McAfee is perhaps still best known as a force in antivirus tools, but the company's offerings today range from antispam to host intrusion prevention. Network World Editor in Chief John Dix recently caught up with McAfee President Gene Hodges for a company update and his view of how security is evolving.
Let's start with your view of security, how it is changing.
We see an awful lot more focus on "What am I getting for my money?" "How can I be sure that a security expense is going to help me be safer." That's a fair question because a lot of money has been spent but a lot of damage is still being done. It is fairly frustrating to business managers to have these security tools and then hear "Yes, but we need to do this other stuff."
There is also an important trend towards security being viewed as a critical component of regulatory compliance - everything from Sarbanes-Oxley to data privacy laws in Europe. These don't necessarily dictate one security strategy or another, but simply drive customers to put a lot more focus on security.
And I think the community, especially large businesses, are going to focus a lot more on, "How do I minimize my cost at a given level of acceptable risk." We haven't felt that pressure heavily in the past couple of years, but large companies have a fairly large set of defenses and I think they will start to emphasize some and de-emphasize others.
What we hear from Network World readers is they want fewer components to manage.
We think that is going to be a fairly heavy buying emphasis in 2006. On the system security side, we are releasing integrated suites which cover antivirus, anti-spyware, host intrusion prevention, application firewall and the system interface to network access control. This is the majority of the "keep the bad guys out" security componentry, all managed through one management infrastructure.
On the network side of the house there is a convergence of three separate technologies: intrusion prevention, firewalling and content management. And we have just shipped a series of integrated content management appliances that pull together all the mail filtering functions and all the Web filtering functions - we will integrate those intrusion prevention appliances for large enterprises and service providers next year.
I believe the desire for simplifying management, which is really part of the cost containment drive, is still not going to result in customer's accepting mediocre products. Best of breed or near best of breed is still going to be a requirement because there will be several vendors with fairly broad integrated offerings.
What percentage of your business is in the enterprise?
Is the rest of it consumer?
Yes. antivirus is still the biggest for us. IPS is the fastest growing in terms of dollar growth. That has been a market that has moved from bleeding edge to being one that is fairly well accepted.
All security vendors insist their customers use the automated response abilities of their tools, but on a recent Network World security tour most of the people in the room said they still don't turn them on. What's your experience?
Well, in our network intrusion prevention base of customers, and this is something we watch pretty closely, 75 percent have automated response enabled. Of that, I would say a fairly small amount, 10 percent to 20 percent, have all the automated responses enabled. If you go back two years ago, almost no one turned on any automated response.
What do customers tend to turn on first?
They turn on signatures first and that is done in an IPS system or a firewall or even a router because it has a high reliability identification of known attacks. When Zotob hit, for example, many customers had a Zotob signature already deployed.
When you go beyond the signature approach, into behavioral analysis, the first thing they tend to turn on is denial-of-service attacks because those have a fairly high success rate and a high impact. We generally lay out a step-by-step set of suggestions for the customers in terms of what we would suggest they turn on depending on the business environment.
You folks have close to US$1 billion in cash and short term investments. Any areas where you need to round out the portfolio?
There are several. We are very interested in compliance as an area, there are multiple facets to compliance, many of them industry specific. So we will probably end up doing several relatively small acquisitions.
In addition, we are interested in managed services in general. We just announced an online managed mail service which we are OEM-ing, and that might be an area we want to get into over time. Internet access control is an interesting area, and one that has not had a great deal of competition.
On the technology front, extrusion prevention ...
Is that what some refer to as the information leakage problem?
Yes. Information leakage is of interest and that falls in two broad categories: the transactional types of information, making sure the guys who are touching the SAP system haven't just compromised someone and gotten their password and their RSA token; and document oriented content, keeping contracts or confidential customer information from leaving the company. It is a market with a large number of pretty interesting companies for acquisition. I think all of the larger players will probably be relatively inquisitive.
Our perspective is the customers want to buy a solution, not piece parts. Suites that are collections of unintegrated products are less interesting to the customer than suites that are well integrated.
How do you define integration?
Management is the key. The basics of an integrated product are fairly easy to tell in terms of what pieces fit together. The management console needs to do more than just screen scrape. Integration at the management console level means a scheme that holds all the information so you can report using joins. I mean, you might want to ask what machines have had virus attacks and are vulnerable. That is information that will come from a vulnerability management product and from an antivirus product. So it means integrated structures, integrated process communication mechanisms.
Given that most of the big vendors are chanting the same integration story, what sets you apart?
The differentiation is on the capabilities of the specific products. For example on the systems side, we have customers with policy management systems that are deployed over a hundred thousand devices.
In a typical evolutionary market, Microsoft and Cisco are able to bring their balance sheet to bear, their marketing muscle to bear. But as the market evolves, the tough question for them is, can they keep up. That's what makes security a viable market for smaller companies. It is hard for the battleships to get the guns trained.
I think the relative balance between the T-rex's and the raptors is going to be driven heavily by the hacker community. If the pace of hacker innovations slows down, the big guys will be able to bring their financial resources to bear and they are going to do us a lot of harm. If the bad guys remain innovative and keep coming up with new, nasty things every six months or a year, that will make it a tough target to track.
Microsoft has bought a few companies and seems to be building a security story. What do you expect from them?
I think they will both acquire and attempt to organically develop, and Microsoft's objective is to be a very broad based security supplier. I think the only parts of the network where they don't have aspirations are in network intrusion prevention and maybe Internet access control. They are not net heads. They are systems guys.
They build and ship VPN's. That isn't competitive in large enterprises with Cisco or Juniper, but it is a very competitive product for small enterprises. So their objective is very broad ranging and I think they are extremely serious about applying resources.
From a competitive perspective, I think it is equally as foolish for us as a competitor to take them lightly as it is to assume their victory is preordained. They actually have to pass the test of stopping the hacker to earn corporate respect. And I think it will be a test even for mighty Microsoft. I mean, if it wasn't a test, why the hell are there holes in their operating system to start with?
How about competition with the core security guys, Symantec, Trend Micro, ISS?
It is different for each one. With Symantec, the differentiation is predominantly on integration. Symantec has a broader product set but their product set is not well integrated and does not scale nearly as well. So the management infrastructure and the integration with the various components is the key mechanism.
ISS is a very strong competitor in IPS and the competition is typically a technical knock down, drag out battle over who has the best IPS system with all the detailed aspects of evaluation.
Trend Micro is more focused on antivirus, so the competition within large enterprises is a knock down, drag out over detailed antivirus capabilities. In small enterprises it is much more about who does the channel best.
Any one you see more often than others?
It depends on the segment of the market. In IPS, ISS and Cisco are competitors in almost every deal. It is fairly rare that we win an IPS sale when one of those guys has not been involved. And in antivirus it is rare that Symantec is not involved. Trend Micro is not quite at the same level but they are clearly a global player in the antivirus market.
All of these guys are fairly high quality companies from a technology perspective. They are not producing junk.
What happens next in security?
The future of security is driven by the hacker. This is not simply a market where we anticipate technology to meet customer needs. The bad guy determines what next year's threat is going to be and when you look at the hacker community, the big change over the last two years has been its move from very bright individuals who were basically seeking fame, to organized groups driven by fortune.
We can't say with certainty what the next type of attacks are going to be. What we can say is these attacks are possible. And the level of organization of the hackers means that much more complex attacks and much more targeted attacks are possible.
If you wanted to spend $50,000 to $100,000 you could take out the infrastructure of your biggest competitor. Now we have never seen an example of that, but it is possible and that can be applied to angry people who have many different motivations, some of them financial, some of them religious, some of them political.
So the direction of the market is going to be determined very much by how aggressively these organized groups pursue these different avenues of attack.