Yay - another industry review has come out for Endpoint security capabilities. I like diving into these reports, as it covers one area of cybersecurity that I don't have much view into - the competitive landscape and how these products compare. It is always a very interesting read on the competitive state of Endpoint Protection cybersecurity.

If you don't remember what EDR is vs EPP ... here are the blurbs from my Flavors of Security writeup.

  • Endpoint Protection Platform (EPP) = Service deployed on all endpoints for the monitoring and detection of malicious activity.  EPP is about protecting the device itself, not the traffic to and from it. That includes NGAV, to help prevent malware and virus attacks, and may include device mgmt and endpoint detection (EDR) capabilities. Remember, endpoint includes any system on a company's network -- each and every server, storage device, workstation, desktop, printer, laptop, mobile device, IoT device, camera, POS systems, etc.
  • Endpoint Detection & Response (EDR) = Continuous monitoring of endpoint usage to analyze, investigate and respond to advanced threats and broader attacks across many endpoints. Likely integrated with Endpoint Protection (EPP) features. Likely utilizes NTA and UEBA ML/AI algorithms.

Shorter version: EPP is the installed software app protecting the devices, and EDR is the monitoring & management over all those devices, and finding common attack patterns across them. Most of these companies in this space cover both sides of Endpoint Protection, but this report is just about EDR platforms in particular.

The Industry Report

Let's dig into the report:  Forrester Wave report: Enterprise Detection & Response (EDR), Q1 2020

TL;DR: CrowdStrike is the top leader and is highest on "Strongest Strategy". Carbon Black is falling behind [not a surprise, did anyone think VMware was going to kickstart growth again?]. Elastic Security gets some misguided comments. McAfee, Cylance and Palo Alto are a joke at this point.

As a reminder, CrowdStrike was the top leader in Forrester's prior EPP report too (in a much more crowded market): Forrester Wave: Endpoint Security Suites, Q319.

Interesting tidbit in the report's key takeaways, which, you may find, is CrowdStrike's biggest strength:

Security Analytics Is The Key Differentiator:
As the enterprise detection and response (EDR) space continues to evolve, security analytics will dictate which providers will lead the pack. Vendors that can differentiate with superior security analytics position themselves to successfully deliver detection, triage, and response capabilities to their customers.

CrowdStrike (CRWD)

Their overall thoughts:

CrowdStrike continues to lead on strategy and execution. It should come as no surprise that CrowdStrike Falcon is seldom purchased as a standalone product, since the company's adjacent services, such as threat hunting and cyber intelligence, are often the benchmark other client references use when describing capabilities they wish were available in their selected products. CrowdStrike has accomplished this by building service offerings designed to collect and enrich threat intelligence and feeding it back into their product and OverWatch service to ensure they're detecting even the most bleeding-edge attacks.

While clients rave about the detection capabilities CrowdStrike offers, it's not uncommon to hear from references and prospective customers that the macOS and Linux capabilities aren't quite on par. This is likely a state-of-the-market issue, as when clients leave, it's because something else was comparable and cheaper, as opposed to hearing the product has fallen behind competitors. Customers buy an EDR solution for its detection capabilities, and there simply are no other vendors in the space that have an intelligence organization of CrowdStrike's scale to enable the development and services to deliver that capability. Enterprises looking for strong detection capabilities, backed by threat intelligence and services, should consider CrowdStrike.

Clearly Forrester considers them #1 in the market, with the best security analytics capabilities, which is the most important feature overall in Forrester's eyes. This is exactly what I was raving about in my Flavors of Security writeup for CrowdStrike -- their cloud-native approach changed the entire strategy for analytics over cybersecurity, by "crowdsourcing" the detection of threats over ALL customers' data at once, spotting trends and isolating coordinated attacks.

My take on their scores:

  • 3rd in "Current Offering". I don't worry about that. It was mostly due to lower scores in "Supported Systems" (some have had issues on Mac and Linux systems) & in the rather nebulous "Extended Capabilities" -- which we can see in their numbers isn't costing them any momentum in execution. Top competitor Microsoft in 2nd place is barely higher, but CrowdStrike wins overall on strategy; 1st was small upstart Cybereason, but Forrester found their strategy lacking (and complained a bit about their UI, saying it was better suited for non-technical mgrs).
  • One "Current Offering" score that I want to see CrowdStrike get better at was "Response capabilities", where they only scored 3.0. Many competitors (Bitdefender, Cybereason, and Microsoft) all got 5.0s. So their 3.0 score stands out as quite low for a company that has such a wealth of knowledge and talent in their extensive on-demand Incident Response services a customer can engage. Automation of response handling seems like the sticking point, so it is an area they need to improve. (Something they can likely solve by improving API capabilities and building more integrations with response tools.)
  • Highest in "Strategy" scoring. Officially they tied with SentinelOne, but the only low score for them was in "Planned Enhancements", so Forrester feels they aren't signaling their upcoming features enough. One might say it might not be a negative if they are keeping their cards close to their chest in a highly competitive market... so I completely discount that and consider CrowdStrike the clear #1 in strategy & innovation.
  • Highest in "Market Presence" along w/ Microsoft. Yeah - we knew that. One does not grow customers 116% YoY and revenue 89% YoY on pipe dreams. Customers are likely ramping up heavily from here, too, in the "everyone is remote" world we live in currently.

All in all - an extremely impressive showing by CrowdStrike - and even more impressive that they are now TOP LEADER on both of the latest EPP and EDR reports from Forrester. Forrester is not alone in ranking them #1 -- the Gartner EPP Magic Quadrant had CrowdStrike and Microsoft as top leaders back in Aug 2019 too.

Elastic (ESTC) Security

Their overall thoughts:

Elastic is poised to disrupt this market if their commercial model doesn't kill them. The acquisition of Endgame by Elastic was exciting from a technology perspective due to the combination of an EDR with a security analytics platform. Unfortunately, by shifting its licensing to the much-maligned consumption model common in the enterprise SIM space, Elastic is creating downward pressure on adoption instead of encouraging people to broadly deploy its EDR solution. Endpoint products are long-term investments due to the difficulty of ripping and replacing them. This licensing model makes it difficult for enterprise buyers to buy into this licensing model and have a predictable budget.

Elastic is what happens when you get a bunch of hackers in a room together: You get good vision, what gets built is really interesting, but the total package feels less like a single product and more like a collection of really cool proof of concepts. Clients are extremely positive about the solution's detection capabilities, with configurability of what's being collected a frequently cited benefit. Elastic has a good solution for enterprises looking for mature endpoint capabilities with a strong vision for the future, if you can stomach the consumption model.

I DO NOT AGREE WITH THAT FIRST ENTIRE PARAGRAPH AT ALL. I do not understand their negative take on Elastic's pricing model. If you recall my Flavors of Security writeup on them, I found the pricing for Elastic Security to be a huge selling point for using it. Compared to the per-device pricing of every other EPP/EDR provider, it could provide HUGE cost savings for companies which maintain their own infrastructure and have a high number of devices to maintain -- and even more so if they were already using Elastic Stack or Elastic Cloud for monitoring or SIEM.

I think Forrester has bungled up their thought process here a bit, and has their views on pricing completely backwards. They are really hung up on consumption in particular, like it is a bad thing.

Their first mistake is that they are intermingling Elastic Cloud costs (consumption-based) with the costs for using Endpoint Security in particular (which requires you to use Elastic Cloud, or to have an "Enterprise" license for self-hosted clusters). Elastic Cloud is the part with consumption-based charges, not the Endpoint Security portion of that. And if you are maintaining your own Elastic Stack cluster, your license pricing is PER NODE of Elastic Stack nodes used in the cluster, not consumption-based -- which amounts to a fixed price for the entire cluster.

They are conflating the fact that Elastic Cloud likely drives a lot of Elastic Security deployments, translating into "it's the same thing" (by ignoring all the Enterprise license customers) so ipso-facto wham-bam, Endpoint Security is priced on consumption. Nope.

And, problem two -- even after conflating them as the same thing... they are getting really hung up on consumption. With a base overhead to maintain Elastic plus the consumption-based pricing, Elastic will be a really attractive option in many scenarios. Consumption-based pricing is going to eventually beat out per-device pricing SOMEWHERE on the cost curve as the number of devices managed grows. For a smaller pool of devices, the overhead of maintaining Elastic will not be worth it (if you were not already using Elastic). But let's jump to the other extreme - what about hundreds of thousands of devices being managed? Per-device costs would be astronomical at $16-19 per device for CrowdStrike's upper packages. Elastic's "overhead+consumption" price would absolutely be significantly less.

At some point the cost curve has to cross between these pricing models. But, alas, price isn't the only factor. As I have said many a time, I still see the big problem with Elastic's EDR solution being that their stack keeps the customer as their own island of data. They certainly have strong analytics capabilities within Elastic Stack - but THE DATA being analyzed will never be as good as that of "crowdsourced" cloud providers like CrowdStrike, which are analyzing over EVERY customer at once instead of just ONE. But, sure, at some point, the cost savings have to make "good enough analytics" enough for the especially cost-conscious customers that don't want to pay $16-19 per device, especially since Elastic's solution at a high number of devices could easily bring that under a dollar.

For all their bluster on the pricing model, their later point about it seeming like a group of products rather than a cohesive whole stings a bit. You cannot ignore the fact this was bolted on by acquiring a flailing EPP provider. However, they paired it with the extremely high-value use case of Elastic Stack as a SIEM tool for security & network monitoring, so this platform does have value. Ultimately, I think they can compete a LOT on price, especially for larger device pools and DIY tech companies. But know that it will always have inferior analytics due to being an "island" (running on a much smaller data set than the crowdsourced one, only looking over a single company's network of devices, not the 'big picture' across the globe).

-muji