Webroot's big cloud gamble

CEO Dick Williams on the company's move to SaaS and competing for enterprise customers

Anti-malware vendor Webroot has bet the company on cloud.

In October of last year, the company stopped selling packaged software and moved to a software-as-a-service (SaaS) model. CEO Dick Williams says the switch improves the customer service model and takes the burden of managing updates off of the end user.

Will that approach help Webroot grow in the ultra-competitive software security market? As part of our ongoing IDG Enterprise CEO Interview Series, IDGE Chief Content Officer John Gallant spoke with Williams about cybercrime, the company's move to SaaS, expansion in the enterprise space, and more.

John Gallant: What is the unique positioning of Webroot in the security market? What makes Webroot different?

Dick Williams: We're taking all the work and hassle out of security, for individuals, for groups of individuals and larger groups of individuals. If you think about it, the security industry is really a lousy business. It's a miserable business in a lot of contexts, but mostly from the context of the actual users, the people who are supposed to be benefitting from it. The security industry is a big industry and yet what's the fastest growing industry in the world?

I assume it would be computer crime.

Cybercrime. It's actually the fastest growing industry in the world, and it's already larger than the security industry in total. And so there are more bad guys now than ever. There's more loss. There's more malicious activity going on. So you step back from it and you say -- hey, wait a second, we're doing something wrong. The motivation now for a criminal to go online as opposed to stand in front of the bank is pretty significant, because the likelihood that they're going to be able to achieve their aims with a very low risk is very significant.

That tells me that the security industry is doing something fundamentally wrong.

It starts with the basic premise that the security industry, particularly the software security industry -- that it's the user's responsibility to ensure that they're well protected.

I'm going to give you a firewall that's going to be very chatty. It's going to be constantly asking you -- should I allow this or shouldn't I allow this? Most of us haven't got a clue, you know. I don't know if I should allow that or not. It's a name that I don't understand. I could block them all, I could look it up someplace but I haven't got time to do that. So most people just click, click, click. You have to keep it updated, and the updates are mammoth.

And yet if you step back from it, the updates aren't really protecting us because the threats themselves have changed fundamentally. The smart guys understand how we protect. They understand how we do things, they understand that it's fundamentally dependent upon us detecting a threat, then decoding it and then creating a signature and pushing that signature out. So most of your threats today are polymorphic threats, and they're very targeted threats. So it's a much smaller population that each one is targeting and [as soon as] they get through, the threat appears differently. And I'll guarantee you that nobody in this industry can create a signature and get that signature pushed out to all of their endpoints in less time than that. So why bother? Okay? And then the inevitable happens and you get infected. You contact one of us within the industry, and the response is -- well, you must have done something wrong, and for $100, $150, we'll clean you up. I mean that's a fundamentally broken model.

With everything prior to October 4th of last year, we were just like everybody else. We did things the same way. We licensed our antivirus engine from Sophos, up through October 3rd we were Sophos' largest OEM customer. And we said -- hey, wait a second. There has to be a better way. We have to take that burden off the user, assume that burden ourselves, and provide a solution that really is all encompassing for the user and doesn't compromise them, doesn't hassle them, lets them... So that's the basic premise and the fundamental difference in the way that we do things. So today now, we provide a single technological platform and a single solution across individual users, groups of users, to large groups of users. It's fundamentally a very lightweight client in cloud implementation and doesn't fundamentally rely upon signatures and certainly not signatures on the endpoint. So it fundamentally is looking for behavior and doing that analysis continually in real time to provide a level of protection that is previously unseen.

So Dick, when you say "looking for behavior" what do you mean?

Looking for the behavior of file activity on your system and asking ourselves -- does that behavior reflect good actions? Or does it reflect the actions of malware? So step back a little bit. Prior to October 4th, we were literally like everybody else. We had a very heavyweight desktop solution for consumers and then we had an enterprise series of products for email security, archiving, web filtering and then a business endpoint protection product, but they all were the same fundamental premise as everybody else. We used behavior analysis to a degree, but it was integrated within a signature-based solution.

And very dependent upon heavyweight clients on the desktop. The typical client on the desktop today is 400 to 500 megabytes. That's why your PC is so slow to start up, every time it does a scan you get bogged down and you can't get the activity you want, and you're very dependent upon constantly pushing those signatures out to the endpoint. Symantec and others take great pride on the number of signatures they create every year, which they should take pride in, but you bear the burden of that.

Right.

What we do today is our client literally is 640 kilobytes. Yet it's a very smart client, it downloads and installs in four seconds, does a complete in depth scan of your system, a total system scan in two minutes or less. In that period of time, it classifies every file on the system. What it does is it creates a hash of every file, sends that to the cloud, looks and determines -- is it known good, known bad or unknown? If it's known good, lets it go, lets it run. But it looks at that specific hash on a continuing basis, so if that file changes we know we have to look at it again. If it's known bad, we eradicate it and we let you know that. If it's unknown, we create a sandbox in your system and let it run in that sandbox. And then we observe the behaviors of that and do a hash of those behaviors, send that to the cloud -- known good, known bad, unknown again. And it's behaviors fundamentally that we're looking for and that we're protecting against. If it's unknown still, it could be a program that you created yourself. We'll let it continue to run in that sandbox, but we continually log all activity that that file does, whether it's registered changes or anything else, so that if you or we determine at a future point in time that it's bad, we just roll it back, rather than requiring a complete system reimaging.

It's amazing to me, having come to the industry seven or eight years ago, that companies today literally budget for reimaging systems.

You stand back from that and say -- wait a second, something isn't working here. Because that shouldn't have to be the default. That ought to be a rarity rather than a common everyday occurrence. And yet you take a look at enterprises and the cost of security and the cost of managing and maintaining that security, it is extraordinarily high today. Consumers are increasingly giving up on it and they don't see any great differentiation amongst the various providers because everybody is getting infected. And so increasingly they are going to the best default free solution, which is Microsoft. Okay? Enterprises have no choice. Enterprises have to protect themselves because the cost of an intrusion is so great and the liability of an intrusion is so great. And there's no CIO or CISO in the world that is willing to go to a CEO and explain how much money he saved by going with freeware now that he's been compromised. And I read an article yesterday that in effect said -- CEOs are not really that aware of the threat in security, and it's not top on their list, which is surprising in some ways, but when you think about all the things that a CEO has to deal with and you think of all the things that a CIO has to deal with, it's one of many. So increasingly, it's being treated as a cost. You ought to be able to take that cost away.

Where do you stand in migrating customers? How many of them are using this new approach and how many are still on the packaged software side of things?

October 4th when we launched our Webroot SecureAnywhere consumer product offering, we made a 100% shift from the packaged software to the new online SaaS-based security solution.

So you brought packaged consumer customers over to that solution?

Yes. So we immediately quit selling the packaged product solution. In our 2011, what we called Version 7 of the product, we discontinued as of that day. We quit selling it, and the only thing we sell are Webroot SecureAnywhere consumer products, which is 100 percent cloud, 100 percent SaaS solution, for individuals and groups. For existing customers, about three-quarters of them are migrated over. If a customer calls with a problem associated with a pre-existing or a legacy product, rather than fixing that, we merely migrate them.

Makes sense.

I know that's not typical, but from our perspective that made the most sense, because we frankly had to stand up and admit to the industry that what we and everybody else were doing wasn't working anymore. Once you come to that conclusion, I think you're forced to immediately migrate everybody to the new. Okay? And so we've been doing that just as rapidly as we can contact those customers and get those customers to make the migration. At the end of the day, I can't just turn the bits on them, but now that they're in a cloud they're updated every second, every hour of every day. And they don't have to worry about it. And there's no longer any signature files to push down or anything else.

We discontinued our email security line of products at the end of last year. And we did that simply because that whole landscape is changing dramatically. Increasingly email security is being provided by the email security providers, so that industry is rapidly commoditizing and consolidating, as it should. And we felt that the real value add that we could provide is much greater in terms of total endpoint and web protection as opposed to email security protection. So we discontinued that and we've been assisting those customers and those partners over to whatever solutions they want within the industry.

And then in February, we introduced the Webroot SecureAnywhere business endpoint product, which is a superset of the consumer product. And so it adds all of the administrative functionality and so forth that you would require from an enterprise class solution. So what we have now today, for the first time in the industry, is a common technology platform in a common product solution all the way from individuals to groups of individuals to large groups of individuals. Very much like Salesforce did when they came to market. If you remember Salesforce, they came to market focusing on relatively small workgroups or small companies, but the way that they had architected their solution was that there was no right-hand endpoint to it. So on that same common platform and solution, they could handle any size customer. That's exactly the way we've architected our solution. So come February 13th, when we released our business endpoint protection solution, for all intents and purposes, the consumer product came free. Because it is a complete subset of the business solution.

Now, I am fully aware that everybody tried that in the past -- Symantec, a lot of good people tried that in the past and failed. Nothing against them, it's a different point in time today. The threats are different, the miscreants are different, the technology is a whole lot more advanced today and you've got the cloud. For a true cloud implementation, what everybody else is talking about in terms of cloud, whether it's Symantec or anybody else, I call cloudwashing. Because it's not a true cloud implementation, you know, it's using the cloud as a storage or distribution mechanism, as opposed to the real intelligence. Our solution today is a data driven, database driven solution, and ultimately it's that data that becomes the most valuable commodity.

For an enterprise, if someone -- say a senior IT executive is unhappy with their current security solution, why is this the right approach for them to take right now?

Several reasons. Number one, it provides you a higher level of protection.

Higher meaning what?
