ANALYSIS: Security in the spotlight after Intel-McAfee buy

23 Aug 2010

Will businesses pay more attention to fighting malware after high-profile deal?

Security software in the spotlight

To any CIOs or IT chiefs with security projects in the pipeline: now might be a good time to look for board approval and budgets because security’s profile has been given a massive shot in the arm with news that Intel is acquiring McAfee.

Not only is the world’s largest chipmaker buying the No 1 antivirus and security software provider, it’s also paying a premium for the privilege. Intel said it will pay USS7.68bn or US$48 per share – a 60pc increase on McAfee’s closing price the day before.

While some are calling the deal a surprise, McAfee had been the subject of acquisition rumours and the company’s CEO Dave DeWalt has a history of buying and selling companies. During an interview with him in Cork last May, I put the acquisition question to him when the rumoured buyer at the time was HP, not Intel. DeWalt’s answer was a classic of the ‘ruling-nothing-in-but-ruling-nothing-out’ genre.

Security: built-in not bolt-on

Early analysis of the deal, helped by noises from both camps, is that this is an attempt to put security at the source of computing: building it into hardware from the start rather than bolted on afterwards which is how the problem is mostly tackled at the moment.

Gartner research vice-president Leslie Fiering said the acquisition makes sense when seen in those terms. “Bringing security down to the hardware level is particularly critical at a time when exploits at the OS level are getting more sophisticated on PCs and mobile OSes are still highly immature in the security arena,” she said.

Synergy for Intel

McAfee CTO George Kurtz blogged shortly after the deal was announced and maybe not surprisingly he too talked up the synergies. “You may be surprised that Intel has a software group, when you commonly think of them as a hardware company. In fact, McAfee is a perfect fit with the Intel acquisition of Wind River, a leader in embedded and mobile software. McAfee’s strategy of protecting the multitude of devices such as ATMs, printers, digital copiers, and cars fits with helping organisations better manage and protect the IP-enabled mobile and embedded devices that run Wind River embedded and mobile software.” According to Kurtz, the acquisition also dovetails with McAfee’s own purchase of Solidcore, a developer of dynamic whitelisting technology for embedded systems.

There’s no doubt that many more devices are becoming internet-enabled and PCs will soon be overtaken as the dominant means of accessing the internet (watch out for a certain German carmaker that will incorporate a wireless hotspot into one of its latest models). But while PC vulnerabilities are legion and their number is constantly growing, malware for mobile devices is nowhere near as common. A crucial difference is, the PC market is for all intents and purposes a monoculture (sorry Linux and Mac fans). This makes it a much easier target to attack. While no one is suggesting mobile devices should get a free pass in any business environment, CIOs and IT admins should be wary of buying too much protection against a threat that – so far – seems to be more hype than substance.

A history of software acquisitions and sales

All of which is to say, there’s no cast-iron guarantee this deal will catapult either party to success in a market that’s very different to their traditional strongholds. That’s possibly why you don’t have to go far to find others who are less bullish about the deal. Graham Cluley of rival security firm Sophos couldn’t resist a dig at Intel’s ‘hokey-cokey’ security strategy. He pointed out that the chipmaker had its own LanDesk Virus Protect product which it sold to McAfee’s chief competitor Symantec – albeit some 12 years ago, which in the IT industry is a lifetime.

Urban Schrott, cybercrime analyst with Eset Ireland, pointed out that Intel was already shipping its products bundled with various IT security tools from a range of vendors, not just McAfee. “A bunch of their business products were shipping with Eset as well. From what we know this isn’t to change any time soon,” he said.

He isn’t so sure the acquisition is motivated by security considerations above all others. “Though I agree it does help to shift focus to security issues a bit more. IT managers should already be pretty aware of the issues at hand, I only hope the joining of these two companies won’t result in any sort of complacency, as in, ‘well, nothing much for us to worry about, it’s all already taken care of’.”

Can this deal encourage more IT spend on security?

Robert McArdle, a lecturer at Cork Institute of Technology and senior threat researcher at Trend Micro, is unsure whether it will make life easier for IT staff trying to convince their boards to increase the security budget. “The Intel move clearly shows that they think the security industry is something that is absolutely fundamental to future technology services and products, and that in turn helps validate the calls of an IT manager for increased spending to better secure the company,” he said in an email.

However McArdle said the deal raises the question of which products IT manager should now invest in. McAfee’s short-term roadmap is likely to remain unchanged because products due to be launched over the next six months will already be in development. “Further down the line I’d expect McAfee to shift away from pure security products and into other areas, much like Symantec moved into backup after merging with Veritas,” he said.

While acknowledging his own biases, McArdle said the deal should make IT managers think seriously about where to invest long term in security products. “The direction of McAfee and Symantec are unclear – and to be honest I think that this announcement will see a shift towards Trend Micro and the other smaller competitors like Kaspersky,” he said.

Enterprise customers should be wary of McAfee commitment for now

McArdle’s assessment is echoed by Forrester’s security and risk specialist Andrew Jaquith. “Given the risks associated with this deal, enterprise customers should be wary of making long-term commitments to McAfee until Intel’s intentions are clearer. It would be best if McAfee was left to manage itself, largely as a standalone company.” (For the record, CEO Dave DeWalt has said McAfee will remain a standalone subsidiary, retaining its leadership team and expertise.)

Jaquith pointed out that the deal comes within months of a very embarrassing mistake when a faulty AV update from McAfee incorrectly labelled some Windows XP software as malicious, causing PCs to crash. He said this incident upset many customers that may now think twice about their allegiances to McAfee.

The competition smells indecision

So, while security may get some welcome time in the spotlight, it may not necessarily be to McAfee’s – and Intel’s – benefit. While the former may be the market leader in security, its percentage share doesn’t even run to double figures, as Dave DeWalt acknowledged in our interview this year. Competitors will be prepping their sales teams to take advantage of any hesitation on the part of long-standing McAfee customers. As for the poor old end user, we’ll have to hope the promise of more embedded security comes to pass.

Gordon Smith was a contributor to Silicon Republic