Unified Threat Management Systems Marketplace


Unified Threat Management Systems

by James G. Barr

Docid: 00021368

Publication Date: 2109

Report Type: MARKET


Unified Threat Management (UTM) describes a category of security
appliances and cloud services that integrate network security functions
and features into a single network security platform. UTM appliances
typically combine firewall, gateway, anti-virus, intrusion prevention, and
more into a single solution. They are designed to protect enterprise
users from threats, including new and emerging blended threats, while
reducing complexity for the network engineers and system administrators
charged with maintaining them.


Executive Summary


In the nearly three decades since the Internet became an essential
resource for e-commerce and enterprise business operations, one persistent
and pernicious problem has plagued the World Wide Web: malware, or
malicious software. Whether in the form of computer viruses, worms,
Trojan horses, or increasingly sophisticated attack tools and information
grabbers like advanced persistent threats and botnets, enterprise
officials have been forced to erect higher and higher network barriers,
hoping to detect and deter the malevolent handiwork of hackers and other
cyber miscreants.

The whole affair has assumed the characteristics of a fencing competition
in which the enterprise attempts to parry each hacker thrust with a
combination of hardware and software systems designed to keep the network
free of unwanted or unexpected elements. Many of the technologies
involved, including anti-virus, anti-spam, and intrusion detection (later
intrusion prevention), were only then being invented, and, until recently,
most were delivered separately through a set of specialized products or
services. In other words, the enterprise was compelled to procure and
integrate a variety of anti-malware solutions to effect a robust and
reliable network defense structure.

Erecting a network defense from so many disparate pieces, however, poses
a number of problems, including:

  • Inter-solution compatibility
  • Differing patch cycles and processes
  • Differing vendor support
  • The nagging concern that some virus or other bit of malware may be
    able to negotiate a path in and around this not-so-tightly-coupled
    collection of anti-malware solutions

Moreover, since every enterprise was availing itself of the same type of
anti-malware solutions (anti-virus, firewall, intrusion prevention, etc.),
customers began to clamor for a single integrated solution – a demand that
eventually manifested as Unified Threat Management.

Emerging around 2004, Unified Threat Management (UTM) describes a
category of security appliances and cloud services that integrate a range
of network security functions and features into a single network security
platform. (See Figure 1.) They are designed to protect enterprise
users from threats, including new and emerging blended threats, while
reducing complexity for the network engineers and system administrators
charged with maintaining them. 

Note: Some vendors refer to UTM as Universal Threat Management.

Figure 1. A Conceptual Representation of a UTM

Source: Wikimedia Commons

Desired Features

While UTM capabilities vary according to the vendor, the ideal Unified
Threat Manager, as envisioned by Fortinet, offers the following:

Anti-virus to stop viruses, worms, Trojans, spyware, and other forms
of malware.

Anti-malware to block known malicious software. A Unified Threat
Manager “can … be configured to detect novel malware threats using
heuristic analysis, which involves rules that analyze the behavior and
characteristics of files.” A UTM “can also use sandboxing as an
anti-malware measure.” A suspicious file is captured and confined to a
sandbox. “Even though the malware is allowed to run, the sandbox prevents
it from interacting with other programs in the computer.”

Firewalls to scan incoming and outgoing traffic for viruses,
malware, spam, phishing attacks, and other cyber threats.

Intrusion prevention to detect and deter cyber attacks. An
intrusion prevention system (IPS) “analyzes packets of data, looking for
patterns known to exist in threats. When one of these patterns is
recognized, the IPS stops the attack.”

Virtual private networking to establish "a private network
that tunnels through a public network, giving users the ability to send and
receive data through the public network without others seeing their data. All
transmissions are encrypted, so even if someone were to intercept the data, it
would be useless to them."

Web filtering to prevent users from visiting malicious,
questionable, or problematic websites.

Data loss prevention to detect data breaches and block “data
exfiltration,” or data removal, attempts.1
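As an added illustration (not code from this report or from any vendor it names), the toy Python pipeline below shows how the functions listed above can sit behind a single policy engine: each reassembled flow passes, in order, through a port-based firewall, a URL filter, an IPS signature match, a hash-based anti-malware check, and an outbound data loss prevention check, and the first engine that objects decides the verdict. Every host name, port list, signature, file hash, and sample flow is constructed for the example; none comes from a real product.

```python
"""Toy single-pass UTM inspection pipeline (added illustration, not vendor code)."""
import hashlib
import re
from dataclasses import dataclass
from typing import Callable, List, Optional


@dataclass
class Flow:
    src: str          # client address
    dst_host: str     # destination host name (from the URL or TLS SNI)
    dst_port: int
    outbound: bool    # True when application data leaves the enterprise
    payload: bytes    # reassembled application data


@dataclass
class Verdict:
    action: str       # "allow" or "block"
    engine: str       # which UTM function made the decision
    reason: str


# --- Constructed policy data (hypothetical; not any vendor's rule set) ---
ALLOWED_PORTS = {80, 443}
BLOCKED_HOSTS = {"phish.example", "malware-cdn.example"}
IPS_SIGNATURES = {
    "http-path-traversal": re.compile(rb"\.\./\.\./"),
    "sql-union-select": re.compile(rb"(?i)union\s+select"),
}
# Digest of a constructed byte string standing in for a known-bad file list
KNOWN_BAD_SHA256 = {hashlib.sha256(b"CONSTRUCTED-MALICIOUS-SAMPLE").hexdigest()}
# Constructed DLP rule: a classification label or an SSN-shaped number
DLP_MARKER = re.compile(rb"CONFIDENTIAL|\b\d{3}-\d{2}-\d{4}\b")

Engine = Callable[[Flow], Optional[Verdict]]


def firewall(flow: Flow) -> Optional[Verdict]:
    if flow.dst_port not in ALLOWED_PORTS:
        return Verdict("block", "firewall", f"port {flow.dst_port} not permitted")
    return None


def url_filter(flow: Flow) -> Optional[Verdict]:
    if flow.dst_host in BLOCKED_HOSTS:
        return Verdict("block", "url_filter", f"host {flow.dst_host} is on the block list")
    return None


def intrusion_prevention(flow: Flow) -> Optional[Verdict]:
    # Pattern matching over payload, the IPS behaviour the report describes
    for name, signature in IPS_SIGNATURES.items():
        if signature.search(flow.payload):
            return Verdict("block", "intrusion_prevention", f"signature {name} matched")
    return None


def anti_malware(flow: Flow) -> Optional[Verdict]:
    digest = hashlib.sha256(flow.payload).hexdigest()
    if digest in KNOWN_BAD_SHA256:
        return Verdict("block", "anti_malware", f"known-bad hash {digest[:12]}...")
    return None


def data_loss_prevention(flow: Flow) -> Optional[Verdict]:
    if flow.outbound and DLP_MARKER.search(flow.payload):
        return Verdict("block", "data_loss_prevention", "sensitive marker in outbound data")
    return None


# Engines run in this order; removing one from the list disables that function
DEFAULT_ENGINES: List[Engine] = [
    firewall, url_filter, intrusion_prevention, anti_malware, data_loss_prevention,
]


def inspect(flow: Flow, engines: List[Engine] = DEFAULT_ENGINES) -> Verdict:
    """Single pass over the enabled engines; the first objection wins."""
    for engine in engines:
        verdict = engine(flow)
        if verdict is not None:
            return verdict
    return Verdict("allow", "pipeline", "no engine objected")


# Constructed sample flows, one per engine plus one clean flow
SAMPLE_FLOWS = [
    Flow("10.0.0.5", "intranet.example", 443, False, b"GET /index.html"),
    Flow("10.0.0.5", "intranet.example", 23, False, b"login"),
    Flow("10.0.0.7", "phish.example", 443, False, b"GET /"),
    Flow("10.0.0.7", "shop.example", 80, False, b"GET /../../private"),
    Flow("10.0.0.9", "files.example", 443, False, b"CONSTRUCTED-MALICIOUS-SAMPLE"),
    Flow("10.0.0.9", "mail.example", 443, True, b"Attached: CONFIDENTIAL report"),
]


def summarize(flows=SAMPLE_FLOWS, engines=DEFAULT_ENGINES):
    """Return (engine, action) per flow, showing which layer caught what."""
    return [(v.engine, v.action) for v in (inspect(f, engines) for f in flows)]


if __name__ == "__main__":
    for flow, (engine, action) in zip(SAMPLE_FLOWS, summarize()):
        print(f"{flow.src:>9} -> {flow.dst_host}:{flow.dst_port}  {action:<5} ({engine})")
```

Passing a shorter engine list to `inspect` is the toy equivalent of activating only the UTM functions an enterprise needs: a flow that the IPS would have blocked is allowed when only the firewall and URL filter are enabled, which is the trade-off behind the report's later advice to enable features according to need.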

Market Dynamics


Commonly Deployed Features

As reported by analyst Drew Robb, a Gartner analysis of UTM tools has
revealed the most commonly deployed features:

  • Firewall – 100 percent
  • URL filtering – 77 percent
  • Intrusion prevention – 70 percent
  • IP security – 63 percent
  • Web anti-virus – 51 percent
  • Secure sockets layer, application control, and virtual private
    networking – 46 percent
  • User control, quality of service, and anti-spam – 41 percent 2


Unified Threat Management vendors usually refer to their integrated
security solutions as Unified Threat Managers (UTMs) or Next-Generation
Firewalls (NGFWs).

As differentiated by WatchGuard Technologies, UTMs are engineered to
provide simplicity while NGFWs are designed to offer customization. “UTM
appliances provide out-of-the-box policies, management, and reporting
tools designed for ease of deployment and ongoing management while NGFW
appliances cater to organizations that wish to customize their security
policies and prefer manual reporting and management techniques.” 3

Hardware or Software

UTM solutions may be delivered as hardware appliances or virtual
(software) appliances, depending on which solution type best integrates
with a client’s IT and security infrastructure.

UTM Value Proposition

For prospective clients, the UTM value proposition is simple:

  • “One Stop Shopping” for anti-virus, firewall, intrusion prevention,
    and other security functions.
  • Ease of deployment, owing to the all-in-one structure of UTM.
  • Discount pricing, which is easier to negotiate when only one vendor is

Market Leaders


    “With a UTM, you can streamline the way data is processed and use
    fewer resources at the same time.”

        – Fortinet 5

Market leaders in the UTM space include:

  • Barracuda
  • Check Point
  • Cisco
  • Fortinet
  • HP
  • IBM
  • Juniper Networks
  • SonicWall
  • Sophos
  • WatchGuard

Check Point Threat Prevention

Broadly representative of enterprise UTMs, the Check Point Threat
Prevention solution includes security features such as:

  • Firewall
  • Intrusion prevention
  • Anti-bot
  • Anti-virus
  • Application control
  • URL filtering
  • Virtual private networking
  • Data loss prevention
  • Identity awareness
  • Anti-spam

As described by the vendor, Threat Prevention incorporates Check
Point’s SandBlast Threat Emulation and Threat Extraction technology:

  • The Threat Emulation engine detects malware at the exploit phase,
    combining cloud-based CPU-level inspection and OS-level sandboxing to
    prevent infection.
  • The Threat Extraction engine removes exploitable content, reconstructs
    files to eliminate potential threats, and delivers sanitized content to


Market Growth

MarketWatch expects the global Unified Threat Management market, valued
at approximately $5.17 billion in 2020, to reach $13.18 billion by 2027,
reflecting a robust compound annual growth rate (CAGR) of 14.3 percent
over the 2021-2027 forecast period.

Demand Surge

According to Transparency Market Research:

  • The continuing rise in cybercrime is fueling UTM spending, especially
    in the Defense; Telecom; and Banking, Financial Services, and Insurance
    (BFSI) sectors.
  • The integration of machine learning technology, with the promise of
    even smarter security, is attracting new customers.
  • The all-in-one convenience of UTM security is convincing more
    small-to-medium-sized businesses (SMBs) to invest.6

UTM Evolution

In the coming years, UTM vendors will likely double down on the UTM value
proposition, eventually creating a true need-nothing-else
appliance. Unfortunately, this will increase the resolve of hackers,
criminal gangs, even state-sponsored cyber criminals to penetrate UTM

Strategic Planning Implications


Prior to Purchasing a UTM Solution

1. Narrow the potential provider pool to market-leading vendors.

2. Determine which security features the enterprise needs, and match
prospective products to those requirements.7

3. Identify three to five provider candidates and utilize the request for
proposal (RFP) vehicle to evaluate each provider and product. Critical criteria include:

  • Does the product satisfy enterprise compliance requirements, like
    adherence to the EU General Data Protection Regulation (GDPR), the US
    Health Insurance Portability and Accountability Act (HIPAA), or the
    California Consumer Privacy Act (CCPA)?
  • Does the provider have formal incident management and business
    continuity plans and procedures in place?
  • Is the product compatible with – and inter-operable with – existing
    enterprise software and hardware?
  • Once installed, can the product be removed without undue business
  • Can a custom service level agreement (SLA) be negotiated?

4. After exercising due diligence, select a UTM provider and solution.

After Implementing a New UTM Solution

1. Provide enterprise security and IT personnel with the training – and
periodic re-training – required to service the UTM product.

2. Activate UTM features and functions according to need (to prevent
performance bottlenecks).

3. Promptly test and apply provider-supplied software patches.

4. Enlist an ethical hacker (EH) to attempt to penetrate UTM defenses. If
the EH is successful, cooperate with the provider to plug all UTM security

5. Monitor and measure UTM performance. Make “course corrections” as

6. Keep up with UTM technology and solution developments by monitoring
the trade press, and visiting the US National Institute of Standards and
Technology (NIST) Computer Security Resource Center.



About the Author


James G. Barr is a leading business continuity analyst and business
writer with more than 40 years’ IT experience. A member of “Who’s Who in
Finance and Industry,” Mr. Barr has designed, developed, and deployed
business continuity plans for a number of Fortune 500 firms. He is the
author of several books, including How to Succeed in Business BY Really
Trying, a member of Faulkner’s Advisory Panel, and a senior editor for
Faulkner’s Security Management Practices. Mr. Barr can be reached via
e-mail at jgbarr@faulkner.com.
