Symantec

At long last, those consolidation watchers can finally exhale, since SYMC has finally gotten the Vontu deal over the finish line. The deal was announced this afternoon as a $350 million dollar cash deal. It's a pretty decent multiple, which I estimate to be about 7-8x trailing twelve month bookings. Not as expensive as Brightmail, nor as cheap as Whole Security.

You can also read SYMC's "rationale" on how Vontu fits into their Security 2.0 strategy and introduces a new tagline "information-centric security."

The reality is Symantec needed to have some type of presence in the DLP space. Their big competition on the storage side is EMC and they have a widget in Tablus. Their main competition in the security space are also well represented, as McAfee, Websense and Trend have acquired companies in the space as well. I've been saying for a while that DLP is more of a storage and information function, than it is core security - so the fit with Symantec is pretty good. The question is whether this provides the "glue" that finally makes Symantec's security and storage capabilities kind of hold together.

And that brings up the huge blind spot in this deal, which is whether SYMC will be able to maintain Vontu's momentum in the large enterprise. They say Vontu will be run as a stand-alone entity, but I'm not sure if that's a good thing or a bad thing. They also plan to integrate Vontu into all of SYMC's existing offerings, given there is a piece of DLP in every aspect of SYMC's business. But to be skeptical (I know it's shocking for me), it hasn't happened in Big Yellow land with any other deal, so there is nothing that leads me to believe it will happen now.

Of course, there is always risk for existing Vontu customers that the deal won't go well and there will be a huge loss of Vontu brain power. But those are always risks in any deal.

Those most exposed are storage folks like Sun and NetApp, and big tech like Microsoft, Oracle, IBM and HP - who currently have no DLP strategy and may get left with 3rd tier pickings if they wait too long. Since DLP is clearly a feature of a bigger data security strategy, any player who says they manage data needs to have a story around DLP. There are also risks for start-ups who have not been spoken for, like Vericept, Code Green and Reconnex. You know the story of the company that holds on too long, waiting for that bigger, better deal. It usually ends as a fire sale. Though anyone independent now has some running room as the inevitable integration hiccups will provide a small window of opportunity.

So to net it out and not belabor the point, strategically the deal makes sense. Now it's all about executing the integration well and that really hasn't been Symantec's strong suit over the past few years.

 

Once again, no demos. This is an interesting trend. Everyone is taking a step back and trying to think strategically about where the business is going. NO product stuff. NO demos. Is this RSA?

John Thompson starts up by talking about how things are changing. More collaboration and online transactions. The user is in charge. More NSS.

IT systems are drivers of collaboration and growth. CONFIDENCE is the key value in this new world. Amazingly enough isn't Norton's new consumer product called "Norton Confidential." Coincidence?

Symantec announced a new identity initiative last week at Demo (link here). I didn't cover it because it is at least 12 months off and requires a lot of folks to play along, which has proven very very hard in the past. I don't think Symantec is the right player to drive an independent Identity Network.

Thompson says, the role of security officers must evolve to encompass "risk management." Identifying and quantifying company risk vs. company return. Risk to the availability of data and compliance. This sounds pretty Pragmatic too!

He's laying a lot of FUD. $2 billion in opportunity cost in e-commerce because people are scared. GPS malware. John wears a fancy suit (black mock turtleneck is killer), but he's talking like chicken little nonetheless.

SO what's the answer? AV and firewalls a first line of defense (shocker). But you need more. Like a "less vulnerable" operating platform will still be vulnerable over time. Guess you better renew your AV subscription, no?

But identity is the key challenge. Identity management is about operational streamlining, NOT adding new capabilities. He actually said "user-centric" identity.

Now we have McAfee trying to take the high ground with security risk management, which is a term that's been around for ever. Now the Big Yellow is focusing on trying to co-opt "user centric" identity. This is highway robbery and Microsoft should be pissed. Of all the big technology companies, Microsoft has been on the front end of the Identity 2.0 developments.

Not only is CA and IBM now the competition, he's going after Microsoft too on the identity front. But Symantec doesn't have any real identity assets. They should just buy something (maybe authentication) and start really playing. How about Entrust? That could be an interesting combination.

Now he's transitioning to talk about security "intelligence" and it's ability to let you know what's coming. I do believe in this capability and it's importance to staying out ahead of the bad guys. Got to give props to Symantec on this, they continue to make the investments in research.

It's all about user-centricity for the Big Yellow. Very interesting. So, are they not focused on the enterprise anymore? This sounds like Microsoft, but I guess Symantec needs an excuse on why customers should keep their agents implemented on their devices.

But my nagging question is whether this is enough? Symantec is under siege on all fronts, will focusing on identity and users going to happen fast enough to deal with the inevitable erosion of their core business? Let's just say, I don't have a lot of confidence that it'll be enough.

 

In the last post, I went into Symantec's big Security 2.0 strategy and am pretty favorable to where they are going. Not to be outdone, McAfee makes a big strategic statement this week. Glad they didn't have a big shindig scheduled in NYC, as they would have had to make it into a funeral for their senior management. But I digress.

McAfee is calling their initiative "security risk management" and as I mentioned on Tuesday AM - I'm not a huge fan of taking two nebulous categories (security and risk) and mashing them together to get something meaningful. So I'm not a big fan of this tag line either, but these are pretty minor nits compared to the strategy.

The world according to McAfee breaks up into two domains: threat prevention and compliance. NAC is in there two, but it's not clear how it relates to the other domains quite yet. This is wrong because they don't factor in identity or information/data security - but they don't have those pieces yet - so I'll forgive them. But if you are going to make a strategic statement about how security needs to be done - you can't really leave anything out.

Threat prevention is the traditional McAfee business - AV, IPS and anti-spyware. Throw a little SiteAdvisor magic dust in and the business is pretty competitive. They'll need to add application control to make a complete story for threat prevention from end to end, but those pieces are pretty much there.

Compliance is a conglomeration of what McAfee's shopping spree has yielded of late. By aligning the original Foundstone stuff, with the newly acquired Preventsys and Citadel technologies, McAfee can now set a policy, find broken stuff, and fix it. That's pretty slick.

Of course, it'll take some integration - but not a brain transplant. Why? Because McAfee has always built management of their disparate products into the ePO management console. This is a huge advantage tactically over Symantec, who has never delivered on any kind of console to speak of. ePO is McAfee's secret weapon, and they are acknowledging it - which is a good thing.

As I mentioned above, the weakness is really more about not having all the pieces, rather than anything relative to the strategic direction. McAfee must do more on the content/data/information side and they need something in the identity space as well.

So how do they get there? I suspect they don't. Now with the options overhang gone, the old management cleaned out, and a lot of the pieces assembled - McAfee is clearly a target for a HP, Juniper or even Cisco. The synergies with HP are pretty obvious. Plug ePO right into OpenView and combining that with the newly acquired Mercury on the application side and you've got a very complete story.

Given these new strategic initiatives from both Symantec and McAfee, big is the new small strikes with a vengeance. The second tier AV vendors find themselves that much further behind as the desktop suites become increasingly part of a larger security story. These folks (Trend, Sophos, Panda, Kaspersky, et al) need to either get out the check books and start buying their way to a broader offering, or put on their Sunday best, paint some lipstick on the pig and try to get a deal done.

It's about time the Big AV players acknowledged that their business is fundamentally changed. Over the past two weeks, both Symantec and McAfee announced new strategies, extending beyond milking the AV cash cow - into trying to solve broader security and risk problems for customers. I'll do two pieces examining both Symantec and McAfee's new strategies.

Both Symantec and McAfee have done a lot of acquisitions over the past couple of years, but neither did a very convincing job of how and why these deals made sense. I put them largely in the bucket of "put more crap in the bag" strategies of giving reps more to sell and pray they can figure out what to sell and when.

But, I like the strategies that both have put in place for moving forward. Symantec finally has a story that starts to integrate the VERITAS storage management products into the Big Yellow. McAfee also does a nice job of reconciling their recent acquisitions as well.

Let's dig into the Big Yellow's plans a bit more. Symantec is calling their initiative "Security 2.0." I hate it. Well, the name anyway. It makes their approach seem more like a fad, rather than a sea change of how security should be done. I get that part of their offerings are protecting the identity of users online and Web 2.0 is all about user-generated content, but it feels icky to me. Kind of like a used car salesman.

Which is too bad because Symantec has filled a couple of big holes in their offerings - in the identity space, leak prevention and database/data center security. By partnering with VeriSign and hooking the new Norton Confidential consumer anti-fraud and anti-phishing product to VeriSign's VIP network - we see the potential of the first broad Identity Service Provider.

Will it happen? I've got no clue. Having hooks to the VIP Network on the hundreds of millions running Symantec's AV will give it broad distribution. But we also thought that having Cisco's Trust Agent distributed with the AV products would help spur adoption of the C-NAC Framework - which didn't happen. So we'll see, but it's a good partnership on both sides.

Secondly, Symantec has upgraded their mail security offerings to do outbound content filtering. It's about time on that one. Folks like CipherTrust (now Secure Computing) and ProofPoint have been doing this for years and it's becoming increasingly important. Outbound email is also a logical first place to start with leak prevention because that's where many users feel the most pain. Of course, Symantec needs to make a broader statement about supporting multiple protocols, which will likely involve buying something that's a bit broader.

Next, they announced a database security product and initiative that finally gives all of those VERITAS folks something else to sell to their data center customers. It's a new product and will take some time to mature, but that's fine - database security is still an early market. Any success that Symantec has in this space will likely kick off yet another feeding frenzy to acquire the myriad of database security players out there.

Finally, Symantec announced a strategic relationship with Accenture. I had initially overlooked this deal when I did my quicky analysis last week, but this is actually the most important part of the strategy. Why? Because Symantec is not credible with the CIO. They think they are because they are big, but they aren't. CIO's don't care about AV. They don't care about optimizing storage. They have folks to do that for them.

CIO's care about how to leverage technology for competitive advantage. That's what Accenture does. They've got the relationships to get Symantec an audience with the right people, and if the partnership gets any traction - they'll be built into Accenture's huge projects as the security component. Of course, this is easier said than done - given the loose partner-driven fiefdom model of all of the big integrators - but it's a start.

But most of all, I like that Symantec finally has pieces along all parts of the Pragmatic Security Architecture. Adding the identity piece (even if it's a start) and a presence in information/data security gives Symantec a much broader, more coherent and more strategic story. They still spout the compliance word and that's fine.

So two years (and countless senior managers) later, the pieces are starting to come together for Symantec. It's about execution now, The big hole is still integration of all these disparate pieces, something that McAfee's ePO does well. It's not enough to have everything in a yellow box, all of these products need to work together and provide the CSO with a more compelling "dashboard" to manage policy and remediate broken stuff.

But those are just details, eh? McAfee's up next.

One of my most treasured memories from college was the time my buddy Alex and I went to a fraternity rush event where they were serving Tom Collins. Lots of Tom Collins. Neither one of us could make it back to the dorm on our own, so we basically leaned on each other, took one ginger step at a time, and made it back in one piece. We were literally two drunks holding each other up and remain very close friends 20 years later. To this day I cannot drink Gin.

I get the same feeling looking at the Symantec/Juniper announcement this morning (here). I can imagine Scott Kriens of Juniper and John Thompson of Symantec meeting at one of those cocktail parties where your personal net worth needs to be in the 9 figure range to get in, and one goes to the other: "Hey, you're not Cisco! We should do something together."

I'm not sure how much wine they each had at that fateful party, but this is clearly two vendors who are not Cisco trying to prop each other up.

On the surface, I'm not as negative as Stiennon on this deal (here), but I think the impact will be largely at the product level and transparent to customers. Juniper gets to build in some of Symantec's "intelligence" into their perimeter network security gear. Symantec gets to reference sell a legitimate perimeter platform.

I do agree with Richard that this is clearly a reactive deal driven by the fact that Cisco has a better story, bigger channels, and more momentum in the security space. Neither could do an outright acquisition, so this is what they are left with. I concur that the channel stuff is going to be hard to navigate, especially for the Juniper folks - that don't really understand the enterprise and don't really understand security either (many of their Netscreen folks have left).

But adding Symantec's anti-spam, IPS signatures, and vulnerability research to Juniper's products will make them better and I think it will actually happen. Why wouldn't Juniper do this, given they are pretty much irrelevant in the IPS space and don't really have a compelling UTM platform? They've got nothing to lose.

And Symantec gets access to a legitimate perimeter security platform. After killing their own platform a few months back, this is the other piece of the puzzle they couldn't answer back then. Clearly they couldn't abandon the market, but they also didn't want to continue investing in a non-competitive platform. This solves those problems IF (and that is a huge IF) they can execute, which certainly hasn't been Symantec's forte of late.

So I would be positive on this deal if it involved money changing hands. Or an asset transfer (like SYMC bought the Netscreen business). Or anything besides a press release in a purple suit. But it doesn't, so I'm negative and skeptical.

But clearly both Kriens and Thompson now can proudly display their ABC (anyone but Cisco) membership cards. That's what this is all about.

 

I was heavily quoted in Bill Brenner's analysis of Symantec's strategy on SearchSecurity.com last week. The link is here. Anybody who's been reading for more than a week or two knows that I think Symantec has a lot of work to do to execute amongst a number of strategic blunders. Bill does a good job of laying out the issues and substantiating the points in the article.

The news continues to get worse for SYMC, especially if you are a shareholder. As SYMC announces their Q1 (June) results this afternoon, Merrill Lynch pre-emptively piled on by downgrading them ahead of the curve. The kind folks at ML send me their research and their analysts, Ed Macuire and Garrett Bekker bring up a number of pretty good points, all of which I agree with.

Basically they are concerned about how Symantec is going to compete in a tougher environment, both on the consumer side (where competitors are going to have new products well in advance of SYMC) and on the enterprise side (where the sales cycle is more complicated and the fragmented market makes achieving scale harder).

ML also points out that Symantec doesn't really have any identity "glue" to hold together their security and storage offerings. That's something I wrote about when discussing the EMC/RSA deal (links here and here).

One point of contention is that I still fundamentally believe that customers want integrated solutions. Just because Symantec has failed to deliver them, doesn't mean that customers don't want them. Sure there are lots of start-ups to complicate matters, but "Big is the new small" still holds, with the major caveat being - ALL OTHER THINGS BEING EQUAL.

Customers will buy "good enough" if it's integrated. They won't buy not good enough. It seems Symantec is finding that out the hard way.

If there is anything interesting in the earnings results I'll post after the bell. If not, I'll cover it in tomorrow's TDI.

 

In today's TDI, I mentioned a different perspective - offered by Dave Goldsmith of Matasano - showing a positive view of the Symantec study of Vista's network attack surface (link here). Sure enough Dave's colleague Thomas weighed in to clarify some stuff. It because a pretty interesting interchange between the two of us and one that warrants a deeper discussion. Since many of you don't get access to the comments via RSS, I thought I'd cut and paste a bit to keep you clued in. I did edit Thomas' comments a bit because this is a family blog. HA!

The Symantec Study

Submitted by Thomas Ptacek (not verified) on Thu, 2006-07-20 10:15.

The mistake you're making with the Symantec report is believing that the work was driven by top-down strategy inside the company. It isn't.

I've known Oliver Friedrichs, the manager of what SYMC calls "Advanced Threat Research", since 1995. I worked directly alongside him at Secure Networks, where he co-founded the industry's first professional vulnerability research lab, along with Tim Newsham, Dave Sacerdote, and Ivan Arce.

Oliver Friedrichs is not f***ing [MSR edit] around. SYMC has the resources and the talent to build a top-calibre security research team. If there's any top-down decision-making at SYMC, I'm sure it's simply to go do that. "Oliver, kick Cisco and ISS's ass and seize the mindshare around research that Symantec has ceded over the past 6 years".

Once you get to that point, the Vista study is pretty obvious. You've got access to some of the best vulnerability research talent in the industry. What are you going to aim it at? I don't think the board, John Thompson, or even Oliver's immediate manager had to be involved in the decision to spend some resources poking the Vista TCP/IP stack.

I don't mind the accusation that you're leveling at Symantec. They're in business to win and they're not all nice people. But I don't think you make yourself look more credible when you cast Oliver's group in this light; people who know vuln research will scratch their heads at your assertion.

Thanks for noticing us, though! =)

For a change, the Matasano guys adding value to the discussion. Here is my response:

How much they publicize it is a corporate decision

Submitted by Mike Rothman on Thu, 2006-07-20 10:26.

Thomas,
I hear your point and that's more good perspective. But I also don't think that Oliver was out there humping his work in the press this week. That would be uncharacteristic given what I know about "most" vulnerability researchers. It's plausible that Oliver has free reign over what gets researched, but I highly doubt he has much to say about what Symantec's PR machine decides to push.

If their objective is to regain lost ground on the research side, your friend Oliver is going to find himself a pawn in a very high profile game. Maybe he knows this, maybe he doesn't. Since I don't know him I can't say. But when his group finds something of interest (like they did this week), the Big Yellow PR machine will try to bend it to their own devices.

I'm not doubting that the research was genuine. But I'm very comfortable in my assessment of what their PR aims were.

And this is where it gets interesting. Clearly there is something here and now we need to figure it out. Thomas weighs in a final time:

SYMC's Vulnerability Strategy

Submitted by Thomas Ptacek (not verified) on Thu, 2006-07-20 10:59.

You say, "If their objective is to regain lost ground on the research side, your friend Oliver is going to find himself a pawn in a very high profile game". I say, THAT's the interesting discussion to have about this.

Write something explaining the point you're making; I want to hear more about it. What's the "high profile game" around vulnerability research?

Your point about PR vs. research calendar is well taken. I can split the difference. Oliver's group owns their calendar, bottom-up. SYMC PR is probably top-down.

So let's dig a bit deeper here. What is the value of vulnerability research? Clearly in the early stages it was mostly for PR purposes. Folks like RipTech (which was subsequently bought by Symantec) had reams of data and they did some interesting analysis on it. Their real innovation was packaging it up in a report and starting the media frenzy about the increasing vulnerability landscape. They got very broad media coverage for the report and it really put RipTech on the map.

But now it seems that every vendor has it's own version of the report. Every big one anyway. ISS and VRSN have gotten their research groups a lot of ink driven by these quarterly reports. So it's not really differentiating anymore, is it?

At the same time, you see security vendors being attacked and vulnerabilities in their code being disclosed pretty regularly. Some patch things and forget to tell folks (ahem, McAfee) and it seems every month or so you hear about Symantec and Cisco patching things as well. So now the cottage industry seems to be finding the holes in other folks stuff.

This is both a PR strategy - pioneered very effectively by eEye (3rd party patching anyone) and new entrants like Mu Security that have boxes that are designed to find holes - as well as a competitive lever. Security is about credibility at the end of the day. If you have really smart guys that can find stuff broken in other people's software - then they must do a good job of protecting their own, no?

Well, not exactly. But close enough - especially to a customer that is looking at 3 products that are totally undifferentiated. I'm talking about pretty much every security market, by the way. Who do they pick? Maybe the one from the guys that seem the smartest. That's one plausible scenario anyway.

But, back to the topic. As Thomas speculates above, it's unlikely that anyone in Symantec specifically told their vulnerability research team to go find something broken in Vista. It could have happened, but I agree with Thomas - it's more likely bottoms-up. But once they found that data, I believe the Big Yellow PR team smelled a big opportunity to poke Microsoft in the eye. And they took it. And many of us bit. At least I can say I questioned their motives, as opposed to questioning their findings. Again, kudos to Dave G for doing the derivative analysis.

So what? Basically, I figure we are going to see vulnerability researchers let loose on competitor's security software. The Symantec-Microsoft deal may have been bottoms-up, but in a market this competitive, with folks looking for literally ANY advantage - it's just a matter of time before this becomes a big part of competitive analysis moving forward. And the PR teams will be orchestrating, on one hand working to seem on the up and up - just doing a service to the community - don't cha know. But on the other hand trying to stick it to the competition when they can. That's a high wire act for sure.

But it puts the researcher in the precarious position of trying to do the right thing, but more often than not becoming the finger poking some competitor. As I mentioned in my response, some will be cool with that and others...not so much. Interesting times to be a vulnerability researcher, that's for sure.

You know how that old nursery rhyme ends, right? It seems that the rumor mill is pumping about the possibility of EMC acquiring RSA for about $1.8 billion. There also seems to be another bidder in the picture, which could drive the price even higher. RSA has confirmed the strategic discussions, but predictably hedged as to whether a deal was going to get done. The fact they acknowledged the discussions means something is close, very close.

TheStreet.com has a pretty comprehensive story on the potential deal here.

It's been no secret that I think RSA is once again in the right place at the right time (here and here). LIghtning usually doesn't strike twice, but given the renewed interest in authentication and some savvy acquisitions - RSA is a plum property. But why sell now?

There's an old adage about how no one ever went broke by selling too soon, and that's exactly right in RSA's case. Sure they are hot and sure things look pretty good, but security is notoriously fickle and to monetize today wouldn't be a bad thing. And Art Coviello could ride off into the sunset as a hero.

But why is EMC interested? Is Symantec's John Thompson right in that security and storage are inextricably linked now? Has NetApp's increased interest in security (they acquired Decru a while back) shown the shape of things to come? Actually the answer is yes and yes.

It gets back to the Pragmatic Security model. Securing the infrastructure and securing the information that rides on top of it are DIFFERENT things. It will not be the same vendor that dominates both, that is clear because they are different buyers. The network or desktop guys buy information security. The application or database guys buy information security. How many more ways can I say different?

Though RSA gets most of it's notoriety nowadays from authentication, remember what RSA stands for - and that's encryption. EMC is all about "information lifecycle management" and that MUST include data security. They dipped their toes in the water by acquiring Authentica a while back, but you had to figure there would be more where that came from. RSA would give them instant credibility in the security space, a hot authentication product family, and most importantly a really big story regarding persistent control of data that no other vendor can match.

That's right, not even Symantec will be able to play at the same level. Symantec's entire security perspective is focused on the infrastructure. They do pretty much nothing (with the exception of some messaging security) in the application/information or identity space. In one fell swoop, EMC would become the horse to beat on the information side of the Pragmatic Security equation. John Thompson would have another reason to bury his head in the sand.

So who would the other bidders be? Thestreet.com indicates potentially CA or even Symantec. CA is pretty much in shambles right now, so I'd be very surprised if they could get their act in gear to do a big deal, though strategically it makes sense. But clearly Symantec would be the dark horse. For every reason this deal makes sense for EMC, it makes even more sense for Symantec. It gives the Veritas group some encryption and identity mojo and provides the glue to make the Symantec/Veritas deal work. Additionally, the tokens would fit very nicely into Symantec's security business giving them another cash cow to milk for a while.

But could John Thompson pull that off? They did just raise a bunch of money in a convertible offering, so the cash is there. I'd have some operational concerns given that Symantec has a poor track record of retaining talent and that's critical to make a growth deal work, but the potential of a Symantec/RSA combination is very interesting.

Stay tuned. It should be an interesting couple of days.

eEye has found a pretty serious vulnerability in Symantec's AV software. You've probably already read about it (Stiennon covered it - http://blogs.zdnet.com/threatchaos/?p=334 and here is the AP link). The fact that the vulnerability exists is not what's interesting.

It's that eEye has disclosed that it found the vulnerability this week, notified Symantec and is not telling anyone any specifics until the patch is released. It kind of turns the public relations aspect of vulnerability hunting on its ear.

Clearly not satisfied with getting credit at the bottom of the security alert, eEye disclosed the vulnerability to get full credit now and also to make the public point that their host intrusion protection product protects against the flaw. That leads me to believe that most HIPS products will stop the attack.

Of course, this attack is already a non-issue because once Symantec patches the hole, the updates will be automagically distributed to all of the vulnerable software. So everyone is getting worked up about an exposure that will be patched before any real details come to light. 

I'm not sure I'm cool with this "I found something but I'm not telling you about it" approach. It is clearly better than fully and publicly disclosing the issue (and how to exploit it) with no warning. Since this is a PR strategy for eEye, they couldn't have waited until the patch was out,  then their ability to say that their HIPS product stops the attack is gone.

So I guess we'll need to get used to this. Vulnerabilities will be found and sort of disclosed, but without enough information to cause damage. And PR folks will stay very busy working the media up into a frenzy for an attack that will never amount to anything.

 

Since I've left the anti-spam business about 9 months ago, it's nice to see that it's still a brutally competitive market where everyone sounds the same. It does seem that innovation on email hygiene (meaning inbound mail) has slowed. I can't recall anyone really introducing a new, important capability over the past 6 months. It's been a lot of point releases aimed at either adding better enterprise management capabilities, scalability or broadening the product scope beyond just inbound email. So now things like IM and compliance/encryption are becoming the battleground - the differentiation so to speak.

At the tail end of my anti-spam tenure, reputation services were all the rage. The concept is that if you know a lot about the sending IP address, you can tell whether they are very likely to be sending spam or good mail. IronPort was the reputation innovator with SenderBase and CipherTrust came later with TrustedSource. Standard disclaimer: I used to work for CipherTrust and am a shareholder (because I can't sell the stock).

Folks like Symantec and Postini always said they had reputation services under the covers, but never really made them visible enough to prove it. Recently (like within the last two weeks), BorderWare (link here) and Habeas (link here) have introduced their own reputation services. Either broader, BorderWare's tracks IP and VoIP data, or larger, Habeas claims 60 million IP addresses in their database - which may or may not be true. I'm sure they have 60 million things in a database. What those things are is subject to interpretation. You have to love marketing.

But if you are a customer looking at these solutions, does it matter? The vendors will try to paint their reputation stuff as broader, more accurate, bigger and will let you drop more bad messages at the gateway. Who do you believe? I say believe none of them. Reputation is now a standard part of the game and its certainly under the covers. You don't buy an anti-spam product because of a reputation service. You buy it because it stops your bad mail.

Content security is a different animal. That is hard for many to believe that have grown up in the network security space, where an attack is an attack is an attack. Maybe 50% of spam is ridiculous. Dealing with nasty inappropriate stuff or prescription drugs, all the products catch that stuff - or they don't get to play.

It's the borderline stuff that is very difficult to categorize. One man's spam is another man's gold. A lot of spam is subjective, so it's very hard to say in absolute terms whether a message is really spam. That's why end user quarantine is so important, then the users at least get to see if there are false positives in the mix. Then you've got the language issue. Non-English spam provides a lot of variability in results. You can't just drop a US anti-spam product into the Far East. It's not a firewall.

But getting back to reputation, your definition of spam may be different and your traffic is going to be different. So you'll need to figure things out for yourself. In the content security space, the eval is everything. You need to test these products out. Maybe the specific vendor's reputation database works great for you. But it may not. And the only way you'll find out is by running the products against actual mail. That's right, run the email gateways against a subset of your live mail flow.

Theoretically, reputation should still be a differentiator. But folks like Proofpoint and MailFrontier/SonicWall continue to stop spam without it. So maybe it doesn't matter. Unfortunately I can't answer the question for you. You'll need to be the judge.