New trends of endpoint protection

In the latest publication of Gartner’s annual marketing report, Magic Quadrant for Endpoint Protection Platforms, Kaspersky Lab is included into the ‘Leaders’ segment for the fifth consecutive year. It is very important for us that, regardless of the growing rate of security solution transformations and consequent changes to Gartner’s assessment criteria, we were able to preserve our position that we held last year.

No less important are “strengths” and “cautions” on our products that were mentioned by the analysts. This year they brought to light many advantages in Kaspersky Lab’s products and only a handful negatives (none of them could be considered a major drawback).

Moreover, the report serves as a perfect overview of the direction in which the security market will develop in the years to come.

What is the Quadrant?

Let’s start by explaining what the Gartner Magic Quadrant is and why it is important. First, it shouldn’t be viewed as another rating of security products. It is more of a tool that helps to choose which vendor fits organizations best for a particular business purpose. It is designed for CIO’s, decision makers, and IT-security specialists of the businesses.

If a company makes it into the Gartner Magic Quadrant, this fact alone proves it’s of value to the security industry as it offers compliant products which meet leading analysts’ requirements and excels in operations. Gartner evaluates companies against two key criteria: completeness of vision and ability to execute.  They’re then placed in four quadrants: Niche players, Visionaries (those who have vision of the market but are yet to bring their ideas to life), Challengers (they execute well in the operations but are seen as weak innovators) and Leaders (those having vision and bringing their breakthrough ideas to life). Of course, it matters where exactly a company is placed inside of each quadrant, but the general purpose of the Magic Quadrant is to show which segment a company belongs to.

Why is the Quadrant important?

A few years ago we conducted a survey to find out the key criteria large companies judge contestants against when choosing a security supplier. The survey showed that Gartner is perceived as the most trusted agency. Many enterprises make the short-list of suppliers by looking at the Leaders segment of the last Magic Quadrant report only.

Companies that did not make it to Gartner Magic Quadrant will find it extremely challenging to convince the prospect’s IT department to at least review their offer. Reliance on Magic Quadrant is especially characteristic of large enterprises that are after the most effective solutions, but want to minimize risk. For any company, presence in the Magic Quadrant, let alone in its Leaders segment, is a key requirement of effective B2B operations.

Where do they take the data?

It’s vital to understand that Gartner is not shaping the market, it solely tracks latest trends and shows the complete picture. The data is collected by means of standard procedures and comes from four sources:

1. A questionnaire, which is filled out by an applicant and includes information on technologies and the industry vision. At this stage, it’s totally unclear which criteria would be used to create this year’s quadrant.
2. A dedicated presentation in which a company overviews specific features of a product Gartner finds critical. As for Endpoint Protection Platforms, this feature is usually the management console. Analysts always ask follow-up questions, some of them very inquisitive.
3. Feedback from customers who use the company’s solutions. This data comes directly from clients, who are surveyed independently.
4. Third party requests to Gartner. If analysts do not sense general interest in the applicant’s products, there is not a good chance that the company is included into the Quadrant, let alone the Leaders section.

What are new trends?

Kaspersky Lab experts share the opinion that this year’s Quadrant is quite unconventional. As long as newer things become more important, Gartner analysts slightly changed their point of view on a worthy business-oriented endpoint security solution.

First, there is a visible shift in perception of EDR (Endpoint Detection and Response) importance. Second, analysts have changed their opinion on companies who advocate refusal of the “signature” detection methods.

As for EDR, our experts agree that these are crucial for resilient IT-infrastructure control systems and consider EDR one of the key trends in the domain of unknown threats detection. The technology itself is not new, and the term emerged in 2014. Gartner formulates three main requirements for the EDR solutions. They should make it possible to:

• Enable low-level visualization of all processes that are taking place on the endpoint, with the ability to build a retrospective map of those processes
• Allow to detect anomalies, incidents and new threats
• Gather data on detected threat’s behavior, form map of its expansion, conduct investigation of the incident and effectively eradicate the threat.

The last report shows that it is likely that the lack of EDR will be viewed by the Gartner’s analysts as a major drawback for the solutions that provide advanced threat detection in the nearest future. And this position is absolutely in line with our corporate vision and the product development strategy.

The second change in Gartner’s approach is even more interesting. Before, Gartner advocated the idea that signature-based antivirus engine is a basic technology which is a prerequisite of efficient multi-layer protection. This year, their view is somewhat dualistic. On the one hand, the ‘good malware detection capabilities’ criterion is still there, but on the other hand, some vendors who defy the necessity of analyzing malware were also in Gartner’s good books this year.

Our experts think that the choice of a single-technology security system over basic technology is an interesting, yet unproven concept. Unless the effectiveness of this method is proven by systematic tests, the approach cannot yet be viewed as viable in real-life scenarios. We think that Gartner’s approval of companies who pursue this concept is meant to motivate the industry to develop new, non-signature based methods.

We are assured that single-technology protection cannot be efficient enough on its own. In today’s threat landscape, attacks are increasingly multi-vectored, cybercriminals use various tactics and methods of penetration (via e-mail, external storages, software vulnerabilities, etc.), and various technologies for infection and protection avoidance (usage of the stolen digital signatures, obfuscation methods, or usage of “bodiless” malware). Thus the need for multi-layer security systems that combines various methods and technologies is paramount. Adversaries waste no time in searching for security bypass methods and when a security solution relies on a single method (however efficient and resilient it might be) the risks of compromise multiply.

If a security technology is new to the market, it predictably demonstrates better results, but as it becomes more ubiquitous, cybercriminals apply more effort in hacking it. Sooner or later, they will find a bypass method. This is why a multi-layer security approach is beneficial: several technologies back each other up, thus minimizing chances that adversaries will penetrate the defenses.

In other words, we are yet to see whether single-technology solutions prove their worth in real-life scenarios and independent tests. It is not unlikely that sooner or later their creators will understand the necessity of the multi-layered approach, raising a lot of bumps in the process. And not only to themselves, but to their first clients also. At this moment, our experts see this approach as inferior to multi-layer security systems, and can create significant problems for the end-users.