Market Segment Definitions

Author: Joshua Mittler

Overview

In addition to product testing, NSS Labs quantitatively evaluates market size for each of the product categories tested. NSS provides metrics that include but are not limited to market size, forecasts for market growth, unit shipments, changes in average sales pricing, and vertical and horizontal analysis. In order to ensure that product categories are clearly defined, NSS has provided definitions of each of the market segments. These definitions will be updated as NSS coverage evolves to include more market segments or as market segments are merged.

High-Level Market Segments

NSS currently tracks four high-level market segments:

- Infrastructure security
- Content security
- Security intelligence
- Endpoint protection

Infrastructure Security

Infrastructure security products are designed to sit at the perimeter of the network, or in the core of the data center, and protect against attacks. These products typically are deployed as an appliance (physical or virtual), and many vendors have specialized chipsets to ensure that traffic is not affected by the inspection. These products inspect individual packets as they pass through the network, and they manage this traffic by blocking or alerting based on rules and policies established by the organization. Infrastructure security includes the following product categories.

Enterprise Firewall

The enterprise network firewall market is composed primarily of purpose-built appliances for securing enterprise corporate networks. Products must be able to support single-enterprise firewall deployments and large and/or complex deployments, including branch offices, multi-tiered demilitarized zones (DMZs) and, increasingly, the option to include virtual versions. These products are accompanied by highly scalable management and reporting consoles, and there is a range of offerings to support the network edge, the data center, branch offices, and deployments within virtualized servers. The companies that serve this market are focused on the enterprise, as demonstrated by the proportion of their sales in the enterprise and by the number of features in their tools that are dedicated to solving enterprise requirements.

Next Generation Firewalls/Multifunctional Appliances

As the firewall market continues to evolve, other security functions such as network intrusion prevention systems (IPS), application control, full stack inspection, and extra firewall intelligence sources have found their way into security appliances. Many vendors refer to these products as next generation firewall (NGFW) or unified threat management (UTM). NSS considers the ability to perform firewall and IPS functions together, and to operate in conjunction with a centralized management system (CMS), to be the minimum requirements for an enterprise-class device in this category. This category also includes Secure Sockets Layer (SSL) virtual private network (VPN) devices, as most vendors have merged this functionality into these devices.

Intrusion Prevention Systems (IPS) and Next Generation Intrusion Prevention Systems (NGIPS)

NSS defines IPS devices as stand-alone appliances (hardware or virtualized) designed to decode and inspect every single packet passing through the device. These devices should allow legitimate traffic to pass through the device while blocking attacks and evasion techniques. IPS devices typically are placed behind the firewall and/or other security devices and provide the last layer of inspection before passing data to internal hosts. Key considerations for organizations evaluating IPS devices include security effectiveness, resistance to evasion, stability, performance, manageability, and overall value.

In the same way that the traditional firewall vendors transitioned to next generation firewall (NGFW) products, many IPS vendors began to add features in order to differentiate themselves as next generation IPS (NGIPS). Key features that differentiate traditional perimeter IPS products from NGIPS products include application control, user awareness, integration with threat intelligence, and integration of features from security tools such as network behavior anomaly detection (NBAD), security information and event management (SIEM), and packet capture analysis.

Distributed Denial of Service Prevention Solutions

NSS defines distributed denial-of-service (DDoS) prevention solutions as in-line devices (whether routing or transparent) or as out-of-band solutions capable of interacting with an existing routing and switching environment using industry-supported protocols (including routing protocols such as BGP). These solutions must detect both volumetric and application attacks, and devices should be able to scale quickly in order to continue processing the large amount of traffic during a DDoS attack.

Breach Detection Systems

A breach detection system (BDS) is a product or service that is deployed out of band and uses any number of techniques to dynamically detect previously unknown and/or highly targeted malicious content, and to identify indicators of compromise that alert to an existing breach.

Network Access Control

Network access control (NAC) authenticates users logging into the network and determines the access those users have through the deployment of policies determined at the time of access. It also examines the health of the user's computer or mobile device through an agent (usually installed temporarily at the time of inspection). Network access control is implemented either natively through the existing network infrastructure or via an appliance overlay solution that operates in conjunction with existing switches and routers.

Content Security

Content security products are typically located behind infrastructure security devices such as firewalls and IPS, and they inspect data as it flows to and from users. The principal difference between infrastructure and content security products is the data they are evaluating and the level at which they operate in the network stack (network or application layer). Content security products review user interaction and the content itself to determine whether action is needed.

Secure Web Gateways

Secure web gateway (SWG) solutions protect web-surfing devices by filtering unwanted software/malware from user-initiated web traffic. They also enforce regulatory compliance and company human resource policies that restrict access to prohibited sites, for example gambling sites and sites with adult content. At a minimum, an SWG should include URL filtering, malicious code detection and filtering, and application controls for popular web-based applications, such as instant messaging (IM) and Skype. Increasingly, native or integrated data loss prevention is also included.

Email Security Products

NSS defines the secure email gateway (SEG) market as solutions that provide enterprise message transfer agent (MTA) capabilities; offer protection against inbound and outbound email threats (such as spam, phishing attacks, and malware); and satisfy outbound corporate and regulatory policy requirements. SEG solutions are offered as software or appliances that are deployed on customer premises; hosted solutions that reside in solution providers' data centers; multitenancy software as a service (SaaS) that exists in multiple data centers around the globe; or a combination of these, often referred to as a hybrid deployment.

Database Security Products

Database security products allow enterprises to centrally manage security and audit policy compliance and vulnerability management for databases and applications across the enterprise. These products monitor access to business-critical data in enterprise resource planning (ERP), customer relationship management (CRM), or supply chain management (SCM) systems, searching for signs of unauthorized access to data.

Web Application Firewalls

NSS defines web application firewalls (WAFs) as standalone or virtual appliances, or as self-contained software, designed specifically to secure web-based traffic. WAFs employ a wide range of functions to work in conjunction with perimeter firewall and IPS technology in order to provide protections specifically for web applications. WAFs should include HTTP/HTTPS protocol enforcement and native signature detection along with additional protection mechanisms, including URL normalization and scanning; positive security functionality that enforces proper application operation and page logic flow; and adaptive learning modules that can update security policies on the fly. WAFs block attacks masked by HTTPS encryption by inspecting SSL sessions using the web server's private key; they detect policy violations and reset offending connections. These sessions are either passively decrypted and inspected or actively terminated and re-encrypted. WAFs should recognize and be configured to police the usage of specific web application elements and functions, such as web objects, form fields, and, most importantly, application session logic.

Security Intelligence

Security intelligence tools collect and correlate security data ranging from individual packets to flow data, logs, and user behavior. While basic security intelligence tools simply store data or provide simple indexing for search, more advanced security intelligence tools will correlate this data against security policies and known threats to provide near real-time notification of security incidents. By their nature, security intelligence products are reactive rather than proactive or preventative, but they are becoming important components of incident detection and response.

Continuous Forensic Analytics

Continuous forensic analytics (CFA) products assist in the analysis of network traffic by providing valuable insights into undetected malware, zero-day malware, and targeted attacks. This technology provides a unique means to determine whether threats have bypassed defenses such as next generation firewalls (NGFW), intrusion prevention systems (IPS), intrusion detection systems (IDS), breach detection systems (BDS), antivirus/endpoint protection (including host IPS), and secure web gateways (SWG). CFA systems typically operate out of band, continuously recording and indexing network traffic and offering both automated and programmable queries for the investigation of patterns and payloads. Recording options include, but are not limited to, SPAN, sFlow, NetFlow, and network taps.

Log Management

Log management products automate the storage and retention of log files so that they may be used for future actionable intelligence. At a minimum, these tools are capable of log data capture and storage. Log files contain crucial information about security events (for example, failed login attempts) and other auditable information that can identify exposure to potential threats, such as malware, network intrusion, unauthorized changes, issues relating to compliance, or breaches in security that can result in loss of revenue (or intellectual property). Enterprises are often inundated with huge amounts of log data generated from network devices, servers, endpoints, and applications. With a log management tool, log data may be parsed, filtered, sorted, queried, and exported. Log management platforms may be cloud-based, appliance-based, or a combination of both. Some solutions (when coupled with SIEMs or other security products) allow for log data analysis and are capable of automated remediation, i.e., they can monitor and respond to security events.

Security Information and Event Management (SIEM)

SIEM solutions aggregate and analyze event data produced by security devices, network infrastructure devices (switches and routers), and applications (for example, databases, email, and the web). Logs are the primary source of data, but today most SIEM vendors can also process other forms of data (such as network flows). Event data is combined with contextual information about users, assets, threats, and vulnerabilities and then normalized so that it can be correlated and analyzed for specific purposes, such as network security event monitoring, user activity monitoring, and compliance reporting. The technology provides real-time security monitoring, historical analysis, and other support for incident investigation and compliance reporting.

Threat Intelligence

Threat intelligence comprises data feeds, reports, briefings, and other services that may provide additional insights into threat actors. Threat intelligence typically is delivered in threat (or data) feeds. Given the enormous amount of information that these feeds provide, NSS considers it necessary to distinguish between information and intelligence. The latter is actionable, meaning it is predictive, insightful (relevant), and current. Many IPS and SIEM products now incorporate third-party intelligence feeds into their analysis.

Endpoint Protection Products

Endpoint protection (EPP) products combine endpoint device security functionality into a single product in order to deliver a combination of security functions, including antivirus, antispyware, personal firewall, application control, and other host intrusion prevention capabilities (for example, behavioral blocking), in a single and cohesive solution. The EPP landscape is changing, and vulnerability, patch, and configuration management capabilities are being integrated into more advanced EPP products for greater protection. Beyond fighting malware, modern EPP products are expanding to include data protection features, such as disk and file encryption, data loss prevention, and device control. The majority of the EPP market is focused on PC-type endpoints; however, these solutions increasingly are starting to encompass management and tracking of other mobile devices, such as tablets and smartphones.

Reading List

NSS Labs Methodologies Library. NSS Labs. https://www.nsslabs.com/reports/categories/methodologies

Change Log

Date        Description
05/05/2015  Added Security Intelligence section
10/30/2015  Clarifications to SWG and BDS definitions

Contact Information

NSS Labs, Inc.
206 Wild Basin Rd
Building A, Suite 200
Austin, TX 78746 USA
info@nsslabs.com
www.nsslabs.com

This analyst brief was produced as part of NSS Labs' independent testing information services. Leading products were tested at no cost to the vendor, and NSS Labs received no vendor funding to produce this analyst brief.

2015 NSS Labs, Inc. All rights reserved. No part of this publication may be reproduced, copied/scanned, stored on a retrieval system, e-mailed or otherwise disseminated or transmitted without the express written consent of NSS Labs, Inc. ("us" or "we").

Please read the disclaimer in this box because it contains important information that binds you. If you do not agree to these conditions, you should not read the rest of this report but should instead return the report immediately to us. "You" or "your" means the person who accesses this report and any entity on whose behalf he/she has obtained this report.

1. The information in this report is subject to change by us without notice, and we disclaim any obligation to update it.
2. The information in this report is believed by us to be accurate and reliable at the time of publication, but is not guaranteed. All use of and reliance on this report are at your sole risk. We are not liable or responsible for any damages, losses, or expenses of any nature whatsoever arising from any error or omission in this report.
3. NO WARRANTIES, EXPRESS OR IMPLIED, ARE GIVEN BY US. ALL IMPLIED WARRANTIES, INCLUDING IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, AND NON-INFRINGEMENT, ARE HEREBY DISCLAIMED AND EXCLUDED BY US. IN NO EVENT SHALL WE BE LIABLE FOR ANY DIRECT, CONSEQUENTIAL, INCIDENTAL, PUNITIVE, EXEMPLARY, OR INDIRECT DAMAGES, OR FOR ANY LOSS OF PROFIT, REVENUE, DATA, COMPUTER PROGRAMS, OR OTHER ASSETS, EVEN IF ADVISED OF THE POSSIBILITY THEREOF.
4. This report does not constitute an endorsement, recommendation, or guarantee of any of the products (hardware or software) tested or the hardware and/or software used in testing the products. The testing does not guarantee that there are no errors or defects in the products or that the products will meet your expectations, requirements, needs, or specifications, or that they will operate without interruption.
5. This report does not imply any endorsement, sponsorship, affiliation, or verification by or with any organizations mentioned in this report.
6. All trademarks, service marks, and trade names used in this report are the trademarks, service marks, and trade names of their respective owners.