Neil MacDonald

A Member of the Gartner Blog Network


Defense-in-Depth Doesn’t Mean Spend-in-Depth

March 4th, 2009 · 7 Comments

In 2007, I was part of a research team that introduced the Endpoint Protection Platform (EPP) for Gartner, essentially a modular framework that provides multiple styles of security protection and controls to endpoints, delivered by a single vendor. For example, rather than purchasing and installing a separate product for firewalling, antivirus, antispyware, host intrusion prevention, application control, device control, patch management and so on, a single vendor and framework could provide all of this. This approach offers significant potential cost savings and a reduction in complexity.

In my discussions with clients on their 2009 EPP strategy, one of the questions I am asked quite often is “Doesn’t using a single vendor for all of these capabilities reduce my overall security because of a loss of Defense-in-Depth?”.

To understand the answer, let’s dig a bit deeper. Defense-in-Depth (DID) is a layering strategy for security policy enforcement controls: when one layer fails, either because the control is not functioning or because the malicious activity evades it, the other layers back it up using a different method (or style) of protection.

In this EPP example, if a piece of malware gets past the EPP firewall and evades a signature-based scan, the EPP solution may still catch it at runtime based on its behavior. That’s DID. The fact that the platform comes from a single vendor doesn’t reduce the effectiveness of the combined protection styles, provided each style genuinely operates differently and fails independently; the thing to check in a single-vendor platform is whether all the layers hinge on one shared component (a single agent process or a single update feed, say), because that shared component is where they would all fail together. Further, the platform should be adaptable to address new threats over time with additional capabilities that ‘plug into’ the platform.
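As an added illustration, not code from the original post or from any EPP product, the following Python models the three differently-styled layers described above (destination-based firewalling, hash-based signature scanning, and order-sensitive behavioral detection) and runs constructed samples through them. The hosts, hashes and action names are hypothetical. It shows a repacked sample evading the signature layer but being caught at runtime, and it shows that switching one layer off (the "not functioning" case) leaves the others intact rather than letting everything through.

```python
"""
Defense-in-depth as independent layers, each using a different style of
protection. Added illustration: not the original post's code and not any
vendor's implementation. Policy data and samples are constructed.
"""
import hashlib
from dataclasses import dataclass
from typing import Dict, FrozenSet, Optional


@dataclass(frozen=True)
class Event:
    name: str
    payload: bytes          # bytes the process writes to disk
    dest: str               # outbound host the process connects to
    actions: tuple = ()     # runtime behaviours observed, in order


# Constructed policy data (hypothetical). Each layer keys on a different thing.
BLOCKED_HOSTS = {"c2.example.invalid"}
KNOWN_BAD_SHA256 = {hashlib.sha256(b"known-bad-sample").hexdigest()}
SUSPICIOUS_SEQUENCE = ("write_autorun", "inject_remote_thread")


def firewall_layer(ev: Event) -> bool:
    """Network style: block by destination, regardless of file content."""
    return ev.dest in BLOCKED_HOSTS


def signature_layer(ev: Event) -> bool:
    """Signature style: exact hash match; a one-byte change evades it."""
    return hashlib.sha256(ev.payload).hexdigest() in KNOWN_BAD_SHA256


def behaviour_layer(ev: Event) -> bool:
    """Runtime style: flag if the suspicious actions occur in that order
    (as a subsequence), whatever the bytes on disk look like."""
    it = iter(ev.actions)  # shared iterator enforces ordering
    return all(any(a == step for a in it) for step in SUSPICIOUS_SEQUENCE)


LAYERS = (
    ("firewall", firewall_layer),
    ("signature", signature_layer),
    ("behaviour", behaviour_layer),
)


def evaluate(ev: Event, disabled: FrozenSet[str] = frozenset()) -> Optional[str]:
    """Return the name of the first layer that blocks `ev`, or None.

    A disabled (non-functioning) layer is skipped, never treated as a
    pass: the remaining layers still get their chance, which is the
    point of layering.
    """
    for name, check in LAYERS:
        if name in disabled:
            continue
        if check(ev):
            return name
    return None


# Constructed samples (hypothetical).
SAMPLES = [
    Event("known_bad", b"known-bad-sample", "update.example.invalid"),
    # Same malware, repacked: the hash differs, the behaviour does not.
    Event("repacked", b"known-bad-sample\x00", "update.example.invalid",
          ("write_autorun", "sleep", "inject_remote_thread")),
    # Novel sample that only reveals itself by where it calls home.
    Event("calls_home", b"novel", "c2.example.invalid"),
    Event("benign", b"installer", "update.example.invalid", ("read_config",)),
]


def coverage(samples=SAMPLES,
             disabled: FrozenSet[str] = frozenset()) -> Dict[str, Optional[str]]:
    """Which layer catches each sample (None means it got through)."""
    return {ev.name: evaluate(ev, disabled) for ev in samples}


if __name__ == "__main__":
    for cfg in (frozenset(), frozenset({"signature"})):
        print("disabled:", sorted(cfg) or "none", "->", coverage(disabled=cfg))
```

The "repacked" sample is the single-vendor question in miniature: the signature and behaviour layers are only a real second line of defense because they key on different evidence (file hash versus runtime actions). If both were thin wrappers over the same hash lookup, disabling or evading one would take the other with it, whether they came from one vendor or two.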

DID does not mean having to buy lots of point solutions from lots of different vendors to address each new threat.

Security vendors may want this. We don’t. We can’t. Not in this year of tight budgets.


Tags: Beyond Anti-Virus · Endpoint Protection Platform

7 responses so far

  • 1 Stiennon // Mar 5, 2009 at 12:41 pm

    Probably Gartner’s biggest internal conflict that I am aware of is your stance, Neil, on end point protection and single vendor-multi function tools, and other analysts’ relegating of a similar approach to network security to the SMB market. The enterprise is already listening to the value proposition of doing IPS in the content inspection firewall, so, call it something other than UTM and get over it!

  • 2 Neil MacDonald // Mar 5, 2009 at 6:55 pm

    Richard, thanks for the comment. I don’t see the conflict. There is not a conflict on the vision of the EPP. I’ve linked to the research where we introduce the concept in the blog post. We used to maintain separate magic quadrants for antivirus and personal firewalls. These have been retired and subsumed by the EPP magic quadrant (by the way, an update is in process and this will be published by the end of March).

    I believe what you are referring to is that a similar type of platform convergence is taking place in the network. For example, IPS and firewall functions coming together in what we call a ‘next-generation firewall’. We also research conceptually similar web security gateway platforms that bring together URL filtering, antivirus, antispyware and other capabilities. Likewise, we research email security gateway platforms which bring together antispam, antivirus, content filtering and other capabilities. So you are correct, the trend to move to security platforms is just as valid in the network as it is in the endpoint.

    Your reference to a ‘UTM’ takes this platform convergence further. For some organizations (and for branch office scenarios), there is need for all of these capabilities — a “convergence of convergences” — that brings together all of these network-based protection styles into a network-based platform which Gartner research refers to as a ‘multi-function firewall’ and which some vendors refer to as ‘unified threat management’ (UTM). While we use a different name, I don’t see any disagreement that these multi-function firewalls exist. I believe the concerns are how well it can scale to meet the performance and latency requirements of a larger organization and whether a given organization will benefit from grouping these functions together — for example: they might have a separate group managing email or web security; the topology and placement needs for firewalling, email and web protection may be quite different; the contracts for each might be on different replacement cycles; the email and web security filtering might be performed ‘in-the-cloud’; and so on.

    I’ll have my colleagues that focus on this area reply as well.

  • 3 Don’t Confuse Convergence Trends Between Host and Network Security, and Enterprise and SMB // Mar 6, 2009 at 10:42 am

    [...] Neil MacDonald blogged about the convergence trends in end point protection platforms (EPPs) here as part of defense in depth.  Host and network security have very different needs, and the [...]

  • 4 Adam Hils // Mar 6, 2009 at 1:16 pm

    Richard,

    We see “UTMs” used mostly in three use cases: SMB, enterprise branch office, and enterprise business-to-business (wherein an enterprise places machines at key partners and customers). We rarely see them in other use cases.

    Don’t get hung up on the definition of SMB; Gartner calls “SMB” 20-1000 employees, but many companies with larger employee populations purchase and deploy like SMBs, and lots of financial services firms (for example) with, say, 750 employees, act like large enterprises.

    If you remember, most enterprises did not adopt the first generation of EPPs. Management wasn’t well integrated, and they were performance hogs that slowed many a machine unacceptably. As vendors fixed problems in subsequent versions, the enterprise started adopting in greater numbers.

    Multi-function firewalls/UTMs are, similar to early-generation EPPs, problematic to the enterprise except in certain use cases. Most large enterprises are unwilling to make the tradeoffs necessary to accept the challenges that come with a fully-deployed, everything-on UTM. As Neil mentions above, the buying centers for each function are different; the security safeguards are at different levels of operationalization; and large enterprises rarely have contracts for web, email, and network security that expire concurrently.

    Exceptions exist. But they are exceptions.

    We do not believe that all multi-function security platforms are bad for all enterprises. We will, however, draw distinctions between how suitable they are for different customer types, taking into account such factors as performance, features, management integration/sophistication, customer needs, etc. That’s our job.

  • 5 Oops, I Spoke Too Soon. // Jun 25, 2009 at 8:39 am

    [...] and paying for software assurance, you get this for “free” with BitLocker. More importantly, Endpoint Protection Platform vendors such as McAfee, Sophos and Check Point also offer full drive encryption and will often [...]

  • 6 Yes, Macs are Vulnerable Too. // Sep 25, 2009 at 10:25 am

    [...] My answer: Forget the OS. Do users download and install arbitrary code/applications? (don’t forget, this includes browser plug-ins as well). If so, I don’t care if you are running Macintosh, Linux, or Windows the answer is you need protection from malware, including signature-based mechanisms (historically referred to as AV…). Just like on Windows PCs signature-based detection mechanisms are not enough and we need to augment this with firewalling, application control and other styles of endpoint protection within an endpoint protection platform. [...]

  • 7 Three Things for Thursday: A Big Week // Oct 1, 2009 at 7:54 pm

    [...] us, including enterprise users. No one should be paying extra for antispyware in 2009. Demand your Endpoint Protection Platform vendors to deliver more at the same price – just like the rest of IT has gotten for years [...]
