Markets, M. Nicolett
Research Note
24 March 2003

The IT Security Management Magic Quadrant Lacks Leaders

Vendors in the Gartner 1H03 IT Security Management Magic Quadrant are being driven by the need for real-time security data analysis and faster reactions to security incidents.

Core Topic
Security and Privacy: Security Tools, Technologies and Tactics

Key Issue
Which vendors will emerge as leaders in the information security domain?

Strategic Planning Assumptions
By 2006, 50 percent of IT security management point solution vendors will exit the market by acquisition or business failure (0.7 probability).
By year-end 2004, at least three of the network and systems management and broad-scope security vendors will meet IT security management functional requirements for security device and IT infrastructure elements (0.8 probability).

Vendors in the IT security management market provide technology to meet the needs of IT security operations personnel who require real-time analysis of security data from network devices, servers, PCs and applications to mitigate internal and external security threats and document the state of enterprise IT security (see "The Emerging IT Security Management Market"). The core value proposition of IT security management is the correlation of security data from multiple devices and systems to enable better security assessment and more-rapid corrective action (see "IT Security Management Technology Evaluation Criteria").
IT Security Management Market Trends

The primary drivers of this evolving market are:

- The failure of intrusion detection systems (IDSs) to separate real threats from the background noise of ineffective probes, false alarms and normal system changes
- The need for enterprises to discover, investigate and mitigate internal and external security breaches and policy violations
- The need for enterprises to document and manage the general state of IT security to satisfy audit and regulatory requirements

For more information on the IT security management market, see "IT Security Management Market Drivers and Inhibitors."

The IT security management market is made up of small, immature, privately held point solution vendors, as well as security and systems management software vendors that have large installed bases for their primary products and diversified revenue streams. This market has passed the stages of early evolution and is poised for rapid growth from 2003 to 2005.
There are signs of general convergence on a core set of capabilities. We expect significant market consolidation, primarily through the acquisition of point solution vendors by larger systems and security management vendors that lack core capabilities in this area. During 2006, we expect the IT security management market to be pressured by the removal of one of its primary drivers: the failure of IDS. During this period, we expect broad market acceptance of security platforms that provide intrusion prevention capabilities to replace first-generation IDSs. We present Gartner's 1H03 IT Security Management Magic Quadrant in Figure 1.

Figure 1. 1H03 IT Security Management Magic Quadrant (as of March 2003). Axes: Ability to Execute and Completeness of Vision; quadrants: Leaders, Challengers, Visionaries, Niche Players. Vendors plotted: IBM Tivoli, Symantec, NetIQ, Computer Associates, BindView, Addamark Technologies, Micromuse, NetForensics, e-security, Network Intelligence, Intellitactics, OpenService, ArcSight, GuardedNet. Source: Gartner Research

IT Security Management Magic Quadrant Evaluation Criteria

Gartner's Magic Quadrant is a graphical portrayal of vendor performance in a market segment, based on viability, service/support, features and functionality, and technology.

Ability to Execute: A vendor's ability to execute is how well Gartner expects it to perform. Key criteria for a vendor's ability to execute include its:

- Installed base and distribution channel
- Financial parameters
- Speed to market and time in market
- Support reputation

Completeness of Vision: An IT security management vendor's completeness of vision is how well its offerings match current and emerging market requirements. It is also an indicator of how Gartner expects the vendor to do in the future, based on where the market is headed.

For the "features, functionality and technology" evaluation, we heavily weighted the ability to collect and correlate data from network security devices, based on the relatively high percentage of client calls with this particular focus. We also believe that the direction of the technology must be the integration of network threat information with server vulnerability assessment and policy compliance data. A smaller percentage of client calls have a focus on the analysis of data collected from the IT infrastructure and application layers (for example, nonsecurity devices, servers and applications); however, we have also assigned a high weight to this requirement, because the losses associated with internal security breaches exceed those from external intrusions. It is important to note that the most complete IT security management function with respect to the server and application layers is provided by a few of the larger network and systems management and broad-scope security software vendors.

Other technology-oriented evaluation criteria include:

- Correlation
- Scalability
- Real-time monitoring and displays
- Historical analysis and reporting
- Embedded knowledge

Magic Quadrants are meant to provide an understanding of vendor positioning and to set vendor performance expectations. Enterprises should not look to any one quadrant when selecting a vendor. Appropriate vendors might be found in each of the quadrants, not only the Leaders quadrant, and some vendors may be appropriate for only specific vertical markets.

Leaders

Gartner's 1H03 IT Security Management Magic Quadrant does not position any vendor as a leader.
To be a leader with respect to completeness of vision, an IT security management vendor must provide aggregated and correlated historical reporting/analytics and real-time event management for the security device layer and the infrastructure layer (at least the network and host elements) for heterogeneous sources, packaged as an integrated offering; advanced correlation; proven scalability; and host analytics that satisfy audit, policy compliance and vulnerability assessment requirements. The evaluation of a vendor's ability to execute includes financial viability, the size of its installed base, installed base growth rate, visibility on enterprise evaluations and shortlists, support, product function and match of technology to market requirements.

Visionaries

The Visionaries quadrant is populated with a number of IT security management point solution vendors that share a common set of strengths and challenges. Point solution vendors have well-developed correlation and network security device coverage, and they are challenged to leverage their venture capital funding to grow to critical mass and profitability. When compared to their larger competitors, the total installed base of a typical point solution vendor is small, but many point solution vendors have larger installed bases for IT security management products than their large competitors.

NetForensics has the largest installed base and revenue stream of the vendors in the Visionaries quadrant. It has a long-standing partnership with Cisco Systems, which brings NetForensics into accounts that require security management. Cisco's recent acquisition of Okena (see "Cisco to Buy Okena, Try to Compete in Security Software") raises flags that Cisco will look to have an organic security management offering. NetForensics has been challenged by newer point solution vendors that provide broader network device support and more of a real-time orientation to event management.

e-security has been in the IT security management market for a long time. It has recently embedded the Security Focus database to provide security intelligence data in the context of an incident response.
The vendor supports the rapid integration of new data sources through its agent builder technology, which can be used by customers to define new sources. It is attempting to capitalize on a sales relationship and technology integration with Hewlett-Packard (HP) and HP's OpenView product.

The differentiating characteristics of Intellitactics are its real-time graphical displays of threat activity, fully integrated reporting and the propensity of its installed base to integrate in-house data sources through an application programming interface.

ArcSight is a relatively recent entrant with a small installed base that is well-funded and highly visible in the IT security market. Like Intellitactics, ArcSight has a taxonomy for correlation and real-time graphical threat displays. In contrast to e-security and Intellitactics, ArcSight's primary method of data source integration is rapid vendor-side agent development.

GuardedNet has focused on ease of deployment and out-of-the-box functionality. The vendor is noted for its integrated service ticketing system and Host Investigative Toolkit.

OpenService's ThreatManager is based on the OpenService NerveCenter event management technology, and the vendor is selling into the NerveCenter installed base. OpenService is one of the few vendors with advanced features for health and welfare monitoring for popular security appliances.

Network Intelligence is unique in its focus on appliance-based security management solutions. Multiple appliances can be deployed for horizontal scalability, and query-based correlation is supported across appliances.

Challengers

IBM Tivoli is unique among the vendors in the Challengers quadrant in that its Risk Manager product has support for a large number of network security devices. The vendor has an opportunity to leverage its sizable Tivoli Management Environment installed base and also to sell the product as a stand-alone offering. Challenges include low visibility with security operations decision makers and a reputation for products that require extensive customization.

NetIQ has well-developed server-centric security management products and has recently acquired PentaSafe Security Technologies, which had development initiatives under way in the areas of real-time correlation and network security device data collection. NetIQ is in the process of integrating the two sets of technologies.

Symantec is in the midst of development initiatives that will soon provide a critical mass of IT security management function. The vendor already has a strong vulnerability assessment tool (Enterprise Security Manager), a framework for technology integration, and a well-developed incident management workflow (Incident Manager) that integrates Security Focus and additional content from Symantec's security research organization.
Symantec must complete the late-stage development and testing of the Cyberwolf technology integration, which will provide network security data coverage. Because Symantec also provides many security technologies, there is the potential for internal pressure to focus on the management of its own products at the expense of competing products that must also be managed.

Micromuse has leveraged its scalable event management and data collection infrastructure to provide a network-oriented security management product, but is challenged to build its small installed base and provide more embedded security knowledge.

Computer Associates International has a broad portfolio of security products, and its eTrust Security Command Center is in beta testing. The product will integrate current CA security technology (eTrust Audit and eTrust Policy Compliance) and CA common services (event management, repository and correlation) with a new security portal and additional data collectors.

Niche Players

Vendors occupy the Niche Players quadrant for a variety of reasons. BindView is very strong in aspects of IT security management, such as deep and comprehensive reporting of server configuration and policy compliance. Although BindView products can collect network security device log data, there is a lack of real-time monitoring and data correlation capabilities. Addamark Technologies is unique in its focus on security analytics against very large and compressed historical log information, but it has no support for real-time monitoring.

Not Appearing in the Magic Quadrant

HP's OpenView is widely used for managing network devices, but HP has not demonstrated an ability or desire to expand into the security management market. BMC Software has user provisioning and access management products, but it does not provide an IT security management function. Ponte Communications and Solsoft provide solutions for controlling security devices but don't provide any analysis capabilities. Cisco and Check Point Software Technologies provide limited IT security management functions for their own products. Microsoft does not provide IT security management products, but we expect the Microsoft Security Products group to develop function in this area. Internet Security Systems (ISS) SiteProtector provides log aggregation and correlation for ISS and a limited number of third-party products, but ISS does not position SiteProtector as an IT security management solution.

Bottom Line: When evaluating IT security management vendors and tools, enterprises should consider the event management and data analysis requirements for protecting their perimeter, as well as their internal systems and applications.
No one vendor provides complete functionality for all of these areas, but the market is rapidly converging on a common set of functions that apply to security devices, IT infrastructure and applications. Therefore, enterprises should select IT security vendors whose products demonstrate a clear path to integrated management of IT security.