Microsoft adds security muscle

The Redmond, Wash., software giant announced this week that it is setting up security response and research operations in Ireland and Japan and launched a preview of a new online Malware Protection Center. The efforts are meant to make Microsoft, a security industry newcomer, more competitive.

"This is significant. It is part of the globalization of our research and response effort," Mark Miller, director of communications for security response at Microsoft, said on Wednesday.

Microsoft is taking on incumbents such as Symantec, McAfee and Trend Micro, the world's top three antivirus companies, to conquer part of the multibillion dollar security market. Industry watchers say Microsoft has done an impressive job building its security organization, though the scaffolding has yet to come off.

"Microsoft is entering a very competitive market and one that is new to them," said Andreas Marx, an antivirus software specialist at the University of Magdeburg in Germany. "It will take several more months until Microsoft's products can be directly compared with those offered by Symantec, McAfee and Trend Micro."

Others think it will take much longer.

"It will take some years, perhaps five, for Microsoft to be up to par," said Andreas Clementi of AV Comparatives, an organization that tests antivirus products. "Microsoft's detection rates are still low compared to other products. OneCare today is more of a system utility." Clementi was referring to OneCare's backup and disk clean-up features.

Together with a team in Redmond, Wash., Microsoft's new Europe and Asia research locations will offer round-the-clock coverage of security incidents. Microsoft started selling its Windows Live OneCare consumer antivirus product almost a year ago. Its Forefront Client Security software for businesses is set to ship in the coming weeks.

The security research and response team at Microsoft, as at traditional antivirus providers, investigates and responds to threats. A primary response is developing the "fingerprints" of known threats, called signatures. These are then sent to customers so their machines can be protected against those risks.

Turning irritation into opportunity
Security used to be just something that Microsoft got hammered on, but five years after Chairman Bill Gates launched his Trustworthy Computing push, Microsoft now sees it as a market it had not previously tapped. Yet, the company recognizes that some may balk at what could be seen as Microsoft turning lemons into lemonade.

"Some of our customers view this a little controversially, in a sense that if we could solve these problems at the root, why is there a need for extra products," Microsoft Chief Executive Officer Steve Ballmer said this week. "We do live in a world in which the bad guys are also getting smarter all the time. It is important to be able to lock the core infrastructure and then protect around it in a way that is a bit more dynamic."

Microsoft first gained antivirus expertise in 2003 when it bought GeCad Software. It has continued to acquire companies and snatch people from established players to gain expertise in the area. The most recent hire is Dan Wolff, formerly of McAfee, who will run the research operation in Tokyo.

The Ireland operation in Dublin is being led by Katrin Tocheva, another recent hire who worked at F-Secure. Microsoft previously hired several other McAfee veterans, including Jimmy Kuo, now a Microsoft senior security researcher, and Vincent Gullotto, now general manager of security research and response at Microsoft.

Marx, who regularly tests antivirus software, has recently noticed "dramatic" improvements in the detection capabilities of Microsoft's OneCare. "In the past it could take days or even weeks for the Microsoft team to add detection of a new worm or bot sample. This has been reduced to a couple of hours," he said.

That's a much-needed improvement. OneCare earlier this year failed an independent test in which Virus Bulletin, backed by a team of U.K.-based researchers, pitted 15 antivirus software packages against a series of viruses. OneCare didn't catch them all.

Although Microsoft's leaps in antivirus detection capabilities may be impressive, they alone are not enough. Today's threats are much broader and include zero-day vulnerabilities, targeted Trojan horses, remote breaches and data loss. Microsoft is far behind in offering protection against those threats, experts said.

"The problem is that Microsoft's functionality is limited in nature," said Natalie Lambert, a Forrester Research analyst. "If it's really concerned about today's emerging issues, enterprise will be better off with a full-suite product from the likes of McAfee, Symantec and Sophos."

Marx also said that Microsoft lacks some key protection technologies.

"Microsoft has not even implemented an e-mail virus scanner in their OneCare product, not to speak about HTTP scanning or proactive detection technologies based on behavior analysis," Marx said. HTTP, or hypertext transfer protocol, is used for Web browsing and behavior-based detection is meant to catch new threats for which no signature exists.

Microsoft itself admits it isn't there yet.

"We're a credible voice in the industry, but we continue to have work to do in improving our response capacity and building out our global team," Miller said. "We're always under construction. The threat landscape is always changing, it is so quickly evolving. We're both built and under construction at the same time."