Research Vice President, Security & Trust
The criticality of effective endpoint security has never been greater for enterprises. A principal reason is enterprises’ evolving IT footprint. Spurred by the COVID-19 pandemic, millions of office workers changed locations from onsite to work from home (WFH). While workers are gradually returning to the office, the workplace landscape for many organizations is unlikely to return to its pre-pandemic state. In addition, the usage of cloud applications surged during the pandemic as business leaders sought flexibility to support their immediate needs and to better compete in a digitally transformed future.
This dual shift of workers and applications to off premises has been a gift to threat actors. The exploitability of personal computers (PCs) of WFH employees increased. In addition to being situated outside office-based perimeter defenses, these devices were now connecting full time through unmanaged home networks and were increasingly likely to be used for nonbusiness purposes and by other family members. The viability for threat actors to infect remote PCs, in essence, multiplied. And since users of these devices required access to cloud-based applications (custom and software as a service) and on-premises applications through a VPN to remain productive, the attractiveness of PCs as targets rose. Moreover, as worker remoteness increased along with access to both cloud and on-premises applications, business networks became flatter. Legacy approaches that use network segmentation as a security mechanism became less effective. This also benefited threat actors: their lateral movement from the first infected PCs to other PCs and connected IT systems encountered fewer barriers.
Not only have threat actors intensified their focus on endpoints, but they have also advanced their tradecraft. A decade ago, signature-based antivirus software was considered an adequate defense for identifying and removing malware from end-users’ devices. Times have radically changed. Threat actors no longer rely exclusively on dropping malware onto devices to carry out their attacks. Instead, they are more apt to manipulate legitimate software programs, tools, and files (i.e., living off the land attacks). Consequently, identifying behaviors of malicious intent has become a requirement in mounting an adequate defense.
Identifying malicious behaviors, however, is no simple task. The varied, wide ranging, and complex nature of what end-user devices (PCs and smartphones) are equipped to do blurs the distinction between malicious and legitimate behaviors. In addition, threat actors will orchestrate a series of actions, each seemingly benign, to further disguise their presence. Assembling the trail of related actions has become essential in uncovering active attacks and then responding with speed and precision to blunt them.
Building up endpoint security is crucial. Modern endpoint security (MES) products, the combination of endpoint protection platforms (EPPs) for deterministic prevention and endpoint detection and response (EDR) for post-compromise reaction, are the latest evolution in endpoint security designed to combat threats aimed at endpoints. IDC research confirms that the demand for modern endpoint security is on the rise.
A modern endpoint security product, however, is not an island. Rather, it is a component in a constellation of complementary security technologies and operations that function together to fortify the security posture of endpoints and the resiliency of business functions. Given this more holistic view of modern endpoint security, enterprises should not limit their assessment to the independent merits of modern endpoint security products. They should also examine integration and workflow streamlining with and across other technologies that fortify security and enhance security and IT operations. These technologies include, but are not limited to, hardware-based device integrity checks and restoration, endpoint/IT hygiene management, file and data backup and recovery, and the evolution of EDR to eXtended Detection and Response (XDR).
Just as the threat landscape has evolved so too has the endpoint security market.
As the threat landscape has evolved with intensified focus on compromising endpoint devices, so too has the landscape of modern endpoint security vendors included in this IDC MarketScape. With this, enterprise endpoint security buyers have greater choice and opportunity to select a vendor that is best aligned with their circumstances and requirements. Our overarching advice is to evaluate vendors from the perspective of strategic fit. Selecting a vendor and its MES product is not only for combating the threats of today as they will be different tomorrow. Rather, the selection should be made from a long-term perspective on whether the vendor can adapt to the threats of the future while also reducing the cost and complexity of security operations.
More tactically, IDC offers this advice to enterprise MES buyers:
This section briefly explains IDC’s key observations resulting in a vendor’s position in the IDC MarketScape. While every vendor is evaluated against each of the criteria outlined in the Appendix, the description here provides a summary of each vendor’s strengths and challenges.
ESET is positioned in the Major Players category in the 2021 IDC MarketScape for modern endpoint security for enterprises.
Approaching 35 years since its founding and serving both the corporate/commercial and consumer segments, ESET is among the most tenured vendors included in this IDC MarketScape. From its origins in Europe, the company has diversified geographically, and its commercial customer base is evenly spread across sub-100 endpoint companies to firms with thousands of endpoints. Constant throughout its history is a research and technology-driven culture and stable leadership.
A private company, ESET is profitable and reinvests its profits into the disciplines that directly contribute to advancing its products, namely, software development, core threat research, and threat hunting.
Tailoring its support of its expansive base of customers across western, central, and eastern Europe, ESET engages with its customers in the prevalent languages of their countries. Local language support, either directly or through partners, applies to the other regions where ESET has a material presence, namely, North America, Japan, and Latin America.
Willing to put its endpoint security products to the test, ESET’s participation in independent EPP evaluations is among the upper tier of vendors. With its EDR capabilities introduced in 2018 via ESET Enterprise Inspector, ESET’s participation in EDR evaluations did not start as early as other vendors, but the company has since been highly participatory in EDR evaluations involving multiple testing firms.
With a security product portfolio that includes email, cloud-hosted business apps, cloud access, data, and identity, ESET has a solid position relative to other vendors to offer a broad and natively integrated cross-product platform solution.
Assisting customers in overcoming their skill gaps, ESET with its in-house talent and through its partners offers MDR and managed threat hunting services.
As previously stated, ESET offers security to the consumer segment. As with other vendors that are active in the consumer segment, ESET benefits from the unique threat data it collects and analyzes.
There are just a few capability areas where ESET is lacking. ESET does not have rollback remediation features, for example, to return ransomware-compromised user files and settings to their pre-attack state. The company’s focus, however, has been noticeably present in ransomware prevention through a pair of ESET-developed technologies: Network Attack Protection and Ransomware Shield. ESET is also limited in its hardware-based security capabilities. Pre-boot monitoring is not hardware-based security, but it is related in that it also provides protection below the application layer. In that regard, ESET added UEFI scanning as a standard feature. Its UEFI Scanner scans for threats that could launch prior to a device booting up.
ESET’s set of capabilities directed toward attack surface reduction is not as expansive as that of some other vendors in this market. ESET offers device control and host firewall management natively within its product. Vulnerability assessment and patch management are currently not part of ESET’s solution set, either natively or through third-party integrations.
Although ESET’s MES business is steadily growing, on a worldwide basis ESET’s growth trails the overall market. The competitive risk to ESET is that larger worldwide vendors crowd ESET out of proof-of-concept (POC) invitations.
Existing ESET endpoint security customers should trial ESET’s EDR capabilities and consider upcoming road map functionality. ESET’s long history of feature expansion will likely narrow potential differences between the company’s capabilities and those of competitors. In addition, ESET, as previously stated, has security products in other disciplines that provide useful telemetry for threat detection and represent additional control points for policy enforcement (preventive and reactive). This is beneficial for enterprises that want to unify their security stack with fewer vendors and are also comfortable with separate vendors for vulnerability assessment and patch management. In evaluating unification, do pay attention to centralized management and its contribution to improving security staff’s productivity. The administrator and analyst experience and actual cross-product integration versus claimed integration matter. In addition, compare ESET’s partner ecosystem with your multivendor environment to ensure cross-vendor telemetry exchange and response orchestration meets your requirements.
Participating vendors met the following criteria:
For the purposes of this analysis, IDC divided potential key measures for success into two primary categories: capabilities and strategies.
Positioning on the y-axis reflects the vendor’s current capabilities and menu of services and how well aligned the vendor is to customer needs. The capabilities category focuses on the capabilities of the company and product today, here and now. Under this category, IDC analysts look at how well a vendor is building/delivering capabilities that enable it to execute its chosen strategy in the market.
Positioning on the x-axis, or strategies axis, indicates how well the vendor’s future strategy aligns with what customers will require in three to five years. The strategies category focuses on high-level decisions and underlying assumptions about offerings, customer segments, and business and go-to-market plans for the next three to five years.
The size of the individual vendor markers in the IDC MarketScape represents the market share of each individual vendor within the specific market segment being assessed.
IDC MarketScape criteria selection, weightings, and vendor scores represent well-researched IDC judgment about the market and specific vendors. IDC analysts tailor the range of standard characteristics by which vendors are measured through structured discussions, surveys, and interviews with market leaders, participants, and end users. Market weightings are based on user interviews, buyer surveys, and the input of IDC experts in each market. IDC analysts base individual vendor scores, and ultimately vendor positions on the IDC MarketScape, on detailed surveys and interviews with the vendors, publicly available information, and end-user experiences in an effort to provide an accurate and consistent assessment of each vendor’s characteristics, behavior, and capability.
Modern endpoint security products protect personal computing devices (PCDs, such as workstations and laptops) from cyberattacks through the detection of malicious code and behaviors present or operating within the PCD and then facilitate a counteracting response (e.g., block, remove, or isolate). Modern endpoint security products contain two detection and response mechanisms, differentiated by elapsed time and human involvement. Endpoint protection platforms (EPP) reach detection verdicts and initiate responses in real time and autonomously (i.e., without human involvement). Endpoint detection and response (EDR) is a second stage of detection and response for cyberattacks that have evaded EPP detection. With EDR, the time to reach detection verdicts and initiate responses can span minutes to days. How fast the cyberattack unfolds, its sequence of steps, and its sophistication and uniqueness are factors that affect the elapsed time in detection and response. Automation and predefined workflows assist in reducing the elapsed time. Security analysts (humans) are typically involved, at minimum, to confirm detection and/or authorize response.