses the appropriate network of direct and indirect sales, marketing, service, and communication affiliates that extend the scope and depth of market reach, skills, expertise, technologies, services and the customer base.
Offering (Product) Strategy: The vendor’s approach to product development and delivery that emphasizes differentiation, functionality, methodology and feature sets as they map to current and future requirements.
Business Model: The soundness and logic of the vendor’s underlying business proposition.
Vertical/Industry Strategy: The vendor’s strategy to direct resources, skills and offerings to meet the specific needs of individual market segments, including vertical markets.
Innovation: Direct, related, complementary and synergistic layouts of resources, expertise or capital for investment, consolidation, defensive or pre-emptive purposes.
Geographic Strategy: The vendor’s strategy to direct resources, skills and offerings to meet the specific needs of geographies outside the “home” or native geography, either directly or through partners, channels and subsidiaries as appropriate for that geography and market.

Critical Capabilities for Endpoint Protection Platforms

Published 30 April 2018 – ID G00334896 – 33 min read


Endpoint protection is evolving to address security architecture tasks such as hardening, investigation, incident detection and incident response. Security and risk management leaders should evaluate EPP vendors’ ability to keep up with modern endpoint threats and their deployment requirements.

Overview

Key Findings

  • Advanced prevention capabilities such as machine learning, software behavior analytics and exploit prevention are no longer only available from newer EPP vendors; rather, they have become part of the core set of prevention solutions offered by nearly all vendors in this market.
  • Many Type B organizations want to incorporate advanced EDR capabilities as a means of actively detecting and responding to threats; however, EDR solutions remain challenging to deploy and operate for most.
  • Most Type B and Type C organizations eventually elect to use EDR as a forensics-focused solution if they operate it themselves, or they opt to engage managed services to supplement their internal capabilities.
  • The appeal of traditional EPP suites has somewhat been tempered over the recent years, with the emphasis and focus on newer malware detection features and capabilities such as machine learning and behavioral analysis. Still, many Type B and Type C organizations continue to derive significant value from the integration and common management provided by them.

Recommendations

Security and risk management leaders responsible for endpoint protection platforms:
  • Type A organizations: Focus on solutions that are flexible and customizable to meet their operational requirements.
  • Type B organizations: Focus on a blend of prevention and detection and response capabilities commensurate with the skills and experience of their security operations teams. Alternatively, evaluate MSS and MDR capabilities to extend their internally available capabilities.
  • Type C organizations: Emphasize prevention-focused solutions. Evaluate EDR mainly as a forensics capability only, and favor solution providers that also offer MSS and MDR capabilities.

Strategic Planning Assumption

By 2021, endpoint protection platforms (EPPs) will provide automated, orchestrated incident investigation and breach response. Separate, stand-alone endpoint detection and response (EDR) solutions will focus on managed security service provider (MSSP) and large enterprise security operations center (SOC) environments.

What You Need to Know

This document was revised on 29 May 2018. The document you are viewing is the corrected version. For more information, see the Corrections page on gartner.com.
This Critical Capabilities research is based on the same data set used for the 2018 Magic Quadrant for Endpoint Protection Platforms. Both documents evaluate products that were publicly available on or before 14 November 2017.
In September 2017, in response to changing market dynamics and client requirements, Gartner adjusted its definition of an EPP. An EPP is a solution deployed on endpoint devices to prevent file-based malware, to detect and block malicious activity from trusted and untrusted applications, and to provide the investigation and remediation capabilities needed to dynamically respond to security incidents and alerts (see “Redefining Endpoint Protection for 2017 and 2018”).
Organizations are placing a premium on protection and detection capabilities within an EPP, and are depreciating the EPP vendors’ ability to provide data protection capabilities such as data loss prevention, encryption or server controls. Security buyers are increasingly looking to the built-in security capabilities of their OS vendors, and most organizations are adopting disk encryption at the OS level with BitLocker in Microsoft Windows 10 and FileVault in Apple macOS.
Concurrently, protection for servers has diverged from EPP, with specialized tools to address the modern hybrid data center (cloud and on-premises; see “Market Guide for Cloud Workload Protection Platforms”). Gartner recommends that organizations separate the purchasing decisions for server workloads from any product or strategy decisions involving endpoint protection. The evolutionary shift from hardware servers to virtual machines (VMs), containers and private/public cloud infrastructure means that server workloads now have different security requirements compared to end-user-focused, interactive endpoints (see “Endpoint and Server Security: Common Goals, Divergent Solutions”).
This is a transformative period for the EPP market, and as the market has changed, so has the analysis profile used for this research. In the 2017 Magic Quadrant for Endpoint Protection Platforms, capabilities traditionally found in the EDR market (see “Market Guide for Endpoint Detection and Response Solutions”) were considered as “nice to have” features. In this 2018 research, some of these features are now core components of an EPP that can address and respond to modern threats.
Note that definitions of Type A, B and C organizations are found in the Use Cases section.

Analysis

Critical Capabilities Use-Case Graphics

Figure 1. Vendors’ Product Scores for Type A Use Case
Source: Gartner (April 2018)

Figure 2. Vendors’ Product Scores for Type B Use Case
Source: Gartner (April 2018)

Figure 3. Vendors’ Product Scores for Type C Use Case
Source: Gartner (April 2018)

Vendors

Bitdefender

Bitdefender provides a solution that is among the highest evaluated effectiveness across a broad range of platforms and capabilities in third-party scores. Its solution is the most repackaged across all EPP vendors. Bitdefender offers EPP and EDR in one platform, and one agent across endpoints, and physical, virtual or cloud servers. While a large part of the installed base is in the consumer segment, the gap between enterprise and consumer business is narrowing.
Bitdefender is a good choice for organizations that value malware detection accuracy and performance, as well as full support for data center and cloud workloads from a single solution provider. Bitdefender is also a partner for Microsoft’s Windows Defender Advanced Threat Protection (ATP) platform, providing agents for Linux and macOS.
The vendor continues to round out its endpoint features for larger enterprises. However, its brand awareness remains low. Bitdefender’s cloud-based, single-agent approach, large installed base, and recently released EDR module keep it relevant in this space.

Carbon Black

Carbon Black is in the middle of a significant corporate transition, consolidating its overall offerings into a new cloud-based security platform called Predictive Security Cloud. The company’s overall offerings consist of Cb Defense (EPP), Cb Response (threat hunting and incident response), and Cb Protection (application whitelisting and device lockdown). Carbon Black began to consolidate EDR features from Cb Response into Cb Defense in 2017 as it started to build a presence in the EPP market. With the upcoming movement to cloud-based management and agent consolidation, Carbon Black implementations should become much simpler for its clients.
Cb Response is typically found in more complex environments with very mature security operations teams. The Cb Defense agent collects and sends all the unfiltered endpoint data to the cloud using a proprietary data streaming mechanism that eliminates bursting and peaks on networks.

Cisco

Cisco’s Advanced Malware Protection (AMP) for Endpoints consists of prevent, detect and respond capabilities deployed as a cloud-managed solution that can be hosted in a public or private cloud.
Cisco’s AMP for Endpoints leverages similar technology to the AMP capabilities in other Cisco products. Its AMP Cloud technology detects known threats, and uses threat intelligence data from Threat Grid and Talos security researchers for exploit prevention.
Gartner clients rarely shortlist AMP for Endpoints for its technology. When they do, it is usually because they get a strong financial incentive when purchasing other Cisco products. AMP for Endpoints did not participate in public endpoint-focused third-party testing in 2017, which impacts its scores in this Critical Capabilities.
Cisco’s AMP solution has the most appeal for existing Cisco clients that leverage other Cisco security solutions and aspire to establish security operations around Cisco products.

Comodo

The Comodo brand is best-known as a digital certificate authority. In October 2017, Francisco Partners acquired a majority stake in Comodo’s certificate authority business, with Comodo planning to focus on its endpoint protection strategy.
Comodo Advanced Endpoint Protection (AEP) includes malware protection, a host-based intrusion prevention system (HIPS), web filtering, a personal firewall, sandbox analysis, vulnerability analysis and patching, and a classification capability that helps guarantee a good or bad verdict on all executable files. When an executable is untrusted or unknown, it is run in a tightly controlled container to isolate any potentially malicious activity.
Comodo also sells secure web gateways, web application firewalls and mobile device management focused on midsize enterprises and small and midsize businesses (SMBs). Its security products are managed from a central web-based portal that manages service request ticketing and workflow.

CrowdStrike

CrowdStrike Falcon’s lightweight single agent supports all environments (physical, virtual and cloud) and functions with the same agent and management console for Falcon Prevent protection and Falcon Insight EDR. With its EDR heritage, CrowdStrike records most endpoint events and sends all recorded data to its cloud for analysis and detection. Some prevention is done locally on the agent.
Alongside EPP and EDR capabilities, CrowdStrike offers a complementary service called Falcon OverWatch that is widely used by its clients.
Falcon OverWatch provides managed threat hunting, alerting, response and investigation assistance.
Organizations with small or no SOC teams will find the combination of Falcon OverWatch and Falcon Endpoint Protection compelling. CrowdStrike also offers a well-respected breach response service.

Cylance

Cylance was one of the pioneers in using machine learning (ML) to detect file-based malware, but by 2017, most EPP competitors claimed to have added ML capabilities, pressuring Cylance to more aggressively address non-file-based attacks. In late May 2017, Cylance formally launched its EDR product, CylanceOPTICS, which was late to market compared to other vendors, and is generally perceived to be lacking in advanced capabilities already available in key competing products.
Eighty-five percent of Cylance’s business is in North America, although the company has about 3,700 customers across the globe, half of which represent organizations with fewer than 500 seats.
CylancePROTECT is cloud-based, with Cylance hosting and managing the console infrastructure directly. The vendor finally started participating in the VirusTotal community in 2017, but has a poor third-party test participation record when compared with established EPP vendors.
Cylance is a good EPP shortlist candidate for organizations requiring a lightweight, low-impact client agent.

Endgame

Endgame is a privately held organization that has evolved from pure EDR for large enterprises and defense organizations, with the addition of prevention capabilities for the broader enterprise market.
Endgame is one of the few vendors in this analysis that sells a single product offering — meaning there are no additional add-ons or purchases — to address protection, detection and response use cases.
The platform is missing a number of traditional EPP-related features, such as application control and suspicious file quarantining. Yet Endgame scores well in protection capabilities by focusing on the tools, techniques and procedures used by adversaries, rather than simply looking for bad files.
Endgame’s big differentiator is in its investigation and threat-hunting capabilities, where natural language understanding (NLU) queries, such as “Search for PowerShell” and “Find NetTraveler,” allow organizations to make use of advanced detection capabilities without the need for deep experience.
Endgame is a good EPP shortlist candidate for organizations with an existing or emerging SOC where incident investigation and response is a key requirement.

ESET

ESET has a strong EPP market share among SMBs to large enterprises. It provides protection with a lightweight agent that includes a large protection stack, consisting of a host-based intrusion prevention system (HIPS), ML, exploit prevention, detection of in-memory attacks and ransomware behavior detection.
ESET recently launched an additional platform for EDR capabilities, called Enterprise Inspector. Customers with experienced security staff will be able to inspect and modify the detection rules within Enterprise Inspector, and further tailor them to their unique requirements.
ESET has significant security community mind share through published research, disruption of organized crime and its WeLiveSecurity website. The vendor’s evaluation is impacted in this assessment by its limited cloud management capabilities, and the relative lateness of its EDR capabilities.
ESET has localized support in 35 languages, which means it is an attractive choice for globally distributed organizations. Its protection capabilities make it a solid shortlist candidate for any organization.

FireEye

FireEye is a security suite vendor that provides email, web, network, endpoint security and threat intelligence, which are managed in the Helix security operations platform.
FireEye revenue from its HX Series endpoint security product is a relatively small portion of the vendor’s overall business. The HX management console is deployed through the cloud or as a virtual or on-premises hardware appliance that supports up to 100,000 endpoints.
FireEye Endpoint Security 4.0 shipped in late September 2017; therefore, market response to FireEye’s endpoint protection capabilities was limited during this research period.

Fortinet

Fortinet is a network security suite vendor whose products include enterprise firewalls, email security, sandbox, web application firewalls and its FortiClient endpoint security software. FortiClient includes components designed to work in conjunction with Fortinet products, including FortiGate (firewall), FortiSandbox, FortiMail, FortiWeb and others.
FortiClient is not well-known to most Gartner clients that inquire about endpoint security, and we see little adoption of it outside of Fortinet’s client base. FortiClient is becoming more focused on the enterprise space, but its current installed base is mostly in the SMB space, and about half of its customers have fewer than 1,000 seats installed.
Gartner clients will find Fortinet most appealing when integrated as part of an existing Fortinet deployment.

F-Secure

In 2017, F-Secure continued with its long track record for high-accuracy, lightweight and low-impact anti-malware detection with its cloud-based F-Secure Protection Service for Business (PSB) offering and on-premises solution, F-Secure Business Suite. F-Secure added an integrated password manager with password protection capabilities and improved device control management to PSB and Business Suite. F-Secure also added ML capabilities to Rapid Detection Service, which is its managed EDR solution.
Over the past 12 months, F-Secure further enhanced its product deployment and management capabilities, making it a good choice for larger, more complex enterprises.
F-Secure is focusing its investments in its managed service offerings, and has added product enhancements with a specific focus on preventing ransomware attacks.

Kaspersky Lab

Kaspersky Lab’s research team makes up one-third of the organization, and is well-known for its accurate malware detection and in-depth investigation and analysis of many sophisticated attacks.
Kaspersky Lab is late to market with EDR capabilities, and has no vendor-managed, SaaS-type cloud-based management options for organizations with more than 1,000 endpoints to manage.
In September 2017, the U.S. government ordered all federal agencies to remove Kaspersky Lab’s software from their systems. Furthermore, several media reports, citing unnamed intelligence sources, have claimed that Kaspersky’s software was being used by the Russian government to access sensitive information. Although the U.S. government has not given any official explanation for the ban, Kaspersky Lab vehemently refutes the unsubstantiated claims and stresses that there has yet to be any evidence produced of its alleged wrongdoing. Kaspersky maintains that the actions lack sufficient basis and are unconstitutional, and has initiated legal action against the U.S. government. Gartner clients, especially those who work closely with U.S. federal agencies, should continue to monitor this situation for updates.
From a technology and malware prevention perspective, Kaspersky Lab remains a good candidate as a solution for any organization that is not constrained by U.S. government recommendations. Despite the media stories surrounding Kaspersky Lab, it continues to grow its endpoint presence globally.

Malwarebytes

In 2017, Malwarebytes delivered cloud-based management, and added mainstream and advanced EDR capabilities to its single agent, which includes the breach remediation tools for remediating infections. It is one of the few vendors in this space that can roll back the changes made by ransomware, including restoring files that were encrypted in the attack. This ransomware remediation can be performed remotely from the cloud management console up to 72 hours after the attack, without the need for any local access to an endpoint.
For organizations with small IT or security teams, Malwarebytes provides strong protection capabilities and some advanced EDR capabilities, all at an attractive price point. For larger organizations or organizations with a mature security team, there are some missing enterprise features that make the Malwarebytes solution a challenge to incorporate into an existing SOC workflow.

McAfee

Intel completed the sale of 51% of McAfee to TPG in April 2017 and, as a stand-alone company, McAfee has refocused its efforts on the core aspect of its business: endpoint protection. McAfee remains one of the top three incumbent EPP vendors by market share, and its execution issues over the past three years make it the top competitive target for displacement by other vendors in the EPP Critical Capabilities.
Specifically, Endpoint Security (ENS) version 10.x (v.10.x) upgrades remained a very challenging adoption cycle for most McAfee clients. The feature set and protection capabilities included in the most recent release are quite compelling, and public test scores have improved over the past year. However, McAfee’s execution assessment is hampered by organizations continuing to be hesitant to adopt the latest version, leaving those organizations vulnerable to commodity malware as well as more advanced threats. Gartner client inquiry data identified McAfee as the single most-quoted EPP vendor that clients were planning to replace. Customer satisfaction scores were low again for 2017.
McAfee’s ePolicy Orchestrator (ePO) continues to be the most quoted reason for clients initially adopting McAfee solutions in their environment, or for retaining McAfee over their contract terms and subsequent renewals. However, disenchantment with the EPP product is quickly eroding the perceived value of ePO in favor of vendors with cloud-based EPP management.
McAfee remains a good shortlist candidate for medium and larger organizations requiring an effective solution and that have a focus on an integrated management and reporting capability.

Microsoft

Microsoft is unique in the EPP space, as it is the only vendor with the capacity to embed protection features directly into the OS. It has used this advantage to step up its efforts in security with Windows 10 features, improvements to Windows Defender (also known as System Center Endpoint Protection), and the addition of Windows Defender Advanced Threat Protection and Windows Defender Security Center.
Windows 10 OS-level features and capabilities available with Windows Enterprise E3 and E5, such as Application Guard, AppLocker, Secure Boot, Device Guard, Exploit Guard, Advanced Threat Protection (ATP) and Credential Guard, significantly improve protection against current common threats. However, these protections are not as integrated in previous OS versions.
Overall, Microsoft now provides a broad range of security protections that address a wide spectrum of threats across endpoint, Office 365 and email. The comprehensive solution set will resonate with most organizations’ security requirements, provided their budgets stretch to the higher-tier, E5-level subscription.
Microsoft has become the most-asked-about vendor during EPP-related Gartner client inquiry calls, and there is significant interest in using the security capabilities in Windows 10 to reduce security spend with other vendors. However, while it is improving its detection rates, the solution continues to be challenged to protect against sophisticated threats, and manageability of the solution remains a challenge.

Palo Alto Networks

Palo Alto Networks is still best-known to Gartner clients for its next-generation firewall (NGFW) product line, and this continues to be the main line of introduction to Palo Alto Networks Traps for Gartner clients.
Traps uses a stack of nonsignature detection capabilities, such as ML, static and dynamic analysis, as well as monitoring processes and applications as they are spawned for suspicious activity and events. Suspect files from the endpoint can be tested by Palo Alto Networks WildFire, its cloud-based threat analysis and malware sandboxing platform, which is included with a Traps subscription.
Palo Alto Networks acquired LightCyber in 2017; its behavioral-based analytics technology provides automated detection of suspicious user and entity activity indicative of malware. Traps without LightCyber currently offers limited EDR capabilities, which impacts its scores in this assessment.
Gartner clients will find Palo Alto Networks Traps most appealing when it can integrate with an existing Palo Alto Networks NGFW deployment.

Panda Security

Panda Security’s main value proposition is the classification or attestation of every single executable file and process on a protected endpoint device. It is the only vendor to include a managed threat hunting service in the base purchase of its EPP. Adaptive Defense 360 is fully cloud managed, and combines EPP and EDR into a single offering and single agent.
The attestation service implements an automatic application whitelisting model, where only trusted and approved applications and processes are able to execute.
Panda Security’s cloud-first approach, and the managed services backing the EPP and EDR capabilities, are beginning to increase brand awareness outside of Europe.
Organizations without experienced security staff will find Panda Security a good shortlist candidate for an EPP solution, as will organizations considering managed detection and response solutions that are prepared to replace their incumbent EPP vendor.

SentinelOne

SentinelOne is a part of the new wave of EPP solution providers that have experienced fast growth over the past few years. The cloud-based solution is designed around an embedded EDR feature set and behavioral protection. SentinelOne was one of the first vendors to offer a ransomware protection guarantee based on its behavioral detection and file journaling features.
SentinelOne offers endpoint visibility for investigative information in real time, and an API to integrate common-format, indicator of compromise (IOC)-based threat feeds.
SentinelOne is a good prospect to replace or augment existing EPP solutions for any organization looking for a solution with strong protection and visibility.

Sophos

In March 2017, Sophos acquired Invincea — a Visionary vendor in the 2017 Magic Quadrant for Endpoint Protection Platforms — giving Sophos access to its deep-learning ML algorithms.
The Sophos Intercept X product, designed to protect against and recover from the malicious actions related to ransomware and exploits, is available to Sophos Endpoint Protection customers and as an augmentation to an incumbent EPP.
Also included in the Intercept X purchase are Sophos’ EDR-like capabilities — called Root Cause Analysis — and the ML malware detection technology from the acquisition of Invincea, which was added in late 2017.
Sophos’ cloud-based EPP with the Intercept X platform is a good fit for organizations that can take advantage of a cloud-based administration platform, and that value strong protection against ransomware and exploit-based attacks over advanced forensic investigation capabilities.

Symantec

Symantec continues to provide one of the most comprehensive EPPs available in this market, with third-party test scores remaining in the top tier. Symantec has added advanced features to better address the changing threat landscape, becoming the first vendor to combine malware protection, EDR, system hardening and deception capabilities in a single agent. Application whitelisting continues to be a weak point.
Symantec has begun the process of migrating its offerings to a cloud-first model, with a hybrid option available to clients that prefer to maintain some of the management capabilities on-premises.
Symantec remains a good shortlist candidate for organizations of all sizes.

Trend Micro

Trend Micro is the third-largest vendor in the EPP market, with products ranging across network, data center and endpoint systems. It has a large worldwide footprint, with more than half of its business coming from Japan and the Americas.
Although the vendor has had a rather unremarkable year from a technology innovation perspective, it ticks the boxes for mainstream EPP requirements, particularly for buyers looking for a comprehensive suite of solutions at an affordable price. Trend Micro’s EDR solution is delivered as a separate agent from the EPP agent. While it integrates with additional on-premises products such as the Deep Discovery sandbox, it lacks integration with Trend Micro’s cloud sandbox and cannot be managed from Trend Micro’s cloud platform.
One of Trend Micro’s biggest advantages is its vulnerability assessment and virtual patching technology, which uses an IPS engine to detect vulnerabilities, and uses HIPS to create a virtual patch to block the exploitation.
Trend Micro remains a good shortlist candidate for organizations of all sizes.

Context

When selecting EPP solutions, enterprises should evaluate them in terms of support for specific use cases. Vendors differ in their ability to accommodate different use cases. This research ranks vendors’ solutions against typical use cases.

Product/Service Class Definition

Gartner reviewed the following classes of products and services: prevention, console alerting and reporting, EDR core functionality, EDR advanced response, third-party integration, EPP suite, managed services, geographic support, and OS support.

Critical Capabilities Definition

Prevention

This is the quality, quantity, accuracy and ease of administration of an EPP’s anti-malware technology.
It covers the tools required to block file-based malware attacks, detect and prevent fileless malware attacks, and mitigate the risk of OS and application vulnerabilities. We look at test results from various independent testing organizations and data from VirusTotal, and use Gartner client inquiries as guides to the effectiveness of these techniques and implementations against modern malware.
EPP Suite

This is the support for EPP components traditionally offered as part of an extended EPP suite, in addition to anti-malware and anti-exploit based prevention.
These include offerings for a personal firewall, port and device control, application control, enterprise mobility management, data protection (such as full disk and file encryption) and data loss prevention. Vendors that offer a broad range of capabilities as part of an extended EPP suite are given extra credit here.
Console Alerting and Reporting

This is the provisioning of a centralized, role-centric console or dashboard that enhances the real-time visibility of an organization’s endpoint security state.
It provides clearly prioritized alerts and warnings and intuitive administration workflows. Vendors that have delivered a cloud-first model with feature parity to an on-premises management platform are given extra credit, as organizations struggle to maintain visibility and control over endpoints in use by the increasing remote workforce.
EDR Core Functionality

This is the EDR component’s capabilities for discovering, reporting and prioritizing vulnerabilities present in the environment.
It provides educated guidance for customers to visualize and investigate incidents, remediate malware infections and provide clear root cause analysis, helping reduce the attack surface. EDR core capabilities are typically focused on a forensics use of EDR, meaning investigating an event well after it has occurred. Vendors that focus on lowering the knowledge and skills barrier through guided response tools and easy to-understand and easy-to-use user interfaces are given extra credit here.
EDR Advanced Response

These are the EDR component’s advanced investigative and remediation capabilities, complex automation, and ability to send and receive detailed investigative workflow information.
It provides capabilities and customizations that push EDR from a functionally forensics-focused use case to an adaptable detection and response platform that can detect and investigate an event as it occurs. Vendors that focus on providing advanced customization capabilities required by an active security operations center are given extra credit here.
Third-Party Integration

This is the support, via APIs and unidirectional or bidirectional integration, for third-party on-premises and cloud-based solutions such as Active Directory, security information and event management (SIEM), sandboxes, firewalls, threat and indicator of compromise feeds, and SOAR/orchestration platforms.
It provides unidirectional and bidirectional communication between the endpoint agent and/or console and third-party resources, enhancing prevention, detection, analysis and response with the rich data available only on those other platforms. Vendors that not only provide a set of APIs for their own products, but have also demonstrated integrations with a widely diverse set of third parties to provide additional context and correlation of events, are given extra credit here.
Managed Services

This is support for managed security solutions (MSS) and managed detection and response (MDR) offerings.
MSS offerings typically focus on the deployment and remote operation of traditional endpoint security solutions, including most of the components of a traditional EPP suite. MDR offerings focus on remotely delivering a managed security service that responds to threats that have made it past the prevention capabilities deployed within an environment. MDR solutions that actively detect, investigate, contain and mitigate threats are given extra credit here.
Geographic Support

This is a vendor’s ability to support global customers, as well as the number of languages it supports.
Vendors offering local, regional support offices, 24/7 support in each client region, and other local resources to assist with the deployment and operation of their solutions in a global deployment context (including MSS and MDR) are given extra credit here.
OS Support

This is a vendor’s ability to support the typical operating systems found in client organizations.
Several vendors focus solely on Windows endpoints. Solutions that can also support macOS and Linux with near parity on the features delivered in the Windows clients, most notably in advanced prevention and the activity and event monitoring areas of EDR, are given extra credit here.

Use Cases

Type A

Type A organizations, also referred to as “lean forward” organizations, adopt new technologies very early in the adoption cycle.
Type A organizations represent the smallest group of organizations. They have the budgeting and staffing resources to configure and implement new technologies and solutions rapidly within their environment. These organizations tend to focus on best-of-breed solutions that best address their business, technology and security needs, and have the capacity to integrate, develop or build custom-made components as required. They see the use of technology as a competitive differentiator. Their tolerance for risk is high, and their approach to technology change is to run projects in parallel, with multiple teams working on technology and business changes simultaneously. For EPP, these organizations focus on best-of-breed prevention, detection and response.
Type B

Type B organizations aim to stay relatively current on technology without getting too far ahead or behind their competition.
Type B organizations represent the largest group of organizations. They typically experience budgeting and staffing resource constraints and, as a result, focus on overall value by weighing the risks of the early use of new technology against the benefits. Their focus is on technology deployments that improve their organization’s productivity, product quality, customer service and security. Type B organizations typically wait for a technology to become mainstream before considering implementation. They tend to be moderate in their approach, frequently using benchmarks within their industry to justify their investments in technology. Type B organizations balance innovation with reasonable caution when selecting new solutions. For EPP, these organizations focus on a blended approach between prevention, detection and response capabilities that can be complemented with managed services where needed.
Type C

Type C organizations typically view technology as an expense or operational necessity, and use it as a means to reduce costs.
Type C organizations represent the second-largest group. These organizations experience severe budgeting and staffing resource constraints and, as a result, prefer simply to deploy and use integrated solutions with managed services add-ons that can best complement their minimal staff. These organizations wait for technologies to become absolutely stable and for the costs to acquire and operate them to reach the lowest quartile before committing to purchase. For EPP, these organizations focus on prevention rather than on integrated detection and response capabilities, and on solutions that offer a complement of managed services.

Vendors Added and Dropped

Added

None

Dropped

None

Inclusion Criteria

Inclusion in this Critical Capabilities was limited to vendors that met these minimum criteria:
  • The majority of detection events must be from the vendor’s own detection technique, and designed, owned and maintained by the vendor itself. Augmenting with an OEM engine is acceptable, provided it is not the primary method of detection.
  • The vendor’s nonconsumer EPP must have participated in independent, well-known, public tests for accuracy and effectiveness within the 12 months prior to 18 November 2017, or be a current participant in the VirusTotal public interface. Examples include Virus Bulletin, AV-TEST, AV-Comparatives, NSS Labs and SE Labs.
  • The vendor must have more than five named accounts larger than 10,000 seats that use the vendor’s EPP as their sole EPP.
  • The vendor must have a minimum of 500,000 deployed licenses, protecting nonconsumer endpoints, with at least 50,000 of those licenses protecting nonconsumer endpoints within North America.
  • The vendor must satisfy at least 12 of the following “basic” capabilities, and at least four of the following “desirable” capabilities:
    • Basic capabilities:
      • Blocks known and unknown file-based malware, without relying on daily signature distribution
      • Detects suspicious and malicious activity based on the behavior of a process
      • Implements protection for common application vulnerabilities and memory exploit techniques
      • Can perform static, on-demand malware detection scans of folders, drives or devices such as USB drives
      • Suspicious event data can be stored in a centralized location for retrospective IOC and indicator of attack (IOA) searching and analysis
      • Allows real-time IOC/IOA searching across all endpoints (for example, file hash, source/destination IP, registry key)
      • Allows remote quarantining of an endpoint, restricting network access to only the EPP management server
      • Automatically updates policies, controls and new agent/engine versions without connecting directly to the corporate network
      • Continues to collect suspicious event data when outside of the corporate network
      • Detections and alerts include severity and confidence indicators, to aid in prioritization
      • Provides risk-prioritized views based on confidence of the verdict and severity of the incident
      • Displays full process tree to identify how processes were spawned, for an actionable root cause analysis
      • Automatically quarantines malicious files
      • Identifies changes made by malware, and provides the recommended remediation steps
      • Detects, blocks and reports attempts to disable or remove the EPP agent
    • Desirable capabilities:
      • Primary EPP console uses a cloud-based, SaaS-style, multitenant infrastructure, and is operated, managed and maintained by the vendor
      • Implements vulnerability shielding (aka virtual patching) for known vulnerabilities in the OS and for non-OS applications
      • Can implement default-deny whitelisting with a vendor-maintained “app store”-type approach and user self-service features
      • Can implement application isolation to separate untrusted applications from the rest of the system
      • Includes access to a cloud- or network-based sandbox that is VM-evasion-aware
      • Includes deception capabilities designed to expose an attacker
      • Vendor itself offers managed detection services, alerting customers to suspicious activity
      • Vendor itself offers managed threat hunting, or managed IOC/IOA searching, for detecting the existence of threats (not via a third party or channel)
      • Supports advanced natural-language queries with operators and thresholds (for example, “Show all machines with new PE >1 week old AND on <2% of Machines OR Unknown”)
      • Provides guided analysis and remediation based on intelligence gathered by the vendor (for example, “85% of organizations follow these steps”)
      • Provides attribution information and potential motivations behind attacks
      • Can utilize third-party, community and intelligence feeds
      • Allows remote remediation via the management console
      • Includes APIs for integration with security orchestration, automation and response (SOAR)/orchestration platforms for automation
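Two of the basic capabilities listed above, the full process tree for root cause analysis and real-time IOC searching across endpoints, as an added example in Python (this is not code from the report or from any vendor's product). The event records, hosts, PIDs, paths and hash labels are constructed for illustration; a real agent records far more fields (process start time, user, integrity level, parent image hash) and keys processes on start time as well as PID, because PIDs are reused.

```python
"""Process-tree reconstruction and cross-endpoint IOC search over
process-creation telemetry.  Added illustration of two of the "basic
capabilities" above; the hosts, PIDs, paths and hash values are constructed
placeholders, not telemetry from any EDR product."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    host: str
    pid: int
    ppid: int
    image: str      # full image path as recorded by the agent
    cmdline: str
    sha256: str     # placeholder label standing in for the image's SHA-256


# Constructed sample: on ws-017 a macro document spawns cmd -> powershell ->
# an unknown binary; the same binary later appears on ws-042.
EVENTS = [
    ProcEvent("ws-017", 412, 1, r"C:\Windows\explorer.exe", "explorer.exe", "h_explorer"),
    ProcEvent("ws-017", 2210, 412, r"C:\Program Files\Microsoft Office\WINWORD.EXE",
              'WINWORD.EXE /n "invoice.docm"', "h_winword"),
    ProcEvent("ws-017", 2388, 2210, r"C:\Windows\System32\cmd.exe",
              "cmd.exe /c powershell -w hidden -enc <base64>", "h_cmd"),
    ProcEvent("ws-017", 2401, 2388, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell -w hidden -enc <base64>", "h_powershell"),
    ProcEvent("ws-017", 2477, 2401, r"C:\Users\jdoe\AppData\Local\Temp\upd.exe", "upd.exe", "h_upd"),
    ProcEvent("ws-042", 500, 1, r"C:\Windows\explorer.exe", "explorer.exe", "h_explorer"),
    ProcEvent("ws-042", 3100, 500, r"C:\Users\asmith\AppData\Local\Temp\upd.exe", "upd.exe", "h_upd"),
]

SESSION_ROOTS = {"explorer.exe"}   # interactive-session launchers: not themselves a root cause


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1]


def processes_on(events, host):
    """pid -> event for one host (a real store would also key on process start time)."""
    return {ev.pid: ev for ev in events if ev.host == host}


def ancestry(events, host, pid):
    """Follow ppid links from `pid` to the top of the recorded tree, root first.
    The `seen` set guards against looping on inconsistent telemetry (PID reuse)."""
    procs = processes_on(events, host)
    chain, seen = [], set()
    cur = procs.get(pid)
    while cur is not None and cur.pid not in seen:
        seen.add(cur.pid)
        chain.append(cur)
        cur = procs.get(cur.ppid)   # None once the parent is outside the recorded data
    chain.reverse()
    return chain


def root_cause(events, host, pid):
    """First process in the chain that is not a session launcher: the application
    the user-initiated activity came from (here, Word opening the .docm)."""
    for ev in ancestry(events, host, pid):
        if basename(ev.image).lower() not in SESSION_ROOTS:
            return ev
    return None


def render_tree(events, host, root_ppid=1):
    """Indented text view of the full tree under `root_ppid` (1 is the root in this sample)."""
    kids = defaultdict(list)
    for ev in events:
        if ev.host == host:
            kids[ev.ppid].append(ev)
    lines = []

    def walk(ppid, depth):
        for ev in sorted(kids.get(ppid, []), key=lambda e: e.pid):
            lines.append("  " * depth + f"{ev.pid} {basename(ev.image)}  [{ev.cmdline}]")
            walk(ev.pid, depth + 1)

    walk(root_ppid, 0)
    return "\n".join(lines)


def search_ioc(events, sha256=None, image_suffix=None):
    """IOC search across every endpoint's event store: match on file hash
    and/or image path suffix; returns sorted (host, pid) hits."""
    hits = []
    for ev in events:
        if sha256 is not None and ev.sha256 != sha256:
            continue
        if image_suffix is not None and not ev.image.lower().endswith(image_suffix.lower()):
            continue
        hits.append((ev.host, ev.pid))
    return sorted(hits)


if __name__ == "__main__":
    print(render_tree(EVENTS, "ws-017"))
    print("root cause:", root_cause(EVENTS, "ws-017", 2477).cmdline)
    print("hosts with h_upd:", search_ioc(EVENTS, sha256="h_upd"))
```

Running the block prints the ws-017 tree, names WINWORD.EXE opening invoice.docm as the root cause of upd.exe, and shows that the same hash is already present on ws-042, which is the pivot from a single alert to scoping across the estate. The `seen` guard in `ancestry` matters in practice: telemetry that has lost or reused a PID can otherwise send a naive parent walk into a loop.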

Table 1: Weighting for Critical Capabilities in Use Cases

Critical Capabilities            Type A   Type B   Type C
Prevention                         10%      15%      20%
Console Alerting and Reporting      5%      15%      20%
EDR Core Functionality             20%      15%      10%
EDR Advanced Response              20%       5%       0%
Third-Party Integration            15%       5%       0%
EPP Suite                           5%      10%      15%
Managed Services                    5%      15%      25%
Geographic Support                 10%      10%       5%
OS Support                         10%      10%       5%
Total                             100%     100%     100%
Source: Gartner (April 2018)
This methodology requires analysts to identify the critical capabilities for a class of products/services. Each capability is then weighted in terms of its relative importance for specific product/service use cases.

Critical Capabilities Rating

Each of the products/services has been evaluated on the critical capabilities on a scale of 1 to 5; a score of 1 = Poor (most or all defined requirements are not achieved), while 5 = Outstanding (significantly exceeds requirements).

Table 2: Product/Service Rating on Critical Capabilities

Columns: Prev = Prevention; Cons = Console Alerting and Reporting; Core = EDR Core Functionality; Adv = EDR Advanced Response; 3rd = Third-Party Integration; Suite = EPP Suite; MS = Managed Services; Geo = Geographic Support; OS = OS Support. Ratings are on the 1 (Poor) to 5 (Outstanding) scale.

Vendor               Prev  Cons  Core  Adv   3rd   Suite  MS    Geo   OS
Bitdefender          4.5   3.5   2.5   2.0   3.2   4.0    3.0   4.0   4.5
Carbon Black         2.3   3.0   3.0   2.0   3.0   1.0    2.5   4.0   3.0
Cisco                2.3   3.0   3.0   2.2   3.0   1.0    3.0   4.0   3.2
Comodo               3.5   3.0   2.5   3.0   2.0   3.0    2.7   3.7   3.8
CrowdStrike          3.5   4.0   4.0   4.5   4.0   2.0    4.9   3.0   3.8
Cylance              3.0   3.0   3.0   2.2   3.0   2.0    3.2   3.5   3.5
Endgame              3.7   3.5   4.0   3.5   2.5   2.0    2.0   2.0   2.0
ESET                 4.5   4.0   3.3   2.8   2.5   4.0    2.0   4.0   3.8
FireEye              2.3   3.0   3.5   3.5   3.3   1.0    3.0   4.0   3.5
Fortinet             2.5   2.8   3.0   2.5   2.5   3.5    2.0   3.8   3.5
F-Secure             4.0   3.5   4.0   3.2   2.5   3.8    3.5   3.0   3.5
Kaspersky Lab        4.8   3.8   3.2   3.2   3.0   4.5    3.0   4.0   3.8
Malwarebytes         4.5   4.0   3.5   3.3   2.5   3.8    2.0   4.0   2.5
McAfee               4.0   4.3   3.3   3.2   3.3   4.5    2.0   4.0   3.8
Microsoft            3.0   2.2   3.0   2.5   2.5   3.0    2.0   4.0   1.0
Palo Alto Networks   3.5   3.0   2.8   2.0   3.5   1.7    2.0   4.0   2.8
Panda Security       4.0   3.3   3.8   3.2   3.0   3.0    3.5   3.0   3.8
SentinelOne          3.7   3.5   3.8   3.8   3.5   2.5    2.5   3.0   4.0
Sophos               4.3   4.0   2.5   2.5   2.5   4.5    2.8   4.0   3.8
Symantec             4.5   4.0   3.8   3.8   3.3   4.5    2.8   4.0   4.0
Trend Micro          4.5   3.8   3.3   3.2   3.2   4.5    2.5   4.1   3.8
Source: Gartner (April 2018)
Table 3 shows the product/service scores for each use case. The scores, which are generated by multiplying the use case weightings by the product/service ratings, summarize how well the critical capabilities are met for each use case.

Table 3: Product Score in Use Cases

Vendor               Type A  Type B  Type C
Bitdefender          3.21    3.54    3.63
Carbon Black         2.71    2.67    2.49
Cisco                2.79    2.78    2.62
Comodo               2.94    3.06    3.05
CrowdStrike          3.88    3.77    3.77
Cylance              2.90    2.99    2.95
Endgame              3.02    2.88    2.84
ESET                 3.33    3.52    3.52
FireEye              3.23    2.96    2.69
Fortinet             2.87    2.88    2.75
F-Secure             3.41    3.57    3.67
Kaspersky Lab        3.56    3.76    3.86
Malwarebytes         3.33    3.42    3.45
McAfee               3.52    3.60    3.56
Microsoft            2.64    2.58    2.54
Palo Alto Networks   2.85    2.82    2.68
Panda Security       3.42    3.48    3.51
SentinelOne          3.54    3.34    3.17
Sophos               3.15    3.52    3.68
Symantec             3.83    3.87    3.86
Trend Micro          3.56    3.68    3.69
Source: Gartner (April 2018)
To determine an overall score for each product/service in the use cases, multiply the ratings in Table 2 by the weightings shown in Table 1.
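The use-case score is the weighted sum just described (and restated in the methodology section below): each Table 2 rating multiplied by its Table 1 weight, summed, and rounded half-up to two decimals. The Python block below is an added, runnable illustration of that calculation, not Gartner's own tooling: it carries the published weights and ratings, recomputes Table 3 from them, and shows how a buyer can substitute a weighting that reflects their own priorities. The SOC_PROFILE weighting is a hypothetical example profile, not one from the report.

```python
"""Recompute Table 3 from Tables 1 and 2, and re-weight the same ratings for an
organization's own priorities.  Added example: the weights and ratings are the
page's published figures; the helper functions and the custom weighting profile
are this example's own, not Gartner's tooling."""
from decimal import Decimal, ROUND_HALF_UP

CAPABILITIES = (
    "Prevention", "Console Alerting and Reporting", "EDR Core Functionality",
    "EDR Advanced Response", "Third-Party Integration", "EPP Suite",
    "Managed Services", "Geographic Support", "OS Support",
)

# Table 1: weight in percent per capability, in CAPABILITIES order.
WEIGHTS = {
    "Type A": (10, 5, 20, 20, 15, 5, 5, 10, 10),
    "Type B": (15, 15, 15, 5, 5, 10, 15, 10, 10),
    "Type C": (20, 20, 10, 0, 0, 15, 25, 5, 5),
}

# Table 2: rating on the 1 (Poor) to 5 (Outstanding) scale, in CAPABILITIES order.
RATINGS = {
    "Bitdefender":        (4.5, 3.5, 2.5, 2.0, 3.2, 4.0, 3.0, 4.0, 4.5),
    "Carbon Black":       (2.3, 3.0, 3.0, 2.0, 3.0, 1.0, 2.5, 4.0, 3.0),
    "Cisco":              (2.3, 3.0, 3.0, 2.2, 3.0, 1.0, 3.0, 4.0, 3.2),
    "Comodo":             (3.5, 3.0, 2.5, 3.0, 2.0, 3.0, 2.7, 3.7, 3.8),
    "CrowdStrike":        (3.5, 4.0, 4.0, 4.5, 4.0, 2.0, 4.9, 3.0, 3.8),
    "Cylance":            (3.0, 3.0, 3.0, 2.2, 3.0, 2.0, 3.2, 3.5, 3.5),
    "Endgame":            (3.7, 3.5, 4.0, 3.5, 2.5, 2.0, 2.0, 2.0, 2.0),
    "ESET":               (4.5, 4.0, 3.3, 2.8, 2.5, 4.0, 2.0, 4.0, 3.8),
    "FireEye":            (2.3, 3.0, 3.5, 3.5, 3.3, 1.0, 3.0, 4.0, 3.5),
    "Fortinet":           (2.5, 2.8, 3.0, 2.5, 2.5, 3.5, 2.0, 3.8, 3.5),
    "F-Secure":           (4.0, 3.5, 4.0, 3.2, 2.5, 3.8, 3.5, 3.0, 3.5),
    "Kaspersky Lab":      (4.8, 3.8, 3.2, 3.2, 3.0, 4.5, 3.0, 4.0, 3.8),
    "Malwarebytes":       (4.5, 4.0, 3.5, 3.3, 2.5, 3.8, 2.0, 4.0, 2.5),
    "McAfee":             (4.0, 4.3, 3.3, 3.2, 3.3, 4.5, 2.0, 4.0, 3.8),
    "Microsoft":          (3.0, 2.2, 3.0, 2.5, 2.5, 3.0, 2.0, 4.0, 1.0),
    "Palo Alto Networks": (3.5, 3.0, 2.8, 2.0, 3.5, 1.7, 2.0, 4.0, 2.8),
    "Panda Security":     (4.0, 3.3, 3.8, 3.2, 3.0, 3.0, 3.5, 3.0, 3.8),
    "SentinelOne":        (3.7, 3.5, 3.8, 3.8, 3.5, 2.5, 2.5, 3.0, 4.0),
    "Sophos":             (4.3, 4.0, 2.5, 2.5, 2.5, 4.5, 2.8, 4.0, 3.8),
    "Symantec":           (4.5, 4.0, 3.8, 3.8, 3.3, 4.5, 2.8, 4.0, 4.0),
    "Trend Micro":        (4.5, 3.8, 3.3, 3.2, 3.2, 4.5, 2.5, 4.1, 3.8),
}


def weighted_score(vendor, weights):
    """Sum of rating x weight, rounded half-up to two decimals as published.
    Computed in integer units (tenths x percent = thousandths) so no float
    error creeps into the half-up decision (e.g. Carbon Black Type A = 2.705)."""
    if len(weights) != len(CAPABILITIES) or sum(weights) != 100:
        raise ValueError("weights must be one percentage per capability totalling 100")
    thousandths = sum(w * round(r * 10) for w, r in zip(weights, RATINGS[vendor]))
    return float((Decimal(thousandths) / 1000).quantize(Decimal("0.01"), rounding=ROUND_HALF_UP))


def score_table(weights_by_use_case=WEIGHTS):
    """Table 3 layout: use case -> vendor -> score."""
    return {uc: {v: weighted_score(v, w) for v in RATINGS} for uc, w in weights_by_use_case.items()}


def ranking(weights, top=5):
    """Vendors ordered by score under a weighting (ties broken alphabetically)."""
    scored = sorted(((weighted_score(v, weights), v) for v in RATINGS), key=lambda t: (-t[0], t[1]))
    return [v for _, v in scored[:top]]


# Hypothetical profile (not from the report): an organization running its own
# SOC that has no use for the extended suite and little need for vendor
# managed services, so it shifts that weight onto EDR and integration.
SOC_PROFILE = (10, 15, 20, 20, 15, 0, 5, 5, 10)

if __name__ == "__main__":
    for uc in WEIGHTS:
        print(uc, ranking(WEIGHTS[uc], top=3))
    print("SOC profile", ranking(SOC_PROFILE, top=3))
```

Recomputing from the published figures reproduces every Table 3 value exactly, which confirms the scores are plain weighted sums with half-up rounding and no hidden adjustment. The practical use is the re-weighting: the report's three profiles are generic, and a buyer who, say, runs a SOC but has no interest in an extended suite will see a different third-place vendor than the Type A column shows.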

Evidence

  • Gartner responded to more than 2,100 client inquiries from 1Q17 to 1Q18.
  • Gartner conducted an online survey of 129 EPP reference customers in 4Q17.
  • Gartner conducted an online survey of 55 EPP channel references in 4Q17.

Critical Capabilities Methodology

This methodology requires analysts to identify the critical capabilities for a class of products or services. Each capability is then weighted in terms of its relative importance for specific product or service use cases. Next, products/services are rated in terms of how well they achieve each of the critical capabilities. A score that summarizes how well they meet the critical capabilities for each use case is then calculated for each product/service.
“Critical capabilities” are attributes that differentiate products/services in a class in terms of their quality and performance. Gartner recommends that users consider the set of critical capabilities as some of the most important criteria for acquisition decisions.
In defining the product/service category for evaluation, the analyst first identifies the leading uses for the products/services in this market. What needs are end-users looking to fulfill, when considering products/services in this market? Use cases should match common client deployment scenarios. These distinct client scenarios define the Use Cases.
The analyst then identifies the critical capabilities. These capabilities are generalized groups of features commonly required by this class of products/services. Each capability is assigned a level of importance in fulfilling that particular need; some sets of features are more important than others, depending on the use case being evaluated.
Each vendor’s product or service is evaluated in terms of how well it delivers each capability, on a five-point scale. These ratings are displayed side-by-side for all vendors, allowing easy comparisons between the different sets of features.
Ratings and summary scores range from 1.0 to 5.0:
1 = Poor or Absent: most or all defined requirements for a capability are not achieved
2 = Fair: some requirements are not achieved
3 = Good: meets requirements
4 = Excellent: meets or exceeds some requirements
5 = Outstanding: significantly exceeds requirements
To determine an overall score for each product in the use cases, the product ratings are multiplied by the weightings to come up with the product score in use cases.
The critical capabilities Gartner has selected do not represent all capabilities for any product and therefore may not represent those most important for a specific use situation or business objective. Clients should use a critical capabilities analysis as one of several sources of input about a product before making a product/service decision.

Magic Quadrant for Endpoint Protection Platforms

Published 24 January 2018 – ID G00325704 – 64 min read


Endpoint protection is evolving to address more of Gartner’s adaptive security architecture tasks such as hardening, investigation, incident detection, and incident response. Security and risk management leaders should ensure that their EPP vendor evolves fast enough to keep up with modern threats.

Strategic Planning Assumption

By 2021, endpoint protection platforms (EPPs) will provide automated, orchestrated incident investigation and breach response. Separate, stand-alone endpoint detection and response (EDR) solutions will focus on managed security service provider (MSSP) and large enterprise security operations center (SOC) environments.

Market Definition/Description

In September 2017, in response to changing market dynamics and client requirements, we adjusted our definition of an EPP. An EPP is a solution deployed on endpoint devices to prevent file-based malware, to detect and block malicious activity from trusted and untrusted applications, and to provide the investigation and remediation capabilities needed to dynamically respond to security incidents and alerts (see “Redefining Endpoint Protection for 2017 and 2018”).
Organizations are placing a premium on protection and detection capabilities within an EPP, and are placing less value on the EPP vendors’ ability to provide data protection capabilities such as data loss prevention, encryption or server controls. Security buyers are increasingly looking to the built-in security capabilities of their OS vendors, and most organizations are adopting disk encryption at the OS level with BitLocker in Microsoft Windows 10 and FileVault in Apple macOS.
Concurrently, protection for servers has diverged from EPP, with specialized tools to address the modern hybrid data center (cloud and on-premises; see “Market Guide for Cloud Workload Protection Platforms”). Gartner recommends that organizations separate the purchasing decisions for server workloads from any product or strategy decisions involving endpoint protection. The evolutionary shift from hardware servers to VMs, containers and private/public cloud infrastructure means that server workloads now have different security requirements compared to end-user-focused, interactive endpoints (see “Endpoint and Server Security: Common Goals, Divergent Solutions”).
This is a transformative period for the EPP market, and as the market has changed, so has the analysis profile used for this research. In the 2017 Magic Quadrant for Endpoint Protection Platforms, capabilities traditionally found in the EDR market (see “Market Guide for Endpoint Detection and Response Solutions”) were considered “nice to have” features. In this 2018 research, some of these features are now core components of an EPP that can address and respond to modern threats.

Magic Quadrant

Figure 1. Magic Quadrant for Endpoint Protection Platforms (image not included in this copy)
Source: Gartner (January 2018)

Vendor Strengths and Cautions

Bitdefender

Bitdefender provides good effectiveness across a broad range of platforms and capabilities. Bitdefender offers EPP and EDR in one platform, and one agent across endpoints, and physical, virtual or cloud servers.
While a large part of the installed base is in the consumer segment, the gap between enterprise and consumer business is narrowing. Bitdefender is a good choice for organizations that value malware detection accuracy and performance, as well as full support for data center and cloud workloads from a single solution provider. Bitdefender is also a partner for Microsoft’s Defender Advanced Threat Protection (ATP) platform, providing agents for Linux and macOS.
The vendor continues to round out its endpoint features for larger enterprises, and its brand awareness is low, impacting its execution. Bitdefender’s cloud-based, single-agent approach; large installed base; and recently released EDR module keep it relevant in this space.
Strengths
  • Bitdefender’s detection technology is well-regarded and performs well in third-party tests. The vendor has a long list of technology and service providers that use its detection capabilities as OEMs.
  • Bitdefender is noted by clients for ease of use, deployment and customer support, and in particular for its vision of single agent and single console (released in November 2017), providing a fully integrated EPP and EDR solution.
  • Patch management capabilities provide detailed information from the Common Vulnerabilities and Exposures (CVE) repository, along with event severity, helping IT operations to prioritize updates and understand risks.
  • Bitdefender has partnered with Microsoft to provide protection to macOS and Linux systems in a Microsoft Windows Defender EPP environment, and will integrate with the Windows Defender ATP platform.
Cautions
  • While the macOS agent does benefit from machine learning (ML)-based detection instead of the normal substandard signature-based detection typically used for macOS, it does not report EDR data, leaving a visibility gap for most organizations.
  • The Bitdefender EPP agent lacks basic investigation capabilities like real-time indicator of compromise (IOC) searching.
  • There are no options for orchestration or automation with security orchestration, automation and response (SOAR) tools.
  • While Bitdefender has invested in growing its enterprise sales operations, mind share remains low with larger enterprises, thereby limiting shortlist opportunities and apparent viability to larger clients.

Carbon Black

Carbon Black is in the middle of a significant corporate transition, consolidating its overall offerings into a new cloud-based security platform called Predictive Security Cloud. The company’s overall offerings consist of Cb Defense (EPP), Cb Response (threat hunting and incident response), and Cb Protection (application whitelisting and device lockdown). Carbon Black began to consolidate EDR features from Cb Response into Cb Defense in 2017 as it started to build a presence in the EPP market.
Carbon Black has earned a strong reputation as offering one of the leading EDR solutions in the marketplace. Cb Response (threat hunting) is typically found in more complex environments with very mature security operations teams. The Cb Defense agent collects and sends all the unfiltered endpoint data to the cloud using a proprietary data streaming mechanism that eliminates bursting and peaks on networks.
The majority of Carbon Black clients make tactical purchases, usually a one-year subscription with options to renew at the end of the term.
Carbon Black is in the Visionaries quadrant this year, but Cb Defense is still unproven, which impacts its execution. The vendor has a poor record of participation in public, independent malware accuracy and effectiveness testing, which impacts its vision and execution in this assessment.
Strengths
  • Carbon Black provides an advanced toolset that has broad appeal with organizations that have mature security operations teams consisting of high-caliber and very experienced personnel.
  • Carbon Black’s Cb Defense solution incorporates a blended approach consisting of signatures, ML, software behavior monitoring, process isolation and memory protection, along with exploit prevention.
  • Carbon Black’s updated and streamlined console offers advanced administrators simplified views of threats via visual alerts and triage, resulting in faster detection and response.
  • Carbon Black’s rich set of APIs and broad third-party partner ecosystem provide opportunities for mature SOCs to integrate Carbon Black findings into a diverse set of analysis, workflow and case management solutions.
Cautions
  • Clients that have not yet moved to Carbon Black’s cloud-based EPP and EDR product (Cb Defense) continue to report that they are struggling with the operational complexity of their Carbon Black deployments.
  • Some advanced prevention features such as cloud detonation and hash look-ups require online access to the Carbon Black cloud infrastructure, reducing the effectiveness for devices without a permanent connection to the internet.
  • Carbon Black has not yet integrated its threat hunting module from Cb Response or its application whitelisting capabilities from Cb Protection into its cloud-based platform, so customers that require those features will need separate agents and separate management consoles.
  • Carbon Black continues to be at the premium end of cost per endpoint in terms of cost to acquire and cost to operate, especially if organizations require the EPP and the separate application whitelisting capabilities provided by Cb Protection.
  • Carbon Black has continued to favor private or sponsored malware accuracy and effectiveness tests of its product and has had a poor record of consistent participation in public tests in 2017. Consequently, it is difficult to determine its efficacy versus peers.

Cisco

Cisco’s Advanced Malware Protection (AMP) for Endpoints is a new entrant to this year’s Magic Quadrant. It consists of prevent, detect and respond capabilities deployed as a cloud-managed solution that can be hosted in a public or private cloud.
Cisco’s AMP for Endpoints leverages similar technology to the AMP capabilities on other Cisco devices. Its AMP Cloud technology detects known threats, and uses threat intelligence data from Threat Grid and Talos security researchers for exploit prevention.
Gartner clients rarely shortlist AMP for Endpoints for its technology, usually because they get a strong financial incentive when purchasing other Cisco products. Although a component of AMP for Endpoints is present in VirusTotal’s public interface, it did not participate in public endpoint-focused third-party testing in 2017, which impacts its execution and vision in this assessment.
Cisco’s AMP solution has the most appeal for existing Cisco clients that leverage other Cisco security solutions and aspire to establish security operations around Cisco products.
Strengths
  • The main strength of Cisco AMP is in threat intelligence and exploit prevention as a means of reducing the attack footprint available for compromise.
  • The Cisco AMP agents for Windows and macOS both collect process and usage data, providing EDR coverage and visibility for the most popular devices in enterprises.
  • Cisco offers a broad range of managed services, including SOCs, managed detection and response, active threat hunting, and incident support.
  • Reporting integration and data sharing between AMP and other Cisco security offerings, such as network, firewall, NGIPS, routers, email gateway and web proxies, are improving.
Cautions
  • Cisco is, first and foremost, a network security and hardware vendor, and originally exited the endpoint protection market in 2010 when it discontinued the Cisco Security Agent (CSA) product before gaining the AMP technology through the acquisition of Sourcefire.
  • Advanced malware protection requires access to the Cisco AMP Cloud to perform advanced analysis.
  • While the data provided across the dashboard is relatively comprehensive, the workflow requires multiple clicks to multiple screens to get a full understanding of the state of an endpoint or the issues being caused by malicious software.
  • The Cisco workflow provides limited role-based access, and limited case management capabilities.
  • Cisco’s AMP solution is part of a “better together” product ecosystem. Organizations that do not leverage other Cisco security solutions will realize fewer of the integration benefits, such as intelligence sharing and automated blocking of new threats at all control points.
  • Cisco AMP has not been tested widely in public, independent tests to determine its efficacy versus peers.

Comodo

The Comodo brand is best-known as a digital certificate authority and, in late October, Francisco Partners acquired a majority stake in Comodo’s certificate authority business, with Comodo planning to focus on its endpoint protection strategy.
Comodo Advanced Endpoint Protection (AEP) includes malware protection, a host-based intrusion prevention system (IPS), web filtering, a personal firewall, sandbox analysis, vulnerability analysis and patching, and a 100% classification capability that helps guarantee a good or bad verdict on all executable files. When an executable is untrusted or unknown, it is run in a tightly controlled container to isolate any potentially malicious activity.
Comodo also sells small or midsize business (SMB)-focused web gateways, web application firewalls and mobile device management. Its security products are managed from a central web-based portal that manages service request ticketing and workflow.
Strengths
  • Comodo AEP is best known for its default-deny approach, where unknown applications and executables are wrapped in secure, isolated containers, and known bad applications are blocked.
  • Comodo is showing sales strength and technical scalability as it starts making progress with a handful of global companies with more than 100,000 seats.
  • Comodo provides managed endpoint protection, detection, response and remediation services through integration with the cloud-based IT and Security Manager, and its patch, device, and asset management capabilities.
  • Comodo’s Valkyrie file verdict system is focused on file analysis, and its cloud-based threat intelligence and analysis platform benefits from intelligence gathered from Comodo customers, honeypots, crawlers and partners.
  • Gartner clients report that AEP is easy to deploy and use, and that Comodo implementation support is very responsive. Support for end-of-life OSs (e.g., Windows 2003) is good as well.
Cautions
  • The solution depends on its autocontainment capability to prevent attacks, and detection is limited to known indicators of compromise (IOCs).
  • Gartner clients report that the Linux product is lacking in functionality, with ineffective detection and no central management or monitoring capabilities.
  • According to Gartner clients, it takes too much time to tune the AEP engine to accept custom applications. This is a common scenario with application control.
  • Comodo’s new EDR product, cWatch EDR, is available for free, but has not been proven by organizations using EDR for advanced threat hunting and self-driven threat analysis. Event recording is limited, and detection is mainly based on IOC and indicators of attack (IOA) scanning.
  • cWatch EDR lacks automated remediation and incident response, but some of these capabilities are included in Comodo AEP itself.

CrowdStrike

CrowdStrike made strong progress in 2017 and managed to replace incumbent legacy EPP vendors at large organizations. With 79% of its business in North America, CrowdStrike has deployments in 176 countries and includes some very large organizations with more than 50,000 seats.
CrowdStrike Falcon’s lightweight single agent supports all environments (physical, virtual and cloud) and functions with the same agent and management console for Falcon Prevent protection and Falcon Insight EDR. With its EDR heritage, CrowdStrike records most endpoint events and sends all recorded data to its cloud for analysis and detection. Some prevention is done locally on the agent.
Alongside EPP and EDR capabilities, CrowdStrike offers a complementary service called Falcon OverWatch, at an attractive price point, leading to extremely high adoption among its installed base. Falcon OverWatch provides managed threat hunting, alerting, response and investigation assistance.
Organizations with small or no SOC teams will find the combination of Falcon OverWatch and Falcon Endpoint Protection compelling. CrowdStrike also offers a well-respected breach response service.
Strengths
  • Gartner clients report simple and easy Falcon deployments, in part due to the cloud architecture.
  • Ninety-eight percent of Falcon customers use CrowdStrike’s Falcon OverWatch managed detection and response service, which provides varying levels of service to suit varying customer requirements. If appropriate, CrowdStrike can manage Falcon deployments, incident response and remote remediation services, which is especially attractive to smaller organizations.
  • Falcon uses a range of detection and prevention tools centered around behavioral analytics that essentially implement a “deny malicious behavior” policy. Falcon analytics enable very specific response capabilities, depending on the severity of malicious behavior.
  • CrowdStrike’s cloud-based architecture provides an extensible platform that enables additional security services like IT hygiene, vulnerability assessment and threat intelligence. Its EDR and EPP functionalities are well-integrated.
  • CrowdStrike’s Falcon Insight EDR agent provides parity across Windows, macOS, and Linux systems, providing a solid visibility base for most organizations.
Cautions
  • CrowdStrike does not have an integrated deployment solution, but it does work well with third-party tools.
  • The full product is more expensive than other EPP solutions, but includes the OverWatch service, and covers the costs of cloud data storage for EDR.
  • CrowdStrike Falcon’s protection is greatly enhanced when the agent is connected to the cloud-based Falcon platform, so it is not suitable for air-gapped networks.
  • Like most other EDR platforms, Falcon’s EDR functionality requires skilled technical staff to use, which is why CrowdStrike’s OverWatch service is so popular with customers.
  • Customers report that CrowdStrike’s roadmap is not proactively communicated in a timely manner.

Cylance

Cylance was one of the pioneers in using machine learning to detect file-based malware, but by 2017, most EPP competitors claimed to have added ML capabilities, pressuring Cylance to more aggressively address non-file-based attacks. In late May 2017, Cylance formally launched its EDR product, CylanceOPTICS, which was late to market compared to other vendors, and generally perceived to be lacking in advanced capabilities already available in key competing products.
Eighty-five percent of Cylance’s business is in North America, although the company has about 3,700 customers across the globe, half of which represent organizations with fewer than 500 seats.
CylancePROTECT is cloud-based, with Cylance hosting and managing the console infrastructure directly. The vendor finally started participating in the VirusTotal community in 2017, but has a poor third-party test participation record when compared with established EPP vendors.
Strengths
  • Cylance has a strong OEM business, with over half of its licensed seats sold through its OEM relationships, including Dell. It also launched an MSSP partner program in 2017 and onboarded 70 new MSSPs.
  • Aside from Windows, Cylance supports macOS, Linux and virtual environments.
  • Gartner clients report a good experience, effective customer support, and effective malware and ransomware protection.
  • CylancePROTECT has a small footprint and easy-to-use management console, with low maintenance support requirements.
  • CylancePROTECT runs effectively in offline mode and doesn’t require a connection to the internet to remain effective.
Cautions
  • Administrative functions in Cylance’s management console need to be more fully developed, according to Gartner clients, in order to more easily manage several features, such as device and script control.
  • The aggressive ML capabilities prove very good at detecting new versions of known malware. As with any ML-based technology, however, it can be gamed by malware authors, and Gartner clients report that it can have a high false-positive rate. The lack of cloud-based look-ups hampers the vendor’s ability to quickly resolve false positives, leaving the customer to manage the exclusion of false positives themselves, until the vendor is able to push out a client-side rule update (which it calls Centroids), before ultimately updating the ML model.
  • CylancePROTECT and CylanceOPTICS require two separate agents with two separate installations.
  • EDR functionality does not enable automated rollback. The UI and the data captured in CylanceOPTICS are not robust enough for advanced threat hunting. Its InstaQuery only provides information from devices that are online.
  • Cylance lacks adjacent security applications, such as inventory of installed applications, IT hygiene assessments and vulnerability assessments, but does benefit from API integrations with some SOAR and security information and event management (SIEM) providers.
  • Custom applications, or applications that have not been analyzed by Cylance, may generate false positives, thereby requiring organizations to establish a whitelisting process when they release new builds of the custom application. As previously noted, once the false positive has been analyzed, Cylance’s Centroid technology will push out a new client-side rule update to mitigate the false positives until they are included in the next ML model.

Endgame

Endgame is a new entrant to the Magic Quadrant this year. It is a privately held organization that has evolved from pure EDR for large enterprise and defense organizations, with the addition of prevention capabilities for the broader enterprise market.
Endgame is one of the few vendors in this analysis that sells a single product offering — meaning there are no additional add-ons or purchases — to address protection, detection and response use cases.
Although the platform is missing a number of traditional EPP-related features, like application control or suspicious file quarantining, Endgame scores well in protection capabilities by focusing on the tools, techniques and procedures used by adversaries, rather than simply looking for bad files.
Endgame’s big differentiator is in its investigation and threat hunting capabilities, where natural-language understanding (NLU) queries, such as “Search for PowerShell” and “Find NetTraveler,” allow organizations to make use of advanced detection capabilities without the need for deep experience.
Endgame is a good EPP shortlist candidate for organizations with an existing or emerging SOC where incident investigation and response is a key requirement.
Strengths
  • The platform scales to very large deployments, and still performs fast, real-time investigation actions.
  • It lowers the barrier to entry for advanced capabilities like threat hunting, allowing less experienced security staff to begin, and often complete, investigation work.
  • Endgame has been evaluated against the Mitre ATT&CK matrix, which evaluates where in the kill-chain the product’s capabilities are designed to prevent attacks.
  • Endgame’s platform can function in a fully offline mode, with no internet required.
  • The agent utilizes hardware assistance (called HA-CFI), detecting in-memory exploit attempts by looking for abnormal behavior in the CPU register. However, this detection technology is not available when Endgame is deployed in a virtual environment, reducing the effectiveness to only DBI-based detection on those devices.
Cautions
  • No application control capabilities are provided in the agent.
  • Despite deploying an agent to every endpoint, there is no vulnerability reporting, which leaves a disconnect and creates additional work for both IT operations and security.
  • Files cannot be temporarily quarantined, and are deleted if they are deemed malicious; however, false positives can be recovered and restored from the management console as samples are collected for further analysis.
  • There is currently no macOS agent for protection or EDR, leaving a gap in visibility for most organizations.

ESET

ESET has a strong EPP market share among SMBs to large enterprises, providing solid protection with a lightweight agent. But it still manages to provide a large protection stack, including a host-based intrusion prevention system (HIPS), ML, exploit prevention, detection of in-memory attacks and ransomware behavior detection.
ESET recently launched an additional platform for EDR capabilities, called Enterprise Inspector. Customers with experienced security staff will be able to inspect and modify the detection rules within Enterprise Inspector, and further tailor them to their unique requirements.
ESET has significant security community mind share through published research, disruption of organized crime and its WeLiveSecurity website. The vendor’s completeness of vision is impacted in this assessment by its limited cloud management capabilities, and the relative lateness of its EDR capabilities.
ESET has localized support in 35 languages, which means it is an attractive choice for globally distributed organizations. Its protection capabilities make it a solid shortlist candidate for any organization.
Strengths
  • Despite the low overhead from its lightweight client, ESET’s anti-malware engine remains a consistently solid performer in test results, with a strong protection stack.
  • ESET has a comprehensive set of capabilities that incorporate operational IT into the protection and detection stack.
  • Managed EDR features delivering threat hunting and attack detection were recently made available to customers.
  • Customers can take advantage of free implementation services in some countries, reducing the burden of migrating from another vendor.
Cautions
  • Cloud-based management options are limited to Microsoft Azure or Amazon Web Services (AWS) instances, rather than a true SaaS platform. These instances can be customer self-managed, managed by a managed service provider partner or managed by ESET for North American customers.
  • Although ESET’s endpoint agent implements exploit prevention and in-memory scanning for attacks, there is no vulnerability discovery or reporting capability. These capabilities are supplied through ESET’s partner ecosystem.
  • ESET does not include application whitelisting or system lock-down capabilities in its endpoint agent; instead, applications and executables are blacklisted by file hash or through HIPS control policies.
  • The ESET macOS agent does not support real-time IOC search and does not integrate with EDR, leaving a visibility gap for many organizations.
  • The role-based administration within ESET Enterprise Inspector only allows two user modes (administrator and end user), meaning larger organizations with defined escalation paths may find implementation challenging, due to the lack of case and incident management workflow within Enterprise Inspector.

FireEye

FireEye, a new entrant to this Magic Quadrant, is a security suite vendor that provides email, web, network, endpoint security and threat intelligence, which are managed in the new Helix security operations platform launched in April 2017.
FireEye revenue from its HX Series endpoint security product is a relatively small portion of the vendor’s overall business. The HX management console is deployed through the cloud or as a virtual or on-premises hardware appliance that supports up to 100,000 endpoints. FireEye’s HX endpoint security agent is installed on 9 million endpoints globally, with over 70% of customers in North America and 15% in EMEA. FireEye’s appeal to Gartner clients is as a security suite and not as a best-of-breed endpoint security vendor.
FireEye Endpoint Security 4.0 shipped in late September 2017; therefore, market response to FireEye’s endpoint protection capabilities was limited during this research period. FireEye met the inclusion criteria by participating in its only public third-party test in late 2017, which impacts both vision and execution in this assessment.
Strengths
  • In 2017, FireEye HX added support for macOS and Linux hosts, cloud and hybrid management; bolstered prevention via an OEM signature-based AV component; and increased behavior analysis and exploit prevention.
  • HX customers that use Helix have 30 days of endpoint data stored in the cloud by default, and this can be configured for up to one year’s worth.
  • HX benefits from threat intelligence from Mandiant’s breach investigation team and iSIGHT Threat Intelligence service, as well as from FireEye products’ shared threat indicators.
  • FireEye offers a global managed detection and response service, FireEye as a Service, to help clients that are short on resources.
Cautions
  • Most of the EDR data is stored on the endpoint, with a subset stored on the HX server and, if enabled, in the cloud with FireEye Helix. Incident responders may not be able to perform a full root cause analysis involving compromised endpoints that are offline, or, as in the case of ransomware, have had their data encrypted.
  • A few Gartner clients report that HX produces high false-positive rates when the product is first implemented.
  • FireEye’s cloud-based management offering was new in 2017, and uptake was small at the time of this research.
  • Manual remediation capabilities are restricted to endpoint containment, and there is no support for automated configuration rollbacks or file restoration.
  • At the time of this research, FireEye HX has not been tested widely in public, independent tests to determine its efficacy versus peers.

Fortinet

Fortinet is a network security suite vendor that sells enterprise firewalls, email security, sandbox, web application firewalls and a few other products, including its FortiClient endpoint security software. The vendor is a new entrant to this Magic Quadrant. FortiClient is not well-known to most Gartner clients inquiring about endpoint security, and we see little adoption of it outside of Fortinet’s client base. FortiClient is becoming more focused on the enterprise space, but its current installed base is mostly in the SMB space, and about half of its customers have fewer than 1,000 seats installed.
In 2017, FortiClient generated less than 1% of the vendor’s revenue. Its track record of endpoint-focused third-party testing is poor, and this impacts its execution and vision in this assessment.
Strengths
  • The FortiClient EPP agent has four customizable modules that include components designed to work in conjunction with Fortinet products, including FortiGate (firewall), FortiSandbox, FortiMail, FortiWeb and others. It can be a good choice if an organization wants to consolidate its solutions with a network security suite vendor, rather than take a best-of-breed approach.
  • FortiClient is easy to deploy and easy to manage.
  • Patch management is part of the FortiClient application, which also benefits from FortiGuard Labs global threat intelligence and native integration with its sandbox.
  • FortiClient quarantines objects and kills processes in real time using client-side analysis and, if present, based on the FortiSandbox verdict.
  • Fortinet’s FortiGate firewall is a Leader in Gartner’s Magic Quadrant for Enterprise Network Firewalls, enabling the vendor to leverage its good reputation to sell its FortiClient EPP application.
Cautions
  • Along with the lack of independent, third-party testing to validate the accuracy and effectiveness, Gartner clients report that FortiClient needs to improve on the malware protection it affords.
  • The management console needs to be more customizable, according to Gartner clients.
  • FortiClient, together with FortiSandbox, provides only partial EDR coverage. Full EDR recording is not provided.
  • Although FortiClient includes a signatureless anti-exploit engine, the primary malware protection engine is based on rules and signatures. As such, it has more difficulty detecting unknown malicious operations and malware and zero-day attacks without the other components of Fortinet’s Advanced Threat Protection solution.
  • As a successful network security suite vendor, Fortinet is likely to continue focusing its R&D efforts on the interactions and interdependencies of its various suite modules. Without a focus on the EPP market, FortiClient is likely to be slow to develop into a complete and self-contained endpoint protection solution.

F-Secure

In 2017, F-Secure continued with its long track record for high-accuracy, lightweight and low-impact anti-malware detection with its cloud-based F-Secure Protection Service for Business (PSB) offering and on-premises solution F-Secure Business Suite. F-Secure added an integrated password manager with password protection capabilities and improved device control management to PSB and Business Suite. F-Secure also added ML capabilities to its Rapid Detection Service, which is its managed EDR solution.
Over the past 12 months, F-Secure further enhanced its product deployment and management capabilities, making it a good choice for larger, more complex enterprises.
F-Secure is focusing its investments in its managed service offerings, and has added product enhancements with a specific focus on preventing ransomware attacks.
Strengths
  • F-Secure is unique in that it works with a very rapid iteration, agile development process, with a release update every two weeks. This small update approach allows it to automate much of the agent update process, and adapt rapidly to new threats and attack techniques.
  • F-Secure has consistently good malware test results and performance tests. It includes cloud-based file intelligence look-ups and a virtual sandbox for malicious behavior detection.
  • DataGuard, a new ransomware protection capability, provides advanced protection of sensitive local and network folders by preventing modification, tampering or encryption by unauthorized applications and users.
  • Patch management capabilities are integrated in the endpoint client (on-premises and cloud) and offer automation capabilities via the management console to keep endpoints up to date. This reduces the complexities associated with traditional distinct patching processes.
  • Clients report that F-Secure’s Rapid Detection Service provides strong security specialist review, analysis and response capabilities.
  • Clients report that the F-Secure EPP solution is easy to deploy and maintain.
Cautions
  • F-Secure’s EDR offering is still evolving, and is primarily designed as a managed service called Rapid Detection Service. Organizations looking for a hands-on investigation tool will notice missing features in the current version that are found in competitive offerings, such as global process and application inventory.
  • While sales are strong in Northern Europe and the Asia/Pacific region and Japan, global organizations should review their local vendor coverage and support options to ensure that F-Secure or their chosen reseller will be able to adequately service the needs of their account.
  • F-Secure has a healthy focus on malware detection effectiveness, but it has not delivered some common protection and detection techniques available in most competitive solutions. There is no application control, application whitelisting or network-based malware sandboxing capability. This reduces the appeal of F-Secure to organizations looking for a broad baseline of protection capabilities.
  • Despite a strong brand name, the majority of F-Secure clients are sub-5,000 seats, and it is unclear how well the cloud management and investigation platform scales for larger organizations.

Kaspersky Lab

Kaspersky Lab’s “built not bought” approach has provided good integration and allows for a strong approach to managed services. The vendor is late to market with EDR capabilities, and has no vendor-managed, SaaS-type cloud-based management options for organizations with more than 1,000 endpoints to manage.
The vendor’s research team makes up one-third of the organization, and is well-known for its accurate malware detection and in-depth investigation and analysis of many sophisticated attacks.
Kaspersky Lab has been the subject of media scrutiny, citing unnamed intelligence sources, claiming that Kaspersky’s software was being used by the Russian government to access sensitive information.
While the U.S. government has issued a ban on the use of Kaspersky software by government agencies, the U.S. government has not given any evidence that Kaspersky software has been used by the Russian government to gain sensitive information. It has also not demonstrated that Kaspersky software is more vulnerable (technical or otherwise) than any other vendors’ antivirus software. Kaspersky filed an appeal in U.S. federal court in late 2017, asking that the government ban be overturned.
From a technology and malware prevention perspective, Kaspersky Lab remains a good candidate as a solution for any organization that is not constrained by U.S. government recommendations. Despite the media stories surrounding Kaspersky Lab, it continues to grow its endpoint presence globally.
Strengths
  • Kaspersky Lab is a consistent top performer in public, third-party AV tests.
  • The Kaspersky agent and management console provide detailed vulnerability reporting and prioritization, and the ability to automate the deployment of patches.
  • A semiautomated IOC search within the new EDR capabilities can take advantage of open IOC format files, making initial threat assessments fast and repeatable.
  • Kaspersky Managed Protection and Targeted Attack Discovery are fully managed threat detection services that will be attractive to organizations without a dedicated SOC.
  • Kaspersky R&D continues to publish more public reports on sophisticated attacks and threat actor investigations than any other vendor.
Cautions
  • Gartner clients report that the management console, Kaspersky Security Center, can appear complex and overwhelming, especially when compared to the fluid, user-centric design of newer EPP and EDR vendor management consoles.
  • The mainstream EDR capabilities were introduced into the Kaspersky Anti Targeted Attack Platform in late 2017, one of the last vendors to begin adding these features.
  • The EDR investigation lacks step-by-step, guided investigations for less experienced organizations, but Kaspersky Lab can provide training on using its products for advanced topics like digital forensics, malware analysis and incident response.
  • The Kaspersky Endpoint Security Cloud — a cloud-based management solution — is currently available only for SMB customers. Larger organizations looking for cloud-based management must deploy and maintain the management server in AWS or Azure.

Malwarebytes

Malwarebytes continues to gain momentum, drawing on its experience as the incident response tool of choice for organizations of all sizes, and has doubled its seat count in the past 12 months.
In 2017, Malwarebytes delivered cloud-based management, and added mainstream and advanced EDR capabilities to its single agent, which includes the breach remediation tools for remediating infections. It is one of the few vendors in this space that can roll back the changes made by ransomware, including restoring files that were encrypted in the attack. This ransomware remediation can be performed remotely from the cloud management console up to 72 hours after the attack, without the need for any local access to an endpoint.
For organizations with small IT or security teams, Malwarebytes provides strong protection capabilities and some advanced EDR capabilities, all at an attractive price point. For larger organizations, or organizations with a mature security team, there are some missing enterprise features that make it a challenge to incorporate into an existing SOC workflow.
Strengths
  • The new EDR module included in Malwarebytes’ cloud-based platform provides advanced investigation capabilities that are rarely seen outside of a dedicated EDR tool. For example, the Active Response shell provides remote access to interact with processes, view and modify the registry, send and receive files, and run commands and scripts remotely.
  • Ransomware rollback can be initiated remotely, including file recovery.
  • Malwarebytes offers application hardening and exploit mitigation, anomaly detection, ML, and behavior monitoring and blocking.
  • With the exception of EDR and investigation, Malwarebytes does not require an internet connection to provide threat protection. Organizations with untethered endpoints and no network connectivity will, therefore, continue to have the full protection.
  • The Malwarebytes endpoint agent can be orchestrated by workflows and triggers in enterprise-scale platforms such as IBM BigFix, Tanium, Phantom, ForeScout and SCCM.
Cautions
  • The cloud-based management is lacking in visual reporting and quick-view dashboards. Customers report that the workflow for finding and responding to alerts is inefficient.
  • Although the endpoint agent implements strong protection against exploits, there are no vulnerability discovery or reporting capabilities within the Malwarebytes administration console.
  • There are no role-based access controls or directory-based access controls available for the management console. Larger organizations may find the lack of case and incident management workflow a challenge.
  • The Malwarebytes macOS agent does not report EDR data, leaving a visibility gap for most organizations.

McAfee

Intel completed the sale of 51% of McAfee to TPG in April 2017 and, as a stand-alone company, McAfee hopes it can now refocus its efforts on the core aspect of its business: endpoint protection.
McAfee remains one of the top three incumbent EPP vendors by market share, and its execution issues over the past three years make it the top competitive target for displacement by other vendors in the EPP Magic Quadrant. Specifically, Endpoint Security (ENS) version 10.x (v.10.x) upgrades remained a very challenging adoption cycle for most McAfee clients. While the feature set and protection capabilities included in the most recent release are quite compelling, and public test scores have improved over the past year, McAfee’s execution assessment is hampered by organizations continuing to be hesitant to adopt the latest version, leaving them vulnerable to commodity malware as well as more advanced threats. Gartner client inquiry data identified McAfee as the single most-quoted EPP vendor that clients were planning to replace. Customer satisfaction scores were low again for 2017.
McAfee’s ePolicy Orchestrator (ePO) continues to be the most quoted reason for clients initially adopting McAfee solutions in their environment, or for retaining McAfee over their contract terms and subsequent renewals. However, disenchantment with the EPP product is quickly eroding the perceived value of ePO, in favor of vendors with cloud-based EPP management.
Strengths
  • McAfee’s investment in developing an EDR solution has resulted in an offering with a useful feature set.
  • ePO provides a common administrative platform for all of McAfee’s offerings and integrates with over 130 third-party applications. McAfee also offers a cloud-based ePO.
  • Available in McAfee’s advanced endpoint suites, Dynamic Application Containment (DAC) provides behavior-based containment/isolation of untrusted applications using McAfee Global Threat Intelligence data.
  • McAfee has the optional Threat Intelligence Exchange (TIE) and Data Exchange Layer (DXL) to share local object reputation information across both network and endpoint products. TIE is also part of the new common endpoint framework.
Cautions
  • Although adoption of ENS v.10.x versions has seen significant acceleration over the past year, a large number of McAfee’s clients remain on v.8.8, resulting in client questions about McAfee’s resellers’ and system integrators’ commitment to the upgrade, and the viability and effectiveness of the platform overall.
  • The vendor reports that most McAfee customers are actively engaged with ENS, but many Gartner clients still running v.8.8 were still not aware that they are entitled to move to a newer version, despite having renewed their contract within the last 12 to 24 months.
  • Although McAfee was among the first of the traditional EPP vendors to provide EDR capabilities, it remains in the early stages of customer adoption when compared to other vendors.
  • The most common customer complaints continue to be with the effectiveness of the older multiple-agent architecture in v.8.8, and its impact on deployment complexity and performance. Client inquiries reveal that many clients are not actively planning a migration process to the updated platform, and are looking for alternative vendors.
  • Clients that complete the upgrade to ENS v.10.x report only modest performance improvements over the previous v.8.8 client.

Microsoft

Microsoft is unique in the EPP space, as it is the only vendor with the capacity to embed protection features directly into the OS. It has used this advantage to step up its efforts in security with Windows 10 features, improvements to Windows Defender (also known as System Center Endpoint Protection), the addition of Windows Defender Advanced Threat Protection and Windows Defender Security Center.
Windows 10 OS-level features and capabilities available with Windows Enterprise E3 and E5, such as Application Guard, AppLocker, Secure Boot, Device Guard, Exploit Guard, Advanced Threat Protection (ATP) and Credential Guard, significantly improve protection against current common threats. However, these protections are not as integrated in previous OS versions.
Overall, Microsoft now provides a broad range of security protections that address a wide spectrum of threats across endpoint, Office 365 and email. The comprehensive solution set will resonate with most organizations’ security requirements, provided their budget stretches to the higher-tier, E5-level subscription.
Microsoft has become the most-asked-about vendor during EPP-related Gartner client inquiry calls, and there is significant interest in using the security capabilities in Windows 10 to reduce security spend with other vendors.
Strengths
  • Over the past two years, Microsoft has made steady improvements in the security solutions available as part of Windows 10. A deployment of Windows Defender with Defender ATP can be considered directly competitive with some of the EPP solutions available from other vendors noted in this research.
  • Windows Defender provides file-based protection using signatures and heuristics, along with cloud look-ups to detect newer malware. The cloud look-up and cloud-based ML has dramatically improved Microsoft’s detection accuracy in test results. Defender in Windows 10 will step up to protect clients automatically if a third-party EPP engine fails, is out of date or is disabled.
  • Microsoft’s EDR solution, Defender ATP, leverages Microsoft’s own Azure infrastructure offering to store six months of endpoint data at no extra charge.
  • Microsoft’s Windows Security Research Team benefits from a vast installation of over 1 billion consumer endpoint versions of the antivirus engine and its online system-check utilities, which provide a petri dish of malware samples and IOAs.
Cautions
  • The biggest challenge continues to be the scattered security controls, management servers, reporting engines and dashboards. Microsoft is beginning to center its future management and reporting around the Windows Defender Security Center platform, which is the management interface for the whole Windows Defender suite, including ATP. Microsoft Intune is replacing System Center as the primary management tool.
  • To access advanced security capabilities, organizations need to sign up for the E5 tier subscription, which clients report as being more expensive than competitive EPP and EDR offerings, reducing the solution set’s overall appeal.
  • Microsoft relies on third-party vendors to provide malware prevention, EDR and other functionality on non-Windows platforms, which may lead to disparate visibility and remediation capabilities and additional operational complexities.
  • The advanced security capabilities are only available when organizations migrate to Windows 10. It does much less to address all other Windows platforms currently in operation.

Palo Alto Networks

Palo Alto Networks is still best-known to Gartner clients for its next-generation firewall (NGFW) product line, and this continues to be the main line of introduction to Palo Alto Networks Traps for Gartner clients.
Traps uses a stack of nonsignature detection capabilities, such as ML, static and dynamic analysis, as well as monitoring processes and applications as they are spawned for suspicious activity and events. Suspect files from the endpoint can be tested by Palo Alto Networks WildFire, its cloud-based threat analysis and malware sandboxing platform, which is included with a Traps subscription.
Palo Alto Networks acquired LightCyber in 2017; its behavioral-based analytics technology provides automated detection of suspicious user and entity activity indicative of malware. Traps without LightCyber currently offers limited EDR capabilities, which impacts its execution and vision evaluation in this assessment.
Gartner clients will find Palo Alto Networks Traps most appealing when it can integrate with an existing Palo Alto Networks NGFW deployment.
Strengths
  • Organizations with existing Palo Alto Networks NGFW devices will be good candidates for an integrated deployment.
  • Traps does not rely on signature updates, and although it does use the WildFire platform to perform fast look-ups by file hash, it is able to block malware/ransomware when offline or disconnected from the internet.
  • Traps provides solid exploit prevention and mitigation, which is useful for organizations with a difficult patch management process.
  • There are strong integrations with orchestration and SOC automation vendors such as Splunk, ServiceNow and Phantom.
Cautions
  • There is currently no cloud-based management option; customers must use an on-premises management server.
  • While Traps collects endpoint forensics data, it does not provide any response capabilities or post-event remediation tools. Organizations that do not use a Palo Alto Networks NGFW will need to take a multivendor approach to gain these capabilities.
  • Traps lacks EDR capabilities beyond simple IOC searching, making investigation hard without an additional product.
  • Palo Alto Networks acquired LightCyber in early 2017, but has not yet used the technology to improve the limited detection and response capabilities in Traps.
  • Traps displayed a high rate of false positives in AV-TEST testing between August and October 2017.

Panda Security

Panda Security’s unique value proposition is the classification or attestation of every single executable file and process on a protected endpoint device, and it is the only vendor to include a managed threat hunting service in the base purchase of its EPP. Adaptive Defense 360 is fully cloud managed, and combines EPP and EDR into a single offering and single agent.
The attestation service implements an automatic application whitelisting model, where only trusted and approved applications and processes are able to execute. By offloading the classification and authorization process to the vendor, organizations will have a much better deployment success rate than trying to deploy a manual application control solution.
Panda Security’s cloud-first approach, and the managed services backing the EPP and EDR capabilities, are beginning to increase brand awareness outside of Europe.
Organizations without experienced security staff will find Panda Security a good shortlist candidate for an EPP solution, as will organizations considering managed detection and response solutions that are prepared to replace their incumbent EPP vendor.
Strengths
  • The 100% attestation service can drastically reduce the threat surface of endpoints.
  • Due to the classification of all executable processes, Panda Security is able to provide detailed information on vulnerable versions of applications that are present in the environment.
  • Panda Security’s Adaptive Defense platform was one of the first to combine endpoint protection features with managed EDR capabilities.
  • The price point is extremely attractive when buyers consider the capabilities and managed services that are included.
Cautions
  • The macOS agent is limited to signature-based malware detection, and does not integrate with EDR capabilities, leaving a visibility gap for many organizations.
  • Mind share is still weak across the EPP marketplace, which results in limited RFI/RFP presence within the Gartner client base.
  • File and process classification requires access to Panda’s cloud platform. Administrators will need to decide the impact this has on an endpoint without internet access: either running unclassified executables (albeit scanned and monitored for known IOAs) or blocking them until connectivity to Panda is restored.
  • An application control and application whitelisting approach is not suitable for all types of user roles. For example, developers who regularly run and test new software builds locally will need exceptions, and adding exceptions will reduce the overall security benefit of this approach.

SentinelOne

SentinelOne is a part of the new wave of EPP solution providers that have experienced fast growth over the past few years. The cloud-based solution is designed around fully embedded EDR and behavioral protection. SentinelOne was one of the first vendors to offer a ransomware protection guarantee based on its behavioral detection and file journaling features. In 2017, SentinelOne struggled to maintain its mind share and share-of-voice in a crowded market, which impacts the marketing-related assessment criteria across both vision and execution. However, the vendor continued to sign on a broad range of partners and resellers.
SentinelOne is a good prospect to replace or augment existing EPP solutions for any organization looking for a solution with strong protection and visibility.
Strengths
  • SentinelOne’s single agent design provides fully integrated file and advanced behavioral anti-malware, based on its EDR functionality.
  • The management console, including full EDR event recording, can be deployed as cloud-based or an on-premises or hybrid approach, easing installation and increasing scalability.
  • SentinelOne offers endpoint visibility (Windows, Linux, macOS and VDI) for investigative information in real time, and an API to integrate common-format, IOC-based threat feeds.
  • SentinelOne leverages volume shadow copy snapshots to return an endpoint to a previously known good state.
Cautions
  • The most significant challenge that SentinelOne faced in 2017 was the churn in staff roles across product, sales, marketing, and other internal and client-facing groups. Gartner clients reported inconsistent interactions with SentinelOne throughout the year. This negatively impacts its execution and vision in this assessment.
  • SentinelOne does not offer application whitelisting or leverage the use of sandboxing for suspicious file analysis (local, network or cloud).
  • While SentinelOne offers broad platform support, not all platforms provide the same level of capabilities or response options, which can lead to disparities in overall protection and workflow.
  • Larger organizations with advanced SOCs will find the management console lacking in visibility and workflow capabilities.

Sophos

In March 2017, Sophos acquired Invincea — a Visionary vendor in the 2017 Magic Quadrant for Endpoint Protection Platforms — giving Sophos access to its deep learning ML algorithms.
The Sophos Intercept X product, designed to protect against and recover from the malicious actions related to ransomware and exploits, proved popular with both existing Sophos Endpoint Protection customers and as an augmentation to an incumbent EPP. This momentum continued its increased brand awareness in the enterprise space.
Also included in the Intercept X purchase are Sophos’ EDR-like capabilities — called Root Cause Analysis — and the ML malware detection technology from the acquisition of Invincea was added in late 2017.
Sophos’ cloud-based EPP with the Intercept X platform is a good fit for organizations that can take advantage of a cloud-based administration platform, and that value strong protection against ransomware and exploit-based attacks over advanced forensic investigation capabilities.
Strengths
  • Intercept X clients report strong confidence in not only protecting against most ransomware, but also the ability to roll back the changes made by a ransomware process that escapes protection.
  • Intercept X is available as a stand-alone agent for organizations that are unable to fully migrate from their incumbent EPP vendor.
  • The exploit prevention capabilities focus on the tools, techniques and procedures that are common in many modern attacks, such as credential theft through Mimikatz.
  • The Sophos Central cloud-based administration console can also manage other aspects of the vendor’s security platform, from a single console, including disk encryption, server protection, firewall, email and web gateways.
  • Root Cause Analysis provides a simple workflow for case management and investigation for suspicious or malicious events.
  • Root Cause Analysis capabilities are available on macOS, along with protection against cryptographic malware.
Cautions
  • Although we credited Sophos for a cloud-first approach last year, it has now made parts of Intercept X available for on-premises customers. This is likely to hamper cloud adoption and extend the time that Sophos manages and maintains separate protection stacks.
  • Root Cause Analysis is not available in Intercept X for clients that use the on-premises version of Sophos Endpoint Protection.
  • Sophos’ primary improvement was the integration of Invincea’s deep learning technology. Beyond that, there has been little in the way of enhancements to the EDR capabilities of the Sophos Endpoint Protection platform in the last 12 months.
  • Sophos does not provide vulnerability reporting; rather, it relies on its mitigation and blocking technologies, so organizations will need to find other ways to prioritize their patch management program.

Symantec

The divestiture of the Veritas business in January 2016 and the acquisition of Blue Coat in August 2016 provided a new executive team with leadership and vision that has refocused the vendor and resulted in an improved execution score in this analysis. In 2017, Symantec successfully released product updates for its traditional products with enhancements and new capabilities, such as deception technologies. In the EDR space, Symantec is the most successful of the traditional EPP vendors, where the Advanced Threat Protection (ATP) product uses the same agent as Symantec Endpoint Protection (SEP).
Throughout 2017, Symantec continued to be the leading vendor mentioned by other vendors as their main competition. Symantec continues to generate growth and increased revenue in both the consumer and enterprise businesses (roughly evenly split 50/50). It continues to lead the market in EPP revenue and market share.
Symantec continues to provide one of the most comprehensive EPPs available in this market, with third-party test scores remaining in the top tier, and has added advanced features to better address the changing threat landscape, becoming the first vendor to combine malware protection, EDR, system hardening and deception capabilities in a single agent.
Symantec has begun the process of migrating its offerings to a cloud-first model, with a hybrid option available to clients that prefer to maintain some of the management capabilities on-premises.
Strengths
  • Symantec seems to have finally found a stable footing with its management team bringing stability across the company.
  • SEP 14 and, most recently, SEP 14.1 have proven to be very stable and efficient on resources. Clients report that the addition of ML and other advanced anti-malware capabilities have improved threat and malicious software detection, and containment.
  • Symantec ATP, its EDR-focused solution, provides good capabilities for detection and response, and existing SEP customers will benefit from its use of the existing SEP agent.
  • Symantec has started to embrace a cloud-first strategy with the introduction of its latest product updates, including SEP Cloud and EDR Cloud, which provide a cloud-based console with feature parity to the on-premises management console.
  • Symantec’s broad deployment across a very large deployment population of both consumer and business endpoints provides it with a very wide view into the threat landscape across many verticals.
Cautions
  • When compared with other vendors in the EPP market, Symantec is still perceived as more complex and resource-intensive to manage.
  • Although Symantec has gained strong traction with its EDR components, the vendor struggles to effectively message the benefits of its single agent approach. Many Gartner clients that use SEP and desire EDR capabilities are initially unaware of the availability of Symantec ATP.
  • Symantec offers a full managed service and managed SOC, which are only attractive when an organization wishes to offload its entire SIEM capability to the vendor. The larger scope of its Managed Security Services (MSS) is expensive when compared to other options from newer vendors that focus on a narrower set of services or features.
  • Symantec customers continue to report inconsistent support experience, even when large organizations are provided with dedicated support personnel. Symantec customers also reported poor client/account manager communication.

Trend Micro

Trend Micro is the third-largest vendor in the EPP market, with products ranging across network, data center and endpoint systems. It has a large worldwide footprint, with more than half of the business coming from Japan and the Americas.
Although the vendor has had a rather unremarkable year from a technology innovation perspective, it ticks boxes for mainstream EPP requirements, particularly for those looking for a comprehensive suite of solutions at an affordable price. Unlike the more visionary participants in this Magic Quadrant, Trend Micro’s EDR solution is delivered as a separate agent to the EPP solution. And while it integrates with additional on-premises products like the Deep Discovery sandbox, it lacks integration with its cloud sandbox, and cannot be managed from Trend Micro’s cloud platform.
One of Trend Micro’s biggest advantages is the vulnerability assessment and virtual patching technology, which uses an IPS engine to detect vulnerabilities, and uses HIPS to create a virtual patch to block the exploitation.
Trend Micro remains a good shortlist candidate for organizations of all sizes.
Strengths
  • Trend Micro participates in a wide range of third-party tests, with good results overall, and the OfficeScan client delivers functionality that other traditional vendors provide in their separate EDR add-on, such as IOA-driven behavioral detection.
  • The virtual patching capabilities can reduce pressure on IT operational teams, allowing them to adhere to a strategic patch management strategy without compromising on security.
  • For customers looking for a single strategic vendor, Trend Micro has strong integration across the endpoint, gateway and network solutions to enable real-time policy updates and posture adjustments.
  • Trend Micro offers managed detection and response services, in its Advanced Threat Assessment Service, to augment the technology with expert analysis and best practices.
Cautions
  • EPP and advanced EDR capabilities such as process visualization for investigation and threat hunting are delivered by separate agents.
  • Although the cloud management and on-premises management consoles for the OfficeScan EPP agent are identical, some organizations may need to continue with on-premises management if they wish to use functions beyond the base EPP, such as EDR.
  • Although more than 50% of its installed base is running the latest product release, a number of Trend Micro customers reporting poor malware detection told Gartner they were unaware of the availability of new products or new capabilities. This is not unique to Trend Micro; it is common across the larger, traditional vendors.
  • There is no macOS support for EDR, leaving a visibility gap for most organizations.

Vendors Added and Dropped

We review and adjust our inclusion criteria for Magic Quadrants as markets change. As a result of these adjustments, the mix of vendors in any Magic Quadrant may change over time. A vendor’s appearance in a Magic Quadrant one year and not the next does not necessarily indicate that we have changed our opinion of that vendor. It may be a reflection of a change in the market and, therefore, changed evaluation criteria, or of a change of focus by that vendor.

Added

  • Cisco (AMP for Endpoints)
  • Endgame
  • Fortinet (FortiClient)
  • FireEye (HX Series and Helix)

Dropped

The following vendors appeared in the 2017 Gartner Magic Quadrant for Endpoint Protection Platforms but were not included in this research, due to their specific focus on single segments:
  • 360 Enterprise Security Group. One of the best-known brands of endpoint security in China, 360 Enterprise Security Group provides endpoint protection and other security suite solutions — including web gateway, data loss prevention, and mobile threat defense — that are compliant with Chinese government policy and are good choices for organizations based in China.
  • AhnLab. With a very large SMB installed base within South Korea, and serving some very large enterprises, AhnLab focuses on the Korean, Japanese, Chinese and other Asia/Pacific markets with endpoint protection, mobile security and data loss prevention.
  • G Data Software. G Data Software is a popular vendor in the DACH region (Germany, Switzerland and Austria) that offers a suite of solutions including endpoint, web gateway and email. Its location and compliance with German data protection regulations provide a “No Backdoor Guarantee” for its solution, and the processing of telemetry takes place solely in Germany. Customers report reliable, local-language customer service as a key part of their purchasing decision.
  • Webroot. Webroot primarily focuses on delivering capabilities to managed service providers and channel partners, which use Webroot as part of a managed service offering including endpoint security, network security, security awareness training and threat intelligence services. Webroot’s technology is embedded in a number of other security vendors’ solutions.

Inclusion and Exclusion Criteria

Inclusion in this Magic Quadrant was limited to vendors that met these minimum criteria:
  • The majority of detection events must be from the vendor’s own detection technique, and designed, owned and maintained by the vendor itself. Augmenting with an OEM engine is acceptable, provided it is not the primary method of detection.
  • The vendor’s nonconsumer EPP must have participated in independent, well-known, public tests for accuracy and effectiveness within the 12 months prior to 18 November 2017, or be a current participant in the VirusTotal public interface. Examples include Virus Bulletin, AV-TEST, AV-Comparatives, NSS Labs and SE Labs.
  • The vendor must have more than five named accounts larger than 10,000 seats that use the vendor’s EPP as their sole EPP.
  • The vendor must have a minimum of 500,000 deployed licenses, protecting nonconsumer endpoints, with at least 50,000 of those licenses protecting nonconsumer endpoints within North America.
  • The vendor must satisfy at least 12 of the following “Basic” capabilities, and at least four of the following “Desirable” capabilities:
    • Basic capabilities:
      • Blocks known and unknown file-based malware, without relying on daily signature distribution
      • Detects suspicious and malicious activity based on the behavior of a process
      • Implements protection for common application vulnerabilities and memory exploit techniques
      • Can perform static, on-demand malware detection scans of folders, drives or devices such as USB drives
      • Suspicious event data can be stored in a centralized location, for retrospective IOC/IOA searching/analysis
      • Allows real-time IOC/IOA searching across all endpoints (e.g., file hash, source/destination IP, registry key)
      • Allows remote quarantining of an endpoint, restricting network access to only the EPP management server
      • Automatically updates policies, controls, and new agent/engine versions without connecting directly to the corporate network
      • Continues to collect suspicious event data when outside of the corporate network
      • Detections and alerts include severity and confidence indicators, to aid in prioritization
      • Provides risk-prioritized views based on confidence of the verdict and severity of the incident
      • Displays full process tree, to identify how processes were spawned, for an actionable root cause analysis
      • Automatically quarantines malicious files
      • Identifies changes made by malware, and provides the recommended remediation steps
      • Detects, blocks, and reports attempts to disable or remove the EPP agent
    • Desirable capabilities:
      • Primary EPP console uses a cloud-based, SaaS-style, multitenant infrastructure, and is operated, managed and maintained by the vendor
      • Implements vulnerability shielding (aka virtual patching) for known vulnerabilities in the OS and for non-OS applications
      • Can implement default-deny whitelisting with a vendor-maintained “app store”-type approach, and user self-service features
      • Can implement application isolation, to separate untrusted applications from the rest of the system
      • Includes access to a cloud or network-based sandbox that is VM-evasion-aware
      • Includes deception capabilities designed to expose an attacker
      • Vendor itself offers managed detection services, alerting customers to suspicious activity
      • Vendor itself offers managed threat hunting, or managed IOC/IOA searching, for detecting the existence of threats (not via third party or channel)
      • Supports advanced natural-language queries with operators and thresholds (e.g., “Show all machines with new PE >1 week old AND on <2% of Machines OR Unknown”)
      • Provides guided analysis and remediation based on intelligence gathered by the vendor (e.g., “85% of organizations follow these steps”)
      • Provides attribution information and potential motivations behind attacks
      • Can utilize third-party, community and intelligence feeds
      • Allows remote remediation via the management console
      • Includes APIs for integration with SOAR/orchestration for automation

Evaluation Criteria

Ability to Execute

The key Ability to Execute criteria used to evaluate vendors were Product or Service, Overall Viability and Market Responsiveness/Record. The following criteria were evaluated for their contributions to the vertical dimension of the Magic Quadrant:
  • Product or Service: We evaluated the protection and capabilities of the product used by the majority of a vendor’s installed base, and the ability of the vendor to provide timely improvements to its customers.
  • Overall Viability: This includes an assessment of the financial resources of the company as a whole, moderated by how strategic the EPP business is to the overall company.
  • Sales Execution/Pricing: We evaluated vendors based on satisfaction with their technical training, sales incentives, marketing and product quality, and on their price and packaging strategy relative to other vendors in the market.
  • Market Responsiveness/Record: We evaluated vendors by their market share in total customer seats under license, and their performance relative to the market and other vendors.
  • Marketing Execution: We evaluated vendors based on self-reported growth rates in seats under license as a percentage of overall new seat growth for the market, and on the execution of marketing initiatives driving brand awareness and customer satisfaction.
  • Customer Experience: We evaluated vendors based on reference customers’ satisfaction scores as reported to us in an online survey, through data collected over the course of more than 2,100 endpoint-security-related Gartner client interactions, and through Gartner Peer Insights.
  • Operations: We evaluated vendors’ resources dedicated to malware research and product R&D, as well as the experience and focus of the executive team.

Table 1: Ability to Execute Evaluation Criteria

  Evaluation Criteria             Weighting
  Product or Service              High
  Overall Viability               High
  Sales Execution/Pricing         Medium
  Market Responsiveness/Record    High
  Marketing Execution             Medium
  Customer Experience             High
  Operations                      Medium

Source: Gartner (January 2018)

Completeness of Vision

The key Completeness of Vision criteria in this analysis were Market Understanding and the sum of the weighted Offering (Product) Strategy scores:
  • Market Understanding: This describes the degree to which vendors understand current and future customer requirements, and have a timely roadmap to provide this functionality.
  • Marketing Strategy: A clear, differentiated set of messages consistently communicated throughout the organization and externalized through the website, advertising, customer programs and positioning statements.
  • Offering (Product) Strategy: When evaluating vendors’ product offerings, we looked for an approach to product development and delivery that emphasizes market differentiation, functionality, methodology and features as they map to current and future requirements.
    • Anti-malware protection and detection capabilities: This is the quality, quantity, accuracy and ease of administration of an EPP’s anti-malware technology. It covers the tools required to block file-based malware attacks, detect and prevent fileless malware attacks, and mitigate the risk of OS and application vulnerabilities. We look at test results from various independent testing organizations and data from VirusTotal, and use Gartner client inquiries as guides to the effectiveness of these techniques and implementations against modern malware.
    • Management capabilities: This is the provision of a centralized, role-centric console or dashboard that enhances the real-time visibility of an organization’s endpoint security state. It provides clearly prioritized alerts and warnings, and provides intuitive administration workflows. Vendors that have delivered a cloud-first model with feature parity to an on-premises management platform are given extra credit, as organizations struggle to maintain visibility and control over endpoints in use by the increasing remote workforce.
    • Incident prevention and investigation capabilities: This includes the discovery, reporting and prioritization of vulnerabilities present in the environment. We look for vendors that provide educated guidance for customers to investigate incidents, remediate malware infections and provide clear root cause analysis, helping reduce the attack surface. Vendors that focus on lowering the knowledge and skills barrier through guided response tools and easy-to-understand-and-use user interfaces are given extra credit here.
    • Operational IT: Vendors committed to reducing their customers’ attack surface do so with risk-based, prioritized security state assessments — highlighting known vulnerabilities and misconfigurations. We look for vendors that help their customers understand weaknesses in security posture and process, and those that help audit and measure the impact of security investments.
    • Supported platforms: Several vendors focus solely on Windows endpoints, but the advanced solutions can also support macOS with near parity on the features delivered in both clients, notably in the activity and event monitoring areas of EDR.
  • Innovation: We evaluated vendor responses to the changing nature of customer demands. We accounted for how vendors reacted to new threats, invested in R&D and/or pursued a targeted acquisition strategy.
  • Geographic Strategy: We evaluated each vendor’s ability to support global customers, as well as the number of languages supported.

Table 2: Completeness of Vision Evaluation Criteria

Evaluation Criteria           Weighting
Market Understanding          High
Marketing Strategy            Medium
Sales Strategy                Not Rated
Offering (Product) Strategy   High
Business Model                Not Rated
Vertical/Industry Strategy    Not Rated
Innovation                    Medium
Geographic Strategy           Low

Source: Gartner (January 2018)

Quadrant Descriptions

Leaders

Leaders demonstrate balanced and consistent progress and effort in all execution and vision categories. They have broad capabilities in advanced malware protection, and proven management capabilities for large enterprise accounts. However, a leading vendor isn’t a default choice for every buyer, and clients should not assume that they must buy only from vendors in the Leaders quadrant. Some clients believe that Leaders are spreading their efforts too thinly and aren’t pursuing clients’ special needs. Leaders tend to be more cautious and only gradually react to the market when Visionaries challenge the status quo.

Challengers

Challengers have solid anti-malware products, and solid detection and response capabilities that can address the security needs of the mass market. They also have stronger sales and visibility, which add up to a higher execution than Niche Players offer. Challengers are often one or two core capabilities short, or lack a fully converged strategy, which affects their completeness of vision when compared to the Leaders. They are solid, efficient and expedient choices.

Visionaries

Visionaries deliver in the leading-edge features — such as cloud management, managed features and services, enhanced detection or protection capabilities, and strong incident response workflows — that will be significant in the next generation of products, and will give buyers early access to improved security and management. Visionaries can affect the course of technological developments in the market, but they haven’t yet demonstrated consistent execution. Clients pick Visionaries for best-of-breed features.

Niche Players

Niche Players offer solid anti-malware solutions, and basic EDR capabilities, but rarely lead the market in features or function. Some are niche because they service a very specific geographic region or customer size, while some focus on delivering excellence in a specific method or combination of protection capabilities. Niche Players can be a good choice for conservative organizations in supported regions, or for organizations looking to deploy an augmentation to an existing EPP for a “defense in depth” approach.

Context

In the past 12 months, EPP solutions have continued on track to consume features from the EDR market, and some of the traditionally pure-play EDR vendors have continued to bolster their solutions with protection capabilities more often found in EPP (see “Market Guide for Endpoint Detection and Response Solutions”).
This trend of playing catch-up from two directions has resulted in a slew of vendors with similar capabilities and with little to differentiate themselves.
Those that do differentiate do so in three ways: with managed features backed by automation and human analysts; with a focus on cloud-first management and reporting, and on improving the operational side of IT through vulnerability protection and reporting; and, most importantly, by pushing full-stack protection for EPP and EDR use cases to organizations of all sizes.
The new wave of endpoint security vendors was previously considered by risk-averse buyers as complementary to, rather than direct replacements for, traditional EPP. This year, however, Visionary vendors are now gaining traction across all market segments. Although these new-wave vendors attempt to position themselves at a premium price when compared with the renewal costs of a traditional vendor, the sheer volume of vendors in the space makes it a buyer’s market. Heavy discounting is apparent, especially with traditional vendors keen to keep their installed base, and with new-wave vendors that have investors and venture capital firms to please.
Gartner clients should look to vendors that have faster development cycles, providing quicker responses to changing attack trends, and delivering smaller updates that do not need a full uninstall and reinstall. Regardless, organizations should endeavor to upgrade to the latest version as soon as practical; we recommend a minor version upgrade within three months and a major version upgrade within six months.

Market Overview

Testing, Transparency and Evaluation

Malware attacks in early 2017 were seminal to the increased scrutiny on security vendors by the media, independent researchers, and customers and prospects. Gartner’s endpoint protection analyst team received hundreds of inquiries driven by media stories, showing that vendor-client trust is a huge part of any buying decision.
As with previous Magic Quadrants, this year’s inclusion criteria mandate that vendors must have participated in public, independent testing during 2017. Gartner is disappointed with several vendors’ weak participation in standardized tests. There are legitimate complaints about current testing methods and scenarios; however, short of an organization putting a red team together to perform custom-made penetration testing, these tests remain the best indicators of effectiveness, and can be a useful data point to compare trends and performance over time in the same test framework.
Participating in independent tests by AV-Comparatives, AV-TEST, Virus Bulletin and other platforms with public interfaces like VirusTotal demonstrates not only that the products are fit for purpose, but also that the vendor is comfortable with and committed to engaging in a more transparent industry. It’s worth noting that many vendors, from traditional to the new wave, are embracing the shift to a more open community. Solutions from vendors without a long-term commitment to engagement and transparency should be approached with caution.
When evaluating a security solution, it is critical to understand which areas organizations are currently over- or underinvested in. Gartner provides a simple framework in the Adaptive Security Architecture, which many vendors use to communicate their value and feature set in a simple way. Other frameworks exist for more technical evaluations, and the MITRE ATT&CK framework, in particular, is growing in popularity as a way to understand which distinct attack techniques an EPP can prevent or detect.

EPP, EDR and IT Operations

Successful attacks still make use of known vulnerabilities and weaknesses in an organization’s security policy and device configuration. Even the most damaging and high-profile attacks in 2017 (WannaCry and NotPetya) could have been mitigated or the impact reduced by better IT operations, and by better education and communication from security vendors to their customers. Organizations that suffered despite their growing investment in strong endpoint security capabilities felt let down by their vendors. Many of these clients were dissatisfied when their request for help in recovering was met with, “Well, you should have deployed a patch.” These clients asked Gartner, “If these weaknesses were common knowledge, why didn’t our vendor warn us when they have a presence on all our endpoints?”
The most visionary and leading vendors in 2018 and 2019 will be those that use the data collected from their EDR capabilities to deliver actionable guidance and advice that is tailored to their clients. Detecting known IOCs and suspicious behavior is only one side of the EPP coin; solutions must also detect and proactively alert on weaknesses or vulnerabilities that are being exploited right now, or are likely to be exploited in the future.
The fast-moving nature of attacker tools, techniques and procedures means that an organization’s endpoint security strategy must be continually assessed and adapted (see “Use a CARTA Strategic Approach to Embrace Digital Business Opportunities in an Era of Advanced Threats”).
Organizations that are approaching renewal for their incumbent EPP should appraise their current security posture. For example:
  • How effective is our patch management strategy, and do our EPP controls protect against the misuse of vulnerable applications?
  • How fast is our time to resolution of alerts and incidents?
  • Will our staffing level — and the experience of those employees — allow us to take advantage of advanced tools to deliver stronger security capabilities?
  • Should we make a short-term, tactical investment in additional managed services, or switch to a vendor that can provide on-demand managed assistance when we need it?
With a better understanding of their current state, organizations can make educated purchasing decisions based on the features and capabilities that make a difference to them and their security posture. Gartner clients can use the Adaptive Security Architecture framework to assess their capabilities within the protection, detection, response and prediction categories (see “Designing an Adaptive Security Architecture for Protection From Advanced Attacks”).

Evidence

  • Gartner responded to more than 2,100 client inquiries.
  • Gartner conducted an online survey of 129 EPP reference customers in 4Q17.
  • Gartner conducted an online survey of 55 EPP channel references in 4Q17.

Evaluation Criteria Definitions

Ability to Execute

Product/Service: Core goods and services offered by the vendor for the defined market. This includes current product/service capabilities, quality, feature sets, skills and so on, whether offered natively or through OEM agreements/partnerships as defined in the market definition and detailed in the subcriteria. 
Overall Viability: Viability includes an assessment of the overall organization’s financial health, the financial and practical success of the business unit, and the likelihood that the individual business unit will continue investing in the product, will continue offering the product and will advance the state of the art within the organization’s portfolio of products. 
Sales Execution/Pricing: The vendor’s capabilities in all presales activities and the structure that supports them. This includes deal management, pricing and negotiation, presales support, and the overall effectiveness of the sales channel. 
Market Responsiveness/Record: Ability to respond, change direction, be flexible and achieve competitive success as opportunities develop, competitors act, customer needs evolve and market dynamics change. This criterion also considers the vendor’s history of responsiveness. 
Marketing Execution: The clarity, quality, creativity and efficacy of programs designed to deliver the organization’s message to influence the market, promote the brand and business, increase awareness of the products, and establish a positive identification with the product/brand and organization in the minds of buyers. This “mind share” can be driven by a combination of publicity, promotional initiatives, thought leadership, word of mouth and sales activities. 
Customer Experience: Relationships, products and services/programs that enable clients to be successful with the products evaluated. Specifically, this includes the ways customers receive technical support or account support. This can also include ancillary tools, customer support programs (and the quality thereof), availability of user groups, service-level agreements and so on. 
Operations: The ability of the organization to meet its goals and commitments. Factors include the quality of the organizational structure, including skills, experiences, programs, systems and other vehicles that enable the organization to operate effectively and efficiently on an ongoing basis. 

Completeness of Vision

Market Understanding: Ability of the vendor to understand buyers’ wants and needs and to translate those into products and services. Vendors that show the highest degree of vision listen to and understand buyers’ wants and needs, and can shape or enhance those with their added vision. 
Marketing Strategy: A clear, differentiated set of messages consistently communicated throughout the organization and externalized through the website, advertising, customer programs and positioning statements. 
Sales Strategy: The strategy for selling products that uses the appropriate network of direct and indirect sales, marketing, service, and communication affiliates that extend the scope and depth of market reach, skills, expertise, technologies, services and the customer base. 
Offering (Product) Strategy: The vendor’s approach to product development and delivery that emphasizes differentiation, functionality, methodology and feature sets as they map to current and future requirements. 
Business Model: The soundness and logic of the vendor’s underlying business proposition. 
Vertical/Industry Strategy: The vendor’s strategy to direct resources, skills and offerings to meet the specific needs of individual market segments, including vertical markets. 
Innovation: Direct, related, complementary and synergistic layouts of resources, expertise or capital for investment, consolidation, defensive or pre-emptive purposes. 
Geographic Strategy: The vendor’s strategy to direct resources, skills and offerings to meet the specific needs of geographies outside the “home” or native geography, either directly or through partners, channels and subsidiaries as appropriate for that geography and market.