
“Infrastructure” solutions around attack detection, protection and endpoints focus on technologies that secure the access points to the ICT infrastructure being protected, including those offering a secure perimeter as well as others offering network and device endpoint protection (Table 6.3).
Table 6.3 Attack Detection, Prevention and Endpoint Security Subdomains Analysis
Key Product/Solution Subdomains
Key infrastructure product and solution areas vary in the existing market analyst literature. The key market sub-categories discussed here are Unified Threat Management (UTM), Enterprise Grade Firewalls (EFWs), Anti-Virus and Endpoint Security Management (AVEM), Secure Email Gateways (SEGs), Secure Web Gateways (SWGs) and Intrusion Prevention Systems (IPS). Sharing of functionality across many of these subdomains is common.
Unified Threat Management (UTM)
Focus: Unified Threat Management (UTM) devices provide small and midsize businesses with multiple network security functions in a single appliance, acting as multifunctional network security products. UTM products continually add new functions and therefore come to encompass the feature sets of many other network security solutions, including next-generation firewalls and secure web and email gateways. Other sub-functionality typically found in UTM solutions includes wireless options, modular Ethernet port density, data loss prevention (DLP) and basic application control (focused on widely used internet and cloud applications such as Facebook, Google and YouTube). UTM capabilities can be delivered as physical or virtual appliances, deployed in-house or via third-party cloud options. Such feature consolidation usually leads to compromises in per-feature performance and capability, but most SMEs are willing to accept this in purchased solutions. Purchase of UTMs among SMEs is often driven by the need to comply with key regulatory controls (such as the PCI Data Security Standard). Larger enterprises may also deploy lower-grade UTM products in branch office locations. The UTM market is mature, and many SMB organisations are now renewing their UTM technology rather than acquiring it for the first time.
Leading Players/Products: market leaders include Fortinet (via its FortiGate range), Check Point, Sophos (SG Series portfolio), Dell (SonicWALL) and WatchGuard (via its XTM and Firebox product lines). Cisco and Juniper also have various UTM-like offerings, the former via its ISA500 and ASA 5500 appliances as well as its recently acquired Meraki appliances, and the latter via its SRX, SSG and ISG Series product lines. Clavister, gateprotect and Stormshield also provide prominent solutions within key European regional markets.
Enterprise Grade Firewalls (EFWs)
Focus: While UTM appliances are predominantly focused on the needs of the small and mid-sized mass market, the Enterprise Firewall segment is more oriented towards purpose-built appliances and virtualised models for securing larger corporate networks, with particular emphasis on next-generation firewall (NGFW) functionality beyond simple stateful filtering: full-stack inspection to support intrusion prevention, application-level inspection and granular policy control. Key differentiating factors are IPS effectiveness, as demonstrated through third-party testing under realistic threat and network load conditions, and fine-grained policy enforcement across the most widely used commercial business applications. NGFWs are expected eventually to subsume mainstream deployments of stand-alone network intrusion prevention system (IPS) appliances at the enterprise edge. Web application firewall (WAF) functionality is often compared with core enterprise firewall functionality but serves a different purpose: WAFs are typically placed in front of data centre web servers to inspect and control traffic to the web applications behind them. The firewall market is highly penetrated in the larger markets (i.e. North America and Western Europe), which means that to protect their installed base, incumbents must add improved capabilities and increase performance, or face either replacement by innovative new market entrants or commoditisation by low-cost providers.
Key Players (Products): Leaders in the enterprise-grade firewall segment include Palo Alto Networks (PA Series) and Check Point (e.g. 21000 and 61000 series appliances). Fortinet, Cisco and Juniper are viewed as key challengers in the enterprise firewall segment.
Anti-Virus and Endpoint Security Management (AVEM)
Focus: While anti-virus (AV) suites still account for a large proportion of PACs revenues from the consumer mass market, the corporate endpoint security market is fast moving from an AV-only model towards one that favours multiple functions in an integrated suite, with routine IT management tasks increasingly integrated with security. Hence endpoint security suites traditionally focused on malware detection and removal now routinely extend to threat protection, patch and vulnerability management, and even system management functions. The key overarching aims of corporate endpoint security management solutions are:
(1) The traditional AV role of defending against threats that specifically target user endpoints.
(2) Supporting the increasingly diverse vulnerability management and patch management problem in enterprises, to reduce the attack surface.
(3) Monitoring and gaining visibility over user endpoints to support compliance initiatives.
Key Players (Products): Leaders in the endpoint management space possess a broad endpoint security portfolio and a product roadmap that converges endpoint threat protection with security/IT management. These include Symantec (Endpoint Protection Suite), Kaspersky (Endpoint Suite, System Watcher), Trend Micro (OfficeScan, Deep Security, Deep Discovery), Sophos (SafeGuard Enterprise Suite) and McAfee (Total Protection Suite, ePO). Leaders with the greatest market share in the standalone AV segment [1]
[1] Statistics based on real-time protection being enabled in the tracked AV solutions.
Secure Email Gateways (SEGs)
Focus: Secure email gateways (SEGs) provide basic message transfer agent functions; inbound filtering of spam, phishing, malicious and marketing emails; and outbound data loss prevention and email encryption. More SEG vendors are also incorporating targeted phishing detection methods, with popular approaches including time-of-click URL filtering (links are rewritten at delivery so that the destination is re-checked against current reputation data when the user actually clicks, rather than only when the message arrives) and attachment sandboxing. The SEG market is mature, with the penetration rate of commercial SEG solutions close to 100% of enterprises, meaning that buyers are becoming increasingly price-sensitive. Market growth is levelling off, with little indication of new entrants. An increase in suite bundling, especially with hosted mailboxes, will blur the SEG market, making future growth and market size difficult to identify. As more businesses move to cloud email vendors such as Microsoft and Google for hosted mailboxes, those vendors' sale of SEG functionality as an enterprise add-on will effectively increase their SEG market share to the detriment of all other vendors, because hygiene services come bundled with the mailboxes. By extension, delivery of SEG functionality via SaaS is increasingly accepted.
Key Players (Products): Proofpoint is viewed as the current standout leader in the SEG segment, via its Enterprise and Essentials suites combined with recent acquisitions in the space (Sendmail, Armorize and NetCitadel). Solutions across the Cisco Enterprise suite are also rated highly, particularly on-site solutions for mid-sized and larger enterprises. Other challenging players include Symantec (Messaging Gateway, Email Security suites), Microsoft (Exchange Online Protection), Barracuda (Avira, Clam, Lastline) and Sophos (Sophos Email Appliance).
Secure Web Gateways (SWGs)
Focus: Secure web gateways (SWGs) use URL filtering, advanced threat defence, legacy malware protection and application control technologies to defend users from internet-borne threats and to help enterprises enforce internet policy compliance. SWGs are delivered as on-premises appliances (hardware and virtual) or cloud-based services. Vendors differ greatly in the maturity and features of their cloud-based services and in their ability to protect enterprises from advanced threats. Most buyers still implement SWGs on premises, but an increasing number are using cloud delivery options as an alternative. The SWG market is segmented between large enterprises and SMBs. Solutions aimed at SMBs are designed for ease of use, cost-effectiveness and basic security protection. Solutions aimed at large enterprises provide tools and detailed reports that security operations teams can use to respond to advanced threats and malware alerts.
Key Players (Products): Blue Coat is viewed as a leader in the space, combining technologies developed in-house (ProxySG and CAS) with a number of recent SWG-related acquisitions, including Netronome, Solera Networks and Norman Shark. Other SWG leaders include Cisco (predominantly via technologies from multiple acquisitions such as Cognitive, Sourcefire and ThreatGRID), Zscaler (particularly strong in cloud-based delivery via its Shift platform), Websense (Triton, RiskVision) and Intel/McAfee (McAfee Web Gateway and the Advanced Threat Defense appliance, the latter acquired from ValidEdge in February 2013).
Intrusion Prevention Systems (IPS)
Focus: The network intrusion prevention system (IPS) appliance market is composed of stand-alone appliances that inspect all network traffic that has passed through frontline security devices such as firewalls, secure web gateways and secure email gateways. IPS devices are most often deployed in-line and perform full-stream reassembly of network traffic, so that detection logic runs over the reassembled stream rather than over individual packets (an attack string split across packet boundaries would otherwise go unseen). They provide detection via several methods, for example signatures, protocol anomaly detection, behavioural monitoring or heuristics. When deployed in-line, IPSs can also use various techniques to block attacks that are identified with high confidence. The capabilities of IPS products need to adapt to changing threats, and next-generation IPSs (NGIPSs) have evolved incrementally in response to advanced targeted threats that can evade first-generation IPSs. Next-generation IPS implies fuller-stack inspection, adding new sources of intelligence to existing techniques, such as:
(1) Correlating events internal and external to the IPS with each other.
(2) Bringing wider contextual information to bear to understand the observations.
(3) Greater classification of content and executables.
The network IPS market has undergone dynamic evolution and is increasingly being absorbed by next-generation firewall placements. Next-generation IPSs are available for the best protection, but the IPS market is under pressure from the uptake of other advanced threat defence solutions as well as emerging network forensics solutions.
Key Players: Intel/McAfee (NSP product line, plus IPS assets acquired from Stonesoft), Cisco (4300, 4200 and 4500 lines, alongside its IPS acquisitions from Sourcefire), HP (NGIPS product line) and IBM (XGS 3100, 4100 and 5100 series).
Competitive Trends and Innovation Gaps
Increasing security roll-up and changes in feature boundaries are common trends across several of the sub-segments highlighted here, with most of these markets at a maturing stage relative to other PACs market sub-segments.
UTM: Gartner estimates that the 2013 UTM market was valued at approximately $1.5bn globally. As in other domains, an increasing number of UTM deployments are now cloud-based. Displacing active channel partners from another UTM vendor is difficult, because those partners would have to maintain the legacy technology of existing customers while also learning the vendor's replacement technology. This has also led to many commoditised vendors competing primarily on price rather than on new advanced functionality. The market is still growing faster than other network security markets, but higher market penetration will slowly drive the UTM growth rate down. The cloud deployment model may not suit all SMB buyers for several reasons, including latency and the ability to access consoles quickly during attack events. Regional issues relating to privacy and trust also encourage buyers to purchase solutions from niche regional vendors in many cases. Analysts believe that UTM vendors can overplay the benefits of cloud deployment and of consolidating UTM features with other security appliances; such benefits may not suit all SMB buyer needs. Additionally, SMB needs can differ from those of the large enterprise segment, for example:
(1) Greater need for channel-managed solutions, as SMBs may not have specialist security staff.
(2) Lower need for the most advanced UTM features.
(3) Much greater price sensitivity, among other factors.
In the longer term, the security market for SMBs might be influenced by the increased adoption of mobile technology, cloud services and, for upper midsize businesses, virtualised demilitarised zones (DMZs) and data centres.
While there is no visible actor that could disrupt the UTM market yet, alternate approaches, such as endpoint and mobile device management or secure web gateway hosted in the cloud, could provide a future basis for UTM market disruption.
EFWs: The firewall market is highly penetrated in the larger markets (North America and Western Europe), which means that to protect their installed base, incumbents must add improved capabilities and increase performance, or face either replacement by innovative new market entrants or commoditisation by low-cost providers; this particularly applies to the enterprise-level segment. In tandem, firewall policy management (FPM) products are increasingly used to manage complexity. Given the large installed base, the market is also driven by product refresh cycles (typically 3-5 years). Feature-set boundaries between next-generation firewalls (NGFWs), IPSs and UTMs are blurring, with overlapping features evident across the appliance silos for some target buyers but not for others. For example, UTMs often evolve to subsume many NGFW features over time, and NGFWs are increasingly subsuming functionality found in IPS appliances. However, many larger enterprises already running firewalls and separate IPSs in parallel continue to use both appliance types. Demand for virtualisation support has also grown, but firewall features integrated with virtualisation platforms (e.g. VMware) do not tend to replace demand for the separate firewall appliances provided by vendors in this market space.
AVEM: Anti-virus and endpoint management solutions are becoming increasingly integrated in the enterprise IT context, favouring multiple solutions in an integrated suite and broadening support for key security stages such as policy development, protection, detection and remediation. Integration with other solution areas such as endpoint encryption, web security and endpoint DLP is also becoming more commonplace. Expanding endpoint management offerings towards mobile management support is another growing trend, for example Symantec's acquisitions of Odyssey Software and Nukona, and IBM's acquisition of BigFix, the basis of its TEM suite. Enhanced support for virtualised endpoints is another trend, demonstrated in particular by Trend Micro's Deep Security.
SEGs: The SEG market is a mature market in which the penetration rate of commercial SEG solutions is close to 100% of enterprises. The increase in suite bundling, especially with hosted mailboxes, will blur the SEG market, making future growth and market size difficult to identify; however, the most recent available estimates indicate a market size of $1.7bn in 2013, with low single-digit growth (2-4%). Buyers are becoming more price-sensitive: slightly less than 80% of recently surveyed reference customers said that price was important or very important in their next SEG purchase. The SEG market growth rate has levelled off, with no significant market entrants or acquisitions of late, indicating a mature market. Cloud-based (software-as-a-service) deployments in the SEG market are anticipated to grow from 37% to more than half of all revenue value by 2016. Ancillary services such as DLP and encryption are the main feature drivers of growth in this market, while traditional spam and virus-filtering services, as well as other licence and subscription revenue, are declining. Analysts have highlighted a number of technology innovation gaps, for example improving protection from targeted phishing attacks, handling bulk email filtering more effectively, and improving the usability of encryption for email senders and recipients, particularly on mobile devices.
SWGs: In contrast to the SEG segment, the market for cloud-based SWG services is far from mature: it is estimated that the market grew approximately 11% during 2013 (to a market size of $1.3bn) and is anticipated to grow 10% to 12% in 2014. Vendor differentiation remains high around key areas of cloud services, such as global coverage (number of countries and data centres), mobile operating system support, and the ability to deliver hybrid (cloud and on-premises) implementations. New techniques for dealing with advanced threat categories are also a key point of differentiation, with a combination of sandboxing and cloud-based approaches widely used. Many vendors are obtaining such capability either by developing it internally or by acquiring companies that have it.
IPSs: The intrusion prevention appliance space is being increasingly marginalised by functionality changes in adjacent solutions, particularly next-generation firewalls (NGFWs), other emerging advanced threat solutions and network forensics products, in which integrated IPS-like capabilities are embedded. Hence it is estimated that from 2015 revenues in the IPS-specific segment will begin to decline. However, demand for dedicated IPS appliances will persist across several scenarios, including: (1) where incumbent firewalls at a buyer site do not provide adequate NGFW protection; (2) where separation of firewall and IPS is desirable for organisational or operational reasons; (3) where best-of-breed IPS features found only in next-generation IPS products are required; and (4) in advanced internal network segmentation scenarios where use of an IPS is desirable without a firewall.
Key Source Data (all downloaded from publicly available sources, both online (vendor-based) and via third-party libraries):
“Gartner Magic Quadrant for Unified Threat Management”, Aug 2014
“Gartner Magic Quadrant for Enterprise Network Firewalls”, Feb 2013
“Forrester Wave: Governance, Risk and Compliance Platforms”, Q1 2014
“Gartner Magic Quadrant for Endpoint Protection Platforms”, Jan 2014
“Forrester Wave: Endpoint Security”, Q1 2013
“Gartner Magic Quadrant for Secure Email Gateways”, Jul 2013
“Gartner Magic Quadrant for Secure Web Gateways”, Jun 2014
“Gartner Magic Quadrant for Intrusion Prevention Systems”, Dec 2013
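The SEG subdomain entry in Table 6.3 names time-of-click URL filtering as a targeted-phishing defence without showing the mechanism. The following Python example is added here as an illustration; it is not code from the report or from any SEG vendor. It shows the two halves of the technique: at delivery every link in the message is rewritten to point at a gateway redirector (with an HMAC over the original URL so the redirector cannot be abused as an open redirect), and at click time the redirector verifies the HMAC and checks the destination against the reputation list as it stands at that moment. The redirector address, the key, the sample message and the blocklist are all constructed for the example.

```python
"""Time-of-click URL filtering as performed by a secure email gateway (SEG).

Added example; not code from the original report or any SEG vendor.
The redirector endpoint, HMAC key, sample message and reputation list are
all constructed for illustration.
"""
import hashlib
import hmac
import re
from urllib.parse import parse_qs, urlencode, urlparse

REDIRECTOR = "https://click.seg.example/r"   # assumed gateway redirector endpoint
KEY = b"constructed-per-tenant-secret"        # authenticates rewritten links
URL_RE = re.compile(r"https?://[^\s<>\"']+")

# Reputation list consulted at click time. Empty at delivery: the phishing
# site is not yet known when the message arrives, which is the whole point.
BLOCKLIST = set()


def add_to_blocklist(host):
    """Simulate a later reputation update (e.g. a feed flagging the host)."""
    BLOCKLIST.add(host)


def _mac(url):
    return hmac.new(KEY, url.encode(), hashlib.sha256).hexdigest()


def rewrite_at_delivery(body):
    """Replace every URL in the message body with an authenticated redirector link."""
    def _wrap(match):
        url = match.group(0)
        return REDIRECTOR + "?" + urlencode({"u": url, "h": _mac(url)})
    return URL_RE.sub(_wrap, body)


def extract_links(body):
    return URL_RE.findall(body)


def resolve_at_click(link):
    """Redirector decision when the user clicks.

    Returns ("reject", None) for forged or tampered links, ("block", url) when
    the destination host is on the current blocklist, else ("redirect", url).
    """
    params = parse_qs(urlparse(link).query)
    url = params.get("u", [None])[0]
    mac = params.get("h", [None])[0]
    if url is None or mac is None or not hmac.compare_digest(mac, _mac(url)):
        return ("reject", None)
    if urlparse(url).hostname in BLOCKLIST:
        return ("block", url)
    return ("redirect", url)


# Constructed message: the link is unknown to reputation feeds at delivery time.
ORIGINAL_URL = "https://billing-update.example/login?acct=42"
MESSAGE = "Your invoice is ready, please sign in: " + ORIGINAL_URL + " Regards"

if __name__ == "__main__":
    link = extract_links(rewrite_at_delivery(MESSAGE))[0]
    print("delivery-time verdict:", resolve_at_click(link))   # redirect
    add_to_blocklist("billing-update.example")                  # feed catches up later
    print("click-time verdict:  ", resolve_at_click(link))      # block
    print("forged link:         ", resolve_at_click(link.replace("acct%3D42", "acct%3D99")))
```

The same link therefore yields a different verdict depending on when it is clicked, which is exactly the gap a delivery-time-only scan leaves open. The HMAC is what keeps the redirector from becoming a free open redirect for attackers who learn its address.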
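The IPS entries in Table 6.3 and in the trends discussion describe in-line deployment, full-stream reassembly and blocking only of attacks identified with high confidence. The following Python example is added here as an illustration and is not code from the report or from any IPS vendor. It shows why reassembly matters: an SQL injection string that straddles two out-of-order segments is invisible to per-packet matching but is caught once the stream is reassembled, and the in-line verdict distinguishes a high-confidence hit (block) from a weaker one (alert only). The segments, signatures and confidence values are constructed.

```python
"""Toy in-line IPS: full-stream reassembly, signature matching, block/alert decision.

Added example; not code from the original report or any IPS vendor.
Segments, signatures and confidence values are constructed for illustration.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Segment:
    """A TCP-like segment: sequence number plus payload bytes."""
    seq: int
    payload: bytes


# Constructed signatures: (name, pattern, confidence). Patterns accept
# URL-encoded or '+' separators because a real IPS normalises before matching.
SIGNATURES = [
    ("sqli-union-select",
     re.compile(rb"union(?:\s|%20|\+)+(?:all(?:\s|%20|\+)+)?select", re.I), 0.90),
    ("scanner-user-agent", re.compile(rb"User-Agent:\s*sqlmap", re.I), 0.60),
]
BLOCK_THRESHOLD = 0.80   # only high-confidence hits are dropped in-line


def reassemble(segments):
    """Order segments by sequence number and join them into one byte stream.

    Retransmitted overlap keeps the first-seen bytes (a simplification; a real
    sensor must model the target host's overlap policy). A gap raises, because
    matching across a hole would let bytes slip past the sensor.
    """
    stream = bytearray()
    expected = None
    for seg in sorted(segments, key=lambda s: s.seq):
        if expected is None:
            expected = seg.seq
        if seg.seq > expected:
            raise ValueError("gap in stream before seq %d" % seg.seq)
        stream += seg.payload[expected - seg.seq:]
        expected = max(expected, seg.seq + len(seg.payload))
    return bytes(stream)


def match_signatures(data):
    """Return sorted [(name, confidence)] for each signature that matches."""
    return sorted((name, conf) for name, pat, conf in SIGNATURES if pat.search(data))


def inspect_per_packet(segments):
    """Naive sensor: match each segment on its own."""
    hits = set()
    for seg in segments:
        hits.update(match_signatures(seg.payload))
    return sorted(hits)


def inspect_stream(segments):
    """Full-stream sensor: reassemble first, then match."""
    return match_signatures(reassemble(segments))


def verdict(segments):
    """In-line decision: block on a high-confidence hit, alert on weaker ones, else pass."""
    hits = inspect_stream(segments)
    if any(conf >= BLOCK_THRESHOLD for _, conf in hits):
        return "block"
    return "alert" if hits else "pass"


# Constructed traffic. The injection string straddles two segments that also
# arrive out of order, so per-packet matching never sees "union select".
EVASIVE_REQUEST = [
    Segment(1020, b"ion%20select%201,2 HTTP/1.1\r\nHost: shop.example\r\n\r\n"),
    Segment(1000, b"GET /items?id=1%20un"),
]
SCAN_REQUEST = [Segment(5000, b"GET / HTTP/1.1\r\nUser-Agent: sqlmap/1.0\r\n\r\n")]
BENIGN_REQUEST = [Segment(1, b"GET /index.html HTTP/1.1\r\nHost: shop.example\r\n\r\n")]

if __name__ == "__main__":
    print("per-packet:", inspect_per_packet(EVASIVE_REQUEST))   # []
    print("stream:    ", inspect_stream(EVASIVE_REQUEST))       # [('sqli-union-select', 0.9)]
    for label, traffic in [("evasive", EVASIVE_REQUEST), ("scan", SCAN_REQUEST), ("benign", BENIGN_REQUEST)]:
        print(label, "->", verdict(traffic))
```

The confidence threshold is the practical reason in-line devices block only a subset of what they detect: a false positive on a block rule drops legitimate traffic, whereas a false positive on an alert-only rule costs an analyst a few minutes.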
