Tuesday, December 16, 2014

Magic Quadrant for Intrusion Prevention Systems 2013



Market Overview

According to Gartner market research, the worldwide IPS market in 2012 for stand-alone appliances grew approximately 6.1% to $1.21 billion, whereas, overall, the network security equipment market grew by 7.7% (see "Market Share: Enterprise Network Security Equipment and Routers, Worldwide, 2012"). Data collected from vendors for this Magic Quadrant (independently from the market report we cited above) validates this range. Factors driving those estimates include the following:

  • The threat landscape is currently aggressive, but major IPS vendors were slow to address botnet and advanced targeted threats. Some spending that would have gone to IPS products instead went to advanced threat detection and network forensics products (see "Network Security Monitoring Tools for 'Lean Forward' Security Programs" and "Five Styles of Advanced Threat Defense").
  • NGFWs are negatively impacting the stand-alone IPS market as NGIPSs are absorbed into firewall refreshes and become part of NGFWs.
  • As market penetration advances, growth as a percentage will flatten.

Considering these factors, Gartner forecasts that the end-user total spending for the 2013 IPS market will grow by approximately 3.6% over 2012, and will reach approximately $1.25 billion.

As adjacent platforms continue to integrate better-quality IPS technology, growth in the stand-alone IPS market will continue to slow. By 2015, Gartner expects the stand-alone IPS market to show a slight decline, which will continue as more customers accept NGFWs with IPS incorporated. From 2012 to 2017, stand-alone IPS will have a compound annual growth rate of −2.6%.

NGIPS Is Real

IPS has had two primary performance drivers: the handling of network traffic at near-wire speeds, and the deep inspection of the traffic based on the signatures, rules and policy. The first generation of IPS was effectively a binary operation of "threat or no threat," based on signatures of known vulnerabilities. Rate shaping and quality of service were some of the first aspects that brought context to otherwise single-event views. As inspection depth has increased, digging deeper into the same silo of the traffic yields fewer benefits. This next generation of IPS applies fuller stack inspection, but also applies new sources of intelligence to existing techniques:

  • Correlation — relating events to one another, internal and external to the IPS
  • Context — bringing information to bear to better understand the observations
  • Content — classifying executables

These advances are discussed in detail in "Defining Next-Generation Network Intrusion Prevention." Best-of-breed NGIPS is still found in stand-alone appliances, rather than NGFW. However, the gap is closing as NGFW IPS quality increases rapidly, and as some IPS vendors move to introduce NGFW.


Market Consolidation Continues

In 2013, McAfee acquired Stonesoft, and Cisco acquired Sourcefire. Both of these acquiring vendors had their own IPS technologies before they made their purchases. Gartner believes both vendors will eventually (and necessarily) streamline their IPS portfolios to offer one stand-alone solution; however, they will be challenged to ensure that the innovations they acquired make it into the portfolios and are not sidelined. As the IPS market flattens its growth rate, we expect the strongest NGIPS providers to grow their market shares, driving weaker players from the market and leaving buyers with a stable set of vendors from which to choose.

More IPS Gets Absorbed by NGFW; However, the Stand-Alone IPS Market Will Persist

With the improvement in availability and quality of the IPS within NGFW, NGFW adoption reduces the need for network IPS in many enterprises. However, the stand-alone IPS market will persist to serve several scenarios:

  1. The incumbent firewall does not offer a viable NGFW option.
  2. Separation of the firewall and IPS is desired for organizational or operational reasons (for example, data center security).
  3. A best-of-breed IPS is desired, meaning a stand-alone NGIPS is required.
  4. Niche designs exist (as in certain internal segmentation scenarios) where IPS is desired, but without a firewall.


HP

HP is a large, global, broad-based IT and service vendor. It has retained the TippingPoint brand name from the hardware IPS product line, which now includes the NX NGIPS product line. This runs up to 20 Gbps of inspected throughput, and has IPS blades that run in HP networking switches (which are not evaluated here). The software version is the HP TippingPoint Secure Virtualization Framework. HP does not have its own secure Web gateway or secure email gateway products. HP introduced an NGFW in 3Q13, but has a very small market share.

Strengths
  • Customers continue to cite ease of installation as a positive in product evaluations, especially for deployments with many devices.
  • Customers cite good signature quality and painless weekly signature updates.
  • HP has strong channel support, and is carried by most midsize to large security channel players. Customers can benefit from HP's strong channel partner support.
  • The TippingPoint IPS products have a broad model range of purpose-built appliances, and are known for low latency and high throughput.
Cautions
  • While HP has released an NGFW, it has not articulated a strategy for addressing advanced targeted attacks beyond what it has in its NGIPS platform.
  • Gartner has observed HP's placement of TippingPoint as part of the larger Enterprise Security Products group in its Enterprise Software business unit (as opposed to the HP Networking business unit), thereby raising go-to-market and innovation concerns in selling to the network operations buying center.
  • HP tied as the company most often replaced by surveyed vendors.

McAfee

McAfee was a pure-play security vendor with a large product portfolio across network and desktop security, and has been a subsidiary of Intel since its acquisition in 2011. The McAfee Network Security Platform (NSP) is the stand-alone IPS model line, with single-appliance models that range from 100 Mbps to 40 Gbps of throughput. In addition, McAfee acquired Stonesoft in 2013, which provided another IPS product and an enterprise-ready NGFW. For the purposes of this Magic Quadrant, we are evaluating Stonesoft's technology separately as it transitions into McAfee's portfolio. McAfee also has IPS within the McAfee Firewall Enterprise; however, this is primarily legacy IPS from Secure Computing, and is not within the scope of this Magic Quadrant.

Strengths
  • Clients rate manageability and ease of use extremely well. McAfee's IPS console scores well in competitive selections and independent tests.
  • McAfee's mature NGIPS capabilities can make it attractive to enterprises that are using other McAfee security products.
  • The addition of Stonesoft NGFW will strengthen McAfee's network security posture. Gartner expects McAfee to layer Stonesoft's anti-evasion technology into the NSP platform.
  • McAfee is highly visible on Gartner client IPS shortlists, especially in government markets. It was the vendor listed most often in the survey to vendors regarding their greatest IPS competitor.
Cautions
  • Gartner anticipates that the Stonesoft acquisition may prove to be distracting as McAfee works to integrate a Northern European product team, build a new unified road map, and rationalize three different IPS products across its portfolio.
  • The McAfee brand is known more widely for desktop security offerings, and often isn't perceived by enterprises and channel partners as a strong network security provider.
  • McAfee did not have a virtualized software appliance version of the NSP IPS product until its limited-availability offering was announced in August 2013.

Sourcefire (Cisco)

Headquartered in Maryland, the former pure-play security vendor Sourcefire was acquired by Cisco earlier in 2013. Historically, IPS was its primary market, and Sourcefire was well-known for being the commercial manager of the Snort open-source security products. The Sourcefire IPS has appliance models that provide up to 40 Gbps of throughput. The FirePOWER hardware can be a transition to include NGFW capabilities for incumbent Sourcefire IPS customers. Sourcefire also sells the Advanced Malware Protection (AMP) portfolio, which contains its advanced threat defense capabilities, to its customer base.

Strengths
  • Sourcefire has leading NGIPS capabilities. It has also added network advanced targeted attack (ATA) detection with its FireAMP product, which can potentially add malware intelligence to the NGIPS.
  • The FirePOWER hardware platform scores well on client shortlists. The FireSIGHT management console scores well in competitive selections and independent tests. Sourcefire is highly visible on Gartner client IPS shortlists, especially in the government market.
  • Virtual IPS is available for the VMware, Red Hat KVM and Xen platforms.
  • Sourcefire IPS products are now available to Cisco's skilled sales force and dedicated partner ecosystem. Eventually, this will give Sourcefire customers and prospects the ability to gain pricing negotiation leverage within Cisco's overall enterprise contracts.
Cautions
  • Sourcefire may become distracted during the Cisco integration process, thereby diluting R&D and security research resources.
  • Legacy Sourcefire customers and potential prospects are worried about the future of the FirePOWER product lines. Cisco Sourcefire customers should demand explicit road maps that outline the future of the FirePOWER platform.


