Microsoft's security program is lost in time.
While it works diligently to bring yesterday's antimalware solution to market with Microsoft Security Essentials (MSE), the company is completely losing the future of security definition to competitors, with recent evidence supplied courtesy of Google's Chrome OS announcement and Check Point's browser sandboxing feature. There are a few points where Microsoft security is losing time.
Refining yesterday's technology
MSE is a signature-based antimalware product that Microsoft intends to make free for consumers, requiring ForeFront Inc. management for commercial organizations. There is not a lot of leadership here. Comcast Corp. users can already get McAfee endpoint protection for free, or users can download free versions of AVG or Avast.
Also, AV-Comparatives applauds Microsoft for a 60% catch rate in its antimalware product. While that is better than McAfee Inc. (25%), Sophos plc (37%) and Symantec Corp. (35%), it still means that Microsoft's scan engine did not detect 2 out of 5 attacks. Even Symantec's Quorum project admits to the futility of yesterday's technology -- Microsoft is just losing time trying to improve it.
MSE joins ForeFront Stirling as security products on multi-year product cycles. MSE is now in public beta to 75,000 lucky people with release to manufacturing late this year, and inclusion into the ForeFront client in the first half of 2010. Meanwhile, threats have moved to Web-based attacks featuring spam, phishing and infected websites. Google may ship an entire OS in less time than Microsoft takes to ship an AV product for businesses.
Losing control of the future
The attractiveness of Google Chrome OS is not its claims to be more secure (Google's software applications do not inspire confidence), but rather in the logic of achieving better security through a new approach. Saving documents in the Google data center lessens the burden of endpoint data security, a barebones OS reduces the attack surface of privileged code to protect, and downloading trusted applications to execute on a temporary basis can simplify configuration management. Many customers are using virtual desktops from Ringcube Technologies Inc. and Virtual Computer Corp., as well as Citrix Systems Inc. and VMware Inc. to assure compliant endpoint configurations. While Symantec and Cisco Systems Inc. focus on reputation filtering, and Trend Micro Inc. tilts its product mix to cloud security services, Microsoft is silent in the dialog for the future of secure computing.
Google Chrome OS might be the best thing to get Microsoft security to push the state of the art. An endpoint consisting of a browser, network card, printer, user interface, Microsoft Office, and a handful of personal applications, probably satisfies 95% of the market and could disrupt the security model.
To be fair, Microsoft has made great strides in improving the security of its products. The SDL investments are paying off with solid products such as SQL Server, and they are to be commended for taking the vulnerability problem head on with Patch Tuesday and for attempting to make MSE antimalware ubiquitous on consumer endpoints. However, their security program is far from inspiring given their leadership potential. Bill Gates was able to turn Microsoft into an Internet company over night, but the company is stymied by the security challenges of obsolete approaches. Microsoft is a non-player in the security industry and it would be nice for all of us if that were not true.
Eric Ogren is founder and principal analyst of the Ogren Group, which provides industry analyst services for vendors focusing on virtualization and security. Prior to founding the Ogren Group, Eric served as a security industry analyst for the Yankee Group and ESG. Ogren has also served as vice president of marketing at security startups Okena, Sequation and Tizor. He can be reached by sending an email to email@example.com.