Microsoft, CrowdStrike Lead Endpoint Protection Gartner MQ
Endpoint Security , Open XDR , Security Operations
Cybereason Enters Leaders Quadrant While Trellix Falls From Leader to Niche Player Michael Novinson (MichaelNovinson) • March 16, 2023
Microsoft and CrowdStrike once again dominate Gartner’s Magic Quadrant for Endpoint Protection. Cybereason has risen to the leaders quadrant and Trellix has fallen to a niche player.
The endpoint protection market has rapidly matured in recent years – 80% of organizations have already adopted a cloud-based offering and half of businesses have already upgraded from antivirus software to endpoint detection and response, said Gartner Vice President and Analyst Peter Firstbrook. The remaining buyers tend to be less mature and need someone to manage the product on their behalf.
Clients increasingly want to integrate their endpoint protection technology into a broader security ecosystem via XDR, bringing endpoint telemetry together with that from network, email and identity settings, Firstbrook said. Sophisticated buyers are taking a more strategic approach to their endpoint protection purchases and want products that will help consolidate their technology stack and correlate data (see: CrowdStrike, Microsoft, Trend Micro Top EDR Forrester Wave).
“We’re tired of buying in siloes,” Firstbrook told Information Security Media Group. “It’s becoming less of a point purchase and more of a sophisticated play.”
Microsoft, CrowdStrike, SentinelOne, Trend Micro and Sophos were recognized by Gartner as endpoint protection leaders both this year and last, but their position within the quadrant has shifted. Last year, Microsoft and CrowdStrike sat way above the pack in execution ability, and Trend Micro was a distant third. The gap between the top two and everyone else has shrunk dramatically, and SentinelOne is now in third place.
Firstbrook said SentinelOne appeals to late-stage buyers in sectors such as manufacturing and retail where legacy operating systems are more pervasive and clients have environments that aren’t fully connected to the internet. And Trend Micro and Sophos are the only leaders who can bundle endpoint protection and robust network security technology together. Sophos excels in Europe and Trend in APAC.
“It’s becoming less of a point purchase and more of a sophisticated play.”
– Peter Firstbrook, vice president and analyst, Gartner
In completeness of vision, Gartner last year saw CrowdStrike and Microsoft as head and shoulders above everyone else. But this year, Microsoft barely beat SentinelOne for the silver, and Cybereason trailed closely behind in fourth place. Cybereason leapfrogged from the visionaries to the leaders quadrant due to dramatic improvements in execution ability, where the company jumped from 12th place last year to fourth this year.
A larger percentage of Cybereason customers are using MDR technology than any of its peers, and Cybereason has benefited from investments in the government vertical and a SecOps partnership with Google, Firstbrook said. CrowdStrike does well with sophisticated banks and financial institutions looking to secure the cloud, while Microsoft appeals more to smaller C-suite buyers than technical buyers, according to Firstbrook.
Trellix Tumbles From Leader to Niche Player
Moving in the opposite direction was Trellix, which was formed early last year through the combination of the FireEye products and McAfee Enterprise organizations. Although McAfee on its own had been recognized as an endpoint protection leader by Gartner, the combined organization only achieved niche player status due to what Firstbrook saw as challenges in integrating the two distinct product portfolios.
Trellix lags behind the market in making a unified XDR offering available to clients, and the company’s products are unlikely to appeal to people beyond the legacy McAfee and FireEye customer bases, Firstbrook said. The separation from Mandiant and the spinout of Skyhigh Security will make it harder for Trellix to deliver managed security services and help customers with consolidating their security stacks.
“They’re not super attractive for any new company that’s, like, ‘I don’t have anything in mind. What would you choose?’ You aren’t going to say, ‘Oh, yeah, Trellix is a perfect choice,'” Firstbrook told ISMG. “There’s nothing they do that really leads. They have a bunch of products that are kind of integrated, and we don’t know what their XDR is going to look like. They’ve got a lot of legacy technical debt.”
Trellix told ISMG it has greatly simplified its deployment and upgraded experience, policy management, threat alerting and investigation experience to provide a unified single pane of glass view. The company has a three-year strategic agreement with Mandiant for MDR services as part of a partner-led strategy and said both its business through Mandiant and its XDR revenue have increased by double digits (see: Trellix CEO on Unifying Endpoint, SecOps and Data Protection).
“Gartner’s MQ for EPP evaluation is based on demo recordings and data submitted in February 2022 for a report that was published in March 2023, creating an obsolete representation of Trellix’s strategic vision and our business and technological developments,” Trellix said. “We call for conversation and analysis to move toward new trends shaping the future of cybersecurity for SecOps and CISOs – XDR.”
How Does Market Share Data Align With Gartner’s Evaluation?
CrowdStrike and Microsoft’s domination of the endpoint protection market is reflected in IDC market share data, where each has double the share of any competitor and is growing much faster than the $8.65 billion market as a whole. Outside the top two, though, Gartner’s rankings diverge significantly with how much of the market each company controls today.
Three of the other companies recognized as leaders by Gartner – Trend Micro, Sophos and SentinelOne – are fourth, sixth and 10th in endpoint security market share, respectively, while Cybereason didn’t crack the top 10. Visionaries VMware and Broadcom are fifth and eighth in market share, challenger Eset is seventh, niche player Trellix is third, and Kaspersky, which is ninth, fell out of the Magic Quadrant altogether, IDC found.
Outside of the leaders, here’s how Gartner sees the endpoint protection market:
- Visionaries: Palo Alto Networks, Cisco, Broadcom, VMware, Fortinet
- Challenger: Eset
- Niche Players: Trellix, Bitdefender, WithSecure, Check Point, BlackBerry, Deep Instinct
Microsoft Bolsters Protection Beyond the Windows Ecosystem
Microsoft has over the past year released mobile network protection, debuted anti-malware capabilities for Linux, macOS and Android and rolled out support for device isolation, Corporate Vice President of Microsoft 365 Security Rob Lefferts wrote in a blog. The firm’s new approach to configuration makes it easier for customers to protect both managed and unmanaged devices from a single unified portal.
In addition, the company’s new alert suppression feature offers more granular controls for automating and streamlining alerts, which Microsoft said will save IT and security teams hours of manual labor. For small businesses, Lefferts said, the new Microsoft Defender for Business will provide enterprise-grade security at a price point that allows smaller organizations to thrive (see: Microsoft Security Sales Hit $20B as Consolidation Increases).
“For years, chief information security officers chose best-of-breed security tools with the highest protection at the time of an individual workload but these solutions were poorly integrated and so there was significant downside,” he wrote. “CISOs can now choose solutions that are both best of breed in areas such as endpoint security and tightly integrated – delivering better protection while saving costs.”
Gartner criticized Microsoft for lacking a full MDR service, providing limited support for older operating systems, being poorly suited for organizations without experienced security operations staff or MSSP partners, and having complex licensing and packaging for Defender for Endpoint. Microsoft declined an ISMG interview request.
CrowdStrike XDR Treats First-Party, Third-Party Data the Same
CrowdStrike’s XDR tool unifies endpoint, network, identity and cloud telemetry from multiple vendors in a way that goes far beyond how a SIEM incorporates third-party log sources and events, said President Michael Sentonas. The company’s threat graph structures data in the same way regardless of whether it’s from CrowdStrike or a third party, facilitating robust AI/ML models, threat hunting and automated responses.
The company uses artificial intelligence and machine learning rather than signatures for prevention, which Sentonas said provides the necessary visibility to thwart the 71% of attacks that don’t use any malware at all. CrowdStrike relies on its managed threat hunting and indicators of attack capabilities to determine if a pattern of behavior observed in a customer’s environment is malicious or benign, he said (see: CrowdStrike Goes Downmarket With Dell Pact, Small Biz Bundle).
“We’ve demonstrated having the leading strategy for a number of years now,” Sentonas told ISMG. “What gives us that score is our products, our strategy, demonstrated leadership, our innovation, our business model, our support offering and a global footprint.”
Gartner criticized CrowdStrike for high pricing, an immature approach to XDR and a lack of on-premises management for “air-gapped” or low-bandwidth environments. Sentonas said CrowdStrike’s focus on native cloud capabilities resonates well with customers and that the company provides better value and total cost of ownership than competing products even if CrowdStrike’s list price is higher.
“We’ve got 23 modules with an exciting road map, and we will release a number of new modules this year,” Sentonas said. “We demonstrated significant results in cloud and identity and other emerging products, whether it’s attack surface management through to LogScale. We will continue to innovate in those areas.”
SentinelOne Simplifies Analyst Experience Through Automation
SentinelOne has changed the underpinnings of its platform to ingest not only native data from its agent, Mac, Linux or virtualized environments, but also third-party data to enrich and enhance the experience for security operators, said Vice President of Competitive Strategy Grant Moerschel. Joining first-party and third-party data from firms such as Okta allows for a more robust set of actions and responses, he said.
The company also has invested in endpoint automation capabilities, allowing millions of puzzle pieces to be automatically assembled in real time for analysts without forcing humans to put the picture together themselves, Moerschel said. SentinelOne excels at helping clients determine what’s happening on their endpoint regardless of internet connectivity and has invested very heavily in cloud workload protection (see: SentinelOne CEO: Cloud Security May Be Bigger Than Endpoint).
“We’re putting more of the day-to-day operational componentry for cloud and for endpoints and now identity into one place to provide a much easier user experience,” Moerschel told ISMG. “Customers like the treatment they get from us alongside the actual product itself.”
Gartner chided SentinelOne for having low brand awareness and an evolving XDR product, lacking deep ties with network security solutions, and being unable to fully support on-premises deployments and systems not directly connected to the internet. Moerschel said customers will be able to pull in Cisco and Palo Alto logs and network telemetry later this year and will have a robust air-gapped on-premises tool by 2024.
“CrowdStrike and Microsoft are just larger companies, and they have massive marketing budgets,” Moerschel said. “We spend less money from a marketing standpoint than they do. But we are increasing marketing spend to further brand awareness. Having been here myself for over five years, I can say that we definitely have transitioned to a company that people know.”
Cybereason Doubles Down on Reducing Mean Time to Recover
Cybereason can deliver threat hunting, prevention, detection and response across modern and legacy Windows, Mac and Linux operating systems and mobile and cloud environments in both on-premises and SaaS environments, said CISO Israel Barak. The company has focused on decreasing the time needed to respond to incidents with its managed detection and response tool to reduce the impact of an attack.
Cybereason has introduced additional automation capabilities as part of its MDR service that tap into specific playbooks and response workflows to automate orchestration and response actions, Barak said. The company’s platform can be used by SOC teams and incident responders since it provides forensic data from compromised endpoints and can execute IR tools and scripts and remediation and containment (see: CEO Lior Div on Cybereason’s ‘Massive Investment’ Around XDR).
“An analyst in a SOC can quickly understand the full scope of an incident and what mitigation strategies they need to take,” Barak told ISMG. “Customers are looking to close and mitigate incidents as quickly as possible.”
Gartner criticized Cybereason for having limited language support, using a considerable amount of memory, hampering execution ability through layoffs, and lacking SSE, email, network and data protection. Barak said Cybereason intends to expand its user interface language coverage and integrate more use cases through its XDR architecture and has found its agent doesn’t use many resources or hamper operations.
Trend Micro Treats Endpoint as High-Value Sensor for XDR
Trend Micro wants to synthesize its endpoint, network and email security capabilities to blur the lines between point products and provide higher fidelity detection to customers, said Vice President of Market Strategy Eric Skinner. Endpoint is increasingly being treated as a high-value sensor for XDR, and vendors need to look across their entire environment to track threats accurately, Skinner said.
The company’s attack surface risk management tool capitalizes on Trend Micro’s endpoint presence, telemetry and visibility to provide organizations with a better understanding of the devices, endpoints and applications in their environment. Roughly half of attacks start with attackers exploiting unknown or misconfigured endpoints or servers, and ASM helps organizations get their environment in better shape.
“I think it’s really hard for an endpoint-only vendor in today’s landscape where they’re trying to plug into an endpoint base in the customer environment and then sit alongside a bunch of other security silos,” Skinner told ISMG. “I’m very comfortable with our huge focus on crossing silos and on synthesizing detections.”
Gartner criticized Trend Micro for having a large agent, a modest number of third-party integrations, a low market responsiveness score and limited adoption of its MDR tool. Skinner said the CPU and memory performance of its agent are on par with rivals even if its disk space utilization is a little higher, and the company has added more third-party XDR integrations and wants to get more customers on managed service deployments.
“For us, XDR is most powerful with the most important data sources – notably, endpoint, network, email and servers,” Skinner said. “Our first-party integration with those data sources goes way deeper than the third-party integrations that some of the other Magic Quadrant leaders have.”
Sophos Doubles Down on Detecting Attack Signals Sooner
Sophos has unveiled adaptive active adversary protection to detect signals indicative of an attack, which trigger an alert for an administrator and put a device into an isolated state, said Senior Vice President of Products Raja Patel. The company’s account health check makes it easier for customers to review and fix their best practices to ensure operating systems aren’t overrun with policy exceptions as time goes on.
Patel said the company has gone through an architectural evolution, reducing its agent footprint by 40% and its memory process by 30% to create a more lightweight tool for clients looking for just detection and response without prevention. Sophos has also integrated its zero trust network access module into its endpoint protection client to enable the tool on the device itself without more deployment needed (see: Sophos’ Kris Hagerman on Powering Cybersecurity as a Service).
“We’re the first endpoint security vendor to deliver MDR not only to support our products, but to be able to integrate with third-party products so we can meet a customer where they are,” Patel told ISMG. “The vast majority of our MDR business is with clients that decided to deploy our endpoint protection platform.”
Gartner criticized Sophos for having a conservative approach to marketing, not managing integrated third-party products and lacking on-premises and private cloud deployment options. Patel said Sophos focuses marketing efforts on channel partners, has rolled out SOC and MDR integrations, and eschews on-premises and private cloud since it doesn’t serve many manufacturing and government organizations.
“You’ll continue to see us not only innovate in the protection stack with the technology, but more and more around, ‘How do we manage that outcome?’ and ‘What do we do for customers on the detection and response side?'” Patel said.