Endpoint Protection Platforms, 2007

The stand-alone antivirus market has been replaced with a broader suite of defensive technologies supported by an extensible management platform that can subsume horizontal products, such as data protection and device management capabilities.

WHAT YOU NEED TO KNOW
Point products for antivirus, anti-spyware, personal firewalls and host-based intrusion prevention (HIPS) are rapidly being replaced by suites with a centralized and extensible management framework. The management and reporting capability of endpoint protection platform (EPP) suites is a substantial differentiator, especially in large enterprises. A modular architecture that enables selective configuration based on security requirements and device location is also critical. EPP suites are being extended with new capabilities, such as encryption and data loss prevention (DLP). Management of end-node protection will increasingly duplicate operational management capability and eventually subsume these tools for small or midsize businesses (SMBs).
MAGIC QUADRANT
Figure 1. Magic Quadrant for Endpoint Protection Platforms, 2007

Source: Gartner (December 2007)
Market Overview
The traditional point product antivirus, anti-spyware and personal firewall markets have been eclipsed by broader suites of related security technologies, which Gartner has labeled the EPP. Basic component technologies in EPP suites include antivirus, anti-spyware, HIPS and a personal firewall. Advanced EPP suites will include network access control (NAC) and data protection technologies, such as DLP and full-disk encryption. The requirements for holistic NAC solutions and the demanding management needs of large enterprises are also forcing EPP suites to replicate some PC configuration life cycle management tasks, such as security configuration management, asset discovery, patching and software management. By combining multiple correlated technologies into a single management framework, EPPs have the promise of increasing security while lowering complexity, cost and administrative overhead.
Spyware and virus threat databases and scan engines have largely merged into a single signature-based anti-malware agent. Although there are subtle differences in the speed and detection rates of anti-malware databases, this component is largely viewed as a commodity by buyers. Even the best signature databases can miss in-the-wild threats 2% to 10% of the time, and most have less than a 50% chance of catching completely new threats. Signatures are extremely ineffective against targeted threats and “zero day” threats. HIPS and personal firewalls are increasingly critical to improve overall security. The convergence of these functions into a common management framework should increase the adoption of HIPS and desktop personal firewalls.
Enterprise interest in stand-alone personal firewalls has declined considerably as the capability of EPP suite firewalls has improved and given that Microsoft’s entry-level personal firewalls are already included with Windows. Security-conscious enterprises want more-advanced firewall functionality at least for their mobile population.
Advanced features that define more-visionary firewalls include:
• Audit capabilities and protections to ensure that the firewall policy is active
• Detailed event logs
• Verified updates to firewall settings
• Coordinated use of the firewall in conjunction with malware protection for the rapid defense of unpatched vulnerabilities
• Wireless firewall policies, such as enforcing one active network interface card (NIC) to avoid LAN-to-wireless-LAN bridges
• Firewall policies applied locally to application network traffic and rights management
Organizations should evaluate EPP firewalls and plan to phase out stand-alone personal firewall solutions.
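To make three of the firewall capabilities listed above concrete (auditing that the policy is active, verifying policy updates, and enforcing a single active NIC to prevent LAN-to-wireless-LAN bridging), here is an added illustrative check. It is not code from any EPP product or from Gartner; the posture record format, its field names, and the HMAC-based policy verification are assumptions made for this example, and the endpoint postures are constructed.

```python
"""Endpoint firewall policy audit: an added illustration, not vendor code.

Evaluates a constructed endpoint posture record against three firewall
policies: the firewall must be enforcing, the installed policy must carry a
valid tag from the management server (verified update), and at most one NIC
may be active when the policy says so (no LAN-to-WLAN bridge).
"""
import hashlib
import hmac
import json

# Constructed key standing in for the management server's policy signing key.
POLICY_SIGNING_KEY = b"example-management-server-key"


def sign_policy(policy: dict) -> str:
    """Return an HMAC-SHA256 tag over a canonical JSON encoding of the policy."""
    canonical = json.dumps(policy, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(POLICY_SIGNING_KEY, canonical, hashlib.sha256).hexdigest()


def audit_endpoint(posture: dict) -> list:
    """Return a list of findings; an empty list means the endpoint is compliant."""
    findings = []
    fw = posture["firewall"]

    # 1. Audit that the firewall is actually running and enforcing its policy.
    if not fw["service_running"] or not fw["policy_enforced"]:
        findings.append("firewall policy not active")

    # 2. Verified update: the policy on disk must match the tag issued with it,
    #    so a locally edited policy is rejected. Constant-time compare.
    if not hmac.compare_digest(sign_policy(fw["policy"]), fw["policy_tag"]):
        findings.append("firewall policy failed signature verification")

    # 3. Wireless rule: only one NIC may be up with an address at a time.
    active = [n["name"] for n in posture["interfaces"] if n["up"] and n["has_address"]]
    if fw["policy"].get("single_active_nic") and len(active) > 1:
        findings.append("multiple active NICs: " + ", ".join(sorted(active)))

    return findings


# Constructed sample postures (assumed field layout).
COMPLIANT_POLICY = {"single_active_nic": True, "inbound_default": "deny"}
COMPLIANT = {
    "firewall": {"service_running": True, "policy_enforced": True,
                 "policy": COMPLIANT_POLICY,
                 "policy_tag": sign_policy(COMPLIANT_POLICY)},
    "interfaces": [{"name": "eth0", "up": True, "has_address": True},
                   {"name": "wlan0", "up": False, "has_address": False}],
}
# A policy edited locally (inbound default flipped) while the old tag is kept,
# on a laptop with both wired and wireless interfaces up.
TAMPERED_POLICY = dict(COMPLIANT_POLICY, inbound_default="allow")
BRIDGED = {
    "firewall": {"service_running": True, "policy_enforced": True,
                 "policy": TAMPERED_POLICY,
                 "policy_tag": sign_policy(COMPLIANT_POLICY)},
    "interfaces": [{"name": "eth0", "up": True, "has_address": True},
                   {"name": "wlan0", "up": True, "has_address": True}],
}

if __name__ == "__main__":
    for label, posture in (("compliant", COMPLIANT), ("bridged", BRIDGED)):
        print(label, audit_endpoint(posture) or ["ok"])
```

The point of the tag check is that a policy change only counts if it came from the management server; the check fails closed on any mismatch, which is what "verified updates to firewall settings" buys an administrator.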
HIPS technologies are critical to secure endpoints from more-evasive, targeted and zero-day threats. Advanced HIPS solutions use various protection styles to provide layers of defense at endpoints, including:

  • Protocol anomaly detection
  • Deep-packet inspection for known network attack signatures or vulnerability attack signatures
  • Simulation of potentially malicious code before it executes by using static analysis, code simulation or virtual machines
  • Genetic heuristics, which is the use of broad signatures to detect variants using common malware family characteristics
  • Comprehensive buffer overflow and program flow control protection
  • Advanced application control to determine which applications are allowed to execute and to restrict system resource access
  • “Sandboxing” and other virtualization techniques to inspect and isolate potentially malicious code from causing damage to the endpoint
  • Behavior-based analysis of executing code to determine whether it is behaving maliciously, and providing the capability to undo the damage and remove the malware.
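The "genetic heuristics" layer above is a broad signature: a set of traits shared across a malware family, with a sample flagged when it shows enough of them, so that a repacked or lightly modified variant still matches even though an exact hash or byte-for-byte signature would not. The following is an added illustration of that scoring idea, not code from any HIPS vendor; the family name, traits, threshold and sample byte blobs are all constructed for this example.

```python
"""Genetic-heuristic (family trait) scoring: an added illustration, not vendor code.

A family signature is a list of traits (regexes over a sample's printable
strings) and a threshold. A sample is attributed to the family when it matches
at least 'min_traits' of them, which tolerates variants that change some
strings but keep the family's shared characteristics.
"""
import re

# Constructed family definition. The registry Run path is a generic persistence
# location; the mutex prefix, domain and config marker are made up.
FAMILY_SIGNATURES = {
    "ExampleFamily": {
        "traits": [
            rb"CurrentVersion\\Run",          # persistence location
            rb"Global\\exmpl-mutex-\d+",      # constructed mutex naming pattern
            rb"cdn-exmpl\.example",           # constructed update/C2 domain
            rb"exmpl_keystore",               # constructed config marker
        ],
        "min_traits": 3,
    }
}


def extract_strings(data: bytes, min_len: int = 4) -> list:
    """Pull printable ASCII runs out of a byte blob (a minimal 'strings')."""
    return re.findall(rb"[\x20-\x7e]{%d,}" % min_len, data)


def matched_traits(data: bytes, traits: list) -> list:
    """Return the traits (as bytes patterns) that appear in the sample's strings."""
    strings = extract_strings(data)
    return [t for t in traits if any(re.search(t, s) for s in strings)]


def score_sample(data: bytes) -> dict:
    """Return {family: number of matched traits} for every family at or above threshold."""
    hits = {}
    for family, sig in FAMILY_SIGNATURES.items():
        count = len(matched_traits(data, sig["traits"]))
        if count >= sig["min_traits"]:
            hits[family] = count
    return hits


# Constructed samples: two variants sharing family traits, and a benign file
# that only touches the Run key (one trait, below threshold).
VARIANT_A = (b"\x00\x01\x02MZ\x90\x00"
             b"Software\\Microsoft\\Windows\\CurrentVersion\\Run\x00"
             b"Global\\exmpl-mutex-7\x00"
             b"http://cdn-exmpl.example/upd\x00\xff\xfe")
VARIANT_B = (b"\x7fELF\x00\x00"
             b"Global\\exmpl-mutex-12\x00"
             b"cdn-exmpl.example\x00"
             b"exmpl_keystore.dat\x00")
BENIGN = (b"MZ\x90\x00"
          b"Software\\Microsoft\\Windows\\CurrentVersion\\Run\x00"
          b"Installer finished\x00")

if __name__ == "__main__":
    for name, blob in (("variant_a", VARIANT_A), ("variant_b", VARIANT_B), ("benign", BENIGN)):
        print(name, score_sample(blob) or "no family match")
```

The threshold is the tuning knob the text refers to: a lower one catches more variants at the cost of false positives on benign software that happens to share a trait, which is why the Run-key trait alone never triggers here.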

Visionary HIPS solutions must enable selection and configuration/tuning to balance the security level, transparency to end users and administration overhead. Solutions should provide preconfigured out-of-the-box templates for common application and system configurations, as well as a learning mode for custom applications.
The management capability of EPP suites is a substantial differentiator. Simply maintaining the security status of large PC fleets that are increasingly mobile for long periods of time is difficult. As NAC becomes an integrated feature of EPP suites, management capability has been forced to expand from simply maintaining the security posture of the EPP components to checking the security configuration, software inventory and patch levels. The new EPP management consoles are beginning to add PC configuration life cycle management capabilities to ensure the security and integrity of clients. Meanwhile, some PC life cycle operations vendors are starting to add defensive security tools to their offerings. These two markets will continue to slowly converge, although it will not be until after 2010 that a significant percentage of the market will buy completely integrated tools from a single vendor (see “PC Security and Operational Management Functions Are Converging”).

Market Definition/Description
Enterprise antivirus, anti-spyware, personal firewall and desktop HIPS products make up the majority of endpoint security spending. The combined revenue of these segments was more than $2.2 billion in 2005, and we anticipate that the EPP market will grow to nearly $3.6 billion by 2010.
This market is still dominated by the market share of the big three traditional antivirus vendors (McAfee, Symantec and Trend Micro), which represent roughly 85% of the market share.
However, many nimble vendors are beginning to challenge the status quo with innovative EPP solutions and a higher level of customer focus.
Microsoft’s impact on the enterprise market is still nascent; however, we expect it to have a growing market share, starting primarily in Microsoft-centric SMBs.
Despite the introduction of new players, the displacement of incumbents is still a significant challenge. The biggest impact of the challengers and visionaries is to push the dominant players in the market to invest in new features and functionality and to keep pricing rational.

Inclusion and Exclusion Criteria
Inclusion in this Magic Quadrant is limited to vendors that meet the following minimum criteria:

  • Products must provide malware (virus, spyware, rootkit, Trojan and worm) detection and cleaning, a personal firewall and/or some form of host intrusion prevention (such as application control, buffer overflow protection, behavioral monitoring and enforcement, and heuristics) capability for PCs.
  • Vendors must have centralized management, configuration and reporting capabilities for the products listed above that can support companies that have, at a minimum, 5,000 geographically dispersed endpoints.
  • Vendors must have global service and support organizations to support enterprise products.

Added
Numerous vendors were added to the Magic Quadrant this year as a result of the evolution to endpoint protection platforms and the more liberal inclusion criteria. New entrants include BigFix, Bit9, Check Point Software Technologies, eEye Digital Security, IBM, Kaspersky Lab, LANDesk, Microsoft and Webroot Software.
Dropped
No vendors were removed.

Evaluation Criteria
Ability to Execute
The key Ability to Execute criteria we used to evaluate vendors were overall viability, and market responsiveness and track record.

  • Overall viability: This included an assessment of financial resources, such as the ability to make necessary investments in new products or channels, and the experience and focus of the executive team. We also looked at the business strategy of each vendor’s endpoint protection division and how significant that division is to the overall company.
  • Market responsiveness and track record: We evaluated each vendor’s track record in bringing new products and features to customers in a timely manner, as well as the market share of the vendors.
  • Sales execution: We evaluated the vendor’s licensing and pricing programs and practices. We incorporated feedback from clients and references on negotiation experiences. We also looked at the strength of channel programs, geographic presence and the track record of success with technology or business partnerships.
  • Marketing execution: We evaluated the frequency of vendors’ appearance on shortlists and RFPs, according to Gartner client inquiries, and reference and channel checks. We also looked at brand presence and visibility in the market.
  • Customer experience: We primarily evaluated product stability and performance, customer experience with the vendor’s support, and signature quality and response times. We evaluated comments from Gartner clients and reference customers, as well as results from tests, such as AV-Test.org, and other sources of data on performance and signature response times.
Table 1. Ability to Execute Evaluation Criteria
Evaluation Criteria - Weighting
Product/Service - no rating
Overall Viability (Business Unit, Financial, Strategy, Organization) - high
Sales Execution/Pricing - standard
Market Responsiveness and Track Record - high
Marketing Execution - standard
Customer Experience - standard
Operations - standard

Completeness of Vision
The most important vision criteria were market understanding and the product offering.

  • Market understanding: In this category, vendors that understand customer requirements for proactive and integrated defenses across all malicious software (malware) threat types and have an innovative and timely road map to provide these functionalities scored best.
  • Offering/product: When evaluating vendors’ product offerings, we looked at the following product differentiators:
  1. Anti-malware signature capabilities: speed, accuracy, transparency and completeness of signature-based defenses
  2. HIPS capabilities: the quality, quantity, accuracy and ease of administration of nonsignature-based defenses
  3. Personal firewall capabilities: advanced capabilities that exceed Microsoft’s, such as location-based policy, specific virtual private network (VPN) and wireless rules, and Universal Serial Bus (USB) and other port protection
  4. Management and reporting capabilities: comprehensive centralized reporting that enhances the real-time visibility of end-node security state, and administration capabilities that ease the management burden of policy and configuration development
  5. Horizontal integration: the quantity and quality of integrated related products or technologies, such as NAC, full-disk encryption, data leak prevention, and e-mail and Web gateways. These related products enable vendors to become more-strategic suppliers to organizations and offer the promise of lower administration costs and better security through simpler policy administration and monitoring, and correlated threat information.
  6. Sales strategy: We evaluated each vendor’s licensing and pricing programs and practices. Vendors that emphasized value to clients, tended to incorporate new functionality without “upcharges” and were reasonable during renewal negotiations received high scores. We incorporated feedback from clients, reference customers and channel partners on negotiation tactics and pricing strategies. We also evaluated the vendors’ partnership strategies. We accounted for how vendors approached new channels and delivery models.
  7. Innovation: We evaluated vendors’ responses to the changing nature of customer demands. We accounted for how vendors reacted to malicious code threats, such as spyware and targeted attacks, and how they invested in R&D or pursued a targeted acquisition strategy.
Magic Quadrant for Endpoint Protection Platforms, 2007
Peter Firstbrook, Arabella Hallawell, John Girard, Neil MacDonald
