One-Stop Security Shop Doesn't Appeal To AllOne-Stop Security Shop Doesn't Appeal To All

Microsoft says it will be some time before it builds antivirus capabilities into its applications and operating system even with its pending acquisition of an antivirus firm, and some IT security professionals say they're in no hurry to see Microsoft do this.

Gene Fredriksen, VP of information security for financial-services firm Raymond James & Associates, admits that buying many applications from a single vendor can help with manageability, but the tactic runs counter to his information-security philosophy. "One of the fundamental precepts ... is to build multiple layers," Fredriksen says. "And it's about accountability. I'm not going to have the same company that provides my tools provide the security for those tools. You have to separate duties and not put all of your eggs in one basket."

Microsoft's acquisition of Romanian antivirus firm GeCAD Software Srl. and its purchase earlier this year of security startup Pelican Security support its Trustworthy Computing initiative. That's the company's long-term plan to make its software and services more secure from attacks. Pelican's software attempts to determine the behavior of applications and then potentially stop malicious activity.

Microsoft platforms have been prime targets for virus writers because of their ubiquity. The worms and viruses with the greatest impact, from the ILoveYou virus in 2000 to Code Red, Nimda, and SQL Slammer worms, all targeted Microsoft applications. Analysts have pegged the cost of damage and cleanup at well into the billions of dollars.

Mark Johnson, global director of information security for financial-services software developer London Bridge Group Inc., says mergers defeat the approach of picking the best security app possible, rather than bundles of software that attempt to do everything. Johnson says he prefers to choose security products from companies that don't provide network gear or apps. "In security, you want best of breed," he says. "And all of these security mergers work against that."

Major antivirus vendors aren't fazed by Microsoft's latest move into their market. Computer Associates and Network Associates Inc. say their enterprise customers' environments are too complex, with various operating systems, for Microsoft to pose a real immediate threat. "A lot of the fundamental pieces of [antivirus] computing will become part of the operating system, and this appears to be a part of that trend. But companies need a way to manage their risk in terms of a bigger security picture," says Ian Hameroff, security strategist at Computer Associates. "It's about managing all of your risk, not just one piece of risk around one vendor."

Microsoft hasn't detailed its plans for incorporating GeCAD's antivirus technology, and other vendors say they're not concerned yet. Microsoft should use the acquisition not to enter the antivirus business but to provide more choice to customers, analysts say. Research firm Gartner says Microsoft should build an antivirus engine with an interface that security vendors could use to write antivirus signatures. Users would then subscribe to the security vendor to get antivirus updates. "That would be a reasonable outcome. It would be a more vendor-neutral move and something we'd be happy to consider working with them on," says Chris Belthoff, senior security analyst at antivirus vendor Sophos Inc.

Mike Nash, VP of Microsoft's security business unit, says the company will continue to work with antivirus vendors. "The key thing to realize is we're a long way off from having an offering," he says.

Perhaps security professional Johnson best sums up the scenario: "If I want interoperability, I go to Microsoft. If I want stability, I go to Unix. If I want antivirus, I go to the Network Associates or Symantecs of the world."