From 14-16 June, Quocirca attended the inaugural European NG (Next Generation) Security Summit in Lisbon, organised by GDS International (a company whose Events division exists primarily to organise such things).
Being the first such event, the main concern for Quocirca and many other attendees was whether it would achieve the critical mass of attendees required to make it all worthwhile. In Quocirca's view it did.
The attendees that make an event like this worthwhile are the real-world practitioners, who, when it comes to IT security, are CISOs (chief information security officers). The event attracted about 50 such individuals (or at least their underlings) from well-known banks, manufacturers, retailers, charities and other large users of IT.
For the CISOs (and guest analysts) it is a freebie and a chance to network with and learn how their peers are addressing the ever growing list of security issues posed by the use of IT.
However, someone has to pay for such events. Here GDS had done a good job of attracting some high-profile sponsors from the IT industry. These included Symantec, BlackBerry, Verizon and Intel.
These vendors were also taking a risk; would they achieve their goals, which were being associated with a worthwhile event and access to the CISOs? The presence of so many senior IT security professionals was the key to achieving the first and GDS ensured the second, by keeping the CISOs to their committed meetings with vendors.
The issues covered in the workshops and panel sessions that comprised the main body of the conference ranged across the whole gamut of IT security. Quocirca ran two of these.
The first was on end-point security, where there was general recognition of the growing tide of consumer devices entering the workplace and the security challenge this introduced (presentation available here).
The second was on data leak prevention (DLP). About 25 per cent of the CISOs in the workshop had deployed specific DLP technology and all agreed it had a value, which corroborated the findings of Quocirca's 2010 DLP report, "You sent what?", freely available here.
Other workshops that aroused interest were on brand protection (an increasing concern), next-generation identity management (owning your own identity) and cyber "warfare" (only call it war if it really is war).
Quocirca came away from the event with new ideas and insights into IT security and is glad to hear GDS already plans a second event in Dec 2011, details of which can be found here.
Bob Tarzey, analyst and director, Quocirca
25 May 2011
Symantec revealed a new internal structure and new messaging to analysts at its recent worldwide analyst conference in New York. The company is now structured along consumer/SOHO, SMB and enterprise lines, building from what it is terming the “three megatrends” of virtualisation, cloud and data growth. This, in itself, is a move in the right direction, giving levels of consistency and commonality across a company that has often, in the past, looked more like a collection of independent fiefdoms with barely interconnected technologies.
However, the biggest change is in Symantec’s messaging. Out goes the deep technical portfolio sell, and in comes a set of high level messages aimed at demonstrating what Symantec can do for the business. The message is strongly focused on information – not on devices.
It seems that Symantec has realised that the devices, while requiring a level of security to be applied, are no longer a key business asset, and are actually reducing in value as the consumerisation of IT passes this value to the individual. The real value is in the data and information, and if Symantec can provide the means of securing this, then the business will listen.
While Symantec still talks about what it can do for end-point management through its Altiris acquisition, and how its tools such as Backup Exec (BE) and Enterprise Vault (EV) (via its Veritas acquisition) can perform at a technical level, it is now leading with messages around how tools such as data leak prevention, e-discovery (a new acquisition via a much talked-about Clearwell Systems), encryption (via its PGP acquisition) and identity management (via its Verisign acquisition) can maintain the fidelity and security of information at rest and on the move – and along the value network of mobile users, temporary workers, suppliers and customers.
Symantec is also “cloudifying” its entire portfolio in a step by step manner. Using its MessageLabs acquisition as a base, along with the on-line backup services it bought via the SwapDrive acquisition, SaaS-based services such as EV.cloud, BE.cloud and storage.cloud are being rolled out. The platform also holds the promise of being able to support other functions; whether Symantec goes for an Amazon AWS or salesforce.com Appexchange model of allowing third parties to host applications on the Symantec cloud will have to be seen.
This is very different for Symantec – but is a very sensible step. The technical sell is not the right one for a post-recession market. Businesses need to be able to understand exactly what they are getting out of their IT investments – or will look to outside providers in the cloud to remove the complexities and problems of on-premise solutions. Symantec now has the capability to cover all bases – on-premise, in the cloud or hybrid.
But it may not be all plain sailing for Symantec. Such a bold move puts it into competition with companies that may previously have seen Symantec as a partner, or at least not as competition. Now Symantec is going head-to-head with the likes of Amazon, with those in the information management space such as Autonomy, with cloud storage providers such as Asigra, and with a host of others.
The acquisitive nature of Symantec will also be raising concerns at some of Symantec’s partners. For example, Kaseya should be a little worried as Symantec gets closer to being able to provide more of what it offers. Dell, although not threatened by Symantec in its heartland hardware business, should still look at some of the appliances that Symantec has been bringing to market and make sure it has a way of dealing with Symantec where the two compete.
The biggest issue for Symantec, however, could well be the channel. It has over 50,000 channel partners worldwide – many of which are archetypal “yellow box shifters”, selling copies of Symantec’s software in a very simple reseller model.
The new messaging does not fit this model well, and Symantec needs to be able to identify the 1-2% top performers who can fit into the new model and concentrate on getting them up to speed. It should then be able to take the resulting model and cascade it down to maybe a further 5,000 partners. Decisions may have to be made as to how many of the 40,000+ remaining partners should be kept on, and where culling should be applied.
Although Symantec is trying to make its offerings available as both on-premise and cloud-based services, it will need to work with the channel on this as well. A subscription-based model does not fit well with many sales people, as the compensation models tend to differ. Where subscriptions can be annualised, there will be less problem, but in the SMB market where monthly subscriptions may be more of the norm, some financial help (as well as education of the channel in how subscription portfolio management can be done in a way that suits sales people) should be considered.
Overall, the messaging looks strong – and the acquisitions Symantec has made over the past few years are now looking very well positioned for the future. The devil will be in the detail, however – and Symantec will need to keep a careful eye on those partners which are not happy with the direction of the new Symantec, and on the channel which may well struggle to deal with the new offerings.
Clive Longbottom, Service Director, Business Process Analysis, Quocirca
05 May 2011
Today more and more IT security is being incorporated into IT infrastructure. But does this mean buyers can rely on what's provided by infrastructure suppliers or should they still be turning to IT specialists?
The largest acquisition during 2010 in the IT industry was that of security giant McAfee by Intel, at $7.7bn. This clearly underlines the trend of IT infrastructure suppliers adding security to their portfolios. So far Intel has taken a fairly hands-off approach with regard to McAfee, but it is said the company wants to ensure security is more tightly integrated with products at the chip level. However, this only makes sense for some McAfee products, such as anti-virus and end-point security. Other areas that McAfee operates in (such as content security and security management) would not be implemented purely at the chip level.
HP has also been marching back into the IT security arena over the past few years. Last year it acquired Fortify for code testing and ArcSight for security and information event management. It also picked up UK-based security services provider Vistorm when it acquired EDS in 2008 and TippingPoint for network security as part of 2009's 3Com acquisition.
IBM, meanwhile, added code testing to its portfolio last year when it acquired Ounce Labs. It already had a broad range of security products through its 2006 acquisition of Internet Security Systems and existing products in its Tivoli division for identity and access management and compliance. That was enhanced by another 2010 acquisition, BigFix, for end-point management. Such tools are required to deliver end-point security effectively and consistently.
Cisco, the world's leading networking supplier, has also been building on its established firewall business with acquisitions such as IronPort for email security in 2007 and ScanSafe for web content security in 2009. EMC, the world's largest storage supplier, acquired the major player in identity and access management, RSA, in 2006. Looked at through the lens of the joint venture – the Virtual Computing Environment (VCE) coalition – Cisco and EMC (along with VMware) can boast a broad, all-round security portfolio.
During 2010, Microsoft launched new versions across much of its Forefront security range, which has been built up over a number of years through the acquisition of various small and relatively unknown security suppliers. The motivation for Microsoft's long journey into IT security is clear: to make sure its customers can use its products more safely. Security was one of the key pillars of Microsoft's Trustworthy Computing initiative, launched in 2003. Many gauge that to have been a success, with Microsoft's products generally considered more secure than a decade ago. But Microsoft only protects Microsoft, often scrapping support for third-party products provided by suppliers it acquires.
Yet for most organisations, IT security needs to cover a wider range of heterogeneous platforms. The situation looks set to get worse as the diversity of devices and operating systems increases, particularly when it comes to end points. Although Microsoft continues to dominate the PC OS market for the moment, it is currently an also-ran when it comes to smartphones and tablets. It hopes to reverse this through its new partnership with Nokia, but only time will tell if it can succeed.
The need to secure and manage heterogeneous IT environments is the reason why security specialists exist in the first place. Whatever Intel chooses to do with McAfee, it would be crazy to focus on securing only Intel-based devices. McAfee once proudly claimed it was "the world's largest independent security supplier", a crown it took from Symantec only because the latter had diversified into storage software through the 2004 acquisition of Veritas. Despite its previous bluster, it seems likely McAfee will maintain its credentials as a specialist with the ability to manage security across much of its customers' infrastructure, just as Symantec and CA have done.
Following the loss of its independence last year, McAfee passed its crown to Japan-based Trend Micro, whose revenues for 2010 approached $1.1bn. Trend Micro has a fairly broad IT security portfolio, but it has started to diversify, for example into data protection with its 2010 acquisition of Humyo (rebadged SafeSync).
Israel-based Check Point, the original firewall supplier, is not far behind with 2010 revenues of $830m. Behind these two are a host of smaller security suppliers, including Blue Coat, SafeNet, Websense, Sophos, Webroot, SonicWALL and Kaspersky. All have their own focus, which generally needs to be supplemented with products from elsewhere. All are potential targets for infrastructure suppliers to plug further gaps or acquire market share. Who knows who will be wearing McAfee's former crown 12 months from now.
Buyers should evaluate what is available from their chosen infrastructure suppliers in the first instance, but this will rarely meet all requirements. More importantly, they must make sure they have in place a coherent IT security strategy across all their IT assets with the ability to manage it. Many will find it is still the IT security specialists who will enable them to best keep ahead of the rapidly changing threat landscape.
Bob Tarzey, Analyst and Director, Quocirca
In February, Symantec released a new version of its Endpoint Protection suite – SEP 12 and the associated small business editions SEP SBE 12. It contains all the usual stuff you would expect to find in such suites: antivirus/spyware, desktop firewall, intrusion prevention and so on. So what’s new?
Well, as ever, Symantec has focused on performance, to ensure that the product has minimal impact on desktop performance – a focus all desktop security vendors must have. It has also improved support for virtual desktops, where scans can have a big impact on the performance of the servers that run them if multiple scans are invoked at the same time. However, the feature Symantec was keenest to talk about was an upgrade to the way its Insight file reputation service works.
Insight is a cloud-based service that backs all Symantec malware protection products including Norton for consumers. Insight assesses the threat an executable file might represent based on a number of factors including prevalence, age, provenance and reputation, and returns a rating that can be used when setting security policies, sometimes called greylisting (as opposed to whitelisting = good, blacklisting = bad).
For example, a file over two months old with thousands of users is likely to be safe, while one created yesterday, with no known users, looks decidedly risky. With V12, the policies that act on these ratings are set by security administrators rather than by end users, as was the case in previous versions.
For Insight, “executable” files include traditional EXE files, driver files (including printer drivers), screen savers, DLLs, OCXs, MSI installer files, etc. Insight does not rely on file extensions to recognise such files but examines all files to see if they are known and, if not, checks whether they are actually executable. At present Insight has a community-based security rating for 2.5 billion files – good, bad and grey. This data is collected by Symantec’s Global Intelligence Network, which consists of more than 175 million endpoints that run Symantec’s security software and have opted in to submitting threat data, supplemented by data from Symantec’s hosted services and gateway products.
All well and good, but all the major security vendors have protection networks and these all include file reputation services. So, is Symantec catching up with or jumping ahead of the competition? Here are three examples:
McAfee’s Global Threat Intelligence also includes file reputation. It catalogues known bad files and greylists files that might be bad. Like Symantec Insight it uses a file scoring algorithm; however, McAfee does not whitelist. Quarantine thresholds can be configured depending on a given customer’s tolerance for risk. McAfee does not rely on the file alone, but also on other information such as network connection reputation and mode of arrival, for instance whether it arrived attached to a “spammy” email.
Trend Micro’s Smart Protection Network (SPN) has been around for over five years and has included file reputation since 2008; it also greylists files as suspicious. To do this it looks at the file's behaviour and heuristic information. Suspicious files are checked against whitelists to minimise false positives. Information on new files is then fed back to SPN for analysis and confirmation as to whether they are truly malicious or not.
Blue Coat’s threat protection network is called Web Pulse. It has been profiling web traffic for over five years and it is central to all its security products. It greylists malware based on provenance, history, behaviour, mode of arrival and previous knowledge of a particular file.
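The greylisting logic described above for Insight (age, prevalence, provenance), with McAfee's extra "mode of arrival" factor and administrator-set quarantine thresholds, is easy to picture as a scoring function. The following is an added illustration, not Symantec's, McAfee's or Trend Micro's actual algorithm (none of the posts disclose one): the weights, the 50-point neutral starting score, the thresholds in `Policy`, the `FileFacts` record and the sample inventory are all constructed assumptions. The magic-number check at the end stands in for the post's remark that Insight does not trust file extensions.

```python
# Added illustration of reputation-based greylisting. The weights and thresholds
# are assumptions for the example, not any vendor's real scoring.
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from enum import Enum


class Verdict(Enum):
    GOOD = "good"   # whitelisted: allowed to run
    GREY = "grey"   # unknown or suspicious: handled by policy (log, prompt, sandbox)
    BAD = "bad"     # blacklisted or below the admin's tolerance: quarantine


@dataclass(frozen=True)
class FileFacts:
    """What a reputation service knows about one file (constructed sample data)."""
    sha256: str
    first_seen: datetime                      # age = now - first_seen
    user_count: int                           # prevalence across the telemetry network
    signed_by_trusted_publisher: bool         # provenance
    arrived_via_spammy_email: bool = False    # mode of arrival (the McAfee factor)
    known_bad: bool = False                   # already catalogued as malware


@dataclass(frozen=True)
class Policy:
    """Administrator-set thresholds; in SEP 12 admins rather than end users set these."""
    min_age_days: int = 60      # "over two months old" earns full age credit
    min_users: int = 1000       # "thousands of users" earns full prevalence credit
    allow_at: int = 90          # score >= allow_at  -> GOOD
    block_below: int = 30       # score <  block_below -> BAD (raise for a stricter site)


def reputation_score(f: FileFacts, now: datetime, policy: Policy) -> int:
    """Combine prevalence, age, provenance and mode of arrival into a 0..100 score.

    Start neutral at 50, add evidence of legitimacy, subtract evidence of risk, clamp.
    """
    if f.known_bad:
        return 0
    age_days = max(0.0, (now - f.first_seen) / timedelta(days=1))
    age_credit = 25.0 * min(age_days / policy.min_age_days, 1.0)
    prevalence_credit = 25.0 * min(f.user_count / policy.min_users, 1.0)
    provenance_credit = 10.0 if f.signed_by_trusted_publisher else 0.0
    arrival_penalty = 30.0 if f.arrived_via_spammy_email else 0.0
    raw = 50.0 + age_credit + prevalence_credit + provenance_credit - arrival_penalty
    return int(round(max(0.0, min(100.0, raw))))


def classify(f: FileFacts, now: datetime, policy: Policy = Policy()) -> Verdict:
    """Map a score onto the three-way white/grey/black outcome under the given policy."""
    score = reputation_score(f, now, policy)
    if f.known_bad or score < policy.block_below:
        return Verdict.BAD
    if score >= policy.allow_at:
        return Verdict.GOOD
    return Verdict.GREY


def looks_executable(data: bytes) -> bool:
    """Recognise executables by content, not extension (PE 'MZ' and ELF magic only)."""
    return data.startswith(b"MZ") or data.startswith(b"\x7fELF")


NOW = datetime(2011, 3, 1, tzinfo=timezone.utc)   # constructed reference time

# Constructed inventory mirroring the post's two examples plus edge cases.
SAMPLES = {
    "old_popular_signed": FileFacts("a" * 64, NOW - timedelta(days=90), 5000, True),
    "new_unknown":        FileFacts("b" * 64, NOW - timedelta(days=1), 0, False),
    "new_unknown_spammy": FileFacts("c" * 64, NOW - timedelta(days=1), 0, False,
                                    arrived_via_spammy_email=True),
    "middling":           FileFacts("d" * 64, NOW - timedelta(days=30), 200, False),
    "catalogued_malware": FileFacts("e" * 64, NOW - timedelta(days=400), 9_000_000, False,
                                    known_bad=True),
}


def classify_inventory(policy: Policy = Policy()) -> dict:
    """Return {sample name: verdict string} for the constructed inventory."""
    return {name: classify(facts, NOW, policy).value for name, facts in SAMPLES.items()}


if __name__ == "__main__":
    for name, verdict in classify_inventory().items():
        score = reputation_score(SAMPLES[name], NOW, Policy())
        print(f"{name:22s} score={score:3d}  {verdict}")
    print("MZ header looks executable:", looks_executable(b"MZ\x90\x00"))
```

The point of the neutral starting score is that a brand-new file with no users lands in the grey band rather than being blocked outright: it is only the combination with a risk signal (here, arrival via spam) that pushes it below the quarantine threshold. An administrator with a lower risk tolerance expresses that by raising `block_below`, which is the knob the McAfee paragraph describes, without touching the scoring itself.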
The truth is, as Blue Coat’s spokesperson told Quocirca, threat protection networks are “table stakes” for security vendors. You have to have one and it has to work. The vendors vary in their approaches but they all do the same sort of things. The speed at which new threats are discovered will depend on the size of the network, and as one of the biggest suppliers of security software to both businesses and consumers, Symantec’s is big.
Perhaps the biggest such network sits behind Microsoft's Forefront security offerings and the Microsoft Malware Protection Centre (MMPC). But as Quocirca has reported before, Microsoft has other shortcomings when it comes to security, mostly to do with its inward focus – only protecting its own infrastructure. This is where specialist security vendors definitely have the upper hand; for example, Symantec’s SEP 12 includes protection for Mac OS X and Linux. An ongoing race will be to extend protection to smartphones and tablets with their new range of operating systems. SEP 12 does not address this, but then nor do most of its competitors.
Bob Tarzey, analyst and director, Quocirca
Back in December Microsoft released Forefront Endpoint Protection 2010 (FEP), a suite that protects Windows PCs from malware and the like. Used in conjunction with Microsoft System Center Configuration Manager 2007 (MSCCM), it lets businesses make sure their Windows PC end points are up to date and secure. Together with BitLocker, Microsoft’s full disk encryption capability, and other security features that come with Windows, such as the Windows firewall, Microsoft now has a comprehensive capability to protect and manage Windows PC end points.
A further worry for its competitors is that business take-up of Windows 7 since its launch in October 2009 has been fairly slow, but this is expected to accelerate rapidly during 2011. A Microsoft large account reseller (LAR), which provides end point management services, told Quocirca that many of its customers are asking to upgrade in the next 12 months. One thing seems certain; when they do this they will review their Windows end point security in light of the offerings from Microsoft. For example, one CISO Quocirca spoke to stated:
“When we move to Windows 7 we will include an evaluation of Forefront and BitLocker alongside existing end point security”
So is Microsoft set to take the end point security market by storm and see off the security specialists that dominate at present such as Symantec, Trend Micro, McAfee and Sophos? In Quocirca’s view probably not; Microsoft has three problems.
First, although Windows 7 is expected to do well in 2011, it is no longer true that Windows-based PCs are the only end point most businesses have to worry about. Microsoft has failed to make much of an inroad into the smartphone market; its market share languishes at below 5%. Nokia/Symbian, Apple/iOS, Google Android and RIM are much more widely used and look set to remain so.
Furthermore, tablet computers are increasingly being used to access business IT resources. Gartner predicts 55 million unit sales of Apple’s iPad in 2011 and other hardware vendors are entering the market, many using the Google Android operating system. A CISO from a diehard Microsoft shop, which was an adopter of the forerunner to FEP, Forefront Client Security, told Quocirca that even they now have a “few iPhones and iPads” to worry about.
Vendors that specialise in end point security and management struggle to keep up with this diversity; Microsoft is not even trying. Worse still, Microsoft does not even support old versions of its own products: FEP is only available for Windows XP and later (not too bad), but BitLocker is only in Windows 7 and Vista (few businesses adopted the latter). As for Windows Mobile, don’t even bother – no FEP or BitLocker there. So if you are looking for a common security suite across all end points, Microsoft does not have the answer and it probably never will.
Microsoft’s second problem is that IT security is about much more than user end points. It is about servers, datacentres, networks and the increasing use of on-demand computing services. The revamped Forefront range includes offerings in these areas; Forefront Server Security (for Windows Server SharePoint, Exchange, Lync), Forefront Threat Management Gateway 2010 (was ISA Server) and Forefront Unified Access Gateway 2010 (was Intelligent Application Gateway). But, where businesses can no longer rely on the user end point devices being purely Microsoft, few have ever had such homogeneity at the backend. Most of those wanting a single vendor to cater for the majority of their security needs must look beyond Microsoft.
The third problem Microsoft faces is the channel. It is rolling out Forefront via a new value added distributor (VAD) programme. Its existing distributors are keen to join and capitalise on the Forefront opportunity. However, the resellers they must win over for this to succeed are less convinced. One told Quocirca:
“We always include Microsoft [security products] in a review but it has never come out on top”
Other resellers complain that there is little margin for them in Microsoft security products and they have to fall back on services, for which at least there is demand, as some find Microsoft’s products more complicated to deploy than those from other vendors. Furthermore, resellers have their existing relationships with security vendors whose products they have rolled out to their customers; Microsoft must overcome this double incumbency.
One final groan from resellers actually works in Microsoft’s favour. They complain that because Enterprise Agreements and Enterprise CALs (client access licences) – two ways larger businesses can license Microsoft technology – now include many Forefront products, their customers have already paid for the right to use them. When this is the case, there is no incremental product revenue for the reseller. End users must work out for themselves whether they have such rights and whether the Microsoft security products provide the protection they need; many resellers seem unlikely to highlight it for them.
Microsoft Forefront security will become more widely used in 2011, but there will be few organisations that will be able to rely solely on Microsoft for their IT security needs. There is plenty of opportunity left for the specialist security vendors.
Bob Tarzey, Analyst and Director, Quocirca