Ovum Decision Matrix: Selecting an Endpoint/Mobile Security Solution, 2014–2015


Publication Date: 14 Aug 2014
Andrew Kellett
Product code: IT

Summary

Catalyst

Organizations are being targeted by ever more advanced and persistent malware, which continues to raise threat levels and increases the requirement for better endpoint/mobile device protection. Provision of real-time access to business systems from any available device is becoming a common user expectation. The devices we use may change, and are often a mix of corporate-owned and personal, known as bring your own device (BYOD). PCs, laptops, servers, tablets, and smartphones all require connectivity, all need to be kept secure, and, if not properly protected, can all be used to put business systems and the data they hold at risk.

The requirements for endpoint/mobile device protection are not consistent across all devices. The operating systems (OSs), applications, programs, and platform infrastructures differ, as do the security products needed to deliver primary protection. The base components continue to include personal firewalls, intrusion detection and protection systems (IDS and IPS), port and device management solutions, endpoint data protection and associated file and disk encryption, and anti-malware products. However, signature-based techniques are falling out of favor due to declining functionality, bringing a demand for more advanced protection capabilities including the use of security intelligence and analytics, application protection and control, and mobile device management (MDM).

Ovum view

Organizations continue to invest in established device and data protection products even though the effectiveness of many point and signature-based solutions is increasingly being called into question. Their success levels continue to decline when targeted by advanced and persistent malware, strengthening the argument for better and more proactive forms of endpoint/mobile device protection.
However, although core protection technologies such as anti-virus and anti-spyware clearly have their limitations, none of the highly vaunted replacements have been successful enough to directly challenge or change the current position. They remain necessary as part of a defense-in-depth strategy to remove many basic vulnerabilities, allowing other, more proactive tools to focus on detecting the sophisticated malware activity that has not been found.

Other maintenance techniques that remain important to an active defense of business systems and are often undervalued include support for rigorous and active patch management. There is good evidence that inconsistent and slow patch management leaves vulnerability opportunities for longer than is safe, and that companies that maintain a more comprehensive and automated approach across their operating environments and applications are safer and better protected against known vulnerabilities.

This Ovum Decision Matrix focuses on identifying the leading endpoint/mobile device protection solutions and highlights the availability and use of new technology, important new approaches to service delivery, and new and innovative vendors. Nevertheless, none of this obviates the need to get the basics right.

Controlling mobile and removable devices is now seen as an important part of the extended endpoint protection environment. It has rapidly become a vital area of endpoint/mobile security. Organizations need to know about all the servers, PCs, laptops, tablets, smartphones, and other devices that can connect to their business systems and pass data across their networks. Better controls are needed to ensure there is visibility of connected devices, their access rights, and the data that flows to and from them. Therefore, organizations also need to deploy and maintain core data and network protection technologies, including port and device management solutions, network access control (NAC), and endpoint data protection facilities such as data loss prevention (DLP) and file and disk encryption. The more visibility the organization has of its mobile devices and how they interact with business systems, the better chance it has to control data flows into and out of the network and, as a result, enhanced levels of data breach protection can be maintained.

Defense-in-depth is necessary for maintaining endpoint/mobile protection. Attack volumes, complexity issues, and threat persistence all drive the need for better levels of security. No single security solution can be expected to keep endpoint/mobile devices and their users safe; multiple defenses are needed to make it as difficult as possible for an attacker to succeed. This is why organizations are looking to consolidate their approach to endpoint/mobile protection around a smaller number of protection providers. Enterprises are typically looking to deploy centrally managed and integrated solutions rather than point-based products. Further consolidation and integration is required and continuing to happen. This is especially the case in the endpoint/mobile device markets where, from a technology standpoint, there is a horrendous disconnection between the various platforms. At the same time, end users do not recognize the difficult technology and security issues, seeing only the benefits and opportunities that endpoint/mobile device connectivity offers.
Ovum research, using information gathered for Ovum's Enterprise Security Market Forecast Model, shows that the endpoint/mobile protection market was worth $4.12bn in Once all information is gathered, the figure is expected to be just above $4.5bn in 2014, and close to $5bn by the end of Significant levels of growth (CAGR rates of 10.7%) are attributable to the growing need for mobile device protection, the extended range of the security products needed to protect mobile devices and applications, and the need to protect users when accessing corporate systems using personal as well as corporate-owned devices.

Key findings

- Endpoint/mobile device security continues to deliver core anti-malware protection while extending coverage to include software that protects users and their devices and applications, and it now crosses over into the MDM arena.
- The continuing growth in the use of tablets and smartphones and the shared-ownership overheads of BYOD have changed the endpoint security sector once and for all.
- Across their extended security platforms, Intel Security (McAfee) and Symantec provide the widest range of endpoint and mobile device protection products and services.
- Kaspersky Lab, Sophos, and Trend Micro are seen as malware protection specialists, as they provide core and extended anti-malware protection facilities.
- IBM provides a wide range of endpoint and security management products and services, while choosing to work with technology partners to deliver some of its core protection services.
- ESET provides a more limited range of endpoint security services than the market leaders, but its products, with their light usage footprint, are highly valued from a customer satisfaction standpoint.

- AVG offers cloud-only endpoint protection to SME customers and is now adding a device management capability.
- F-Secure also offers a cloud-based service for the SME market, but it does not offer encryption.
- Webroot boasts the smallest of agent software footprints thanks to its approach to endpoint, but it, too, has no plans to offer encryption.

Vendor solution selection

Inclusion criteria

The endpoint device protection market continues to evolve. From its anti-virus origins it now extends to the protection of mobile devices, and features an extensive range of protection products that comprises personal firewalls, IDS and IPS, port and device management solutions, endpoint data protection utilizing DLP technology and file and disk encryption, anti-malware products for spam, and spyware protection. It also includes the more recent additions for user, device, and application protection and control, and core MDM facilities.

The sector is made up of a large number of vendors that provide either conjoined multiple endpoint protection products or, as in the case of the vast majority of smaller vendors, selected elements of device and data protection. This report focuses on vendors that cover most of the main elements of endpoint and mobile device protection, and specifically includes vendors that have the capabilities to provide user and device protection for PCs, laptops, tablets, and smart mobile devices. These capabilities include:

- core anti-malware protection
- web security
- central device management and control facilities
- targeted data protection that is relevant to each endpoint device, which includes endpoint DLP and data and file encryption
- protection for virtual clients and device lockers set up to protect business data on mobile devices
- control over mobile and removable devices, including the ability to disable and remotely wipe data from mobile devices
- the elements of wireless protection that support secure access.
Exclusion criteria

A large number of endpoint protection providers focus on just one or two specific areas. They specialize, and may be positioned as best-of-breed suppliers, in their own particular fields, but do not offer sufficient overall coverage to be included in this report. That notwithstanding, a number of the vendors that have been included in the report do not cover all areas of device protection, but do provide sufficient ranges of core protection services to be considered important. Vendors are excluded if they:

- only provide a narrow range of endpoint or mobile device protection facilities
- do not have the capacity to deal with web-related threats and protection services
- do not offer central device management capabilities
- do not provide sufficient mainstream platform or mobile device coverage for both endpoint and mobile device platforms
- do not provide the services to selectively remove or completely wipe business data from endpoint and mobile devices.

Methodology

Technology/service assessment

The technology provided by the vendors included in this report comprises a number of core endpoint protection components, plus additional products that were previously seen as beyond this domain but now represent important areas for business when considering the merits of an endpoint and mobile device protection provider. Core anti-malware protection that covers areas such as anti-virus, anti-spyware, anti-spam, anti-phishing, application blocking, and desktop firewall facilities is considered a fundamental requirement, whereas facilities such as host IPS, botnet protection, and protection against rogue dialers are provided by most of the vendors.

Beyond these core malware security services, the vendors in the report were measured according to the range of endpoint and mobile platforms they support; their web protection capabilities; their ability to protect data at the endpoint and on the move between devices and the business, including the use of encryption facilities and secure channels; their support for virtual clients; their wireless protection; their removable media and remote device coverage; and their security management capabilities.
The technology areas analyzed were:

- OS platforms supported, including PCs, laptops, smart mobile devices, and tablets
- depth of coverage for anti-malware protection
- web security protection for users while browsing using their chosen devices
- core components of central device management and control
- provision of endpoint DLP, which also includes the use of data encryption facilities
- support for virtualization on the client
- controls over connectivity to removable media and local equipment
- protection from security issues that relate to wireless access
- management and protection of mobile devices, including the ability to remotely manage, disable, and wipe data from mobile devices
- service delivery for on-premise, hosted, and software-as-a-service (SaaS) options.

Execution

In this dimension, Ovum analysts reviewed the capability of the solution around the following key areas:

- Maturity: The stage that the product/service is currently at in the maturity lifecycle, relating to the maturity of the overall technology/service area.
- Interoperability: How easily the solution/service can be integrated into the organization's operations, relative to the demand for integration for the project.

- Innovation: Innovation can be a key differentiator in the value that an enterprise achieves from a software or services implementation.
- Deployment: Various deployment issues, including time, industries, services, and support.
- Scalability: The scalability of the solution across different scenarios.
- Enterprise fit: The alignment of the solution and the potential return on investment (ROI) period identified.

Market impact

The global market impact of a solution is assessed in this dimension. Market Impact is measured across five categories, each of which has a maximum score of 10.

- Revenues: Each solution's relevant global revenues are calculated as a percentage of the market leader's. This percentage is then multiplied by a market maturity value and rounded to the nearest integer.
- Revenue growth: Each solution's revenue growth estimate for the next 12 months is calculated as a percentage of the growth rate of the fastest-growing solutions in the market and rounded to the nearest integer.
- Geographical penetration: Ovum determines each solution's revenues in three regions: the Americas; Europe, the Middle East, and Africa (EMEA); and Asia-Pacific. These revenues are compared to the market leading solution's revenues in each region and the solution's overall geographical reach score is the average of these three values.
- Vertical penetration: Ovum determines each solution's market penetration in the following verticals: energy and utilities; financial services; healthcare; life sciences; manufacturing; media and entertainment; professional services; public sector; retail; wholesale and distribution; telecommunications; and travel, transportation, logistics, and hospitality. These are compared to the market leader's performance in each vertical and the solution's overall vertical penetration score is calculated across all sectors.
- Size-band coverage: Ovum determines each solution's performance across three company size bands: large enterprises (over 5,000 employees), medium-sized enterprises (1,000–4,999 employees), and small enterprises (fewer than 1,000 employees). Performance is calculated against the market leader in each company size band and calculated across all three.

Ovum ratings

- Market Leader: This category represents the leading solutions that we believe are worthy of a place on most technology selection shortlists. The vendor has established a commanding market position with a product that is widely accepted as best-of-breed.
- Market Challenger: The solutions in this category have a good market positioning and are selling and marketing the product well. The products offer competitive functionality and good price-performance proposition, and should be considered as part of the technology selection.
- Market Follower: Solutions in this category are typically aimed at meeting the requirements of a particular kind of customer. As a tier-1 offering, they should be explored as part of the technology selection.

Ovum Decision Matrix Interactive

To access the endpoint and mobile device protection Ovum Decision Matrix Interactive, an online interactive tool providing you with the technology features that Ovum believes are crucial differentiators for leading solutions in this area, please see the Ovum Decision Matrix Interactive tool on the Ovum Knowledge Center.

Market and solution analysis

Ovum Decision Matrix: Endpoint and mobile device protection,

The requirement to enhance and improve endpoint/mobile device security is driven by the number and range of devices that have connectivity capabilities and are being used to access corporate information systems. It used to be possible to focus on the protection of company-owned devices. BYOD removed that particular comfort blanket. In addition, the need to provide end-user access for a more mobile and increasingly remote workforce adds further layers of complexity. Not only have there been significant changes in mobile device ownership, but there are also issues of multiple device usage, which need to be taken into consideration when setting up device usage controls and access policies. Many of the static PC and server elements of endpoint protection remain, but security needs to be enhanced to deal with advanced threats and malware strains that can remain undetected for extended periods of time.

Endpoint and mobile device protection continues to evolve; advanced threat protection is driving the roadmap and security strategies of the leading security vendors. Mobility, BYOD, and multiple mobile device usage are changing the way that endpoint security and MDM services are combining and being delivered. The sharing of threat protection intelligence and the increasing use of cloud-based security services is improving the response and update capabilities of endpoint and mobile device protection.

Figure 1: Ovum Decision Matrix: Endpoint and mobile security
Source: Ovum

Figure 2: Expanded view of Ovum Decision Matrix: Endpoint and mobile security
Source: Ovum

Table 1: Ovum Decision Matrix: Endpoint and mobile security

Market leaders             Market challengers    Market followers
Kaspersky Lab              F-Secure              AVG
Intel Security (McAfee)    ESET                  Webroot
Sophos                     IBM
Symantec
Trend Micro

Source: Ovum

Market leaders: vendor solutions

A large number of vendors provide elements of endpoint and mobile device protection. Most are specialists with specific areas of expertise; only a few offer the extended range of coverage needed to deal with the majority of endpoint and mobile device protection requirements. All the vendors included in this Ovum Decision Matrix provide most or at least some of the key areas of endpoint security that Ovum has identified for this analysis. Intel Security (McAfee), Kaspersky Lab, Sophos, Symantec, and Trend Micro all offer this level of coverage, and although none would claim a 100% position, they are closer than most across the core areas of device and malware protection.

Intel Security (McAfee) continues to be strong in the key areas of malware protection, DLP, and web security. However, alongside most other endpoint protection specialists, more work is needed to build out its remote device control and disablement services and its application protection capabilities.

Kaspersky Lab provided a strong performance across most key areas of endpoint and mobile device protection. Particular improvements in its mobile device protection capabilities were identified, as were its additional range of encryption facilities. Core to Kaspersky's continuing success are its recognized strengths in anti-malware protection and remediation.

Sophos retains its position in the leading group because of its all-round consistent performance across all areas of endpoint security. Its malware protection services continue to match those of the top performers and it competes well across all elements of web and mobile protection.

Symantec competes at the highest levels in the key areas of malware protection, DLP, encryption, and web security. However, it has areas of weakness: for example, it provides few direct wireless security facilities.

Trend Micro offers core malware protection services that are as strong as those provided by the other market leaders.
The company's solution now resides in the top tier because of its improved encryption, DLP, and web security coverage.

Market challengers: vendor solutions

The challengers group comprises F-Secure, ESET, and IBM: three well-respected security vendors with established endpoint and mobile device solutions.

F-Secure has been offering its endpoint protection service since the mid-2000s. It does so entirely through partners, with one of the main strengths of the offerings being F-Secure's DeepGuard technology, a host-based intrusion prevention system that enables it to go beyond signatures and be proactive. It does not target enterprise customers.

ESET is another well-established provider of anti-malware protection facilities. Its core market is the SME space, where its ability to protect lower-specification and often older machines is highly valued. There are some lack-of-coverage issues that prevent it from entering the market leaders group, such as very little DLP protection and less-than-average coverage in the management and protection of mobile and remote devices.

IBM takes a pragmatic approach to endpoint and mobile device protection. It has an established security practice, but also chooses to work with best-of-breed partners to complete its range of malware protection services. The company competes strongly across all areas of security management, but currently provides only limited coverage in DLP, encryption, and web security.

Market followers: vendor solutions

AVG and Webroot are positioned in the third tier because they do not offer the range of endpoint and mobile device protection solutions available within the market-leading platforms. They are strong in the core areas of anti-malware protection, web security, and central management, but offer only limited coverage in other areas that are considered important within enterprise environments, such as DLP and data encryption.

AVG offers a cloud-based protection service for endpoints in the SME market. Through an acquisition made in 2013, it is now adding management capabilities for mobile devices, but says it currently has no plans to offer encryption.

Webroot's claim to fame in this sector is the exceptionally small footprint of the on-device agent through which it delivers endpoint protection, which results from its very different way of approaching the problem. It too has no plans in the area of encryption.

Market leaders

Market leaders: technology

Figure 3: Ovum Decision Matrix: Endpoint and mobile security market leaders technology
Source: Ovum

As expected, the vendors in the market leaders section of this Ovum Decision Matrix feature regularly at the top of each technology category. From OS platform support through to service delivery options, Intel Security (McAfee), Kaspersky Lab, Sophos, and Symantec dominate most of the technology leadership divisions. F-Secure and Trend Micro compete at the highest levels in the anti-malware protection category, with AVG, ESET, and Webroot not far behind.

AVG also competes at the highest levels for web security and central device management, and IBM features strongly in the central device management dimension. Because of IBM's software leadership position in other areas of the technology marketplace, it, along with F-Secure, features as a leader in the client virtualization and virtual machine (VM) dimension.

Data protection in the form of endpoint DLP and encryption was firmly dominated by the market leaders. There were few challenges to their overall dominance, with the exception of ESET within the encryption dimension.

Market leaders: execution

Figure 4: Ovum Decision Matrix: Endpoint and mobile security market leaders execution
Source: Ovum

The market execution diagram, showing the ability to execute in line with business protection requirements, covers six essential components: product maturity, interoperability, innovation, deployment, scale, and enterprise fit.

The leading performers in the maturity dimension, which takes into account the breadth and depth of the security technology of each vendor and how it is used and recognized by end-user clients, were Intel Security (McAfee), Kaspersky Lab, and Symantec.

Interoperability and the operational ability to execute were a highly competitive area, and one where most of our vendors scored well. The top performers were Symantec and Trend Micro, but these were closely followed by Intel Security (McAfee), Kaspersky Lab, and Sophos.

Innovation may not be seen as a natural byproduct of the traditional endpoint security market, but with extended protection requirements, which now include a new generation of smart mobile devices and the opportunities for advancement they provide, innovation and the ability to execute across these areas are an important differentiator. The constraints that the device manufacturers impose on the security vendors continue to restrict progress, but progress on device, application, and user protection is nevertheless being made. In this area, Intel Security (McAfee), Kaspersky Lab, and Sophos were seen as having made the most headway.

Deployment or deployability covers a wide range of often disparate business and infrastructure support requirements. Most vendors scored well, with Symantec and Trend Micro coming out on top.

Scale and scalability are an area that all established vendors like to feel they have covered. However, in the endpoint/mobile device marketplace, there are those that target mainly enterprise clients, those for which the SME space is their comfort zone, and those that have a good range of clients in the small, medium, and large enterprise markets. The vendors that were seen to have the most comprehensive mix included F-Secure, Symantec, and Trend Micro.

Enterprise fit provides recognition of the range and balance of mainstream industry verticals where each vendor has established a strong foothold. In this area the top performers were IBM, Kaspersky Lab, and Symantec. These vendors were closely followed by Intel Security (McAfee), Sophos, and Trend Micro.

Market leaders: market impact

Figure 5: Ovum Decision Matrix: Endpoint and mobile security market leaders market impact
Source: Ovum

Endpoint and mobile device protection is a market of extremes. For endpoint, a mature market exists where almost every SME and large enterprise has deployed security protection. At the other end of the scale, the smartphone and tablet device management and security markets and associated application protection sectors provide huge opportunities.

The five dimensions of the market impact diagram provide opportunities for most of the vendors in the report to make a contribution. Unsurprisingly, the revenues dimension remains firmly in the control of the big two vendors in the security arena: Intel Security (McAfee) and Symantec. These behemoths of the endpoint and mobile device protection space deliver revenue returns that are double the size of their nearest competitors. Both have endpoint and mobile device protection as a core revenue source and sell into both business and consumer markets.

That said, the revenue growth dimension tells a completely different story. Some of the smaller, more fleet-of-foot players such as Webroot have reported very large percentage revenue growth figures, albeit from a very small base point, growth figures that the established market leaders cannot hope to compete with. More reasonable revenue comparisons see Kaspersky Lab outshining the other market leaders. Kaspersky is followed by AVG, with its large customer base in the consumer and business markets (with free and paid-for offerings), Sophos, with its mainly business focus, and ESET, as the champion of the SME community.

The other three market impact dimensions (geographical penetration, size-band coverage, and vertical penetration) also provide different leadership opportunities. The geographical dimension was led by Symantec, closely followed by Kaspersky Lab and Intel Security (McAfee). F-Secure was perhaps the surprise leader in the size-band coverage space alongside Intel Security (McAfee), with Symantec and Trend Micro also in contention. Vertical penetration was an evenly contested dimension, with ESET slightly ahead of Trend Micro, and Intel Security (McAfee), Kaspersky Lab, and Sophos close behind.

Vendor analysis

AVG (Ovum recommendation: Follower)

Figure 6: AVG radar diagrams
Source: Ovum

Ovum SWOT assessment

AVG has been offering its CloudCare endpoint protection service to SMEs for just over a year. The solution has been built using the vendor's historic strength in anti-virus, with content filtering, filtering and archiving, and online backup all added as the service went from consumer-only to having a business-customer dimension. The company is now adding remote monitoring and management (RMM) capabilities for smartphones and tablets. However, it currently has no plans to add general endpoint and mobile device encryption facilities, and Ovum wonders whether it may need to review this position given the growing importance of encryption in the wake of the Edward Snowden revelations.

Strengths

AVG CloudCare goes beyond security-as-a-service.
AVG CloudCare is a security-as-a-service offering, with the advantage of being part of an integrated platform offering access to a wide range of other IT management functions via the same central console. In addition to traditional edge security functionality (AV, anti-spam, anti-spyware, content filtering, firewall, and IPS) it offers archiving and backup, as well as encryption for sectors such as legal and healthcare.

AVG is an established name in malware protection.
AVG is a credible provider of edge security-as-a-service, given its long pedigree in malware protection. Furthermore, it has enhanced its offering through M&A activity and successfully integrated the acquired technologies into its portfolio.

Weaknesses

We need to hear more about advanced threats.
AVG has yet to say anything about advanced threat protection, i.e., protection against the kinds of threats that have not yet been formally identified as such, so have had no signature developed for them. Other competitors in endpoint protection, including some in the security-as-a-service segment, already have the technology to meet this requirement.

AVG's absence from the enterprise market reduces its overall reputation.
AVG is well known in the IT industry, thanks in part to the pervasive nature of its freeware version. It is also a respectable name in the licensed software market, though it is not a heavyweight competing across the board; it does not seek to address the high-end corporate market. Although this focus on SMEs is a differentiator, it does make it harder for the company to establish its credentials as a mainstream provider of endpoint protection.

Opportunities

An endpoint protection service can win hearts and minds right now.
Endpoint protection is delivered by a large number of vendors, but currently not all of them have a credible service offering, which is particularly important in the SME segment. A simple, integrated service offering with credible anti-virus protection has greater resonance than on-premise technology.

Endpoint protection is changing, opening the market for challengers.
The market for endpoint protection technology is expanding as workforces of all sizes go more mobile. High-profile security breaches also increase the perception that enterprise vulnerability starts at the end-user device. SMEs are not necessarily looking to their existing edge security providers to provide endpoint protection across all the new device types, which creates an opportunity for displacement by another vendor such as AVG.

Threats

It is easier to swap out a service than an on-premise platform.
With the threat landscape in continuous evolution, there is a need for any endpoint protection technology platform or service to develop new functionality in order to remain relevant. Although AVG has made a good start with the CloudCare service, there is always the risk of another competitor coming along with something even more compelling. AVG understands that it tends to be easier to switch service providers than on-premise technology platforms, which is why it has worked hard to expand its offering to include stickier services, such as online backup and RMM.

Staying ahead of the threat landscape is challenging.
The Dutch-headquartered, NYSE-listed company reported net income of $63.7m on revenue of $407m in 2013, so it is not a small player in the IT security market, but neither is it among the largest. As such, it must allocate budget for research into new threats and attack techniques. It may be overtaken by either a larger entity with greater investment clout or a small start-up with a more focused approach to particular types of attack, as happened when FireEye stole a march on more established vendors with its approach to advanced persistent threats (APTs).

ESET (Ovum recommendation: Challenger)

Figure 7: ESET radar diagrams
Source: Ovum

Ovum SWOT assessment

ESET's Secure Enterprise and endpoint protection products offer heuristic-based detection technology with a light touch that does not slow down everyday business machines, leaving more resources for the business applications that need to draw on the available power.

The product set is relevant to large enterprises, but the core business market for ESET is the SME space, where it understands the protection requirements and the likely shortfall in support services. It also recognizes the threats faced by a sector that is often short on IT resources but has significant financial/intellectual property that requires protection. Customers mainly choose ESET because of its ease of use, small footprint, and high detection rates.

Strengths

ESET offers good levels of product integration and functionality. For business clients, ESET provides an integrated range of endpoint and gateway protection solutions. Anti-malware and anti-spam, intrusion prevention, web content filtering, and personal firewalling facilities are available, supported by the company's central user and device management ESET Remote Administrator console.

Heuristic technology adds to the overall solution. Innovation and heuristic protection extend the range of core malware services that ESET is able to provide. As well as comparing potential malware to known virus signatures, ESET protection products use heuristics in detecting malware and associated security threats.

ESET supports a broad range of business and consumer platforms. ESET supports Microsoft Windows, SharePoint, and Exchange; Mac OS; Linux; and Android for smartphones and tablets. BYOD has resulted in converged business and consumer protection requirements, which ESET supports.

Low impact on endpoint resource is seen as a core strength. ESET describes its approach to endpoint and mobile device protection as fast and unobtrusive. Its emphasis is on providing security solutions that don't slow users down and leave more resources available for the applications.

Weaknesses

ESET often sits under the business user's radar. Although well respected by industry experts and analysts, the ESET profile remains far lower than many of its larger mainstream competitors, so it may miss out on being shortlisted by enterprise organizations and some SMEs looking to work with a market leader.

Malware protection services need to be extended to include data protection. A lack of investment beyond core malware protection makes the solution less competitive. Leading players in the endpoint protection space often provide their own DLP and encryption solutions. ESET partners with DESlock to offer a range of encryption services; it does not provide DLP, but it does offer secure authentication facilities for accessing data from external locations.

Opportunities

Extending its market beyond EMEA provides opportunities for ESET. ESET has an established and substantial installed base across Europe, particularly in Eastern Europe. The company is now growing its presence in North America, focusing particularly on providing specialist solutions to two key industry verticals: healthcare and finance.

SMEs need better control of mobile usage. The SME sector has a strong interest in the success of BYOD. BYOD usage opens up the market for vendors such as ESET that can provide device and user management controls that link users to their registered devices and control access to business systems.

Threats

Lack of all-round coverage could restrict progress. Although ESET provides a good range of anti-malware protection solutions that are relevant to the SME sector, its lack of focus in associated markets such as DLP is likely to restrict further progress in the enterprise market.

Increasing market focus on the use of security intelligence needs to be addressed. As the effectiveness of signature-based detection solutions continues to decline, more use is being made of security intelligence and analytical detection techniques. ESET supports its security operations from research centers in Montreal, Buenos Aires, and Singapore, and its largest research center at its company headquarters in Bratislava, Slovakia. To keep pace with market requirements, even more focus on these sources of security intelligence and analytics will be needed.

F-Secure (Ovum recommendation: Challenger)

Figure 8: F-Secure radar diagrams. Source: Ovum

Ovum SWOT assessment

F-Secure has a long and respectable track record in combating malware, and its core Protection Service for Business (PSB) solution has now been in existence for nearly a decade. With its DeepGuard technology, F-Secure was among the first security vendors to identify the need to go beyond signatures. The PSB service is clearly crafted for the SME market, and Ovum believes that companies in this segment should consider it as a serious alternative, particularly if they are looking to move away from on-premise technology.

Strengths

DeepGuard builds in proactive defense. DeepGuard enables PSB to get ahead of the curve in detecting potential security exploits, and F-Secure was among the first to recognize the need to be proactive about protection from malware: DeepGuard is currently at version 5.0.

PSB has patch management free of charge. PSB comes with a Software Updater (SWUP) capability providing patch management, which the company considers to be a significant differentiator. SWUP is provided with the workstation version of the service at no extra cost to the customer.

F-Secure is known as a channel player. F-Secure is renowned for its security research capabilities and has a longstanding commitment to the channel as its route to market. It also has well-established relationships with major telecoms operators from its consumer anti-virus business, making them natural candidates for delivering PSB to small business customers.

Weaknesses

PSB has no encryption. PSB does not currently offer encryption, and this may become a more pressing requirement in the wake of the Snowden revelations and the Target breach.

Reliance on the channel is a double-edged sword. The challenge for F-Secure in offering an endpoint security service entirely through its channel is that it must manage its partner network well: a disgruntled or incompetent partner may sour the customer relationship, even though it is F-Secure's name that is on the service.

Opportunities

SMEs are more open to the attractions of a service. Endpoint protection is becoming an increasingly essential part of a company's IT security, whether a large enterprise or an SME. Smaller firms, however, have far smaller budgets so are more inclined to consider security delivered as a service, whereas the larger entities may still prefer an on-premise arrangement.

Non-US customers look more kindly on local vendors after Snowden. The fallout from the Snowden revelations outside the US means that customers are liable to consider a non-US supplier with more enthusiasm than before. Ovum sees concerted efforts by tech vendors in countries such as Germany and France to capitalize on this sentiment, and, as a European company, F-Secure can and should do the same.

Threats

New types of threats to endpoints are emerging all the time. The threat landscape is in continuous evolution, with new threats, vectors, and methodologies emerging almost daily. Keeping up with the pace of change is challenging, and today's industry heavyweights can rapidly become tomorrow's has-beens. Other, nimbler technical solutions may come along and capture market attention, as happened with FireEye in the APT space.

US competitors are larger and have deeper pockets. Vendors from outside the US must compete for business anywhere in the world with firms that have much bigger budgets for research and development, not to mention greater marketing clout. When competing in the US market itself, they also face the challenge that the customers tend to prefer a locally developed product far more than products developed in other parts of the world.

IBM (Ovum recommendation: Challenger)

Figure 9: IBM radar diagrams. Source: Ovum

Ovum SWOT assessment

IBM offers an extensive range of security products: it owns and is able to deploy more business protection solutions than most specialist security vendors. Product additions relevant to the security, management, and protection of endpoint and mobile devices include the recent Fiberlink MaaS360 acquisition, which helps broaden and define its enterprise mobility and security management strategy. The integration of WorkLight, which offers support and secure access to consumer and employee-facing applications across a broad range of industries, and the extension of AppScan capabilities, to deliver mobile security testing throughout the functional lifecycle of mobile and web applications, add to the overall value proposition.

IBM is far too easily positioned as mainly a supplier of technology solutions to large enterprises. However, its infrastructure security services practice is experienced in providing protection solutions and security intelligence and monitoring services that are relevant to organizations of all sizes.

Strengths

IBM takes a holistic position on the security and management of mobile users. From core malware protection for endpoint and mobile devices through to the management of devices, the applications they are allowed to run, and user access to business systems, IBM has products and supporting services that are relevant to enterprises and their security support needs.

Fiberlink MaaS360 adds new levels of management and control. The addition of Fiberlink MaaS360 to IBM's mobile management and security capabilities provides enterprise organizations with the facilities to securely manage mobile devices, networks, applications, and content.

WorkLight provides support and secure access for mobile users. Unified device and user management facilities are provided using the WorkLight product set, as is integration with, and access to, core enterprise services.

Separation between business and personal use is a key issue. BYOD, and the ability to separate business and personal data when using a common device, is an issue that the security industry has so far struggled to address. IBM provides policy-based security controls that deal with dual persona requirements, separating personal and business information through a containerization approach to data protection.

IBM X-Force security research provides insight into the latest security risks. IBM X-Force security research monitors and analyzes security issues from a variety of sources. Its information is made available to customer organizations and research partners to provide a better understanding of the latest security risks and emerging threats.

Weaknesses

The safe removal of business data from personally owned devices remains a problem. Although significant progress has been made in safely wiping business data from user-owned mobile devices, when looking to achieve a legally defensible position, IBM (like every other endpoint and mobile security vendor) has further work to do. It is looking to address this through the combination of facilities provided by the Fiberlink MaaS360 and Endpoint Manager products.

Central management is part of the roadmap. A lot of work has already been done to integrate the most recent product acquisitions and provide a unified platform for endpoint and mobile device management. However, until this work is completed, the overall solution is not able to offer a single management console approach to user and device protection.

Opportunities

IBM has prepared a comprehensive roadmap strategy for endpoint and mobile security. IBM's single-vendor strategy for endpoint and mobile device protection is well advanced. It already has most of the pieces in place and provides the opportunity to build an integrated range of facilities and services that go beyond what most of the company's mainstream competitors are able to offer.

Mobile device protection continues to improve. Mobile device protection and management services continue to improve, but progress is not universal across all platforms. Significant improvements in Android environments are being made, with many more innovations still to come. For iOS and Windows Phone, the existing gateways maintain a more secure position, but at the same time they continue to restrict development opportunities for third-party providers.

Threats

Core protection services are provided by business partners. Anti-malware facilities are provided and made available through selected third-party products. This approach offers best-of-breed opportunities, but also makes IBM reliant on external partnerships and vulnerable to outside influences.

Future application protection requirements need to be addressed. Mobile applications are already being targeted by malware writers. This situation will only get worse as new vulnerabilities are found. The security sector is currently constrained in the levels of protection that can be provided by the gateway controls imposed by the iOS and Windows Phone platforms.

Intel Security (McAfee) (Ovum recommendation: Leader)

Figure 10: Intel Security radar diagrams. Source: Ovum

Ovum SWOT assessment

Intel Security offers an extensive range of endpoint/mobile device protection products. It would be the first to admit that there is no complete answer to business concerns caused by BYOD usage. However, in line with the company's mature range of endpoint security solutions, its mobile device protection and enterprise mobility management (EMM) coverage is advancing rapidly.

Intel Security has a three-point strategy for dealing with endpoint protection that is relevant to SMEs as well as large enterprises. It looks to provide support for all devices irrespective of type or location, and security is available at all levels from chip to OS to the cloud, with ePO delivering the management and control components.

Strengths

Enterprise management, scalability, and performance drive the Intel Security solution. Intel Security provides connected business security solutions that are appropriate for organizations of all sizes. Its core protection products and forensic security intelligence services address known and unknown threat activity, while ePO deals with security management and links to associated helpdesk and ticketing systems. Its cloud-based intelligence and support facilities deliver fast-to-deploy remediation services.

Proactive protection and automation support the Intel Security service delivery message. Intel Security takes a proactive approach to endpoint protection. Its automated management services provide monitoring facilities that allow administrators to view the status of all endpoint devices, identify vulnerabilities, and prioritize remediation. Where vulnerable endpoint devices are identified, targeted updates are pushed out for delivery from the cloud.

Intel Security links users to all their registered endpoint devices. The Intel Security ePO security management solution allows appropriate security controls to follow each user, irrespective of the endpoint device or devices they choose to use. It maintains control over all registered endpoint/mobile devices and provides the management components that link users to their PCs, laptops, tablets, and smartphones.

End-to-end device and data protection is maintained. Intel Security retains responsibility for all endpoint/mobile devices under its control and the data they hold. This is a full lifecycle relationship between each user and the business. It controls access rights, protects data during operational use, and ensures that identities can be disabled, business data wiped, and systems access revoked when users leave an organization or a device is declared lost or stolen.

Weaknesses

Security vendors are struggling to manage the BYOX generation. A realistic view of the MDM sector and the EMM market highlights shortfalls in today's mobile device protection services. There are limitations to the involvement that security vendors such as Intel Security are allowed to have on closed platforms such as iOS. However, significant progress is being made in the levels of protection that are now being applied to open environments such as Android.
Commoditization of core security products reduces differentiation opportunities. Commoditization and functional commonality within core components of the malware protection market reduces the opportunities to present individual security products as having significantly better features or levels of performance. This is highlighted by industry reports that tend to show performance differentiation between tier-1 vendors falling within a single percentage point.

Opportunities

Intel Security takes an open-market approach to business clients and their users. Intel Security clients operating in the public and private sectors range from small businesses to large enterprises. All have the opportunity to work with Intel Security as a single source of security protection or as a provider of specific security solutions that can operate alongside existing protection technology.

Large enterprise organizations are looking for integrated protection. At the large-enterprise level, there is a growing interest in reducing the number of security vendors with which each organization needs to work. For Intel Security, with its enterprise-wide security platform, this provides the opportunity to be positioned as the single connected platform provider both for endpoint and network security and for the provision of a complete security management infrastructure.

Endpoint data protection provides further integration opportunities. Intel Security offers an extensive range of host and network-based DLP and data encryption technology. Mobile device data protection extends to the use and management of secure containers. Initial encryption limitations have been addressed and coverage now extends to native encryption protection across the Android environment, with other platform opportunities following on.

Further improvements in application protection can be addressed. Intel Security already has mobile application control facilities that can be used to block or bar selected mobile applications by maintaining control over which apps are acceptable to the business. There are further opportunities to extend platform coverage, but the closed iOS environment is likely to remain a challenge.

Threats

Protection solutions that rely on signature-based updates are becoming less effective. As with all mainstream protection providers, the components of the Intel Security solution that rely on signature-based updates have become less effective, and the value of the protection they provide is in decline. However, Intel Security has recognized these issues and is responding to the all-round protection requirements of businesses and their users through its extended range of user and data protection products, including its endpoint and server-level whitelisting facilities.

Future application and mobile device protection requirements will need to be addressed. Mobile devices and the apps they use to deliver their services are already being targeted by malware writers, a situation that will only get worse. The security marketplace is currently limited by market constraints in the levels of protection that can be provided. Intel Security has already made significant progress in its mobile protection services. It can scan devices and identify and deal with rogue apps, but full platform support is limited by the closed iOS environment.

Kaspersky Lab (Ovum recommendation: Leader)

Figure 11: Kaspersky Lab radar diagrams. Source: Ovum

Ovum SWOT assessment

Kaspersky Lab is an endpoint/mobile device security specialist. The company retains its core strength in anti-malware protection by combining traditional signature-based security with the latest proactive and heuristic protection to deliver multi-layered, fast, and responsive defenses. The Security for Business Advanced edition of the product set includes vulnerability scanning, patch management, and data encryption services.

At a time when business and personal device usage merges and overlaps, it is important for organizations to work with vendors that can protect corporate data alongside personal information that belongs to the individual. Kaspersky Lab provides security solutions for business and personal use, and in the business sphere it is relevant to small, medium, and large enterprises.

Strengths

Good malware detection performance remains a key advantage. Kaspersky Lab has a strong reputation for the quality and the effectiveness of its threat protection facilities, regularly appearing at the head of independent malware detection tables. Supported by a low-scanning footprint and proactive, cloud-assisted update services, the product maintains good performance rates when measured against direct competitors.

Cloud-based research and analysis centers add security intelligence to endpoint protection. Kaspersky's global security management centers bring security and security intelligence from the cloud to the endpoint/mobile device protection arena. Kaspersky Lab expertise is used to identify new and malicious malware threats at the earliest opportunity and formulate rapid security responses before attacks take place. Customers get security information as well as faster updates using Kaspersky's cloud-based services.

Whitelisting and blacklisting strengthen the Kaspersky Lab offering. Strong relationships with the software community allow a high percentage of business applications to be accurately classified as safe by Kaspersky Lab, enabling it to make effective use of whitelisting and blacklisting technology. This strengthens Kaspersky's overall security position and increases its levels of accuracy when identifying malware and determining what remedial actions need to be taken.

Central management facilities control which users and devices are acceptable. Not previously recognized as the strongest area of the Kaspersky Lab offering, central management facilities now control user and device elements of endpoint/mobile security. This is particularly relevant because of the requirement to create rule and policy controls that can be applied to all users and their devices, and to which each device must comply before access to business systems is allowed.

Weaknesses

DLP remains outside the scope of this solution. The Kaspersky Lab Endpoint Security for Business solution includes disk and file-level encryption facilities to reduce data loss opportunities if an endpoint/mobile device is lost or stolen. However, Kaspersky Lab does not extend its data protection approach to include DLP technology during everyday use.

The removal of business data from personally owned devices needs more work. Although Kaspersky Lab has made significant progress in the last two years in mobile data wipe technology and the separation/containerization of business and personal data on mobile devices, more development work is required. Like all other endpoint security vendors, it needs to find and maintain a legally sustainable position when separating personal and company data for secure removal.

Opportunities

The mobile device and BYOD market continues to grow and evolve. As more organizations accept the reality of BYOD initiatives that allow employees and business partners to use their own devices to access corporate business systems, the requirement for device protection, management, and usage controls grows. Kaspersky Lab already offers its security and mobile management services and is extending these, but there are further opportunities for improvement when dealing with business access and data protection requirements.

Maintaining Kaspersky's reputation will offer new opportunities. In the endpoint security marketplace, Kaspersky Lab has built up a solid reputation for providing no-nonsense, high-performance user and device protection systems. Its high malware-detection rates are being achieved in a market of declining performance. This puts the company in a strong position as it extends user and device protection to the growing range of mobile tablets and smartphones being used across business markets.

Threats

Endpoint protection that relies on signature updates offers few attractions. Even though Kaspersky's signature-based malware detection performance outstrips mainstream competitors, this is a declining market that offers performance efficiencies that will struggle to keep up with current and future threat levels. Kaspersky Lab acknowledges these issues and is responding using its extended range of user and device protection products.

Mobile application protection will be the next battleground. The improvement of mobile application protection requirements will need to be addressed as malware writers look for new and softer targets. Because of the closed nature of the iOS and Windows Phone platforms, mainstream security vendors are limited in the levels of security that can be provided. Significant improvements have been made on Android, but this also remains a difficult market.

Sophos (Ovum recommendation: Leader)

Figure 12: Sophos radar diagrams. Source: Ovum

Ovum SWOT assessment

Sophos offers an integrated range of endpoint security and EMM solutions. The products included in its Enduser Protection Suites bring together protection technology that focuses on the needs of business organizations and their users. It combines the use of on-site and cloud-based malware-detection technology with intelligence-led activity that monitors spam and malware and identifies vulnerabilities in applications and websites.

Security rules affecting patch assessments, host intrusion prevention systems (HIPS), and application controls are maintained and updated centrally by SophosLabs analysts, based on daily threat analysis. This approach minimizes the impact on customers and supports ease of deployment.

Strengths

Sophos offers a range of integrated security products that address business needs. Sophos focuses on the protection of endpoint and mobile devices operating in business environments, the data they hold, and their users. It combines endpoint, server, and mobile device security with data protection and encryption services within a single platform solution. The company has also launched Sophos Cloud, which provides a unified solution for endpoint security (for Windows and Mac), web filtering, and mobile device management from a single cloud console.

Platform coverage is extensive across endpoint and mobile devices and systems. Platforms protected include Windows, Mac, Linux, UNIX, and virtual endpoints, extending to SharePoint and Exchange, and email and web gateways, as well as leading mobile platforms including Android, BlackBerry, iOS (iPhones and iPads), and Windows Mobile devices.

Endpoint and mobile device protection share a common environment. Core endpoint protection for PCs and laptops sits alongside mobile device security and management facilities that support and enable BYOD services facilities for smartphones and tablets. Facilities include secure access to email and data, policy application and usage controls, DLP and encryption, and secure device management for tracking, locking, and wiping lost or stolen devices.

SophosLabs provides global security intelligence services, support, and expertise. Sophos has a good reputation for technical support and service, all of which is supported by the expertise on offer from SophosLabs. Its analysts provide constant monitoring and security intelligence services. Their role involves detecting vulnerabilities, offering security advice, and fine-tuning protection systems to address new and emerging threats.

Weaknesses

Sophos does not have the visibility that other mainstream competitors have achieved. Focusing almost entirely on the protection of business users has its drawbacks in terms of consumer market visibility. Sophos lacks profile and visibility compared to direct mainstream competitors that also compete in the consumer markets. It does, however, offer free products under the Sophos Anti-virus home edition for consumers.

It retains its SME and mid-market profile. The core market for Sophos continues to be organizations with 100-5,000 users. Although it also has a number of large enterprise customers including Avis, Ford, Northrop Grumman, Toshiba, and Xerox, it continues to be mainly perceived as an SME player rather than a large-enterprise player.

Opportunities

Opportunities to expand within the mobile device security market continue to grow.
Mobile device usage and BYOD initiatives continue to cause security and management problems across most business markets as more users and devices require business access and protection. Sophos already provides security and MDM facilities and is well positioned to extend its range of user, device, and data protection services.

The recent acquisition of Cyberoam adds depth to the company's security portfolio. The Sophos protection platform brings together an integrated range of endpoint, server, mobile, data protection and encryption, email, web, and network security solutions. The recent addition of Cyberoam's network and unified threat management (UTM) technology adds further depth to the company's security portfolio.

Threats

Reducing the reliance on signature-based protection is important. Even the best signature-based malware detection solutions struggle to maintain effective levels of performance against the latest generation of APTs. Sophos recognizes these issues and is responding through the increased use of security intelligence, monitoring, and device and application protection solutions, which it maintains alongside a robust line of UTM products.

Industry-wide, more effective application protection solutions are needed. Mobile apps are already seen as a prime target for malware writers, and this situation will evolve as new mobile vulnerabilities are identified. More work is needed by all concerned in this area because, although improvements continue to be made in the more open Android environment, the security sector is currently constrained in what it can achieve by the gateway controls imposed on the iOS and Windows Phone platforms.

Symantec (Ovum recommendation: Leader)

Figure 13: Symantec radar diagrams. Source: Ovum

Ovum SWOT assessment

Users, their devices, and the data they hold all need to be kept safe from malware. Endpoint and mobile device users with access to business systems are constantly being targeted by hackers hoping to steal valuable corporate information. The Symantec portfolio of security solutions enables organizations to take an enterprise-wide view of their protection requirements.

Organizations that are looking to select a solution for infrastructure and data protection, endpoint management, enterprise security and mobility, and security/information intelligence can source all components and supporting management structures from a single supplier. Symantec offers a number of product bundles to help organizations simplify the selection process. Technology decision-makers can use a traditional on-premise approach, take SaaS options, or work with a managed security services (MSS) partner.

Strengths

Endpoint management covers the key components of client and server security. Symantec Endpoint Security provides the security and management controls to protect business systems and users, their endpoint devices, and the servers being accessed. It offers IT management, client and server management, and asset management services. Coverage extends to the delivery of security updates and patch management, and can be underpinned by self-service and managed service-desk facilities.

Enterprise mobility brings together business and personal protection. The Symantec mobile management suite secures and controls mobile devices and protects users. It integrates and combines MDM with mobile security management. It provides user and application protection facilities, and its security products protect personal and business use. Data protection is available and supported by information-centric security, governance, and usage policies.

Infrastructure protection addresses critical systems as well as endpoint devices. Corporate infrastructure protection requirements are wide-ranging. Symantec coverage starts with critical system protection, takes in network-attached storage (NAS), SharePoint, and cloud services, and includes everyday endpoint devices.

Data protection helps improve the security, risk, and compliance position. Symantec offers DLP, data encryption, and key management protection for data on the move, at rest on servers, endpoints, and mobile devices, and held in storage and backup vaults. Information and access is protected by a portfolio of risk and compliance management facilities including Symantec Control Compliance, Vulnerability Management, Risk Management, Vendor Risk Management, and Standards and Assessments Management.

Weaknesses

Mobile device, application, and user protection has matured but more work is needed. Improvements continue to be made to the levels of protection that can be afforded to mobile devices and mobile apps. BYOD and multi-device usage all add to the control issues, but there will remain limitations on what can be achieved by the security vendors for as long as suppliers such as Apple and Windows Phone maintain a closed platform approach. On the positive side, much-needed security improvements are being made in the protection space that can be applied to open environments such as Android.
It matters little which anti-virus solution organizations choose. Most anti-malware products have a common look and feel. The perception is that there is little to choose between them in performance levels, speed of update, or effectiveness at dealing with new malware. Overall performance levels continue to decline, and industry reports show this to be a cross-industry problem, with little discernable difference between tier-1 vendors. Symantec looks to improve its own position with its Insight technology, which has access to information from over 200 million computers, and Symantec Online Network for Advanced Response (SONAR), a rules-based product that focuses on identifying suspicious behavior. Opportunities Symantec pushes forward with its managed adversary and threat-intelligence services. Symantec s latest subscription-based security intelligence and analytics service will offer new threat visibility services, delivering insight into the key risks posed against business assets. Its managed adversary information services provide priority reports on key threat actors. It offers information on the types of attack that are likely to affect each organization and confirms the remediation actions required. The service is scheduled for release in 3Q A new focus on ATP is set to improve detection and remediation rates. Symantec is developing its new ATP strategy to improve endpoint, , and gateway security. The focus is on improving Page 29

30 detection, remediation, and response capabilities. Two new services will be made available: the Dynamic Malware Analysis Service (DMAS), which provides a cloud-based multi-platform sandbox environment; and Synapse, which smooths and improves communications between endpoint, , and gateway systems. Threats Mobile device protection needs more focus on application vulnerability. Mobile apps are targeted as the next malware battlefield. Application protection shortfalls and a lack of management and control mean this situation will get worse. Across the security industry there are currently protection shortfalls, and while Symantec remains a market leader in the promotion of application protection, more needs to be achieved. Trend Micro (Ovum recommendation: Leader) Figure 14: Trend Micro radar diagrams Source: Ovum Ovum SWOT assessment Trend Micro has amassed a significant portfolio of endpoint protection technologies and related offerings for the edge of the corporate network (for , web, IM, and SharePoint security). Now it is simplifying the way these products are acquired and facilitating their use in hybrid on-premise and cloud deployments, making its Complete User Protection suite a compelling offering for its target customers in the midmarket. The Custom Defense portfolio, meanwhile, offers customers protection from the advanced/targeted threats that are constantly emerging. This currently entails further licenses for software and, in some cases, appliances, but there is no additional fee for integration with Complete User Protection or Page 30

31 intelligence sharing between the two product sets. Similarly, the Cloud and Data Center Security portfolio covers protection for servers, and again this will mean further licenses, but provides information sharing across the environments at no additional cost. Strengths Complete User Protection boasts extensive functionality and has now been further enhanced. In addition to traditional signature-based anti-malware, vulnerability protection, sandboxing, command-and-control server blocking, behavioral monitoring, device policy, DLP, device policy enforcement, web reputation (whitelisting and blacklisting) and encryption, Trend is this year adding application control and browser exploit protection to Complete User Protection. It is also expanding the capabilities of the Custom Defense portfolio with new software modules and appliances that fill out the feature set. Trend has deep expertise, and it has acquired further capabilities judiciously. Trend has a good track record in malware research and has acquired additional functionality, including DLP and encryption, while also engaging in ongoing internal development. It has been more successful in integrating the technologies it gained through M&A than some of its larger competitors. Weaknesses Full endpoint protection is spread across the three pillars. While Complete User Protection handles the bulk of endpoint protection requirements, advanced/targeted threats are addressed within Custom Defense, and server protection spans both the Cloud and Data Center Security portfolio and, to some extent, Custom Defense. Although this may make sense organizationally, it leaves Trend open to the criticism that multiple licenses are required, where other competitors can offer it all under a single contract. Trend is not at the top table everywhere. 
Trend lacks the market presence of some of its major competitors in some regions: the most recent Ovum security market survey ranks it in the global top-five security companies and puts it at number three in Asia-Pacific. Trend does not, however, make the top group in the all-important Americas markets. That said, some market surveys suggest it is in the top five in North America for endpoint protection, considered in isolation. Opportunities Enterprise mobility is expanding. As companies move to an increasingly mobile workforce that demands enablement, IT departments often have to bring on multiple new point solutions to manage and secure the devices, representing additional expense and complexity, with new consoles and servers to support mobile workers. The Complete User Protection portfolio combines mobile device management and security, which saves budget and streamlines user management and security. In addition, advanced threats are more likely to include mobile as an attack vector, so a single unified view of information from all endpoints allows IT managers to correlate data and identify advanced threats as they happen. There is clearly scope for technology such as Trend s. Many customers, particularly those in the midmarket, will already have some technology in place to provide security. However, as their estate of mobile devices becomes more diverse, with the additional of smartphones and tablets, for instance, they may seek another provider with more a more comprehensive offering, or they may simply be dissatisfied with their current provider s level of service. Page 31

Trend is an established name on most companies' radars. If a midmarket customer is looking for an alternative to its current provider of endpoint protection, it is very likely that people in its IT department will at least be aware of Trend and know that it is in this space, so establishing its credentials should not be an issue in the way that it might be for a start-up. Now that it is simplifying its portfolio and making its licensing across on-premise and cloud more straightforward, there is an opportunity for channel partners to capitalize on this familiarity with its brand.

Threats

The threat landscape evolves quickly. The IT security market, just like the threats themselves, is continually evolving. As such, a new type of attack can emerge and flummox enterprise security vendors, creating a market opportunity for start-ups and new players (as with APTs and FireEye, for instance). To remain abreast of market needs, Trend must be continually alert to new developments in attack techniques and vectors, to avoid being rendered irrelevant until it can buy or build the new capability. So far it seems to be doing a fairly good job of evolving with the threats, as evidenced in the scores it achieved in the recent AV-Test report.

Being well established can easily slip into looking outmoded. Trend is an established brand, which can work in its favor: its reputation precedes it. That said, there is always the risk in IT that younger, funkier companies will appear to steal the thunder of the older competitors, painting them as fustier and less agile. It therefore behooves Trend to continually update its image and keep it fresh. That does not equate to dressing younger than its age, but to maintaining a market perception of being relevant by its insight and expertise.

Webroot (Ovum recommendation: Follower)

Figure 15: Webroot radar diagrams
Source: Ovum

Ovum SWOT assessment

Webroot offers a different approach to endpoint protection: its lightweight agent does not rely on downloaded signatures, making it faster to deploy and easier to manage. It is more genuinely a cloud-based protection system: it carries out the analysis of anything new on the endpoint, as well as using Webroot's Threat Intelligence Network for contextual threat information.

Strengths

Webroot's small client footprint is a key differentiator. At 750KB, the software client for SecureAnywhere is not just much smaller than anything from the company's direct competitors in endpoint protection (the company reckons the nearest competitor is the Panda Cloud service from Spain's Panda Software, with a 128MB client). It reveals a fundamentally different approach to the problem of protecting endpoints: the on-device software does not rely on malware signatures downloaded from the vendor's database and compared with code that has found its way onto the endpoint via email or web browsing. Instead, it sends a hash of whatever is different on the device from the last time it inspected it to a cloud-based service for scrutiny.

Webroot focuses on the main requirements of endpoint security. Although it has been on the acquisition trail in recent years, Webroot is still a lot smaller and more focused than some of the leading competitors in endpoint security, which have assembled a dizzying array of technologies by frequent trips into the M&A market. As such, it does not run the risk of losing focus or being unable to manage the integration of its acquisitions.
