800-Pound Gorilla Sits on AV

Incumbent antivirus vendors try to sound nonchalant with Microsoft's Forefront Client in beta and Vista just a couple of weeks away

This is the third in a series of articles on the impact of Microsoft's entry into the security space.

As Microsoft today released the public beta version of its long-awaited software, the Big Three antivirus vendors continued to busily regroup and reinvent themselves before the other shoe -- Vista -- drops at the end of the month.

And at least publicly, Symantec, McAfee, and Trend Micro say they aren't losing sleep over Microsoft joining the party, but their actions speak differently. (See Microsoft Releases Forefront, The Vista-Forefront Security Two-Step, and Microsoft Beckons to Early Adopters.)

The writing is on the wall where consolidation is concerned. Microsoft is likely to own the antivirus and anti-spyware sector, first on the consumer side with OneCare Live, then possibly on the business side, too, with Forefront, industry experts say. "Microsoft is poised to make a huge dent in the $2.5 billion AV market," says Thomas Ptacek, a researcher with Matasano Security.

"The hot topic on everyone's mind is whether what Microsoft is doing is going to severely impact Symantec and McAfee, and it absolutely is," Ptacek says. "AV companies are worried that Microsoft is going to destroy the AV industry. That's definitely a reasonable concern."

Gone will be the days of a security vendor capturing 60 percent of the market, says Randy Abrams, formerly Microsoft's operations manager for its Global Infrastructure Alliance for Internet Safety, and now director of technical education for AV company Eset. Abrams says Microsoft's arrival will level the playing field for smaller companies like his, Sophos, Kaspersky Lab, Panda Software, and BitDefender, which can also more nimbly adjust to changes in the market. "There will be fewer mega-companies in the security space," he says, and more mergers and consolidation. (See AV Vendors Need Not Fear Microsoft.)

Meanwhile, this was a busy day for Microsoft. In addition to releasing five critical patches and one labeled as "important" for the monthly Patch Tuesday cycle, and releasing Forefront Client Security in beta, Microsoft also said today that it will begin shipping its Forefront Security for Exchange and Forefront Security for SharePoint -- both of which have been in public beta -- in December. It also added new application optimization features for its Intelligent Application Gateway, a combination SSL-based application access, Web application firewall, and endpoint security management product.

AV leaders Symantec, McAfee, and Trend Micro are banking on Microsoft's fashionably late and bare-bones version of the Forefront AV client to buy them a little time before they can get out of the way.

Other third-party security companies are doing all they can to distance themselves from AV and tout their differences and functions that go beyond what Microsoft can do at the desktop.

"Microsoft is going to commoditize malware," says Ross Brown, CEO of host-based intrusion detection vendor eEye Digital Security. "At the end of the day, you go wide: The problem is Microsoft is an 800-pound defensive tackle wearing rock-solid body armor, and if you go at them head to head, you're going to break your neck."

Brown says eEye's Blink product line is immune to Microsoft's PatchGuard restrictions in the Vista kernel, which have Symantec and McAfee up in arms. "We integrate at different layers. None of Blink relies deeply on kernel-hooking," he says of PatchGuard, which critics say limits the features AV vendors can offer atop Vista.

Without sufficient access to the kernel, McAfee, for instance, won't be able to offer all the features in its IPS's heuristic behavioral detection, says George Heron, McAfee's chief scientist.

McAfee, Symantec, and Trend Micro meanwhile have been gradually broadening their security offerings for some time now in anticipation of Microsoft's arrival, but AV sales still represent most of their revenues, says Richard Stiennon, president of IT-Harvest. But they still hold a comfortable lead. "Their research and effectiveness will be better than Microsoft's for several years. They have plenty of time to stay ahead."

The big opportunities for major security vendors lie in premier offerings for highly secure environments, he says, as well as hardware-based solutions and solutions that work across multiple platforms.

The multi-platform strategy is at the heart of Symantec's renaissance. The company plans to provide infrastructure security management across multiple vendor platforms, says Rowan Trollop, vice president of consumer engineering for Symantec. Trollop says Symantec's Security 2.0 initiative for enterprise security is to "remake sections of our company" in the next two years.

"You will see Symantec more woven into the fabric of the network." And that includes mobile devices, Trollop says. Its security software will be integrated with other vendors' devices as well as with ISP services, he says.

Symantec dismisses Microsoft's Forefront as late to the party. "We're not worried about [Microsoft]. The hackers will continue to move the stake, and we will continue to follow them," Trollop says. "Microsoft's approach of a subpar [product] is not going to cut it."

"Their coming out with antivirus 10 or 15 years after the first viruses hit is almost laughable -- that's [viruses] a problem that's almost resolved," he says. "Symantec is moving on."

Trend Micro, meanwhile, which has traditionally been an enterprise AV vendor, may have a little more breathing room than Symantec or McAfee, which have a big chunk of the consumer space.

Lane Bess, global general manager of consumer products and services for Trend Micro, says Microsoft's security entry won't affect the company in the short term. But, he says, Trend has already shifted its attention to other areas: In 2007, for instance, Trend Micro won't be spending as much of its R&D dollars on AV, anti-spyware, and antispam. Its focus instead will be on Web-based threats.

"In the past, our R&D spending was 60 percent traditional antivirus, anti-spyware, and antispam. Now we've flipped that to two thirds on Web threats," he says.

And Trend, like Symantec and other security firms, is embracing the security-as-a-service model, a sector where Microsoft is no threat. "We will focus on Web threats... We see the market expanding into the cloud," Bess says. "This is where Microsoft hasn't been focusing."

And the reality is Microsoft really needs competitors in the desktop market, Bess says. "People will find vulnerabilities in the Vista platform and Microsoft does not want to be out there all alone to respond," he says. "Microsoft benefits greatly by still having close partners and competition with security software vendors."

— Kelly Jackson Higgins, Senior Editor, Dark Reading

About the Author(s)

Kelly Jackson Higgins, Editor-in-Chief, Dark Reading

Kelly Jackson Higgins is the Editor-in-Chief of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise Magazine, Virginia Business magazine, and other major media properties. Jackson Higgins was recently selected as one of the Top 10 Cybersecurity Journalists in the US, and named as one of Folio's 2019 Top Women in Media. She began her career as a sports writer in the Washington, DC metropolitan area, and earned her BA at William & Mary. Follow her on Twitter @kjhiggins.
