Q U E S T I O N & A NSWER

May 12, 2006

Microsoft Poised To Take A Big Chunk Of The
Security Market
by Natalie Lambert
with Jonathan Penn and Robert Whiteley

EXECUT I V E S U M MA RY
The speculation is over: Microsoft is entering the security market. In 2006, Microsoft will launch a bevy of
client and messaging security products aimed at consumers, enterprises, and SMBs. However, despite its
progress on security, Microsoft will find it difficult to sell a security solution to consumers and businesses
that are skeptical of its ability to protect even its own operating system. Microsoft’s products will start off at
a functional disadvantage, which competitors will take advantage of by accelerating their evolution toward
integrated suites that manage a range of client and network security functions. Still, Microsoft is building
a credible offering that, like many of its other endeavors, will start by appealing most to buyers focused on
price and simplicity. Here we address security chiefs’ top questions about Microsoft’s new security forays.

QUESTIO N S
1. Where do these new security technologies come from?
2. What other security technologies are up Microsoft’s sleeve?
3. What is Microsoft’s Network Access Protection (NAP)?
4. Should I look to Microsoft to protect my PCs and servers when it can’t protect its own OS?
5. Isn’t Microsoft profiting from its own security issues by selling security products?
6. Will Microsoft forgo securing its OS in favor of releasing AV and firewall updates?
7. What is the impact of Microsoft’s entrance into the security market?
8. Is this the end of expensive AV?
9. How will Microsoft compete against the likes of McAfee and Symantec?
10. Will Microsoft end up owning a large part of the client security market?

TARGET AUDIENCE
Security and Risk Executive

MICROSOFT TAKES THE SECURITY SOFTWARE AND SERVICES PLUNGE

This year, Microsoft will enter the client security market with its Windows Live OneCare offering for
consumers and Microsoft Client Protection for businesses. The company will also enter the messaging
security market with Antigen security products for Exchange, Live Communications Server, and
SharePoint. And for customers seeking hosted messaging protection, the company offers Microsoft
Exchange Hosted Services.

Headquarters
Forrester Research, Inc., 400 Technology Square, Cambridge, MA 02139 USA
Tel: +1 617/613-6000 • Fax: +1 617/613-5000 • www.forrester.com
Question & Answer | Microsoft Poised To Take A Big Chunk Of The Security Market 2

With all of these new offerings, Microsoft embarks on the journey to become a security vendor.
Forrester’s most frequent client inquiries concerning Microsoft’s security offerings include:

1. Where do these new security technologies come from?

In 2003, Microsoft made its first client security technology acquisition — GeCAD Software, a
Romanian-based antivirus company.1 In December 2004, Microsoft acquired antispyware vendor
GIANT Company Software.2 Microsoft internally developed the remaining components of its client
security, including Windows Firewall and Microsoft Windows Malicious Software Removal Tool.

In 2005, Microsoft decided to further enhance its antivirus and security strategy by acquiring two
messaging security vendors — Sybari Software and FrontBridge.3 These companies brought antivirus,
antispam, content filtering, archiving, and encryption to multiple communication channels within an
organization’s information workplace, which Microsoft will offer as software and hosted options.4

2. What other security technologies are up Microsoft’s sleeve?

Microsoft will add multiple security features to Internet Explorer 7, which is already in public beta,
and to Windows Vista, the upcoming release of Windows. The new Internet Explorer will include
antiphishing capabilities that warn users if they visit a suspicious Web site, as well as improvements to
how ActiveX controls are handled that will help to protect users from Internet exploits.5 Additionally,
Windows Defender, which will ship as part of Windows Vista, will help protect computers against
spyware and other potentially unwanted software — all of which can lead to pop-ups, slow
performance, and other security threats.

In addition, Windows Vista will include a number of data protection features. BitLocker Drive
Encryption will free people from worrying about the data on computers tossed in the trash or stolen
by laptop thieves. Windows Vista will also ship with Rights Management Services (RMS) that will
secure data against unauthorized use. Furthermore, Windows Vista applications will run in a way that
hinders attackers from installing malware on PCs.6 However, the most awaited technology coming
from Windows Vista is Network Access Protection (NAP) — Microsoft’s proprietary network access
control solution.

3. What is Microsoft’s Network Access Protection (NAP)?

NAP is Microsoft’s network access control (NAC) solution, which will ship with the upcoming
Windows Server “Longhorn” release. NAC solutions help organizations control what devices — e.g.,
corporate-owned PCs running the latest antivirus or Windows updates — access their network.
Microsoft is hoping NAP will accomplish two things: 1) compete against solutions from vendors
like Cisco Systems and McAfee by being an easier-to-use, policy-based alternative baked directly
into various flavors of Windows Server; and 2) provide a framework for integrating multiple access
control enforcement mechanisms, including third-party mechanisms.7 Furthermore, Microsoft
has an obvious advantage: integrating with Active Directory to give added user identity context to
access control decisions.

May 12, 2006 © 2006, Forrester Research, Inc. Reproduction Prohibited

Question & Answer | Microsoft Poised To Take A Big Chunk Of The Security Market 3

But it’s not that simple. An overwhelming majority of organizations want to integrate multiple
network access control products. This would include those in software like Microsoft’s, as well as
appliance- and switch-based solutions that give better port-level control within the network fabric.
As a result, we expect Microsoft NAP to succeed as the “glue” for enterprise NAC, providing the
policy framework to keep all of these moving parts working together.

4. Should I look to Microsoft to protect my PCs and servers when it can’t protect its own OS?
Yes. Microsoft has made a lot of progress in securing its OS over the past two years, starting with
the release of Windows XP SP2 and its coding improvements through the Security Development
Lifecycle (SDL). Although many experts view Microsoft’s SDL — the process for creating and
releasing software code that has less security defects — as mere table stakes, Microsoft is committed
to improving its software development and has seen results from this effort.8

Beyond producing more secure products, Microsoft is giving customers what they have asked for —
additional PC security — in the form of security products. Why should these software and services
be considered? Because it is Microsoft and the company has put a lot of resources behind this.
Microsoft wants to be known as both a secure software provider and a security provider. It made
strategic acquisitions of strong technologies — in addition to the dedicated staffs that came along
with them — to get there. It can therefore assure customers that its solutions will be competitive.

5. Isn’t Microsoft profiting from its own security issues by selling security products?
Yes. However, it is also profiting from the rest of the software industry’s security issues. Software
vulnerabilities are not exclusive to Microsoft products, as seen in recent Apple and Unix/Linux
vulnerability announcements.9 In addition, in April 2006 Oracle released its quarterly patch update
with more than 30 software patches. That same month, Mozilla issued patches for its Firefox Web
browser, and Hewlett-Packard announced a flaw in certain printer software. Software vulnerabilities
are inevitable, which is why the antivirus market exists. Microsoft’s security products will help
protect customers from known malware targeting a multitude of applications, not just those
targeting the Microsoft OS.

6. Will Microsoft forgo securing its OS in favor of releasing AV and firewall updates?
No. An insecure operating system goes well beyond the world of “anti-X” defensive technologies.
Specifically, if Microsoft cannot develop a secure OS, then it cannot sell Microsoft SQL Server,
Microsoft IIS, Active Directory, and many other products. This will not be acceptable. Microsoft
cannot afford to skimp on OS security.

7. What is the impact of Microsoft’s entrance into the security market?

Competition from Microsoft forces other security vendors to innovate, and fast. On the client
security side, vendors will accelerate their move to integrated solutions in order to offer additional
functionality over their competitors. These solutions will bundle technologies that have not

May 12, 2006 © 2006, Forrester Research, Inc. Reproduction Prohibited

Question & Answer | Microsoft Poised To Take A Big Chunk Of The Security Market 4

traditionally been in client security suites — such as device control, digital rights management, and
patch management — into a much broader solution. On the messaging security side, vendors will
be quick to offer solutions that incorporate protection over multiple communication channels, such
as instant messaging, IP telephony, mobile devices, and videoconferencing (to name a few).10 For at
least 18 months, in these areas Microsoft will not be able to offer solutions that are as functionally
rich as its competitors. Nevertheless, Microsoft’s immediate influence and growing market share will
rapidly accelerate the maturation of these markets.

8. Is this the end of expensive AV?

Yes, although Microsoft is not the only force behind this. ISPs have already been transferring the
cost of client security from the consumer onto themselves to keep their own support costs down
and customers happy.11 We’ll now also have Windows Live OneCare, Microsoft’s consumer security
service, which will include antivirus, antispyware, personal firewall, backup, and computer tune-up
capabilities, as well as unlimited support, all for less than $50 a year for up to three computers in a
household.12 In addition, Microsoft will integrate Windows Defender, its antispyware product, into
Microsoft Windows Vista for free.

Consequently, security vendors in this market do have a lot to worry about, and the consumer
market is just the beginning. Although Microsoft has not released the pricing details of Microsoft
Client Protection or Microsoft Antigen, business customers can rest assured that Microsoft will be
front and center in any pricing wars. Microsoft may be late to the market, but it will commoditize
the market.

9. How will Microsoft compete against the likes of McAfee and Symantec?
The upcoming release of Microsoft Client Protection is starting at a functional disadvantage.
Incumbent client security vendors have integrated suites that span a plethora of technologies.
Currently, Microsoft lacks a host IPS (HIPS), a shipping network access control product, and
most importantly, an integrated solution that includes features beyond antivirus and antispyware.
Microsoft is least 18 months away from releasing a comparable client security suite. In addition,
Microsoft will not seek to provide security for non-Windows systems, making it harder for them to
enter sales negotiations with customers with diverse client and server environments.

Microsoft does have some competitive advantages, and Forrester expects that price will certainly be
among them. Microsoft is also in a position of strength given the presence it has in all enterprises.
This will enable Microsoft to undercut competitors significantly on price, especially with large
Microsoft shops. Cost is a large factor with security technology, so expect Microsoft to begin
to displace its competitors immediately due to this alone. In addition, Microsoft will evolve its
security products to offer seamless integration with the Windows OS, Active Directory, Microsoft
Management Console (MMC), Microsoft Operations Manager (MOM), Systems Management
Server (SMS), and NAP when it becomes available.

May 12, 2006 © 2006, Forrester Research, Inc. Reproduction Prohibited

Question & Answer | Microsoft Poised To Take A Big Chunk Of The Security Market 5

Within specific channels, Microsoft will have difficulties penetrating the ISPs. ISPs will look to other
vendors for partnerships, as Microsoft is a clear competitor in the Internet provider space. However,
the OEM channel will be an open market for Microsoft. Since OEMs compete on price, especially in
the consumer market, they will naturally offer Microsoft’s security products over “premium” products
from McAfee and Symantec. Nevertheless, security products from Microsoft will carry a significant
element of strength, given the inherent channels — including OEMs, VARs, and resellers — that
Microsoft provides. Microsoft is prepared to capitalize on this.

10. Will Microsoft end up owning a large part of the client security market?
Yes. Ultimately, Microsoft will provide customers with a product and price point they won’t be
able to refuse, but it will take at least two years for this to gradually reach a tipping point. On the
consumer side, Microsoft’s bundling of antispyware into Windows Vista forces pure-play vendors
to acquire or be acquired in order to integrate additional technologies. Furthermore, the consumer
security model will change from a software license model to a service model and will also see
significant price decreases thanks to Windows Live OneCare.

The enterprise market will take more time to penetrate, but Microsoft will eventually succeed.
However, first it must mature in both its product functionality and security provider expertise
to compete against the McAfees and Symantecs of the world. While Microsoft is playing feature-
function catch-up, these other security vendors are busy integrating additional technologies into
their client agents, integrating the management of their client and network security offerings, and
incorporating network access control — all to help organizations decrease the management burden.
This integrated market is as yet untouchable by Microsoft.

In this market, the advantages Microsoft has are price and integration with Microsoft infrastructure.
There is no doubt that organizations sensitive to these issues will turn to Microsoft despite its limited
offerings. However, the more demanding and more scrutinizing security organizations will prize the
greater functionality that McAfee, Symantec, and Trend Micro can provide.

ENDNOTES
1
At the time, Microsoft’s stated reason for the GeCAD acquisition was not only to help antivirus vendors
integrate better with Microsoft’s products, but also to build antivirus solutions of its own. The company was
vague about how such solutions would be packaged, although it seemed probable that it would ultimately
be integrated into Windows itself. See the June 13, 2003, IdeaByte “Microsoft Antivirus Is a Potential Long-
Term Factor.”
2
Microsoft’s acquisition of GIANT Company Software made sense; the move added antispyware software
to its portfolio. However, it will put significant pressure on smaller spyware vendors, such as Lavasoft and
Webroot Software, for which antispyware software is the sole product line. See the December 17, 2004,
Quick Take “Microsoft Rolls Anti-Spyware Into Platform.”

May 12, 2006 © 2006, Forrester Research, Inc. Reproduction Prohibited

Question & Answer | Microsoft Poised To Take A Big Chunk Of The Security Market 6

3
In February 2005, Microsoft remained tight-lipped about its wider antivirus (AV) strategy after announcing
plans to buy server antivirus and antispam vendor Sybari Software for an undisclosed sum. However,
Forrester believed that Microsoft would use the Sybari assets, plus its previous acquisitions of antivirus
vendor GeCAD Software, to ship host security features with both the Longhorn server and client OSes and
with Microsoft Exchange itself — we were right. See the February 10, 2005, Quick Take “Microsoft Gains
Antivirus Momentum With Sybari Acquisition.”
4
As communication channels multiply, organizations are still relying on the same old methodologies and
stovepipe solutions to secure communications. The result? Either stymied mobility and collaboration
or insecure communication, neither of which is acceptable to the CIO. Companies wanting to increase
collaboration but keep content under control need to take a step back to address a wider communication
challenge: Organizations should continue confronting imminent problems now but ensure that today’s
technology choices don’t complicate the securing of tomorrow’s communications. See the April 4, 2006,
Best Practices “Protecting Communication In The Emerging Information Workplace.”
5
In addition to the antiphishing functionality in IE7, the Microsoft Phishing Filter will also be made freely
available in MSN Search Toolbar and Windows Live Toolbar.
6
Source: Windows Vista features: Security (http://www.microsoft.com/windowsvista/features/foreveryone/
security.mspx).
7
Customers may use a variety of enforcement mechanisms with NAP, such as IPsec (host-based
authentication), 802.1x, VPN (ISA Server as third-party VPNs), and DHCP. There are more than 60 third-
party partners that have signed up to support the NAP solution.
8
According to the Common Vulnerabilities and Exposures (CVE) list, there were 75 references to Microsoft
vulnerabilities in 2002, 58 in 2003, 45 in 2004, and 46 in 2005. Through May 1, 2006, there have been 16
references to Microsoft vulnerabilities in 2006. Source: CVE Reference Map for Source MS (http://www.cve.
mitre.org/cve/refs/refmap/source-MS.html).
9
Sources: Common Vulnerabilities And Exposures for Apple (http://www.cve.mitre.org/cgi-bin/cvekey.
cgi?keyword=Apple), Unix (http://www.cve.mitre.org/cgi-bin/cvekey.cgi?keyword=Unix), and Linux
(http://www.cve.mitre.org/cgi-bin/cvekey.cgi?keyword=Linux).
10
As communication channels multiply, organizations are still relying on the same old methodologies and
stovepipe solutions to secure communications. The result? Either stymied mobility and collaboration
or insecure communication, neither of which is acceptable to the CIO. Companies wanting to increase
collaboration but keep content under control need to take a step back to address a wider communication
challenge: Organizations should continue confronting imminent problems now but ensure that today’s
technology choices don’t complicate the securing of tomorrow’s communications. See the April 4, 2006,
Best Practices “Protecting Communication In The Emerging Information Workplace.”
11
Free software and security packages provided by ISPs have dramatically increased consumers’ use of
firewalls and antispyware. See the September 21, 2005, Trends “Consumer Security Suites Gain Traction.”
12
Source: Windows Live OneCare (http://www.windowsliveonecare.com/).

Forrester Research (Nasdaq: FORR) is an independent technology and market research company that provides pragmatic and forward-thinking advice about
technology’s impact on business and consumers. For 22 years, Forrester has been a thought leader and trusted advisor, helping global clients lead in their markets
through its research, consulting, events, and peer-to-peer executive programs. For more information, visit www.forrester.com.
© 2006, Forrester Research, Inc. All rights reserved. Forrester, Forrester Wave, Forrester’s Ultimate Consumer Panel, WholeView 2, Technographics, and Total
Economic Impact are trademarks of Forrester Research, Inc. All other trademarks are the property of their respective companies. Forrester clients may make one
attributed copy or slide of each figure contained herein. Additional reproduction is strictly prohibited. For additional reproduction rights and usage information,
go to www.forrester.com. Information is based on best available resources. Opinions reflect judgment at the time and are subject to change. To purchase reprints
of this document, please email resourcecenter@forrester.com. 39482