Sales Pulse Research / Securosis. Information Security. Refresh / Upgrade Cycle for Network Security PANW, CSCO, FTNT

Transcription

1 Sales Pulse Research / Securosis Information Security Refresh / Upgrade Cycle for Network Security PANW, CSCO, FTNT June 6,

2 Current Trends in This Report: ü Refresh / Upgrade Cycle for Network Security Vendor Views in This Report: ü PANW Very Strong Indications for Continued Growth, Watching for Upside from End Point, Possible Threat from Increased Competition ü FTNT Strong Indications for Continued Growth; Some Evidence of Progress in Large Enterprises ü CSCO Opportunity to Pick up the Pace and Disrupt This is the first report resulting from the partnership between Sales Pulse and Securosis. In this joint effort our goal is to provide our clients with a view of industry and vendor dynamics that results from depth of knowledge that Securosis brings from their industry backgrounds and work with end users and from Sales Pulse' on-going surveys and dialogue with VARs, integrators, and sales teams. In this report, Securosis has contributed subject matter expertise on the security market and end user requirements. Sales Pulse Research is solely responsible for opinions or expression of conviction regarding individual vendors. 2

3 Network Security (continued) Key Takeaways - The current upgrade cycle for network security is more than a typical product refresh. In addition to moving to faster hardware, and integrating more functionality, NGFWs provide multi-purpose platforms for new solutions that include anti-malware and threat detection. The depth of these new offerings greatly expands the Total Addressable Market (TAM). - Palo Alto has taken the lead in this next generation market and input suggests their continued leadership. We anticipate more challenging competitive responses as the market develops. For now, however, Palo Alto is executing well and best positioned in this large market. - Fortinet is executing well and showing some signs of improving their image in the enterprise and contending more with Palo Alto. Fortinet has the product strength to compete with Palo Alto. We are seeing signs that they are making renewed progress in the enterprise market. They appear to be gaining growing respect in the channel and just may break out of their traditional role and gain some of the luster that Palo Alto has. - Cisco is targeting security for accelerated growth and will likely succeed. Cisco is building on strong, but in some cases lagging technologies. They have been executing well with the technology they acquired with Sourcefire. Industry contacts believe that Marty Roesch is providing a strong vision. Even without great products the Cisco machine will achieve growth in this market. If they can execute well on the product side, Cisco may achieve their goal of growing their market share in security from ~7% to 20%. We will discuss where we think that share will come from. 3

4 Network Security Continued Network Technology Evaluation and Upgrade Cycle The security industry is benefitting from a long term upgrade cycle as organizations evaluate their network security/perimeter architecture driven by the need for next generation network security and that usually means a competitive bid (and possible displacement) of the incumbent. Giving up on Prevention We are observing the beginning of a budget shift away from ineffective prevention technologies to detecting and investigating attacks. We see organizations with mature security programs making this shift, but many others continue to focus on blocking attacks. Prevention is clearly still needed in the network organizations still need a firewall and IPS to enforce both positive (access control) and negative (attack) policies on their perimeters. They just need to be realistic about what they can block even shiny NGFW models. To Focus on Threat Detection So if many organizations have given up trying to block all attacks, what are they supposed to do? Spend tons of money on more appliances to detect attacks they missed at the perimeter, of course. RSAC featured a heavy focus on network-based threat detection including malware and breach detection, persistent threats and zero-day attacks. Threat detection technology is advancing. Analyzing network traffic patterns, profiling and baselining normal communications, and then looking for stuff that s not normal gives you a much better chance of finding compromised devices. What s new is the type of analysis possible with today s better analytics. Baselines aren t built only on Netflow records or DNS queries any more they can now incorporate very granular metadata from network traffic including identity, content, frequency of communication, and various other attributes. Over time, these aspects of detection will become integrated into network devices. Malware Sandboxes Demand for malware detection has been accelerating and is likely to see sustained growth. Vendors debate whether an on-premise approach versus a cloud-based approach to detonation is best. Both can be effective. And vendors are making a lot of noise about data center firewalls - basically just really fast segmentation devices. Some vendors describe this as micro-segmentation. It is another application of firewall technology that is increasing the TAM (Total Addressable Market), for security devices. 4

5 Network Security (continued) While Consolidating Functions Some big organizations still think they need separate devices for all their key functions. Pretty much all the network security players have technologies that allow authorized traffic and block attacks. Back when category names mattered, those functions were called firewalls and IPS respectively. But now everything is a next-generation firewall. But it does a lot more than a firewall. It also detonates malware (or integrates with a cloud service that does). And it looks for commandand-control traffic patterns. Product categories aside, regardless of whether a network security vendor started as a firewall player or with IPS (or both, thanks to the magic of acquisitions), they are all attacking the same real estate: what we call the network security gateway. And Looking for Automation Another hot topic that is ramping up in network security is automation, because managing hundreds of firewalls is complex and time consuming. At RSAC, there were a bunch of new startups showcasing new technologies that showed you how to use an alert from your SIEM or a bad IP address from your threat intelligence provider to make changes automatically on firewalls. Automating some of those rote functions of managing security devices can free up time to do more important and strategic things. In the Cloud At RSAC all the vendors discussed how their fancy 7-layer inspection technology is now available as a virtual machine. Of course unless they are old (like us), they won t remember that network security appliances happened because granular inspection and policy enforcement in software did not scale. Details, we know. But it is sometimes amusing when vendors position software-based network security as new and innovative. Inserting inspection points and bottlenecks in a cloud environment (public, private, or hybrid) breaks the whole cloud computing model. Effective cloud security takes a new approach, not just repositioning existing network security. There are some significant advantages that cloud architectures offer for separation of processes, users and data. Leveraging these advantages and mitigating a few disadvantages will take a new approach. More on that later. 5

6 Vendor Views Sales Pulse does not make buy or sell recommendations. We do express sentiment regarding current segment and vendor trends. The views below are our current views for the Information Security portion of business for these vendors. We are always monitoring for information that will change our views, primarily based upon field input. High Conviction Views Strong Growth: PANW, FTNT, GIMO, CUDA Positive Views Favorable Execution and Growth: PFPT, IMPV, QLYS, CYBR, RDWR, SPLK Cautious Views Signs of Possible Disruption: FEYE, VSCO, JNPR, NTCT, VDSI, SYMC, VMW, CHKP In Transition, Monitoring Execution: CSCO, FFIV, BLOX 6

7 Vendor Views PANW Very Strong Indications for Continued Growth, Watching for Upside from End Point, Possible Threat from Increased Competition - Palo Alto has done the best job of positioning as the next strategic security platform. They have a very strong brand and large distribution engine. Fortinet probably has a price / performance advantage, but is not nearly as proficient at selling to the enterprise. It s less about product capabilities and more about sales execution now, and Palo Alto is pretty good at sales execution. That has also favored Palo Alto and FireEye for advanced threat deals. The endpoint is the potential Achilles heel. Network security companies usually are poor at providing endpoint security, and the Cyvera technology they bought was raw and has needed a lot of work. - The company continues to aggressively expand their sales force with some recent hires coming from the storage market, EMC and NetApp in some markets. In this case Palo Alto appears to be hiring based upon success in competitive markets rather than security expertise. Key Issues: - We expect more aggressive responses by incumbent FW vendors who would like to make it harder for Palo Alto to take share. Although Cisco, Juniper and Check Point continue to try to show some progress so far there have been no significant improvements that we see as impacting Palo Alto s trajectory. We anticipate more moves this year by these vendors to shore up their position. Cisco has the greatest potential to improve their competitiveness through the introduction of a next gen platform. Fortinet is also working to step up their efforts against Palo Alto. In their case, they have a competitive platform but have some marketing challenges to overcome to have a greater impact in Palo Alto s core market. - Development of the Palo Alto s Traps, end point solution - as we will explore further in a separate report, the end point market is very large and ripe for change. Palo Alto and other vendors have introduced new and useful technology. No solutions are yet ready however to make major inroads into this market. Despite the fact that Palo Alto s initial success with Traps has been over stated, the end point market represents potential upside. 7

8 PANW (continued): Current outlook: - At this time we see no disruption in sight to Palo Alto s strong execution and growth. Palo Alto has continued to build on the lead they established with their solution set and marketing of their next generation security platform. The few execution issues we have seen (i.e. initially misguided telecom sales effort) have been overcome by their favorable overall execution and the benefit of very good market timing. Palo Alto has a large addressable market that is going through a major technology evaluation and refresh. - Some have recently suggested that we are approaching a peak in the firewall refresh cycle. As discussed in our section on Network Security, the current market evolution is not only based upon the move to NGFW, but the deployment of technologies for malware detection and threat intelligence. The addition of this much needed functionality is increasing the TAM for the Network Security Gateway to the benefit of vendors who have been aggressive in adding these solutions to their next generation platforms. - Palo Alto continues to receive the highest score for growth in our quarterly surveys. On-going dialogue with VARs, SIs, and other field contacts in this market indicates continued strength for Palo Alto. 8

9 FTNT Strong Indications for Continued Growth; Some Evidence of Progress in Large Enterprises - Fortinet is executing well in their traditional markets - SMB (where their UTM approach is efficient in cost and resources), Distributed Enterprise (where their very low cost edge UTM is unmatched in price / performance / functionality) and in large, managed service provider data centers (where the high performance / low latency of their ASIC based architecture is needed). They have picked up some new channels after Sourcefire was acquired by Cisco. They also continue to build their sales and marketing organizations in an effort to accelerate their growth. - Fortinet's gets high marks for keeping up with an aggressive product roadmap. The company displays the engineering approach of their CEO as well as his lack of marketing focus. Some criticize them for having too broad of a product set (includes WiFi, cameras, and a few other misc products that provide very little revenue and arguably distract from their security focus). But they execute very well on their security product roadmap so this does not seem to be a big concern. - Fortinet does well in head to head tests when the focus is on price / performance against Palo Alto and others, although their management software is not as strong, especially for large environments. It appears that Fortinet s slower growth vs. Palo Alto has helped them realize the importance of marketing. Over the past year they have been investing much more heavily in expanding sales and marketing. Feedback is that they have hired some very capable marketing people. - Fortinet has shown that they may be accelerating in the large enterprise market with some impressive wins in the past few quarters. Current outlook: - Based upon ongoing feedback we believe Fortinet will continue to grow faster than the market because of their strong execution in the three markets we discussed. We believe they are benefitting from the pickup in hiring they have done over the past three quarters. We also expect their OPEX to remain fairly high because they appear committed to continue to hire in their attempt to catch up to Palo Alto s growth rate. - In very recent discussions we are hearing that some VARs are growing frustrated with the difficulty they are having representing Palo Alto because of their hot stature in the market. Although this is generally a positive indication for Palo Alto, a number of the VARs we have spoken with have decided to put more effort into selling Fortinet. In revisiting Fortinet some have commented on their surprise at the advantages of Fortinet s solutions. The new attention of some capable VARs along with Fortinet s strong platform and improved marketing could be an added boost for Fortinet. As always we will be monitoring for additional signs of progress. 9

10 CSCO Opportunity to Pick up the Pace and Disrupt - Recent comments made by Cisco s CEO and CFO disclaim interest in FireEye, but affirm expectations for future acquisitions in the security market. As the largest vendor in the security market Cisco has the potential to pick up their pace of growth and possibility disrupt some some current hot vendors including Palo Alto, Fortinet and FireEye. With mediocre execution Cisco can continue to pick up their pace of growth in the security market. To disrupt they need to execute on an aggressive product roadmap, something that has always proven to be difficult for large organizations. - Still a share loser in FW market - Cisco has a relatively large share in the fragmented security market. In the firewall segment they remain a net share loser in a growing market as their aging ASA FW has been targeted for replacement by competitors, most notably Palo Alto and Fortinet. In their most recent quarter Cisco has shown renewed growth in security based upon strong execution with products acquired via Sourcefire. Sourcefire has provided a leading IPS solution as well as strong anti-malware and end point technology. Although some end users, especially mid-size, are consolidating traditional FW and IPS functionality in next generation platforms there are still many organizations who keep these functions separate. Cisco/Sourcefire has a strong IPS solution and Cisco s sales force has been ramping up in their ability to sell it. - Opportunity for acceleration - Cisco is competing more effectively as their Sourcefire technology permeates through the ASA hardware. They most recently added Sourcefire IPS capabilities via a co-processor in the ASA platform. Although not a strong performer, this upgrade has added functionality and is effective in environments where performance is not a constraint. They remain vulnerable in evaluations and head to head tests against competitors where performance is a major consideration. We believe that Cisco has been working very hard on a new product set that will leverage legacy ASA functionality and Sourcefire IPS and other advanced features in a true next generation platform. If they execute well and deliver a competitive solution in the near future, they have the opportunity to protect their base, take advantage of strong security budgets and realize stronger revenue growth. As a strategic supplier to their large customer base, they also have the opportunity to consolidate other security functions in response to CIOs who would rather reduce their number of suppliers vs. chase all the point products that they are now using to meet the ever increasing number of security threats. The key question is when Cisco may introduce a next generation platform and how competitive it will be. Marty Roesch, former founder and CEO of Sourcefire, who now leads Cisco s security group is highly regarded and believed to provide the right vision and leadership for Cisco s efforts. We believe that delivering a next generation hardware is easier now then in the past. Platforms from Cavium and Netronome provide very high performance and rich software for performing packet inspection and the basic functions of security. The Cisco / Sourcefire product is currently based on the Netronome processor and that would seem to offer 10

11 CSCO (continued): one path to a very competitive next gen platform. ASA software provides legacy FW features and Sourcefire has leading IPS functionality. With all these building blocks how hard could it be to deliver a solution set that will go head to head with Palo Alto, Fortinet, Dell,. Apparently product development is harder than it looks. - Some Thoughts on Acquisitions - In recent articles Palo Alto, Fortinet, Check Point, FireEye, F5, Imperva, and others have been named as potential acquisition targets by Cisco. We believe that Cisco will make multiple acquisitions in the security segment but likely smaller companies with technology they can leverage with their large sales engine. Many of the companies named have solutions that overlap with Cisco s ASA / Sourcefire technology discussed above where we believe Cisco is still committed to their own development efforts. The security market offers many choices in terms of problems to solve and there has been a proliferation of early stage security companies with innovative solutions. Cisco has recently made small acquisitions in security including Neohapsis (Dec 2014, Security advisory services) and Threat Grid (June 2014, Threat intelligence and malware analysis). We expect more of these types of acquisitions, especially in the services area where Cisco needs to add resources that will be difficult to achieve organically. Two other areas where Cisco may get more aggressive are in the end point market and analytics. These are both large markets that are ripe for new solutions (more about that in a future report). There are numerous private companies, and a few public in analytics, that would accelerate their efforts. It is also possible that Cisco may go after public players like Imperva or CyberArk, where there is little overlap with their current technology, (although in Privileged Identity Management Xceedium may be a better choice). Current Outlook: - In summary, we believe that Cisco is determined to accelerate their growth in the security market. We have no doubt that they are working hard at internal development and at acquisitions and we expect to see the results of both as this year progresses. With mediocre execution they can at least see improved growth, with strong execution they can disrupt a number of today s hot vendors. It promises to be an interesting year and we will be watching closely and collecting input from our network of industry professionals to help us understand the dynamics and impact that Cisco s moves will have on the market and vendors. 11

12 Sales Pulse Universe of Coverage in Security Segment A10 Networks Barracuda Check Point Software Cisco Citrix CyberArk F5 FireEye Fortinet Gigamon HP IBM Imperva Infoblox Intel Security Juniper Networks MobileIron Netscout / Arbor Palo Alto Networks Proofpoint Qualys Radware Splunk Symantec Trend Micro Varonis Vasco VMware Private and early stage companies including: Blue Coat Dell Gemalto / SafeNet Bit9 + Carbon Black ForeScout Tenable Network Security Netronome Websense Bromium Invincea Tanium Open Peak LightCyber Dumballa Vectra Networks Okta There are many, many more private companies entering the security market, some that we are familiar with and others less so. We are always happy to discuss other vendors and reach out to our network of industry contacts to get feedback that may be helpful to clients. 12

13 Additional Topics in This Series of Reports: In this and following reports, we discuss our views of the information security market with a focus on current trends, anticipating disruption and monitoring the market for change. Examples of topics we will explore include: ü Growing Budgets for Information Security ü Refresh / Upgrade Cycle for Network Security Acceleration of Anti-malware, Remediation Application Security Endpoint Security A Very Large Market Segment Ripe for Disruption Infection Point for Identity and Access Management Security Management and the Growth of Analytics Cloud Security Fundamental Change vs. Cloud Washing. Security as a Service Response of the Large Incumbents (Cisco, Symantec, Intel, Juniper, to Share Erosion and Change) We offer our current views and will update on an on-going basis based upon input from VARs, SIs, End Users with insight into competitive market dynamics, share shift and evaluation of the size of the TAM for various segments. 13

14 Copyright 2015, Sales Pulse Research, LLC All rights reserved. Important Disclosures: Facts and the other informalon contained in this report have been obtained from public sources considered reliable but are not guaranteed in any way. No independent confirmalon of the truth, correctness or accuracy of the informalon presented has been made by Sales Pulse Research, LLC. This report is published solely for informalon purposes and is not an offer to buy or sell or a solicitalon of an offer to buy or sell any security or derivalve. Sales Pulse Research, LLC accepts no responsibility for any loss or damage suffered by any person or enlty as a result of any such person's or enlty's reliance on the informalon presented in this report. Opinions and eslmates expressed herein consltute judgments as of the date appearing on the report and are subject to change without nolce. Employees of Sales Pulse Research, LLC may from Lme to Lme acquire, hold or sell a posilon in the securiles menloned herein in this report. All of the recommendalons and views about the securiles and companies in this report accurately reflect the personal views of the analyst(s) of Sales Pulse Research, LLC. No part of analyst's compensalon was, is, or will be directly or indirectly related to the specific recommendalons or views expressed by the research analyst. No part of this document may be copied, photocopied, or duplicated in any form or other means redistributed or quoted without the prior wri\en consent of Sales Pulse Research, LLC. The informalon contained herein has been obtained from sources believed reliable but is it not necessarily complete and accuracy is not guaranteed. ConfidenLality NoLce: This transmi\al is a confidenlal communicalon or may otherwise be privileged or confidenlal. If you are not the intended recipient, you are hereby nolfied that you have received this transmi\al in error and that any review, disseminalon, distribulon or copying of this transmi\al is strictly prohibited. If you have received this communicalon in error, please nolfy the sender immediately by reply and delete this message and all its a\achments, if any. 14

15 Addendum 15

16 Technology Blankblank Trends Rating Change Since Fall Survey +.1 Survey Results The graphic on this page is from our March survey. The column on the far right compares recent results with our survey from last fall. The question asked our field contacts for their estimate of growth for each vendor on a scale of 1 5. We will mention our typical disclaimer, that we do not usual find the greatest value in numerical results. They do sometimes provide clues however, along with the comments and anecdotes to help us better understand the market. A few takeaways from these results: Results for all vendors in the security segment indicated growth (above the 3.0 level). Although our field contacts are an optimistic group by nature, this is the highest aggregate level we have seen for any segment and correlates with other bullish indicators for security spending. No surprise that indications for Palo Alto are the strongest of any vendor - consistent with input that we have received over the past year as well as published reports showing rapid new account gains and growing deal sizes. Both CyberArk and Proofpoint saw somewhat notable ratings increases. These increases correlate well with comments we have heard from VARs regarding the acceleration of their businesses. Indications for other vendors are discussed in the vendor section of this and upcoming reports

17 Supplemental Information: Sales Pulse Research Update Notes Archive - Bloomberg Terminal Function PLSR Sales Pulse Research Update Notes Archive ( Contact SPR for PW Securosis - Research Library ( Securosis Blog ( Both Sales Pulse and Securosis have a history of working hard to keep marketing hype to a minimum, reports concise and focusing on what we know and believe to be the best way to offer value to our clients. We are always happy to discuss areas of specific interest in more detail and work collaboratively with clients on targeted projects. 17

18 Sales Pulse Research In addition to coverage of the Cyber Security market Sales Pulse provides research on technology market segments that includes Cloud, Data Center / Virtualization, WLAN, Big Data and Analytics, Storage, Telecommunications, Enterprise Networking, Optical Networking, SaaS, XaaS, Network Management, Application Acceleration/Optimization, and Unified Communications and Collaboration. Contacts: Tom Morphis Sales Pulse Research, LLC (404) tom@salespulse.net Steve Thompson Sales Pulse Research, LLC steve@salespulse.net 18