IDC

November 2021

Worldwide Modern Endpoint Security for Enterprises 2021 Vendor Assessment

Michael Suby

Research Vice President, Security & Trust

Product Type: IDC MarketScape
This Excerpt Features: ESET


Worldwide Modern Endpoint Security for Enterprises, 2021

[Figure: IDC MarketScape vendor positioning chart; y-axis Capabilities, x-axis Strategies; categories Participants, Contenders, Major Players, Leaders]

  • Contenders: BlackBerry, Deep Instinct
  • Major Players: Cisco, Cybereason, ESET (featured vendor), FireEye, Fortinet, Kaspersky, McAfee Enterprise, SentinelOne, Trend Micro, VMware, WatchGuard, Broadcom, Palo Alto Networks, Check Point, Sophos
  • Leaders: CrowdStrike, Microsoft

IDC Opinion

The criticality of effective endpoint security has never been greater for enterprises. A principal reason is enterprises’ evolving IT footprint. Spurred by the COVID-19 pandemic, millions of office workers changed locations from onsite to work from home (WFH). While workers are gradually returning to the office, the workplace landscape for many organizations is unlikely to return to its pre-pandemic state. In addition, the usage of cloud applications surged during the pandemic as business leaders sought flexibility to support their immediate needs and to better compete in a digitally transformed future. 

This dual shift of workers and applications to off premises has been a gift to threat actors. The exploitability of personal computers (PCs) of WFH employees increased. In addition to being situated outside office-based perimeter defenses, these devices were now connecting full time through unmanaged home networks and, with increasing likelihood, being used for nonbusiness purposes and by other family members. The viability for threat actors to infect remote PCs, in essence, multiplied. And since users of these devices required access to cloud-based applications (custom and software as a service) and on-premises applications through a VPN to remain productive, the attractiveness of PCs as targets rose. Moreover, as worker remoteness increased along with access to both cloud and on-premises applications, business networks became flatter. Legacy approaches that use network segmentation as a security mechanism became less effective. This too benefited threat actors: their lateral movement from the first infected PCs to other PCs and connected IT systems encountered fewer barriers.

Not only have threat actors intensified their focus on endpoints, but they have also advanced their tradecraft. A decade ago, signature-based antivirus software was considered an adequate defense for identifying and removing malware from end-users’ devices. Times have radically changed. Threat actors no longer rely exclusively on dropping malware onto devices to carry out their attacks. Instead, they are more apt to manipulate legitimate software programs, tools, and files (i.e., living off the land attacks). Consequently, identifying behaviors of malicious intent has become a requirement in mounting an adequate defense.

Identifying malicious behaviors, however, is no simple task. The varied, wide ranging, and complex nature of what end-user devices (PCs and smartphones) are equipped to do blurs the distinction between malicious and legitimate behaviors. In addition, threat actors will orchestrate a series of actions, each seemingly benign, to further disguise their presence. Assembling the trail of related actions has become essential in uncovering active attacks and then responding with speed and precision to blunt them.

Building up endpoint security is crucial. Modern endpoint security (MES) products, the combination of endpoint protection platforms (EPPs) for deterministic prevention and endpoint detection and response (EDR) for post-compromise reaction, are the latest evolution in endpoint security designed to combat threats aimed at endpoints. It is confirmed through IDC research that the demand for modern endpoint security is on the rise. 

A modern endpoint security product, however, is not an island. Rather, it is a component in a constellation of complementary security technologies and operations that function together to fortify the security posture of endpoints and the resiliency of business functions. Given this more holistic view of modern endpoint security, enterprises should not limit their assessment to the independent merits of modern endpoint security products. They should also examine integration and workflow streamlining with and across other technologies that fortify security and enhance security and IT operations. These technologies include, but are not limited to, hardware-based device integrity checks and restoration, endpoint/IT hygiene management, file and data backup and recovery, and the evolution of EDR to eXtended Detection and Response (XDR).

Tech Buyer Advice

Just as the threat landscape has evolved, so too has the endpoint security market.

As the threat landscape has evolved with intensified focus on compromising endpoint devices, so too has the landscape of modern endpoint security vendors included in this IDC MarketScape. With this, enterprise endpoint security buyers have greater choice and opportunity to select a vendor that is best aligned with their circumstances and requirements. Our overarching advice is to evaluate vendors from the perspective of strategic fit. Selecting a vendor and its MES product is not only for combating the threats of today as they will be different tomorrow. Rather, the selection should be made from a long-term perspective on whether the vendor can adapt to the threats of the future while also reducing the cost and complexity of security operations. 

More tactically, IDC offers this advice to enterprise MES buyers:

  • Focus first on MES fundamentals: 
    • Protection efficacy. IDC buyer analysis revealed that enterprises’ top consideration in choosing a MES vendor is its research into never-before-seen threats and attack tactics. But buyers are not content with just research; they want results. There is no better result than automatically and deterministically blocking new forms of attacks. Independent evaluations of protection efficacy are useful guides in this regard but are not a panacea. IDC recommends conducting proofs of concept (POCs). We further recommend that EPP POCs become a routine activity. With existing vendors evolving their EPP capabilities and new vendors emerging with “next generation” approaches, comparative analysis in your environment is the best litmus test. Avoid the trap of being the enterprise that started its search for a more effective MES product only after it suffered a serious security incident.
    • EDR automation. Second on the list of buyers’ vendor selection criteria is incident investigation speed and ease. The unfortunate reality is that some attacks will evade the immediate preventions of EPP and establish a footprint on endpoints. Security teams need to be prepared. But just having EDR functionality is not enough; human engagement is required. Concentrating human engagement more on decision making and less on investigatory processes is vital in lessening threat actors’ dwell time and the time required of your security personnel. Therefore, automation is essential and is present in various forms, such as assembling and cross-correlating relevant data, visualizing the attack sequence, devising risk-rated responses, and executing the chosen response(s). In addition, enterprises cited automated threat hunting as an important factor in considering a MES vendor. Conducting a proof of concept is the most effective means of evaluating the vendor’s level of automation and its usability fit with your security personnel.
    • Device support. MES products can only deliver EPP and EDR capabilities on endpoint device types and operating systems (OS) that their software agents support. Obviously, you will want to confirm support for the device types and OS platforms that are in your environment. All vendors in this IDC MarketScape support recent OS versions of Windows and Mac. But Windows and Mac PCs are not the only device types attacked. Mobile devices, physical and virtual servers, and cloud workloads are also targeted. While vendors’ datasheets list supported device types and OSs, IDC recommends digging deeper into feature parity and feature distinction to ensure the vendor’s product is adequately equipped for all of your devices and provides unified management.
  • Examine cross-function integration. Endpoint security and endpoint management functions are intertwined. Unpatched and out-of-date software applications and OS versions are targets of exploitation by threat actors. When they are exploited, EPP and EDR become the next two layers of compensating security. Quite likely, your organization has a dedicated patch management solution in place. If that is the case, cross-vendor integrations should be examined for time-saving enhancements in workflows and acceleration in risk reduction. Alternatively, an increasing number of vendors offer patch management as part of their product suite. This too can be a suitable option if the feature set meets the varied needs of your IT estate. In addition, patch management is one of several functions that reduce an endpoint’s attack surface and, consequently, its exploitability. Other functions include device control, host firewall management, vulnerability assessment, micro-segmentation, and application blacklisting, whitelisting, and process-level allow listing. In your consideration of MES vendors, comparing their collection of attack surface reduction capabilities with those of dedicated products may reveal an effective and possibly more affordable approach to strengthening your security posture.
  • Evaluate XDR frameworks. Reaching a complete and speedy understanding of attacks affecting endpoints may require more than telemetry gathered from endpoints running a MES software agent. Telemetry from other sources (e.g., network sensors, perimeter defenses, email and web gateways, cloud access security brokers, and identity management services) can bring in beneficial context. Many of these sources can also be control points for applying attack-mitigating responses and in refining security policies. An oversimplified description, this is the realm of eXtended Detection and Response. Nearly all vendors in this IDC MarketScape have an XDR framework that encompasses their non-endpoint security product portfolios, ecosystem partners, or a combination of both. As part of your assessment of MES products, evaluate the vendor’s current state of XDR, future developments, and incremental security value and what a transition from EDR to XDR will entail (e.g., additional cost, technology upgrades, and staff training and augmentation).
  • Question ransomware defenses and recovery options. The consequences of ransomware incidents are a top-of-mind concern for business leaders, and for good reason. According to IDC’s July 2021 Future Enterprise Resiliency and Spending Survey, Wave 6, 75% of IT decision makers at organizations that experienced one or more ransomware incidents in the past 12 months indicated that significant extra resources, beyond what internal staff handled, were required to rectify the incident. Ransomware, like other forms of malware, frequently enters business networks through endpoint devices. Consequently, endpoint security products, like MES, are a vital line of defense. But just as ransomware has evolved to evade detection and, ultimately, to increase the likelihood of payment and the amount of the ransom, MES products must also evolve to detect ransomware and prevent its execution (e.g., data exfiltration and file encryption) and its propagation to other endpoints and critical systems. IDC recommends that you query MES vendors about their ransomware defenses and incident recovery options for returning affected files and endpoint configurations (e.g., changes to registry keys) to their previous known good state. As you do, assess these capabilities within the context of your overall business cyber-resiliency plans.
  • Gain perspective on incorporation of built-in device security capabilities. Worth repeating, threat actors will evolve how they conduct attacks. They will continuously probe for new avenues to enter and take over endpoints. While not yet mainstream, attackers compromising the device’s firmware is a possibility. Rather than react to this possibility once it becomes reality, ask MES vendors about their approach to confirming firmware integrity and restoration. Also ask about leveraging the device’s chip-based processing features in conducting or augmenting MES functions. Eventually, the measuring stick for endpoint security solutions will entail the collaboration of built-in device security with overlay on-device security software augmented with cloud-powered features. To make security-maximized decisions on device and MES product purchases, ask MES vendors about their current and planned approaches to leveraging built-in device security features.
  • Consider managed services options. Although MES vendors have and will continue to automate and simplify the use of EDR, experienced security professionals are needed to produce maximum return on EDR’s capabilities. IDC recommends that you consider the managed service options offered by MES vendors and/or their channel partners. As service needs vary by level of engagement (e.g., from on-demand collaboration to around-the-clock outsourcing) and tasks performed (e.g., threat monitoring, threat hunting, and threat response), seek a managed services arrangement that best aligns with your current needs and budget but is also flexible to adjust for changing circumstances.

Featured Vendor

This section briefly explains IDC’s key observations resulting in a vendor’s position in the IDC MarketScape. While every vendor is evaluated against each of the criteria outlined in the Appendix, the description here provides a summary of each vendor’s strengths and challenges.

ESET

ESET is positioned in the Major Players category in the 2021 IDC MarketScape for modern endpoint security for enterprises.

Approaching 35 years since its founding and serving both the corporate/commercial and consumer segments, ESET is among the most tenured vendors included in this IDC MarketScape. From its origins in Europe, the company has diversified geographically, and its commercial customer base is evenly spread across sub-100 endpoint companies to firms with thousands of endpoints. Constant throughout its history is a research and technology-driven culture and stable leadership.

Strengths

A private company, ESET is profitable and reinvests its profits into the disciplines that directly contribute to advancing its products, namely, software development, core threat research, and threat hunting. 

Tailoring its support of its expansive base of customers across western, central, and eastern Europe, ESET engages with its customers in the prevalent languages of their countries. Local language support, either directly or through partners, applies to the other regions where ESET has a material presence, namely, North America, Japan, and Latin America.

Willing to put its endpoint security products to the test, ESET’s participation in independent EPP evaluations is among the upper tier of vendors. With its EDR capabilities introduced in 2018 via ESET Enterprise Inspector, ESET’s participation in EDR evaluations did not start as early as other vendors, but the company has since been highly participatory in EDR evaluations involving multiple testing firms.

With a security product portfolio that includes email, cloud-hosted business apps, cloud access, data, and identity, ESET has a solid position relative to other vendors to offer a broad and natively integrated cross-product platform solution.

Assisting customers in overcoming their skill gaps, ESET with its in-house talent and through its partners offers MDR and managed threat hunting services.

As previously stated, ESET offers security to the consumer segment. As with other vendors that are active in the consumer segment, ESET benefits from the unique threat data it collects and analyzes.

Challenges

There are just a few capability areas where ESET is lacking. ESET does not have rollback remediation features, for example, to return ransomware-compromised user files and settings to their pre-attack state. The company’s focus, however, has been noticeably present in ransomware prevention through a pair of ESET-developed technologies: Network Attack Protection and Ransomware Shield. ESET is also limited in its hardware-based security capabilities. Pre-boot monitoring, while not hardware based, is related in that it provides protection below the application layer. In that regard, ESET added UEFI scanning as a standard feature. Its UEFI Scanner scans for threats that could launch before a device boots up.

ESET’s set of capabilities directed toward attack surface reduction is not as expansive as that of some other vendors in this market. ESET offers device control and host firewall management natively within its product. Vulnerability assessment and patch management are currently not part of ESET’s solution set, either natively or through third-party integrations.

Although ESET’s MES business is steadily growing, on a worldwide basis, ESET’s growth trails the overall market. The competitive risk to ESET is larger worldwide vendors crowding out ESET in POC invitations. 

Consider ESET When

Existing ESET endpoint security customers should trial ESET’s EDR capabilities and consider upcoming road map functionality. ESET’s long history of feature expansion will likely narrow potential differences between the company’s capabilities and those of competitors. In addition, ESET, as previously stated, has security products in other disciplines that provide useful telemetry for threat detection and represent additional control points for policy enforcement (preventive and reactive). This is beneficial for enterprises that want to unify their security stack with fewer vendors and are also comfortable with separate vendors for vulnerability assessment and patch management. In evaluating unification, do pay attention to centralized management and its contribution to improving security staff’s productivity. The administrator and analyst experience and actual cross-product integration versus claimed integration matter. In addition, compare ESET’s partner ecosystem with your multivendor environment to ensure cross-vendor telemetry exchange and response orchestration meets your requirements.

Methodology

IDC MarketScape Vendor Inclusion Criteria

Participating vendors met the following criteria:

  • From a single endpoint software agent, the vendor’s modern endpoint security product supports both endpoint protection platform and endpoint detection and response.
  • End-user personal computing device platforms supported by the modern endpoint security product must, at minimum, include the latest versions of Windows and macOS.
  • Vendor began selling modern endpoint security products to customers from January 2019 or earlier.
  • Sales to commercial and governmental customers of EPP (also referred to as antivirus or next-generation antivirus), EDR, and modern endpoint security products must have totaled at least $30 million (following generally accepted accounting principles [GAAP]) in calendar year 2020.
  • At year-end 2020, the vendor’s percentage of customers with 2,500 or more protected endpoints exceeded 5%.

Reading an IDC MarketScape Graph

For the purposes of this analysis, IDC divided potential key measures for success into two primary categories: capabilities and strategies. 

Positioning on the y-axis reflects the vendor’s current capabilities and menu of services and how well aligned the vendor is to customer needs. The capabilities category focuses on the capabilities of the company and product today, here and now. Under this category, IDC analysts will look at how well a vendor is building/delivering capabilities that enable it to execute its chosen strategy in the market.

Positioning on the x-axis, or strategies axis, indicates how well the vendor’s future strategy aligns with what customers will require in three to five years. The strategies category focuses on high-level decisions and underlying assumptions about offerings, customer segments, and business and go-to-market plans for the next three to five years.

The size of the individual vendor markers in the IDC MarketScape represents the market share of each individual vendor within the specific market segment being assessed. 

IDC MarketScape Methodology

IDC MarketScape criteria selection, weightings, and vendor scores represent well-researched IDC judgment about the market and specific vendors. IDC analysts tailor the range of standard characteristics by which vendors are measured through structured discussions, surveys, and interviews with market leaders, participants, and end users. Market weightings are based on user interviews, buyer surveys, and the input of IDC experts in each market. IDC analysts base individual vendor scores, and ultimately vendor positions on the IDC MarketScape, on detailed surveys and interviews with the vendors, publicly available information, and end-user experiences in an effort to provide an accurate and consistent assessment of each vendor’s characteristics, behavior, and capability.

Market Definition

Modern endpoint security products protect personal computing devices (PCDs, such as workstations and laptops) from cyberattacks through the detection of malicious code and behaviors present or operating within the PCD and then facilitate a counteracting response (e.g., block, remove, or isolate). Modern endpoint security products contain two detection and response mechanisms, differentiated by elapsed time and human involvement. Endpoint protection platforms (EPP) reach detection verdicts and initiate responses in real time and autonomously (i.e., without human involvement). Endpoint detection and response (EDR) is a second stage of detection and response for cyberattacks that have evaded EPP detection. With EDR, the time to reach detection verdicts and initiate responses can span minutes to days. How fast the cyberattack unfolds, its sequence of steps, and its sophistication and uniqueness are factors that affect the elapsed time in detection and response. Automation and predefined workflows assist in reducing the elapsed time. Security analysts (humans) are typically involved, at minimum, to confirm detection and/or authorize response.

Related Research

  • Top Technology Integration Opportunities for Unified Endpoint Management (IDC #US48266821, September 2021)
  • Market Analysis Perspective: Worldwide Tier 2 SOC Analytics, 2021 — Where the Puck Is Going (IDC #US47394921, September 2021)
  • Market Analysis Perspective: Worldwide Corporate Endpoint Security, 2021 (IDC #US48208121, September 2021)
  • IDC’s 2021 Ransomware Study: Where You Are Matters! (IDC #US48093721, July 2021)
  • Which Criteria Rank Highest in the Evaluation of Modern Endpoint Security Products? (IDC #US48053021, July 2021)
  • Worldwide Corporate Endpoint Security Forecast, 2021–2025: On a Higher Growth Trajectory (IDC #US47957021, June 2021)
  • Worldwide Corporate Endpoint Security Market Shares, 2020: Pandemic and Expanding Functionality Propelled Market Growth (IDC #US47768021, June 2021)
  • Insights from IDC’s EDR and XDR 2020 Survey: Operational Challenges and Initiatives Are Abundant (IDC #US47357921, January 2021)

IDC MarketScape: Worldwide Modern Endpoint Security for Enterprises 2021 Vendor Assessment

This IDC study represents a vendor assessment of modern endpoint security for enterprises through the IDC MarketScape model.