Trend Micro
The Daily Incite - March 23, 2006
Good Morning:
On the theme of leading a more balanced life, I am taking a few days off to celebrate my wife's birthday in style. So there will be no Daily Incite on Friday. We'll catch everyone up on Monday.
Have a great weekend, since mine is starting now.
Top Security News
Microsoft Vista Delayed Further (http://biz.yahoo.com/prnews/060321/sftu157.html?.v=11)
So what? - I know, it's hard to believe, but Microsoft is slipping Vista's full roll-out until early January. Early business adopters can get it in November, but no one is going to do that. This has minimal impact since very few organizations start migrating to a new Microsoft anything in the first few months of deployment. This will impact the security ecosystem of folks waiting on Vista (and Longhorn) to access new features. This also provides near certainty that Firefox 2.0 will be out before Vista (and presumably IE 7), so there is a window for Firefox to increase market share.
Trend to Jump on the Services Bandwagon (http://snipurl.com/o0r1)
So what? - Not to be left off the train when it leaves the station, Trend does a soft release ("we aren't announcing anything formal") that they will also offer a subscription AV and other assorted security goodies. Scarily enough, Microsoft is driving activity in the consumer AV sector and innovating from a packaging standpoint. That just proves how fat, dumb, and lazy the AV incumbents have become.
Check Point Announces Eventia 2.0 (http://www.checkpoint.com/press/2006/eventia20032206.html)
So what? - Was there even an Eventia 1.0? Must have missed that one. Anyhoo, Check Point announces an upgrade to their SEM product. Normally I would yawn through this, but it reinforces my Incite on SIM/SEM. This kind of management functionality is clearly the domain of the security vendors, not stand-alone management vendors. Sure, it will deal best with CHKP equipment, but many folks have Check Point perimeters - so this will be good enough. I'll once again stand with my contention that SIM goes away as a stand-alone market in 2007.
Secure Software Builds into Eclipse (http://www.securesoftware.com/news/releases/20060321.html)
So what? - Secure coding products must be built right into the environments where the software is built. Secure Software shows that they can plug into the Eclipse framework. At some point, this functionality becomes the purview of the application wonks, since it is not really a "security" type of function any more. But this is the shape of things to come because the sooner you can eliminate simple code vulnerabilities, the better it is for everyone.
Security's Next American Idol (http://snipurl.com/nzy5)
So what? - Security is definitely more top of mind in our colleges and universities, which is a good thing. GA Tech in my hometown of Atlanta is running a competition with its students to award $50,000 to the one that comes up with innovations to make security easier. This is great (if not a bit hokey on the Idol link) because most security technologies are definitely too hard to use, so anything that will make it easier is certainly welcome.
Top Blog Postings
Badware's Seven Deadly Sins
On Ellen Messmer's Network World blog, she covers the first report out of the Stopbadware.org folks. I had some opinions early on (here) that this type of organization won't stop much of anything and I haven't changed my mind. So the report is out and they say some folks are bad, like Kazaa. Wow, there is something I didn't know. So what? Sure, I'll be careful on those sites, but will anyone else? I don't think so. End users need a far more automated way to control the bad stuff.
http://www.networkworld.com/weblogs/security/011559.html
Vista Takes a Stab at Malware
George Ou on his ZDNet blog rants a bit about whether Microsoft Vista will eliminate spyware once and for all. Of course it won't. So George and I concur. He brings up a number of good points in that Vista does eliminate a lot of the low hanging fruit that is enabled by run of the mill users running as administrators on their machines. But will it eliminate spyware? Not a chance. There is too much money in it, so that means there will continue to be innovation. And the reality is that it will take years to get rid of XP and Win2000, which are the real problematic OS platforms.
http://blogs.zdnet.com/Ou/?p=175
Log Management is a Stand Alone Market
James Governor of RedMonk weighs in on log management and whether it is a stand-alone market. I agree that it is, but the value of these folks (like LogLogic) is clearly in gathering the data. Other folks will be analyzing it, but the ability to gather large amounts of data, reduce it, and store it securely UNTAMPERED (for forensics purposes) is important. But with logs you are still looking in the rear view mirror, so correlation must happen within the security devices themselves.
http://www.redmonk.com/jgovernor/archives/001421.html
More Musings on Spyware as a Stand-alone Market
Ellen Messmer of NetworkWorld posts on Friday (here) about Microsoft's eventual impact and potential domination of the anti-spyware business. Why? They are bundling Windows Defender (the new name for their anti-spyware) with IE 6 and 7 and Vista. So within a year or two, it will just be there on a majority of PCs. Since it will likely be good enough, why would someone pay for anything else?
The answer - they won't. But not necessarily because everyone will use Microsoft's stuff. I don't think that is the case. Customers will not pay for anti-spyware because it is a feature of their anti-virus and/or desktop security suite. So it may not be Microsoft that gets all the business (though they will get their share), but Symantec, McAfee and Trend will also benefit. Anti-spyware capabilities will be integrated into the unified threat management (UTM) equipment on the perimeter, so the gateway opportunity is not long lived either.
Mark Shavlik posts on his blog as well about the topic (here), even working in a cool Brady Bunch analogy. He maintains that Microsoft will dominate the consumer end of things, but that Microsoft is not going to provide what's needed for enterprises. I do agree with the fact that Microsoft is not going to offer anti-spyware for Linux or Mac, and as usual their first couple of releases leave a lot to be desired. But that doesn't mean there is a large opportunity for stand alone anti-spyware vendors.
He goes on to mention some of the functionality that will be in Shavlik's anti-spyware offering:
Our corporate customer focus groups are driving what our Spyware product does, we are being asked for deep clean up, admin level control, enterprise features such as machine grouping and reporting, fast database back-end support, large network support, remote site management all things Microsoft is not providing.
Our corporate customers (we do not sell consumer products) are not comparing us to Microsoft, they are comparing us to the Anti-virus products because those products have the management tools needed. We tie patching and spyware together, the AV vendors tie AV and Spyware together. We will add AV management to our line soon to make the choice easier for customers.
So, there you have it. Enterprise customers want enterprise management. Shocker! And Microsoft's product is not really enterprise capable right now. Duh!
More interesting to me is the 2nd paragraph. Shavlik sees themselves as an AV vendor with the differentiation being patching and compliance (whatever that means). Man, that will be a tough row to hoe. Sure, you've got to do something since stand alone patching is not a long term answer either, and Shavlik's reputation on the patch side is sterling. BUT, that does not translate into being able to compete effectively with the folks milking the cash cows. But Shavlik is a privately held, self-funded company, so they very well may be able to build a nice business scraping the barnacles off of Symantec's and McAfee's ocean liners (Sophos and Kaspersky certainly do).
To be clear, there are some organizations that will want to use stand alone anti-spyware offerings. Just as with every security market, some buyers opt for best of breed, even when the stand alone product isn't very differentiated. That's basic religion and these customers will never move towards a suite approach. They believe their value is in integrating lots of different solutions, thus providing job security because they've built an environment that is too complex for anyone else to manage.
Yes it's cynical. But it's also true. These folks should realize their value is in pushing forward a security agenda, and focusing on high value projects. Not on integrating disparate point products.
OK, back to the topic. I don't believe best of breed anti-spyware is the mass market. Per my ranting in "More Stupid Marketing Sizing Numbers" it's clear to me that anti-spyware is not a stand-alone market. No one seems to be disagreeing with that.
So that means some ferocious consolidation and erosion in that space will happen in the coming 12 months. End users need to choose carefully because there is a great likelihood whichever independent you choose today will be gone (or merged) tomorrow.
Hallelujah! A Standard for Anti-Spyware Testing
As discussed in Friday's post about StopBadware.org, I believe that building and maintaining a database of known "badware" is important. The missing piece of StopBadware.org is a way to caution users before they do something stupid like download a known bad application.
Another way to prevent the spread of spyware is to make sure that anti-spyware products use common terminology and meet a lowest common denominator level of effectiveness. I'm reasonably excited about an initiative announced this morning by McAfee, Symantec, Trend Micro, ICSA Labs, and Thompson Cyber Security Labs (who?).
A clip from the press release really underscores the need for this type of activity:
When publishing results and product recommendations, few product testers currently document their test samples or methodology, and many use very small sample sets in their testing environments. As a result, there is no distinguishable benchmark for comparison of anti-spyware product vendors, leaving customers unclear as to the most effective products and solutions for their environments.
This is exactly right. The industry needs a benchmark to define this moving target called anti-spyware. ICSA Labs' involvement means it may actually get done. Having worked at TruSecure, I am very familiar with the capabilities of ICSA Labs (since TruSecure, now CyberTrust, owns them). This is a significant opportunity for ICSA Labs, which has not really had another "hit" in terms of a program that users deemed a requirement for their vendors to be tested since the AV and firewall programs launched years ago. Of course, my friend George Japak (who runs the Labs) may disagree, but it is what it is.
Given the confusion around what anti-spyware is and what it isn't and whether it makes more sense to stop it at the perimeter (via a gateway appliance) or on the client or both, having a common, agreed upon testing methodology will help. ICSA Labs has built certification programs for every significant security market, so they get how to standardize the terminology and put in place a structured, repeatable process to ensure the anti-spyware products remain effective in the face of rapidly evolving threats. It won't be long before ICSA Labs rolls out a formal certification program, so that vendors can prove they meet an acceptable level of effectiveness. This will be a big positive for everyone.
Since Microsoft is giving away their anti-spyware solution, it will be interesting to see how they fare relative to the testing methodology. Microsoft is also conspicuous by their absence in this initiative. That also begs the question about Webroot, Blue Coat and Sunbelt Software. These folks (among others) should have a hand in this as well. Hopefully this is not a transparent attempt by ICSA and their anti-virus buddies to try to protect their turf. Like any of them can really stop Microsoft. Alternatively, this could be another example of Microsoft's arrogance in not thinking they have to play in the sandbox with the rest of the industry. Ultimately, this initiative must get broader industry support to have a chance of sticking.
As with everything, there are lots of things that can go wrong, but in the meantime users should enjoy the good news today. Help is on the way to ease some of the confusion around anti-spyware defenses.