After a long agonizing process that involved plenty of conversations with vendors, enterprises and other analysts, I have settled on this generic name for the tools primarily focused on detecting and investigating suspicious activities (and traces of such) and other problems on hosts/endpoints: Endpoint Threat Detection & Response.
So, to summarize:
- Category name: Endpoint Threat Detection & Response
- Capabilities: see On Endpoint Sensing
- Use cases: see Endpoint Visibility Tool Use Cases
- Examples: Mandiant (MIR and MSO tools), CarbonBlack, Guidance Software (EnCase Cybersecurity [yes, that really is the name of the tool] and EnCase Analytics tools), RSA ECAT, CounterTack, CrowdStrike, etc.
The tools do have somewhat differing capabilities (such as the extent of data analysis performed on the agent vs the backend, collection timing and scope, integration of OOB indicators/intelligence, etc), but IMHO belong under the same general label.
By the way, a few other related tools may have broader functions and thus may justify a broader name – in their case the name “Endpoint Threat Detection & Response” can be applied to relevant tool capabilities and not to the entire toolset. Examples include Tanium, Bit9, HBGary, etc.
This name reflects the endpoint (as opposed to the network), threats (as opposed to just malware and officially declared incidents) and the tools’ primary usage for both detection and incident response. While some may argue that the “endpoint” label may be seen as applicable to workstations and not to servers, this minor loss of precision seems acceptable for the sake of brevity (others will say that four words is already too long).
These tools usually do not focus on full disk image acquisition and analysis (traditional computer forensics), but some can acquire such data as well as perform other forensic functions. On the other hand, the “next gen” endpoint prevention/blocking/isolation-focused tools should get their own category – but they are not my problem at this point 🙂
There you have it! Thanks to everybody who participated in this discussion.
UPDATE (2015): these tools are now known as “EDR”; more recent Gartner research refers to them as EDR tools. In essence, ETDR (2013) = EDR (2015).
Posts related to the same project:
The Gartner Blog Network provides an opportunity for Gartner analysts to test ideas and move research forward. Because the content posted by Gartner analysts on this site does not undergo our standard editorial review, all comments or opinions expressed hereunder are those of the individual contributors and do not represent the views of Gartner, Inc. or its management.
I think this title sums up the space pretty well. Thanks for your agonizing research efforts here!
Anton,
Thanks for the excellent research work on this. I am eager to learn to understand how the market is growing and the future holds for this market.
Quick question for you – Do you see products such as Invincea and Bromium fall in this category or do they fit better in a different endpoint security category?
The primary difference I see is that Bromium and Invincea specialize in protection and CB, Mandiant etc. specialize in detection and aid with IR.
Thoughts?
@naresh The purpose of this effort is to analyze the tools that are focused on investigations (primarily) and detection (somewhat) and NOT on blocking/isolation. So, these tools you mention do not fall under the same label. Another analyst is looking at NG EPP and other advanced endpoint protection while I have my hands full with investigative tools.
@Anton, thanks for the clarification. Could you tell me who is looking at that space?
>who is looking at that space?
What do you mean? What types of organizations? Who at Gartner does? Or something else?
I mean, who at Gartner is researching that area? Who can I talk to, to learn more about that specific market?
@Naresh At this point, primarily myself – and to a lesser extent 2 other analysts (email me for the names)