Market Definition/Description
(This document was revised on 18 January 2012. The document you are viewing is the
corrected version. For more information, see the Corrections page on gartner.com.)
The enterprise endpoint protection platform (EPP) market is a composite market primarily
made up of collections of products. These include:
- Anti-malware
- Anti-spyware
- Personal firewalls
- Host-based intrusion prevention
- Port and device control
- Full-disk and file encryption
- Endpoint data loss prevention (DLP)
- Application vulnerability management and application control
These products and features are typically centrally managed and ideally integrated
at the policy level.
Despite the introduction of new players, the displacement of incumbents is still a
significant challenge in the large-enterprise market. The biggest impact of the Magic
Quadrant Challengers and Visionaries is to push the dominant market players into investing
in new features and functionality (sometimes via acquisitions), and to keep pricing
rational. However, in the sub-1,000-seat market, we do see more displacement,
and buyers have more product choices due to lower management requirements. Current
prices for comparable offerings are down from our last Magic Quadrant; however, vendors
are often substituting more-complete suite offerings with little or no increase in
annual costs.
In 2010, the enterprise market was still dominated by McAfee, Symantec and Trend Micro,
which together represent approximately 60% of the total enterprise market. Notably, however,
the share of these dominant players is down considerably from 85% in 2007. These market
leaders are losing market share to increased competition, primarily in the lower end
of the market with fewer than 1,000 seats, but competitors are also making inroads in larger accounts.
Sophos and Kaspersky Lab are the primary beneficiaries of this trend, and these vendors
are improving mind share and market share in the enterprise market.
The market size at year-end 2010 was approximately $3 billion, up 6% from 2009, following
the macroeconomic recovery of enterprise PC growth. This is slightly higher than the
5% growth we projected in the 2010 Magic Quadrant. We anticipate growth rates to continue
in the 5% range in 2011 and 2012.
Microsoft's impact on the enterprise market has not yet been significant; however,
it increasingly appeared on the 2011 shortlists of customers due to recent improvements
to its offering and licensing changes, which make the solution effectively "free"
to organizations licensed under Core CAL. We note that approximately one-third of
enterprise buyers indicate that they are actively considering Microsoft or plan to
do so during their next renewal periods. Microsoft continues to make steady product
progress and is now, finally, poised to take some enterprise market share; however,
its impact will be tempered by high growth on a small market share and product limitations
(outlined here). Moreover, Microsoft's impact in the enterprise market may be influenced
by the Windows 8 penetration rate, and any decision to include malware protection
in Windows 8 is likely to face legal and regulatory issues, especially in Europe if
it is viewed to unfairly affect market competition.
Magic Quadrant
Figure 1. Magic Quadrant for Endpoint Protection Platforms
Source: Gartner (January 2012)
Vendor Strengths and Cautions
Check Point Software Technologies
Well-known in the enterprise network firewall and VPN market, Check Point continues
to improve its EPP product suite with an emphasis on addressing the increasing proliferation
of unmanaged devices. Despite its significant enterprise network presence, brand and
channel, the company has failed to significantly improve its market share or mind
share in this market. Organizations that value strong integration between remote access
solutions and the EPP suite, full-disk and media encryption, a strong host firewall,
and application control solutions should include Check Point on their shortlists.
Strengths
- Like its network offerings, Check Point Endpoint Security uses a "software blade"
architecture where clients pay for only the capabilities they need from a comprehensive
suite of capabilities. These include personal firewall, anti-malware (licensed from
Kaspersky Lab), full-disk encryption, network access control (NAC) and integrated
VPN.
- Check Point's management console integrates malware protection and data encryption
suite offerings. It offers a clean interface with easy navigation and quick access
to summary data (overview/dashboard, organization, policies, reports and deployment)
that is very similar to a network firewall interface. Reporting is significantly improved.
The dashboard can be customized for each administrator. It provides good hierarchical
and object-oriented policy, and can exploit network firewall policy objects, such
as network zones, in a client firewall policy and can leverage installed gateway appliances
as relays for client updates. Check Point offers a unique user-based management capability
that allows administrators to develop and view user-specific policies across multiple
devices.
- The personal firewall is comprehensive and includes extensive prepopulated program
profiles, excellent location-based policies and very good VPN client integration.
- Check Point offers application control capabilities (which it calls program control)
augmented with Check Point's Program Advisor service. This enables administrators
to define acceptable applications based on an existing inventory of applications,
certificates and/or Check Point's database of known good applications.
- Check Point has very strong full-disk and file/media encryption, as well as extensive
port control, including very granular device and file identification.
- Check Point added browser protection technology from ZoneAlarm, which helps clients
avoid malicious Web-based malware.
- Check Point added support for Mac clients in 2011.
Cautions
- Check Point is best known for its network-based protection solutions, and has had
difficulty with penetration into the broader EPP market beyond its installed base
of VPN, host firewall and encryption customers. Gartner customers rarely inquire about
this solution. Moreover, the company is not forthcoming with financial and customer
data that would allow us to accurately evaluate its progress in this market.
- Check Point is dependent on Kaspersky Lab for anti-malware signatures to review suspicious
code samples and to prepare custom signatures for targeted malware. Although signatures
are becoming a replaceable commodity, business disruptions in Kaspersky could affect
Check Point customers. It is also increasingly challenged to differentiate itself
from its core malware detection engine partner, Kaspersky, for clients seeking basic
protection, or from market leaders for clients seeking data protection solutions.
- The management console provides a good summary view of the EPP agent status; however,
it does not include any vulnerability or configuration assessments, nor does it have
any integration with operations tools. The Compliance Blade does assess the configuration/security
level of endpoints in the system and provides a detailed report showing compliance
issues.
- The Check Point management console is a Windows client/server application and does
not offer a browser-based option. Check Point is dependent on software distribution
tools to install the initial client, and lacks the ability to remove other anti-malware
products. The solution doesn't include many options to minimize the impact of scheduled
scans, such as the impact on CPU use, or to avoid conflicts with critical programs.
- Check Point's program control solution can't prevent programs from installing. It
only blocks network access via firewall permissions and terminates the process. Program
control is not as flexible as competitive solutions to address the needs of large
enterprises. For example, it doesn't have a good centralized way of allowing trusted
sources of change. An improved application control software blade that includes trusted
sources of change is currently in pilot tests with customers.
- The SmartDefense HIPS policy isn't tunable and doesn't allow administrators to whitelist
applications that incur false positives.
- Although Check Point has mobile device management (MDM) capabilities on its road map,
it has not yet shipped these capabilities.
- Although Check Point introduced network-based DLP in 2011, Check Point's data protection
strategy is still missing client-based content-aware DLP. An endpoint DLP security
blade is currently in pilot tests with customers.
- Check Point protection is primarily limited to Windows endpoint PCs. Not all software
blades are available for the Mac client, and it doesn't offer protection for specialized
servers, such as Microsoft Exchange, Lotus Notes or Microsoft SharePoint.
- Although its agent will run in VMs, Check Point has no specific optimization for virtualized
environments.
eEye Digital Security
eEye provides a unified management console for vulnerability analysis as well as malware
and intrusion prevention capabilities, backed by its own malware research labs and
augmented by a licensed signature database from Norman. Existing eEye Retina customers
and enterprises that value integrated vulnerability analysis should consider eEye
Blink.
Strengths
- In early 2011, eEye completed the transition of its customers to the Retina CS Console
from its legacy management console. Retina CS manages eEye's network-based and endpoint
vulnerability management products.
- The Retina CS management console is a Web/Flash-based user interface that manages
the various eEye offerings. It provides role-based reporting and dashboards, dynamic
associations of target machines via Active Directory and Smart Groups, as well as
additional reporting modules for compliance, configuration and patching.
- Since our last analysis, the new antivirus engine improved the capability to detect
"Fake AV" and other advanced malware, and is faster, consumes less memory and has
a smaller update size. eEye has also added real-time alerting capability and a wizard-based
application and network protection policy creation.
- Blink uses an embedded version of eEye's Retina Network Security Scanner to perform
local vulnerability assessments and report the findings to the Retina CS console.
- The eEye Retina Protection Agent (RPA) is a subset of Blink designed to work alongside
other EPP and antivirus solutions, and to provide agent-based vulnerability assessment
and intrusion prevention services.
- eEye's central vulnerability management supports the capturing of malware events from
more than 15 vendors and targeted Windows events, and integrates with Windows Server
Update Services (WSUS) to allow patching.
- All functions are packaged in a single agent, including the Norman signature engine.
Layers of function are easily enabled or disabled by the administrator without making
changes to the installed image or drivers. Security policies can be monitored and
updated from outside the firewall without requiring a VPN.
- eEye is one of the few providers in this analysis to offer a service-level agreement
(within 48 hours) on new critical exploits, meaning that it will protect against these
exploits within 48 hours, even if the system is unpatched.
- eEye uniquely offers physical management appliances for rapid deployment and management,
and offers a software as a service (SaaS) product for vulnerability assessment.
- eEye has a small but very skilled team of malware experts that provides excellent
technical support and malware information.
Cautions
- eEye is one of the smallest companies in this market. Its total staff size, including
research and engineering groups, is small compared with the EPP industry average.
It has a limited presence outside North America and in organizations with more than
500 employees.
- Its solution has the capability to blacklist applications, but it is a manual process
with no trusted sources of change. It offers limited NAC integration.
- Although eEye develops its own spyware signature database and cleanup routines, the
solution relies on Norman for anti-malware signatures; business disruptions in Norman
could impact eEye customers. Although the Norman anti-malware engine is tested regularly,
eEye does not participate in many industry tests to demonstrate the effectiveness
of its collection of technologies. Automated malware damage cleanup capabilities are
limited.
- eEye has limited device control capabilities, but no encryption or DLP capabilities.
It lacks the ability to enforce encryption on data that's written to external storage
devices, but it does have a number of policies to limit access and writing to external
devices.
- It supports only Windows OS desktop and server platforms (including IIS), so companies
with other devices (for example, Apple Macintosh) and specialized servers (such as
Microsoft Exchange or SharePoint) cannot use the product. It also does not have any
MDM or mobile protection capabilities.
- The anti-malware agent works on a virtualized Windows host. However, it is not optimized
for a virtualized environment.
Eset
Eset has built a substantial installed base in EMEA, particularly in Eastern Europe,
and it has a rapidly growing small or midsize business (SMB) presence in North America.
Its Completeness of Vision score benefits from good malware effectiveness in a lightweight
client, but it still suffers from weak enterprise management capabilities and lack
of investments in market-leading features, such as data protection or more-holistic
security state assessments. Eset is a good shortlist option for organizations seeking
an effective, lightweight anti-malware scan engine and personal firewall that does
not have extensive management requirements.
Strengths
- The flagship enterprise product, Eset Smart Security, includes integrated anti-malware,
anti-spam and a personal firewall in a single-agent footprint.
- The low performance impact of the Eset product has been noted by many customers.
- The management console is a native Windows application with a spreadsheet-style interface.
It has the look and feel of a Microsoft Management Console. We like its capability
to highlight machines in the log table and then, with a left click, install the EPP
agent or perform other remediation activities.
- The Eset anti-malware engine is a consistently solid performer in test results. The
Eset engine has a strong reliance on heuristics and generic signatures, and includes
client-based malicious URL filtering and sandbox heuristics, which run all executable
files in a virtual emulator.
- Recent improvements include active memory scanning and the addition of a whitelist
to improve scanning performance.
- Eset supports a broad range of Windows clients and servers, including Exchange, Lotus
Notes/Domino, Linux, Solaris, Novell NetWare and Dell storage servers, mobile devices
(Windows Mobile, Android and Symbian), and Apple OS X and Linux desktop platforms.
- Eset offers a limited MDM solution with the launch in 2011 of the Mobile Security
Business Edition for Windows Mobile and Symbian.
Cautions
- Eset is lacking in management features for larger, more-complex organizations. The
management console is long overdue for an update; it's very complex and lacks a clear,
actionable dashboard view to enable more-rapid or automated problem identification
and remediation. A separate Web-based dashboard provides a flexible customizable reporting
interface, but it does not allow for direct drill-down into the management console.
It also lacks many common enterprise capabilities, such as role-based administration,
information and policy elements that can be delegated (or restricted) to end users
and automatic rogue machine detection. It offers limited options for scheduled scan
priority.
- It has very weak reporting. A lot of information is captured, but it is hard to get
at, and there is no ad hoc reporting, just filtered log views. It is overly reliant
on "parametric" groups to segment reporting data. Eset Sysinspector shows lots of
detail about a client for troubleshooting; however, this data cannot be used across
all clients for reporting or grouping.
- There is no significant security state assessment beyond EPP agents, such as application
vulnerability and configuration assessments, and no significant integration with operations
tools.
- Clients can be distributed by the management console; however, deinstallation of competitive
solutions is an additional service cost that isn't included in the solution.
- The HIPS capability can only be activated or deactivated; it can't be selectively
deactivated to allow specific false-positive files to execute. Heuristics can add
a performance impact, especially on older PCs, although these are not turned on by
default.
- Eset doesn't yet offer many of the additional EPP components, such as application
control, encryption and DLP. Port/device control capabilities are not very granular,
just block or allow.
- Although Eset operates in a virtual environment and has a low system impact, it has
not been optimized for these environments.
F-Secure
F-Secure has been in the anti-malware industry for more than 20 years and has a very
good track record for malware testing results. The company is focused on endpoint
protection and is less interested in other aspects of the EPP market, such as data
protection. F-Secure is a good choice for organizations in supported geographies that
prefer dedicated malware protection solutions.
Strengths
- F-Secure provides on-premises software-based management and hosted solutions, as well
as managed services via partners. It also offers very attractive pricing with monthly
or yearly subscriptions.
- F-Secure has consistently good malware test results and performance tests. It provides
cloud-based look-ups and a file reputation feature (DeepGuard), which considers file
metadata such as prevalence, source and age before allowing files to execute. In 2011,
cloud-based look-ups were extended to on-demand and scheduled scans.
- Its generic detection and removal of rootkits is delivered via BlackLight.
- F-Secure supports virtualized environments (VMware, Citrix and Microsoft Hyper-V),
with database and policy update randomization. It also offers protection for Linux
and Mac platforms.
- F-Secure has mobile clients for Android, Research In Motion, Symbian and Windows Mobile,
and a cloud-based MDM capability primarily aimed at SMB organizations.
Cautions
- F-Secure is strongly based in the EU and has very little presence or brand recognition
in other markets. It is growing much more slowly than the overall market.
- Although F-Secure develops some of its own signatures, the solution relies heavily
on Bitdefender for its anti-malware signatures; business disruptions in Bitdefender
could impact F-Secure customers.
- F-Secure's client/server-based (Windows or Linux) management interface is very limited
and is lacking numerous enterprise features. It only has two roles ("full" or "read
only"). It does not offer any state information beyond anti-malware status and does
not provide any significant dashboard capability or any drill-down into remediation
capability. Autodiscovery of new agents is a manual process and can't be scheduled.
Reporting capability is very basic and does not allow for ad hoc reporting.
- F-Secure does not believe that encryption or DLP is relevant to its malware detection
mission. It does not offer flexible device or port control, nor does it offer any
application control beyond DeepGuard.
- MDM capability is not integrated into the endpoint management console.
- F-Secure does not provide any protection for SharePoint servers.
GFI Software
GFI Software offers a wide range of security solutions (notably, secure email and Web
gateways, email archiving, vulnerability scanning, patch management, event monitoring,
storage management and backup solutions) primarily for SMBs. GFI is a shortlist candidate
for SMBs looking for a simple and lightweight anti-malware engine.
Strengths
- GFI's Vipre management interface is efficient and clean. It provides a large range
of preinstalled movable dashboard widgets, and provides good ability to view and drill
into log data and assign policy to groups and users. Since our last analysis, most
of GFI's improvements were aimed at a fast, out-of-the-box installation process. It
added a removal tool that uninstalls popular EPP solutions, Windows firewall autoconfiguration
to allow the Vipre client to communicate with policy and update servers, and an integrated
database (the previous version required a separate SQL database). It also added a
remote access tool for easy remote site management.
- Malware detection is augmented with MX-Virtualization, which analyzes malware in real
time in a sandboxed environment on the PC.
- GFI offers client-based malicious URL blocking, rootkit scanning and automatic scanning
of USB drives.
- The client is relatively lightweight and efficient, providing fast scanning.
- GFI offers Windows and Mac client support, as well as Exchange server versions.
- GFI offers a free Web-hosted malware analysis engine that provides immediate forensic
feedback on submitted application files.
Cautions
- GFI is squarely aimed at the SMB market, where ease of use and set-and-forget functionality
are assets. We do not have a lot of reference customers in the Gartner installed base,
and GFI is not evaluated in most of the malware effectiveness testing, so performance
and effectiveness are not well-documented.
- The Vipre management capability will be limiting for larger enterprises. It relies
on Windows network browser or Active Directory information to find unmanaged machines.
- Reporting and dashboards are very basic. It does not have any ad hoc reporting capability,
only filtered views of historical data. Role management is not scalable.
- It does not offer data protection capabilities, such as encryption and DLP.
- Although the company has some vulnerability and patch management assets, they are
not integrated with the EPP suite. The solution does not provide a holistic security
state assessment or any remediation capability.
- GFI does not provide any MDM capability or mobile endpoint protection products.
- It does not have any specific features to support virtual environments.
- The company does not have any hosted offerings for the management server, nor does
it have real-time cloud-based update capabilities.
- It does not offer any application control capabilities.
- Device control is not part of the EPP suite.
IBM
IBM built its EPP on top of a PC life cycle management platform, the Tivoli Endpoint
Manager (TEM) acquired with BigFix. The core malware engine and firewall are provided
by Trend Micro, now called TEM Core Protection (TEM-CP), and advanced host-based intrusion
prevention system (HIPS) and firewall capability is provided by Proventia (formerly
ISS). These tools are augmented with IBM's X-Force research labs. Large organizations
that have a close relationship with IBM or Trend Micro should include IBM on their
shortlists.
Strengths
- During 2011, IBM announced a new Security Systems Division to centralize all of its
security assets, effective 1 January 2012, with a dedicated sales force, which should
help in execution in 2012. It also enhanced performance in the TEM CP malware engine.
It has also continued integration of management capabilities of a number of IBM products,
including IBM Security Server Protection.
- This solution combines a unified console and a single agent for PC life cycle management,
including power, patch and vulnerability management, with two options for endpoint
protection: (1) a fully integrated solution leveraging Trend Micro as well as (2)
the ability to monitor other agents such as McAfee, Symantec and Microsoft Forefront.
- Leveraging the capabilities of Trend Micro, the TEM-CP solution now provides VMware
vCenter and Citrix Xen Server performance optimization capabilities, including virtualization
awareness, serialization of antivirus scans to prevent resource contention, and intelligent
scanning through caching of files based on VDI golden image. IBM also added Trend
Micro's advanced device control and endpoint DLP solutions.
- IBM Security Server Protection, Proventia Server for Linux, and RealSecure Server
Sensor provide deep packet inspection and HIPS capabilities, sharing the same Protocol
Analysis Module of ISS network-based appliances. IBM server protection products boast
very broad server support with Windows, Linux, HP-UX, Solaris and AIX, including 64-bit
support for Windows and Linux, and new AIX 6.1 support.
- For mobile laptop users, the TEM Relay provides real-time visibility and control for
endpoints, regardless of network location, and allows for updating malware definitions,
engines and EPP.
- The IBM Global Services group offers mature managed security services.
Cautions
- IBM has not executed well in the EPP market in the past, and it has not provided Gartner
with enough information to accurately evaluate its current progress in this market.
Mind share of this solution, as represented by Gartner customer inquiries, is very
low despite IBM's obvious size and channel advantages. The new security services division
should help in this regard and be reflected in a better execution during 2012.
- IBM has a large, and somewhat confusing and overlapping product portfolio in this
market, and prospective customers must carefully match desired features with specific
product offerings. The complete suite is expensive.
- The Tivoli Endpoint Manager is very powerful; however, it can be complex to use, and
it is not optimized for the security role. The TEM management interface is not browser-based
and has limited customization capability. IBM also has a Web-based reporting console
and dashboard that has a totally different look and feel, and is not linked to remediation
actions. Security-state assessments are still disjointed, lack prioritization and
are missing from the dashboard. The look and feel of the Proventia products is also
very different. Management of non-IBM solutions is limited to monitoring, and does
not replace the native management servers and their configuration capabilities.
- IBM doesn't offer any integrated full-disk encryption (although BitLocker management
was added in Q4 2011), and it has very limited application control capabilities.
- IBM's mobile device management (MDM) solution was in beta testing during this review;
it is scheduled for release in 1Q12 and will be evaluated in the next Magic Quadrant.
- No support beyond Windows and Macintosh clients is offered, and there is no ISS firewall
planned for Macs. Also, no support is offered for Microsoft Exchange, Lotus Notes,
SharePoint and other specialized servers.
- Although IBM has its X-Force security analysis team, it has no signature-based anti-malware
capabilities of its own and is dependent on Trend Micro. Disruptions at this critical
partner could have an impact on customers. Integration of the Trend Micro engine into
the TEM client offers a very different experience from a native Trend Micro OfficeScan
implementation and a potential forced delay in upgrading to the latest Trend
Micro client, although the last upgrade lagged by only two months.
Kaspersky Lab
Kaspersky Lab continues to be one of the fastest-growing large vendors in this Magic
Quadrant, and its brand awareness is growing outside of its large European installed
base, improving its ability to execute. Kaspersky has released a new version of its
solution that significantly improves its vision criteria with the inclusion of vulnerability
management, application control and Web control capabilities. This nicely complements
its traditional strength in malware effectiveness and customer satisfaction. Organizations
looking for an alternative vendor to the traditional market leaders should evaluate
Kaspersky.
Strengths