Magic Quadrant For Intrusion Prevention

Magic Quadrant for Intrusion Prevention Systems

16 November 2015
ID: G00271823
Analyst(s): Craig Lawson, Adam Hils, Claudio Neiva

The network IPS market continues being absorbed by next-generation firewall placements at the perimeter. Next-generation IPSs offer the best protection and are responding to pressure coming from the uptake of advanced threat defense solutions and the requirement to provide cloud placements.

Market Definition/Description

The network intrusion prevention system (IPS) appliance market is composed of stand-alone physical and virtual appliances that inspect defined network traffic either on premises or in the cloud. They are often located in the network to inspect traffic that has passed through perimeter security devices, such as firewalls, secure Web gateways and secure email gateways. While intrusion detection systems (IDSs) are still often used for certain use cases, most IPS devices are deployed in line and perform full-stream reassembly of network traffic. They provide detection via several methods — for example, signatures, protocol anomaly detection, behavioral monitoring or heuristics, advanced threat defense (ATD) integration, and threat intelligence (TI). When deployed in line, IPSs can also use various techniques to detect and block attacks that are identified with high confidence; this is one of the primary benefits of this technology. The capabilities of leading IPS products have adapted to changing threats, and next-generation IPSs (NGIPSs) have evolved incrementally in response to advanced targeted threats that can evade first-generation IPSs (see "Defining Next-Generation Network Intrusion Prevention").

This Magic Quadrant focuses on the market for stand-alone IPS appliances; however, IPS/IDS capabilities are also delivered as functionality in other network security products.
Network IPSs are provided within a next-generation firewall (NGFW), which is the evolution of enterprise-class network firewalls, and include application awareness and policy control, as well as the integration of network IPSs (see "Magic Quadrant for Enterprise Network Firewalls"). IPS capability is available in unified threat management (UTM) "all-in-one" products that are used by small or midsize businesses (see "Magic Quadrant for Unified Threat Management"). We have also begun to see basic IPS functionality provided by a small number of network ATD prevention vendors. Gartner observes that the maturity of IPS modules embedded with ATD solutions has yet to be proven.

So while the stand-alone IPS market is slowly shrinking, the technology itself is more widely deployed than ever before on various platforms and in multiple form factors. The technology is increasingly ubiquitous.

In addition, some vendors offer IPS and IDS functionality in the public cloud in order to provide controls closer to the workloads that reside there. Gartner is tracking the growth of these deployments carefully, and will monitor their efficacy.

Stand-alone IPS is deployed for the following use cases:

- When the staff managing the IPS does not manage the firewalls
- When best-of-breed protection is required or preferred
- As an IDS on parts of the internal network
- When high-performance IPS throughput is required
- To provide network segmentation on parts of the internal network

Magic Quadrant

Figure 1. Magic Quadrant for Intrusion Prevention Systems

STRATEGIC PLANNING ASSUMPTIONS

Today, 40% of enterprises have implemented stand-alone IPSs. By year-end 2017, this will decline to 30% due to increased adoption of next-generation firewalls with an embedded IPS capability.

Less than 35% of Internet connections today are secured using NGFWs.
By year-end 2018, this will rise to at least 85% of the installed base, with 90% of new enterprise edge purchases being NGFWs.

In 2018, 10% of new stand-alone IPS placements will be in a public or private cloud.

EVIDENCE

Gartner used the following input to develop this Magic Quadrant:

- Results, observations and selections of IPSs, as reported via multiple analyst inquiries with Gartner clients
- A formal survey of IPS vendors
- Formal surveys of end-user references
- Gartner IPS market research data

OASIS taking over the development of the STIX/TAXII standard: "OASIS Advances Automated Cyber Threat Intelligence Sharing With STIX, TAXII, CybOX," oasis open, 16 July 2015.

Details on STIX (http://stix.mitre.org/) and TAXII (http://taxii.mitre.org/)

Wins Common Criteria: "Wins Technet Sniper IPS V5.0E2000 Certification Report" and Common Criteria: Certified Products

HP divests the TippingPoint division to Trend Micro: "Trend Micro Acquires HP TippingPoint, Establishing Game-Changing Network Defense Solution," Trend Micro, 21 October 2015.

Intel Security divests its firewall products: S. Kuranda, "Intel Security to Sell McAfee NGFW, Firewall Enterprise Businesses to Raytheon/Websense," CRN, 27 October 2015.

EVALUATION CRITERIA DEFINITIONS

Ability to Execute

Product/Service: Core goods and services offered by the vendor for the defined market.
This includes current product/service capabilities, quality, feature sets, skills and so on, whether offered natively or through OEM agreements/partnerships as defined in the market definition and detailed in the subcriteria.

Overall Viability: Viability includes an assessment of the overall organization's financial health, the financial and practical success of the business unit, and the likelihood that the individual business unit will continue investing in the product, will continue offering the product and will advance the state of the art within the organization's portfolio of products.

Sales Execution/Pricing: The vendor's capabilities in all presales activities and the structure that supports them. This includes deal management, pricing and negotiation, presales support, and the overall effectiveness of the sales channel.

Market Responsiveness/Record: Ability to respond, change direction, be flexible and achieve competitive success as opportunities develop, competitors act, customer needs evolve and market dynamics change. This criterion also considers the vendor's history of responsiveness.

Marketing Execution: The clarity, quality, creativity and efficacy of programs designed to deliver the organization's message to influence the market, promote the brand and business, increase awareness of the products, and establish a positive identification with the product/brand and organization in the minds of buyers. This "mind share" can be driven by a combination of publicity, promotional initiatives, thought leadership, word of mouth and sales activities.

Customer Experience: Relationships, products and services/programs that enable clients to be successful with the products evaluated. Specifically, this includes the ways customers receive technical support or account support. This can also include ancillary tools, customer support programs (and the quality thereof), availability of user groups, service-level agreements and so on.

Operations: The ability of the organization to meet its goals and commitments. Factors include the quality of the organizational structure, including skills, experiences, programs, systems and other vehicles that enable the organization to operate effectively and efficiently on an ongoing basis.

Completeness of Vision

Market Understanding: Ability of the vendor to understand buyers' wants and needs and to translate those into products and services. Vendors that show the highest degree of vision listen to and understand buyers' wants and needs, and can shape or enhance those with their added vision.

Marketing Strategy: A clear, differentiated set of messages consistently communicated throughout the organization and externalized through the website, advertising, customer programs and positioning statements.

Source: Gartner (November 2015)

Vendor Strengths and Cautions

Cisco

Cisco, which is headquartered in San Jose, California, has a broad security product portfolio and has had IPS offerings for many years. In 2013, Cisco acquired Sourcefire. Cisco has now completed the transition to make the Sourcefire IPS its sole IPS engine.
Cisco has executed on its end-of-sale plan for the non-Sourcefire IPS appliances, in keeping with the transition. The Sourcefire line currently does not share a management console with other Cisco security products.

Cisco has IPSs available under the FirePOWER brand in the 7000 and 8000 Series Appliances, and a virtual appliance (NGIPSv). The top model runs up to 60 Gbps of inspected throughput. The same IPS is available in the Cisco Adaptive Security Appliance (ASA), labeled as "with FirePOWER Services." Additionally, the software-based IPS within the Cisco Internetwork Operating System (IOS)-based routers and Integrated Services Routers (ISRs) is also capable of using the Sourcefire IPS engine. Cisco has a phased plan aimed at introducing FirePOWER services across its Integrated Services Router (ISR) platforms. The Meraki platform also runs the Snort engine.

Cisco is evaluated as a Leader because of its ability to lead the market with new features based on the former Sourcefire products, and because it has the highest visibility in Gartner client shortlists for IPSs.

Strengths

- Cisco's adoption of the Sourcefire technology as its standard IPS greatly improves the quality of Cisco's IPS offering and preserves market-leading IPS capability. The combined lab teams provide a large vulnerability and signature research capability. Gartner assesses the acquisition as having been successful.
- Cisco has wide international support, an extremely strong channel and the broadest geographic coverage. Enterprises that already have a significant investment in Cisco security products, or that use Cisco Security Manager (CSM), often consider Cisco IPSs as a possible solution.
- The Advanced Malware Protection (AMP) products provide a quicker path to adding advanced threat capabilities to IPSs for Cisco than previous roadmaps.
  It is also now competing well against stand-alone and established advanced persistent threat (APT) solution vendors.
- Cisco has a large market share for specialized IPS appliances, providing a rich collection medium for observing threats in the wild.

Cautions

- Current Cisco IPS clients looking to transition to newer products can do so, provided they accommodate having to use a different console. This limits the advantages of incumbent Cisco customers. Gartner believes a unified console will be available by mid-2016.
- Gartner recommends that negotiations include a discussion on extensive discounting or inclusion of the console where the current Cisco security management products are already in place, considering that the dual-console adoption will likely be temporary.
- Some clients have referred to performance impacts when enabling AMP for Networks services on existing sensors.

Sales Strategy: The strategy for selling products that uses the appropriate network of direct and indirect sales, marketing, service, and communication affiliates that extend the scope and depth of market reach, skills, expertise, technologies, services and the customer base.

Offering (Product) Strategy: The vendor's approach to product development and delivery that emphasizes differentiation, functionality, methodology and feature sets as they map to current and future requirements.

Business Model: The soundness and logic of the vendor's underlying business proposition.

Vertical/Industry Strategy: The vendor's strategy to direct resources, skills and offerings to meet the specific needs of individual market segments, including vertical markets.

Innovation: Direct, related, complementary and synergistic layouts of resources, expertise or capital for investment, consolidation, defensive or pre-emptive purposes.

Geographic Strategy: The vendor's strategy to direct resources, skills and offerings to meet the specific needs of geographies outside the "home" or native geography, either directly or through partners, channels and subsidiaries as appropriate for that geography and market.

Hewlett Packard Enterprise

Based in Palo Alto, California, Hewlett Packard Enterprise (HPE) is a large, global, broad-based IT and service vendor that has now completed its split from HP. On 21 October 2015, HPE announced that it is divesting the TippingPoint division to Trend Micro. The Enterprise Security Products (HPE ESP) group is where the TippingPoint business resides until the divestiture becomes final. HPE ESP is already a Trend Micro partner, packaging its Deep Discovery advanced threat software on an HPE appliance under the name TippingPoint Advanced Threat Appliance. HPE ESP has announced its intention to continue to partner with Trend Micro after the divestiture becomes final, to help serve its customers' network security needs.

The top IPS model only runs up to 20 Gbps of inspected throughput, and has IPS blades that run in HPE networking switches (which are not evaluated here). The TippingPoint IPS is also delivered in its enterprise firewall, first released in 3Q13, using an Intel-based platform. This is a move away from the traditional network processing unit (NPU) architecture used for a decade. This move from custom to more commodity Intel CPUs is also moving through the IPS line as well. IPS content updates are provided through TippingPoint's Digital Vaccine Labs (DVLabs) filters.
The DVLabs team runs the Zero Day Initiative (ZDI) program, which continues to be an excellent source of vulnerability information for TippingPoint products, while also supporting independent vulnerability researchers.

We expect the move of TippingPoint to Trend Micro to be an overall net positive for TippingPoint customers, as their IPS platforms will gain natively integrated advanced threat capabilities, a significantly larger channel with more expertise in selling security and access to Trend Micro's significant research resources. Trend Micro will enter the IPS market with a competitive solution.

TippingPoint is assessed as a Challenger because HPE has not executed well operationally or on its roadmap with TippingPoint. It also has not yet positioned its IPS within a coherent overall network secur
