My colleague Lawrence Pingree and I just published a Competitive Landscape on the EDR market (see Competitive Landscape: Endpoint Detection and Response Tools) and found a booming market that more than doubled in 2016, from $238 million in 2015 revenue to about $500 million in 2016. Just four vendors – Tanium, FireEye, CrowdStrike and Carbon Black – account for over half of the EDR revenues.
Nonetheless, these and other EDR vendors face stiff market challenges they must meet if they are to remain competitive going forward. Here’s a summary of the challenges and trends that we discuss in our research note:
1. Endpoint Security Functionality
- Protection: Legacy EPP vendors in the $3.2 billion (2015) market are adding detection and response functionality to their products, and conversely EDR vendors must add endpoint protection to keep up. (Many already have.)
- User behavior analytics: EDR applications examine processes, but enterprises want user context and user roll-ups for more meaningful and actionable alerts. Already, Gartner clients are using UEBA applications like E8 Security and Exabeam to ingest EDR data to make more sense of the reams of records therein. See Market Guide for User and Entity Behavior Analytics. Likewise, EDR vendors are planning to add UEBA functionality to their products so clients don’t have to go elsewhere.
- Data and information analytics: Vendors like ThinAir use endpoint agents to offer protection and detection capabilities around data and information, giving enterprises actionable information that goes well beyond the system process view. Indeed, there’s an entire endpoint security market budding around information and data protection – see Market Guide for Information-Centric Endpoint and Mobile Protection.
2. Managed Endpoint Security Services
- Time-stretched and resource-constrained CISOs and security units simply don’t have the bandwidth to proactively wade through reams of EDR data hunting for threats and figuring out how to respond to them. Many CISOs are turning to managed threat hunting and response services, and EDR vendors need to offer these to stay competitive. Many already do, either on their own or through partnerships, e.g. CrowdStrike, Cybereason, and Carbon Black.
- Our recent survey on buyer behavior shows that almost 60% of surveyed enterprises with an on-premises EPP/MDM platform plan to move to a managed endpoint security service in the next 24 months. See Survey Analysis: Trends in End-user Security Spending, 2017 for more information on this trend.
3. Market Consolidation
- We expect to see considerable consolidation in the endpoint security market going forward. Organizations with security budgets of $10 million or more use an average of 13 security vendors (the average across all enterprises is about 9 vendors), too high a number for most organizations. Indeed, about 90% of surveyed enterprises plan to consolidate the number of security vendors they use in the next 12 to 18 months.
Bottom line: As we point out in our Competitive Landscape report, the endpoint security market is growing but providers face increasing pressure from many corners of the market. In the end, users want simple-to-use products with actionable information that don’t require highly skilled staff to manage. That means endpoint security products need to elevate the information and alerts they provide to the user and data level and further automate their response and remediation capabilities. And even after they do all that, many enterprises will still prefer managed services.