Magic Quadrant for MSSPs, North America

Transcription

1 Magic Quadrant for MSSPs, North America Gartner RAS Core Research Note G , Kelly M. Kavanagh, John Pescatore, 16 April 2009, R Several IT outsourcers entered or increased their presence in the maturing managed security service provider market in North America. In addition to firewall and intrusion detection/prevention monitoring and management, security log management became a nearly universal offering. WHAT YOU NEED TO KNOW Enterprises are engaging managed security service providers (MSSPs) to meet security monitoring and device management requirements for several reasons: An inability to increase resources or expertise because of the business climate Compliance requirements for monitoring and reviewing security and user-related activities The trend toward providing local Internet connections to branch offices, rather than through a central corporate gateway The increasing use of mobile workforce and consumer-grade technology to access corporate resources MAGIC QUADRANT Market Overview Enterprise use of MSSPs continued its steady growth trend in 2008, and macroeconomic conditions and security threat trends will cause that growth to continue in These same trends, combined with others, such as increased enterprise use of software as a service (SaaS) and the consumerization of IT, will cause cloud-based security-as-a-service offerings to begin to impact the customer-premises-equipment (CPE)-focused MSSP market in 2H09 and beyond. This will bring new entrants into the market for security services, including several large global brands. MSSPs in North America generated revenue of approximately $570 million in 2007, and Gartner estimates that revenue grew about 15% in 2008, and the number of firewalls and intrusion detection/prevention (IDP) devices under monitoring/management grew 20%. The differing growth rates in revenue and devices reflect lower pricing driven by competition, market growth in the small/ midsize enterprise space, and by more multifunction devices managed. Gartner estimates that, in 2008, 60% of Fortune 500 enterprises had engaged in some level of use of an MSSP, representing about 25% of enterprise firewalls under remote monitoring or management. Firewall and intrusion prevention appliance vendors have seen that MSSPs are increasingly important channel partners, and allow the product vendors to propose more-effective monitoring and management as adjuncts to their technology products.

2 2 Growth in enterprise demand for MSS in 2008 was primarily driven by four factors: Staffing and budget growth limitations Gartner s updated forecast for IT spending indicates a 2.2% growth rate in Gartner sees continued corporate pressure to reduce operational costs, capital expenditures and staffing, while maintaining a sufficient security posture. Compliance reporting requirements Gartner sees increased pressure to reduce the cost of meeting compliance requirements, such as Payment Card Industry standards, Federal Information Security Management Act (FISMA) requirements for government agencies, Federal Financial Institutions Examination Council (FFIEC) for banking, as well as requests by customers and business partners to demonstrate the ability to monitor, identify and respond to attacks. Customers also cite strong demands to reduce the cost of ongoing compliance activities, such as meeting U.S. Sarbanes- Oxley or Health Insurance Portability and Accountability Act (HIPAA) requirements in the face of implementing newer compliance activities focused on privileged user access or data protection. Figure 1. Magic Quadrant for MSSPs, North America ability to execute challengers niche players leaders AT&T IBM Internet Security Systems Wipro Technologies Tata Communications SAIC EDS, an HP Company CGI Group Orange Business Services Unisys Savvis CompuCom (Getronics NA) Trustwave Bell Sprint visionaries completeness of vision Verizon Business Symantec SecureWorks BT Global Services Integralis VeriSign Perimeter Internetworking Solutionary Source: Gartner (2H08) Expansion of Internet connection points Enterprises are adding firewalls and multifunction firewalls to remote locations as they move toward distributed Internet connections. The deployment of network intrusion prevention devices and increased demand for remote security monitoring of servers also have led to increased device count and contract value when renewing managed service agreements. Growing experience with remote services for IT As enterprises gain experience consuming IT functions such as applications, storage and processing as services, security outsourcing will become more routine. Gartner sees significant growth in security outsourcing in areas adjacent to MSS, such as secure Web gateways, security, and identity and access management (IAM). As of 2H08 Smaller businesses in retail, energy, banking and other sectors enter into security outsourcing agreements to increase their security levels and to meet regulatory demands. They have limited ability to add head count, and are often turning to service providers with which they already do business to address security and compliance requirements at minimal additional cost. The MSS market is maturing, with larger service providers adding managed security to their portfolios via acquisition and organic development. Many enterprises heavily weight vendor viability in their evaluation of outsourcing providers, and larger service providers offer an important comfort level for these buyers. For many mainstream technology adopters and risk-averse companies The Magic Quadrant is copyrighted April 2009 by Gartner, Inc. and is reused with permission. The Magic Quadrant is a graphical representation of a marketplace at and for a specific time period. It depicts Gartner s analysis of how certain vendors measure against criteria for that marketplace, as defined by Gartner. Gartner does not endorse any vendor, product or service depicted in the Magic Quadrant, and does not advise technology users to select only those vendors placed in the Leaders quadrant. The Magic Quadrant is intended solely as a research tool, and is not meant to be a specific guide to action. Gartner disclaims all warranties, express or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose Gartner, Inc. and/or its Affiliates. All Rights Reserved. Reproduction and distribution of this publication in any form without prior written permission is forbidden. The information contained herein has been obtained from sources believed to be reliable. Gartner disclaims all warranties as to the accuracy, completeness or adequacy of such information. Although Gartner s research may discuss legal issues related to the information technology business, Gartner does not provide legal advice or services and its research should not be construed or used as such. Gartner shall have no liability for errors, omissions or inadequacies in the information contained herein or for interpretations thereof. The opinions expressed herein are subject to change without notice.

3 entering this market, security expertise, reputation and MSS innovation are of less importance than an established relationship with a trusted partner for other IT services good enough security monitoring was sufficient. Pricing Pricing on a device basis for monitoring and management of firewalls and IDP devices continues to decline at a slow pace. Gartner expects that during , pricing will continue to decline as large IT outsourcing- oriented MSSPs like Tata Communications and Wipro Technologies increase their presence in North America, and as potential as well as renewing customers reflect corporate budget pressure on IT spending. As the number of devices under management by MSSPs expands, per-unit pricing should decline as some of the economies of scale are passed on to customers. Pricing remains a strong vendor selection criterion for Type B (mainstream IT users) and Type C (risk-averse) customers, and Gartner sees Type A (technically aggressive) customers increasingly factoring in pricing for MSS vendor selection or renewal negotiations. Although per-device and per-user pricing will continue to decline, MSSPs can increase their average deal size as enterprises add additional devices under management and consume new service offerings. There are several service trends related to pricing: Compliance-specific offerings. MSSPs are proposing services designed to meet compliance requirements for example, monitoring server logs or payment systems, or providing Web application firewall services. These offerings are designed to obtain customers looking to meet those specific requirements at a low price, with the MSSP anticipating expanding the scope of services as customers gain familiarity and see value. Virtualization. Customers implementing virtualized firewalls for example, replacing 10 firewalls appliances with a single device running 10 virtual firewalls expect that the hardware cost savings they realize will also be reflected in a lower price by the MSSP to manage and monitor 10 virtual devices. Although MSSPs make the case that their costs for monitoring/managing the 10 firewalls have not fallen, customer expectations for savings are pushing MSSPs to reduce their pricing for virtualized firewalls. Based on preliminary information, pricing for virtualized firewall monitoring/management is between 50% and 80% of the pricing for doing so on physical devices. Virtualization will also affect pricing for MSSPs offering firewall services to data centers via their own equipment. As these firewalls are virtualized, service providers will be pressed to pass on some of the reduced costs to their MSS customers. Multifunction firewalls. MSSPs are introducing low-cost monitoring/management services based on multifunction firewall devices for firewall, intrusion prevention service (IPS), antivirus (AV) and Web gateway functions. These services are targeted to small or midsize businesses (SMBs) or branch-office deployments, with pricing reflecting the limited configuration changes, reporting and security operations center (SOC) interaction typically required by customers of these offerings. SMB Firewall Services MSS providers generally offer monitoring and management for SMB multifunction firewalls that encompasses firewall, IPS, AV and anti-spam, and URL filtering capability in one device. These services typically target SMB enterprises, and offer minimal security analyst interaction, and limited configuration changes and reporting. Some services will incorporate the cost of the SMB firewall in the service subscription fee so that customers do not need to buy the devices out of their capital budgets. SMBs exploring outsourcing monitoring and management of multifunction devices should assess the ability of MSSPs to deploy devices with standard configurations that address vertical industry or compliance requirements to which they are subject, as well as update those configurations as part of the standard service offering, based on changes in those requirements. Managed services for multifunction firewalls are also used by enterprise customers to provide monitoring or management to remote-office or branch-office security appliances. These offices have requirements similar to SMB needs; there is little need for analyst interaction with all office locations, and typically there are a limited number of standard configurations that the enterprise customer deploys to branch offices. Enterprises looking to use MSSPs for remote-office/branch-office device management and monitoring should assess the ability of MSSPs to provide alerting reporting that provides sufficient detail by location to the corporate security team. Security Information Management as a Service Several MSSPs have service offerings for security information management, including the collection, analysis, reporting and storage of log data from servers, user directories, applications and databases. These service offerings typically forgo real-time monitoring and alerting, and focus on compliance-oriented reporting on exceptions, reviews and documentation, with the ability to store and archive logs for later investigation and for data retention requirements. These offerings are being driven by clients that must meet compliance requirements and are seeking an alternative to buying and implementing a security information/event management (SIEM) product. There are three types of information/log management offerings, each with slight variations available: Customer-premises appliance services involve logging appliance, such as those from Loglogic or ArcSight (and others) at the customer site to collect and store log data from security and network devices, servers, applications and directories. The MSSP may manage the appliance, and may provide the customer access to the appliance s reporting capability via the MSSP s portal. Customers can often run queries and reports from the logging appliance s console, as well. The appliance can also be configured to forward a subset of events and logs to the MSSP for real-time correlation, analysis and alerting as part of the MSSP s usual monitoring services. The on-site appliance may be owned by the customer, or provided by the MSSP as a part of the service subscription. 3

4 4 An MSSP-hosted appliance provides the same services as the customer-premises deployment, but the log collection and archiving technology is hosted by the MSSP. Reporting capabilities, as well as the ability to incorporate selected data feeds into real-time correlation, analysis and reporting, are similar to the on-premises offerings. The logging technology is owned by the service provider. An MSSP-based service involves the forwarding of log data to the MSSP for storage and archiving, with the customer able to run correlation and generate reports via the MSSP s correlation engine. This offering foregoes real-time analysis and alerting by the MSSP operations staff. The MSSP-based service can include direct customer log feeds to the MSSP or may include an MSSP-provided on-premises collector to acquire customer logs and forward them to the MSSP. In practice, the deployment of managed log services is still in the early stages, with most deployments being on-premises logging appliances. There are several reasons for this: Enterprises are still gaining experience with log management technology and processes. Gartner customers report struggling with issues, such as the scope of the logging deployment, determining what specific log messages and correlations are relevant, and developing the alerting, reporting and workflow to meet the various requirements of security operations, IT operations and compliance groups. The amount of log data that must be acquired, stored and analyzed. For large enterprise logging deployments, the increased network bandwidth required to send logs to a remote service provider may be prohibitive. In addition, some enterprises may treat the information contained in logs, especially regarding privileged user and application or database activity, as sensitive. Therefore, they are reluctant to send those logs to an external service provider. Where applications or databases are hosted by external service providers, enterprises may face an additional challenge in including those logs in a centralized logging environment. Given these ongoing challenges, Gartner anticipates that enterprises will outsource log management, delivered via on-premises logging appliances or remotely, via several scenarios during the next 12 to 18 months. Gartner anticipates an increase in the deployment of outsourced customer-premises and MSSPbased logging services in four types of environments: Limited scope of technology with specific compliance requirement. We expect that large enterprises and SMBs will seek to reduce their costs of meeting specific compliance requirements via outsourcing. Initially, this may be done piecemeal for specific elements of the IT infrastructure tied to specific compliance regimes. Later, we expect a consolidation of monitoring approaches to gain efficiencies and reduce costs. SMBs with a fairly low volume of log data and limited capabilities to deploy and manage logging technology in-house. For these businesses with limited internal resources, the logging outsourcing decision is subject to the same drivers as their other outsourcing decisions limited internal resources to address the requirements. Enterprises that have already outsourced monitoring and management of their perimeter security technologies and have a trusted relationship with their MSSPs. Gartner customers that express deeper interest in outsourcing log management are typically already engaged with an MSSP. Outsourcing security means relinquishing control of the technology and process, and these enterprises have experience finding the right balance with a security outsourcer. Enterprises that have developed in-house log management capabilities, and are ready to outsource them. Enterprises that have rationalized the scope of the log management efforts and have developed the reporting and remediation processes to address operational and compliance concerns will seek to reduce ongoing maintenance and operational costs by turning to external service providers. Gartner anticipates that the outsourcing of log management will follow the general arc of outsourcing firewall management in large enterprises: redeployment of internal resources to more-business-enabling activities will drive the outsourcing decisions. During the next 24 months, MSSPs that develop successful services for log monitoring and management will address the differences between those activities and traditional MSSP perimeter security monitoring expertise and experience. There are two important areas MSSPs must address: The MSSP s expertise is limited inside the enterprise network. Unlike perimeter monitoring, where MSSPs leverage their knowledge of external threats and the profile of attacks across their customer base, the identification of suspicious activities in servers, applications and databases inside the enterprise is heavily reliant on the knowledge of users and business activities unique to the enterprise. MSSPs are addressing this by offering more self-service capabilities, so customers can develop the correlation rules, alerts and reports that are relevant to them. In addition, the MSSPs are beginning to build correlations, alerts and reports into their services that are most commonly needed by customers, even if those must be further customized. MSSPs must address the different needs of security monitoring and IT operations. MSSPs that monitor servers, applications and databases typically do so to identify security-related events, a small subset of the logging activity. MSSPs must be able to accommodate those customers with a common logging architecture for security and operations, and focus on the events relevant to customer security and compliance teams. Enterprises using IT infrastructure outsourcers for security monitoring must get security-specific service-level agreements (SLAs) to ensure that the requirements of the security operations and IT operations teams are addressed, including access to relevant log data. Enterprises using MSSPs should investigate whether the log collection and analysis capabilities managed by the service provider can be extended or customized to provide better support for IT operations.

5 In-the-Cloud MSS and Security as a Service Gartner continues to see deals for in-the-cloud (ITC)-managed firewall services and on-demand distributed denial-of-service (DDoS) offerings from ISPs and telcos. Several MSSPs are anticipating bringing to market ITC services for intrusion prevention. However, there is much market education to be done regarding the availability, benefits and costs compared with more traditional customer-premises equipment options for these technologies. Because ITC services are bundled with bandwidth services, it is possible that enterprise security organizations are not exposed to the availability of these services to the same degree as they are to the on-premises hardware solutions. Gartner recommends requesting information about ITC security services from bandwidth providers if the security group is considering outsourcing to an MSSP. Increased employee mobility and trends, such as teleworking and the consumerization of IT, have caused enterprises to look for ways to extend their perimeter protections out into the Internet cloud. When mobile employees are accessing SaaS offerings, such as salesforce.com, they are not traversing the perimeter and are at a greatly increased risk of compromise from new threats, such as botnet clients. Similarly, employees using their home PCs to access SaaS or corporate applications are also at risk. Secure Web gateway vendors are seeing the need to offer Web filtering in the cloud proxy services, and startups such as Purewire and Zscaler are building similar capabilities. These offerings will reduce the addressable market of perimeter customer-premises devices that are available for MSSP monitoring and management. MSSPs will have to evolve their own security-as-a-service offerings by 2010 to prevent market erosion. The trend toward competition for MSS renewal deals has continued since Magic Quadrant for MSSPs, North America, 1H07, and cost concerns have increased. Also on the increase is concern about the viability of specific MSSPs as a result of the economic slowdown. Even large MSSPs are not immune, with Gartner customers expressing concern about the commitment of MSSPs to the market, brain drain and the ability to meet service levels in the wake of mergers. Gartner expects a continuation of customers renewing or recompleting MSS deals to try to keep costs from growing, even as they look at possibly expanding services under contract. MSSP Location as a Factor in the North American Market As a remotely delivered service, MSS can be delivered globally from security operations centers located far from the security devices being monitored or managed. Based on feedback from Gartner customers of MSSPs based in North American and in other regions, the location of the MSSP SOCs, support staff, management and sales force is important in several contexts: Outsourcing security monitoring or management involves enterprise staff relinquishing control, as well as the ability to meet with MSSP management or operations staff, and ensuring that the SOC can increase security staff confidence. Gartner customers in North America have tended to favor MSS providers with North American SOCs and support presence. For many enterprises, managed security is a relationship buy. The presence of a service provider s local sales teams, presales technical support and consulting capability help establish that relationship earlier in the buying cycle. In cases where SOCs located outside of North America have limited resources to support English language interaction with North American customers outside of normal business hours, Gartner customers have expressed frustration and requested local support be made available. Where the MSSP is responsible for the installation and integration of security technology, or for break-fix of the technology, local presence (or effective partnering with local service providers) is typically needed to meet SLAs. Customers also report that when using the MSSP to deploy and configure technology across regions, the biggest source of delay (and frustration) is related to moving the technology across national borders. Gartner expects that some of the preference toward in-region SOC presence will erode as customers become more comfortable with security outsourcing, and as MSSPs push lower pricing based on labor costs for SOCs in other regions. However, MSSPs must address other potential concerns by providing more visible, documented and auditable evidence of service delivery to customers. Service Provider Landscape MSSPs continue to be found in a few basic flavors. There are still pure-play MSSPs, including SecureWorks, Solutionary, Trustwave and Perimeter Internetworking on the Magic Quadrant, as well as many smaller, regional pure plays. System integrators/strategic outsourcers include IBM and EDS, an HP Company), as well as telcos, including AT&T, BT Global Services, Orange Business Services and Verizon Business. VeriSign is included in this Magic Quadrant. Although VeriSign announced in late 2007 its intention to sell its enterprise security group (MSS, consulting and its security intelligence businesses), no buyer has been announced. Being in acquisition limbo has severely affected VeriSign s ability to compete; however, Gartner still views it as a viable provider. In this Magic Quadrant, we reflect the acquisition of Cybertrust by Verizon Business, with the combined entity called Verizon Business. In August 2008, KPN International sold its North America Getronics business to Compucom. During the analysis of the survey data related to this Magic Quadrant, HP announced it was acquiring EDS. AmbironTrustWave changed its name to Trustwave. In addition, we have added Tata Communications and Wipro Technologies to this Magic Quadrant, based on encountering them in several MSS deals and on our verification that they are delivering MSS in the North American market. In February 2009, StillSecure acquired MSSP ProtectPoint. We were not able to evaluate StillSecure s MSS capabilities prior to publishing this Magic Quadrant. CSC is not included in the Magic Quadrant. CSC offers managed security as a component of a broader security and risk management portfolio, and does not meet the inclusion criteria for this Magic Quadrant. 5

6 6 Vendors that only have managed security offerings that are outside of the firewall/idp management and monitoring focus of this document, such as Prolexic Technologies (DDOS protection), Qualys (scanning) or Alert Logic (scanning/ids/logging) are not included in this Magic Quadrant. Market Definition/Description For the purposes of this research, Gartner defines MSS as the remote management or monitoring of IT security information, assets and processes where the delivery of those services is via remote security operations centers, not through personnel on site. MSS does not, therefore, include any consulting or development and integration services that may be included in a security outsourcing engagement. MSSs include: Monitored or managed firewall or IPSs Monitoring or managed IDSs More than 500 firewall/idp devices under remote management or monitoring for external customers, or at least 200 external customers with those devices under management or monitoring Reference accounts relevant to Gartner customers in North America Added We have added Wipro Technologies and Tata Communications to this Magic Quadrant. These service providers now have sufficient presence for MSS in North America to qualify for inclusion. Dropped We have dropped CSC from this Magic Quadrant, because its MSS offering is presented in a larger risk and security service context, and does not meet the inclusion criteria. Table 1. Ability to Execute Evaluation Criteria Evaluation Criteria Weighting DDOS protection Managed antivirus/anti-spam services Managed gateway antivirus services Security information management Security event management Managed vulnerability scanning of networks, servers or applications Security vulnerability or threat-notification services Product/Service Overall Viability (Business Unit, Financial, Strategy, Organization) Sales Execution/Pricing Market Responsiveness and Track Record Marketing Execution Customer Experience Operations Source: Gartner (April 2009) High High Standard Standard Low High Standard Managed log analysis Reporting associated with monitored/managed devices and incident response Table 2. Completeness of Vision Evaluation Criteria Evaluation Criteria Weighting Market Understanding High All of these listed services delivered via CPE or ISP central office equipment This Magic Quadrant evaluates vendors that offer monitored/managed firewall and intrusion detection/prevention functions, rather than those focused on a single element of the services listed here. Inclusion and Exclusion Criteria To be included in this Magic Quadrant, an MSSP must have: The ability to remotely monitor or manage firewalls and IDP devices via discrete service offerings Marketing Strategy Sales Strategy Offering (Product) Strategy Business Model Vertical/Industry Strategy Innovation Geographic Strategy Source: Gartner (April 2009) Standard Standard High Standard Standard High Low

7 Evaluation Criteria Ability to Execute Ability to execute criteria (see Table 1) are discussed in Updated Criteria for Selecting an MSSP. Completeness of Vision Criteria weights for completeness of vision are shown in Table 2. Leaders Each of the service providers in the Leaders quadrant has significant mind share among enterprises looking to buy an MSS as a discrete offering. These providers generally receive positive reports on service and performance from Gartner clients. MSSPs in the Leaders quadrant are typically appropriate options for enterprises requiring frequent interaction with the MSSP for analyst expertise and advice, portalbased correlation and workflow support, and flexible reporting options. Challengers Gartner customers are more likely to encounter an MSS offered by a service provider in the Challengers quadrant as a component of that provider s other telecom, outsourcing or consulting services. Although an MSS is not a leading service offering for this type of vendor, it offers a path of least resistance to enterprises that need an MSSP and use the vendor s main services. These service providers also represent the largest portion of overall MSSP revenue. Visionaries Companies in the Visionaries quadrant have demonstrated the ability to turn a strong focus on managed security into high-quality service offerings for the MSS market. Vendors in the Visionaries quadrant are often strong contenders for enterprises requiring frequent interaction with MSS analysts, flexible service delivery options and strong customer service. Niche Players Niche players are characterized by service offerings that are available primarily in specific market segments or primarily as part of other service offerings. Vendor and AT&T AT&T has been an early and aggressive proponent of ITC services. AT&T continues to leverage the greater threat visibility gained by managing large portions of the Internet backbone. Enterprises seeking to augment bandwidth services with ITC protection, requiring remoteoffice/branch-office MSS, or requiring a multinational, multiservice MSS partner, should consider AT&T. AT&T has a broad range of services, flexible pricing and delivery forms. Its service development leverages AT&T telco strengths. AT&T has a strong internal commitment to MSS and provides ITC delivery leadership. AT&T is a stable vendor with a multinational presence. AT&T s managing/monitoring services based on CPE are not an emphasis. Security marketing struggles for attention in AT&T s overall outreach. ITC pricing needs more simplicity to enable easy comparison with CPE alternatives. Bell In addition to broader network and communications services, Bell provides a blend of traditional staff augmentation and outsourcing with MSS. Enterprises should consider Bell for MSS when security requirements must fit within existing contract or procurement arrangements with Bell. It is well-known in the Canadian market. It has a range of MSS offerings designed to meet the needs of less demanding customers, as well those with more-stringent MSS requirements. It has a strong Canada government presence, and the ability to partner with other security service providers to address service gaps (such as IBM and CGI Group) for delivery on some contracts. Bell has a relatively small number of firewalls, IDSs and IPSs under management/monitoring, and thus a limited ability to generate economies of scale from monitoring and management activities. The services offer limited asset tracking and correlation compared with competitor offerings. One reference customer reports dissatisfaction with uneven service delivery. Bell s MSS focus is primarily on the Canadian market, although it does support customers in the U.S. market, and relies on partnerships to affect worldwide service delivery. 7

8 8 BT Global Services BT s acquisition of Counterpane in 2006 gave it increased presence in the North American MSS market. Acquisition of consulting capabilities (INS) and BT s multinational presence provide the potential to expand monitoring capabilities and overall MSS portfolio. BT customers looking to augment existing telecom services with MSS, or those with requirements that include multinational presence and support should consider BT Global. BT Global has worldwide presence, and a full portfolio of managed services and consulting services. The Counterpane acquisition has added extensive security monitoring experience. BT Global has invested in expanding monitoring capabilities in North America and other regions. BT Global has reduced visibility to enterprise MSS buyers and does not appear on shortlists as often as Counterpane does. CGI has been slow to add some services to its MSS portfolio. CGI s portal lacks features and capabilities compared with those of competitors. CompuCom (Getronics NA) CompuCom s MSS capability comes from acquisition of the North American operation of Getronics (which included worldwide MSS delivery) in August Prior to the acquisition, Getronic s MSS business suffered reduced visibility due to changing business emphasis. CompuCom (Getronics NA) is incorporating its service delivery and customer support processes into the acquired managed security services. CompuCom customers or enterprises looking for retail-oriented and compliance-focused security outsourcing should consider CompuCom (Getronics NA)-managed security services. It has a full portfolio of managed security services for device monitoring and management. Its MSS business unit has maintained a stable core of personnel through several ownership changes. BT Global must sharpen its MSS focus to expand visibility to enterprises that are not already BT customers. It must also expand its ITC service delivery and service integration between monitoring and delivery. CGI Group CGI Group offers a broad portfolio of managed security services, as well as strategic outsourcing services for IT. Plans are for a slow expansion beyond Canada, including the addition of a U.S.- based SOC. Enterprises looking to add security monitoring and management to infrastructure outsourcing should consider CGI. CGI is well-known in the Canadian market and has a presence in the Canada government market. It has some visibility in the U.S. market due to acquisitions. CGI has flexible delivery options, including remote services, traditional outsourcing and staff augmentation. Gartner customers have limited visibility of CGI for security monitoring and management due to dependence on CGI s other lines of business and Bell to sell MSS. Expansion plans may be delayed due to the business climate. Its MSS business has focused on entertainment, insurance, retail and security related to compliance requirements. It has limited visibility among Gartner customers looking for MSSPs. It will take time for CompuCom to improve Getronics support and service delivery capabilities and demonstrate an increased focus on MSS. EDS, an HP Company EDS has recently begun to provide managed security services as a separate service offering from its IT outsourcing business, although MSS is still oriented toward IT outsourcing customers. Enterprises with requirements for a single provider for IT and security outsourcing should consider EDS. It offers a single-service provider option for a broad range of IT outsourcing services and security management. Its MSS offerings are device monitoring and management, augmented by hosted and CPE-based log management. EDS MSS has a Statement on Auditing Standards No. 70 (SAS 70) Type II audit, and the government operations center has ISO certification.

9 9 EDS must expand its offerings to support greater enterprise CPE deployments to be considered for engagements beyond the scope of an ITO service portal, and its reporting capabilities need improvement to achieve parity with those of competitors. As a result of the acquisition by HP, there is the potential for changes in the EDS portfolio of services, a reduced commitment to MSS as a discrete service or a negative effect on EDS s ability to delivery to the expectations of MSS customers. IBM Internet Security Systems IBM ISS is a long-established MSS provider through IBM global services and strategic outsourcing, which was given renewed focus by the acquisition of Internet Security Systems (ISS) and its MSS capabilities. Enterprises requiring strong security expertise, multinational support and the availability of extensive consulting resources should consider IBM ISS. IBM ISS has worldwide presence and delivery capability. X-Force research and IBM global services consulting augments its security monitoring and management portfolio. IBM ISS was early to offer log management services. It has SAS-70 Type II audit and SysTrust certification. Several Gartner customers report operational service issues and new offering delays as the ISS MSS organization finds its fit in IBM Global Services, and customers of IBM Global Services managed security are moved onto the ISS MSS delivery model. Gartner has received some reports of presale bias toward managing/monitoring IBM ISS products, and IBM will need to establish clear messaging to the marketplace about its productneutral MSS offerings. Integralis Integralis is well-known in Europe as a system integrator, IT management provider and MSSP, and has had a quiet presence in North America for several years. Integralis has recently begun expanding its North America presence, opening a second SOC on the West Coast, and has plans to expand to Asia/Pacific. Enterprises seeking international delivery capabilities and a broad range of MSS offerings should consider Integralis. Integralis recently expanded its North America presence, including better regional business hours support. It has a broad portfolio of security services offerings, including log management, security and authentication services. It is MSS SAS 70 Type II audited and international MSS certified. Uneven implementation and integration services have been reported by Integralis customers. Integralis has had limited visibility in the North America MSS market. The business climate may slow its expansion plans. Orange Business Services Orange Business Services offers global MSS coverage. Orange has invested heavily in process and service improvement efforts across its services, including a full set of managed security services. Orange is better known in Europe than in North America, but customers give it good marks for solid service delivery. Telecommunications customers of the company should consider it for MSS. Orange customers report effective service delivery for managed security. Orange undergoes SAS 70 Type II audits and has received ISO certification for international customers of its Cairo SOC. The correlation information and log management reporting available through the Orange portal lags behind its competitors. Orange has lagged in promoting ITC firewall services to North America customers. It has limited visibility as an MSS to customers looking for discrete managed security capabilities.

10 10 Perimeter Internetworking Perimeter Internetworking has focused on the SMB market, with a concentration of banking, and is expanding beyond that industry to other verticals, as well as the larger enterprise market. Perimeter offers several delivery modes, including hosted/itc, as well as customer-premises equipment monitoring/management. Its deployments are most typically compliance-focused, low-touch relationships, where customers have very limited internal security resources. SMBs looking for MSS with compliance-focus, easy deployment options and a relatively low-touch relationship with the service provider should consider Perimeter. Customers and references report strong satisfaction with Perimeter s services. Perimeter has a broad portfolio of security services beyond device monitoring and management, including ITC delivery options. Perimeter recently added to its management team to expand delivery and strategy experience. Perimeter must ensure that its offerings provide easy-tounderstand and easy-to-buy options for prospective customers. These include flexible contract length terms to address the requirements of customers involved in mergers and acquisitions. Perimeter s offerings span security buying centers. As Perimeter encounters enterprise prospects, it must address the issues of distinct decision makers, requirements and budgets across these buying centers. Perimeter has begun to add enterprises to its customer base, and must prove it can deliver the service levels demanded by enterprises while maintaining its SMB delivery capability. Savvis Savvis offers CPE-based, hosted and ITC-managed security offerings, and partners with other service providers for and vulnerability scanning services. Savvis offers MSS for customers of its network and hosting businesses, as well as to customers seeking stand-alone managed security services. Enterprises should consider Savvis MSS, as CPE or ITC deployments to augment Savvis hosting or network services. Savvis has steadily developed MSS capabilities during the past few years, resulting in services with several deployment options for its network and hosting customers, as well as enterprises that are looking for stand-alone services. Savvis s security expertise is enhanced by its Arca Common Criteria Testing Laboratory. It has on-premises appliance-based log management as well as hosted log management offerings. Savvis conducts an annual SAS-70 type II audit of its MSS operations. Savvis must improve the capabilities of its security portal to match those of competitors. Savvis sells MSS through direct sales, which may limit its ability to reach customers interested only in MSS deals, rather than in MSS plus hosting or network services. Savvis must raise its security services profile to be considered an MSSP by more enterprises and SMBs that are not already Savvis network or hosting customers. SAIC SAIC s MSS business is a part of a larger IT outsourcing and security services capability, and is often delivered as a component of a larger outsourcing relationship. Enterprises with MSS deployments that will involve significant implementation and integration work should consider SAIC s strengths to deliver those services in addition to ongoing monitoring, log management and information-sharing capabilities. SAIC demonstrates strong security expertise and integration capability in its consulting business, government and commercial, as well as through its certification lab. SAIC is well-known among U.S. government customers, and operates the Federal Computer Incident Response Center at the U.S. Department of Homeland Security. SAIC has some visibility to commercial enterprises via its Information Sharing and Analysis Center (ISAC). Gartner commercial enterprise customers looking for managed security have very limited exposure to SAIC s offerings. SecureWorks SecureWorks has two distinct market targets: SMBs requiring lowcost perimeter protection, and enterprise customers with moreextensive and demanding monitoring requirements. SecureWorks has managed to bring together its high-volume direct sales efforts,

11 targeting the first group and more relationship-driven sales efforts targeting the latter. Consider SecureWorks if your requirements include compliance-specific elements, and easy deployment options, or if your requirements include proactive and responsive service delivery with strong security expertise and analyst involvement. SecureWorks gets high praise from customers for strong service delivery, security expertise and commitment to customer satisfaction. SecureWorks has augmented its monitoring services with log management services in several delivery options, including hosted service and security-as-a-service models. SecureWorks has recently added channel partners in Canada and outside North America. It undergoes annual SAS 70 Type II audits and periodic FFIEC examinations. SecureWorks must upgrade the capacity of its isensor to support greater network throughput for enterprise customers. SecureWorks sells primarily through its direct sales force, and needs to add to its channel partners. The current business climate may slow plans to expand partnerships in Canada and outside North America. Solutionary Solutionary offers a range of security and compliance services under its ActiveGuard branding, including device monitoring and management, vulnerability scanning, and log monitoring and management. Solutionary also offers security program assessments with its SecurCompass SaaS offering and consulting services. Solutionary s customers are primarily midsize enterprises, but is adding customers in the SMB and the enterprise markets. Consider Solutionary if your requirements include flexible service packaging, strong service delivery and North America deployment. Solutionary customers give the firm good marks for flexibility in designing and deploying services around customer-specific requirements. Solutionary has increased its channel capabilities and now offers its MSS through several system integrators, as well as through direct sales. Solutionary has host and application monitoring capabilities, including hosted, on-demand services and a vulnerability scanning offering based on proprietary technology. Solutionary service has been audited under SAS-70 Type II. Solutionary has had uneven direct sales coverage and has not engaged in a persistent, visible marketing effort. Solutionary has limited visibility in the market, and must raise is profile to prospective customers. Solutionary must do a better job exposing its offerings as discrete services, so that buyers looking for vulnerability scanning or for server log monitoring will be able to discern that Solutionary offers these services. Sprint Sprint offers MSS to its government and commercial customers for bandwidth or network services. Sprint customers looking for MSS offerings with a known provider should consider Sprint for CPE and ITC deployments. Sprint s bandwidth and network services customers can extend their service relationships to include a range of MSS capabilities Sprint s MSS include ITC deployment options for firewall services. Sprint MSS capabilities are typically not known to Gartner customers seeking an MSSP. Sprint must improve its log management capabilities, and enable tighter integration between its log management and other security monitoring capabilities to achieve parity with competitor offerings. Sprint s compliance reporting capabilities are lagging those of competitors. Symantec Symantec has been a long-term provider of MSS, and has maintained a reputation as a premium provider to enterprises. Symantec s service portfolio was recently augmented with its purchase of MessageLabs for security. Enterprises looking for enterprise-focused security expertise and worldwide delivery capabilities should consider Symantec. 11

12 12 Symantec s broad MSS portfolio includes security intelligence research, as well as remote log management solutions. Symantec s MSS has a SAS 70 Type II audit and ISO (BS-7799:2005) certification. Symantec gets good marks from customers for MSS delivery. Trustwave s basic MSS capabilities are augmented by PCIspecific log monitoring and management services, and reporting. Trustwave s strong position in the payment card channel provides a steady stream of potential customers for its log monitoring capabilities. Trustwave gets good marks from reference accounts. Customers report some difficulty in negotiations with Symantec on service renewal, specifically regarding service flexibility or customization. Tata Communications Tata Communications introduced its MSS in North America in April 2008, and plans increasing operational presence and partnerships there. Tata s MSS offerings include monitoring and management services for market-leading firewalls, IDS and IPS. Tata is also developing several ITC service offerings. Log monitoring services are planned for future release. Existing customers of Tata s services, and enterprises looking for aggressive pricing for perimeter management and monitoring should investigate Tata s offerings. Tata Managed Security has developed a broad set of MSS offerings in a relatively short time frame. Trustwave s certifications include SAS 70, FFIEC examination and WebTrust. Trustwave s MSS portfolio is not as broad as many competitors, and lacks alerting capabilities. Trustwave s portal capabilities also lag in the areas of asset information and correlation. Trustwave s MSS visibility in the market is largely driven by, and dependent on, its position as a PCI assessor. To be considered for MSS business beyond the scope of PCI requirements, Trustwave must improve its ability to provide core MSS capabilities and portal features to improve its competitive positioning against MSSPs with more focus on supporting security operations. Tata gets good marks from references for efficient service implementation, and for exceeding contractual obligations and customer expectations. Tata s log monitoring and management services are lagging, compared with its competitors. Tata will need portal enhancements for asset information, correlation and scanning to bring its portal on a par with those of competitors. Tata must address potential concerns of buyers who may be wary of offshore monitoring or management of their security technology. Trustwave Trustwave was formerly known as AmbironTrustwave. It is known best for its extensive PCI audit and assessment business. Trustwave s MSS capabilities are focused on monitoring systems in the scope of PCI standards. Consider Trustwave when your security monitoring requirements are heavily weighted for meeting the specific requirements of the PCI standards. Unisys Unisys has a comprehensive MSS portfolio, outsourcing services, security consulting services and system integration capabilities. It has a full suite of MSS offerings, including on-premises and hosted log management. Unisys MSS is deployed across North America, Europe, the Middle East, Africa, Latin America and Asia/Pacific. Unisys has SAS 70 Type II audits and ISO certifications at multiple operations centers. Gartner customers and reference accounts have reported dissatisfaction with Unisys execution and service delivery in MSS. Unisys has indicated that it has renewed management focus on service delivery quality.

13 VeriSign On 31 January 2008, VeriSign announced that it was selling its MSS, consulting and idefense businesses. Gartner considers VeriSign a credible MSS provider, as long as potential customers establish contractual safeguards to ensure continuity and quality of service as the status of VeriSign s ownership evolves. VeriSign has been a strong MSS provider for several years, and has expanded its monitoring capabilities to include scanning, hosted Skybox, and log monitoring services. Consider VeriSign when your MSS requirements are weighted toward North America deployment and include strong security expertise. VeriSign gets good grades from customers for service delivery. Gartner has not received reports of a falloff in service quality from VeriSign MSS customers. VeriSign was among the first MSSPs to bring discrete log management offerings to market, and has log monitoring capabilities that include server, application, directory and database sources. VeriSign has a good reputation for security expertise in its MSS group and in its idefense security intelligence group. VeriSign s MSS has a SAS 70 Type II audit and Safe Harbor certification. VeriSign announced its intention to sell its security businesses more than a year ago, but has not announced a buyer. VeriSign s MSS portfolio, relationship with security product vendors, geographic delivery capabilities and a host of other issues hinge on the identity and plans of a new owner. Its service offering includes a full portfolio of MSS, including DOS protection. Log management/monitoring capabilities include server, directory, application and database support. Verizon gets generally strong marks from Gartner customers and from reference accounts. Verizon Business MSS SOCs have SAS 70 Type II, audit, and WebTrust and ISO 9000 certifications. Verizon must ensure that it continues to focus on continuity and quality of service as it brings customers from multiple MSS businesses onto a common service delivery platform. Wipro Technologies Wipro Technologies is a new entrant to the North America MSSP Magic Quadrant. Wipro MSS is delivered to customers of its IT outsourcing and services. Wipro is planning further expansion in North America, while maintaining an India-powered delivery approach. Consider Wipro for MSS if you are a customer of Wipro s other IT services, or if you have global security deployment and management and monitoring requirements. Wipro offers a broad range of MSS and other IT management services, as well as consulting services. Its log management capabilities include server, database, directory and applications. Wipro gets good marks from references for implementation and integration capabilities and for ongoing support. 13 Given the uncertainty of its ownership and direction, VeriSign needs to continue to actively address concerns regarding its future. Verizon Business Verizon Business gained MSS capabilities from its acquisition of MCI, then augmented those by acquiring Cybertrust in July Cybertrust had MSS and professional services capability in Europe, North America and Asia/Pacific. Consider Verizon Business security services when you are using other Verizon Business telecommunications services, or when your requirements include strong security expertise and global delivery capability. Wipro has ISO and 9001 certification, and undergoes SAS 70 audits on a customer-specific basis. Wipro s North American marketing efforts for MSS have not yet resulted in visibility to Gartner clients in North America. As a result, Wipro is seldom mentioned by Gartner customers in discussions about potential MSS providers. The current business climate may delay Wipro s North America expansion efforts, as well as plans to better market its MSS there. The core of the Cybertrust MSS and consulting group has remained largely intact in the transition to Verizon Business, and Verizon Business has been able to quickly introduce new service offerings. Wipro must address concerns of potential MSS customers regarding its India-based service delivery.

14 14 Acronym Key and Glossary Terms AV antivirus CPE customer premises equipment DDoS distributed denial-of-service FFIEC Federal Financial Institutions Examination Council FISMA Federal Information Security Management Act HIPAA Health Insurance Portability and Accountability Act Vendors Added or Dropped We review and adjust our inclusion criteria for Magic Quadrants and MarketScopes as markets change. As a result of these adjustments, the mix of vendors in any Magic Quadrant or MarketScope may change over time. A vendor appearing in a Magic Quadrant or MarketScope one year and not the next does not necessarily indicate that we have changed our opinion of that vendor. This may be a reflection of a change in the market and, therefore, changed evaluation criteria, or a change of focus by a vendor. IAM IDP IDS IPS ISS ITC MSS MSSP PCI SMB SaaS identity and access management intrusion detection/prevention intrusion detection system intrusion prevention system Internet Security Systems in the cloud managed security service managed security service provider Payment Card Industry small or midsize business software as a service SAS 70 Statement on Auditing Standards No. 70 SIEM SLA SOC security information/event management service-level agreement security operations center

15 15 Evaluation Criteria Definitions Ability to Execute Product/Service: Core goods and services offered by the vendor that compete in/serve the defined market. This includes current product/service capabilities, quality, feature sets and skills, whether offered natively or through OEM agreements/partnerships as defined in the market definition and detailed in the subcriteria. Overall Viability (Business Unit, Financial, Strategy, Organization): Viability includes an assessment of the overall organization s financial health, the financial and practical success of the business unit, and the likelihood that the individual business unit will continue investing in the product, will continue offering the product and will advance the state of the art within the organization s portfolio of products. Sales Execution/Pricing: The vendor s capabilities in all presales activities and the structure that supports them. This includes deal management, pricing and negotiation, presales support, and the overall effectiveness of the sales channel. Market Responsiveness and Track Record: Ability to respond, change direction, be flexible and achieve competitive success as opportunities develop, competitors act, customer needs evolve and market dynamics change. This criterion also considers the vendor s history of responsiveness. Marketing Execution: The clarity, quality, creativity and efficacy of programs designed to deliver the organization s message to influence the market, promote the brand and business, increase awareness of the products, and establish a positive identification with the product/brand and organization in the minds of buyers. This mind share can be driven by a combination of publicity, promotional initiatives, thought leadership, word-of-mouth and sales activities. Customer Experience: Relationships, products and services/programs that enable clients to be successful with the products evaluated. Specifically, this includes the ways customers receive technical support or account support. This can also include ancillary tools, customer support programs (and the quality thereof), availability of user groups, service-level agreements and so on. Operations: The ability of the organization to meet its goals and commitments. Factors include the quality of the organizational structure, including skills, experiences, programs, systems and other vehicles that enable the organization to operate effectively and efficiently on an ongoing basis. Completeness of Vision Market Understanding: Ability of the vendor to understand buyers wants and needs and to translate those into products and services. Vendors that show the highest degree of vision listen to and understand buyers wants and needs, and can shape or enhance those with their added vision. Marketing Strategy: A clear, differentiated set of messages consistently communicated throughout the organization and externalized through the Web site, advertising, customer programs and positioning statements. Sales Strategy: The strategy for selling products that uses the appropriate network of direct and indirect sales, marketing, service and communication affiliates that extend the scope and depth of market reach, skills, expertise, technologies, services, and the customer base. Offering (Product) Strategy: The vendor s approach to product development and delivery that emphasizes differentiation, functionality, methodology and feature sets as they map to current and future requirements. Business Model: The soundness and logic of the vendor s underlying business proposition. Vertical/Industry Strategy: The vendor s strategy to direct resources, skills and offerings to meet the specific needs of individual market segments, including vertical markets. Innovation: Direct, related, complementary and synergistic layouts of resources, expertise or capital for investment, consolidation, defensive or pre-emptive purposes. Geographic Strategy: The vendor s strategy to direct resources, skills and offerings to meet the specific needs of geographies outside the home or native geography, either directly or through partners, channels and subsidiaries as appropriate for that geography and market.