Palo Alto, Versa, Cisco Lead First-Ever SASE Tech Evaluation
Governance & Risk Management , Next-Generation Technologies & Secure Development , SASE
KuppingerCole Report Taps Broad Security Platforms, Pure-Play SD-WAN, SSE Vendors Michael Novinson (MichaelNovinson) • March 6, 2023
Secure access service edge is an emerging cybersecurity approach first outlined by Gartner in 2019, but since then, debate has raged about whether it’s better to rely on a single SASE vendor or integrate products from multiple vendors.
KuppingerCole just released the first-ever vendor evaluation of the SASE market, and topping the list were platform players such as Cisco and Palo Alto Networks, as well as pure-play vendors Lookout and Versa Networks.
See Also: OnDemand | Navigating the Difficulties of Patching OT
“You have to have a certain amount of longevity and weight in the market to really get into SASE,” KuppingerCole Director of Cybersecurity Research John Tolbert tells Information Security Media Group. “It’s not something that’s easy to launch right into. I don’t think the number of vendors in the field is as large as some of the other areas of security and identity.”
Versa Networks edged out Palo Alto Networks for the gold in product leadership, and Cisco was a distant third, KuppingerCole said in its new Leadership Compass. Palo Alto Networks dominated from an innovation perspective, and Versa Networks and Cisco were a distant second and third, respectively, KuppingerCole said. And in the market leadership category, Palo Alto took gold, Check Point Software took silver and Cisco took bronze.
Broadcom, Cisco, Palo Alto and Zscaler are the market share leaders in SASE, capturing 50% of what’s expected to be an $8 billion market in 2023, research group Dell’Oro Group found. Broadcom, Cisco and Zscaler account for 60% of worldwide security service edge revenue, while Fortinet, Cisco and VMware captured 50% of global sales in the SD-WAN market, Dell’Oro Group found (see: Fortinet, VMware, Cisco Drive SD-WAN Gartner Magic Quadrant).
“The long-term trend is to be able to offer as much from a single platform as possible,” Tolbert says. “I see this in a lot of other network and security areas where there’s a desire from the vendor perspective to try to be able to provide all the capabilities within their product portfolios.”
Gartner evaluated the SD-WAN and SASE markets separately in 2022 Magic Quadrants, but no analyst firm aside from KuppingerCole has ranked vendors across all of SASE. Cisco and Palo Alto Networks performed the strongest across both Magic Quadrants and were recognized by Gartner as leaders in SD-WAN and challengers in SSE, while Versa was recognized as a leader in SD-WAN and niche player in SSE.
Gartner named Lookout as a visionary in SSE but didn’t list the company in the SD-WAN Magic Quadrant. Cloudflare received an honorable mention from Gartner in SSE but wasn’t listed in the SD-WAN Magic Quadrant, while Check Point Software wasn’t featured by Gartner in either the SD-WAN or SSE Magic Quadrants.
“You have to have a certain amount of longevity and weight in the market to really get into SASE.”
– John Tolbert, director of cybersecurity research, KuppingerCole
In the coming year, Tolbert expects to see SASE vendors focus more on endpoint security and endpoint management given the extent to which bring-your-own-device policies have reduced corporate control over the endpoint. Organizations would benefit from knowing which machines connect to their network and what their patch levels are rather than relying on users to defend their own devices from malware.
“It’s definitely possible there will be some brand-new entrants into the SASE market,” Tolbert says. “But I expect to see more lateral movement from other vendors in the security space partnering up with networking providers and offering SASE that way.”
Outside of the top six, here’s how KuppingerCole sees the SASE market:
- Challenger: Cato Networks, Aryaka Networks, Ericom Software, Open Systems
- Vendors to Watch: Fortinet, Juniper Networks, Perimeter 81, Systancia, VMware, Zscaler
Fortinet, Juniper Networks, VMware and Zscaler were unable to participate in the KuppingerCole report, and Perimeter 81 and Systancia didn’t fully fit the market definition for SASE. Gartner named Fortinet and VMware as leaders in SD-WAN and Juniper as a challenger, but none made the SSE Magic Quadrant. Zscaler was recognized by Gartner as a leader in SSE but didn’t crack Gartner’s SD-WAN Magic Quadrant.
How the SASE Leaders Climbed Their Way to the Top
|Check Point Software||Avanan||$227M||September 2021|
|Check Point Software||Odo Security||Not Disclosed||September 2020|
|Check Point Software||Protego Labs||Not Disclosed||December 2019|
|Check Point Software||ForceNock||Not Disclosed||January 2019|
|Check Point Software||Dome9 Security||$175M||October 2018|
|Cisco Systems||Valtix||Not Disclosed||February 2023|
|Cisco Systems||Viptela||$610M||August 2017|
|Cisco Systems||Meraki||$1.2B||December 2012|
|Cloudflare||S2 Systems||$17.7M||January 2020|
|Lookout||CipherCloud||Not Disclosed||March 2021|
|Palo Alto Networks||CloudGenix||$402.7M||April 2020|
|Palo Alto Networks||Twistlock||$378.1M||July 2019|
|Palo Alto Networks||PureSec||$36.8M||June 2019|
|Palo Alto Networks||RedLock||$158.2M||October 2018|
|Palo Alto Networks||Evident.io||$292.9M||March 2018|
Palo Alto Networks Uses AI, ML to Thwart Machine Attacks
Palo Alto Networks’ new zero trust network access tool embraces continuous trust verification, meaning trust is revoked if device posture or user or application behavior changes during a session, says Kumar Ramachandran, senior vice president for SASE products. The firm’s SaaS security posture management tool supports more apps than rivals and automatically corrects incorrect security principles and policies.
The company has incorporated advanced URL filtering into its core SSE offering, using in-line machine learning rather than just a URL database to thwart zero-day threats and highly evasive machine attacks, Ramachandran says. Palo Alto Networks has also made huge investments around autonomous digital experience management to address home internet issues leading to latency during videoconferencing (see: Palo Alto’s Biggest Bets Around AppSec, SecOps, SASE & Cloud).
“Any data science starts with data, but to deliver great outcomes with data science, you have to solve for the three Cs of data: complete, correct and consistent,” Ramachandran tells ISMG. “Because we deliver all parts of SASE, we’ve been delivering incredible outcomes for users around AI and ML.”
KuppingerCole criticized Palo Alto Networks for a complex subscription model, lack of built-in remote browser isolation, and a lack of bundling with Cortex XDR. Ramachandran says Palo Alto Networks has released a subscription model that allows SD-WAN to be purchased like SSE and focused on partnering with industry-leading remote browser firms, but it hasn’t heard much demand for bundling Cortex XDR.
“You can now buy bandwidth allocated across all your branches in a very fluid and flexible manner,” Ramachandran says. “It turns out that nobody else in the industry does this right now. So we’ve been able to turn something that may have been a little complex to understand into an opportunity and strength for us.”
Versa Networks Strengthens Anomaly Detection, Automation
Versa Networks has doubled down on AIOps to streamline anomaly detection and correlation so that organizations don’t have to address the same alarm from dozens of different sites, says CEO Kelly Ahuja. The company now uses natural language processing to contact an internet service provider about websites that are down and to correlate information to determine if a DDoS attack is coming into the network, he says.
The company has also focused on anomaly detection for networks, users and applications to address use cases such as dramatic changes in user location or a malware-infected device reaching out to a rogue website, Ahuja says. By automating detection and policy enforcement and restricting user access when suspicious activity occurs, Versa hopes to accelerate mean time to detection and mean time to response (see: Versa Networks Raises $120M to Boost Cloud, Campus Products).
“Many of the other players in the market have actually gotten into the space by acquiring companies or building separate products,” Ahuja tells ISMG. “But the way they’ve actually built it is separate products that aren’t really integrated together. We’ve organically built a set of functions within this platform. It has a serious effect on how simple it is to configure things and how easy it is to operate.”
KuppingerCole criticized Versa Networks for a lack of network partnerships, limited IT service management connectors and an inability to quarantine email clients through remote browser isolation. Ahuja says Versa has the market’s most advanced open API and integration platform and hopes to do some innovation with its remote browser isolation offering as it gains more traction with customers.
“Our approach is different than most of the others because it’s a platform-based approach and not a portfolio-based approach,” Ahuja tells ISMG. “And we’ve organically built all of these capabilities. And we can check the boxes on all the key things that customers are looking for.”
Cisco Streamlines SASE Management for SMBs, Large Enterprises
Cisco has focused on streamlining policies for certain buying and operating personas, allowing SMB and commercial customers to build networking constructs and security policies from one console, says Cisco Security Chief Product Officer Raj Chopra. Defining networking and security policies on one console simplifies setup, allows for more automation and orchestration, and leaves little room for human error.
On the enterprise side, Chopra says, Cisco allows customers to easily stitch SD-WAN and SWG together, meaning clients can take segmented traffic from retail or business apps and abstract it with traffic that’s going to the internet or SaaS apps. Combining network and endpoint telemetry while preserving segmentation enables Cisco to quickly isolate threats and eliminate lateral movement, Chopra says (see: Jeetu Patel on Having a Consistent Design at Cisco Security).
“We have all of the capabilities at scale for running in complex environments today,” Chopra tells ISMG. “It’s not something we’re aspiring to do in the future. So our differentiation comes from that end-to-end architecture for all customers from the smallest to the largest and most complex.”
KuppingerCole criticized Cisco for selling secure endpoint separately, having limited enforcement actions with DLP and CASB, a lack of integration with data access governance and a lack of file encryption at the endpoint and key management in the cloud. Cisco added DLP assets to CASB and established perimeters for CASB enforcement in late 2022, and it expects to debut more enhancements in the coming quarter.
“I and my team of literally thousands of engineers are focused on not just parity, but how we are going a make a step-up difference for our customers,” Chopra says. “We’re focused on adding value for customers.”
Check Point Steps Up Branch, Application Protection
Check Point Software has emphasized building a SASE tool that’s comprehensive enough to cover the branches since hackers can use VPN or business applications to move laterally from the branch to an organization’s crown jewels, says Vice President of Product Management Eyal Manor. Customers need either a security appliance that fits at the perimeter or firewall-as-a-service capabilities to address this, he says.
Organizations must also protect access and data going to cloud and SaaS applications and ensure rogue or malicious data hasn’t been downloaded by facilitating more information sharing among telemetry points, Manor says. Check Point has rolled out API-based features to prevent the download of malicious files as well as faster connectivity and enhanced compliance requirements for internet access, he says (see: Check Point Finally Enters SD-WAN Space With Organic Product).
“At the end of the day, we’re comparing ourselves and customers are comparing us based on how we can prevent threats,” Manor tells ISMG. “They’re asking for less detections and less alerts and less false positives. They want to understand what threats are being prevented in real time. And we are doing that better than everybody else.”
KuppingerCole chided Check Point for not performing user and behavior analysis, having separate SASE and endpoint security agents, and not supporting an attribute-based access control model. Manor says Check Point plans to introduce UBA as part of its XDR platform, doesn’t see lack of ABAC support as an obstacle to adoption, and plans to offer SASE and endpoint security from a single agent by late 2023.
“Just having the ability to offer our customers SASE and endpoint is already a strong advantage for us to be able to protect customers from the greater attack surface,” Manor says. “Most SASE companies do not have endpoint solutions, EDR or XDR. They’re dealing with internet access and remote access.”
Lookout’s Split-Tunnel Architecture Streamlines Traffic
Lookout’s unified agent allows the company to deliver data and access security from a single endpoint agent, allowing public traffic to go to the nearest internet access point and private traffic to go to the closest application access point, says Chief Technology Officer Sundaram Lakshmanan. The split-tunnel architecture reduces the number of times traffic has to hop, resulting in better productivity, he says.
The company late last year augmented its secure web gateway with firewall as a service that focuses on microsegmentation and applications, rather than the data center or the enterprise network, Lakshmanan says. Unlike legacy firewalls that focus only on users, Lakshmanan says Lookout incorporates context around IP risk, user risk and device risk and has integrated its data security tools for private app access (see: Why Lookout Was Named A Security Service Edge (SSE) Visionary).
“While everybody has the same plumbing going, we have the intelligence on top of the plumbing to tell you the difference,” Lakshmanan tells ISMG. “Our core strength is in data security, understanding data with our powerful DLP and powerful integrations with Titus and Microsoft-type technologies.”
KuppingerCole criticized Lookout for having limited endpoint agents and lacking next-generation firewalls, virtualized or containerized gateways, and traffic acceleration. Lookout does some traffic acceleration, though the company is more focused on optimization to reduce latency, Lakshmanan says. He added that customers almost never ask Lookout for appliances since it’s a very legacy architecture.
“We are a new-generation vendor, and we don’t have the same limitations,” Lakshmanan says. “For the enterprises that we are talking to, it has not become a limitation. Otherwise, we would have addressed it.”
Cloudflare Strengthens Data Control, Traffic Configurability
Cloudflare has strengthened its data control capabilities through the acquisition of Vectrix, which has allowed the company to conduct data scanning on files in transit, says Vice President of Product Sam Rhea. Determining APIs across SaaS applications such as Salesforce, Microsoft 365 and Google’s G Suite can be incredibly tedious, and Rhea says Cloudflare delivers protection while minimizing false positives.
The company historically abstracted networking away from customers to maximize performance, security and availability, but recently it has given clients the ability to control and configure their network. Organizations increasingly want more control over how traffic flows into and out of their network, and Rhea says Cloudflare now allows control to configure which IP ranges and geographies traffic flows into (see: Cloudflare One Brings Email Security, DLP, CASB Together).
“This is our network. This is metal that we control where we can run any service anywhere, and we do,” Rhea tells ISMG. “That gives us the opportunity to deliver both security and connectivity features closer to the user wherever the enterprise operates. And that’s been a real advantage.”
KuppingerCole criticized Cloudflare for lacking sandboxing, encrypted traffic analysis, user and behavior analysis, agent-based data loss prevention and direct support for end users. Cloudflare used to abstract UBA away but now has bot management tools, plans to introduce sandboxing, and has a digital experience monitoring suite in beta that will help customers reduce help desk tickets and IT management.
“A lot of customers want to understand more about the nature of their connection to Cloudflare and to the internet,” Rhea says. “So we’re bringing a full digital experience monitoring suite to our SASE platform.”