Information Security

Defending the digital infrastructure


Evaluate Weigh the pros and cons of technologies, products and projects you are considering.

Symantec 2.0

John Thompson and Symantec are staking their claim as one of Silicon Valley's leading innovators. Will they succeed?

John Thompson and company are staking their claim as one of Silicon Valley's leading innovators. Will they succeed?

Silicon Valley is rife with companies famous for their technological innovations—Hewlett-Packard, whose founders essentially invented the valley's high-tech culture; Xerox, in whose famed Palo Alto Research Center lab was born much of the foundation for today's personal computers; Intel, whose co-founder Gordon Moore prophesied the huge technological gains of the last three decades—the list goes on and on. One company that would make almost no one's list of great innovators, Symantec, is in the midst of a quiet technological and cultural makeover designed to change that perception and cement the company's spot atop the security industry. Executing on a strategy of innovation and acquisition is Big Yellow's challenge.

Since its inception in the 1980s, Symantec has existed literally and figuratively in the shadow of its older and more established valley brethren. Sitting mere miles from the headquarters of HP, Xerox PARC, Intel and other members of the industry's ruling elite, Symantec has been best-known for its acquisitive tendencies and penchant for morphing and changing strategies every couple of years. Within a decade, the company evolved from a maker of basic computing utilities and productivity software into an antivirus vendor that also had some utilities, and then completed the transformation into a one-stop-shop for enterprise and consumer security products.

A new evolution is under way, one that began with the company's audacious acquisition last year of storage and backup leader Veritas, but is being pushed forward by a wave of internal innovation and product development unprecedented in the company's history. The goal is to turn Symantec—already a $5 billion company—into one of the dominant players in the software industry, on an equal footing with Sun, Oracle and even Microsoft.

Of Veritas and Vista
Symantec CEO John Thompson, a veteran of more than three decades in the software industry, has no illusions about the challenges facing his company. He knows that Microsoft is seriously attempting to make third-party antivirus software obsolete by building its own virus and spyware protections into Windows Vista. He knows that IBM, the company where he spent more than 20 years and whose culture of discipline he has brought to Symantec, is making noise in the security market with its recent acquisition of Internet Security Systems. And, he knows that critics in the financial community, his customer base and most of the security industry are convinced that the Veritas deal was a huge mistake, one that could prove to be as crippling to Thompson and Symantec as the HP acquisition of Compaq was to HP's then-CEO Carly Fiorina.

Thompson, a supremely confident man who leaves little to chance, has no patience for such criticism. (See "One-on-One")

"One of the things my team and I get paid to do is to think about where markets are going and what customer needs are likely to be; to try to anticipate that and move in that direction," he says. "That's clearly what we were doing with the Veritas transaction. Could we have done a better job of articulating the why more clearly, more concisely, more frequently and with greater vigor and zeal? No question about it. But because we were first movers, because we were far ahead of conventional wisdom, people tend to react more negatively. But, that's OK. We're certainly prepared to stick to our knitting, to stick to our beliefs and philosophies and move forward from there."

Jon Oltsik, senior analyst with Enterprise Strategy Group, believes the chance Thompson took with the Veritas deal appears to be paying off.

"It's been a big job integrating two $5 billion-plus companies. It's been overwhelming. [Symantec has] taken a lot of heat on this, and the upside has taken a while to emerge," Oltsik says. "Storage, security and data management are headed down the same path, and Symantec has been a pioneer [in this market]. It's all in the enterprise risk management area. There's more upside than downside, and I think you're seeing that now with the EMC and RSA deal."

Gordon Eubanks, Thompson's predecessor as CEO, knows a bit about integrating large acquisitions and pushing a company through often painful transitions. Eubanks says that managing such changes is all about having a clear goal and executing on the moves necessary to achieve it, regardless of outside praise or criticism.

"When the market is leveling, big players get into it and you have to make a change, the key is to pick an area where you can be successful, there's growth and you can be a leader," Eubanks says. "It isn't good enough to say that the market is big and, if I just get 10 percent of it, I'll be OK. That's a losing strategy. It never works because you don't have the scope and the scale. [Symantec] can't just stay where it is. That won't go on forever against Microsoft, and John knows that. He's a very smart, prepared and capable guy."

While customers and analysts like the direction Symantec is headed, there are still a number of challenges ahead for the company. Not the least of these is the looming specter of Microsoft and its OneCare security suite. OneCare is available now as an on-demand service for consumers, and it will be an integral part of Windows Vista. The offering includes both antivirus and antispyware software, placing it squarely in the path of the most lucrative part of Symantec's portfolio.

But it likely will be some time before OneCare makes much of a dent in the market, thanks to the large leads that Symantec, McAfee and others have on the desktop.

"Symantec definitely has a challenge from Microsoft on the desktop, but it's going to be more slow and steady than people think," Oltsik says. "I think Symantec is better off than people think. It's going to take enterprises in particular a long time to upgrade to Vista."


To Buy or Build
This new attitude and strategy at Symantec is not so much about securing systems and networks as it is protecting the data that resides on those machines and ensuring that only the appropriate people, applications and processes have access to it. The Veritas purchase fits neatly into that line of thinking, as do a number of advanced projects the company has in the works.

To help shape Symantec into the enterprise software provider he wants it to be, Thompson and his executive team are relying on their tried-and-true method of innovation through acquisition. But they're also putting much of their faith in the company's growing internal research team.

That team is the domain of Stephen Trilling, vice president of research and advanced development who runs the company's four research groups: core research, university, government and advanced concepts. Each group has its charter and operates somewhat independently, but they also work together occasionally and share ideas constantly. The more than 50 researchers the company employs get the chance to work on a lot of complex and interesting projects, but Trilling makes it clear that his is no pie-in-the-sky lab with indeterminate milestones and vague goals.

"We want every part of what we do to bring value to our customers," Trilling says. "Developing an entirely new product is expensive. We have millions of customers who expect a high level of quality. We keep tight reins on the projects, but we give people the freedom to innovate."

Probably the purest example of this idea is the advanced concepts research group. This team is designed to operate like a startup: Find a need for a product in an uncertain market, build it and ship it to a few adventurous customers to see how it holds up, and then see whether one of the Symantec business units is interested in adopting it.

Occasionally, one of the other research teams will transfer its projects to the advanced concepts group to get it customer-ready. One of the first products to emerge from this process is the company's forthcoming database security and auditing tool, an appliance-based offering that will hit the market in the next few months. The core research team created the technology and transferred it to advanced concepts, which got it into the hands of a few customers for evaluation.

The tool, Symantec Database Security, is essentially an out-of-band network sniffer that looks at a copy of the traffic going to and from the database. Like other similar tools, it has a learning mode in which it observes typical database traffic and learns which queries should be considered legitimate. It can then flag potentially malicious or abnormal database queries for follow-up. It also has a feature Trilling calls "extrusion detection" that can send up alerts whenever potentially sensitive data leaves the network. The first version will not be able to block malicious queries, however.

Although several vendors, including Lumigent Techno-logies and Tizor Systems, have had database security and auditing tools on the market for years, Thompson believes that building such technology in-house instead of going down the acquisition path has benefits for Symantec.

"[The research group] knew that no one was focused on that particular problem area and took a few of the technologies we had that were focused on the inside threat. The group said, 'Is there something we could do that would move our technology closer to where the data is being managed that would allow us to deliver better protection?'" says Thompson. "They came up with this idea, they prototyped it, they worked with some customers, and it's worked its way through the cycle and will become a part of a business unit. It's transferred from the research lab to the business unit, and they sustain it in the marketplace as part of the broader enterprise security strategy."

CareGroup Healthcare System, a Boston-based management company that runs three hospitals in the city, has been testing Database Security since its alpha phase, and administrators at the company are pleased with its simplicity and effectiveness. Thanks to HIPAA, the auditing and security requirements have multiplied exponentially in recent years, and Ayad Shammout, lead technical database administrator at CareGroup, was making do with a patchwork of native database tools and custom scripts he and his team had written over the years.

"We're trying to get to the point of maximizing security and availability without adding any overhead to the system. The big advantage [of Database Security] is that it runs in passive mode, so I don't have to worry if we add another server. It's automatically protected," Shammout says. "We've set up a custom policy that alerts us when someone queries a particular column or field with patient data in it, so we can go back and see who did that and when. It's very simple. You don't have to be a security expert."

A Billion dollar opportunity
Among Thompson's top lieutenants, Jeremy Burton is an anomaly. Most of Symantec's senior executives have been with the company for years; Burton came over as part of the Veritas acquisition. But he has quickly established himself as an integral part of the senior management and is the man mainly responsible for running what used to be the Veritas business. Integrating the company's data management, backup and storage business into Big Yellow has taken quite a bit of doing, but Burton and, more importantly, Thompson are satisfied with the results thus far.

Many observers, industry analysts and customers expected Symantec to integrate Veritas into the company in the literal sense, by actually combining products and technologies. However, that has not been—and likely will not be—the case for the most part. Instead, the company is working to bring together disparate approaches to problem-solving and product development, and is looking to apply various technologies to customer problems, whether they be security, storage or somewhere in the middle.

The common thread running through many of the initiatives is Symantec's focus on securing and managing the terabytes of unstructured data enterprises have sitting around in applications such as email and instant messaging. Burton, group president of the enterprise security and data management group, believes such data represents an enormous risk to enterprises, and also a huge opportunity for whomever can help them organize and protect it.

"The risk that exists in data stored on file systems and email is huge," Burton says. "There's a billion-dollar opportunity in building applications to go against unstructured data. You have to look at the data in real time and historical context, and understand the risk."

Seth Shestack, acting CISO at Temple University in Philadelphia, has the same concerns Burton does about the relative insecurity of tools like IM. Temple, like most universities, has several different networks—academic and research among them—and each has its own security and openness requirements.

"I would say it's impossible to protect everything, overall," Shestack says. "We use the island concept and protect each one individually. But we have things like IM that we have to allow because there's so much demand for it. I'm really looking at the IM security problem. We don't manage IM, and that's not something I'm comfortable with.

I'm interested in what we can do about that with IMlogic [which Symantec acquired this year]. Where these things fit together—integrated support from them—is great. It's a time- and money-saver.

"That's one of Symantec's strengths," Shestack says. "But it's another thing to fully integrate the products and merge the technologies."

One outgrowth of Symantec's effort to protect data in transit is a project aimed at developing an application that inspects HTTP traffic and identifies sensitive data or files leaving an organization. The project is still in the research phase, but Burton is optimistic about its future.

Also on the horizon is an increased emphasis on managed security and availability services. Both Thompson and Burton pointed to managed services as a key area of both investment and potential revenue growth for the company in the coming year. Symantec currently has a handful of managed security services, but as the costs of running data centers continue to shoot upward, executives expect many more companies to look for ways to reduce those costs by handing off some of the management duties to outside vendors. Burton points to online backup, antivirus, antispam and remote access as key areas where Symantec has an opportunity to make a serious dent.

"Delivering managed services for SMBs is going to be a big thing for us next year," Burton says. "We can probably do a better job of protecting data and do it at a lower cost than they can. We will have a following wind on the economics of this. The costs of storage and bandwidth are dropping, and it could be a billion-dollar business in the future."


Article 17 of 20

Dig Deeper on Security industry market trends, predictions and forecasts

Start the conversation

Send me notifications when other members comment.

Please create a username to comment.

Get More Information Security

Access to all of our back issues View All