IDC MarketScape: Worldwide Endpoint Specialized Threat Analysis and Protection 2017 Vendor Assessment

• This analysis was conducted from September to December 2016, and follow-up interviews with customers and vendors took place in the first three months of 2017.

• The primary detection and/or prevention method for Endpoint STAP products must be signatureless. The solutions must provide continuous endpoint monitoring and endpoint forensics to support rapid response and remediation. Some security vendors were excluded from this analysis because IDC considered the endpoint STAP product incomplete or lacking full integration into the overall offering for signatureless defense, security incident response, and remediation tools. For example, some products lacked advanced machine learning–based threat detection at the time of this analysis.

• IDC also excluded a minority of vendors that used containerization at the endpoint and may have required specific CPU or other specific hardware requirements. Those technologies have been widely adopted for smaller, targeted deployments.

• Finally, traditional, signature-based antivirus engines and other widely used threat detection and prevention technologies often continue to play a role with modern endpoint security offerings. These long-standing technologies are still used to reduce false positives and lessen the load on analytics engines and other innovative detection and prevention components.

ESSENTIAL BUYER GUIDANCE

The market is flooded with endpoint security technologies, incident response tools, threat intelligence feeds, and behavioral analytics. Know what the key requirements are before shopping for modern endpoint threat detection, prevention and/or response, and remediation solutions:

• Endpoint agent functionality: Modern endpoint security products should provide a kernel-based or hybrid agent that detects and can be configured to block regardless of endpoint device connectivity. Evaluate the space and CPU requirements of the endpoint client. Determine which detection and prevention capabilities are enabled by default. Some prevention capabilities must be carefully tested and tuned to avoid disrupting custom applications and scripts. Gauge the existing false positive rate, and compare how the new solution impacts it. Enabling prevention often causes an increase in false positives.

• Managed and professional services: Adding modern endpoint security products may impact internal incident response workflow and remediation processes. Organizations of all sizes are choosing to augment IT security with managed security services. Some vendors offer their own managed services. Others refer customers to managed services provider partners. Vendors also have various levels of professional services, such as risk assessments, penetration testing, incident response training, and boots-on-the-ground breach support retainer services to consider.

• Cloud-based or on-premises: Determine the organization's preferred deployment model for endpoint security, and examine the architecture of the vendors you are evaluating. Some security vendors provide a lightweight agent combined with cloud-based analytics and a web-based management console. Other providers require an on-premises management appliance for analytics and historical search for incident response. And other vendors provide a hybrid approach with cloud-based analytics, an on-premises management appliance, and an endpoint client.

• Live response and automation: Determine if your IT team can support solutions that provide live response and remediation tools and extensive endpoint forensics. Many security vendors sell a standalone endpoint security solution and a more extensive offering that supports active threat hunting and integrated live response and remediation tools. It may be more prudent to adopt the lightweight, standalone solution to meet immediate requirements and then add more extensive components when they are needed.
Before Evaluating Endpoint Security Products

A few basic steps can make the difference between adopting a tool that isn't the right fit and adopting one that supports existing requirements and can grow and be adapted to changes to the organization's environment. Take the following steps before evaluating vendor products:

• Assess the organization's existing endpoint security solutions and whether they are properly configured and maintained. Carefully evaluate the investments already made throughout the organization's IT security architecture. Identify ways to bridge siloed security technologies to create a comprehensive approach for threat detection and prevention.

• Examine the existing security program to determine whether the security posture can be improved by fine-tuning common security best practices. Many data breaches stem from failing to patch highly used productivity software and poorly configured and managed network devices and applications. Enterprises often poorly communicate security policies or communicate them effectively but lack policy enforcement mechanisms.

• Cybercriminals target the human fallibility in all of us. A significant number of attacks are delivered through spam and phishing messages containing malicious file attachments or links to attack websites. Consider implementing a sustained security awareness training program. Evaluate the effectiveness of the enterprise's messaging security technology.

VENDOR SUMMARY PROFILES

This section briefly explains IDC's key observations resulting in a vendor's position in the IDC MarketScape. While every vendor is evaluated against each of the criteria outlined in the Appendix, the description here provides a summary of each vendor's strengths and challenges.

McAfee

McAfee is a Leader in this IDC MarketScape for endpoint STAP for its focus on automated response and remediation and its robust technology partner ecosystem and consistency in responding to customer requests for improvements.
McAfee Endpoint Threat Defense and Response combines the company's current endpoint security offering, which uses behavioral analysis and machine learning, with the optional McAfee Active Response (MAR). MAR provides SOC and incident responders with retrospective search functionality to identify the scope and root cause of a threat, together with live response capabilities that let investigators collect data from infected machines for live searches and take actions to remediate the threat. The ability of administrators to set automated triggers on alerts, and the OpenDXL integration with other vendors, are what lifted McAfee into the Leaders bracket in this analysis. The McAfee solution set is a solid choice for organizations that have invested in McAfee ePolicy Orchestrator and its technology partner products. At the time of this analysis, McAfee was building out a strong customer base with some large deployments in the tens of thousands of seats. Early adopter customers contacted by IDC highly praised the solution. A consistent messag