August 02, 2012
—
CSO
—
Anti-malware vendor Webroot has bet the company on cloud.
In October of last year, the company stopped selling packaged software and moved to a software-as-a-service (SaaS) model. CEO Dick Williams says the switch improves the customer service model and takes the burden of managing updates off of the end user.
Will that approach help Webroot grow in the ultra-competitive software security market? As part of our ongoing IDG Enterprise CEO Interview Series, IDGE Chief Content Officer John Gallant spoke with Williams about cybercrime, the company's move to SaaS, expansion in the enterprise space, and more.
John Gallant: What is the unique positioning of Webroot in the security market? What makes Webroot different?
Dick Williams: We're taking all the work and hassle out of security, for individuals, for groups of individuals and larger groups of individuals. If you think about it, the security industry is really a lousy business. It's a miserable business in a lot of contexts, but mostly from the context of the actual users, the people who are supposed to be benefitting from it. The security industry is a big industry and yet what's the fastest growing industry in the world?
I assume it would be computer crime.
Cybercrime. It's actually the fastest growing industry in the world, and it's already larger than the security industry in total. And so there are more bad guys now than ever. There's more loss. There's more malicious activity going on. So you step back from it and you say -- hey, wait a second, we're doing something wrong. The motivation now for a criminal to go online as opposed to stand in front of the bank is pretty significant, because the likelihood that they're going to be able to achieve their aims with a very low risk is very significant.
That tells me that the security industry is doing something fundamentally wrong.
It starts with the basic premise that the security industry, particularly the software security industry -- that it's the user's responsibility to ensure that they're well protected.
I'm going to give you a firewall that's going to be very chatty. It's going to be constantly asking you -- should I allow this or shouldn't I allow this? Most of us haven't got a clue, you know. I don't know if I should allow that or not. It's a name that I don't understand. I could block them all, I could look it up someplace but I haven't got time to do that. So most people just click, click, click. You have to keep it updated, and the updates are mammoth.
And yet if you step back from it, the updates aren't really protecting us because the threats themselves have changed fundamentally. The smart guys understand how we protect. They understand how we do things, they understand that it's fundamentally dependent upon us detecting a threat, then decoding it and then creating a signature and pushing that signature out. So most of your threats today are polymorphic threats, and they're very targeted threats. So it's a much smaller population that each one is targeting and [as soon as] they get through, the threat appears differently. And I'll guarantee you that nobody in this industry can create a signature and get that signature pushed out to all of their endpoints in less time than that. So why bother? Okay? And then the inevitable happens and you get infected. You contact one of us within the industry, and the response is -- well, you must have done something wrong, and for $100, $150, we'll clean you up. I mean that's a fundamentally broken model.
With everything prior to October 4th of last year, we were just like everybody else. We did things the same way. We licensed our antivirus engine from Sophos, up through October 3rd we were Sophos' largest OEM customer. And we said -- hey, wait a second. There has to be a better way. We have to take that burden off the user, assume that burden ourselves, and provide a solution that really is all encompassing for the user and doesn't compromise them, doesn't hassle them, lets them... So that's the basic premise and the fundamental difference in the way that we do things. So today now, we provide a single technological platform and a single solution across individual users, groups of users, to large groups of users. It's fundamentally a very lightweight client in cloud implementation and doesn't fundamentally rely upon signatures and certainly not signatures on the endpoint. So it fundamentally is looking for behavior and doing that analysis continually in real time to provide a level of protection that is previously unseen.
So Dick, when you say "looking for behavior" what do you mean?
Looking for the behavior of file activity on your system and asking ourselves -- does that behavior reflect good actions? Or does it reflect the actions of malware? So step back a little bit. Prior to October 4th, we were literally like everybody else. We had a very heavyweight desktop solution for consumers and then we had an enterprise series of products for email security, archiving, web filtering and then a business endpoint protection product, but they all were the same fundamental premise as everybody else. We used behavior analysis to a degree, but it was integrated within a signature-based solution.
And very dependent upon heavyweight clients on the desktop. The typical client on the desktop today is 400 to 500 megabytes. That's why your PC is so slow to start up, every time it does a scan you get bogged down and you can't get the activity you want, and you're very dependent upon constantly pushing those signatures out to the endpoint. Symantec and others take great pride on the number of signatures they create every year, which they should take pride in, but you bear the burden of that.
Right.
What we do today is our client literally is 640 kilobytes. Yet it's a very smart client, it downloads and installs in four seconds, does a complete in depth scan of your system, a total system scan in two minutes or less. In that period of time, it classifies every file on the system. What it does is it creates a hash of every file, sends that to the cloud, looks and determines -- is it known good, known bad or unknown? If it's known good, lets it go, lets it run. But it looks at that specific hash on a continuing basis, so if that file changes we know we have to look at it again. If it's known bad, we eradicate it and we let you know that. If it's unknown, we create a sandbox in your system and let it run in that sandbox. And then we observe the behaviors of that and do a hash of those behaviors, send that to the cloud -- known good, known bad, unknown again. And it's behaviors fundamentally that we're looking for and that we're protecting against. If it's unknown still, it could be a program that you created yourself. We'll let it continue to run in that sandbox, but we continually log all activity that that file does, whether it's registered changes or anything else, so that if you or we determine at a future point in time that it's bad, we just roll it back, rather than requiring a complete system reimaging.
It's amazing to me, having come to the industry seven or eight years ago, that companies today literally budget for reimaging systems.
You stand back from that and say -- wait a second, something isn't working here. Because that shouldn't have to be the default. That ought to be a rarity rather than a common everyday occurrence. And yet you take a look at enterprises and the cost of security and the cost of managing and maintaining that security, it is extraordinarily high today. Consumers are increasingly giving up on it and they don't see any great differentiation amongst the various providers because everybody is getting infected. And so increasingly they are going to the best default free solution, which is Microsoft. Okay? Enterprises have no choice. Enterprises have to protect themselves because the cost of an intrusion is so great and the liability of an intrusion is so great. And there's no CIO or CISO in the world that is willing to go to a CEO and explain how much money he saved by going with freeware now that he's been compromised. And I read an article yesterday that in effect said -- CEOs are not really that aware of the threat in security, and it's not top on their list, which is surprising in some ways, but when you think about all the things that a CEO has to deal with and you think of all the things that a CIO has to deal with, it's one of many. So increasingly, it's being treated as a cost. You ought to be able to take that cost away.
Where do you stand in migrating customers? How many of them are using this new approach and how many are still on the packaged software side of things?
October 4th when we launched our Webroot SecureAnywhere consumer product offering, we made a 100% shift from the packaged software to the new online SaaS-based security solution.