Recently the first vendor publications appeared, which means that Gartner's fresh comparison and analysis of the Endpoint Protection market is officially available.
This year's results will certainly raise questions, and heated discussions have already begun on social networks (sic!). Based on such questions and critical opinions, for a number of which I have answers and my own view, I would like to do some analysis myself and share it here.
First of all, I don't want to offend anyone, and having personally participated in the evaluations for MQ 2019, I have a fairly large set of information from which to compose an unbiased opinion (especially after leaving my previous company).
IMPORTANT: The information below is not related to my current or past employer, and personally expresses my position as an expert and professional in the field of cybersecurity. If you would like to discuss some points in more depth, I'm happy to take the discussion to a personal conversation.
To keep this post to a readable size, I will try to summarize my main thoughts and personal conclusions regarding the latest Endpoint Protection MQ.
Why the EPP MQ will attract increased attention in 2019
- New dawn of EPP.
Let's admit that two or three years ago it seemed Endpoint Protection was becoming a fairly traditional topic, to the point that it was being transferred from the information security department's tasks to the responsibility of IT specialists. Meanwhile, the active promotion (hype) of SOC ideas, advanced (APT) threats and Endpoint Detection & Response (EDR) has largely created interest around Endpoint security solutions/products. Then came an explosive increase in successful attacks and, as a result, demand for Digital Forensics, Threat Hunting and Threat Analytics. Many companies (experts) again drew attention to Endpoints and Servers, which have always remained the main target for adversaries, provide the most relevant data for investigations (logs, events, evidence), and in general remain the main elements of IT infrastructure. This trend is growing under the influence of digital transformation. Overall, the risks of cybercrime are a headache for top management.
- Technology evolution (=mess).
While in the case of the "market guides" for EPP and EDR Gartner issued reports on a regular cycle, the EPP MQ was a different story: the previous one was released in January 2018. In many ways this can be attributed to internal rearrangements at the analyst firm, which were certainly needed given the serious change in views on technologies, approaches and requirements for an Endpoint Security suite. Such a change did not go unnoticed and was clearly visible through the released "Critical Capabilities" and "market guides", which continuously educated customers on the requirements for EDR functionality, the trends of security "from" and "for" the cloud, and the formation of the service-based security market (MDR / MEDR).
- Vendor sales enablement.
It is worth remembering that over almost 7 quarters (taking into account the preparation time for MQ 2018), many vendors have changed their portfolios significantly: 2-3 versions of flagship EPP solutions have been released, external companies have been acquired, and their technologies have already been introduced as part of the main product.
In summary, with such a gap between MQs, the work almost had to start from scratch, according to the "new rules". In many ways, Gartner, as a visionary of trends and technologies, had already begun such work back in 2018, and had sensed a number of points that were reflected in the results of EPP MQ 2018.
- It all started back in late 2017 and early 2018.
In fact, in 2018 many (like me 0_0) were surprised by the results with which EPP MQ 2018 was released: plenty of Visionaries, indicating an overload of ideas or a lack of uniqueness, and the emergence of a "cloud first" paradigm. As a result, there was a need to shake up the "old" leaders of classical endpoint security, who bet on quality and efficiency but to a lesser extent on flexibility and innovation (not able or not ready to position themselves as "early adopters"). Two leaders faced problems: one lost position and another moved to Visionaries. Overall, Gartner set new trends of cloud-delivered security, first voiced the need for EDR (at that time just as a complementary part of the EPP proposal) and pushed the idea of service models: MDR (MEDR).
Before talking about MQ 2019, let's look at what analysts had to work with and what the conditions were in 2018:
1. The accumulation of vendors in the Visionaries area in itself seemed to be a factor in the stagnation of the EPP segment. If you ask me right now, this was probably the result of various interesting ideas provided by vendors (like EP Deception) and some new approaches which seemed innovative at the time. Interestingly, most of them (not EP Deception =) ) would later become part of the critical capabilities for EPP.
The challenge was to make changes in order to somehow disperse such heterogeneous vendors from this "focal point".
2. At that moment, it seemed obvious to me that the presence of 3 Leaders did not clearly reflect the situation on the global Endpoint Security market.
Small remark: Gartner grades vendor evaluations by customer scenarios/profiles (see "type A, B, C"). This gradation is convenient for compiling a single evaluation document, but it probably distorts the representation of vendors' positions relative to each other. For example, how can you compare Sophos (Mid SMB) and FireEye (Mid Enterprise)? While I was working with anti-fraud systems, a similar situation arose with Gartner's Web Fraud Detection MQ (I think many will remember it negatively). On the other hand, if with EPP they are more likely hostages of an existing situation, then in the Anti-APT (Advanced Threat Prevention / Detection) market this is most likely the main reason why, after "Five Styles of Advanced Threat Protection" (3+ years ago, it seems), nothing more was done, and an MQ for this class is not even planned. The offers on the same market are too heterogeneous: Sandboxes, MDR, Anti-APT, EDR, NTA (all addressing similar results/threats/risks/budgets). But back to EPP...
The right choice is, first of all, a shift of the axes, which could reflect the sales results, vendor capabilities, the situation in mature markets where vendors expand only through replacements, and the demand for identifying new leaders: cloud-ready and MDR (MEDR). At that moment the axes only needed to be changed a little, and this would correct the situation (my ideas below):
Most likely such a move was already being considered at that moment. Below, I rely on this idea and try to consider the 2019 result in relation to the 2018 results.
My thoughts on the result of 2019.
Applying the predicted axis shift, which I presented in the previous chart, to the 2018 quadrant, you can see how the situation looks for the vendors presented. I have divided them into three groups:
1. Improved their position
McAfee and SentinelOne were in the "red zone" but moved to Visionaries. This happened mostly due to the development and evolution of their EDR proposals:
- McAfee launched the new MVISION EDR cloud platform
- SentinelOne leads the market in adoption of the Active EDR concept with automated response
(The source of most debates in the community for the next 1-2 months.) A major improvement was made by Microsoft with the release of the new Windows ATP version and the launch of an MDR service. By leveraging a strong R&D team and "VIP" access to their own OS, MS today has a good cybersecurity offer with a pretty unique set of features out of the box.
CrowdStrike continues to provide a full-bundle EPP proposal based on a service model, which attracts a lot of customers ready for outsourcing.
Bitdefender and FireEye strengthened their positions in the niche segment without any unique or innovative improvements in technology, but with new versions and better integration within their product portfolios.
2. Lost their position
For Sophos and Symantec, the situation did not change much at first glance: overall, good positions in the Mid-High SMB and Enterprise segments. But it could be a sign of stagnation, taking into account the overall rise of Microsoft and CrowdStrike. For Symantec, with the latest news around the sale of its Enterprise business, I can say it is probably a negative trend.
F-Secure and Panda Security deservedly occupy their positions in the niche segment (having good sales in their home markets, yet their global expansion and company capabilities look modest).
(I think this is the second topic to discuss over a beer.) The key fall of this year is Malwarebytes (I'll probably omit my guesses). The company is very interesting, again completely niche, but with potential. It could be a good point for them to change how their expansion happens, especially since they recently bet on services with the announcement of the Malware Removal Service (MRS). They even hired an AlienVault security veteran to lead the MSP/MSSP part of the business.
3. Remained in the same place, or slightly strengthened their position
Veterans: ESET, Trend Micro, Kaspersky. These companies are in a very risky situation and need to find a new positioning. Most already have some critical parts (MDR/EDR/Cloud) but lack "hype"-like stories and innovative, forward-looking ideas. Still, in the current situation I see all three companies making the right moves and following the right direction. With good leadership they can probably drive the market and be the main players in the Visionaries segment (they have the money, R&D and time for that).
Cylance (BlackBerry)... It is good that they kept their position for now. In the future, as part of BlackBerry, it is probably better for Cylance to move into Unified Endpoint Management. Having just ML (even the best in the world) is not enough to be successful in the complex EPP solution segment.
Updated 27.08: Interestingly, my point regarding the axis shift and some vendors that just remained in the same place probably has additional proof. First Cylance (with BlackBerry) and now the news regarding Carbon Black (https://www.carbonblack.com/2019/08/22/the-next-chapter-in-our-story-vmware-carbon-black/). More infrastructure vendors want to have their own security platform. Security by design?
For firewall vendors, EPP is just an addition to the overall proposal. I haven't seen any enterprise customer really using Endpoint protection from a network vendor without an NGFW from the same vendor, so it is more like an ecosystem. Glad that my friends at Check Point returned to the MQ. Cisco is increasing sales of AMP through the Threat Hunting and SOC topics, but while the amount of money is growing, there are not so many projects. For me it is just not a mass-market proposal and, again, more like a complex single-vendor project. A very strange situation with Palo Alto, which launched Cortex XDR. Somehow this did not affect its position much, maybe because it is hard to put it into the EPP class (better to say it is Anti-APT).
Forecast. What to expect in 2020 for the Endpoint Protection market?
1. The increase in the number of MDR offers.
- Vendors will look for differentiation, new SLAs, results and quality;
- More customers will understand the specifics of the offering, which leads to growing demand for real services and not just monitoring/correlation/basic malware removal;
- Service-based turnkey projects: full cybersecurity outsourcing from A to Z;
- More Enterprise companies will demand Threat Hunting;
- Rapid growth of vendors' business of selling platforms to MSSPs, SIs and "MSSP wannabes";
2. Security Awareness will become part of an EPP suite
- A real user-centric approach to security based on employee culture
- Policy enforcement and adjustment based on Security Awareness scoring (strict policies for newcomers until validation through the SA system, automated policy matching personalised for each employee)
- Security Awareness employee scores as part of the Incident Management process (why the employee did it, what the personal risk is, why an attack works, etc.)
3. On-premises vs cloud-ready. Private EPP security.
- Regulation: cloud prohibition for specific industries (data sharing)
- Geopolitical situation will lead to more concerns over cloud-hosted/cloud-provided security solutions
- Dissatisfaction with the results of MDR services will lead companies to establish internal security teams
4. Debunking the myths of automated EDR
- Anything that can be automated should become part of EPP (AV, NG AV);
- Automation is not applicable to targeted attacks with manual/non-malicious stages;
- The number of advanced threat types which Prevention can handle is growing;
- EDR reflects a manual process, and any automation is only useful for routine tasks (data collection, analysis, specific features or the process itself - IRP, SOAR);
5. Unified Endpoint Management (sleeping giant waiting for attack)
- With the growth of corporate IoT devices, the protection of Endpoints (like Mac, Windows, Linux) will lose importance and manageability will come first;
- Policy management and hardening will be implemented in more industries to avoid compromise;
I understand that analysis of this kind can raise even more questions than the comparison itself. Still, I hope that for some questions the material will be useful to you in understanding what is happening in the EPP market.