Our seasoned analysts couple their industry-leading B2B research with in-depth buyer intent data for unparalleled insights about critical technology markets.
Clients trust us across their GTMs—from strategy and product development to competitive insights and content creation—because we deliver high-quality, actionable support.
Browse our extensive library of research reports, research-based content, and blogs for actionable data and expert analysis of the latest B2B technology trends, market dynamics, and business opportunities.
ESG’s Master Survey Results provide the complete output of syndicated research surveys in graphical format. In addition to the data, these documents provide background information on the survey, including respondent profiles at an individual and organizational level. It is important to note that these documents do not contain analysis of the data.
This Master Survey Results presentation focuses on modern network security challenges, plans, and strategies as organizations look to cloud-delivered solutions that provide centralized management and distributed enforcement.
ESG conducted an in-depth survey of 380 IT and cybersecurity professionals responsible for evaluating, purchasing, and managing endpoint security products, processes, and services. Survey participants represented midmarket (100 to 999 employees) and enterprise-class (1,000 employees or more) organizations in North America (United States and Canada).
Survey participants represented a wide range of industries including manufacturing, financial services, healthcare, communications and media, retail, government, and business services. For more details, please see the Research Methodology and Respondent Demographics sections of this report.
Network security at the perimeter has remained predominantly appliance-centric, despite the acceleration of cloud-delivered solutions in other parts of the stack. That is set to change as organizations look for stronger protection, improved performance, and a more consistent model across the increasingly distributed enterprise environment. Elastic cloud gateways are seeing significant interest as an approach to meet these business requirements through a converged, cloud-delivered network security architecture.
The first blog I wrote about elastic cloud gateways prior to Black Hat 2019 referenced next-generation firewalls relative to the shift to application-centric, Layer 7 scanning, and the massive impact that had on the network security market. What I didn’t appreciate at the time is how similar the trajectory of the two spaces would be. In the 10 months since Black Hat, we’ve witnessed a massive amount of momentum in this area. In fact, recently completed ESG research on elastic cloud gateways found that 94% of organizations reported usage of, or some level of interest in, these types of solutions. With secure access service edge (SASE) having become common terminology within the network security space, I’m often asked what the difference is between ECG and SASE. The fact is, there are many more similarities than differences; however, the differences that do exist are important.
XDR may succeed but XDR vendors face deployment challenges and competition on several fronts.
My colleague Dave Gruber and I are all over this new concept called XDR. Just what is this new acronym all about? In a recent CSO Online blog, I defined XDR as:
An integrated suite of security products spanning hybrid IT architectures, designed to interoperate and coordinate on threat prevention, detection, and response. XDR unifies control points, security telemetry, analytics, and operations into one enterprise system.
Hmm, sounds interesting but is there a market for yet another type of security product?
To explore user perspectives around SASE solutions and elastic cloud gateway architectures, Enterprise Strategy Group recently completed a research study on the convergence of network security tools through a consolidated, cloud-delivered platform. The study explored pain points with current approaches and tools, interest in and important elements of an ECG approach, and what organizations expect to gain from implementing an ECG architecture. To explore some of the research, I invited my colleague Jon Oltsik to discuss the findings and what they mean.
In the video, Jon and I discuss:
ECG interest. Suffice it to say, very few organizations are not interested in an ECG type of network security approach, but we discuss how organizations are thinking about the deployment model and anticipated business outcomes associated with elastic cloud gateways.
The shift to cloud-delivered network security tools. I share some Enterprise Strategy Group research findings on where the market stands in the transition to cloud, and the reasons organizations are quickly moving to a cloud-delivery model.
How networking fits into the architecture. We discuss how organizations see networking, and specifically SD-WAN, fitting into security overall, and an ECG approach specifically. I explain that this is a longer transition and will likely vary from company to company.
My colleague Dave Gruber is such a great guest that I invited him back for an unparalleled SOAPA video part 3. In our final installment, Dave and I talk about:
XDR deployment models. XDR deployment will be an iterative process, rolling out on a security controls replacement basis. Dave describes how organizations will have to pick a starting point and then integrate additional controls for incremental architectural benefits over time.
Who needs XDR? Dave and I agree that midmarket and small enterprise organizations with small security teams will gravitate to XDR sooner rather than later. We may see some industry affinity as well, in verticals like state/local government, education, healthcare, and others.
XDR and the SOC. XDR won’t replace tried-and-true SOC systems like SIEM, SOAR, or threat intelligence platforms (TIPs) anytime soon so interoperability is key. The best XDR platforms will provide high fidelity alerts and forensic details to these traditional SOC technologies.
The future of SOAPA and XDR. As an architecture, Dave is bullish on SOAPA, believing it will continue to evolve and improve. XDR is a bit more of a wildcard, especially in the large enterprise market, but Dave and I agree that major technology suppliers are investing and resourcing XDR R&D and go-to-market efforts, so it’s likely to gain momentum. If XDR can fulfill its promise of improving security efficacy and operational efficiency, customers will come running.
Thanks for participating, Dave, old buddy, old pal. More SOAPA videos coming soon!
In part 2 of our SOAPA video, I welcome back my astute colleague, Dave Gruber. The conversation turns to XDR, a market segment that Dave and I collaborate on. I ask Dave about:
The definition of XDR. It’s a nebulous industry term but Dave nails it by explaining that XDR is a method for bringing controls together to improve security telemetry collection, correlation, contextualization, and analytics. There’s also an operational side of XDR to help coordinate response and remediation across multiple controls simultaneously.
Whether XDR is a product or an architecture. When Dave and I first put our heads together on XDR, we realized that it looks a heck of a lot like SOAPA. Since XDR is often presented as an integrated suite from a single vendor, it’s kind of a product. Alternatively, some vendors offer open APIs and a partner ecosystem, so it’s kind of an architecture as well. Regardless, it’s still definitely SOAPA!
Where XDR is today. Dave admits that it’s early on for XDR and current versions start with common data collection and correlation, acting as a data lake for security analysts. Many vendors are adding advanced analytics as well. The goal is to detect “low and slow” attacks that compromise systems, move laterally across networks, escalate privileges, and ultimately exfiltrate data. In theory, XDR can detect these campaigns as it has coordinated eyes on everything.
My SOAPA video with Dave was going so well that I invited him back for Part 3 of our video. Unprecedented! Stay tuned.
Back in March, I heard from several CISOs about how COVID-19 was disrupting their cybersecurity programs and changing their priorities. A few weeks later, I connected with some CISO friends, and got an update on phase 2 of their pandemic journeys.
While no one knows when the coronavirus impact will end, we are getting a good perspective on what the new normal will look like. Here are ten changes I anticipate (in no particular order):
Work from home (WFH) becomes the default model. This one is an obvious assumption, but one we can back up with data: According to ESG research, 79% of IT executives say that their organization will be more flexible about WFH policies after the pandemic subsides. Furthermore, WFH seems to be, well, working: 78% of knowledge workers report being either more productive working from home or having no change in productivity. Between productivity gains and real estate savings, WFH is a winner — and is driving lots of changes to security investment and priorities.
Any remnant of a security perimeter is now dead. When I started in security nearly 20 years ago, a group of financial services companies started an organization called the Jericho Forum, which pitched the concept of de-perimeterization. While most security professionals agreed with the idea, scaling security remained a challenge, so network perimeters remained and changed slowly over time. COVID-19 may be the final security perimeter coffin nail. To support a more distributed IT infrastructure, security controls will move wholesale to endpoints — users, devices, applications, data, etc. The good news is that cloud-based management planes will make this architecture much easier to scale and operate than in the past. What are the new perimeters? Users and devices (i.e., identities) and data.
Hail to the cloud. Cloud workload migration accelerated due to COVID-19 as it was easier to administer cloud infrastructure than on-premises servers, networks, and storage devices. To keep up, CISOs must ramp up cloud security hiring, training, and skills development on their teams. It’s also clear now that the public cloud is the de facto infrastructure for network security controls, consolidating SD-WAN and security services. The same is true for security analytics with data and analytics engines moving quickly to the cloud. Finally, security management planes are heading in the same cloudy direction. CISOs will need new skills for migrating data and tools and managing cloud subscriptions.
The mainstreaming of attack surface management (ASM). CISOs will need better ways to collect, process, and analyze data for cyber-risk management as users and assets become more distributed and remote. This should happen quickly since most organizations have no idea about all the connections to their network and regularly discover things like previously unknown devices, misconfigured servers, default passwords, partner connections, etc. ASM will evolve from an esoteric area to an enterprise requirement. Vendors like BitSight, Bugcrowd, CyCognito, Randori, and others will benefit from this transition.
Doubling down on policy management. With everything distributed, CISOs will need to work with business managers to determine who can do what from where and really (and I mean really) tighten up their security policies with granular and dynamic rule sets. Once policies are determined, they’ll also need the CIO’s help to build an infrastructure for policy enforcement and monitoring. There is a tremendous opportunity for security technologies here — vendors that build intuitive, flexible, and scalable policy management engines will clean up.
Identity management gets an overhaul. Distributed security controls and policy management must be anchored by a modern identity management infrastructure — not the organically grown patchwork we’ve kludged together over the past 20 years. To ease this migration, identity will also migrate to the cloud in a hurry. This is good news for JumpCloud, Okta, and Ping, but I believe cloud service providers like Amazon, Google, VMware, and obviously Microsoft will make a big play here as well.
Cyber threat intelligence at scale. COVID-19 is a global opportunity for the cyber-underworld, leading to a wave of new scams and attacks. To counteract this trend, organizations need to be able to operationalize, analyze, and hunt for threats at an unprecedented scale. This should represent a growth opportunity for threat intelligence platforms and investigation tools like Anomali, King & Union, Palo Alto Networks, RecordedFuture, ThreatConnect, and ThreatQuotient at the high end of the market. Smaller enterprises will likely dive deeper into threat intelligence services from the likes of Cisco, FireEye, IBM, and Secureworks.
AI and ML, the next generation. Security teams will need to make sense of more assets, more connections, more movement, and more threats — all at once. Business management’s push for a permanent WFH structure makes this an absolute certainty, and there isn’t a security team on the planet that will be able to keep up with the new reality without help. We are currently driving up the AI/ML on-ramp, and we’ll need to get up to speed quickly. This is a wide open opportunity, but somehow, I think that companies like Devo, Google (Chronicle), IBM, Microsoft, SAS, and Splunk will play.
On to serious security training. WFH and coronavirus-related scams mean the days of security awareness training as a “checkbox” exercise are over. Moving forward, I believe security aptitude will be required for most employees with compensation incentives or penalties associated with performance. Business managers will also be accountable for employee education and penalized when their team’s ignorance leads to a security breach. On the supply side, vendors will need to supplement basic compliance training with more thorough course work designed for knowledge workers.
Tighter security and IT operations cooperation. Provisioning secure endpoints, cloud workloads, or network infrastructure will require security to be “baked in” rather than “bolted on.” Additionally, security policy enforcement and monitoring will need to be coordinated all over the place. In the past, security and IT operations teams had different objectives, metrics, and compensation structures. Given all the work ahead, it’s likely that organizations will measure these teams based upon common projects rather than disparate goals. This should be good news for vendors like ExtraHop, Netscout, ServiceNow, and Tanium that have technologies and experience in both areas. Security vendors will need to improve their IT operations chops if they want to keep up.
There are lots of changes and lots to think about. More soon from me as I’m following the impact of COVID-19 closely.
The SOAPA video series has featured a series of prolific industry beacons representing leading security operations technology vendors. That will continue, but I thought I’d shake up the format a bit by inviting my colleague and friend, Dave Gruber, to participate.
Aside from his movie star good looks, I invited Dave to participate because he spent several years at Carbon Black in the EDR market, and EDR has become a primary component of SOAPA. Furthermore, Dave and I are co-covering a burgeoning segment called XDR, which is sort of a vendor-driven turnkey SOAPA offering.
In part 1 of our video, Dave and I chat about:
The role of EDR. Dave talks about how EDR monitors endpoint telemetry and works with SIEM and SOAR to accelerate and automate incident response.
EDR integration. SOAPA is all about integration and interoperability for security operations. Dave says that EDR is often paired with network traffic analysis (NTA), cloud data, email security data, and other sources. Everything rolls up to the SOC for analysis, investigations, and remediation actions.
EDR adoption. Dave tells us about ESG research indicating that EDR is gaining market penetration, especially as part of new endpoint security suites.
EDR vs. MDR. I ask Dave what makes organizations buy and operate EDR as opposed to using a managed detection and response (MDR) solution. Dave explains that EDR has gotten easier and many customers want to “own” security analytics and operations. Nevertheless, MDR is a viable alternative or can be used to augment the security staff’s capacity and skills.
Great stuff! Look for more from Dave and me in part 2 of our SOAPA video soon.
It’s great to be back with the SOAPA video series, albeit in a remote format. Nevertheless, I was excited to interview Hugh Njemanze, CEO of Anomali, a leading threat intelligence platform (TIP). In part 2 of our video, Hugh and I yak about:
The impact of COVID-19. Hugh agrees that the global pandemic has led to a steep increase in cybercrime activity. Anomali researchers are closely following this, curating COVID-19 specific threat intelligence, and sharing it with customers and the general public.
Security operations technology integration. Back to SOAPA, I mention to Hugh that ESG research indicates that 84% of enterprise organizations are active or somewhat active with security operations technology integration. Anomali sees similar trends and is often integrated with security technologies like SIEM, SOAR, and NGFWs, adding the right threat intelligence for security analysis and process automation.
Security operations in the cloud. ESG research says that 58% of organizations prefer to purchase or are willing to purchase cloud-based security operations technologies. That’s fine with cloud-native Anomali. In the early days, Anomali assumed the role of cloud evangelist but Hugh says that SaaS-based TIPs are now mainstream. With the influence of the pandemic, threat intelligence SaaS platforms like Anomali will only gain momentum.
The future of security operations. Hugh believes SOAPA has a bright future, driven by the need for more integration, automation, and analytics. Security operations technologies will get simpler and more powerful.
Many thanks to Hugh and Anomali for participating in the SOAPA video series! Look for more videos soon.
It’s not surprising that IT is getting more complicated. Digital transformation initiatives are proliferating across industries, and building out hybrid and multi-cloud environments is gaining traction. The need for speed is essential—especially when it comes to networking.
With this in mind, Cisco and Google recently announced their joint turnkey networking solution—Cisco SD-WAN Hub with Google Cloud. Google Cloud is providing hybrid and multi-cloud services, connectivity and security solutions, and Cisco SD-WAN solutions are offering single pane-of-glass SD-WAN management and secure connectivity to the cloud, streamlining operations by automating routine tasks.