Sophos lands 120,000 seat deal at Northrop Grumman

Posted by Paul Roberts on April 23rd, 2008 under Anti Data Leakage, M&A, Malware, NAC, Policy Enforcement, Port and Device Control.

There’s more evidence of a shakeout in the antimalware space, as sources tell us that UK-based Sophos landed a 120,000 seat deal for endpoint security software at defense contractor Northrop Grumman, displacing its larger competitor, Symantec. The deal is just the latest of this sort. We wrote last year about GE ousting Big Yellow in favor of Sophos, citing that company’s integrated NAC and endpoint agent.

Anecdotal evidence we’ve heard suggests you should expect to see more bloodletting in the months ahead — and not just at the tip of Sophos’s spear. McAfee, Kaspersky Labs and a whole host of other competitors tell us that they’re doing well at the expense of “Big Yellow”.

Why all this turmoil in enterprise accounts that were once pretty static? We think the antimalware software (fka “antivirus software”) industry is at the tail end of what has been a buoyant, decade-long run that saw well-positioned players like Symantec Corp. increase revenues from $472m in 1997 to $5.1 Bn in 2007. Today, the bedrock on which endpoint security was built is starting to crumble. The research teams that keep threat signature detection engines current are being overwhelmed by the volume of new viruses, worms, spam and other malicious programs. On the customer end, frustration is growing both with fat uber-agents that have developed in recent years, as well as with the cumbersome infrastructure of update servers and signature updates to support them. In short: enterprises have had it and are ready to look around, either at other endpoint security companies or at out of the box solutions like application whitelisting or patch and configuration management solutions that obviate threat detection.

Symantec’s acquisition-heavy strategy has left them particularly exposed in such an environment, with a mountain of “not developed here” code and huge integration challenges. Of course, those challenges are true of almost every acquisition, but they’re acute at Symantec because that company’s reliance on “buy” versus “build” in the last decade was, itself, so lopsided. How lopsided? Just for kicks, I did a search on The 451 Group’s M&A Knowledgebase. Since January 1, 2002, McAfee has completed 14 deals for around $869m, including the $350m purchase of encryption vendor Safeboot last year, and another $200m or so on IPS vendors Intruvert and Entercept back in 2003. During that same time period, Sophos has done two deals for a total of $48m — antispam outfit ActiveState Software and NAC firm Endforce. Trend Micro has done six deals for a paltry $21m since the start of 2002 ($15m of that was spent to acquire spyware and content filtering firm Intermute in 2005). Symantec? Since 2002, the company has completed 25 deals totalling $16.7b. Even factoring out the $13.5b acquisition of storage vendor Veritas in 2004, Symantec has outspent its closest rivals by 3:1, spending twice as much on NAC startup Sygate, for example, as Sophos and Trend did on all their acquisitions during the same time period.

Is that a problem? Not at all — so long as Symantec’s bankroll and acquisitions have the effect of pushing its smaller competitors off the playing field. But just the opposite seems to be happening: smaller competitors — even private firms, like Sophos — are making inroads into large enterprise accounts that were once Symantec’s bread and butter. Sophos’s 100,000+ seat deal with GE was an icebreaker; now other large enterprises like Northrop are following suit.

Price is surely a deciding factor in many of these accounts. (Sophos gave GE a sweet deal to claim that large enterprise scalp.) But it’s not the only one, and not adequate to explain the blood in the water in the antimalware space. Agent size, update size and frequency, quality of detection, management tools and feature set all play a part. Having wow features like anti data leakage and device control is great, but it’s more important that the stuff works without hosing the XP machines your employees need to be productive. History has shown that flying the Vontu banner at RSA is one thing, and getting the Vontu code baked into your agent is something very different.

Symantec, itself, seems to realize this. Newly appointed COO Enrique Salem is reportedly shaking up a corporate hierarchy that had become sclerotic and inefficient, abolishing the Group President position within the enterprise product groups and moving things around to try to encourage cross-product integration. Furthermore, the company’s Altiris acquisition could prove to be prescient, in a way that Veritas was not, as the endpoint security market tips toward better endpoint management and away from threat detection and blocking.
