
Magic Quadrant for Endpoint Protection Platforms

16 January 2012 | ID: G00219355
Analyst(s): Peter Firstbrook, Neil MacDonald, John Girard

Summary

Endpoint protection platforms continue to struggle to block typical malware threats, and are even less effective with low-volume targeted attacks. A few vendors have started to provide proactive tools, such as vulnerability detection and application control, that reduce the attack surface.


Market Definition/Description

(This document was revised on 18 January 2012. The document you are viewing is the corrected version. For more information, see the Corrections page on gartner.com.)

The enterprise endpoint protection platform (EPP) market is a composite market primarily made up of collections of products. These include:

  • Anti-malware
  • Anti-spyware
  • Personal firewalls
  • Host-based intrusion prevention
  • Port and device control
  • Full-disk and file encryption
  • Endpoint data loss prevention (DLP)
  • Application vulnerability management and application control

These products and features are typically centrally managed and ideally integrated at the policy level.

Despite the introduction of new players, the displacement of incumbents is still a significant challenge in the large-enterprise market. The biggest impact of the Magic Quadrant Challengers and Visionaries is to push the dominant market players into investing in new features and functionality (sometimes via acquisitions), and to keep pricing rational. However, in the sub-thousand-seat-level market, we do see more displacement, and buyers have more product choices due to lower management requirements. Current prices for comparable offerings are down from our last Magic Quadrant; however, vendors are often substituting more-complete suite offerings with little or no increase in annual costs.

In 2010, the enterprise market was still dominated by McAfee, Symantec and Trend Micro, which together represent approximately 60% of the total enterprise market. Notably, however, the combined share of these dominant players is down considerably from 85% in 2007. These market leaders are losing share to increased competition, primarily in the lower end of the market (fewer than 1,000 seats), although competitors are also making inroads into larger accounts. Sophos and Kaspersky Lab are the primary beneficiaries of this trend, and both are improving their mind share and market share in the enterprise market.

The market size at year-end 2010 was approximately $3 billion, up 6% from 2009, following the macroeconomic recovery of enterprise PC growth. This is slightly higher than the 5% growth we projected in the 2010 Magic Quadrant. We anticipate growth rates to continue in the 5% range in 2011 and 2012.

Microsoft's impact on the enterprise market has not yet been significant; however, it increasingly appeared on customers' 2011 shortlists due to recent improvements to its offering and to licensing changes that make the solution effectively "free" to organizations licensed under Core CAL. We note that approximately one-third of enterprise buyers indicate that they are actively considering Microsoft or plan to do so during their next renewal periods. Microsoft continues to make steady product progress and is now, finally, poised to take some enterprise market share; however, its impact will be tempered by the fact that its high growth starts from a small share, and by product limitations (outlined in the Microsoft entry below). Moreover, Microsoft's impact in the enterprise market may be influenced by the Windows 8 penetration rate, and any decision to include malware protection in Windows 8 is likely to face legal and regulatory challenges, especially in Europe, if it is viewed as unfairly affecting market competition.


Magic Quadrant

Figure 1. Magic Quadrant for Endpoint Protection Platforms

Source: Gartner (January 2012)


Vendor Strengths and Cautions

Check Point Software Technologies

Well-known in the enterprise network firewall and VPN market, Check Point continues to improve its EPP product suite with an emphasis on addressing the increasing proliferation of unmanaged devices. Despite its significant enterprise network presence, brand and channel, the company has failed to significantly improve its market share or mind share in this market. Organizations that value strong integration between remote access solutions and the EPP suite, full-disk and media encryption, a strong host firewall, and application control solutions should include Check Point on their shortlists.

Strengths
  • Like its network offerings, Check Point Endpoint Security uses a "software blade" architecture where clients pay for only the capabilities they need from a comprehensive suite of capabilities. These include personal firewall, anti-malware (licensed from Kaspersky Lab), full-disk encryption, network access control (NAC) and integrated VPN.
  • Check Point's management console integrates malware protection and data encryption suite offerings. It offers a clean interface with easy navigation and quick access to summary data (overview/dashboard, organization, policies, reports and deployment) that is very similar to a network firewall interface. Reporting is significantly improved. The dashboard can be customized for each administrator. It provides good hierarchical and object-oriented policy, and can exploit network firewall policy objects, such as network zones, in a client firewall policy and can leverage installed gateway appliances as relays for client updates. Check Point offers a unique user-based management capability that allows administrators to develop and view user-specific policies across multiple devices.
  • The personal firewall is comprehensive and includes extensive prepopulated program profiles, excellent location-based policies and very good VPN client integration.
  • Check Point offers application control capabilities (which it calls program control) augmented with Check Point's Program Advisor service. This enables administrators to define acceptable applications based on an existing inventory of applications, certificates and/or Check Point's database of known good applications.
  • Check Point has very strong full-disk and file/media encryption, as well as extensive port control, including very granular device and file identification.
  • Check Point added browser protection technology from ZoneAlarm, which helps clients avoid malicious Web-based malware.
  • Check Point added support for Mac clients in 2011.
Cautions
  • Check Point is best known for its network-based protection solutions, and has had difficulty with penetration into the broader EPP market beyond its installed base of VPN, host firewall and encryption customers. Gartner customers rarely inquire about this solution. Moreover, the company is not forthcoming with financial and customer data that would allow us to accurately evaluate its progress in this market.
  • Check Point depends on Kaspersky Lab for anti-malware signatures, for the review of suspicious code samples and for the preparation of custom signatures for targeted malware. Although signatures are becoming a replaceable commodity, business disruptions at Kaspersky could affect Check Point customers. Check Point is also increasingly challenged to differentiate itself from Kaspersky, its core malware detection engine partner, for clients seeking basic protection, and from the market leaders for clients seeking data protection solutions.
  • The management console provides a good summary view of EPP agent status; however, it does not include vulnerability assessment, and it has no integration with operations tools. Configuration assessment is limited to the separate Compliance Blade, which assesses the configuration/security level of endpoints and provides a detailed report of compliance issues.
  • The Check Point management console is a Windows client/server application and does not offer a browser-based option. Check Point is dependent on software distribution tools to install the initial client, and lacks the ability to remove other anti-malware products. The solution doesn't include many options to minimize the impact of scheduled scans, such as the impact on CPU use, or to avoid conflicts with critical programs.
  • Check Point's program control solution can't prevent programs from installing. It only blocks network access via firewall permissions and terminates the process. Program control is not as flexible as competitive solutions to address the needs of large enterprises. For example, it doesn't have a good centralized way of allowing trusted sources of change. An improved application control software blade that includes trusted sources of change is currently in pilot tests with customers.
  • The SmartDefense HIPS policy isn't tunable and doesn't allow administrators to whitelist applications that incur false positives.
  • Although Check Point has mobile device management (MDM) capabilities on its road map, it has not yet shipped these capabilities.
  • Although Check Point introduced network-based DLP in 2011, Check Point's data protection strategy is still missing client-based content-aware DLP. An endpoint DLP security blade is currently in pilot tests with customers.
  • Check Point protection is primarily limited to Windows endpoint PCs. Not all software blades are available for the Mac client, and it doesn't offer protection for specialized servers, such as Microsoft Exchange, Lotus Notes or Microsoft SharePoint.
  • Although its agent will run in VMs, Check Point has no specific optimization for virtualized environments.
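The Check Point strengths and cautions above turn on two application-control design points: allowing execution from an inventory of hashes and publisher certificates, and having a centralized way to approve "trusted sources of change" so that routine patching does not force re-approval of every changed binary. The following is an added illustration of those two mechanisms, not Check Point's (or any vendor's) code; the policy data, file names, signer subject and updater process name are constructed for the example, and the decision is made before launch, in contrast to a control that only terminates a process after it has started.

```python
import hashlib
from dataclasses import dataclass, field
from typing import Optional, Set, Tuple


@dataclass
class FileEvent:
    """An executable as seen by the agent (constructed sample data)."""
    path: str
    content: bytes             # stands in for the bytes on disk
    signer: Optional[str]      # publisher certificate subject, None if unsigned
    written_by: Optional[str]  # process that wrote the file, None if unknown


@dataclass
class Policy:
    allowed_hashes: Set[str] = field(default_factory=set)    # the existing inventory
    trusted_signers: Set[str] = field(default_factory=set)   # certificate allowlist
    trusted_updaters: Set[str] = field(default_factory=set)  # trusted sources of change


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def on_file_written(policy: Policy, ev: FileEvent) -> str:
    """Trusted-sources-of-change rule: a binary written by an approved updater
    is added to the allowlist automatically, so a patch that changes a hash
    does not require an administrator to re-approve it by hand."""
    if ev.written_by is not None and ev.written_by in policy.trusted_updaters:
        policy.allowed_hashes.add(sha256_hex(ev.content))
        return "auto-approved"
    return "pending"


def decide_execution(policy: Policy, ev: FileEvent) -> Tuple[str, str]:
    """Pre-execution decision: allow by inventory hash or by trusted signer;
    anything else is blocked before it runs."""
    if sha256_hex(ev.content) in policy.allowed_hashes:
        return ("allow", "hash in inventory")
    if ev.signer is not None and ev.signer in policy.trusted_signers:
        return ("allow", "trusted signer")
    return ("block", "not in allowlist")


def demo() -> dict:
    policy = Policy(
        trusted_signers={"CN=Example Corp Code Signing"},  # hypothetical publisher
        trusted_updaters={"corp-patch-agent.exe"},        # hypothetical updater
    )
    # Baseline: the inventory scan approves tool.exe v1 as currently installed.
    v1 = FileEvent("C:/Apps/tool.exe", b"tool v1", None, None)
    policy.allowed_hashes.add(sha256_hex(v1.content))

    results = {"inventory": decide_execution(policy, v1)}

    # Patch delivered by the trusted updater: new hash, approved without admin action.
    v2 = FileEvent("C:/Apps/tool.exe", b"tool v2", None, "corp-patch-agent.exe")
    results["patched_written"] = on_file_written(policy, v2)
    results["patched"] = decide_execution(policy, v2)

    # Same file name dropped by a browser: not a trusted source, so it stays blocked.
    dropper = FileEvent("C:/Users/u/Downloads/tool.exe", b"tool v2 trojan", None, "browser.exe")
    results["dropper_written"] = on_file_written(policy, dropper)
    results["dropper"] = decide_execution(policy, dropper)

    # Unknown hash but signed by an approved publisher: allowed by certificate.
    signed = FileEvent("C:/Apps/new.exe", b"new app", "CN=Example Corp Code Signing", None)
    results["signed"] = decide_execution(policy, signed)

    # Signed by a publisher not in the allowlist: blocked.
    other = FileEvent("C:/Apps/other.exe", b"other", "CN=Unknown Publisher", None)
    results["unknown_signer"] = decide_execution(policy, other)
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:16} {outcome}")
```

The dropper case is the one that matters operationally: without the `written_by` provenance rule, the only way to let `tool v2` run would be for an administrator to add its hash manually, which is the per-patch overhead the text describes; with it, the same bytes arriving via an untrusted process are still blocked.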

eEye Digital Security

eEye provides a unified management console for vulnerability analysis as well as malware and intrusion prevention capabilities, backed by its own malware research labs and augmented by a licensed signature database from Norman. Existing eEye Retina customers and enterprises that value integrated vulnerability analysis should consider eEye Blink.

Strengths
  • In early 2011, eEye completed the transition of its customers to the Retina CS Console from its legacy management console. Retina CS manages eEye's network-based and endpoint vulnerability management products.
  • The Retina CS management console is a Web/Flash-based user interface that manages the various eEye offerings. It provides role-based reporting and dashboards, dynamic associations of target machines via Active Directory and Smart Groups, as well as additional reporting modules for compliance, configuration and patching.
  • Since our last analysis, the new antivirus engine improved the capability to detect "Fake AV" and other advanced malware, and is faster, consumes less memory and has a smaller update size. eEye has also added real-time alerting capability and a wizard-based application and network protection policy creation.
  • Blink uses an embedded version of eEye's Retina Network Security Scanner to perform local vulnerability assessments and report the findings to the Retina CS console.
  • The eEye Retina Protection Agent (RPA) is a subset of Blink designed to work alongside other EPP and antivirus solutions, and to provide agent-based vulnerability assessment and intrusion prevention services.
  • eEye's central vulnerability management supports the capturing of malware events from more than 15 vendors and targeted Windows events, and integrates with Windows Server Update Services (WSUS) to allow patching.
  • All functions are packaged in a single agent, including the Norman signature engine. Layers of function are easily enabled or disabled by the administrator without making changes to the installed image or drivers. Security policies can be monitored and updated from outside the firewall without requiring a VPN.
  • eEye is one of the few providers in this analysis to offer a service-level agreement on new critical exploits: it commits to protecting against a new critical exploit within 48 hours, even on unpatched systems.
  • eEye uniquely offers physical management appliances for rapid deployment and management, and offers a software as a service (SaaS) product for vulnerability assessment.
  • eEye has a small but very skilled team of malware experts that provides excellent technical support and malware information.
Cautions
  • eEye is one of the smallest companies in this market. Its total staff size, including research and engineering groups, is small compared with the EPP industry average. It has a limited presence outside North America and in organizations with more than 500 employees.
  • Its solution has the capability to blacklist applications, but it is a manual process with no trusted sources of change. It offers limited NAC integration.
  • Although eEye develops its own spyware signature database and cleanup routines, the solution relies on Norman for anti-malware signatures; business disruptions in Norman could impact eEye customers. Although the Norman anti-malware engine is tested regularly, eEye does not participate in many industry tests to demonstrate the effectiveness of its collection of technologies. Automated malware damage cleanup capabilities are limited.
  • eEye has limited device control capabilities, but no encryption or DLP capabilities. It lacks the ability to enforce encryption on data that's written to external storage devices, but it does have a number of policies to limit access and writing to external devices.
  • It supports only Windows OS desktop and server platforms (including IIS), so companies with other devices (for example, Apple Macintosh) and specialized servers (such as Microsoft Exchange or SharePoint) cannot use the product. It also does not have any MDM or protection capabilities.
  • The anti-malware agent works on a virtualized Windows host. However, it is not optimized for a virtualized environment.

Eset

Eset has built a substantial installed base in EMEA, particularly in Eastern Europe, and it has a rapidly growing small or midsize business (SMB) presence in North America. Its Completeness of Vision score benefits from good malware effectiveness in a lightweight client, but it still suffers from weak enterprise management capabilities and lack of investments in market-leading features, such as data protection or more-holistic security state assessments. Eset is a good shortlist option for organizations seeking an effective, lightweight anti-malware scan engine and personal firewall that does not have extensive management requirements.

Strengths
  • The flagship enterprise product, Eset Smart Security, includes integrated anti-malware, anti-spam and a personal firewall in a single-agent footprint.
  • The low performance impact of the Eset product has been noted by many customers.
  • The management console is a native Windows application with a spreadsheet-style interface. It has the look and feel of a Microsoft Management Console. We like its capability to highlight machines in the log table and then, with a left click, install the EPP agent or perform other remediation activities.
  • The Eset anti-malware engine is a consistently solid performer in test results. The Eset engine has a strong reliance on heuristics and generic signatures, and includes client-based malicious URL filtering and sandbox heuristics, which run all executable files in a virtual emulator.
  • Recent improvements include active memory scanning and the addition of a whitelist to improve scanning performance.
  • Eset supports a broad range of Windows clients and servers (including Exchange and Lotus Notes/Domino), Linux and Solaris servers, Novell NetWare and Dell storage servers, mobile devices (Windows Mobile, Android and Symbian), and Apple OS X and Linux desktop platforms.
  • Eset offers a limited MDM solution with the launch in 2011 of the Mobile Security Business Edition for Windows Mobile and Symbian.
Cautions
  • Eset is lacking in management features for larger, more-complex organizations. The management console is long overdue for an update; it's very complex and lacks a clear, actionable dashboard view to enable more-rapid or automated problem identification and remediation. A separate Web-based dashboard provides a flexible customizable reporting interface, but it does not allow for direct drill-down into the management console. It also lacks many common enterprise capabilities, such as role-based administration, information and policy elements that can be delegated (or restricted) to end users and automatic rogue machine detection. It offers limited options for scheduled scan priority.
  • It has very weak reporting. A lot of information is captured, but it is hard to get at, and there is no ad hoc reporting, just filtered log views. It is overly reliant on "parametric" groups to segment reporting data. Eset Sysinspector shows lots of detail about a client for troubleshooting; however, this data cannot be used across all clients for reporting or grouping.
  • There is no significant security state assessment beyond EPP agents, such as application vulnerability and configuration assessments, and no significant integration with operations tools.
  • Clients can be distributed by the management console; however, deinstallation of competitive solutions is an additional service cost that isn't included in the solution.
  • The HIPS capability can only be activated or deactivated; it can't be selectively deactivated to allow specific false-positive files to execute. Heuristics can add a performance impact, especially on older PCs, although these are not turned on by default.
  • Eset doesn't yet offer many of the additional EPP components, such as application control, encryption and DLP. Port/device control capabilities are not very granular, just block or allow.
  • Although Eset operates in a virtual environment and has a low system impact, it has not been optimized for these environments.

F-Secure

F-Secure has been in the anti-malware industry for more than 20 years and has a very good track record for malware testing results. The company is focused on endpoint protection and is less interested in other aspects of the EPP market, such as data protection. F-Secure is a good choice for organizations in supported geographies that prefer dedicated malware protection solutions.

Strengths
  • F-Secure provides on-premises software-based management and hosted solutions, as well as managed services via partners. It also offers very attractive pricing with monthly or yearly subscriptions.
  • F-Secure has consistently good malware test results and performance tests. It provides cloud-based look-ups and a file reputation feature (DeepGuard), which considers file metadata such as prevalence, source and age before allowing files to execute. In 2011, cloud-based look-ups were extended to on-demand and scheduled scans.
  • Its generic detection and removal of rootkits is delivered via BlackLight.
  • F-Secure supports virtualized environments (VMware, Citrix and Microsoft Hyper-V), with database and policy update randomization. It also offers protection for Linux and Mac platforms.
  • F-Secure has mobile clients for Android, Research In Motion, Symbian and Windows Mobile, and a cloud-based MDM capability primarily aimed at SMB organizations.
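The DeepGuard description above (file metadata such as prevalence, source and age considered before a file is allowed to execute) is a different mechanism from hash or certificate allowlisting, and it bears directly on the summary's point about low-volume targeted attacks: a file that almost no other endpoint has reported, that appeared hours ago, is unsigned and arrived by download is suspicious precisely because it is rare, with no signature required. The block below is an added model of that kind of gating, not F-Secure's code; the cloud database is an in-memory dict built for the example, and the thresholds, signer subject and source labels are assumptions.

```python
import hashlib
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

HIGH_RISK_SOURCES = {"web_download", "removable_media", "email_attachment"}
TRUSTED_SIGNERS = {"CN=Example Corp Code Signing"}  # hypothetical publisher allowlist


@dataclass(frozen=True)
class CloudRecord:
    """What a reputation look-up returns for a hash (constructed data)."""
    prevalence: int              # distinct endpoints that reported this hash
    first_seen_hours_ago: float  # age of the hash in the reputation database


@dataclass(frozen=True)
class LocalContext:
    """What the agent knows locally about the file."""
    source: str              # how the file arrived on the endpoint
    signer: Optional[str]    # publisher certificate subject, None if unsigned


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed reputation store; a real product queries a vendor cloud service.
CLOUD_DB: Dict[str, CloudRecord] = {
    sha256_hex(b"common-editor"): CloudRecord(prevalence=1_500_000, first_seen_hours_ago=20_000.0),
    sha256_hex(b"new-vendor-build"): CloudRecord(prevalence=40, first_seen_hours_ago=6.0),
}


def lookup(content: bytes) -> CloudRecord:
    # A hash nobody has reported yet is, by definition, prevalence 0 and age 0.
    return CLOUD_DB.get(sha256_hex(content), CloudRecord(prevalence=0, first_seen_hours_ago=0.0))


def verdict(rec: CloudRecord, ctx: LocalContext) -> Tuple[str, str]:
    """Decide allow / monitor / block before execution.

    Rule order matters: the trusted-signer check first rescues legitimately
    rare internal tools that a pure prevalence rule would block; the block
    rule then catches the rare-new-unsigned-download profile of a targeted
    attack; everything else runs under heightened behavioural monitoring."""
    if ctx.signer is not None and ctx.signer in TRUSTED_SIGNERS:
        return ("allow", "trusted signer")
    if rec.prevalence >= 1_000 and rec.first_seen_hours_ago >= 24:
        return ("allow", "widely seen and mature")
    if rec.prevalence < 10 and rec.first_seen_hours_ago < 24 and ctx.source in HIGH_RISK_SOURCES:
        return ("block", "rare, new, unsigned, high-risk source")
    return ("monitor", "gray zone: run with behavioural monitoring")


def gate(content: bytes, ctx: LocalContext) -> Tuple[str, str]:
    """Full pre-execution path: cloud look-up followed by the local decision."""
    return verdict(lookup(content), ctx)


def demo() -> dict:
    return {
        "common_editor": gate(b"common-editor", LocalContext("install_media", None)),
        "targeted_dropper": gate(b"never-seen-payload", LocalContext("web_download", None)),
        "rare_internal_tool": gate(b"internal-tool", LocalContext("intranet", "CN=Example Corp Code Signing")),
        "new_vendor_build": gate(b"new-vendor-build", LocalContext("web_download", "CN=Some Other Vendor")),
        "unknown_from_share": gate(b"never-seen-payload", LocalContext("intranet", None)),
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:20} {outcome}")
```

Two cases show the trade-off a buyer should ask about: `rare_internal_tool` is never seen by the cloud but is allowed because of its signer, and `unknown_from_share` has the same zero-prevalence profile as the dropper but lands in the monitor tier only because its source is not high-risk, so the quality of the source classification determines how much the prevalence signal is worth.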
Cautions
  • F-Secure is strongly based in the EU and has very little presence or brand recognition in other markets. It is growing much more slowly than the overall market.
  • Although F-Secure develops some of its own signatures, the solution relies heavily on Bitdefender for its anti-malware signatures; business disruptions in Bitdefender could impact F-Secure customers.
  • F-Secure's client/server-based (Windows or Linux) management interface is very limited and is lacking numerous enterprise features. It only has two roles ("full" or "read only"). It does not offer any state information beyond anti-malware status and does not provide any significant dashboard capability or any drill-down into remediation capability. Autodiscovery of new agents is a manual process and can't be scheduled. Reporting capability is very basic and does not allow for ad hoc reporting.
  • F-Secure does not believe that encryption or DLP is relevant to its malware detection mission. It does not offer flexible device or port control, nor does it offer any application control beyond DeepGuard.
  • MDM capability is not integrated into the endpoint management console.
  • F-Secure does not provide any protection for SharePoint servers.

GFI Software

GFI Software offers a wide range of security solutions (notably, secure email and Web gateways, email archiving, vulnerability scanning, patch management, event monitoring, storage management and backup solutions), primarily for SMBs. GFI is a shortlist candidate for SMBs looking for a simple and lightweight anti-malware engine.

Strengths
  • GFI's Vipre management interface is efficient and clean. It provides a large range of preinstalled, movable dashboard widgets, and gives administrators a good ability to view and drill into log data and to assign policy to groups and users. Since our last analysis, most of GFI's improvements were aimed at a fast, out-of-the-box installation process. It added a removal tool that uninstalls popular EPP solutions, Windows firewall autoconfiguration that allows the Vipre client to communicate with policy and update servers, and an integrated database (the previous version required a separate SQL database). It also added a remote access tool for easy remote site management.
  • Malware detection is augmented with MX-Virtualization, which analyzes malware in real time in a sandboxed environment on the PC.
  • GFI offers client-based malicious URL blocking, rootkit scanning and automatic scanning of USB drives.
  • The client is relatively lightweight and efficient, providing fast scanning.
  • GFI offers Windows and Mac client support, as well as Exchange server versions.
  • GFI offers a free Web-hosted malware analysis engine that provides immediate forensic feedback on submitted application files.
Cautions
  • GFI is squarely aimed at the SMB market, where ease of use and set-and-forget functionality are assets. We do not have a lot of reference customers in the Gartner installed base, and GFI is not evaluated in most of the malware effectiveness testing, so performance and effectiveness are not well-documented.
  • The Vipre management capability will be limiting for larger enterprises. It relies on Windows network browser or Active Directory information to find unmanaged machines.
  • Reporting and dashboards are very basic. It does not have any ad hoc reporting capability, only filtered views of historical data. Role management is not scalable.
  • It does not offer data protection capabilities, such as encryption and DLP.
  • Although the company has some vulnerability and patch management assets, they are not integrated with the EPP suite. The solution does not provide a holistic security state assessment or any remediation capability.
  • GFI does not provide any MDM capability or mobile endpoint protection products.
  • It does not have any specific features to support virtual environments.
  • The company does not have any hosted offerings for the management server, nor does it have real-time cloud-based update capabilities.
  • It does not offer any application control capabilities.
  • Device control is not part of the EPP suite.

IBM

IBM built its EPP on top of a PC life cycle management platform, Tivoli Endpoint Manager (TEM), acquired with BigFix. The core malware engine and firewall are provided by Trend Micro and packaged as TEM Core Protection (TEM-CP); advanced host-based intrusion prevention system (HIPS) and firewall capability is provided by Proventia (formerly ISS). These tools are augmented by IBM's X-Force research labs. Large organizations that have a close relationship with IBM or Trend Micro should include IBM on their shortlists.

Strengths
  • During 2011, IBM announced a new Security Systems Division to centralize all of its security assets, effective 1 January 2012, with a dedicated sales force, which should help in execution in 2012. It also enhanced performance in the TEM CP malware engine. It has also continued integration of management capabilities of a number of IBM products, including IBM Security Server Protection.
  • This solution combines a unified console and a single agent for PC life cycle management, including power, patch and vulnerability management, with two options for endpoint protection: (1) a fully integrated solution leveraging Trend Micro as well as (2) the ability to monitor other agents such as McAfee, Symantec and Microsoft Forefront.
  • Leveraging Trend Micro's capabilities, the TEM-CP solution now provides VMware vCenter and Citrix XenServer performance optimizations, including virtualization awareness, serialization of antivirus scans to prevent resource contention, and intelligent scanning that uses a cache built from the VDI golden image. IBM also added Trend Micro's advanced device control and endpoint DLP solutions.
  • IBM Security Server Protection, Proventia Server for Linux and RealSecure Server Sensor provide deep packet inspection and HIPS capabilities, sharing the same Protocol Analysis Module as ISS network-based appliances. IBM server protection products boast very broad server support, with Windows, Linux, HP-UX, Solaris and AIX, including 64-bit support for Windows and Linux, and new AIX 6.1 support.
  • For mobile laptop users, the TEM Relay provides real-time visibility and control for endpoints, regardless of network location, and allows for updating malware definitions, engines and EPP.
  • The IBM Global Services group offers mature managed security services.
Cautions
  • IBM has not executed well in the EPP market in the past, and it has not provided Gartner with enough information to accurately evaluate its current progress in this market. Mind share of this solution, as represented by Gartner customer inquiries, is very low despite IBM's obvious size and channel advantages. The new security division should help in this regard and should be reflected in better execution during 2012.
  • IBM has a large and somewhat confusing, overlapping product portfolio in this market, and prospective customers must carefully match desired features with specific product offerings. The complete suite is expensive.
  • The Tivoli Endpoint Manager is very powerful; however, it can be complex to use, and it is not optimized for the security role. The TEM management interface is not browser-based and has limited customization capability. IBM also has a Web-based reporting console and dashboard that has a totally different look and feel, and is not linked to remediation actions. Security-state assessments are still disjointed, lack prioritization and are missing from the dashboard. The look and feel of the Proventia products is also very different. Management of non-IBM solutions is limited to monitoring, and does not replace the native management servers and their configuration capabilities.
  • IBM doesn't offer any integrated full-disk encryption (although BitLocker management was added in Q4 2011) and has very limited application control capabilities.
  • IBM's mobile device management (MDM) solution was in beta testing during this review; it is scheduled for release in 1Q12 and will be evaluated in the next Magic Quadrant.
  • No support beyond Windows and Macintosh clients is offered, and there is no ISS firewall planned for Macs. Also, no support is offered for Microsoft Exchange, Lotus Notes, SharePoint and other specialized servers.
  • Although IBM has its X-Force security analysis team, it has no signature-based anti-malware capabilities of its own and is dependent on Trend Micro. Disruptions at this critical partner could have an impact on customers. Integration of the Trend Micro engine into the TEM client offers a very different experience from a native Trend Micro OfficeScan implementation, and a potential forced delay in upgrading to the latest Trend Micro client, although the lag for the last upgrade was only two months.

Kaspersky Lab

Kaspersky Lab continues to be one of the fastest-growing large vendors in this Magic Quadrant, and its brand awareness is growing outside of its large European installed base, improving its ability to execute. Kaspersky has released a new version of its solution that significantly improves its vision criteria with the inclusion of vulnerability management, application control and Web control capabilities. This nicely complements its traditional strength in malware effectiveness and customer satisfaction. Organizations looking for an alternative vendor to the traditional market leaders should evaluate Kaspersky.

Strengths