The enterprise endpoint protection platform (EPP) market is a composite that is primarily made up of collections of products. These include:
EPP solutions also will often include:
These products and features are typically centrally managed and ideally integrated by shared policies. Not all products in this analysis provide the same collection of features. In this analysis, we focused primarily on anti-malware effectiveness and performance, management capability, protection for non-Windows platforms (such as VMware, Macintosh, Linux, Microsoft Exchange and Microsoft SharePoint), MDM capability, application control, and vulnerability assessment. See the Completeness of Vision section below for more information.
DLP, MDM and vulnerability assessment are also evaluated in their own Magic Quadrant or MarketScope analyses (see the Gartner Recommended Reading section). In the longer term, portions of these markets will be subsumed by the EPP market, just as the personal firewall, host intrusion prevention, device control and anti-spyware markets have been subsumed by the EPP market in the past. EPP suites are a logical place for the convergence of these functions. In a recent Gartner survey,¹ 40% of organizations said they already use a single vendor for several of these functions, or are actively consolidating products. In particular, mobile data protection is the leading complement to EPP, and purchasing decisions for the two products are increasingly made together. For most organizations, selecting a mobile data protection system from their incumbent EPP vendors will meet their requirements. Application control and the features of vulnerability analysis are also rapidly integrating into EPP suites. Currently, MDM is largely a separate purchase for more demanding large enterprise buyers; however, small or midsize businesses (SMBs) are likely to be satisfied with EPP MDM capabilities.
The total EPP revenue of the Magic Quadrant participants at year-end 2012 was slightly more than $2.8 billion — essentially flat from 2011 — even as the number of reported seat licenses sold increased by 8%. Essentially, this means that the license revenue per seat was declining slightly. At the same time, EPP suites continue to grow in functionality. Consequently, some EPP revenue is inflow from other markets. We anticipate that growth will continue to be in the low single digits in 2014.
Source: Gartner (January 2014)
Arkoon Network Security was acquired by Cassidian CyberSecurity, an aerospace and defense company. Arkoon's Ability to Execute score is hampered by its relatively small market share and limited geographic presence. Its Completeness of Vision score benefits from its design as a seamless, integrated EPP with a focus on behavioral protection, tempered by still-maturing management and a Windows-only focus. It is a reasonable shortlist solution for organizations in supported geographies that are seeking a behavior-based approach to malware detection.
BeyondTrust continues to integrate reporting from eEye's vulnerability analysis and endpoint protection with its privileged management solutions. Current BeyondTrust and Retina Vulnerability Management customers and enterprises that value integrated vulnerability analysis should consider BeyondTrust's PowerBroker Endpoint Protection Platform (formerly named Blink).
Bitdefender (created by private software company Softwin) is primarily known for its consumer products, but is now included in this analysis for its increasing enterprise market presence. Bitdefender is a consistently solid performer in anti-malware test results, and noted by clients for ease of use and customer support. It is a good choice for SMBs in supported geographies that highly weight malware detection accuracy and performance.
Check Point Software Technologies is a well-known network security company. Its venture into the EPP market, starting with the 2004 acquisition of ZoneAlarm, has suffered from poor marketing and channel execution. However, it will still appeal to organizations that value strong integration among remote access solutions, full-disk and media encryption, and malware protection.
Eset has built a substantial installed base in EMEA, particularly in Eastern Europe, and it has a rapidly growing SMB presence in North America. Its Completeness of Vision score benefits from good malware effectiveness in a lightweight client, but it still suffers from weak enterprise management capabilities and lack of investment in market-leading features, such as application control and virtualization support. Eset is a good shortlist option for organizations seeking an effective, lightweight anti-malware solution.
F-Secure, a veteran of the anti-malware industry for more than 20 years, has a very good track record for malware testing results. Its Completeness of Vision score is tempered by the slow development of advanced capabilities, such as dashboards, security state assessments, application control, MDM and virtualization protection. F-Secure is a good choice for organizations in supported geographies that weight malware protection heavily.
IBM's EPP offering is built on the foundation of its strong client management tool platform, the Tivoli Endpoint Manager (TEM). IBM recently acquired Trusteer, which has some interesting application exploit protection technology. TEM for Core Protection is provided by Trend Micro, and advanced HIPS capability is provided by Proventia. These tools are augmented by IBM's X-Force research labs. Large organizations that are considering IBM for client management tools, or those looking at Trend Micro, should include IBM on their shortlists.
Kaspersky Lab's global brand awareness is growing rapidly as it continues to broaden its offering with internally developed, "policy"-based protection features. Kaspersky Lab's Completeness of Vision score benefits from malware effectiveness, virtual server support, MDM, integrated application control and vulnerability analysis. It is a good candidate solution for most organizations.
LANDesk is a pioneer in the integration of client management tools, MDM and security. In 2013, LANDesk added several native security features, but it is largely reliant on partner Kaspersky Lab for anti-malware. LANDesk Security Suite is an excellent choice for the vendor's current customers, and a good shortlist candidate for enterprises seeking integrated security and operations.
The Lumension Endpoint Management and Security Suite (LEMSS) is delivered as a single-server, single-console, single-agent architecture that includes antivirus, application control, encryption, device control, patch management and remediation. Current Lumension customers, or those seeking integrated solutions for security, operations and compliance, should add the vendor to their shortlists.
McAfee, a wholly owned subsidiary of Intel, holds the second-largest EPP market share worldwide, and offers a broad portfolio of information security solutions. Its acquisition by Intel in 2011 appears to be working well, and, as a result, McAfee has expanded its R&D efforts and extended its security product road maps for several years. McAfee's ePolicy Orchestrator (ePO) policy management and reporting framework provides a platform for addressing several aspects of the security life cycle. The vendor should be considered by any large, global enterprise that is seeking solid management and reporting capabilities across a number of disparate security controls.
Microsoft's System Center 2012 Endpoint Protection (SCEP, formerly Forefront) is intimately integrated into the popular System Center management console, and Microsoft licensing often includes SCEP, thereby making it an attractive shortlist candidate. We view SCEP as a reasonable solution for Windows-centric organizations licensed under Core Client Access License (CAL) that have already deployed Microsoft System Center Configuration Manager, and that have additional mitigating security controls in place.
Panda Security is rapidly advancing the state of the art in cloud-based EPP with numerous advanced features that provide customers with tools for all stages of the security life cycle. However, at the time of this writing, these features have only recently launched, and have not been widely field-tested.
Panda is also the first EPP vendor to fully embrace cloud delivery of security services. It offers EPP, email, Web gateways and PC management capabilities — all delivered within a cloud-based management console. SMBs that are seeking easy-to-manage cloud-based solutions should consider Panda as a good shortlist entry in supported geographies (primarily Spain, Germany, Sweden, Portugal, the Benelux region and North America).
Sophos is one of a few companies in this Magic Quadrant that sells exclusively to enterprise markets. It is currently branching out into the network security market, with a longer-term goal to provide a consolidated network and endpoint security solution that is differentiated by ease of use and out-of-the-box integration, and is primarily aimed at the SMB market. We de-emphasized data protection in this year's analysis, which had a detrimental effect on Sophos' Completeness of Vision score. However, Sophos remains a good fit for buyers that value simplified administration with solid support, and do not require complex policies.
In January 2013, Symantec announced a new strategy to reinvigorate company growth by better utilizing its many technologies in a more consolidated and holistic manner. Its endpoint protection and management offerings are now in the User Productivity & Protection group, with a charter to create a more seamless endpoint security suite across multiple devices for consumers and businesses — and between consumers and businesses. Symantec remains the market share leader in EPP, and is a good choice for solid anti-malware endpoint protection.
ThreatTrack Security was spun out of GFI Software and is now a private company that continues to sell the Vipre-branded EPP solution. Vipre was squarely aimed at the small business market, where ease of use and "set and forget" functionality are sought-after attributes; however, ThreatTrack is now attempting to move Vipre into the midsize and large enterprise business. The vendor should be considered by SMBs that are looking for straightforward anti-malware protection with a low performance impact.
Trend Micro is the third-largest enterprise endpoint protection vendor, with a large worldwide installed base focused on the Asia/Pacific region and EMEA. Trend Micro offers two primary endpoint protection offerings: OfficeScan and Worry-Free Business Security for desktops and laptops, and Deep Security for servers. An overlay console architecture called Control Manager can pull information from both offerings to provide an overall dashboard, as well as policy management across endpoint and messaging security. Control Manager is the new focal point for the integration of Trend Micro capabilities, such as MDM. Trend Micro is a good shortlist candidate for buyers looking primarily for anti-malware capability.
Webroot SecureAnywhere Business Endpoint Protection takes a behavior-based approach that uses cloud databases to keep its EPP client small and fast. Webroot SecureAnywhere is a reasonable shortlist inclusion for organizations in supported geographies that are seeking a lightweight, behavior-based approach to malware detection. It can also be a good additional tool for high-security organizations.
The rise of the targeted attack is shredding what is left of the anti-malware market's stubborn commitment to reactive protection techniques. Improving the malware signature distribution system, or adapting behavior detection to account for the latest attack styles, will not improve the effectiveness rates against targeted attacks. When 35% of reference customers for EPP solutions¹ have been successfully compromised, it is clear that the industry is failing in its primary goal of keeping malicious code off PCs. The sad reality is that any targeted attacker will code and test his or her payload to evade the target's anti-malware system. To be successful going forward, EPP solutions must be more proactive and focus on the entire security life cycle.
There are essentially four stages in the security life cycle:
In this Magic Quadrant analysis, we have evaluated vendors based on the features they provide to aid in all stages of the security life cycle.
Proactive policy-setting work — like patching Web-facing applications and utilities, reducing the number of applications to manage, removing administrator rights, and potentially exploiting application control — will, by itself, defeat 85% to 90% of malware. When we reference "security state assessments" in this analysis, we are describing the vendor's ability to quickly show the current posture of the device and its susceptibility to malware infection, and to provide prioritized remediation actions.
Despite the need to focus on the security life cycle going forward, we must acknowledge that EPP buyers put the highest value on prevention, hoping to avoid the additional work of proactively setting policy or tracking down anomalies that may turn out to be false positives. Consequently, in this Magic Quadrant, we continue to weigh prevention and performance heavily in our Completeness of Vision analysis.
Concurrently, long dwell times are a hallmark of successful advanced attacks. Gartner clients are searching for tools that can help reduce these long dwell times. When we discuss "detection" or "forensic" capability, we are addressing the vendor's ability to identify clients that may already be compromised, as well as tools that aid in incident response and forensic investigation.
Most enterprise buyers are starting to look for EPP products that can address not only Windows PCs, but also a broad array of servers and clients. We evaluated a vendor's ability to protect and manage new endpoints (such as Mac, iOS and Android devices), which is integrated into the management console. Today, many large enterprise buyers are selecting a best-of-breed MDM capability; however, within the next two years, we expect the EPP market to subsume this function (which is already happening at the SMB end of the market).
We also considered specialized features for virtualized servers, as well as the breadth of protection for specialized servers such as Exchange, SharePoint, Linux and Unix.
The large enterprise EPP market is still dominated by Symantec, McAfee and Trend Micro, which represent approximately 65% of the total revenue of Magic Quadrant participants. Sophos and Kaspersky Lab are the two other global Leaders that are competitive across multiple functions and geographies. The combined Leaders quadrant market share is 82%. While still dominant, the combined market share of the Leaders is down 3% from the 2013 analysis. The displacement of incumbents is still a significant challenge in the large enterprise market; however, in the less demanding small and midsize market, competition is more intense, and the Niche Players and Visionaries collectively are slowly eroding the market share of the Leaders with a dedicated focus on specific features or geographic regions.
In the longer term, we believe that the increased displacement of Windows endpoints by application-controlled OSs (such as Microsoft Windows Runtime, and Apple's iOS and OS X Mountain Lion) is the biggest market threat. These solutions shift the value proposition of EPP solutions from traditional anti-malware to MDM and data and privacy protection capabilities.