
World Patch Management Products Market

N521-74 January 2009


Disclaimer

• Frost & Sullivan takes no responsibility for the incorrect information supplied to us by manufacturers or users.

• Quantitative market information is based primarily on interviews and therefore, is subject to fluctuation.

• Frost & Sullivan Research Services are limited publications containing valuable market information provided to a select group of customers in response to orders. Our customers acknowledge, when ordering, that Frost & Sullivan Research Services are for customers’ internal use and not for general publication or disclosure to third parties.

• No part of this Research Service may be given, lent, resold or disclosed to non-customers without written permission.

• Furthermore, no part may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, electronic, mechanical, photocopying, recording or otherwise, without the permission of the publisher.

• For information regarding permission, write to:

Frost & Sullivan

2400 Geng Road, Suite 201 Palo Alto, CA 94303-3331 United States

© 2009 Frost & Sullivan. All rights reserved. This document contains highly confidential information and is the sole property of Frost & Sullivan. No part of it may be circulated, quoted, copied or otherwise reproduced without the written approval of Frost & Sullivan.


Certification

• We hereby certify that the views expressed in this research service accurately reflect our views based on primary and secondary research with industry participants, industry experts, end users, regulatory organisations, financial and investment community, and other related sources.

• In addition to the above, our robust in-house forecast & benchmarking models along with the Frost & Sullivan Decision Support Databases have been instrumental in the completion and publishing of this research service.

• We also certify that no part of our analyst compensation was, is or will be, directly or indirectly, related to the

Table of Contents

Executive Summary
Introduction
Market Dynamics
Market Forecast
Summary of Major Findings
Strategic Analysis of the World Patch Management Products Market
Market Overview
Market Summary
Market Definitions
Market Engineering Analysis
Industry Challenges
Market Drivers
Market Restraints
Legal Trends
Technology Trends
Distribution Channels & Partnership Trends
Market Trends & Forecasts
World Market Forecasts
Regional Market Forecasts
Vertical Market Forecasts
Competitive Analysis
Market Share Analysis
Competitive Landscape
Market Leader
Market Challengers
Market Contenders
Market Specialists
Database of Key Industry Participants
Strategic Recommendations
Strategic Recommendations

Introduction

Patch Management

Patching is a critical task in terms of both network security and IT operations. Software vendors are constantly releasing a wide array of software updates and fixes to correct security flaws or improve functionality. The number of security vulnerabilities reported has been at an overwhelming level and continues to rise year-over-year. The following chart shows the number of vulnerabilities reported by quarter from 2004 to 2008.

The patching process has been well documented to include the tasks of acquiring, testing, and installing multiple patches on IT systems. Considering the number of unique systems in an organization and the number of available patches, it becomes clear that medium to large enterprises can incur steep labor costs to maintain these systems. The risk associated with neglecting this task and allowing the successful exploitation of a security vulnerability is far more costly.

The value that patch management products provide has long been acknowledged, leading to steady and healthy growth. As an established necessity, the patch management market has reached a maturity stage that ensures stability at the expense of high growth rates.

[Chart: Patch Management Products Market: Vulnerability Reports by Quarter (World), 2004-2008. Y-axis: Number of Vulnerabilities; X-axis: quarters from 1-2004 to 2-2008.]


Market Dynamics

Key Market Drivers and Restraints

The key market drivers for the patch management market are:

• Government and industry regulations specifically require a patch management solution

• Restricted security budgets favor more established technologies

• Manual patching is labor intensive for large organizations with hundreds of systems

• Increasingly mobile and remote workforce creates security issues

• Repetitive nature of patching requires an automated product

• The memory of successful, high profile attacks

• Necessity to enforce policy with technology

The key market restraints for the patch management market are:

• The trend towards consolidation funnels revenues into other product categories

• Bear market makes investors more cautious about financial ventures

• The maturity of this market makes it less appealing for new entrants

• Focus on regulatory compliance can create a false sense of security

• Mature markets are less funded for research and development efforts


Market Forecast

Patch Management Products Market: Revenue Forecasts (World), 2005-2015

[Chart: Revenues ($ Million) and Growth Rate (%) by year, 2005-2015.]

Summary of Major Findings

Key Highlights

• The patch management market generated revenues of $159.8 million in 2008. This is an increase of 9.8 percent from 2007, a healthy growth rate in a bear world market.

• The patch management market will grow to $261.1 million by 2015. The calculated annual growth rate of 7.3 percent over this period indicates that this market is in a period of reduced growth associated with the market stage and pressure from the worldwide recession.

• The importance of system patching has not diminished and will remain a key staple of many security product lines. However, numerous vendors are combining this functionality with more comprehensive product lines. Thus, while the revenue growth does not seem high in comparison to other technologies, this revenue is simply being transferred to other markets.

• Customers are increasingly less interested in point solutions and are turning to more integrated, broad-scope solutions. As a result, distribution channels are critical for point solution providers.

• Patch management vendors must compete on features, accuracy and breadth of coverage, rather than on price.

• Market revenues are decreased by vulnerability management and security configuration

Strategic Analysis of the World Patch Management Products Market

Market Summary

Key Highlights

• The importance of system patching has not decreased and will remain a key staple of many security product lines. However, an increasing number of security vendors are integrating this functionality into more comprehensive product lines. Vulnerability management and security configuration management vendors that provide patching abilities but do not price it separately also contribute to this effect. Thus, while the revenue growth does not seem high in comparison to other technologies, this revenue is simply being transferred to other markets.

• The patch management products market is in the late growth stage and faces many economic challenges. The market is highly fragmented but the trend of consolidation and economic struggles foreshadow a market shakeout, which would push the market further towards maturity.

• Due to the trend of cross-product integration and the shift towards broad-scope products, channel sales to value-added resellers and diversified security companies will become the primary source of revenues.

• There is still a high degree of competition and patch management vendors have continued to improve their products with value-adding features.

• While the cost of basic patch management products has steadily been falling, the migration


Market Definitions

Products Defined

• Patch management is the process of acquiring software changes (patches) and applying these patches to systems.

• These products must be capable of maintaining knowledge of available patches, deciding the necessary patches for a particular system, ensuring the patches are effective, testing systems, and documenting this process.

• Patch management products aid in this process as much as possible and may automate certain functions.

• This market study will include vendors with patch management products. In accordance with the above definition, only revenues generated directly from the sale of patch management products are counted in the market size and forecasts.

• Revenues from related products such as vulnerability management or configuration solutions are not included as Frost & Sullivan covers these markets in other market studies.

• In order to avoid double counting, Frost & Sullivan will only be counting revenues derived from the primary sale of patch management products through direct channels or to channel partners. Revenues from VARs and other distribution channels will not be included.

• The following chart illustrates how patch management fits into the world security and

Security and Vulnerability Management Market: Market Segmentation (World), 2008

Security and Vulnerability Management:

• Configuration & Compliance Management

• Patching & Remediation

• Vulnerability Assessment

• Application Security

• IT Security Risk Management

• Security Information & Event Management


Geography Defined

Forecasts are for the world market, which has been defined as the following:

• North America: United States and Canada

• EMEA: Europe, Africa and countries in the Middle East

• Asia Pacific: Countries in East and Southeast Asia such as Japan, Hong Kong and India. This region also includes countries in the Oceania region such as Australia.

• Rest-of-World: Latin America, South America, Russia and others not mentioned above

Vertical Markets Defined

Forecasts include revenues generated by the following market segments:

• Financial

• Government

• Healthcare

• Technology & Telecommunications

• Retail

• Education

• Others


Market Engineering Analysis

Patch Management Products Market: Market Engineering Measurements (World), 2008

| Measurement Name | Measurement | Trend |
|---|---|---|
| Market stage | Late growth stage | Increasing |
| Revenues (2008) | $159.8 million | Increasing |
| Potential Revenues (2015) | $261.1 million | Stable |
| Base year market growth rate (2008) | 8.8% | Decreasing |
| Forecast period market growth rate (CAGR) | 7.3% | Stable |
| Competitors (active market competitors in base year) | 32 | Decreasing |
| Market concentration (percent of base year market controlled by top five competitors) | 40.9% | Increasing |
| Price sensitivity | High | Stable |
| Average base price | $1,200 | Decreasing |
| Price range | $1,200 - $10,000 | Increasing |


Industry Challenges

Patch Management Products Market: Industry Challenges Ranked in Order of Impact (World), 2009-2015

| Rank | Challenge | 1 - 2 Years | 3 - 4 Years | 5 - 7 Years |
|---|---|---|---|---|
| 1 | Building strong channel and reseller relationships | High | High | Medium |
| 2 | The ability to provide a solution rather than a point product | High | Medium | Medium |
| 3 | Increasing integration with security technologies | Medium | Medium | High |
| 4 | Align reporting to vertical or regulatory specific requirements | Low | Medium | Medium/High |
| 5 | Lowering production costs to achieve lower price points | Low | Medium | Medium |


Key Factors

• The patch management industry faces cannibalization effects from other related security markets. Patch management functionality is also being integrated into IT operations management products. The defense against this trend is a strong network of resellers and distributors. Point solution vendors must begin building these relationships now.

• The ability to provide a more complete, end-to-end solution has been a key competitive factor across the security industry. Large software vendors have been integrating related technologies and will look to acquire or partner with point patch management vendors.

• Products that integrate well with other products are favored by customers that must maintain a wide array of network security technologies.

• Patching is a necessary evil for customers across all vertical markets, however, many products offer a uniform reporting feature. Providing vertical or regulatory specific reporting features can increase penetration in a particular market. Vendors may use this advantage to carve out a niche market opportunity.

• In a mature market, price is the key competitive factor. This is not yet a huge factor, but


Market Drivers

Patch Management Products Market: Market Drivers Ranked in Order of Impact (World), 2009-2015

| Rank | Driver | 1 - 2 Years | 3 - 4 Years | 5 - 7 Years |
|---|---|---|---|---|
| 1 | Government and industry regulations specifically require a patch management solution | High | High | Medium |
| 2 | Restricted security budgets favor more established technologies | High | Medium | Low |
| 3 | Manual patching is labor intensive for large organizations with hundreds of systems | Medium/High | High | High |
| 4 | Increasingly mobile and remote workforce creates security issues | Medium | Medium/High | High |
| 5 | Repetitive nature of patching requires an automated product | Medium | Medium | High |
| 6 | The memory of successful, high profile attacks | Medium/Low | Medium | Medium |
| 7 | Necessity of enforcing policy with technology | Low | Medium | Medium |


Key Factors

• Government and industry regulations require significant investments in network security technologies. Certain regulations specifically require patch management solutions.

• The patch management market is maturing and as a technology, it is well established. In times of economic recession, new and cutting edge products are shunned for the basic and reliable products.

• There are thousands of vulnerabilities reported each year. Medium to large enterprises have up to thousands of systems that require patching. This becomes a huge, complex job for IT staff.

• The increasingly remote workforce presents a number of security problems. In addition, modern enterprise networks are porous, and must accommodate laptops, mobile handheld devices, and contractors/guests. This further complicates the management of these systems, adding incentive for companies to invest in a patch management solution.

• The repetitive nature of patching further highlights the need for an automated solution. From Microsoft Patch Tuesdays to random patches released by third-party software vendors, the task of patching multiple systems on a regular basis makes a strong case for a patch product.

• The memory of successful, high profile attacks such as the TJX Corporation security breach still lives strong in the minds of CEOs and Directors. This effect is dissipating; however, another major security exploit will strengthen growth rates in the patch management market.

• Human nature requires companies to enforce policy with technology. The task of system patching is repetitive and unrewarding; therefore, it is necessary to have an automated yet customizable solution for patching.


Market Restraints

Patch Management Products Market: Market Restraints Ranked in Order of Impact (World), 2009-2015

| Rank | Restraint | 1 - 2 Years | 3 - 4 Years | 5 - 7 Years |
|---|---|---|---|---|
| 1 | The trend towards consolidation funnels revenues into other product categories | Very High | High | High |
| 2 | Bear market makes investors more cautious about financial ventures | High | Medium | Medium/High |
| 3 | Microsoft WSUS is free and highly ubiquitous | Medium/High | Medium | Medium |
| 4 | The maturity of this market makes it less appealing for new entrants | Medium | Medium/High | High |
| 5 | Focus on regulatory compliance can create a false sense of security | Medium | Medium | Low |
| 6 | Mature markets are less funded for research and developments | Medium/Low | Medium | Medium/High |


Key Factors

• The trend of consolidation has caused reduced growth in the patch management market. Vendors with patching products in 2007 have bundled this functionality into other products, diverting revenues from the patch management market into other markets.

• Investors are less likely to pump funding into security companies in a period of economic recession. This reduces the ability of smaller patch management vendors to develop new products or marketing activities.

• Microsoft Windows System Updates Services (WSUS) is free to Microsoft customers. WSUS provides only the most basic patching capabilities for Windows operating systems; however, this may give customers a false sense of security, and deter them from further investment.

• This market is at a late growth stage, and new competitors would find market penetration difficult. In addition, other markets would promise lucrative returns-on-investment and would be more alluring to fresh competitors.

• Mature markets are less funded for research and development, guaranteeing that


Legal Trends

Key Highlights

Regulatory compliance is a huge driver for this market. Here are some key regulations:

• Gramm-Leach-Bliley Act, also known as the Financial Services Modernization Act, regulates the transmission of consumer data for banking, insurance and financial organizations.

• Basel II, a part of the Basel Accords, provides security recommendations for banking and banking regulators in order to promote uniform security practices internationally.

• Federal Information Processing Standards (FIPS) is a set of standards for data processing such as encoding and encryption standards.

• Federal Desktop Core Configuration (FDCC) is a mandatory standard that requires configuring more than 300 settings that are required for all government agencies. This standard aims to harden government systems against cyber attacks.

• Federal Information Security Management Act (FISMA) of 2002 is a set of mandatory processes for securing government IT systems. FISMA also provides incentives in the form of yearly audits and certifications.

• Health Insurance Portability and Accountability Act (HIPAA) of 1996, Title II, is a set of standards that is designed to improve the effectiveness, efficiency and security of the U.S. healthcare system. HIPAA had a diminished effect until mid-2008, when the first fines were handed out for non-compliance.

• Payment Card Industry Data Security Standard (PCI DSS) is a set of technical and operational security standards developed by the PCI Security Standards Council. These standards are designed to reduce fraud and hacking activities.

• This regulation affects any organization that transmits, processes or stores credit card and cardholder data worldwide, but has had the biggest impact on the retail vertical market.

• PCI DSS has proven to be one of the most effective security standards, as non-compliance can result in audits, fines, or even the loss of credit card processing privileges with major brands such as American Express, Discover Financial Services, JCB International, MasterCard Worldwide and Visa Inc.

• The newest release of PCI DSS, Version 1.2, is much more explicit about the security


Technology Trends

Key Highlights

• The primary focus for technological advancement has been and will continue to be broadening the breadth of platform and systems coverage.

• Leading patch management vendors cover Microsoft operating systems and applications such as Internet Explorer, SQL Server, and Microsoft Office.

• Patch management products also cover third-party applications such as Apple Safari, Sun JAVA, Adobe Flash, and more.

• Patch management functionality is being integrated into IT operations or security configuration management. It is important for point product vendors to integrate their solution with related solutions in order to secure long-term channel relationships.

• Standard areas of focus such as performance and accuracy will gain importance while overall research and development budgets will be reduced for this technology.

• Research into reducing production costs has been gaining priority. This will continue as price becomes a more significant competitive factor.

• Leading patch management solutions should provide custom scripting abilities as well.

• A complete patch management solution will provision for patch assessment and


Distribution Channels & Partnership Trends

Key Highlights

• There is an industry-wide trend of cross-product integration. Already, vulnerability management vendors and security configuration management vendors are offering patching capabilities as an added feature to their security offering. This funnels direct sales away from the patch management market and into a broader market.

• This shift simply means that the patch management market will evolve into a producer market; thus, point patch vendors must start building their reseller market now, license their products to security vendors or look to get acquired.

• Patching, as an IT function, is already a task that is necessary for security teams and IT operations alike. Thus, the patch management market will become a subset of configuration management or IT management products. This is already evident with large, diversified companies such as HP, Symantec and BMC.

• To highlight the above mentioned effect, slides 33-34 provide a partial list of vendors for the world patch management products market in 2008. These patch management companies offer patching as part of a larger product suite, which can be categorized as IT systems lifecycle management, vulnerability management, or configuration management. They may also offer a stand-alone patch management product. These slides also show how much a vendor focuses on improving patching functionality as compared to their other product lines.

Patch Management Products Market: Product Integration Comparison (World), 2008

Columns: Company; Vulnerability Management; IT Systems Lifecycle Management; Configuration Management

Companies: Lumension Security; Microsoft; CA, Inc.; McAfee; BMC Software, Inc.; Shavlik; BigFix; LANDesk Inc.; HP; AdventNet, Inc.; Autonomic Software; Configuresoft; Fiberlink Communications; Frontrange Solutions USA Inc.; GFI Software; BOSS, Inc.; GridApp Systems, Inc.; PatchAdvisor, Inc.; Scalable Software; ScriptLogic Corporation; ManageSoft Corporation; New Boundary Technologies; Novell

Legend: Patch Management is a core competency; Patch Management product offered but not core competency

[Table: the per-company markings in the product columns are not preserved.]

World Market Forecasts

Patch Management Products Market: Revenue Forecasts (World), 2005-2015

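| Year | Revenues ($ Million) | Revenue Growth Rate (%) |
|---|---|---|
| 2005 | 118.0 | -- |
| 2006 | 133.8 | 13.4 |
| 2007 | 146.9 | 9.8 |
| 2008 | 159.8 | 8.8 |
| 2009 | 172.2 | 7.8 |
| 2010 | 185.4 | 7.7 |
| 2011 | 199.2 | 7.4 |
| 2012 | 213.8 | 7.3 |
| 2013 | 228.7 | 7.0 |
| 2014 | 244.4 | 6.9 |
| 2015 | 261.1 | 6.8 |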

Note: All figures are rounded; the base year is 2008. Source: Frost & Sullivan

[Chart: Patch Management Products Market: Revenue Forecasts (World), 2005-2015. Revenues ($ Million) and Growth Rate (%) by year.]

Regional Market Forecasts

Patch Management Products Market: Revenue Forecasts by Region (World), 2005-2015

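| Year | North America (%) | EMEA (%) | Asia Pacific (%) | Rest-of-World (%) |
|---|---|---|---|---|
| 2005 | 65.0 | 23.0 | 9.0 | 3.0 |
| 2006 | 62.5 | 24.2 | 10.1 | 3.2 |
| 2007 | 60.8 | 24.9 | 11.0 | 3.3 |
| 2008 | 59.1 | 25.1 | 12.4 | 3.4 |
| 2009 | 58.7 | 25.3 | 12.6 | 3.4 |
| 2010 | 58.2 | 25.5 | 12.8 | 3.5 |
| 2011 | 57.6 | 25.8 | 13.1 | 3.5 |
| 2012 | 56.9 | 26.1 | 13.4 | 3.6 |
| 2013 | 56.3 | 26.4 | 13.7 | 3.6 |
| 2014 | 55.6 | 26.7 | 14.0 | 3.7 |
| 2015 | 55.0 | 27.0 | 14.2 | 3.8 |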

[Chart: Patch Management Products Market: Revenue Forecasts by Region (World), 2005-2015. Revenues (%) by year for North America, EMEA, Asia Pacific and Rest-of-World.]

Key Highlights

• The North America region accounted for 59.1 percent of revenues generated in the patch management market.

• The North American region is home to the majority of security companies. However, large competitors such as Microsoft, Symantec and CA have extensive international presence and are the primary source for high international penetration rates.

• The North American market is highly competitive and well saturated. As a result, more growth is expected from countries such as Japan, India, Israel and countries in Western Europe.

• Over 75 percent of revenues generated outside of the United States are channel-based.

• Certain regulations, such as Basel II and PCI DSS, apply to companies worldwide.

• Laws enacted in the United States also affect companies internationally, due to the importance of U.S. business to foreign economies.

• Higher growth rates are anticipated to come from outside the North America region. As a result, the percentage of revenues generated in North America will drop to 55 percent and international sales will rise to 45 percent by 2015.


Patch Management Products Market: Revenue Forecasts (North America), 2005-2015

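| Year | Revenues ($ Million) | Revenue Growth Rate (%) |
|---|---|---|
| 2005 | 76.7 | -- |
| 2006 | 83.6 | 9.0 |
| 2007 | 89.3 | 6.8 |
| 2008 | 94.4 | 5.7 |
| 2009 | 101.1 | 7.1 |
| 2010 | 107.9 | 6.7 |
| 2011 | 114.7 | 6.3 |
| 2012 | 121.7 | 6.0 |
| 2013 | 128.8 | 5.8 |
| 2014 | 135.9 | 5.5 |
| 2015 | 143.6 | 5.7 |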

Note: All figures are rounded; the base year is 2008. Source: Frost & Sullivan

[Chart: Patch Management Products Market: Revenue Forecasts (North America), 2005-2015. Revenues ($ Million) and Growth Rate (%) by year.]

Patch Management Products Market: Revenue Forecasts (EMEA), 2005-2015

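| Year | Revenues ($ Million) | Revenue Growth Rate (%) |
|---|---|---|
| 2005 | 27.1 | -- |
| 2006 | 32.4 | 19.3 |
| 2007 | 36.6 | 13.0 |
| 2008 | 40.1 | 9.7 |
| 2009 | 43.6 | 8.6 |
| 2010 | 47.3 | 8.5 |
| 2011 | 51.4 | 8.7 |
| 2012 | 55.8 | 8.6 |
| 2013 | 60.4 | 8.2 |
| 2014 | 65.3 | 8.1 |
| 2015 | 70.5 | 8.0 |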

Note: All figures are rounded; the base year is 2008. Source: Frost & Sullivan

[Chart: Patch Management Products Market: Revenue Forecasts (EMEA), 2005-2015. Revenues ($ Million) and Growth Rate (%) by year.]

Patch Management Products Market: Revenue Forecasts (Asia Pacific), 2005-2015

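| Year | Revenues ($ Million) | Revenue Growth Rate (%) |
|---|---|---|
| 2005 | 10.6 | -- |
| 2006 | 13.5 | 27.2 |
| 2007 | 16.2 | 19.6 |
| 2008 | 19.9 | 22.8 |
| 2009 | 21.7 | 9.3 |
| 2010 | 23.7 | 9.4 |
| 2011 | 26.1 | 10.0 |
| 2012 | 28.6 | 9.8 |
| 2013 | 31.3 | 9.4 |
| 2014 | 34.2 | 9.2 |
| 2015 | 37.1 | 8.4 |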

Note: All figures are rounded; the base year is 2008. Source: Frost & Sullivan

[Chart: Patch Management Products Market: Revenue Forecasts (Asia Pacific), 2005-2015. Revenues ($ Million) and Growth Rate (%) by year.]

Vertical Market Analysis

Patch Management Products Market: Revenues by Vertical Market (World), 2008

| Vertical Market | Market Share (%) |
|---|---|
| Financial | 17.8 |
| Government | 17.4 |
| Healthcare | 15.2 |
| Retail | 11.9 |
| Technology & Telecommunications | 12.7 |
| Education | 9.7 |
| Others | 15.4 |

Note: All figures are rounded; the base year is 2008. Source: Frost & Sullivan

Note: Others includes utilities, manufacturing, insurance, media, transportation and professional services

[Chart: Patch Management Products Market: Revenues by Vertical Market (World), 2008. Financial 17.8%, Government 17.4%, Healthcare 15.2%, Retail 11.9%, Education 9.7%, Others 15.4%, Technology & Telecom 12.7%.]

Key Highlights

• Regulations such as Gramm-Leach-Bliley Act and Basel II have driven growth in the financial vertical market. In the face of fiscal irresponsibility and the resultant economic recession, the new President and his administration will look to regulate this industry more strictly. As a result, compliance will have a high impact on this market once again.

• The financial vertical market has traditionally been an early adopter of security technologies as sensitive data and transactions are now more valuable than the contents of bank vaults.

• There are numerous laws that have driven growth in the government vertical such as FIPS, FISMA, and FDCC. Please see the Legal Trends section for more details.

• The U.S. government is highly committed to improving the economy by protecting e-commerce, financial transactions, and sensitive data. While far from perfect, U.S. government mandates have set a strong example for other country governments.

• The retail vertical market is primarily driven by PCI. Otherwise, retail organizations tend to be late adopters of security technologies.

• The healthcare vertical market has been driven by HIPAA. This vertical market is expected to grow more, after the first HIPAA-related fines were handed out in 2008.

• Patch management is a very vertical-independent task and the market will continue to balance out.


Pricing Analysis

Key Highlights

• The average base price for patch management products was $1,200. However, pricing depends on the number of systems requiring patching, while most companies also provide volume discounts.

• Patch management products typically ranged in price from $1,200 to $10,000.

• Price is becoming a critical competitive factor. As an exception, a few companies experienced price increases ranging from 200 to 300 percent. This was done by migrating to product suites, as opposed to selling point products.

• As a result, patch management base product prices are falling while the overall price range is increasing.


Market Share Analysis

Patch Management Products Market: Market Share by Company (World), 2008

| Company | Market Share (%) |
|---|---|
| Lumension Security, Inc. | 12.5 |
| Microsoft Corporation | 10.0 |
| Shavlik Technologies, LLC | 7.5 |
| CA | 5.6 |
| BigFix, Inc. | 5.3 |
| LANDesk Software | 5.0 |
| McAfee, Inc. | 3.9 |
| BMC Software, Inc. | 3.8 |
| HP | 3.8 |
| Others | 42.6 |

Note: All figures are rounded; the base year is 2008. Source: Frost & Sullivan

Note: Others include AdventNet Inc., Autonomic Software, BOSS Inc., Configuresoft Inc., Criston, Dell Everdream, Diskeeper Corporation, Ecora Software Corporation, Fiberlink Communications Corporation, Frontrange Solutions USA Inc., GFI Software, GridApp Systems Inc., iPass Inc., Kaseya Corporation, ManageSoft Corporation, New Boundary Technologies, Novell, Numara Software Inc., PatchAdvisor Inc., RingMaster Software Corporation, Scalable Software LTD., Secure Elements


Market Share Analysis (Contd…)

Patch Management Products Market: Vendors by Market Share (World), 2008

[Pie chart: Lumension 12.5%, Microsoft 10.0%, Shavlik 7.5%, CA 5.6%, BigFix 5.3%, LANDesk 5.0%, McAfee 3.9%, BMC 3.8%, HP 3.8%, Others 42.6%]


Market Share Analysis (Contd…)

Key Highlights

• Lumension Security led the market with 12.5 percent market share.

• Companies that had large amounts of revenues from their patching solution in 2007 lost market share by bundling their patch management product with other solutions in 2008.

• These companies, such as Microsoft and CA, lost market share in the patch management market but gained in other markets, depending on what product suite the patch management product was integrated with.

• Microsoft played a significant role in this market with Systems Management Server. In 2008, Microsoft announced that Systems Management Server 2003 will be replaced with System Center Configuration Manager (SCCM).

• Shavlik, BigFix, CA and McAfee were all key competitors in this market as well.

• The Others category represents 42.6 percent. With 32 competitors, this market is still very


Competitive Landscape

Patch Management Products Market: Competitive Landscape (World), 2008

[Figure: competitive landscape chart positioning AdventNet, GFI Software, CA, BigFix, LANDesk, McAfee, HP, BMC, Shavlik, Microsoft and Lumension Security]


Market Leader

Lumension Security

Overview

Lumension, formerly known as Patchlink, acquired Harris STAT Vulnerability Scanner and relaunched as Lumension Security in late 2007. Lumension Security now offers a comprehensive security management solution that emphasizes control of all enterprise endpoints, applications and devices.

Key Offerings

PatchLink Security Configuration Manager, Sanctuary Device Control, Sanctuary Application Control, PatchLink Scan, PatchLink Update, PatchLink Security Management Console

Market Presence

Founded in 1991, Lumension has its roots in patch management and has expanded its offerings to remain competitive. As a company, Lumension now boasts 5,000+ customers in 150 countries. Lumension’s network of 480 partners and key global distributors includes industry giants such as WebSense, Microsoft, Cisco, Novell, and Juniper.

Market Performance

Lumension has a history as one of the dominant participants in the patch management market and has maintained high revenue income from this product line. The strength of its patching product combined with newly acquired vulnerability assessment capabilities has greatly increased its value and relevance to customers. In 2008, Lumension led the patch management market with 12.5 percent market share.


Market Leader (Contd…)

Lumension Security

Over 5,000 customers worldwide use PatchLink Update to protect critical IT resources in complex, enterprise networks. PatchLink Update uses patented Digital Fingerprinting Technology to proactively eliminate operating system and application vulnerabilities. As a result, this subscription-based, automated product enables Lumension customers to decrease IT costs, maximize productivity and demonstrate regulatory compliance. The combination of PatchLink Scan and PatchLink Update provides customers with a complete, best-of-breed vulnerability management solution.

Through a combination of intelligent acquisitions and organic growth, Lumension Security has demonstrated extremely high growth rates in recent years. Lumension Security is likely to make additional acquisitions to round out its product line, especially in the near future, as struggling companies may look to generate immediate cash or cut costs. Lumension’s partnerships with key global distributors and industry giants have been crucial to its success, and Lumension will continue to build new relationships. Lumension, however, is leading the charge to unify vulnerability management point products, as evidenced by its stronger focus on product suites. This will reduce patch management revenues and may jeopardize Lumension Security’s leadership position in this market.


Market Challengers

Microsoft Corporation

Overview

Microsoft Corporation is a large, multinational software provider with products ranging from desktop and server operating systems to business applications and consumer multimedia products.

Key Offerings

Systems Management Server (SMS), System Center Configuration Manager (SCCM), Windows Server Update Services (WSUS)

Market Presence

Microsoft operating systems are on most servers and the vast majority of desktops. This has made Microsoft’s Windows operating systems and other Microsoft applications prime targets for hacking attacks. Microsoft provides basic patching services through WSUS, which is free of charge. For customers requiring a more comprehensive solution, Microsoft offers SMS and System Center Configuration Manager. SCCM will move Microsoft out of the patch management market and into the IT systems lifecycle management market.

Market Performance

As a free product, WSUS has the highest installation rate of any patching solution on desktop PCs but generates no revenue and covers strictly Microsoft software. However, WSUS can lead to sales of stronger products such as SMS. The migration from patch management to more of a systems management solution with SCCM is better for customers, and will translate to higher income growth in the future.


Market Challengers (Contd…)

Microsoft Corporation

Microsoft WSUS is a free service for users of Microsoft operating systems. Microsoft WSUS covers only Microsoft operating systems and applications, which may leave other points of attack unprotected. Microsoft also offers Systems Management Server (SMS), which provides a comprehensive solution for change and configuration management for Microsoft platforms. SMS enables organizations to quickly and cost-effectively provide relevant software and updates to users of both Microsoft and non-Microsoft products.

In 2007, Microsoft released System Center Configuration Manager as the next generation of SMS. System Center Configuration Manager is a systems management software solution for managing large groups of Windows-based computer systems. Configuration Manager provides remote control, hardware and software inventory, patch management, software distribution, and operating system deployment capabilities. Although revenues from System Center Configuration Manager fall outside the scope of this market definition, Microsoft will continue to generate revenues from SMS sales and support. More importantly, Microsoft is leading the trend of combining patch management functionality into PC lifecycle configuration management. Microsoft must expand the number of systems covered by Microsoft SMS and SCCM in order to stay competitive with other patch management vendors.


Market Challengers (Contd…)

Shavlik Technologies

Overview

Since its founding in 2003, Shavlik has been the premier provider of patch management products and has expanded this offering to include policy and compliance management and configuration management. Shavlik has enjoyed steady growth over the years and now protects critical systems for over 10,000 customers.

Key Offerings

Shavlik NetChk Protect, Shavlik Security Suite

Market Presence

Shavlik is a key provider of patch management solutions. Its patch management product is available as a standalone product or as part of a suite. In addition, Shavlik has licensed its technology to 20 security firms such as IBM, BMC, iPass and Symantec.

Market Performance

By providing patching as part of a more comprehensive product suite and building a strong distribution network, Shavlik has defended itself against some of the major restraints to growth in this market. Shavlik demonstrated strong revenue growth in 2008 and subsequently outgrew the competition in terms of market share.


Market Challengers (Contd…)

Shavlik Technologies

Shavlik NetChk Protect is a comprehensive patch management solution with a single, user-friendly console. Using NetChk Protect, Shavlik customers can simplify the management of critical security patches and minimize the operational risks imposed by malware, spyware, and unwanted applications. Shavlik NetChk Protect enables customers to maximize productivity and resource availability and to demonstrate compliance with governmental regulatory mandates.

Shavlik’s NetChk Protect has a number of features that make it one of the leading patch solutions. NetChk Protect provides comprehensive, remote network coverage and customers can choose an agent-based or agentless architecture. In addition, Shavlik NetChk Protect is the first solution to enable customers to patch offline virtual machines. Shavlik even licenses its technology to more than 20 leading security companies such as IBM, BMC, Symantec, Juniper, Sophos and iPass. Shavlik’s position as a primary solution provider will only grow stronger as other point solutions are bought or discontinued. Shavlik has also expanded its product line to include a policy and configuration management solution. The combination of these products provides customers the best value and has driven Shavlik’s penetration rates in both markets, guaranteeing that Shavlik is well protected against the consolidation effects that this market is facing.


Market Contenders

BigFix

Overview

Founded in 1997, California-based BigFix has gone from being a point patch management product vendor to providing comprehensive systems management products. BigFix has recognized the demand for integrated IT operations and endpoint security and has developed a product line that meets this demand.

Key Offerings

BigFix Discovery 7 Platform, BigFix Systems Lifecycle Management, BigFix Security Configuration and Vulnerability Management

Market Presence

BigFix is the only vendor to offer patching as part of its IT systems lifecycle solution, configuration management solution and vulnerability management product suites. At the end of 2008, BigFix announced a mutually beneficial partnership with Trend Micro. This partnership will improve BigFix’s endpoint security offering and penetration in the large enterprise segment.

Market Performance

As a company, BigFix has demonstrated strong growth rates. This has primarily come from sales of its systems management suite. Cost-saving features such as power management have given BigFix an advantage that other patch management vendors cannot match.


Market Contenders (Contd…)

BigFix

BigFix gives customers real-time visibility and control of globally distributed desktop and server computer infrastructures, as well as mobile devices. BigFix automates enterprise level malware defense, software distribution, asset inventory, vulnerability assessment, policy enforcement, power conservation, and patch management, without compromising network performance or end-user productivity. The BigFix management console has built-in features such as a script language for custom automation and user-friendly wizards.

BigFix recently announced a strategic partnership with Trend Micro that aims to unify endpoint security and systems management with a single agent-based solution. By integrating patch management with IT operations, endpoint security and configuration management solutions, BigFix appeals to large enterprises that seek to bridge the gap between IT operations and security teams. Traditionally, BigFix has had a strong presence in the patch management market but has seen strongest growth from IT operations management products such as configuration management and power management. It is likely that BigFix will dedicate most of its efforts towards developing its IT operations management product lines, as these


Market Contenders (Contd…)

CA

Overview

CA is a large, multinational IT management software vendor founded in 1976 and headquartered in New York.

Key Offerings

CA Patch Management (requires CA Asset Management and CA Software Delivery), CA IT Client Manager (includes patch management functionality)

Market Presence

CA had a strong offering with CA Patch Management, but has decided to integrate it into CA IT Client Manager along with other CA products such as Asset Management, Asset Intelligence, Software Delivery, Remote Control and Desktop Migration Manager. This move will gradually shift CA from the patch management market into the IT systems lifecycle management market.

Market Performance

CA recently released IT Client Manager, which offers numerous benefits such as automated discovery, maintenance duties, improved operational efficiencies and reduced risk. By integrating patch management into IT Client Manager, CA is providing a more holistic approach to client management. Thus, from a long-term perspective, CA IT Client Manager is more beneficial for CA and large enterprise customers as well.


Market Contenders (Contd…)

CA

Prior to being rolled into CA IT Client Manager, CA Patch Management was a profitable product with high year-over-year growth rates. CA IT Client Manager gives customers insight into critical IT assets and automates resource management tasks while reducing operational risks. CA IT Client Manager helps to efficiently and proactively manage all the client devices across an organization, enabling customers to shift their focus from daily operational processes and issues to strategic IT initiatives that bring competitive value to the business. For CA, the trend of consolidation that is common to the security industry (and many others) is perfectly illustrated with the integration of multiple products such as CA Asset Management, CA Asset Intelligence, CA Software Delivery, CA Remote Control, CA Patch Management and CA Desktop Migration Manager into CA IT Client Manager. This gives CA a more compelling product that appeals to larger enterprises. In addition, IT Client Manager will move CA into the IT systems lifecycle management market where IBM, HP and other industry giants are also moving or already competing. More importantly, this trend of product integration will help CA and other market competitors to align their product offerings to customers’ needs. While CA still reports undiminished sales of CA Patch Management, the customer demand for this product and revenues generated from this product are expected to gradually migrate to the IT systems/client management market.


Market Specialists

McAfee

Overview

Since its founding in 1987, McAfee has grown into one of the largest security software firms. McAfee’s 2008 acquisition spree, which includes Secure Computing, demonstrates its mission to provide complete, end-to-end network and endpoint security.

Key Offerings

McAfee Remediation Manager, McAfee Vulnerability Manager

Market Presence

McAfee Remediation Manager is McAfee’s only footprint in this market. This product is designed to integrate with McAfee Vulnerability Manager and take corrective measures as recommended by Vulnerability Manager. This includes patch management, among other tasks. Remediation Manager enables customers to minimize risk as well as maximize their IT resources and security software investments.

Market Performance

McAfee Vulnerability Manager has a strong legacy from its origins as Foundstone, to which McAfee Remediation Manager is the perfect complement. McAfee products are designed to integrate with ePO, giving McAfee a huge advantage in each market that it competes in.


Market Specialists (Contd…)

McAfee

McAfee Remediation Manager is designed to help customers achieve compliance and boasts a library of more than 25,000 tested vulnerability remedies. Remediation Manager stays up to date on the latest vulnerabilities by collecting and compiling vulnerability data and creates new remedies that are downloaded via an automated delivery mechanism. Using Remediation Manager, McAfee customers can achieve compliance with government, industrial and internal security policies. Flexible reporting capabilities include summary reports for executives and detailed technical data for IT administrators.

McAfee Remediation Manager has a number of strengths as opposed to other patch solutions, such as the ability to integrate with McAfee ePO, Policy Auditor, Vulnerability Manager (formerly McAfee Foundstone), Risk and Compliance Manager, and McAfee Network Access Control as well as third-party vulnerability scanners. However, McAfee Remediation Manager still requires its own separate agent, which may be hurting sales. Complete integration with the McAfee ePO management console would ensure much stronger sales. Overall, McAfee has a solid position in this market with a very powerful and flexible product. The fact that McAfee plans to keep this product line intact and sell it as a stand-alone product guarantees that McAfee will remain a key staple of the patch management market.


Database of Key Industry Participants

Note: All figures are rounded; the base year is 2008. Source: Frost & Sullivan

Patch Management Products Market: Database of Key Industry Participants (World), 2008

| Company | Product |
|---|---|
| AdventNet, Inc. | Security Manager Plus |
| Autonomic Software | Autonomic Network & System Administration (ANSA) |
| BigFix | Patch Management |
| BMC Software, Inc. | Operations Manager / Patch Manager, Configuration Management |
| Business Oriented Software Solutions, Inc. (BOSS) | DiagWin Professional |
| CA, Inc. | CA Patch Manager |
| Configuresoft | Security Update Manager (SUM), Enterprise Configuration Manager (ECM) |
| Criston | Precision Patch Management |
| Dell | Dell Patch Management, Uptime Services Suite / Dell Remote Monitoring |
| Kaseya Corporation | Kaseya Patch Management |
| Diskeeper Corporation | Sitekeeper, with Patchkeeper |
| Ecora Software | Ecora Patch Manager 5.0 |
| Fiberlink Communications Corp. | Fiberlink Patch Management Service |
| Frontrange Solutions USA Inc. | Enteo v6 Patch Management |
| GFI Software | GFI LANguard Network Security Scanner, with PatchManager |
| GridApp Systems, Inc. | Patchworks |
| HP | HP Server Automation software |
| iPass Inc. | iPass Device Management |
| LANDesk Software Inc. | LANDesk Patch Manager |
| RingMaster Software Corporation | RingMaster Automated Patch Management (APM) |
| Scalable Software | WinINSTALL |
| Lumension Security, Inc. | PatchLink Update |
| ManageSoft Corporation | ManageSoft Security Patch Manager |
| McAfee | McAfee Remediation Manager |
| Microsoft | System Center Essentials 2007 / Windows Server Update Services (WSUS) |
| New Boundary Technologies | Prism Patch Manager |
| Novell | Novell ZENWorks Patch Management |
| Numara Software, Inc. | Numara Patch Manager |
| PatchAdvisor, Inc. | PatchAdvisor Services |
| ScriptLogic Corporation | Patch Authority Ultimate version 6.1 |
| Secure Elements | C5 Compliance Platform/ C5 Content Platform |
| Shavlik Technologies, LLC | Shavlik NetChk Protect/ Shavlik Security Suite |


Strategic Recommendations

Strategic Recommendations for Patch Management Vendors

• Point patch management vendors must expand their product lines to provide more value to increasingly demanding customers. Leading patch management vendors have had success expanding into compliance and configuration management.

• Point product vendors must integrate their products with related technologies and should seek a channel relationship with a company that is looking to improve its patch management offering.

• Large, diversified companies should add a patch management component to their product suite. Patching is a fundamental IT operations and security task which – as an automated solution – provides high product value to customers. These companies should seek to acquire a best-of-breed solution from a competitor or license one of these products.

• Vendors must resist the temptation to compete on price. Leading patch management solutions provide numerous features such as custom scripting tools. In addition, customers will choose a solution based on accuracy and performance rather than price.


Who is Frost & Sullivan

The Growth Consulting Company

Founded in 1961, Frost & Sullivan has over 45 years of assisting clients with their decision-making and growth issues.

• Over 1,700 Growth Consultants and Industry Analysts across 32 global locations

• Over 10,000 clients worldwide - emerging companies, the global 1000 and the investment community

• Developers of the Growth Excellence Matrix – industry leading growth positioning tool for corporate executives

• Developers of T.E.A.M. Methodology, proprietary process to ensure that clients receive a 360° perspective of technology, markets and growth opportunities


What Makes Us Unique

360° Perspective

Proprietary T.E.A.M.™ Methodology integrates all 6 critical research methodologies to significantly enhance the accuracy of decision making and lower the risk of implementing growth strategies.

Growth Monitoring

Continuously monitor changing technology, markets and economics and proactively address clients' growth initiatives and position.

Trusted Partner

Working closely with client Growth Teams – helping them generate new growth initiatives and leverage all of Frost & Sullivan assets to accelerate their growth.

Exclusively Focused on Growth

Global thought leader exclusively focused on addressing client growth strategies and plans – Team actively engaged in researching and developing growth models that enable clients to achieve aggressive growth objectives.

Industry Breadth

Cover the broad spectrum of industries and technologies to provide clients with the ability to look outside the box and discover new and innovative ideas.

Global Perspective

32 global offices ensure that clients receive a global coverage/perspective based on regional expertise.


T.E.A.M. Methodology

Frost & Sullivan’s proprietary T.E.A.M. methodology ensures that clients have a complete “360 Degree Perspective” from which to drive decision-making. Technical, Econometric, Application, and Market information ensures that clients have a comprehensive view of industries, markets and technology.

Technical: Real-time intelligence on technology, including emerging technologies, new R&D breakthroughs, technology forecasting, impact analysis, groundbreaking research, and licensing opportunities.

Econometric: In-depth qualitative and quantitative research focused on timely and critical global, regional, and country specific trends, including the political, demographic, and socioeconomic landscapes.

Application: Insightful strategies, networking opportunities, and best practices that can be applied for enhanced market growth; interactions between the client, peers, and Frost & Sullivan representatives that result in added value and effectiveness.

Market: Global and regional market analysis, including drivers and restraints, market trends, regulatory changes, competitive insights, growth forecasts, industry challenges, strategic recommendations, and end-user perspectives.


Global Perspective

• 1,700 staff across every major market worldwide
