Archive for February, 2007

27
Feb

Tripwire 2007 Coming!

The following is the invitation to Tripwire 2007:

Tripwire was on fire during 2006 and thanks to our valued partners, we had a tremendous year. We cordially invite you to join us via WebEx for a briefing with Rob Warmack, Tripwire’s Vice President of Product Marketing and Communications, for Tripwire 2007 - Taking us Higher!

Topic: Tripwire 2007
Date: Wednesday, February 28, 2007
Time: 5:00 pm, Pacific Standard Time (GMT -08:00, San Jose) 12:00 Noon Sydney, 9:00 am Hong Kong & Singapore

To attend this web seminar, you must first register for it. Once you have registered, you will receive an email message confirming your enrollment status and information that you need to join the event.

Click the following link to see more information about the event and to register: https://tripwire.webex.com/tripwire/onstage/g.php?d=441792254&t=a

Best Regards,
Team Tripwire

13
Feb

Technology Vendor Glance

BSM/ITSM
IBM Tivoli / Netcool (Micromuse) / Maximo (MRO)
HP / Mercury Interactive
CA
EMC/SMARTS / nLayers
Managed Objects
PerformanceIT
Proactive Net
BMC
Magnum
Indicative
ProcessWorx
Axios Systems
Proxima Technology (acquired by Compuware)
Netuitive

BAM
Systar
Celequest (acquired by Cognos)
Digital Fuel

BPM / BPM 2.0
Intalio
Pega

Dashboards
iDashboards
Mirror42
Corda
Dundas

Transaction Assurance/Monitoring
OpTier

Service Desk
BMC/Remedy
Axio
FrontRange
MRO Software (acquired by IBM Tivoli)

Change / Configuration Governance
Serena
Cirba
Tideway
Voyance
Alterpoint
Opsware
Cendura (acquired by CA, 9/2006)
Troux
Solidcore

Service Catalog
NewScale
Centrata

IT Process Automation (ITPA)
RealOps
Opalis
Cassatt
IConclude
Uplogix
NetworkAutomation

Analytics / Datawarehouse / BI
Netezza

Logfile Processing, Storage, Analytics, Monitoring
LogLogic
Log Rhythm

Wireless Service Assurance
Vallent (acquired by IBM Tivoli)
Mycom
Aircom

Integration, Instrumentation, Data Sharing
RSSBus

Open Source Software
ZenOSS

Software as a Service (SaaS)
Klir

NSM/ESM
Heroix

11
Feb

Controlling Change with Tripwire Enterprise 6.0

Different IT organizations have different approaches to controlling change across their IT infrastructure. Through enhanced detection, reconciliation and reporting, Tripwire 6.0 enables change control regardless of the approach to change management. Tripwire Enterprise delivers immediate value and ensures that:

  • All change is VISIBLE
  • All change is PLANNED
  • Actual changes are VERIFIED
  • Change Management is INTEGRATED

All Change is VISIBLE:
Tripwire Enterprise 6.0 expands its breadth to ensure all change across the IT infrastructure is VISIBLE. Tripwire delivers immediate value for customers whose approach to change management is to informally define and enforce change policies. Tripwire…

  • Captures independent detailed audit trails of all changes
  • Maintains baselines to ensure trusted system states
  • Compares similar systems to ensure configuration consistency
  • Provides metrics on change activity

Customers benefit by…

  1. Faster recovery from outages by pinpointing exactly what changed
  2. Ensuring accountability and eliminating the “deniability factor”
  3. A foundation for building stronger controls

All Change is PLANNED:
Tripwire Enterprise 6.0 introduces automated reconciliation policies that use multiple acceptance criteria and conditional change actions to ensure that all change is PLANNED. Tripwire delivers immediate value for those customers whose approach is to authorize change based on who made the change and/or when the change was made (e.g. authorized person during a change window).

In addition to providing VISIBILITY, Tripwire…

  • Discovers changes by unauthorized users
  • Discovers changes made outside of maintenance windows
  • Alerts management to change policy exceptions

Customers benefit by…

  • Reduced outages and costs caused by unplanned change
  • Ability to quickly detect and respond to process circumventions
  • Increased change process diligence with minimal disruption to operations

Actual Changes are VERIFIED:
Tripwire Enterprise 6.0’s automated reconciliation also includes categorization of changes, systems and change types with custom properties and change actions to ensure that actual changes are VERIFIED. Tripwire delivers immediate value for those customers whose approach is to document, test and approve changes before they are applied. Once authorized changes are verified using conditional change actions, Tripwire automatically sets custom properties to identify why those changes were authorized (i.e. approved change ticket). Unauthorized changes discovered are then reported to IT management.

Tripwire ensures change is VISIBLE and PLANNED, plus…

  • Discovers changes that don’t match expected results
  • Discovers changes that aren’t associated to change tickets
  • Provides management with actionable change activity information

Customers benefit by…

  • Significantly reduced unplanned work and its associated impacts
  • Fewer outages and faster recovery times
  • Greater predictability in delivering new and reliable services

Change Control is INTEGRATED:
Tripwire Enterprise 6.0 enhances the SOAP API and the Command Line Interface to ensure that change management is INTEGRATED. Tripwire delivers immediate value for those customers whose approach to change management is to leverage ITSM tools (change, configuration, release management).

Tripwire ensures change is VISIBLE, PLANNED and VERIFIED, plus…

  • Automatically reconciles changes with data from other ITSM tools
  • Automatically triggers investigation of unauthorized changes

Customers benefit by…

  • Enabling an automated, closed-loop change management system
  • Sustained compliance and IT governance
  • Continuous improvement
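
The reconciliation checks this post describes (authorized user, change window, approved ticket, expected result), sketched as an added example. It is not Tripwire's code or API; the record layout, user names, window, ticket ID and hashes are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import Optional


@dataclass(frozen=True)
class Change:
    """One detected change (constructed record layout, not Tripwire's)."""
    path: str
    user: str
    when: datetime
    new_hash: str
    ticket: Optional[str] = None


# Constructed policy data: who may change, when, and what each ticket approved.
AUTHORIZED_USERS = {"deploy", "dba_ops"}
WINDOW_START = datetime(2007, 2, 10, 22, 0)
WINDOW_END = datetime(2007, 2, 11, 2, 0)
APPROVED = {"CHG-1001": {"/etc/httpd/conf/httpd.conf": "a1f3"}}


def reconcile(change):
    """Return the policy exceptions for one change.

    An empty list means the change was made by an authorized user, inside
    the window, under an approved ticket, with the expected result.
    """
    exceptions = []
    if change.user not in AUTHORIZED_USERS:
        exceptions.append("unauthorized user")
    if not (WINDOW_START <= change.when <= WINDOW_END):
        exceptions.append("outside change window")
    expected = APPROVED.get(change.ticket or "", {})
    if not expected:
        exceptions.append("no approved ticket")
    elif expected.get(change.path) != change.new_hash:
        # Ticket exists, but this path or its resulting content was not approved.
        exceptions.append("does not match expected result")
    return exceptions


def report(changes):
    """List (path, exceptions) for every change that violates policy."""
    return [(c.path, e) for c in changes if (e := reconcile(c))]


# Constructed sample of detected changes.
DETECTED = [
    Change("/etc/httpd/conf/httpd.conf", "deploy",
           datetime(2007, 2, 10, 23, 15), "a1f3", "CHG-1001"),
    Change("/etc/passwd", "jsmith", datetime(2007, 2, 10, 14, 5), "9c2e"),
    Change("/etc/httpd/conf/httpd.conf", "deploy",
           datetime(2007, 2, 11, 1, 30), "77b0", "CHG-1001"),
]

if __name__ == "__main__":
    for path, exceptions in report(DETECTED):
        print(path, "->", ", ".join(exceptions))
```
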

10
Feb

About the CMF market

Source: Gartner RAS Core Research Note G00137641

Content monitoring and filtering products help organizations address the problem of sensitive data crossing the enterprise network boundary over multiple channels and protocols. New vendors will enter the market, and existing vendors will consolidate or be acquired by established security vendors.

Content monitoring and filtering (CMF) is a relatively new market for detecting and preventing information leaks. While still adolescent, tools provide immediate value in protecting corporate intellectual assets and customer privacy. Customers can feel confident that existing tools, even from small vendors, do limit information loss; however, customers should expect significant market turmoil during the next two years as new vendors continue to enter the market and existing vendors consolidate or are acquired by established security vendors.

Market Overview
CMF is an adolescent market, and a small one, grossing $20 million to $25 million in 2005. The market is forecast to grow to $40 million to $60 million in 2006 because of increased customer demand. The market has been around since 2001, but most vendors are less than 2 years old. We expect significant activity during the next few years as some vendors shut down, are acquired or join with others. At least one large security vendor will acquire a CMF pure-play vendor by year-end 2006 (0.8 probability). CMF features are found in other products, such as e-mail security solutions, instant messaging, or endpoint monitoring solutions that are not stand-alone CMF products.

Pure-play network CMF tools are the best and most-comprehensive solutions for detecting information loss because they cover managed and unmanaged systems across the widest range of network protocols. These products can monitor multiple channels for specific inbound and outbound content based on rules or signatures. Host-based offerings are more difficult to manage, have much more primitive detection techniques and fail to protect unmanaged systems. Increasingly, single-channel filters, dedicated to just e-mail or instant messaging (IM), are expanding into the multiple-channel market through partnership and acquisition, but they still usually lack the broadness of coverage and centralized management and reporting of a pure-play network CMF product.

Companies that offer host solutions include Oakley Networks, Verdasys and Orchestria (which has a combined host-network model but was excluded from this Magic Quadrant because the host is mandatory). Single-channel vendors include IMlogic (acquired by Symantec), Akonix Systems (IM), FaceTime Communications (IM/P2P [peer to peer]), CipherTrust (e-mail, moving into the CMF market this year), IronPort Systems (e-mail), Tumbleweed Communications (e-mail), and Clearswift (separate e-mail and HTTP products).

[Figure 1. Magic Quadrant for Content Monitoring and Filtering, 2006. Axes: completeness of vision, ability to execute. Quadrants: challengers, leaders, niche players, visionaries. As of October 2005. Vendors shown: Vontu, Tablus, Vericept, Proofpoint, PortAuthority Technologies, Reconnex, Intrusion, Fidelis Security Systems, Palisade Systems. Source: Gartner]

The Magic Quadrant is copyrighted October 2005 by Gartner, Inc. and is reused with permission. The Magic Quadrant is a graphical representation of a marketplace at and for a specific time period. It depicts Gartner’s analysis of how certain vendors measure against criteria for that marketplace, as defined by Gartner. Gartner does not endorse any vendor, product or service depicted in the Magic Quadrant, and does not advise technology users to select only those vendors placed in the “Leaders” quadrant. The Magic Quadrant is intended solely as a research tool, and is not meant to be a specific guide to action. Gartner disclaims all warranties, express or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.

© 2006 Gartner, Inc. and/or its Affiliates. All rights reserved. Reproduction of this publication in any form without prior written permission is forbidden. The information contained herein has been obtained from sources believed to be reliable. Gartner disclaims all warranties as to the accuracy, completeness or adequacy of such information. Gartner shall have no liability for errors, omissions or inadequacies in the information contained herein or for interpretations thereof. The reader assumes sole responsibility for the selection of these materials to achieve its intended results. The opinions expressed herein are subject to change without notice.

The CMF market is following a predictable evolution that consists of four stages:
1. Monitoring e-mail using basic keyword matching or regular expressions
2. Monitoring multiple channels – typically IM, FTP, HTTP or generic TCP/IP – using more-advanced detection techniques (the present state of the market). Early filtering appears, typically first for e-mail, then HTTP and then other protocols.
3. Analysis of static, stored sensitive data – Integration with document management systems, and basic endpoint agents without true content-analysis capabilities.
4. Successful blocking of all channels on the network and hosts from which data can be stolen. This would include host-based agents that can stop someone from downloading sensitive data – for example, through a Universal Serial Bus (USB) drive – and printing it and walking out the door.

Steps 1 and 2 involve devices that sit at the edge of the network, while Step 3 includes deeper integration with internal traffic. Step 4, where this technology is headed, involves agents that can sit on a local host and allow, for example, a file with personal photos to be transferred to a USB, but not a customer list. Step 4 also includes much-deeper integration with internal infrastructure, applications and servers for more monitoring of internal traffic. However, the industry is still some distance from that goal. Host-based integration with CMF will increase in 2006, with much broader deployment and capabilities in 2007, but host-only solutions are not expected to succeed as CMF tools because of enterprise restrictions on the number of desktop tools and weak content-analysis capabilities.

Market Definition/Description
Gartner defines CMF products as those that, as a core function, perform deep packet inspection on inbound and outbound network communications traffic, track sessions, and perform linguistic analysis to detect and/or block specific content based on rules or policies. CMF products must monitor, at a minimum, e-mail traffic and at least one other channel, such as IM, FTP or HTTP. Linguistic analysis must involve more than keyword matching (for example, the product must use advanced regular expressions, perform document fingerprinting or Bayesian analysis, or be capable of machine learning). CMF depends on linguistic or statistical analysis, or other pattern matching techniques, to identify content, track activity and potentially stop the content/transmission from being moved.
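
Why the definition asks for more than keyword matching, shown as an added example that is not from the Gartner note or any vendor product: a keyword rule beside a simple document fingerprint built from hashed word shingles. The shingle size, threshold, keyword list and sample texts are constructed assumptions.

```python
import hashlib
import re


def shingles(text, k=4):
    """Fingerprint a text as the set of hashes of its k-word shingles."""
    words = re.findall(r"[a-z0-9]+", text.lower())
    return {
        hashlib.sha256(" ".join(words[i:i + k]).encode()).hexdigest()[:16]
        for i in range(max(len(words) - k + 1, 0))
    }


def keyword_hit(message, keywords):
    """Stage-1 style rule: flag if any keyword appears in the message."""
    lowered = message.lower()
    return any(word in lowered for word in keywords)


def fingerprint_hit(message, protected_fp, threshold=0.3, k=4):
    """Flag when enough of the protected document's shingles reappear."""
    if not protected_fp:
        return False
    overlap = len(shingles(message, k) & protected_fp) / len(protected_fp)
    return overlap >= threshold


# Constructed sample data.
KEYWORDS = ["confidential", "customer list"]
PROTECTED = ("Q3 customer list: Acme Corp renewal at 40 percent discount, "
             "Globex contract expires in March, Initech is evaluating a "
             "competitor and needs an executive call.")
PROTECTED_FP = shingles(PROTECTED)

# Outbound message that copies protected content without any keyword.
LEAK = ("fyi - Acme Corp renewal at 40 percent discount, Globex contract "
        "expires in March, Initech is evaluating a competitor")
# Harmless message that happens to contain a keyword.
BENIGN = ("Please send me the customer list template for the marketing "
          "newsletter signup form.")


def classify(message):
    """Return (keyword rule result, fingerprint rule result)."""
    return (keyword_hit(message, KEYWORDS),
            fingerprint_hit(message, PROTECTED_FP))


if __name__ == "__main__":
    print("leak  :", classify(LEAK))
    print("benign:", classify(BENIGN))
```

The keyword rule misses the copied content and flags the harmless message; the fingerprint does the opposite on both.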

Many security managers believe that the value of CMF lies in protecting intellectual property and other valuable enterprise data, especially nonpublic private information, from theft. However, we feel this is really a secondary consideration: The true value of CMF lies in helping management to identify and correct faulty business processes and accidental disclosures. In other words, CMF is better at helping you to identify bad practices that put your data at risk, rather than preventing malicious individuals from stealing your data. Product features should be evaluated with this in mind. Within two years, the technology will evolve to deal more directly with the problem of malicious attacks. At its present state of development, CMF will stop only the most basic of malicious activities, but better attack protection is expected by year-end 2007.

Completeness of Vision
The first CMF products appeared five years ago, but the market rapidly entered the mainstream during the past two years, and Gartner estimates overall market revenue grew more in 2005 than in all prior years combined. As a highly competitive new market, preference is given to vendors with the strongest product strategy, deepest market understanding, and best ability to innovate and differentiate. Vendors with the most complete product vision, and demonstrated ability to follow that vision, rate more highly than those distracted by niche markets, “chasing the hype,” or a flawed vision. While Ability to Execute is weighted toward current product features, Completeness of Vision is weighted toward product strategy for the future, market understanding, and a vendor’s track record of innovation. Because Gartner expects more-established security vendors to enter and dominate the market through acquisition, more emphasis is placed on the products rather than the marketing, sales or vertical strategies.

Table 1. Ability to Execute Evaluation Criteria (Source: Gartner)
Evaluation Criteria: Weighting
Product/Service: high
Overall Viability (Business Unit, Financial, Strategy, Organization): high
Sales Execution/Pricing: low
Market Responsiveness and Track Record: standard
Marketing Execution: standard
Customer Experience: high
Operations: standard

Product vision should show a strong understanding of the business problem driving CMF – the protection of corporate intellectual assets and nonpublic information. Emphasis should be placed on detecting and preventing information loss across all enterprise assets, not just solving a specific technical problem or performing traditional network forensics.

Leaders
The CMF Magic Quadrant is new and has only one entry in the Leaders quadrant – Vontu – and its ranking is based primarily on scalability and execution in the marketplace. Vontu offers one of the most comprehensive feature sets and rates well in performance, manageability and accuracy according to vendor-provided and independent references. But this is a maturing space, and the expectations for leaders will rise as more enterprises implement these tools. Customers will be looking for more leaders with enterprise scalability, channel coverage and blocking across all channels. Expect more vendors to reach the Leaders quadrant by supporting enhanced workflow, encryption, discovery and host-based capabilities. To maintain the leader’s position, Vontu will need to continue a high pace of innovation, significantly expand sales, and grow its sales and technical partnerships. Some features offered through technical partnership will need to be incorporated into the base product to simplify deployments and pricing. Many competitors have released or announced competitive features since the evaluation cutoff date of 1 November, and we expect more offerings to join Vontu in the Leaders space during the next update of this Magic Quadrant.

Challengers
Proofpoint is the only challenger. Proofpoint’s ability to execute is enhanced by its experience in the secure e-mail boundary (SEB) market and overlap in the CMF segment with its core technology. We expect more challengers from the SEB market to appear during the next year as the CMF market grows. Challengers from the SEB area will need to enhance their multiprotocol offerings to be competitive. Proofpoint’s vision is inhibited somewhat by its e-mail roots. It leads other SEB vendors wanting to enter the market but offers little innovation or leadership to the CMF market itself.

10
Feb

Virtualization creates the potential for more secure servers in a hosted environment, but it might all be an illusion

There’s a good argument to make, and some experts make it, that virtualization is one of those technologies that’s making a cyclical comeback. The whole VM thing, after all, was invented by IBM guys in the ’60s, right?

My instincts are sympathetic to this argument: VMs were invented for an era when hardware was really, really expensive, and it made sense to make maximum utilization of it. But hardware is dirt cheap these days, and having n smaller physical boxes rather than one BHS (Big Honking Server) emulating n brings a certain amount of robustness through redundancy. I could argue it both ways, especially when it comes to manageability.

But security is one area where virtualization creates interesting new potential, at least in the short term. It has already created new services for some providers to sell, largely centered around security considerations.

I speak of hosted servers, which generally are Web servers. There have always been two very general categories of hosted servers: shared and dedicated (yeah, it’s more complicated than that, but I think I’m covering the big picture). Shared servers are cheap, as little as a few dollars a month. A hosting service can run thousands of Web sites on a single Apache/Linux box and certainly hundreds of them on a Windows Server 2003 system.

These shared servers are not virtualized; they are running one Web server program that handles many Web sites. The server software is designed to isolate the Web sites and the applications that run on them from each other, but it’s far from a perfect system.

Compromise the server and you’ve very likely compromised all of the Web sites on it.

10
Feb

Well, here is the hill of Justin

Today, I am very happy to have the account on Blogger.com. It’s a milestone for me to have a hill of my ideas, insights and thinking, to share insight on the biz in the China software area and relevant things of interest to the guys in the same camp.
Additionally, thanks to Shirley; without her, I couldn’t have enough time to leave the words here.