TheInfoPro Security Study – Wave 3 n=198; Wave 4 n=161 (to date); Final Wave 4 n=220+ Smart...

TheInfoPro Security Study – Wave 3 n=198; Wave 4 n=161 (to date); Final Wave 4 n=220+

Smart Shopper: Rating Intrusion Detection & Prevention Vendors

Dr. David TaylorTheInfoPro

mailto:[email protected]


TheInfoPro’s (TIP’s) Background & Methodology

Created by alumni of Gartner, EMC, Giga, IBM & Bell Labs

• Founder of Gartner, Soundview and Giga on the Board and an investor

Transparency – “Voice of the Customer” intelligence, without bias or spin

IT Decision Makers at Global 2000 companies, pre-screened for domain expertise, are interviewed by TIP Researchers who collectively average 20 years of IT experience

Quantitative vendor ratings combined with in depth narrative commentary direct from buyers and investors

Customer spending plans, project plans, buying intentions, detailed by budget and by industry. Desired functionality, project timing and preferred vendors

TIP Triangulates the End User Value and Investor Confidence for the sector’s competitive landscape.



Information Security Studies Overview

Studies: Wave 1: Winter 2003 Wave 2: Summer 2003

Wave 3: Winter/Spring 2004Wave 4: Fall 2004

Population: Wave 1: 164Wave 2: 175

Wave 3: 198Wave 4: 220+

Content: Ratings and commentary on vendors and products in 15 information security market sectors, including:

- Anti-Virus, Anti-Spam (including Anti-Phishing)- Firewalls (including Application Proxy, Personal, Stateful and Packet)- Identity Management (including Provisioning, SSO and Directory)- Intrusion Detection & Prevention (including Host and Network-based)

- Security Management (including SIM, ESM and SEM) - Security Services (including Vulnerability Assessment and Audit Services) - Wireless Security (including WiFi and WLANs)

- Management Tools (including Patch Management and Mgmt Dashboards)- Access Control (including Tokens, Certificates and Encryption)

- Security Appliances



Industry Breakdown

11%

6%

8%

10%

10%

17%

17%

22%

0% 10% 20% 30% 40% 50%

Other

Energy/Utilities

Consumer Goods/Retail

Healthcare/Pharmaceuticals

Industrial/Manufacturing

Telecom & Technology

Government & OtherServices

Financial Services



Revenue Breakdown

17%

4%

9%

7%

11%

0% 10% 20% 30% 40% 50%

Less than $500Million

$500 Million toless than $1

Billion

$1 Billion to lessthan $10 Billion



$30 Billion ormore



Number of Enterprise Employees Breakdown

3%

10%

20%

18%

49%

0% 20% 40% 60% 80% 100%

Fewer than 100

100 - 999

1000 - 4999

5000 - 10,000

More than10,000



Most Needed Features, Services or Improvements

4%

6%

9%

10%

10%

13%

16%

17%

23%

39%

0% 10% 20% 30% 40% 50%

Make What We Have Work

Faster or Automated Updating

More/Better Services

Patch Management

Reporting Improvements

Intrustion Detection/Prevention Integration

Integrated Infrastructure Management

Support for Specific Technologies

Perimeter Performance Improvements

Automated Management Tools

Specific user demand for IDS/IPS integration



Wave 4

In Use Now81%

In Near-term Plan (Through year-end

2005)8%

Not in Plan9%

In Long-term Plan (2006 and beyond)

2%Wave 3

In Use Now76%

In Plan (1-12

Months)17%

In Long-term Plan (Mid-2005

and beyond)

3%

Not in Plan4%

Network Intrusion Detection Deployment Status



Wave 4In Use Now28%


2005)33%

Not in Plan24%


15%

Wave 3

In Use Now31%

In Plan (1-12

Months)24%


and beyond)

19%

Not in Plan26%

Network Intrusion Prevention Deployment Status



Wave 4 In Use Now20%


2005)24%

Not in Plan44%


12%

Wave 3 In Use Now17%

In Plan (1-12

Months)18%


and beyond)

13%

Not in Plan52%

Host-based Intrusion Prevention Deployment Status



Wave 4In Use Now28%


2005)9%

Not in Plan50%


13%

Wave 3

In Use Now33%

In Plan (1-12

Months)12%

Not in Plan44%


and beyond)

11%

Security Appliances Deployment Status



Technology Score Technology ScoreSecure Mobile/Wireless Access 100 Digital Certificates 55Intrusion Prevention - Network/Perimeter 98 Intrusion Detection - Network/Perimeter 51Firewalls - Personal 97 Enterprise Meta Directory 51Intrusion Prevention - Host-based (HIPS) 97 Web Content Filtering 51Security Information Management (SIM) 88 Firewalls - Application Proxy 48Identity Management - User Provisioning 88 File Integrity Assessment 47Identity Management - Self Service 83 Anti-Phishing 45Single (Simplified) Sign-On 83 Security Dashboard - for Executives 43Intrusion Detection - Host-based (HIDS) 82 Hardware Tokens / One-Time Passwords 43Identity Management - Integrated Suite 79 Security Alert (Monitoring) Service 42Audit Compliance Reporting 79 Anti-Virus Software - Enterprise Server 41Patch Management 76 Public Key Encryption - Data in Transit 41Wireless LAN Security 74 Firewalls - Packet Filtering 41Enterprise Security Management (ESM) 73 Firewalls - Stateful 41Personal Information Protection Tools or Services 71 Secure Instant Messaging 39Secure Messaging 70 Integrated Security Appliance 39SAN / NAS Stored Data Security 69 Managed Security Services 10Vulnerability Management 69 Biometrics + Smart Card 0Anti-Spam 65 Biometrics (Fingerprint or Retina Scan) 0VPNs - Based on SSL 60

Network & Host IPS and Host IDS are “Hot” Technologies



IDS & IPS Security Technologies In Use & In Plan

0% 20% 40% 60% 80% 100%

Intrusion Prevention -Network/Perimeter

Integrated SecurityAppliance

Intrusion Prevention -Host-based (HIPS)

Intrusion Detection - Host-based (HIDS)

Intrusion Detection -Network/Perimeter

In Use Now In Near-term Plan (through year-end 2005)

In Long-term Plan (2006 and beyond) Not in Plan

Only 10% of users plan new deployments in 2005

Network IPS to grow from 28% in use to over

60% in use by YE05



Commentary about the Transition from IDS to IPS“Perimeter IDS is old news. It doesn't work well and it doesn't stop the actual attack.” (Systems Executive – Healthcare Technology Company)

“We have IPS devices, but have them deployed only for detection right now. We want to watch them for a while and get a higher level of confidence in the prevention capabilities. We'll deploy for prevention in early 2005.” (IT Manager – Midsize Insurance Company)

“We pushed IPS deployment back from short-term to long-term plan since the last interview. We are actually looking at some of these vendors in our IDS space. I'm not certain that we will be ready for this in the near term, even as the market matures.” (Information Security Advisor – F1000 Insurance Company)

“IDS is just a piece of the puzzle. Best we can do to prevent intrusions. The IPS technology isn't quite there yet. I think that there are three areas, IDS, Intrusion Management like patches, and IPS. I'm really looking for a firewall that can do IPS and do it nicely.” (Manager of Enterprise Security – F1000 Telecommunications Company)



Top 10 Network IDS Vendors In Use or Being Considered

0% 10% 20% 30% 40% 50%

Nokia

VeriSign

Check Point

Juniper/NetScreen

Symantec

McAfee

Enterasys

Cisco

Open Source

ISS

In Use Now In Near-term Plan (through year end 2005)

No “Purple” = No Growth.VeriSign and Nokia are the only

vendors in line for new IDS projects

The “Top 10” vendors were those named by users (without prompting)

as in use or being considered for each project or technology

% of Firms Using / Planning Use the Vendor



Top 10 Network IPS Vendors In Use or Being Considered

0% 5% 10% 15% 20%

VeriSign

Fortinet

Nokia

Symantec

Check Point

Juniper/NetScreen

TippingPoint

ISS

Cisco

McAfee


Other Vendors Being Considered Include:

Lancope

Arbor Networks

Counterpane

Foundstone

Mirage Networks

Preventsys

Qualys

SonicWALL

TriGeo




0% 5% 10% 15% 20%

Sygate

CA

Zone Labs

NetIQ

McAfee

Symantec

Tripwire

Cisco

Open Source

ISS


Top 10 Host IDS Vendors In Use or Being Considered


Apani Networks

Check Point

EI

Sana

TriGeo


Big Cisco growth opportunity



Top 10 Host IPS Vendors In Use or Being Considered


Fortinet

BindView

EI

Enterasys

Microsoft

Sana

Symantec

TriGeo

Tripwire

Big Cisco growth opportunity

0% 5% 10% 15% 20%

Ecora

Homegrown

HPQ

IBM

Sygate

TippingPoint

Open Source

McAfee

ISS

Cisco




IDS/IPS Customer Planned Spending Change for 2005

0% 20% 40% 60% 80% 100%

Nortel

ISS

McAfee

VeriSign

Check Point

RSA

Symantec

Juniper/NetScreen

Cisco

Less Money About The Same More Money



Vendor/Product Customer Ratings – 8 Open-ended Questions

Is this vendor a strategic or a tactical vendor for your organization?

What are this vendor's (or product's) top 1-2 strengths, and why?

What are this vendor's (or product's) top 1-2 weaknesses?

What feature(s) would you most like to see added to this product?

About how much money did your enterprise spend with this vendor (for security) during 2004?

Approximately how much (what percentage) will your spending with this vendor change next year?

"Are you planning to switch from this vendor to another vendor? If so, to which vendor?"

Would you consider outsourcing this to a managed service provider? If so, what vendor would you consider first?



Vendor/Product Customer Ratings – 15 Ratings Criteria

The company's brand or reputation

Technical innovation

Management's strategic vision

Competitive positioning of the products or services

Interoperability with other vendors

Interoperability within the vendor's product line

Product features / functionality

Product manageability

Product reliability

Product quality

Value for the money

Sales force quality

Delivery of products as promised

Quality of technical support

Ease of doing business with the company



Wave 4 IDS/IPS Customer Ratings on 2 Strategic Criteria

I I

Check Point I 1 1 1 1 I 1 1 0 0

Cisco I 1 1 1 0 I 1 1 1 1

ISS I 0 0 0 0 I 0 0 0 0

Juniper/NetScreen I 1 1 1 1 I 1 1 1 1

McAfee I 1 1 0 0 I 1 0 0 0

Open Source I 0 0 0 0 I 0 0 0 0

RSA I 1 1 0 0 I 1 1 1 0

Symantec I 1 1 0 0 I 1 1 1 0

VeriSign I 1 0 0 0 I 0 0 0 0

Technical Innovation

Strategic Vision

“Snort works, but try getting support” is a

common issue

ISS is actually scoring better in

Wave 4 than Wave 3, but this doesn’t show it



Wave 4 IDS/IPS Company Ratings

I I

Check Point I 1 1 0 0 I 0 0 0 0

Cisco I 1 1 1 0 I 1 1 1 1

ISS I 0 0 0 0 I 0 0 0 0


McAfee I 1 1 0 0 I 1 0 0 0

Open Source I 0 0 0 0 I 1 0 0 0

RSA I 1 1 1 1 I 1 1 1 0

Symantec I 1 1 0 0 I 1 0 0 0

VeriSign I 1 1 1 0 I 0 0 0 0

Technical Support

Delivery as Promised

Lots of commentary



IDS/IPS Customer Commentary

“Symantec was chosen because it was our corporate standard. We have a corporate license with good conditions. We're more or less happy with it. We want improvement in reporting so that we know how many cleaned files are in a box. Other aspects are good.” (Information Systems Manager – Industrial Manufacturing Company)

“From a cost standpoint, the Open Source products are becoming almost as good and reliable for a lot less money from an IDS standpoint.” (Information Systems Manager – Industrial Manufacturing Company)

“ISS is a leader in this [IDS/IPS] market, though other IDS vendors will tell you that they are the top dog. ISS is starting to expand into other security areas like firewall IPS and filtering, but they are doing it smartly.” (Security Architect – Telecom & Technology Company)



Wave 4 IDS/IPS Product Ratings

I I

Check Point I 1 1 1 1 I 1 1 1 1

Cisco I 1 1 1 0 I 1 1 1 1

ISS I 1 0 0 0 I 0 0 0 0


McAfee I 1 1 0 0 I 1 1 1 1

Open Source I 0 0 0 0 I 1 1 1 0

RSA I 1 1 1 0 I 1 1 1 1

Symantec I 1 1 0 0 I 1 1 1 0

VeriSign I 1 1 1 0 I 1 1 1 1

Features/ Functions

Product Reliability

Lots of commentary



Wave 4 IDS/IPS Product Ratings

I I

Check Point I 1 1 1 1 I 1 1 0 0

Cisco I 1 1 1 1 I 1 0 0 0

ISS I 1 0 0 0 I 0 0 0 0

Juniper NetScreen I 1 1 1 1 I 1 1 1 0

McAfee I 1 1 1 0 I 1 1 1 0

Open Source I 1 1 1 0 I 1 1 1 1

RSA I 1 1 1 1 I 1 1 0 0

Symantec I 1 1 1 0 I 1 1 0 0

VeriSign I 1 1 1 1 I 0 0 0 0

Value for the Money

Product Quality

Pricing issues

/



IDS/IPS Customer Comments About Their Vendors/Products

“We have the Network Intrusion Detection device from Cisco. I prefer Network-based IDS. We've had it over two years. We can set it to shun all ranges of IP addresses.”

“Snort is a best of breed IDS product, despite not coming from a traditional vendor. Price is right and the application has scaled up with our needs.” (Federal US Government Agency)

“We bought IntruVert, before they were gobbled up by McAfee. They won the bake-off based on our architecture. They were the best fit into our architecture compared against Symantec and someone else.”

“We bought ISS because they are the leader in the market. They've been out there for awhile. It fits requirements. We're also using Qualys for host-based.”



Wave 4 IDS/IPS – Corporate Ratings Summary

I I I I I

Check Point I 1 1 1 1 I 1 1 0 0 I 1 1 1 0 I 1 1 0 0 I 0 0 0 0

Cisco I 1 1 1 0 I 1 1 1 1 I 1 1 1 1 I 1 1 1 0 I 1 1 1 1

ISS I 0 0 0 0 I 0 0 0 0 I 0 0 0 0 I 0 0 0 0 I 0 0 0 0

Juniper/NetScreen I 1 1 1 1 I 1 1 1 1 I 1 1 1 1 I 1 1 1 1 I 1 1 1 0

McAfee I 1 1 0 0 I 1 0 0 0 I 1 1 1 1 I 1 1 0 0 I 1 0 0 0

Open Source I 0 0 0 0 I 0 0 0 0 I 0 0 0 0 I 0 0 0 0 I 1 0 0 0

RSA I 1 1 0 0 I 1 1 1 0 I 1 1 1 1 I 1 1 1 1 I 1 1 1 0

Symantec I 1 1 0 0 I 1 1 1 0 I 1 1 1 0 I 1 1 0 0 I 1 0 0 0

VeriSign I 1 0 0 0 I 0 0 0 0 I 1 0 0 0 I 1 1 1 0 I 0 0 0 0

Technical Support

Delivery as Promised

Technical Innovation

Strategic Vision

Competitive Positioning



IDS/IPS Customer Comments About Their Vendors/Products

“[After testing various products, we found] the Enterasys Dragon product was one of the best IDS products out there. It worked with our network and could handle the extreme volumes, when we were out testing. Other systems would fail in a few minutes because they couldn't handle the volume.”

“We bought the Okena StormWatch, before Cisco bought Okena, but we're looking to replace it. With Okena, it's either all IDS or IPS, but with others you can kind of mix them a little bit, based on rules. We're looking at Sourcefire and ISS products.”

“We bought a commercial version of Sourcefire’s freeware because we had a mandate that we couldn’t use free products. We'll change to free products as management now allows us to use freeware. We made a lot of inroads last year with Open Source software.”



Wave 4 Product Ratings – Product Ratings Summary

I I I I I

Check Point I 1 1 1 1 I 1 1 1 1 I 1 1 1 1 I 1 1 1 1 I 1 1 0 0

Cisco I 1 1 1 0 I 1 1 0 0 I 1 1 1 1 I 1 1 1 1 I 1 0 0 0

ISS I 1 0 0 0 I 0 0 0 0 I 0 0 0 0 I 1 0 0 0 I 0 0 0 0

Juniper NetScreen I 1 1 1 1 I 1 1 1 1 I 1 1 1 1 I 1 1 1 1 I 1 1 1 0

McAfee I 1 1 0 0 I 1 1 1 0 I 1 1 1 1 I 1 1 1 0 I 1 1 1 0

Open Source I 0 0 0 0 I 0 0 0 0 I 1 1 1 0 I 1 1 1 0 I 1 1 1 1

RSA I 1 1 1 0 I 1 1 1 1 I 1 1 1 1 I 1 1 1 1 I 1 1 0 0

Symantec I 1 1 0 0 I 1 0 0 0 I 1 1 1 0 I 1 1 1 0 I 1 1 0 0

VeriSign I 1 1 1 0 I 1 1 0 0 I 1 1 1 1 I 1 1 1 1 I 0 0 0 0

Value for the Money

Features/ Functions

Product Manage-

ability

Product Reliability

Product Quality

/



Investor Commentary About IDS/IPS Vendors

“Check Point's strategy was a combination of good and bad – strong in its core and bad in emerging markets. It was behind companies like NetScreen. It was Check Point's share to lose and it lost it. It is now regaining by introducing new products, changing pricing strategies and re-engaging the channel. In short, the company is re-inventing itself with new products, successful sales execution, partnering, and filling in gaps. The company is up and coming and this is not fully reflected in the stock. It is going after small and medium size businesses with Intrusion Prevention, and opportunities to provide a deeper level of security. In its core, it will grow in line with the market.”

“Cisco’s move to put the security into the network is a winning strategy because it doesn’t make sense that network equipment is sold without being secure. Cisco’s entry puts pressure on Check Point and others. At the end of the day, network hardware companies that hardwire security onto the switch and the software companies that offer suites will be left standing.”



Investor Commentary About IDS/IPS Vendors

“ISS has introduced a good innovative product line in Proventia, with faster throughput and many less false detections. Intrusion Detection was a disappointment earlier and products were not as robust as they are now. This will be a growth area in 2004 and 2005. We have confirmation data that the sector will grow because Check Point and others recently introduced products. Even Nortel is introducing product.”

“McAfee had so many restatements that I don’t trust management. Maybe statements going forward are clean, but I will need to see this for awhile. They just restated a few months ago and it impacted as late as 2003 because revenues from 2001 and 2002 got pulled into 2003. It had a minor effect on 2003, but was still an issue.”



Conclusions & Recommendations

Network IDS is still growing, but reaching a saturation point at 81% in use.

Specific user demand for IDS/IPS integration and dissatisfaction with IDS will drive the IPS market, and stabilize (but not eliminate) IDS demand.

Both Network and Host-based IPS are “hot” technologies, and so is HIDS.

Nearly 50% of users say they don’t plan to implement Security Appliances.

Cisco and ISS are in use and/or under consideration for more Network and Host-based IPS projects than others, as users seek integrated and appliance-based products.

Customers planning to spend more on Cisco, Juniper/NetScreen and others, but ISS and Nortel customers say they’re planning to spend less on these vendors.

Cisco, Juniper/NetScreen and RSA received the strongest corporate ratings from current customers; ISS and Open Source received the weakest corporate ratings.

Juniper, RSA and Check Point received the strongest product ratings from current customers; ISS and Open Source received the weakest product ratings.



This presentation contains confidential information which is the property of TheInfoPro and is given to the recipient pursuant to a confidential relationship between the recipient and TheInfoPro. Such information shall not be copied,

disclosed to others, or used for any purpose other than that for which is given, without the written permission of TheInfoPro, Inc.

TheInfoPro™ & logo are registered trade marks and property of TheInfoPro, Inc.

© 2004 TheInfoPro, Inc. All Rights Reserved.

645 Madison Avenue, 22nd Floor, New York, NY 10022P > 212-672-0010 F > 212-688-6598 E > [email protected]

www.TheInfoPro.net


TheInfoPro Security Study – Wave 3 n=198; Wave 4 n=161 (to date); Final Wave 4 n=220+ Smart...

Documents

Transcript of TheInfoPro Security Study – Wave 3 n=198; Wave 4 n=161 (to date); Final Wave 4 n=220+ Smart...