Market Analysis. Overview 2013 INTRUSION PREVENTION SYSTEMS. Authors: Rob Ayoub, Andrew Braunberg, Jason Pappalexis

Transcription

1 Market Analysis 2013 INTRUSION PREVENTION SYSTEMS Authors: Rob Ayoub, Andrew Braunberg, Jason Pappalexis Overview Prior to 2013, the intrusion prevention system (IPS) market was viewed as heading towards extinction. Lack of innovation from all but a handful of vendors, high prices for a single security function, and the dominance of next generation firewall (NGFW) platforms caused many organizations to move away from installation of a pure- play IPS. Then, beginning in late 2012 and through 2013, the IPS market began to redefine itself. New product announcements by IBM and HP and the market- changing news of the acquisition of Sourcefire by Cisco Systems are among some of the developments that have heralded renewed interest (and innovation) within the IPS market. While it is not yet evident whether these developments will slow the migration to NGFW platforms, they most certainly have boosted this market, offering next generation IPS (NGIPS) platforms aimed at improving workflow, forensics, and prevention capabilities. From the perspectives of size and growth, the market is entering a renewed growth phase. NSS Labs estimates this market will reach a growth rate of nearly 5 percent for the forecast period ( ). The market had generated over US$1.3 billion in annual revenue by the end of 2013, and NSS expects this number to grow to more than US$1.7 billion dollars by the end of IPS technology still represents a healthy portion of the overall infrastructure security market at just over 10 percent of that market. The degree to which organizations deploy NGFW in place of IPS or choose to replace IPS with NGIPS products over the next few years will ultimately shape this market. For many smaller organizations, NGFWs have proven effective in achieving most of the basic security and application controls. IPS as a pure- play technology is still an important part of the security stack, providing protection against a diversity of attacks; however, as the growing market share (and impressive test results) for vendors such as SonicWALL and Fortinet illustrates, many organizations are beginning to view IPS as a commodity technology that can be included in the firewall rather than as a separate device in the network. The 2013 acquisition of Sourcefire by Cisco and the 2013 acquisition of StoneSoft by McAfee (now part of Intel Security) demonstrates that the IPS market is still a relevant component in the modern network, providing detection, prevention, and response. NGIPS products are focused on improving security workflow, and many of these products are now closely affiliated with security information and event management (SIEM) products as well as breach detection systems (BDS).

2 IPS will continue to evolve as a core security component and will remain relevant as evasion techniques and protocol attacks become more sophisticated. To maintain this relevance, however, the difference between NGFW and NGIPS must be clearly distinguished. NSS Labs Findings In 2013, the IPS market grew at a rate of 4.2 percent to US$1.35 billion. The IPS market is expected to grow at an overall rate of 4.9 percent through 2018, reaching a total addressable market size of US$1.7 billion. The acquisition of Sourcefire by Cisco fills a long- standing gap in Cisco s IPS portfolio, and early indicators are that Cisco is basing many technology initiatives on Sourcefire technology. Newer IPS products (also called next generation IPS or NGIPS) have distinguished themselves from NGFW by focusing on detection through signatureless methods, including sandboxing, contextual awareness, and other forms of traffic analysis. Many IPS vendors focus on integration with threat intelligence and SIEM products to provide increased value to enterprise organizations through improved workflows and actionable intelligence 2

3 Table of Contents Overview... 1 NSS Labs Findings... 2 Analysis... 4 Methodology... 4 Market Definition... 4 Top Market Drivers... 4 An Increasingly Complex Threat landscape... 4 The Need for Improved Correlation and Context- based Protection... 5 The Need for a Security Platform that will Improve Security Workflow... 5 Top Market Challenges... 5 IPS Devices Have a High Total Cost of Ownership (TCO)... 5 Integration of IPS Technology into Other Products... 5 Confusion of IPS with Other Technologies... 5 Total Market Size and Growth Forecasts... 6 Total Units Shipped... 7 Vertical Market Trends... 7 Horizontal Market Trends... 8 Mergers and Acquisitions... 8 Cisco acquires Sourcefire... 8 McAfee (Intel Security) acquires Stonesoft... 8 Extreme Networks Acquires Enterasys... 9 Vendor Market Share... 9 Reading List Contact Information Table of Figures Figure 1 IPS Total Market Revenues and Growth Rate, 2011 to 2018 (Base Year 2013)... 6 Figure 2 IPS Total Market Revenues and Growth Rate (Graphic Representation) (Base Year 2013)... 6 Figure 3 Average Selling Price Forecast, (Base Year 2013)... 7 Figure 4 IPS Vertical Market Distribution, Figure Market Share by Vendor

4 Analysis 2013 marked the beginning of a period of revitalization for the declining IPS market, and with growth rates for the forecast period expected to be around 5 percent, the market appears to have stabilized. It accounted for over US$1.3 billion in revenue at the end of 2013, and this number is expected to grow to more than US$1.8 billion by the end of Methodology The NSS Labs Market Analyses are created using a robust methodology that is designed to provide an accurate picture of the particular market being evaluated. Once a market has been identified by NSS as a candidate for a Market Analysis, the vendor landscape is evaluated to identify market participants, and a detailed questionnaire is submitted to vendors, resellers, and customers. Vendors have the opportunity to perform fact checking on any information that is published by NSS. NSS is using 2013 as the base year for all forecasts and financial data for this Market Analysis. Market Definition NSS defines IPS devices as stand- alone appliances (hardware or virtualized) designed to decode and inspect every packet or stream that passes through them. These devices should allow legitimate traffic to pass while blocking attacks and evasion techniques. IPS devices are typically placed behind the firewall and/or other security devices and will often provide the final layer of inspection before passing data to internal hosts (exceptions would be where additional inspection technologies such as breach detection systems are deployed). Key considerations for organizations evaluating IPS devices include security effectiveness, resistance to evasion, stability, performance, manageability, and overall value. In the same way that the traditional firewall vendors transitioned to next generation firewall (NGFW) vendors, many IPS vendors began to add features in order to differentiate themselves from the basic IPS products that were a part of NGFW offerings. These new IPS products are referred to as next generation IPS (NGIPS). Key features that differentiate traditional perimeter IPS products from NGIPS products include application control, user awareness, integration with threat intelligence, and improved workflow and forensics capabilities. Top Market Drivers While many of the factors driving the IPS market have not changed in years, new products being introduced by some of its largest participants reflect the changes that are occurring. The top market drivers are: An Increasingly Complex Threat landscape The threat landscape continues to evolve as tools become easier to use and attackers continue to profit from their attacks. High- profile attacks against retailers such as Target, Inc. are raising awareness of the damage that can be wrought by determined attackers. Advanced attacks, along with the challenges posed by bring your own device (BYOD), make security challenging for organizations of all sizes. 4

5 The Need for Improved Correlation and Context- based Protection As attacks have become more complex, signature- based defenses have diminished in their effectiveness. All security products must evolve or become irrelevant, and IPS technology is no different. In order to improve accuracy of detection, many IPS solutions integrate threat intelligence feeds along with cloud- based analytics in order to improve accuracy. The Need for a Security Platform that will Improve Security Workflow A key differentiator for many new IPS products is their ability to integrate several disparate components under a single platform in order to improve the security workflow. As security practitioners seek out a platform that is able to perform prevention, detection, and response, the IPS becomes the clear choice. And as more IPS products integrate with SIEM, incident response, and other technologies, the ability for an IPS to be the command center of security operations becomes a key advantage of the platform and can offset the costs of maintaining a variety of security products as part of a workflow. Organizations are also recognizing that IPS devices are key components of the operations environment. Not only must organizations protect against known and unknown devices inside the network, they must also protect against known and unknown devices that access the network from outside the perimeter. Because of this, organizations are turning to next generation IPS devices that can leverage existing data to make informed decisions about potential threats in diverse scenarios. Top Market Challenges Many market challenges have been challenges for years, while newer challenges have arisen as a result of the commoditization of IPS technology and improvements to integrated security platforms. IPS Devices Have a High Total Cost of Ownership (TCO) IPS devices are highly specialized and have a high TCO compared to other security products. In addition to traditional maintenance and support costs, most vendors require subscriptions in order to access the most current threat data and signatures. Further, most IPS devices require considerable tuning to maximize security effectiveness, which means that technical staff must spend more time maintaining these devices than other security products. Integration of IPS Technology into Other Products The most significant challenge to pure- play IPS products has been the integration of IPS technology into multifunction devices such as NGFW. For many small and mid- sized organizations, this integration has been adequate. Unfortunately, many pure- play IPS vendors were late to challenge products from NGFW vendors, incentivizing smaller organizations to investigate NGFW alternatives instead of remaining IPS customers. Confusion of IPS with Other Technologies IPS technology can provide granular visibility into traffic on the network based on the traffic s location and the type of information being analyzed. Many IPS devices can provide some protection against distributed denial- of- service (DDoS) and other advanced attacks. As organizations decide between different protection mechanisms on the network, IPS vendors must ensure that the value proposition of IPS is clear. 5

6 Total Market Size and Growth Forecasts Figures 1 and 2 depict the total market size, annual growth, and compound annual growth rate (CAGR) of the IPS market from 2011 to Year Revenue Growth Rate , , % , % , % , % , % , % , % CAGR 4.9% Figure 1 IPS Total Market Revenues and Growth Rate, 2011 to 2018 (Base Year 2013) By the close of 2013, the market for IPS products had reached US$1,349 million; this number is expected to grow at a compound annual growth rate (CAGR) of 4.9 percent during the forecast period. IPS is entering a renewed growth phase, and for a number of reasons, organizations are evaluating new IPS devices. For some organizations, NGFW products are just not adequate, while for others their security architectures require IPS devices to drive workflow and forensics decisions. $1,800 $1,600 $1,400 $1,200 $1,000 $800 $600 $400 $200 $ % 5.00% 4.00% 3.00% 2.00% 1.00% 0.00% Figure 2 IPS Total Market Revenues and Growth Rate (Graphic Representation) (Base Year 2013) 6

7 Total Units Shipped Figure 3 depicts the total number of units shipped during the forecast period. Year Revenue ($Millions) ASP Units Units Growth Rate 2011 $1,256 $65,403 19, $1,295 $66,738 19, % 2013 $1,349 $68,100 19, % 2014 $1,409 $70,824 19, % 2015 $1,473 $73,657 20, % 2016 $1,546 $76,603 20, % 2017 $1,625 $79,667 20, % 2018 $1,712 $82,854 20, % CAGR 0.8% Figure 3 Average Selling Price Forecast, (Base Year 2013) NSS calculations are based on 19,814 units sold in 2013 at an average selling price (ASP) of US$68,100. Over the course of the forecast period, NSS estimates that the number of units sold will increase to 20,666, and the ASP will increase to US$82,854. The features and additional functionality included in new products, the heightened focus on enterprise and data center customers, and the number of platform options offered for upsell all will contribute to this higher ASP. Vertical Market Trends Key purchasers of IPS technology traditionally have been governments, financial organizations, and other large organizations. Today, however, some vendors are observing shifts in purchasing as the differences between NGIPS and NGFW products become more pronounced. While the government and financial services verticals remain the strongest for IPS, other verticals are starting to move away from dedicated IPS solutions. Healthcare and education verticals in particular are favoring NGFWs over NGIPS products. Reasons for this shift include the integration of wireless and security policies directly into NGFWs, end user awareness, and cost. Healthcare and education verticals in particular suffer from a lack of security resources, and the integrated functionality provided by NGFW is appealing. NGIPS vendors saw an uptick in sales in the utilities, manufacturing, and retail verticals in particular, with some customers citing the end of Windows XP support (and thus an inability to quickly update mission- critical systems that rely on Windows XP) as their motivation. As more smart equipment is introduced into utilities and other critical infrastructure components, providers are reviewing security technology that will monitor these new sensors in order to detect attacks. In the case of the retail vertical, incidents such as the Target breach have highlighted the need for stronger breach detection and forensics capabilities. 7

8 Figure 4 illustrates the predicted vertical market distribution from Vertical Government 25% 25% 25% 25% 25% 25% Financial 23% 23% 23% 23% 23% 23% Retail 17% 17% 18% 19% 19% 20% Utilities 14% 14% 15% 14% 15% 15% Healthcare 12% 12% 11% 11% 10% 9% Other 9% 9% 8% 8% 8% 8% Figure 4 IPS Vertical Market Distribution, Horizontal Market Trends Unlike the IPS vertical markets, which have been relatively stable over time, the horizontal market for IPS has seen the most drastic changes in recent years. Historically, IPS has targeted companies positioned in the mid- market and up (>500 employees). Since 2010, NGFW has eroded what was once a key horizontal market for IPS. Today, the market for IPS is almost entirely focused on the large enterprise, although some vendors do still provide lower throughput boxes to extend security to secondary corporate locations. The expertise that is required to properly maintain IPS along with its integration with SIEM and other security functions have elevated pure- play IPS to an advanced security platform that is best suited for enterprises. Mergers and Acquisitions Three acquisitions affecting the IPS market were completed in 2013: Cisco Systems acquired Sourcefire, McAfee (now part of Intel Security) acquired Stonesoft, and Extreme Networks acquired Enterasys Networks. While the Sourcefire acquisition dwarfed the Stonesoft acquisition in terms of dollars, both acquisitions were important. Extreme s acquisition of Enterasys had little to do with security, but could impact a long- standing IPS product line and its customers. Cisco acquires Sourcefire Sourcefire was almost acquired by Check Point in 2005, but the large quantity of Sourcefire products in the federal government space gave rise to concerns that the acquisition would be blocked, and Check Point (which had offered US$225 million for Sourcefire) was forced to walk away. As the market evolved, it became clear that being the last pure- play IPS vendor in the market made acquisition inevitable for Sourcefire, and in 2013, Cisco paid nearly three times Sourcefire s revenue (close to US$2.7 billion) to do just this. There was no doubt that Cisco was getting a great company for its money, but the key question was whether Cisco could execute on the integration. At the time of this writing, Cisco has been quick to integrate the Sourcefire team; has ensured continuity of top management; and thus far appears to be making considerable overall progress in the integration effort. Cisco made other security acquisitions in 2013 and 2014 specifically aimed at bolstering technology related to the Sourcefire acquisition, namely Cognitive Security and ThreatGRID. McAfee (Intel Security) acquires Stonesoft The McAfee/Stonesoft acquisition was smaller in terms of revenues than Cisco/Sourcefire, but illustrated McAfee s desire to continue innovation in the IPS market. Based in Finland, Stonesoft was an IPS and NGFW vendor that had 8

9 received recognition for its technology. The company was acquired for roughly 5x revenue and brought new and innovative technology to a McAfee product line that has performed consistently well over the years. As with other innovation- driven acquisitions, the key issue for McAfee was the extent to which the StoneSoft technology would be integrated into its existing product line. So far, McAfee has moved quickly to integrate the Stonesoft product line into its own IPS product suite. Extreme Networks Acquires Enterasys The acquisition of Enterasys Networks by Extreme Networks had much more to do with switches and routers than security, but it will still affect customers and product lines that have been long been established in the IPS market. Through its acquisitions by Siemens and now Extreme, the Enterasys Dragon IDS/IPS product line has sold consistently, and even though this product line is small in terms of annual revenues, there is a larger install base that is waiting to see if Extreme will continue to support it. Vendor Market Share Figure 5 illustrates the 2013 IPS market share by vendor. NGFW revenue from Check Point, Dell SonicWALL, Fortinet, Juniper, and other NGFW vendors is not included but will be attributed in the NSS Labs 2013 NGFW Market Analysis. HP 14.7% Others 3.6% Cisco 39.5% IBM 16.8% McAfee 25.5% Figure Market Share by Vendor 9

10 Market share allocation can be misleading in the IPS market. Since this Market Analysis evaluates only stand- alone IPS platforms, the impact of NGFW devices is not captured in figure 5. However, it is clear that Cisco s acquisition of Sourcefire and McAfee s acquisition of Stonesoft have helped establish their leading positions. HP and IBM both demonstrated strong recoveries in sales during Furthermore, NSS testing reveals that many NGFW vendors offer highly effective IPS products. In the future, key differentiators for the industry will be contextual awareness and improved security workflow. Reading List Network Intrusion Prevention Systems (IPS): Test Methodology v7.2. NSS Labs intrusion- prevention- systems- ips- test- methodology- v72 Next Generation Firewall: Test Methodology v5.4. NSS Labs generation- firewall- test- methodology- v54 10

11 Contact Information NSS Labs, Inc. 206 Wild Basin Rd Building A, Suite 200 Austin, TX USA This analyst brief was produced as part of NSS Labs independent testing information services. Leading products were tested at no cost to the vendor, and NSS Labs received no vendor funding to produce this analyst brief NSS Labs, Inc. All rights reserved. No part of this publication may be reproduced, copied/scanned, stored on a retrieval system, e- mailed or otherwise disseminated or transmitted without the express written consent of NSS Labs, Inc. ( us or we ). Please read the disclaimer in this box because it contains important information that binds you. If you do not agree to these conditions, you should not read the rest of this report but should instead return the report immediately to us. You or your means the person who accesses this report and any entity on whose behalf he/she has obtained this report. 1. The information in this report is subject to change by us without notice, and we disclaim any obligation to update it. 2. The information in this report is believed by us to be accurate and reliable at the time of publication, but is not guaranteed. All use of and reliance on this report are at your sole risk. We are not liable or responsible for any damages, losses, or expenses of any nature whatsoever arising from any error or omission in this report. 3. NO WARRANTIES, EXPRESS OR IMPLIED ARE GIVEN BY US. ALL IMPLIED WARRANTIES, INCLUDING IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, AND NON- INFRINGEMENT, ARE HEREBY DISCLAIMED AND EXCLUDED BY US. IN NO EVENT SHALL WE BE LIABLE FOR ANY DIRECT, CONSEQUENTIAL, INCIDENTAL, PUNITIVE, EXEMPLARY, OR INDIRECT DAMAGES, OR FOR ANY LOSS OF PROFIT, REVENUE, DATA, COMPUTER PROGRAMS, OR OTHER ASSETS, EVEN IF ADVISED OF THE POSSIBILITY THEREOF. 4. This report does not constitute an endorsement, recommendation, or guarantee of any of the products (hardware or software) tested or the hardware and/or software used in testing the products. The testing does not guarantee that there are no errors or defects in the products or that the products will meet your expectations, requirements, needs, or specifications, or that they will operate without interruption. 5. This report does not imply any endorsement, sponsorship, affiliation, or verification by or with any organizations mentioned in this report. 6. All trademarks, service marks, and trade names used in this report are the trademarks, service marks, and trade names of their respective owners. 11