
Magic Quadrant for Intrusion Prevention Systems
16 November 2015 ID: G00271823
Analyst(s): Craig Lawson, Adam Hils, Claudio Neiva

VIEW SUMMARY
The network IPS market continues being absorbed by next-generation firewall placements at the perimeter. Next-generation IPSs offer the best protection and are responding to pressure coming from the uptake of advanced threat defense solutions and the requirement to provide cloud placements.

Market Definition/Description
The network intrusion prevention system (IPS) appliance market is composed of stand-alone physical and virtual appliances that inspect defined network traffic either on-premises or in the cloud. They are often located in the network to inspect traffic that has passed through perimeter security devices, such as firewalls, secure Web gateways and secure email gateways. While intrusion detection systems (IDSs) are still often used for certain use cases, most IPS devices are deployed in-line and perform full-stream reassembly of network traffic. They provide detection via several methods, for example, signatures, protocol anomaly detection, behavioral monitoring or heuristics, advanced threat defense (ATD) integration, and threat intelligence (TI). When deployed in-line, IPSs can also use various techniques to detect and block attacks that are identified with high confidence; this is one of the primary benefits of this technology. The capabilities of leading IPS products have adapted to changing threats, and next-generation IPSs (NGIPSs) have evolved incrementally in response to advanced targeted threats that can evade first-generation IPSs (see "Defining Next-Generation Network Intrusion Prevention").

This Magic Quadrant focuses on the market for stand-alone IPS appliances; however, IPS/IDS capabilities are also delivered as functionality in other network security products. Network IPSs are provided within a next-generation firewall (NGFW), which is the evolution of enterprise-class network firewalls, and include application awareness and policy control, as well as the integration of network IPSs (see "Magic Quadrant for Enterprise Network Firewalls"). IPS capability is available in unified threat management (UTM) "all-in-one" products that are used by small or midsize businesses (see "Magic Quadrant for Unified Threat Management"). We have also begun to see basic IPS functionality provided by a small number of network ATD prevention vendors. Gartner observes that the maturity of IPS modules embedded with ATD solutions has yet to be proven.

So while the stand-alone IPS market is slowly shrinking, the technology itself is more widely deployed than ever before on various platforms and in multiple form factors. The technology is increasingly ubiquitous.

In addition, some vendors offer IPS and IDS functionality in the public cloud in order to provide controls closer to the workloads that reside there. Gartner is tracking the growth of these deployments carefully, and will monitor their efficacy.

Stand-alone IPS is deployed for the following use cases:
- When the staff managing the IPS does not manage the firewalls
- When best-of-breed protection is required or preferred
- As an IDS on parts of the internal network
- When high-performance IPS throughput is required
- To provide network segmentation on parts of the internal network

Magic Quadrant
Figure 1. Magic Quadrant for Intrusion Prevention Systems

STRATEGIC PLANNING ASSUMPTIONS
- Today, 40% of enterprises have implemented stand-alone IPSs. By year-end 2017, this will decline to 30% due to increased adoption of next-generation firewalls with an embedded IPS capability.
- Less than 35% of Internet connections today are secured using NGFWs. By year-end 2018, this will rise to at least 85% of the installed base, with 90% of new enterprise edge purchases being NGFWs.
- In 2018, 10% of new stand-alone IPS placements will be in a public or private cloud.

EVIDENCE
Gartner used the following input to develop this Magic Quadrant:
- Results, observations and selections of IPSs, as reported via multiple analyst inquiries with Gartner clients
- A formal survey of IPS vendors
- Formal surveys of end-user references
- Gartner IPS market research data
- OASIS taking over the development of the STIX/TAXII standard: "OASIS Advances Automated Cyber Threat Intelligence Sharing With STIX, TAXII, CybOX," OASIS Open, 16 July 2015.
- Details on STIX (http://stix.mitre.org/) and TAXII (http://taxii.mitre.org/)
- Wins Common Criteria: "Wins Technet Sniper IPS V5.0 E2000 Certification Report" and Common Criteria: Certified Products
- HP divests the TippingPoint division to Trend Micro: "Trend Micro Acquires HP TippingPoint, Establishing Game-Changing Network Defense Solution," Trend Micro, 21 October 2015.
- Intel Security divests its firewall products: S. Kuranda, "Intel Security to Sell McAfee NGFW, Firewall Enterprise Businesses to Raytheon/Websense," CRN, 27 October 2015.

EVALUATION CRITERIA DEFINITIONS
Ability to Execute
Product/Service: Core goods and services offered by the vendor for the defined market. This includes current product/service capabilities, quality, feature sets, skills and so on, whether offered natively or through OEM agreements/partnerships as defined in the market definition and detailed in the subcriteria.
Overall Viability: Viability includes an assessment of the overall organization's financial health, the financial and practical success of the business unit, and the likelihood that the individual business unit will continue investing in the product, will continue offering the product and will advance the state of the art within the organization's portfolio of products.
Sales Execution/Pricing: The vendor's capabilities in all presales activities and the structure that supports them. This includes deal management, pricing and negotiation, presales support, and the overall effectiveness of the sales channel.
Market Responsiveness/Record: Ability to respond, change direction, be flexible and achieve competitive success as opportunities develop, competitors act, customer needs evolve and market dynamics change. This criterion also considers the vendor's history of responsiveness.
Marketing Execution: The clarity, quality, creativity and efficacy of programs designed to deliver the organization's message to influence the market, promote the brand and business, increase awareness of the products, and establish a positive identification with the product/brand and organization in the minds of buyers. This "mind share" can be driven by a combination of publicity, promotional initiatives, thought leadership, word of mouth and sales activities.
Customer Experience: Relationships, products and services/programs that enable clients to be successful with the products evaluated. Specifically, this includes the ways customers receive technical support or account support. This can also include ancillary tools, customer support programs (and the quality thereof), availability of user groups, service-level agreements and so on.
Operations: The ability of the organization to meet its goals and commitments. Factors include the quality of the organizational structure, including skills, experiences, programs, systems and other vehicles that enable the organization to operate effectively and efficiently on an ongoing basis.

Completeness of Vision
Market Understanding: Ability of the vendor to understand buyers' wants and needs and to translate those into products and services. Vendors that show the highest degree of vision listen to and understand buyers' wants and needs, and can shape or enhance those with their added vision.
Marketing Strategy: A clear, differentiated set of messages consistently communicated throughout the organization and externalized through the website, advertising, customer programs and positioning statements.
Sales Strategy: The strategy for selling products that uses the appropriate network of direct and indirect sales, marketing, service, and communication affiliates that extend the scope and depth of market reach, skills, expertise, technologies, services and the customer base.
Offering (Product) Strategy: The vendor's approach to product development and delivery that emphasizes differentiation, functionality, methodology and feature sets as they map to current and future requirements.
Business Model: The soundness and logic of the vendor's underlying business proposition.
Vertical/Industry Strategy: The vendor's strategy to direct resources, skills and offerings to meet the specific needs of individual market segments, including vertical markets.
Innovation: Direct, related, complementary and synergistic layouts of resources, expertise or capital for investment, consolidation, defensive or pre-emptive purposes.
Geographic Strategy: The vendor's strategy to direct resources, skills and offerings to meet the specific needs of geographies outside the "home" or native geography, either directly or through partners, channels and subsidiaries as appropriate for that geography and market.

Source: Gartner (November 2015)

Vendor Strengths and Cautions
Cisco
Cisco, which is headquartered in San Jose, California, has a broad security product portfolio and has had IPS offerings for many years. In 2013, Cisco acquired Sourcefire. Cisco has now completed the transition to make the Sourcefire IPS its sole IPS engine. Cisco has executed on its end-of-sale plan for the non-Sourcefire IPS appliances, in keeping with the transition. The Sourcefire line currently does not share a management console with other Cisco security products.

Cisco has IPSs available under the FirePOWER brand in the 7000 and 8000 Series Appliances, and a virtual appliance (NGIPSv). The top model runs up to 60 Gbps of inspected throughput. The same IPS is available in the Cisco Adaptive Security Appliance (ASA), labeled as "with FirePOWER Services." Additionally, the software-based IPS within the Cisco Internetwork Operating System (IOS)-based routers and Integrated Services Routers (ISRs) is also capable of using the Sourcefire IPS engine. Cisco has a phased plan aimed at introducing FirePOWER services across its Integrated Services Router (ISR) platforms. The Meraki platform also runs the Snort engine.

Cisco is evaluated as a Leader because of its ability to lead the market with new features based on the former Sourcefire products, and because it has the highest visibility in Gartner client shortlists for IPSs.

Strengths
- Cisco's adoption of the Sourcefire technology as its standard IPS greatly improves the quality of Cisco's IPS offering and preserves market-leading IPS capability. The combined lab teams provide a large vulnerability and signature research capability. Gartner assesses the acquisition as having been successful.
- Cisco has wide international support, an extremely strong channel and the broadest geographic coverage. Enterprises that already have a significant investment in Cisco security products, or that use Cisco Security Manager (CSM), often consider Cisco IPSs as a possible solution.
- The Advanced Malware Protection (AMP) products provide a quicker path to adding advanced threat capabilities to IPSs for Cisco than previous roadmaps. It is also now competing well against stand-alone and established advanced persistent threat (APT) solution vendors.
- Cisco has a large market share for specialized IPS appliances, providing a rich collection medium for observing threats in the wild.

Cautions
- Current Cisco IPS clients looking to transition to newer products can do so, provided they accommodate having to use a different console. This limits the advantages of incumbent Cisco customers. Gartner believes a unified console will be available by mid-2016.
- Gartner recommends that negotiations include a discussion on extensive discounting or inclusion of the console where the current Cisco security management products are already in place, considering that the dual console adoption will likely be temporary.
- Some clients have referred to performance impacts when enabling AMP for Networks services on existing sensors.

Hewlett Packard Enterprise
Based in Palo Alto, California, Hewlett Packard Enterprise (HPE) is a large, global, broad-based IT and service vendor that has now completed its split from HP. On 21 October 2015, HPE announced that it is divesting the TippingPoint division to Trend Micro. The Enterprise Security Products (HPE ESP) group is where the TippingPoint business resides until the divestiture becomes final. HPE ESP is already a Trend Micro partner, packaging its Deep Discovery advanced threat software on an HPE appliance under the name TippingPoint Advanced Threat Appliance. HPE ESP has announced its intention to continue to partner with Trend Micro after the divestiture becomes final, to help serve its customers' network security needs.

The top IPS model only runs up to 20 Gbps of inspected throughput, and has IPS blades that run in HPE networking switches (which are not evaluated here). The TippingPoint IPS is also delivered in its enterprise firewall, first released in 3Q13, using an Intel-based platform. This is a move away from the traditional network processing unit (NPU) architecture used for a decade. This move from custom to more commodity Intel CPUs is also working its way through the IPS line. IPS content updates are provided through TippingPoint's Digital Vaccine Labs (DVLabs) filters. The DVLabs team runs the Zero Day Initiative (ZDI) program, which continues to be an excellent source of vulnerability information for TippingPoint products, while also supporting independent vulnerability researchers.

We expect the move of TippingPoint to Trend Micro to be an overall net positive for TippingPoint customers, as their IPS platforms will gain natively integrated advanced threat capabilities, a significantly larger channel with more expertise in selling security and access to Trend Micro's significant research resources. Trend Micro will enter the IPS market with a competitive solution.

TippingPoint is assessed as a Challenger because HPE has not executed well operationally or on its roadmap with TippingPoint. It also has not yet positioned its IPS within a coherent overall network security story within the greater HPE, and has now divested it to Trend Micro.

Strengths
- Customers describe easy, confident deployment of this IPS in blocking mode.
- Customers cite high-quality, timely malware detection and filter updates.
- Customer support earns high marks with customers. Support percentage is based on sales price, not list price, providing potential support savings for customers.
- The ability to integrate third-party vulnerability scanning data to speed up IPS policy workflow and the ThreatLinQ user portal for policy assistance are well regarded.
- The SMS management console now has the ability to take and explore flow data from managed IPSs, giving users better visibility into the network.
- The divestiture of TippingPoint will be a net positive, for this business is going to a security-focused company with a large reseller channel with no overlap in their existing product sets.

Cautions
- TippingPoint has taken the OEM and third-party integration route with its advanced threat offering, relying on multiple third parties.
- HP lacked a strong network security channel, leaving some customers without the option for strong value-added reseller (VAR)-provided technical support. We expect Trend Micro will further build out its network security channel, providing TippingPoint customers with stronger channel support in the midterm.
- The highest-throughput TippingPoint IPS appliance has 20 Gbps throughput, which makes it one of the lowest-throughput high-end boxes. This disqualifies TippingPoint for some specific high-throughput use cases.
- The Trend Micro acquisition will be a big shift for TippingPoint staff and may cause the IPS roadmap to change.

Huawei
Headquartered in Shenzhen, China, Huawei, with a core strength in networking, offers a range of network security controls, including IPS, firewall and distributed denial of service (DDoS) mitigation appliances. Huawei introduced its IPS product line, called Network Intelligent Protection (NIP) System, in 2004. NIP includes eight physical appliances, ranging from 800 Mbps to 15 Gbps. Huawei's IPS currently does not come in the form of a virtual appliance, though this is expected to change. Secure Sockets Layer (SSL) decryption for visibility and threat intelligence (reputation)-based blocking is supported.

Huawei is evaluated as a Niche Player because it operates mainly in one country or within the existing Huawei client base, addressing a specific segment of the IPS market.

Strengths
- Customers like the NIP Manager interface, especially the ease of installation and policy templates.
- Huawei has a strong presence among Chinese midsize organizations looking for cost-effective IPS solutions.
- Users report good performance in the production environment, which is in line with the vendor's marketing material.

Cautions
- Despite a large channel in EMEA, Huawei does not often appear in shortlists outside of China. Potential customers from other regions should first check local channel experience with NIP.
- Huawei's IPS offers a lower number of IPS signatures and categories compared with leading vendors. While generic approaches are a good reason for a low number of signatures, this could translate into less flexibility and a coverage gap for clients.
- Huawei has undertaken significant steps in the past to address concerns about relying on technology developed in China; however, for many prospective customers in the U.S., those concerns remain.
- Huawei does not have embedded or cloud-based advanced threat detection, and sandbox options are not available.

IBM
IBM, headquartered in Armonk, New York, has the IBM Security Network Protection XGS and Network Intrusion Prevention System GX products positioned within a recently unified product and services division. The division is headed by the former Q1 Labs CEO. This approach of a single security group for all IBM security products and services is a significant development, and it will improve IBM's focus and competitiveness. The Network IPS products have seen a substantial update with the newer XGS range (with four models), alongside nine models of appliances within the heritage GX Series (which is in the process of being replaced by the XGS range), with inspected throughput ranging from 800 Mbps to 25 Gbps. IBM now has the XGS 3100, 4100, 5100 and 7100, which incorporate NGIPS capabilities at up to 25 Gbps of inspected throughput. The virtual network security platform is available as a VMware virtual appliance and is now based on the XGS product line. IBM does not have its own firewall yet, but is moving to implement basic routing and NAT functionality in the XGS, allowing it to be used for additional deployment use cases, such as data center segmentation and cloud (infrastructure as a service [IaaS]) deployment scenarios.

IBM is rated as a Leader because it has solid NGIPS features and executes well in making integrated security sales in the IBM customer base.

Strengths
- IBM's Protocol Analysis Module (PAM) IPS engine is still leading the market in its ability to provide low false positives and protection for entire classes of vulnerabilities, with the smallest number of signatures in the market.
- Customers often buy IBM IPS in conjunction with QRadar security information and event management (SIEM) to achieve deeper levels of security intelligence integration.
- IBM has a wide sales and distribution network, and customers with a strong IBM relationship are generally pleased with the IPS support they receive.
- Clients have remarked on IBM's thorough reporting, event metadata and rich level of security event detail for event-level drill-down.

Cautions
- IBM IPS's presence on the IPS shortlists of Gartner customers has not been comparable to other Leaders. Many Gartner clients do not perceive IBM as a strategic supplier of network security products.
- IBM's highest-throughput IPS appliance has 25 Gbps throughput, which makes it one of the lowest-throughput high-end boxes. This disqualifies IBM for some specific high-throughput use cases.
- IBM does not have an NGFW offering, which causes customers to migrate to perimeter NGFW offerings from other vendors that can offer a more comprehensive product set.
- IBM does not have its own ATD solution and relies on an OEM and other third-party integration opportunities.
- The centralized management solution (SiteProtector) has not had a credible update for some time, and it is deemed uncompetitive in comparison with other Leaders' tools.

Intel Security (McAfee)
Santa Clara, California-based McAfee, now part of Intel Security, is a large security vendor with a significant product portfolio across network, server, content, SIEM, vulnerability assessment and endpoint security. The McAfee Network Security Platform (NSP) is the stand-alone IPS model line, with appliance models that range from 100 Mbps to 40 Gbps of throughput. In addition, Intel Security (McAfee) acquired Stonesoft in 2013, which provided another IPS product and an enterprise-ready NGFW. Presently, Intel Security is selling the Stonesoft IPS only as a component in the NGFW, so only the NSP is evaluated in this research. Intel Security also has an IPS within the McAfee Firewall Enterprise. However, this is primarily a legacy IPS from Secure Computing, and is not within the scope of this Magic Quadrant. Intel Security offers three virtual VM IPS models. Intel now has transitioned most of its product line to Intel CPU-based technology and has been aggressively executing on its roadmap.

Intel Security (McAfee) is evaluated as a Leader because of its continued presence on customer shortlists and its feature leadership.

Strengths
- Clients rate manageability and ease of use extremely well, and the IPS console scores well in competitive selections and independent tests.
- Customers cite Intel Security's thorough integration with other Intel Security products, including Advanced Threat Defense (ATD) and the Threat Intelligence Exchange (TIE), as a strong positive.
- In organizations concerned with false positive rates coming from heavy use of signatures, Intel Security's multiple signatureless inspection techniques give it an advantage over more signature-based IPS technologies.
- Intel Security is highly visible on Gartner client IPS shortlists, especially in government markets. According to the Magic Quadrant vendor survey, Intel Security is regarded as a leading competitor by a majority of its rivals.

Cautions
- The necessity of deploying different management platforms for the IPS (Network Security Manager) and the NGFW (Network Security Management Center) for mixed deployments causes some customers to consider other vendors as they transition to NGFWs. Moreover, Intel Security has yet to unify the IPS function into a single code base.
- The Intel Security and McAfee brands are known more broadly for desktop security offerings, and often are not perceived by enterprises and channel partners as a strong network security provider. Now that McAfee has been rebranded as Intel Security, it is less likely to be perceived as a network security brand in the market.
- Some reference customers reported that customer service needs improvement.
- Intel Security's announced move to divest its multiple network firewall products (to Raytheon, announced in late October 2015), while keeping the IPS product line, makes the IPS range vulnerable to combined firewall-plus-IPS replacements from vendors such as Cisco, and dilutes Intel Security's overall network security brand.

NSFOCUS
NSFOCUS is headquartered in Beijing, China. NSFOCUS today is a large regional security vendor for Asia. It is expanding globally, and offers DDoS mitigation (called Anti-DDoS System, or ADS), secure Web gateway (called Web Vulnerability Scanning System, or WVSS), Web application firewall (WAF) and vulnerability management (called Remote Security Assessment System, or RSAS). It also offers MSS on a number of its products. Its IPS was released in 2005. The NSFOCUS IPS (NIPS) has a large range of appliances of 12 models, ranging from 100 Mbps to 20 Gbps of throughput, and a virtual appliance. NSFOCUS' IPS includes sandboxing capabilities, application control and antimalware, and can also utilize reputation-based controls.

NSFOCUS is assessed as a Niche Player because it sells its IPS almost exclusively in one region.

Strengths
- NSFOCUS has a faithful base of large Chinese organizations and often appears in final shortlists in the Asia/Pacific region.
- The NX Series integrates with NSFOCUS DDoS protection solutions.
- NSFOCUS customers like the vendor support timeliness and ability to provide extensive answers.
- NSFOCUS has a number of features that resonate in their primary regions of operation, such as advanced threat protection, URL filtering, application control, antimalware and traffic shaping.

Cautions
- NSFOCUS is mostly visible in Asia/Pacific, and has yet to build a large channel for its IPS in the U.S. and other regions.
- NSFOCUS does not offer low-end IPS appliances at a list price that appeals to midmarket customers.
- NSFOCUS has lagged behind several competitors in the integration of sandboxing, and has little production experience with it.
- Gartner customers report that the reporting and alert view could be improved.

Wins
Wins is headquartered in Seongnam, Gyeonggi Province, South Korea, and it was established in 1996. Its IPS was released on or before 2005. Wins has previously achieved Common Criteria certifications for its IPS technology. It is shipping six appliances between 400 Mbps and 40 Gbps in its range. The Sniper One series also supports SSL decryption. Gartner was unable to contact Wins for this research.

Wins is assessed as a Niche Player because it sells its IPS in one region and lacks visibility with Gartner clients.

Strengths
- Wins is successful in the South Korea and Japan region, where its Sniper IPS is marketed.
- It is one of the few IPSs that has support for some carrier mobile protocols around inspecting 3G/LTE-encapsulated traffic.
- Wins supports the Snort standard, which allows clients to create custom signature content and to also reuse publicly available content.

Cautions
- Wins is today regionally constrained to specific areas in Asia.
- Wins does not appear to discover original vulnerabilities, making it more of a "fast follower" in terms of security content creation.
- The chassis in its lineup do not support a high physical port density.

Vendors Added and Dropped
We review and adjust our inclusion criteria for Magic Quadrants and MarketScopes as markets change. As a result of these adjustments, the mix of vendors in any Magic Quadrant or MarketScope may change over time. A vendor appearing in a Magic Quadrant or MarketScope one year and not the next does not necessarily indicate that we have changed our opinion of that vendor. This may be a reflection of a change in the market and, therefore, changed evaluation criteria, or a change of focus by a vendor.

Added
- Wins

Dropped
- Stonesoft has been acquired by McAfee, and its IPS line has been deprecated in favor of the Intel (McAfee) NSP.
- FireEye's recent addition of IPS to the NX range has not yet met the minimum revenue criteria for inclusion in this research.
- Bricata is a new entrant to the enterprise IPS/IDS market, and has not yet met the minimum revenue criteria for inclusion in this research.
- Radware has changed direction: it is exclusively using its IPS technology for WAF and DDoS use cases and no longer markets an IPS offering.

Inclusion and Exclusion Criteria
Only products that met these criteria were included. They must:
- Meet Gartner's definition of a network IPS.
- Operate as an in-line network device that runs at wire speeds.
- Perform packet normalization, assembly and inspection.
- Apply rules based on several methodologies to packet streams, including (at a minimum) protocol anomaly analysis, signature analysis and behavior analysis.
- Drop malicious sessions; they don't simply reset connections. The drop must not be a block of all subsequent user traffic.
- Have achieved network IPS product sales during the past year of more than $4 million within a customer segment that is visible to Gartner.
- Sell the product as a stand-alone IPS.

Products and vendors were excluded if:
- The company has minimal or negligible apparent market share among Gartner clients, or it is not actively shipping products.
- The product is offered only or chiefly as a managed security service.
- The company hosts IPS software on servers and workstations, rather than on an in-line device on the network.

Evaluation Criteria
Ability to Execute
Product or service and customer satisfaction in deployments: Performance in competitive assessments and having best-in-class detection and signature quality are highly rated. A vendor should compete effectively to succeed in a variety of customer placements.
Overall business viability: This includes overall financial health and prospects for continuing operations.
Sales execution/pricing: This includes dollars per Gbps, revenue, average deal size, market share change, installed base, presence in cloud deployments and use by managed security service providers (MSSPs). Winning in competitive shortlists versus other IPS vendors is also highly weighted.
Market responsiveness/record: This includes delivering as promised on planned new customer-valued features.
Marketing execution: This includes delivering on features and performance, customer satisfaction with those features, and those features beating competitors in selections. Delivering products that are low-latency and multi-Gbps, have solid internal security, behave well under attack, have high availability, and have available ports that meet connectivity demands are rated highly. Speed of vulnerability-based signature production, signature quality and dedicating internal resources to vulnerability discovery also are highly rated.
Customer experience: This includes management experience and track record, as well as depth of staff experience, specifically in the security marketplace. Also important are low latency, rapid signature updates, overall low false positive and false negative rates, and how the product fared in attack events. Post-deployment customer satisfaction, where the IPS is actively managed, is another key criterion.
Operations: The ability of the organization to meet its goals and commitments. Factors include the quality of the organizational structure, including skills, programs, systems and other vehicles that enable the organization to operate effectively and efficiently on an ongoing basis.

Table 1. Ability to Execute Evaluation Criteria

Evaluation Criteria             Weighting
Product or Service              High
Overall Viability               High
Sales Execution/Pricing         Medium
Market Responsiveness/Record    Medium
Marketing Execution             Medium
Customer Experience             High
Operations                      Medium

Source: Gartner (November 2015)

Completeness of Vision
Market understanding: This includes providing the correct blend of detection and blocking technologies that at least meet and ideally exceed the requirements for NGIPS. Innovation, forecasting customer requirements, having a vulnerability rather than an individual exploit product focus, being ahead of competitors on new features and integration with other security solutions (such as advanced threat defense) are highly rated. Also included is an understanding of and commitment to the security market and, more specifically, to the network security market. Vendors that rely on third-party sources for signatures, have weak or "shortcut" detection technologies, and have limited ATD approaches score lower.
Marketing strategy: A clear and differentiated set of messages consistently communicated throughout the organization and externalized through the Web presence, advertising, customer programs and positioning statements.
Sales strategy: This includes prepurchase and postpurchase support, value for pricing, and providing clear explanations and recommendations for addressing detection events.
Offering (product) strategy: This includes an emphasis on product roadmap, signature quality, performance and a clear differentiated advanced threat detection strategy. Successfully completing third-party testing such as the NSS Group IPS tests and Common Criteria evaluations is important. Vendors do not score well if they commonly reissue signatures, are overreliant on behavioral detection and are slow to issue quality signatures.
Business model: This includes the process and success rate of developing new features and innovation. It also includes R&D spending.
Vertical/industry strategy: The technology provider's strategy to direct resources, skills and offerings to meet the specific needs of individual market segments, including vertical markets.
Innovation: This includes R&D and quality differentiators, such as performance, management interface and clarity of reporting. Features that are aligned with the realities of network operators, such as those that reduce "gray lists" (for example, reputation and correlation), are rated as important. The roadmap should include moving IPS into new placement points and better-performing devices, as well as incorporating advanced malware detection. Rich NGIPS features (beyond only reputation feed) are highly weighted, as are robust network sandboxing capabilities and the ability to provide placements in the cloud.
Geographic strategy: The technology provider's strategy to direct resources, skills and offerings to meet the specific needs of geographies outside the "home" or native geography, either directly or through partners, channels and subsidiaries, as appropriate for that geography and market.

Table 2. Completeness of Vision Evaluation Criteria

Evaluation Criteria             Weighting
Market Understanding            Medium
Marketing Strategy              Low
Sales Strategy                  Medium
Offering (Product) Strategy     High
Business Model                  Medium
Vertical/Industry Strategy      Not Rated
Innovation                      High
Geographic Strategy             Low

Source: Gartner (November 2015)

Quadrant Descriptions
Leaders
Leaders demonstrate balanced progress and effort in all execution and vision categories. Their actions raise the competitive bar for all products in the market, and they can change the course of the industry. To remain Leaders, vendors must demonstrate a track record of delivering successfully in enterprise IPS deployments, and in winning competitive assessments. Leaders produce products that embody NGIPS capabilities, provide high signature quality and low latency, innovate with or ahead of customer challenges (such as providing associated ATD technologies to make enriched IPS intelligence), and have a wide range of models, including high-throughput models. Leaders continually win selections and are consistently visible on enterprise shortlists. However, a leading vendor is not a default choice for every buyer, and clients should not assume that they must buy only from vendors in the Leaders quadrant.

Challengers
Challengers have products that address the typical needs of the market, with strong sales, large market share, visibility and clout that add up to higher execution than Niche Players. Challengers often succeed in established customer bases; however, they do not often fare well in competitive selections, and they generally lag in new feature introduction.

Visionaries
Visionaries invest in leading-edge/"bleeding"-edge features that will be significant in next-generation products, and that give buyers early access to improved security and management. Visionaries can affect the course of technological developments in the market, especially new NGIPSs or novel anti-threat capabilities, but they lack the execution skills to outmaneuver Challengers and Leaders.

Niche Players
Niche Players offer viable solutions that meet the needs of some buyers, such as those in a particular geography or vertical market. Niche Players are less likely to appear on shortlists, but they fare well when given the right opportunities. Although they generally lack the clout to change the course of the market, they should not be regarded as merely following the Leaders. Niche Players may address subsets of the overall market (for example, the small or midsize business segment, or a vertical market), and they often do so more efficiently than Leaders. Niche Players frequently are smaller vendors, and do not yet have the resources to meet all enterprise requirements.

Context
- Current users of network IPSs highly prioritize next-generation network IPS capabilities at refresh time.
- Current users of NGFWs look at a next-generation network IPS as an additional defense layer, and expect best-of-breed signature quality.
- Enterprises with traditional network IPS and firewall offerings should build and plan to execute migration strategies to products that can identify and mitigate advanced threats.

Market Overview
According to Gartner market research, the worldwide IPS market in 2014 for stand-alone appliances was $1.53 billion. We forecast that the IPS market will start to decline in stand-alone revenue now, from $1.48 billion in 2015 to $1.1 billion by 2018 (see "Forecast: Information Security, Worldwide, 2013-2019, 2Q15 Update"). Data collected from vendors for this Magic Quadrant validates this range. Factors driving those estimates include the following:
- The threat landscape is currently aggressive, but major IPS vendors were initially slow to address botnet and advanced targeted threats. Some spending that would have gone to IPS products instead has gone to advanced threat detection and network forensics products (see "Five Styles of Advanced Threat Defense").
- NGFWs are taking a significant portion of the stand-alone perimeter IPS market as NGIPSs are absorbed into firewall refreshes and become part of NGFWs.
- Some organizations are adopting public cloud IaaS platforms, reducing the IPS vendor appliance revenue opportunity.
- As market penetration for these integrated and cloud-resident IPS form factors has advanced, the IPS appliance market has been declining.
- Threat intelligence integration is now almost pervasive in the IPS market. This has added significant context and visibility to both traditional and advanced threats. It has also added to the ability for third-party integrations to occur, extending the life of the NGIPS by allowing it to perform the "blocking and tackling" role of outbound data exfiltration detection and prevention.
- IDS is still a valid use case, and Gartner is considering the further inclusion of newer delivery methods (for example, fully managed and cloud) that are not currently under consideration for this Magic Quadrant.
As adjacent platforms continue to integrate IPS technology of various levels of efficacy, growth in the stand-alone IPS market will continue to slow.

NGIPS Is Available From Leading Vendors
The NGIPS has had two primary performance drivers: the handling of network traffic at near-wire speeds, and the deep inspection of the traffic based on more than just signatures, rules and policy. The first generation of IPSs was effectively a binary operation of "threat or no threat," based on signatures of known vulnerabilities. Rate shaping and quality of service were some of the first aspects that brought context to otherwise single-event views. As inspection depth has increased, digging deeper into the same silo of the traffic yields fewer benefits. This next generation of IPSs applies fuller stack inspection, but also applies new sources of intelligence to existing techniques:
- Standard first-generation signatures: Developed and deployed rapidly in response to new threats, and exploit-specific
- Vulnerability-generic signatures: Focus entirely on providing coverage of the underlying vulnerability, and not the multitude of variants of exploits that are often created for that specific vulnerability
- Protocol analysis: Inspects traffic for threats, regardless of the port that the traffic is traversing over
- Application awareness: Provides specific application identification
- Context awareness: Brings multiple sources together to provide more context around decisions to block sessions
- Threat intelligence services: Provide intelligence on malicious or disruptive activity that can then be acted upon
- Content awareness: Inspects and classifies inbound executables and other similar file types, as well as outbound communications
- User extensibility: Supports user-generated IPS signature content
- Advanced threat detection: Identifies and sends suspicious payloads to another device or cloud sandbox to execute and identify potentially malicious files
These advances are discussed in detail in "Defining Next-Generation Network Intrusion Prevention." Best-of-breed NGIPS is still found in stand-alone appliances, but has recently been incorporated in some NGFW platforms.
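The distinction between the first three items above (exploit-specific signatures, vulnerability-generic signatures, and port-independent protocol analysis) is easier to see in code than in prose. The following is an added example written for this page; it is not code from the Gartner report or from any IPS vendor's product. The vulnerable service, its 64-byte "X-Session" header buffer, the "EXPLOIT-A" marker, and all traffic samples are constructed assumptions for illustration only.

```python
"""Added example: exploit-specific vs. vulnerability-generic detection, and port-agnostic protocol analysis."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Hypothetical vulnerable service (constructed for this example): it copies the
# HTTP "X-Session" header value into a fixed 64-byte buffer without a length check.
MAX_SESSION_LEN = 64


@dataclass
class Packet:
    dst_port: int
    payload: bytes


def http_request(session_value: bytes) -> bytes:
    """Builds a constructed HTTP request carrying the given X-Session header value."""
    return (b"GET /login HTTP/1.1\r\nHost: app.example\r\n"
            b"X-Session: " + session_value + b"\r\n\r\n")


# First-generation, exploit-specific signature: a byte pattern taken from one
# observed exploit (here a NOP sled followed by a made-up marker string).
EXPLOIT_A_PATTERN = b"\x90" * 16 + b"EXPLOIT-A"


def exploit_specific(pkt: Packet) -> Optional[str]:
    """Matches only the one exploit the signature was written from."""
    if EXPLOIT_A_PATTERN in pkt.payload:
        return "exploit-specific signature: exploit A pattern"
    return None


HTTP_REQUEST_LINE = re.compile(rb"^(GET|POST|HEAD) \S+ HTTP/1\.[01]\r\n")


def is_http(payload: bytes) -> bool:
    """Protocol identification by stream content, not by port number."""
    return HTTP_REQUEST_LINE.match(payload) is not None


def parse_headers(payload: bytes) -> dict:
    head = payload.split(b"\r\n\r\n", 1)[0]
    headers = {}
    for line in head.split(b"\r\n")[1:]:          # skip the request line
        name, sep, value = line.partition(b":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers


def vulnerability_generic(pkt: Packet) -> Optional[str]:
    """Fires on the vulnerable condition itself (an over-long X-Session header),
    whatever bytes a particular exploit variant carries."""
    if not is_http(pkt.payload):
        return None
    value = parse_headers(pkt.payload).get(b"x-session")
    if value is not None and len(value) > MAX_SESSION_LEN:
        return f"vulnerability-generic signature: X-Session length {len(value)} > {MAX_SESSION_LEN}"
    return None


def inspect_port_bound(pkt: Packet) -> List[str]:
    """Legacy behaviour: HTTP checks run only on the well-known HTTP port."""
    if pkt.dst_port != 80:
        return []
    return [m for m in (exploit_specific(pkt), vulnerability_generic(pkt)) if m]


def inspect_protocol_aware(pkt: Packet) -> List[str]:
    """NGIPS behaviour: identify the protocol from the stream, then apply HTTP checks on any port."""
    if not is_http(pkt.payload):
        return []
    return [m for m in (exploit_specific(pkt), vulnerability_generic(pkt)) if m]


# Constructed traffic samples.
KNOWN_EXPLOIT = Packet(80, http_request(EXPLOIT_A_PATTERN + b"A" * 100))   # exploit A on port 80
VARIANT_EXPLOIT = Packet(80, http_request(b"B" * 200))                      # same bug, new variant
VARIANT_ON_8443 = Packet(8443, http_request(b"B" * 200))                    # same variant, unusual port
BENIGN = Packet(80, http_request(b"s3ss10n-0k"))                             # normal request

if __name__ == "__main__":
    for name, pkt in [("known exploit", KNOWN_EXPLOIT), ("variant", VARIANT_EXPLOIT),
                      ("variant on 8443", VARIANT_ON_8443), ("benign", BENIGN)]:
        print(f"{name:16} port-bound={inspect_port_bound(pkt)} protocol-aware={inspect_protocol_aware(pkt)}")
```

Run as-is, the known exploit trips both signatures, the rewritten variant evades the exploit-specific pattern but not the vulnerability-generic check, and the same variant on port 8443 is missed entirely by the port-bound inspector while the protocol-aware one still catches it.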

Advanced Threat Detection Is Now Available From NGIPSs
Along with SSL decryption, Gartner IPS Magic Quadrant customer references most often mentioned advanced threat detection as the key feature in future IPS selections. To compete effectively, NGIPS vendors must more deeply integrate advanced threat defense capabilities to step up their targeted attack detection capabilities for malware detection, anomaly detection, and also for outgoing communication with command-and-control servers from infected endpoints.
Gartner notes that FireEye, a well-known vendor in the specialized advanced threat detection area, has evolved its product capabilities to deliver very basic network IPS capabilities to complement its advanced threat solutions. If FireEye or other advanced threat vendors bring "good enough" IPS capabilities to market, clients will have more options and new IPS approaches to choose from.

IPS Appliance Market Consolidation Continues, but Cloud and Pure Managed Security Service Offerings Gain Traction
In 2013, McAfee acquired Stonesoft, and Cisco acquired Sourcefire. Both of these acquiring vendors had their own IPS technologies before they made their purchases. Both vendors have streamlined their IPS portfolios to offer one stand-alone solution. Additionally, both have continued to execute well in the IPS market despite other changes and acquisitions in their respective businesses. Bricata is a new IPS/IDS vendor that has an additional focus on post-breach features by supporting large amounts of on-chassis storage capacity, allowing for investigation use cases and the ability to replay old traffic, but with up-to-date signatures and intelligence to help detect breaches.
As the IPS market growth rate slowly decreases, we expect the strongest NGIPS providers to grow their market shares, driving weaker players from the market and leaving buyers with a stable set of vendors from which to choose.
Mostly cloud-based IDS solutions, such as Alert Logic, are today outside the scope of this Magic Quadrant's selection criteria, as are pure IPS managed sensors, such as those from Dell SecureWorks and Trustwave. Such solutions are gaining momentum, and Gartner will monitor their progress. We are considering the inclusion of such options in future IPS Magic Quadrants.

More IPSs Get Absorbed by NGFWs; However, the Stand-Alone IPS Market Will Persist
With the improvement in availability and quality of the IPS within the NGFW, NGFW adoption reduces the need for a network IPS in many enterprises. However, the stand-alone IPS market will persist to serve several scenarios:
- The incumbent firewall does not offer a viable NGIPS option.
- Clients continue to report significant performance impact from enabling IPS in their NGFWs. This impact, in real-world feedback from Gartner clients, is frequently in the 40% to 80% range, depending on the traffic profile. For environments that require sustained throughput of 10 Gbps to 20 Gbps and higher, a separate NGFW and NGIPS is a sensible architecture to pursue.
- Separation of the firewall and IPS is desired for organizational or operational reasons, such as where firewalls are a network team function and IPS/IDS is run by the security team.
- A best-of-breed IPS is desired, meaning a stand-alone NGIPS is required.
- Niche designs exist (as in certain internal segmentation scenarios) where an IPS is desired, but without a firewall.
- For internal segmentation projects, NGIPS deploys transparently at Layer 2, with more reliability and higher-quality security content than a transparent NGFW, and therefore is considerably easier to deploy while providing the best protection available.
While the trend is toward IPS consolidation on NGFWs, Gartner sees anecdotal examples of organizations switching back from an NGFW to a stand-alone IPS where improved blocking quality and performance are required.

IDS Is Still Widely Deployed and Effective
Gartner continues to see a credible percentage of user organizations that are still deploying IDS (or IPSs in IDS mode) technology purely for monitoring and visibility use cases, and not for blocking, especially in the network core or where an IPS cannot be deployed.
While going "inline" with this technology is preferred, as it at least offers the capability to block should the need arise, IDS is still a staple in a large number of environments. As the adaptive security architecture highlights (see "Designing an Adaptive Security Architecture for Protection From Advanced Attacks"), detection is a critical capability. The number of breaches in recent history highlights clearly that organizations, large and small, are failing in their ability to perform detection and response once threats are active inside the network. IDS is still very effective at delivering threat detection capabilities in familiar ways to organizations' security teams.
Some organizations are getting additional life out of older IPS/IDS investments (or by making new investments in IDS) by enabling IPS in the NGFW and moving their IPS/IDS elsewhere in the environment. So rather than decommission stand-alone IPSs, they instead deploy them in "IDS mode" internally on other parts of the network for monitoring of what is generally called "east/west traffic," versus the traditional network traffic profile of north/south close to the Internet perimeter. Detecting vulnerability exploitation, service brute forcing, botnet command-and-control channel activity, application identification, and so on, are all standard features of modern IPS/IDSs and still have utility.
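The operational difference between "IDS mode" (alert only) and inline IPS on the same east/west sensor is illustrated below with one of the detections just listed, service brute forcing. This is an added example written for this page, not code from the Gartner report or from any vendor's sensor. The authentication event format, the threshold of five failures in 60 seconds, and the 10.20.x.x hosts are constructed assumptions; the log lines are made up for the example.

```python
"""Added example: a stateful brute-force detector that runs in IDS mode (alert only)
or IPS mode (block), over constructed east/west authentication events."""
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Deque, Dict, List, Optional, Set, Tuple


@dataclass
class AuthEvent:
    ts: datetime
    src: str
    dst: str
    service: str
    outcome: str          # "fail" or "ok"


# Constructed sample (not real data): 10.20.1.15 guesses SSH credentials on 10.20.5.7
# and eventually succeeds; 10.20.1.40 is a user who mistypes a password twice.
SAMPLE_LOG = """\
2015-11-16T09:00:01 10.20.1.15 10.20.5.7 ssh fail
2015-11-16T09:00:04 10.20.1.15 10.20.5.7 ssh fail
2015-11-16T09:00:07 10.20.1.40 10.20.5.7 ssh fail
2015-11-16T09:00:09 10.20.1.15 10.20.5.7 ssh fail
2015-11-16T09:00:12 10.20.1.40 10.20.5.7 ssh fail
2015-11-16T09:00:15 10.20.1.15 10.20.5.7 ssh fail
2015-11-16T09:00:18 10.20.1.40 10.20.5.7 ssh ok
2015-11-16T09:00:21 10.20.1.15 10.20.5.7 ssh fail
2015-11-16T09:00:24 10.20.1.15 10.20.5.7 ssh fail
2015-11-16T09:00:27 10.20.1.15 10.20.5.7 ssh ok
2015-11-16T09:03:00 10.20.1.15 10.20.5.9 smb fail
"""


def parse_log(text: str) -> List[AuthEvent]:
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, service, outcome = line.split()
        events.append(AuthEvent(datetime.fromisoformat(ts), src, dst, service, outcome))
    return events


Key = Tuple[str, str, str]   # (src, dst, service)


class BruteForceDetector:
    """Sliding-window failure counter per (source, destination, service)."""

    def __init__(self, threshold: int = 5, window: timedelta = timedelta(seconds=60), mode: str = "ids"):
        if mode not in ("ids", "ips"):
            raise ValueError("mode must be 'ids' or 'ips'")
        self.threshold = threshold
        self.window = window
        self.mode = mode
        self.failures: Dict[Key, Deque[datetime]] = defaultdict(deque)
        self.blocked: Set[Key] = set()

    def process(self, ev: AuthEvent) -> Optional[str]:
        key = (ev.src, ev.dst, ev.service)
        # Inline (IPS) mode: once a flow is blocked everything on it is dropped,
        # including the attempt that would finally have succeeded.
        if self.mode == "ips" and key in self.blocked:
            return f"DROP {ev.ts.isoformat()} {ev.src}->{ev.dst} {ev.service} (blocked)"
        if ev.outcome != "fail":
            return None
        q = self.failures[key]
        q.append(ev.ts)
        while q and ev.ts - q[0] > self.window:     # forget failures outside the window
            q.popleft()
        if len(q) < self.threshold:
            return None
        detail = f"{ev.src}->{ev.dst} {ev.service}: {len(q)} failures in {int(self.window.total_seconds())}s"
        if self.mode == "ips":
            self.blocked.add(key)
            return f"BLOCK {ev.ts.isoformat()} {detail}"
        # IDS mode: report, never interfere with traffic.
        return f"ALERT {ev.ts.isoformat()} {detail}"


def run(log_text: str, mode: str) -> List[str]:
    det = BruteForceDetector(mode=mode)
    return [v for v in (det.process(ev) for ev in parse_log(log_text)) if v]


if __name__ == "__main__":
    for mode in ("ids", "ips"):
        print(mode.upper(), *run(SAMPLE_LOG, mode), sep="\n  ")
```

In IDS mode the sensor raises two alerts (the fifth and sixth failures) and the attacker's eventual successful login passes untouched, which is exactly the visibility-only trade-off described above; in IPS mode the fifth failure blocks the flow and both subsequent attempts, including the successful guess, are dropped. The legitimate user's two typos never cross the threshold in either mode, and the later SMB failure against a different host is a separate flow.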

Developments in Threat Intelligence Have Implications for IPS/IDS
Threat intelligence or reputation feeds have provided much-needed additional visibility, threat context and blocking opportunities for IDS/IPS deployments. In the last few years, all IPS vendors have added these "feeds" to their existing product lines. TI feeds have the following strengths and challenges:
Strengths:
- Time to coverage: for example, a piece of malware can be inspected and TI feeds updated with detection/blocking metadata like IP address, DNS hostname or URL, which is considerably faster than the deep-soak signature testing cycle that IPS vendors require to ship IPS security content.
- Improved context and visibility on the threat landscape for fast-moving threats, particularly malware and botnets.
- Most feeds have the concept of not only the threat (botnet), but also a score (often from 0 to 100, for example), allowing users to define the threshold at which alerting versus blocking occurs.
- Allow for the use of relatively accurate geographic IP details for context and blocking opportunities.
- Allow for third-party integration of other feeds via IPS vendor APIs. This normally requires additional work.
Challenges:
- TI feeds are proprietary in nature, and users cannot use open standards such as Structured Threat Information Expression (STIX)/Trusted Automated Exchange of Indicator Information (TAXII) without additional software.
- Like all security content, TI feeds are prone to a level of false positives, meaning clients often have to tune policies to avoid blocking nonmalicious traffic.
- Most vendors, without third parties creating their own integrations or without additional products, generally only use their own TI feeds. These are limited in scope and coverage of the threat landscape to what that vendor alone sees.
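Three of the points above (a 0 to 100 score with separate alert and block thresholds, merging a third-party feed alongside the vendor's own, and tuning out false positives) fit in one small policy engine. The code below is an added example written for this page, not code from the Gartner report or from any IPS vendor's TI integration. The feed entries, the "isac" third-party source, the example.net-style indicator values and the connection list are all constructed for illustration; the merge rule of keeping the highest-confidence entry per indicator is an assumption, not a description of how any product merges feeds.

```python
"""Added example: applying scored TI indicators with alert and block thresholds,
merging a third-party feed, and allowlisting a confirmed false positive."""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Indicator:
    kind: str        # "ip", "domain" or "url"
    value: str
    category: str    # e.g. "botnet_c2", "malware_dist", "phishing", "scanner"
    score: int       # 0-100 confidence, as most feeds supply
    source: str      # which feed asserted it


# Constructed feed contents; none of these entries come from a real feed.
VENDOR_FEED = [
    Indicator("ip", "203.0.113.7", "botnet_c2", 95, "vendor"),
    Indicator("domain", "cdn-update.example", "malware_dist", 55, "vendor"),
    Indicator("ip", "198.51.100.20", "scanner", 30, "vendor"),
]
ISAC_FEED = [   # third-party feed pulled in through the vendor's API (assumed integration)
    Indicator("ip", "203.0.113.7", "botnet_c2", 80, "isac"),
    Indicator("url", "http://cdn-update.example/setup.bin", "malware_dist", 85, "isac"),
    Indicator("domain", "partner-portal.example", "phishing", 90, "isac"),   # later found to be a false positive
]

IndicatorKey = Tuple[str, str]


class ReputationPolicy:
    def __init__(self, alert_at: int = 50, block_at: int = 80, allowlist: Iterable[IndicatorKey] = ()):
        if not 0 <= alert_at <= block_at <= 100:
            raise ValueError("require 0 <= alert_at <= block_at <= 100")
        self.alert_at = alert_at
        self.block_at = block_at
        self.allowlist: Set[IndicatorKey] = set(allowlist)
        self.db: Dict[IndicatorKey, Indicator] = {}

    def load(self, feed: Iterable[Indicator]) -> None:
        """Merge a feed; when two sources assert the same indicator, keep the higher score."""
        for ind in feed:
            key = (ind.kind, ind.value)
            if key not in self.db or ind.score > self.db[key].score:
                self.db[key] = ind

    def lookup(self, kind: str, value: str) -> Optional[Indicator]:
        return self.db.get((kind, value))

    def evaluate(self, kind: str, value: str) -> str:
        """Returns 'allow', 'alert' or 'block' with the reason; allowlist wins over any feed."""
        if (kind, value) in self.allowlist:
            return "allow (allowlisted after false-positive review)"
        ind = self.lookup(kind, value)
        if ind is None:
            return "allow (no indicator)"
        detail = f"{ind.category}, score {ind.score}, source {ind.source}"
        if ind.score >= self.block_at:
            return f"block ({detail})"
        if ind.score >= self.alert_at:
            return f"alert ({detail})"
        return f"allow (below alert threshold: {detail})"


def build_policy(allowlist: Iterable[IndicatorKey] = ()) -> ReputationPolicy:
    policy = ReputationPolicy(alert_at=50, block_at=80, allowlist=allowlist)
    policy.load(VENDOR_FEED)
    policy.load(ISAC_FEED)
    return policy


# Constructed outbound connection attempts as the sensor would see them.
CONNECTIONS = [
    ("ip", "203.0.113.7"),
    ("domain", "cdn-update.example"),
    ("url", "http://cdn-update.example/setup.bin"),
    ("ip", "198.51.100.20"),
    ("domain", "partner-portal.example"),
    ("domain", "intranet.example"),
]


def evaluate_all(policy: ReputationPolicy) -> List[Tuple[str, str, str]]:
    return [(kind, value, policy.evaluate(kind, value)) for kind, value in CONNECTIONS]


if __name__ == "__main__":
    untuned = build_policy()
    tuned = build_policy(allowlist=[("domain", "partner-portal.example")])
    for (kind, value, before), (_, _, after) in zip(evaluate_all(untuned), evaluate_all(tuned)):
        print(f"{kind:6} {value:40} {before:60} -> {after}")
```

The untuned policy blocks the shared C2 address (the vendor's 95 wins over the ISAC's 80), only alerts on the distribution domain at 55, blocks the specific URL the ISAC scored at 85, and ignores the low-confidence scanner. It also blocks the business partner's portal on the strength of a single 90-point phishing entry, which is the false-positive case the challenges above warn about; the tuned policy carries an allowlist entry for it and lets that traffic through while everything else is unchanged.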
STIX/TAXII standards are now at a point where they have the momentum of security organizations, including Computer Emergency Response Teams (CERTs), global information sharing and analysis centers (ISACs), vendors, and end users. While nascent, in the coming two to three years we expect to see an acceleration of "block and tackle" vendors, such as firewall, intrusion prevention, secure Web gateway (SWG), endpoint threat detection and response (ETDR), and SIEM tools, all supporting full implementations of these open standards. These two standards in particular will accelerate the ability to consume threat information and then act on it at timescales not previously possible, and will do so in an end user's environment that has a mixed ecosystem of vendors.
Finally, while not meeting the definition of NGIPS, and therefore not qualifying for inclusion in this research, inline "threat intelligence" appliances have appeared on the market. These are not fully featured IPS/IDSs per se; they only offer blocking on source and destination IP address, DNS names and URLs, meaning they are based purely on TI feeds. However, they often support much larger TI databases than are available from leading IPS vendors. Example vendors are Centripetal Networks and Norse.

© 2015 Gartner, Inc. and/or its affiliates. All rights reserved.