World Patch Management Products Market

Transcription

1 World Patch Management Products Market January 2009

2 Disclaimer Frost & Sullivan takes no responsibility for the incorrect information supplied to us by manufacturers or users Quantitative market information is based primarily on interviews and therefore, is subject to fluctuation. Frost & Sullivan Research Services are limited publications containing valuable market information provided to a select group of customers in response to orders. Our customers acknowledge, when ordering, that Frost & Sullivan Research Services are for customers internal use and not for general publication or disclosure to third parties. No part of this Research Service may be given, lent, resold or disclosed to non-customers without written permission. Furthermore, no part may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, electronic, mechanical, photocopying, recording or otherwise, without the permission of the publisher. For information regarding permission, write to: Frost & Sullivan 2400 Geng Road, Suite 201 Palo Alto, CA United States 2009 Frost & Sullivan. All rights reserved. This document contains highly confidential information and is the sole property of Frost & Sullivan. No part of it may be circulated, quoted, copied or otherwise reproduced without the written approval of Frost & Sullivan. 2

3 Certification We hereby certify that the views expressed in this research service accurately reflect our views based on primary and secondary research with industry participants, industry experts, end users, regulatory organisations, financial and investment community, and other related sources. In addition to the above, our robust in- house forecast & benchmarking models along with the Frost & Sullivan Decision Support Databases have been instrumental in the completion and publishing of this research service. We also certify that no part of our analyst compensation was, is or will be, directly or indirectly, related to the specific recommendations or views expressed in this service. 3

4 Table of Contents Executive Summary Introduction 08 Market Dynamics 10 Market Forecast 12 Summary of Major Findings 13 Strategic Analysis of the World Patch Management Products Market Market Overview 15 Market Summary 16 Market Definitions 17 Market Engineering Analysis 20 Market Dynamics 21 4

5 Table of Contents (Contd ) Industry Challenges 22 Market Drivers 24 Market Restraints 27 Legal Trends 29 Technology Trends 31 Distribution Channels & Partnership Trends 32 Market Trends & Forecasts 36 World Market Forecasts 37 Regional Market Forecasts 39 Vertical Market Forecasts 48 Pricing Analysis 51 5

6 Table of Contents (Contd ) Competitive Analysis 52 Market Share Analysis 53 Competitive Landscape 56 Market Leader 57 Market Challengers 59 Market Contenders 63 Market Specialists 67 Database of Key Industry Participants 69 Strategic Recommendations 73 Strategic Recommendations 74 About Frost & Sullivan 75 6

7 Executive Summary 7

8 Introduction Patch Management Patching is a critical task in terms of both network security and IT operations. Software vendors are constantly releasing a wide array of software updates and fixes to correct security flaws or improve functionality. The number of security vulnerabilities reported has been at an overwhelming level and continues to rise year-over-year. The following chart shows the number of vulnerabilities reported by quarter from 2004 to The patching process has been well documented to include the tasks of acquiring, testing, and installing multiple patches on IT systems. Considering the number of unique systems in an organization and the number of available patches, it becomes clear that medium to large enterprises can incur steep labor costs to maintain these systems. The risk associated with neglecting this task and allowing the successful exploitation of a security vulnerability is far more costly. The value that patch management products provide has long been acknowledged, leading to steady and healthy growth. As an established necessity, the patch management market has reached a maturity stage that ensures stability at the expense of high growth rates. 8

9 Introduction (Contd ) Patch Management Products Market: Vulnerability Reports by Quarter (World), Number of Vulnerabilities Note: All figures are rounded; the base year is Source: Frost & Sullivan

10 Market Dynamics Key Market Drivers and Restraints The key market drivers for the patch management market are: Government and industry regulations specifically require a patch management solution Restricted security budgets favor more established technologies Manual patching is labor intensive for large organizations with hundreds of systems Increasingly mobile and remote workforce creates security issues Repetitive nature of patching requires an automated product The memory of successful, high profile attacks Necessity to enforce policy with technology The key market restraints for the patch management market are: The trend towards consolidation funnels revenues into other product categories Bear market makes investors more cautious about financial ventures Microsoft Windows Server Update Services (WSUS) is free and highly ubiquitous 10

11 Market Dynamics (Contd ) Key Market Drivers and Restraints (cont.) The maturity of this market makes it less appealing for new entrants Focus on regulatory compliance can create a false sense of security Mature markets are less funded for research and development efforts 11

12 Market Forecast Patch Management Products Market: Revenue Forecasts (World), Revenues ($ Million) Growth Rate (%) Revenues ($ Million) Growth Rate (%) Note: All figures are rounded; the base year is Source: Frost & Sullivan 12

13 Summary of Major Findings Key Highlights The patch management market generated revenues of $159.8 million in This is an increase of 9.8 percent from 2007, a healthy growth rate in a bear world market. The patch management market will grow to $261.1 million by The calculated annual growth rate of 7.3 percent over this period indicates that this market is in a period of reduced growth associated with the market stage and pressure from the world wide recession. The importance of system patching has not diminished and will remain a key staple of many security product lines. However, numerous vendors are combining this functionality with more comprehensive product lines. Thus, while the revenue growth does not seem high in comparison to other technologies, this revenue is simply being transferred to other markets. Customers are increasingly less interested in point solutions and are turning to more integrated, broad-scope solutions. As a result, distribution channels are critical for point solution providers. Patch management vendors must compete on features, accuracy and breadth of coverage, rather than on price. Market revenues are decreased by vulnerability management and security configuration management vendors that offer patching capabilities but do not price this separately. 13

14 Strategic Analysis of the World Patch Management Products Market 14

15 Market Overview 15

16 Market Summary Key Highlights The importance of system patching has not decreased and will remain a key staple of many security product lines. However, an increasing number of security vendors are integrating this functionality into more comprehensive product lines. Vulnerability management and security configuration management vendors that provide patching abilities but do not price it separately also contribute to this effect. Thus, while the revenue growth does not seem high in comparison to other technologies, this revenue is simply being transferred to other markets. The patch management products market is in the late growth stage and faces many economic challenges. The market is highly fragmented but the trend of consolidation and economic struggles foreshadow a market shakeout, which would push the market further towards maturity. Due to the trend of cross-product integration and the shift towards broad-scope products, channel sales to value-added resellers and diversified security companies will become the primary source of revenues. There is still a high degree of competition and patch management vendors have continued to improve their products with value-adding features. While the cost of basic patch management products has steadily been falling, the migration towards product suites and added features has caused the average deal price to increase. 16

17 Market Definitions Products Defined Patch management is the process of acquiring software changes (patches) and applying these patches to systems. These products must be capable of maintaining knowledge of available patches, deciding the necessary patches for a particular system, ensuring the patches are effective, testing systems, and documenting this process. Patch management products aide in this process as much as possible and may automate certain functions. This market study will include vendors with patch management products. In accordance with the above definition, only revenues generated directly from the sale of patch management products are counted in the market size and forecasts. Revenues from related products such as vulnerability management or configuration solutions are not included as Frost & Sullivan covers these markets in other market studies. In order to avoid double counting, Frost & Sullivan will only be counting revenues derived from the primary sale of patch management products through direct channels or to channel partners. Revenues from VARs and other distribution channels will not be included. The following chart illustrates how patch management fits into the world security and vulnerability management market in 2008, along with other technologies. 17

18 Market Definitions (Contd ) Security and Vulnerability Management Market: Market Segmentation (World), 2008 Security and Vulnerability Management Application Security Vulnerability Assessment IT Security Risk Management Patching & Remediation Security Information & Event Management Configuration & Compliance Management Note: All figures are rounded; the base year is Source: Frost & Sullivan 18

19 Market Definitions (Contd ) Geography Defined Forecasts are for the world market, which have been defined as the following: North America: United States and Canada EMEA: Europe, Africa and countries in the Middle East Asia Pacific: Countries in East and Southeast Asia such as Japan, Hong Kong and India. This region also includes countries in the Oceania region such as Australia. Rest-of-World: Latin America, South America, Russia and others not mentioned above Vertical Markets Defined Forecasts include revenues generated by the following market segments: Financial Government Healthcare Technology & Telecommunications Retail Education Others 19

20 Market Engineering Analysis Patch Management Products Market: Market Engineering Measurements (World), 2008 Measurement Name Measurement Trend Market stage Late growth stage Increasing Revenues (2008) $159.8 million Increasing Potential Revenues (2015) $261.1 million Stable Base year market growth rate (2008) 8.8% Decreasing Forecast period market growth rate (CAGR) 7.3% Stable Average base price $1,200 Decreasing Price range $1,200 - $10,000 Increasing Price sensitivity High Stable Competitors (active market competitors in base year) 32 Decreasing Market concentration (percent of base year market controlled by top five competitors) 40.9% Increasing Note: All figures are rounded; the base year is Source: Frost & Sullivan 20

21 Market Dynamics 21

22 Industry Challenges Patch Management Products Market: Industry Challenges Ranked in Order of Impact (World), Rank Challenge 1-2 Years 3-4 Years 5-7 Years 1 Building strong channel and reseller relationships High High Medium 2 The ability to provide a solution rather than a point product High Medium Medium 3 Increasing integration with security technologies Medium Medium High 4 Align reporting to vertical or regulatory specific requirements Low Medium Medium /High 5 Lowering production costs to achieve lower price points Low Medium Medium Source: Frost & Sullivan 22

23 Industry Challenges (Contd ) Key Factors The patch management industry faces cannibalization effects from other related security markets. Patch management functionality is also being integrated into IT operations management products. The defense against this trend is a strong network of resellers and distributors. Point solution vendors must begin building these relationships now. The ability to provide a more complete, end-to-end solution has been a key competitive factor across the security industry. Large software vendors have been integrating related technologies and will look to acquire or partner with point patch management vendors. Products that integrate well with other products are favored by customers that must maintain a wide array of network security technologies. Patching is a necessary evil for customers across all vertical markets, however, many products offer a uniform reporting feature. Providing vertical or regulatory specific reporting features can increase penetration in a particular market. Vendors may use this advantage to carve out a niche market opportunity. In a mature market, price is the key competitive factor. This is not yet a huge factor, but companies should keep this in mind for any long-term plans. 23

24 Market Drivers Patch Management Products Market: Market Drivers Ranked in Order of Impact (World), Rank Driver Government and industry regulations specifically require a patch management solution 2 Restricted security budgets favor more established technologies 3 Manual patching is labor intensive for large organizations with hundreds of systems 4 Increasingly mobile and remote workforce creates security issues Years 3-4 Years 5-7 Years High High Medium High Medium Low Medium /High Medium High Medium /High 5 Repetitive nature of patching requires an automated product Medium Medium High High High 6 The memory of successful, high profile attacks Medium /Low Medium Medium 7 Necessity of enforcing policy with technology Low Medium Medium Source: Frost & Sullivan 24

25 Market Drivers (Contd ) Key Factors Government and industry regulations require significant investments in network security technologies. Certain regulations specifically require patch management solutions. The patch management market is maturing and as a technology, it is well established. In times of economic recession, new and cutting edge products are shunned for the basic and reliable products. There are thousands of vulnerabilities reported each year. Medium to large enterprises have up to thousands of systems that require patching. This becomes a huge, complex job for IT staff. The increasingly remote workforce presents a number of security problems. In addition, modern enterprise networks are porous, and must accommodate laptops, mobile handheld devices, and contractors/guests. This further complicates the management of these systems, adding incentive for companies to invest in a patch management solution. The repetitive nature of patching further highlights the need for an automated solution. From Microsoft Patch Tuesdays to random patches released by third-party software vendors, the task of patching multiple system on a regular basis makes a strong case for a patch product. 25

26 Market Drivers (Contd ) Key Factors The memory of successful, high profile attacks such as the TJX Corporation security breach still live strong in the mind of CEOs and Directors. This effect is dissipating, however, another major security exploit will strengthen growth rates in the patch management market. Human nature requires companies to enforce policy with technology. The task of system patching is repetitive and unrewarding, therefore it is necessary to have an automated yet customizable solution for patching. 26

27 Market Restraints Patch Management Products Market: Market Restraints Ranked in Order of Impact (World), Rank Restraint 1-2 Years 3-4 Years 5-7 Years 1 The trend towards consolidation funnels revenues into other product categories Very High High High 2 Bear market makes investors more cautious about financial ventures 3 Microsoft WSUS is free and highly ubiquitous Medium /High 4 The maturity of this market makes it less appealing for new entrants 5 Focus on regulatory compliance can create a false sense of security High Medium Medium /High Medium 6 Mature markets are less funded for research and developments Medium /Low Medium Medium /High Medium High Medium Medium Low Medium Medium /High Source: Frost & Sullivan 27

28 Market Restraints (Contd ) Key Factors The trend of consolidation has caused reduced growth in the patch management market. Vendors with patching products in 2007 have bundled this functionality into other products, diverting revenues from the patch management market into other markets. Investors are less likely to pump funding into security companies in a period of economic recession. This reduces the ability of smaller patch management vendors to develop new products or marketing activities. Microsoft Windows System Updates Services (WSUS) is free to Microsoft customers. WSUS provides only the most basic patching capabilities for Windows operating systems, however, this may give customers a false sense of security, and deter them from further investment. This market is at a late growth stage, and new competitors would find market penetration difficult. In addition, other markets would promise lucrative returns-on-investment and would be more alluring to fresh competitors. Mature markets are less funded for research and development, guaranteeing that competition based on factors other than price will be a difficult prospect. 28

29 Legal Trends Key Highlights Regulatory compliance is a huge driver for this market. Here are some key regulations: Gramm-Leach-Bliley Act, also known as the Financial Services Modernization Act, regulates the transmission of consumer data for banking, insurance and financial organizations. Basel II, a part of the Basel Accords, provides security recommendations for banking and banking regulators in order to promote uniform security practices internationally. Federal Information Processing Standards (FIPS) is a set of standards for data processing such as encoding and encryption standards. Federal Desktop Core Configuration (FDCC) is a mandatory standard that requires configuring more than 300 settings that are required for all government agencies. This standard aims to harden government systems against cyber attacks. Federal Information Security Management Act (FISMA) of 2002 is a set of mandatory processes for securing government IT systems. FISMA also provides incentives in the form of yearly audits and certifications. Health Insurance Portability and Accountability Act (HIPAA) of 1996, Title II, is a set of standards that is designed to improve the effectiveness, efficiency and security of the U.S. healthcare system. HIPAA has had a diminished effect until mid-2008, when the first fines were handed out for non-compliance. 29

30 Legal Trends (Contd ) Key Highlights Payment Card Industry Data Security Standard (PCI DSS) is a set of technical and operational security standards developed by the PCI Security Standards Council. These standards are designed to reduce fraud and hacking activities. This regulation affects any organization that transmits, processes or stores credit card and cardholder data worldwide, but has had the biggest impact on the retail vertical market. PCI DSS has proven to be one of the most effective security standards, as non-compliance can result in audits, fines, or even the loss of credit card processing privileges with major brands such as American Express, Discover Financial Services, JCB International, MasterCard Worldwide and Visa Inc. The newest release of PCI DSS, Version 1.2 is much more explicit about the security systems required. 30

31 Technology Trends Key Highlights The primary focus for technological advancement has been and will continue to be broadening the breadth of platform and systems coverage. Leading patch management vendors cover Microsoft operating systems and applications such as Internet Explorer, SQL Server, and Microsoft Office. Patch management products also cover third-party applications such as Apple Safari, Sun JAVA, Adobe Flash, and more. Patch management functionality is being integrated into IT operations or security configuration management. It is important for point product vendors to integrate their solution with related solutions in order to secure long-term channel relationships. Standard areas of focus such as performance and accuracy will gain importance while overall research and development budgets will be reduced for this technology. Research into reducing production costs has been gaining priority. This will continue as price becomes a more significant competitive factor. Leading patch management solutions should provide custom scripting abilities as well. A complete patch management solution will provision for patch assessment and deployment to virtual machines. 31

32 Distribution Channels & Partnership Trends Key Highlights There is an industry-wide trend of cross-product integration. Already, vulnerability management vendors and security configuration management vendors are offering patching capabilities as an added feature to their security offering. This funnels direct sales away from the patch management market and into a broader market. This shift simply means that the patch management market will evolve into a producer market; thus, point patch vendors must start building their reseller market now, license their products to security vendors or look to get acquired. Patching, as an IT function, is already a task that is necessary for security teams and IT operations alike. Thus, the patch management market will become a subset of configuration management or IT management products. This is already evident with large, diversified companies such as HP, Symantec and BMC. To highlight the above mentioned effect, slides provide a partial list of vendors for the world patch management products market in These patch management companies offer patching as part of a larger product suite, which can be categorized as IT systems lifecycle management, vulnerability management, or configuration management. They may also offer a stand-alone patch management product. These slides also show how much a vendor focuses on improving patching functionality as compared to their other product lines. 32

33 Distribution Channels & Partnership Trends (Contd ) Patch Management Products Market: Product Integration Comparison (World), 2008 Company Vulnerability Management IT Systems Lifecycle Management Configuration Management Lumension Security Microsoft Shavlik BigFix CA, Inc. LANDesk Inc. McAfee BMC Software, Inc. HP Patch Management is a core competency Path Management product offered but not core competency Note: All figures are rounded; the base year is Source: Frost & Sullivan 33

34 Distribution Channels & Partnership Trends (Contd ) Patch Management Products Market: Product Integration Comparison (World), 2008 Company Vulnerability Management IT Systems Lifecycle Management Configuration Management AdventNet, Inc. Autonomic Software BOSS, Inc. Configuresoft Fiberlink Communications Frontrange Solutions USA Inc. GFI Software Patch Management is a core competency Path Management product offered but not core competency Note: All figures are rounded; the base year is Source: Frost & Sullivan 34

35 Distribution Channels & Partnership Trends (Contd ) Patch Management Products Market: Product Integration Comparison (World), 2008 Company Vulnerability Management IT Systems Lifecycle Management Configuration Management GridApp Systems, Inc. ManageSoft Corporation New Boundary Technologies Novell PatchAdvisor, Inc. Scalable Software ScriptLogic Corporation Patch Management is a core competency Path Management product offered but not core competency Note: All figures are rounded; the base year is Source: Frost & Sullivan 35

36 Market Trends & Forecasts 36

37 World Market Forecasts Patch Management Products Market: Revenue Forecasts (World), Year Revenues ($ Million) Revenue Growth Rate (%) Compound Annual Growth Rate ( ): 7.3% Note: All figures are rounded; the base year is Source: Frost & Sullivan 37

38 World Market Forecasts (Contd ) Patch Management Products Market: Revenue Forecasts (World), Revenues ($ Million) Growth Rate (%) Revenues ($ Million) Growth Rate (%) Note: All figures are rounded; the base year is Source: Frost & Sullivan 38

39 Regional Market Forecasts Patch Management Products Market: Revenue Forecasts by Region (World), Year North America (%) EMEA (%) Asia Pacific (%) Rest-of-World (%) Note: All figures are rounded; the base year is Source: Frost & Sullivan 39

40 Regional Market Forecasts (Contd ) Patch Management Products Market: Revenue Forecasts by Region (World), Revenues (%) 100% 90% 80% 70% 60% 50% 40% 30% 20% 10% 0% North America EMEA Asia Pacific Rest-of-World Note: All figures are rounded; the base year is Source: Frost & Sullivan 40

41 Regional Market Forecasts (Contd ) Key Highlights The North America region accounted for 59.1 percent of revenues generated in the patch management market. The North American region is home to the majority of security companies. However, large competitors such as Microsoft, Symantec and CA have extensive international presence and are the primary source for high international penetration rates. The North American market is highly competitive and well saturated. As a result, more growth is expected from countries such as Japan, India, Israel and countries in Western Europe. Over 75 percent of revenues generated outside of the United States are channel-based. Certain regulations, such as Basel II and PCI DSS, apply to companies worldwide. Laws enacted in the United States also affect companies internationally, due to the importance of U.S. business to foreign economies. Higher growth rates are anticipated to come from outside the North America region. As a result, the percentage of revenues generated in North America will drop to 55 percent and international sales will rise to 45 percent by

42 Regional Market Forecasts (Contd ) Patch Management Products Market: Revenue Forecasts (North America), Year Revenues ($ Million) Revenue Growth Rate (%) Compound Annual Growth Rate ( ): 6.2% Note: All figures are rounded; the base year is Source: Frost & Sullivan 42

43 Regional Market Forecasts (Contd ) Patch Management Products Market: Revenue Forecasts (North America), Revenues ($ Million) Growth Rate (%) Revenues ($ Million) % 15% 10% 5% 0% Growth Rate (%) Note: All figures are rounded; the base year is Source: Frost & Sullivan 43

44 Regional Market Forecasts (Contd ) Patch Management Products Market: Revenue Forecasts (EMEA), Year Revenues ($ Million) Revenue Growth Rate (%) Compound Annual Growth Rate ( ): 8.4% Note: All figures are rounded; the base year is Source: Frost & Sullivan 44

45 Regional Market Forecasts (Contd ) Patch Management Products Market: Revenue Forecasts (EMEA), Revenues ($ Million) Growth Rate (%) Revenues ($ Million) % 15% 10% 5% 0% Growth Rate (%) Note: All figures are rounded; the base year is Source: Frost & Sullivan 45

46 Regional Market Forecasts (Contd ) Patch Management Products Market: Revenue Forecasts (Asia Pacific), Year Revenues ($ Million) Revenue Growth Rate (%) Note: All figures are rounded; the base year is Source: Frost & Sullivan Compound Annual Growth Rate ( ): 9.3% 46

47 Regional Market Forecasts (Contd ) Patch Management Products Market: Revenue Forecasts (Asia Pacific), Revenues ($ Million) Growth Rate (%) Revenues ($ Million) % 25% 20% 15% 10% 5% 0% Growth Rate (%) Note: All figures are rounded; the base year is Source: Frost & Sullivan 47

48 Vertical Market Analysis Patch Management Products Market: Revenues by Vertical Market (World), 2008 Vertical Market Market Share (%) Financial 17.8 Government 17.4 Healthcare 15.2 Retail 11.9 Technology & Telecommunications 12.7 Education 9.7 Others 15.4 Note: All figures are rounded; the base year is Source: Frost & Sullivan Note: Others includes utilities, manufacturing, insurance, media, transportation and professional services 48

49 Vertical Market Analysis (Contd ) Patch Management Products Market: Revenues by Vertical Market (World), 2008 Retail 11.9% Technology & Telecom 12.7% Education 9.7% Others 15.4% Healthcare 15.2% Government 17.4% Financial 17.8% Note: All figures are rounded; the base year is Source: Frost & Sullivan 49

50 Vertical Market Analysis (Contd ) Key Highlights Regulations such as Gramm-Leach-Bliley Act and Basel II have driven growth in the financial vertical market. In the face of fiscal irresponsibility and the resultant economic recession, the new President and his administration will look to regulate this industry more strictly. As a result, compliance will have a high impact on this market once again. The financial vertical market has traditionally been early adopters of security technologies as sensitive data and transactions are now more valuable than the contents of bank vaults. There are numerous laws that have driven growth in the government vertical such as FIPS, FISMA, and FDCC. Please see the Legal Trends section for more details. The U.S. government is highly committed to improving the economy by protecting e- commerce, financial transactions, and sensitive data. While far from perfect, U.S. government mandates have set a strong example for other country governments. The retail vertical market is primarily driven by PCI. Otherwise, retail organizations tend to be late adopters of security technologies. The healthcare vertical market has been driven by HIPAA. This vertical market is expected to grow more, after the first HIPAA-related fines were handed out in Patch management is a very vertical independent task and the market will continue to balance out. 50

51 Pricing Analysis Key Highlights The average base price for patch management products was $1,200. However, pricing depends on the number of systems requiring patching, while most companies also provide volume discounts. Patch management products typically ranged in price from $1,200 to $10,000. Price is becoming a critical competitive factor. As an exception, a few companies experienced price increases ranging from 200 to 300 percent. This was done by migrating to product suites, as opposed to selling point products. As a result, patch management base product prices are falling while the overall price range is increasing. 51

52 Competitive Analysis 52

53 Market Share Analysis Patch Management Products Market: Market Share by Company (World), 2008 Company Market Share (%) Lumension Security, Inc Microsoft Corporation 10.0 Shavlik Technologies, LLC 7.5 CA 5.6 BigFix, Inc. 5.3 LANDesk Software 5.0 McAfee, Inc. 3.9 BMC Software, Inc. 3.8 HP 3.8 Others 42.6 Note: All figures are rounded; the base year is Source: Frost & Sullivan Note: Others include AdventNet Inc., Autonomic Software, BOSS Inc., Configuresoft Inc., Criston, Dell Everdream, Diskeeper Corporation, Ecora Software Corporation, Fiberlink Communications Corporation, Frontrange Solutions USA Inc., GFI Software, GridApp Systems Inc., ipass Inc., Kaseya Corporation, ManageSoft Corporation, New Boundary Technologies, Novell, Numara Software Inc., PatchAdvisor Inc., RingMaster Software Corporation, Scalable Software LTD., Secure Elements 53

54 Market Share Analysis (Contd ) Patch Management Products Market: Vendors by Market Share (World), 2008 Shavlik 7.5% CA 5.6% BigFix 5.3% LANDesk 5.0% McAfee 3.9% BMC 3.8% HP 3.8% Microsoft 10.0% Lumension 12.5% Others 42.6% Note: All figures are rounded; the base year is Source: Frost & Sullivan 54

55 Market Share Analysis (Contd ) Key Highlights Lumension Security led the market with 12.5 percent market share. Companies that had large amounts of revenues from their patching solution in 2007 lost market share by bundling their patch management product with other solutions in These companies, such as Microsoft and CA, lost market share in the patch management market but gained in other markets, depending on what product suite the patch management product was integrated with. Microsoft played a significant role in this market with System Management Server. In 2008, Microsoft announced that Systems Management Server 2003 will be replaced with System Center Configuration Manager (SSCM). Shavlik, BigFix, CA and McAfee were all key competitors in this market as well. The Others category represents 42.6 percent. With 32 competitors, this market is still very fragmented. 55

56 Competitive Landscape Patch Management Products Market: Competitive Landscape (World), 2008 Lumension Security BigFix CA Shavlik Microsoft BMC McAfee GFI Software AdventNet HP LANDesk Note: All figures are rounded; the base year is Source: Frost & Sullivan 56

57 Market Leader Lumension Security Overview Key Offerings Market Presence Market Performance Lumension, formerly known as Patchlink, acquired Harris STAT Vulnerability Scanner and relaunched as Lumension Security in late Lumension Security now offers a comprehensive security management solution that emphasizes control of all enterprise endpoints, applications and devices. PatchLink Security Configuration Manager, Sanctuary Device Control, Sanctuary Application Control, PatchLink Scan, PatchLink Update, PatchLink Security Management Console Founded in 1991, Lumension has its roots in patch management and has expanded its offerings to remain competitive. As a company, Lumension now boasts 5,000+ customers in 150 countries. Lumension s network of 480 partners and key global distributors include industry giants such as WebSense, Microsoft, Cisco, Novell, and Juniper. Lumension has a history as one of the dominant participants in the patch management market and has maintained high revenue income from this product line. The strength of its patching product combined with newly acquired vulnerability assessment capabilities has greatly increased its value and relevance to customers. In 2008, Lumension led the patch management market with 12.5 percent market share. 57

58 Market Leader (Contd ) Lumension Security Over 5,000 customers worldwide use PatchLink Update to protect critical IT resources in complex, enterprise networks. PatchLink Update uses patented Digital Fingerprinting Technology to proactively eliminate operating system and application vulnerabilities. As a result, this subscription-based, automated product enables Lumension customers to decrease IT costs, maximize productivity and demonstrate regulatory compliance. The combination of PatchLink Scan and PatchLink Update provides customers with a complete, best-of-breed vulnerability management solution. Through a combination of intelligent acquisitions and organic growth, Lumension Security has demonstrated extremely high growth rates in recent years. Lumension Security is likely to make additional acquisitions to round out its product line, especially in the near-future, as struggling companies may look to generate immediate cash or cut costs. Lumension s partnerships with key global distributors and industry giants have been crucial to their success and Lumension will continue to build new relationships. Lumension, however, is leading the charge to unify vulnerability management point products as evident by the stronger focus they have had on product suites. This will reduce patch management revenues and may jeopardize Lumension Security s leadership position in this market. 58

59 Market Challengers Microsoft Corporation Overview Key Offerings Market Presence Market Performance Microsoft Corporation is a large, multinational software provider with products ranging from desktop and server operating systems to business applications and consumer multimedia products. Systems Management Server (SMS), System Center Configuration Manager (SCCM), Windows Server Update Services (WSUS) Microsoft operating systems are on most servers and the vast majority of desktops. This has made Microsoft s Windows operating systems and other Microsoft applications prime targets for hacking attacks. Microsoft provides basic patching services through WSUS, which is free of charge. For customers requiring a more comprehensive solution, Microsoft offers SMS and System Center Configuration Manager. SCCM will move Microsoft out of the patch management market and into the IT systems lifecycle management market. As a free product WSUS has the highest installation rate of any patching solution on desktop PCs but generates no revenue and covers strictly Microsoft software. However, WSUS can lead to sales in stronger products such as SMS. The migration from patch management to more of a systems management solution with SCCM is better for customers, and will translate to higher income growth in the future. 59

60 Market Challengers (Contd ) Microsoft Corporation Microsoft WSUS is a free service for users of Microsoft operating systems. Microsoft WSUS covers only Microsoft operating systems and applications, which may leave other points of attack unprotected. Microsoft also offers Systems Management Server (SMS), which provides a comprehensive solution for change and configuration management for Microsoft platforms. SMS enables organizations to quickly and cost-effectively provide relevant software and updates to users of both Microsoft and non-microsoft products. In 2007, Microsoft released System Center Configuration Manager as the next generation to SMS. System Center Configuration Manager is a systems management software solution for managing large groups of Windows-based computer systems. Configuration Manager provides remote control, hardware and software inventory, patch management, software distribution, and operating system deployment capabilities. Although revenues from System Center Configuration Manager fall outside the scope of this market definition, Microsoft will continue to generate revenues from SMS sales and support. More importantly, Microsoft is leading the trend of combining patch management functionality into PC lifecycle configuration management. Microsoft must expand the number of systems covered by Microsoft SMS and SCCM in order to stay competitive with other patch management vendors. 60

61 Market Challengers (Contd ) Shavlik Technologies Overview Key Offerings Market Presence Market Performance Since its founding in 2003, Shavlik has been the premiere provider of patch management products and has expanded this offering to include policy and compliance management and configuration management. Shavlik has enjoyed steady growth over the years and now protects critical systems for over 10,000 customers. Shavlik NetChk Protect, Shavlik Security Suite Shavlik is a key provider of patch management solutions. This is available as a standalone product or as part of a suite. In addition, Shavlik has licensed its technology to 20 security firms such as IBM, BMC, ipass and Symantec. By providing patching as part of a more comprehensive product suite and building a strong distribution network, Shavlik has defended itself against some of the major restraints to growth in this market. Shavlik demonstrated strong revenue growth in 2008 and subsequently outgrew the competition in terms of market share. 61

62 Market Challengers (Contd ) Shavlik Technologies Shavlik NetChk Protect is a comprehensive patch management solution with a single, userfriendly console. Using NetChk Protect, Shavlik customers can simplify the management of critical security patches and minimize the operational risks imposed by malware, spyware, and unwanted applications. Shavlik NetChk Protect enables customers to maximize productivity, resource availability and demonstrate compliance with governmental regulatory mandates. Shavlik s NetChk Protect has a number of features that make it one of the leading patch solutions. NetChk Protect provides comprehensive, remote network coverage and customers can choose an agent-based or agentless architecture. In addition, Shavlik NetChk Protect is the first solution to enable customers to patch offline, virtual machines. Shavlik even licenses its technology to more than 20 leading security companies such as IBM, BMC, Symantec, Juniper, Sophos and ipass. Shavlik s position as a primary solution provider will only grow stronger as other point solutions are bought or discontinued. Shavlik has also expanded its product line to include a policy and configuration management solution. The combination of these products provides customers the best value and has driven Shavlik s penetration rates in both markets and guaranteeing that Shavlik is well protected against the consolidation effects that this market is facing. 62

63 Market Contenders BigFix Overview Key Offerings Founded in 1997, California-based BigFix has gone from being a point patch management product vendor to providing comprehensive systems management products. BigFix has recognized the demand for integrated IT operations and endpoint security and has developed a product line that meets this demand. BigFix Discovery 7 Platform, BigFix Systems Lifecycle Management, BigFix Security Configuration and Vulnerability Management Market Presence Market Performance BigFix is the only vendor to offer patching as part of its IT systems lifecycle solution, configuration management solution and vulnerability management product suites. At the end of 2008, BigFix announced a mutually beneficial partnership with Trend Micro. This partnership will improve BigFix s endpoint security offering and penetration in the large enterprise segment. As a company, BigFix has demonstrated strong growth rates. This has primarily come from sales of its systems management suite. Cost saving features such as power management has given BigFix an advantage that other patch management vendors cannot match. 63

64 Market Contenders (Contd ) BigFix BigFix gives customers real-time visibility and control of globally distributed desktop and server computer infrastructures, as well as mobile devices. BigFix automates enterprise level malware defense, software distribution, asset inventory, vulnerability assessment, policy enforcement, power conservation, and patch management, without compromising network performance or end-user productivity. BigFix management console has built-in features such as a script language for custom automation and user-friendly wizards. BigFix recently announced a strategic partnership with Trend Micro that aims to unify endpoint security and systems management with a single agent-based solution. By integrating patch management with IT operations, endpoint security and configuration management solutions, BigFix appeals to large enterprises that seek to bridge the gap between IT operations and security teams. Traditionally, BigFix has had a strong presence in the patch management market but has seen strongest growth from IT operations management products such as configuration management and power management. It is likely that BigFix will dedicate most of its efforts towards developing its IT operations management product lines, as these products were most responsible for the company s strong growth in

65 Market Contenders (Contd ) CA Overview Key Offerings Market Presence Market Performance CA is a large, multinational IT management software vendor founded in 1976 and headquartered in New York. CA Patch Management (requires CA Asset Management and CA Software Delivery), CA IT Client Manager (includes patch management functionality) CA had a strong offering with CA Patch Management, but has decided to integrate it into CA IT Client Manager along with other CA products such as Asset Management, Asset Intelligence, Software Delivery, Remote Control and Desktop Migration Manager. This move will gradually shift CA from the patch management market into the IT systems lifecycle management market. CA recently released IT Client Manager, which offers numerous benefits such as automated discovery, maintenance duties, improved operational efficiencies and reduced risk. By integrating patch management into IT Client Manager, CA is providing a more holistic approach to client management. Thus, from a long-term perspective, CA IT Client Manager is more beneficial for CA and large enterprise customers as well. 65

66 Market Contenders (Contd ) CA Prior to being rolled into CA IT Client Manager, CA Patch Management was a profitable product with high year-over-year growth rates. CA IT Client Manager gives customers insight into critical IT assets and automates resource management tasks while reducing operational risks. CA IT Client Manager helps to efficiently and proactively manage all the client devices across an organization, enabling customers to shift their focus from daily operational processes and issues to strategic IT initiatives that bring competitive value to the business. For CA, the trend of consolidation that is common to the security industry (and many others) is perfectly illustrated with the integration of multiple products such as CA Asset Management, CA Asset Intelligence, CA Software Delivery, CA Remote Control, CA Patch Management and CA Desktop Migration Manager into CA IT Client Manager. This gives CA a more compelling product that appeals to larger enterprises. In addition, IT Client Manager will move CA into the IT systems lifecycle management market where IBM, HP and other industry giants are also moving or already competing. More importantly, this trend of product integration will help CA and other market competitors to align their product offerings to customers needs. While CA still reports undiminished sells of CA Patch Management, the customer demand for this product and revenues generated from this product are expected to gradually migrate to the IT systems/client management market. 66

67 Market Specialists McAfee Overview Key Offerings Market Presence Market Performance Since its founding in 1987, McAfee has grown into one of the largest security software firms. McAfee s 2008 acquisition spree, which includes Secure Computing, demonstrates its mission to provide a complete, end-to-end network and endpoint security. McAfee Remediation Manager, McAfee Vulnerability Manager McAfee Remediation Manager is McAfee s only footprint in this market. This product is designed to integrate with McAfee Vulnerability Manager and take corrective measures as recommended by Vulnerability Manager. This includes patch management, among other tasks. Remediation Manager enables customers to minimize risk as well as maximize their IT resources and security software investments. McAfee Vulnerability Manager has a strong legacy from its origins as Foundstone, to which McAfee Remediation Manager is the perfect complement. McAfee products are designed to integrate with epo, giving McAfee a huge advantage in each market that they compete in. 67

68 Market Specialists (Contd ) McAfee McAfee Remediation Manager is designed to help customers achieve compliance and boasts a library of more than 25,000 tested vulnerability remedies. Remediation Manager stays up to date on the latest vulnerabilities by collecting and compiling vulnerability data and creates new remedies that are downloaded via an automated delivery mechanism. Using Remediation Manager, McAfee customers can achieve compliance with government, industrial and internal security policies. Flexible reporting capabilities include summary reports for executives and detailed technical data for IT administrators. McAfee Remediation Manager has a number of strengths as opposed to other patch solutions such as the ability to integrate with McAfee epo, Policy Auditor, Vulnerability Manager (formerly McAfee Foundstone), Risk and Compliance Manager, and McAfee Network Access Control as well as third-party vulnerability scanners. However, McAfee Remediation Manager still requires its own separate agent, which can be hurting sales. Complete integration with the McAfee epo management console would ensure much stronger sales. Overall, McAfee has a solid position in this market with a very powerful and flexible product. The fact that McAfee plans keep this product line intact and sell it as a stand-alone product guarantees that McAfee will remain a key staple of the patch management market. 68