John Thompson On The Changing Face Of Security

Building the case for integration

John Thompson, chairman and CEO of Symantec, the Cupertino, Calif.-based security and data protection giant, is all about integration: getting security products to work together, getting storage products to work together, and getting security and storage to work together. But in addition to bringing his company's products together, he is not shy about taking apart competitors like EMC, Microsoft, and McAfee. Joseph F. Kovar, senior editor of ChannelWeb, recently had a chance to speak with Thompson about security, storage, and the future.

Last month, Microsoft was awarded a patent for a "System and method for proactive computer virus protection." Has Symantec had a chance to look at that?

I'm sure our guys at the research labs have. Candidly, when we saw the patent award, we were somewhat miffed because it looks like what we and others in the industry have been doing for a long, long time. It may just very well be part of a problem that we have observed for many years, which is that the Patent Office in Washington, D.C. is just overwhelmed. They are overwhelmed by the number of patent requests. They're understaffed, quite frankly, to evaluate a lot of these things. And so it remains to be seen whether or not what Microsoft has is unique, or if it's candidly stepping on patents or techniques or technologies that have already been deployed by many companies in the past.

So, at this point, it's still too early to know for sure?

Yeah, I mean until there is some assertion by them or someone else about someone violating their patent, I just think it's interesting chatter. That's all it is: chatter.

Symantec paid $350 million for Vontu for its data loss prevention technology. But as you look at the market, the technology seems to be starting to get commoditized.

Au contraire. . . .

You don't agree?

Vontu's approach to DLP (data loss prevention) is quite different than (that of) anyone else who is in the space. Arguably, one of the technologies that gets used for DLP is encryption. That clearly isn't what Vontu does. By contrast, what Vontu does is, it looks at the actual content and allows you to build specific policies around the content -- specific content that you want to protect.

So let's give an example. Let's assume you have a set of statistical drawings or set of documents that were very, very sensitive or had watermarks that are legends on (the documents). You could define through your policy that any time that a document or legend or watermark or image is either stored in an endpoint, stored on the network, or stored in a storage array, I want to know where it is. And I want to be able to control the flow of that because it's either proprietary or sensitive or important to the company. There's no other technology in the marketplace like that. We believe that, as security has evolved, you have to move the concepts of protection closer and closer to the actual content itself. [Vontu] understands the specific content of a data stream, and you can put policies around it about how you want to control it. It gives you a much more granular level of protection.

What about competition with Vontu technology?

There is no similar approach to data loss prevention. EMC bought a firm called Tablus. McAfee bought something called Onigma. It's been an "enigma" to us. I haven't seen it since they bought it. WebSense bought a little company. And each of these little companies, because it is a new area, has taken a slightly different approach.

We just happen to think, from the diligence work that we did, with customers in particular, that customers were truly, truly impressed with Vontu's capabilities. And more of them were deploying that than any other solution for data loss protection.

Symantec's Endpoint 11 seems like a complete overhaul aimed at fixing the performance of previous versions. Has it succeeded?

In the first two quarters after availability, we shipped more than 40 million endpoints. And it was truly a complete rewrite of our endpoint protection approach, to go from five or six agents down to one. [Customers] want granular-level protection without the overhead and performance degradations that are associated with running multiple agents. They want the ease of manageability and deployment of a single agent versus multiple agents. Symantec Endpoint 11 gives them all of what they want, plus better manageability, better performance, and an approach to deploying network admission control without having to deploy yet another agent on the device.

The biggest acquisition Symantec did was Veritas. How has the integration of security and management progressed?

That's a really good question. I think when we did that, people thought, sheesh, this is the craziest thing we ever heard of. Now, page forward three years, and guess what? Our Backup Exec product has integrated within it our ThreatCon alerting capabilities, so as the threat level escalates or rises you'll be able to more frequently back up data. Now why is that important? Well, if you did a backup today versus a week ago, or an hour ago versus a day ago, the recovery time is one heck of a lot faster. And therefore it gets customers back on line a lot faster.

Concepts like data loss prevention were not at all on the radar screen for people three years ago. Well, guess what? Data loss prevention is [now] a very critical element of how customers layer security technologies onto their environment.

Security's always been about layering. In the 2003 to 2004 time frame, people thought layering was about firewalls, intrusion sensors, anti-virus agents. And what they've come to learn is, those technologies are necessary, but not sufficient. Now what you need are technologies that get closer and closer and closer to the data itself, where it's being used, where it's being stored, how it's being managed.

Well, we happen to manage 50 percent of the world's stored digital content. Our products, Backup Exec and NetBackup, lead the marketplace with almost a 50-percent share. You don't think we have better insight into how to protect and secure than someone else? I think we do.

In addition to Symantec's acquisition of Veritas, we also saw EMC's acquisition of RSA, along with a number of other moves EMC is doing to bring storage and security together. How do you contrast Symantec's moves versus EMC's?

Our approach is giving customers a hardware-agnostic, hardware-independent view of how to manage and secure their stored data. EMC's approach is about optimizing the EMC storage array. And so, it's more closed, it's more proprietary. If a customer has a combination of HP, Dell, and EMC storage involved, or has IBM and Hitachi and EMC storage involved, EMC is not interested in delivering a solution that is hardware-agnostic.

We are. We think that is, in fact, what distinguishes us from anyone else in the industry. And so, while EMC's done a nice job of validating what we set out to do in 2004, when we announced the acquisition of Veritas, EMC's moves don't vindicate us. We only vindicate ourselves by our actions. If you look at how our portfolio has advanced over the course of the last two years, it underpins this notion that, as people create more digital content, and create more information, they have to both manage it and secure it. And those processes can't be separated as they have been historically. They have to be more tightly integrated.

How confident are you about customer spending for the rest of the year?

We feel good about our business and its ability to weather any economic downturn. In good or bad times, you must back up your data. In good or bad times, you must secure the critical connections and the critical information you have as a part of your infrastructure. These are not deferrable expenditures. They are a part of running a well-managed IT operation.

Now, that being said, we're certainly not immune. As customers think about deployment across a broader number of servers, or the rollout of new applications that might require additional backup capabilities, as they defer those things, it could ultimately have an impact on us.

But the core business of security and backup and recovery is a very, very solid business in good or in bad times.

Software as a service is a big push for Symantec. What parts of the Symantec business have already been brought to market as a service, and what has not yet been done as a service?

What we have done is, first, deliver a SaaS platform which is a substrate of technology that does provisioning, metering, billing. It does all the things that any platform on which multiple services are delivered is expected to do.

And on top of that SaaS platform, we already deliver two distinct services. One is an online backup service, so if you are a subscriber of the service, and you decide that you want all or some portion of your data backed up on a regular basis as it changes, the system will automatically do that for you. It's browser-based, it's easy to implement, it's targeted at the small to midsized company market.

The second service is one that we sell with Backup Exec. In many instances, midmarket customers would like to have an ability for both onsite and offsite backup. So if ever I have a fire or a natural disaster of some sort, I'd have an offsite capability to automatically restore, or have disaster recovery provisioning to automatically restore [data]. And what that service does is link the service with the product to create a true disaster recovery capability.

As time goes on, we have said we will deliver incremental services on top of that substrate that are consistent with where we have expertise and knowledge.

Can you give an example?

Archiving. Many customers would prefer to have the archiving process managed offline, or managed by someone else. [Then] on top of the archive you could deliver e-discovery functions. Or messaging, or mail management. Many customers have certainly acknowledged that mail is a mission-critical application. But the management of the mail infrastructure, and the management of the updating and delivery of that infrastructure is not a critical IT task. That's not a strategic IT task. That is an operational task that clearly could be outsourced or out-tasked.

And then another would be endpoint protection. You could literally have us manage and secure the endpoints that are a part of your environment, delivering not just malicious content scanning and eradication, but also network admission control and a range of other things, if you will, that live and reside between the endpoint and somewhere in the cloud itself.

And so we think there's a really good roadmap to pursue a very, very large opportunity to deliver a number of our products as a service on top of this infrastructure or substrate that we have built, called SPN, or the Symantec Protection Network.

What are target times for some of these things?

Two are in the market now, and the others will roll out over the course of the next six to 18 months. I think the next service that is planned -- I get confused whether it's archiving or messaging -- but one of those two is coming next.

One of the things brought up at the recent RSA Security conference is that there is more malware being created today than there are legitimate applications. How does that impact the way people and companies go about their business? Is that a big concern?

It's a huge concern. A lot of malware is being "consumed," for lack of a better term, by individual users and small businesses who don't really have the same degree of sophistication or the same kind of tools or resources and skill that a large organization might have to deal with it.

We think there will come a moment in time where the notion of blacklist versus whitelist will flip.

Today, we determine that a piece of code is malicious, and we put the profile of that code in a blacklist. And any time it shows up, we block it.

In the future, it might very well be that you define those things that are good. And we put those things that are good in a whitelist. And any time those show up, you're allowed to run it. And if it's not on that list, you can't. In other words, it's pre-approved, pre-tested, pre-cleansed to be legitimate, because the rate and pace of growth of malicious content is becoming so significant that it will be difficult to keep up with.

Is that technology available today?

There are a couple of small firms that do it today. We have our own approach that we have developed in our labs.

Think about it this way. We sit on more than 100 million endpoints around the world. And so we see a lot of this malicious activity all the time. So our ability to not only sense what's bad but also what's good is probably stronger than anyone else's in the industry, given our penetration across so many endpoints.

And so we are building a network to sense and distribute both blacklists and whitelists, that will allow us to have both of those capabilities embedded within our products.

What are you looking at for the future?

There are a number of things we're focused on for this calendar or fiscal year. Perhaps the two biggest areas of our product engineering are on our Altiris [network-based endpoint management and service] platform, where we will ship Altiris 7 this fall. It will have a much, much tighter integration of workflow technologies so customers can define processes that they want to implement and have them done automatically as opposed to having to have human-intensive or labor-intensive activities around the management of desktops and servers and laptops. The endpoint protection integration with Altiris will be a follow-on to Altiris 7.

The next big opportunity for us this year is around compliance. More and more IT organizations are being asked to do more and more to validate the degree to which a company or an organization is compliant with whatever the rules or regulations or best practices might be. And we've had market-leading solutions for a long time that are both agent-based -- in other words, an agent sits on a server or a drive -- or agent-less, which is a way to sit on a network and scan for compliance.

We're bringing those things together in a fully integrated suite that does assessment, definition, control, and remediation of all the relevant policy issues around policy compliance. And while there are many companies that do one or two pieces of it, we have the most complete arsenal of capabilities. And we'll have the most integrated functional suite when we deliver this in the fall of this year.