
451 -Webroot Impact Report


Impact Report

Analyst: Adrian Sanabria 2 Mar, 2015

Webroot's enterprise offering stretches across three security segments that have been skirting the issue of consolidation for years. Since most next-gen anti-malware and incident-response-savvy threat detection and response (TDR – aka ETDR or EDR) vendors hit the market earlier this decade, one question has lurked: when will this new technology replace traditional antivirus (AV)? Deploying two or even three agents to all endpoints – for the sole purpose of protecting them from malware and attacks – isn't practical for enterprises in the long run. However, traditional AV vendors still enjoy 100% market penetration, and the newer players have seemed forever doomed to 'complementary' status – the enterprise equivalent of the 'friend zone.' The question hasn't been whether consolidation would occur, but when and how. The most recent versions of Webroot's products begin to answer these questions and threaten to bust up traditional AV's monogamy with the enterprise.

The 451 Take

Webroot's willingness to go back to the drawing board on an existing, even successful product line to better compete in the future says much about the company. Tackling the 'Innovator's Dilemma' has allowed it to compete with existing startup innovations, but with the business acumen and existing sales/marketing reach of an established business. Webroot's enterprise push is still in its infancy, so it's still too soon to say whether the gamble has paid off. The company has shown that it intends to keep step with, even lead, the innovation we're seeing come out of startups in the threat detection and prevention space. The challenge for Webroot is in deciding what's next. Continue innovating and pushing for space on the endpoint in a saturated, but largely dissatisfied market? Or follow the likes of FireEye, Palo Alto, Cisco and a smorgasbord of startups and expand its enterprise portfolio into a more holistic threat-focused offering with features such as malware-analysis sandboxes, network forensics and 'big data'-backed security analysis engines?

Context

Webroot started out a very different company. With roots in Boulder, Colorado in the mid-to-late '90s, Webroot was the kind of company that created products that solved the founders' needs – not because there was a gap in a market or to fill an enterprise need. As with other similar tech companies, the individual need translated well to the consumer market. The company was built – the first time – on products such as Window Washer, which addressed performance and privacy issues for general PC owners. The company had all sorts of interesting free tools available for download, including one of the first freely available TCP/UDP port scanners.

In 2002, Webroot took its first step into the anti-malware market with a consumer product called Spy Sweeper. As spyware and adware began to run rampant (basically commercial software borrowing techniques and strategies from malware), Webroot became recognized as one of the premier anti-spyware vendors. The success of Window Washer and Spy Sweeper resulted in the company quickly growing from tens of employees to hundreds over the next few years.

The company's second era was marked by three events. First, it boasted an eyebrow-raising $108m series A from Accel Partners, Mayfield Fund and Technology Crossover Ventures. Second, an undisclosed portion went to the founders, who cashed out and left the company. Finally, Webroot, essentially under new ownership with a decidedly more corporate culture, set its sights and ambitions on the big players in the AV industry. It launched its first full AV product in 2006, followed by a consumer security suite in 2008. Truly aiming for the big leagues, Webroot hired former McAfee and Symantec execs. After growing the company to a level that was competitive with some of the largest AV vendors in the industry, Webroot entered its third, current and most disruptive era.

In the late 2000s, Webroot faced what Clayton Christensen referred to as the 'Innovator's Dilemma' in his book of the same name. The basic premise is that firms are often unwilling to uproot their current models or products for fear of losing their current market and profits. Many companies never make the transition and then slowly die off or become irrelevant. One can make a strong case that this has occurred because the advanced anti-malware and TDR markets wouldn't exist if traditional antivirus vendors effectively challenged these threats when they became commonplace. Webroot realized that signature-based anti-malware approaches were ineffective and decided to rebuild its products from scratch.

In response to this 'dilemma,' Webroot made two key acquisitions in 2010 – BrightCloud and Prevx. BrightCloud's content classification and Web reputation offering was already being used in OEM relationships by many of the top AV vendors, although the VC-funded startup only employed seven people at the time. Prevx had just reached version 3.0 of its popular consumer anti-malware offering. The technology acquired from Prevx and BrightCloud helped Webroot start rebuilding, and the company moved to a larger facility in Broomfield, Colorado; the third era had begun.

Within the current iteration of the company, Webroot has captured a sizable footprint in the consumer market and expanded into small business and enterprise markets. The company claims 10 million direct customers and another 27 million through OEM partnerships and integrations. While the company has only recently targeted the enterprise, it reports 1.5 million business endpoints running its products. With 385 employees, Webroot is a ways away from Kaspersky Lab, Sophos or Trend Micro in size, but a 20% Y/Y growth might be sufficient to catch up in just a few years' time. It is quite a trick to position an anti-malware company to compete with the incumbents and startups in the market at the same time.

Products

SecureAnywhere, Webroot's primary endpoint product, is interesting for a number of reasons. First, the company ships the same binary compiled from the same code to consumers and enterprises. While the licensing determines which features are enabled, the same technology, engine(s) and techniques used at the enterprise level exist at the consumer level. Additionally, a robust management layer is necessary to manage hundreds or thousands of endpoints at the enterprise level. Second, the product has not relied on signatures since 2011, when the company rebuilt it from the ground up. Finally, the product introduces a feature we call automated endpoint remediation that we feel is going to be a big hit with enterprises.

The key technology that enables automated endpoint remediation is SecureAnywhere's ability to record the actions of processes on the endpoint – functionality most commonly associated with the TDR market. Once a process is determined to be malicious, Webroot allows administrators to 'undo' or 'roll back' any changes made by that process – including removing the malware itself. This ability to restore an endpoint to a trusted state has the potential to save enterprises hours of labor and productivity for each infected machine they no longer have to take away from a user to reimage.

Although this puts Webroot in competition with TDR vendors (which is typically complementary with AV and other anti-malware products), the company is more focused on addressing malware on the endpoint as a whole than competing directly in this market. SecureAnywhere's ability to span multiple categories in the endpoint security space allows it to sidestep what we often refer to as the 'curse of complementing.' We believe enterprises become less willing to consider endpoint-based products with each additional agent that must be deployed; call it 'agent fatigue.' Clients are available for Windows (embedded, desktop and server), Mac, iOS and Android.

Webroot offers device-based and user-based licensing models, both as per-year or per-month subscriptions. If licensed by device, a single license will work on up to four devices simultaneously. We imagine the average user will install Webroot's endpoint protection on a corporate-owned laptop/desktop, personal laptop/desktop, mobile phone and perhaps a tablet for the fourth device. In a world where shorter-term subscription models are quickly replacing long-term contracts, we feel it makes sense to license by user rather than product. Sophos uses this approach as well and reports success with it in its target SMB market. Furthermore, as we mentioned in part one of our 2014 state of the anti-malware market series, the lack of consumer-grade 'anti-APT' products is a big concern, considering that work often happens on all of a user's devices, not just the corporate-owned ones. If the attacker understands that work bleeds over into a user's personal devices, you can be sure that we'll see attacks targeting them.

Aside from SecureAnywhere, the company also offers BrightCloud, which retains its name from the original company Webroot acquired in 2010. BrightCloud is a portfolio of threat-intelligence offerings, all tightly integrated into everything the company does and sells. Existing products, whether consumer, enterprise or OEM, feed BrightCloud with threat-related data. The product gathers intelligence in traditional ways as well, with on-staff research teams tweaking and feeding it as it autonomously crawls the Internet, analyzing, sorting and ranking what it finds as it goes. Although Web classification and reputation were the main focus when the technology was acquired, it has been enhanced to include anti-phishing capabilities, mobile app reputation, IP reputation and, perhaps most important for SecureAnywhere, file reputation. While SecureAnywhere doesn't require signatures to determine threats, BrightCloud integration allows it to share what it learns about files and draw on the collective intelligence from a cloud-hosted database fed from all other endpoints. This 'hive mind' approach has been quite popular in the advanced anti-malware product market and seems an effective approach when backed by 'signatureless' capabilities – why waste the computational effort with analysis if we already know the file to be bad?

In addition to integrating with its own products, we've noted BrightCloud as one of the most popular threat-intel feeds integrated into security products. The identity of more than 20 partners is publicly shared. Webroot has also packaged BrightCloud feeds specifically for next-generation firewalls and SIEMs (including Splunk, depending on how you categorize that vendor's products).

Competition

The question of competition for Webroot crosses three markets. In 2014, we explored the anti-malware market and separated it into three categories: traditional; endpoint and network anti-malware protection (aka anti-APT, advanced anti-malware prevention, breach detection, etc.); and threat detection and response. Overlap between them is increasingly common, and we predicted a lot of consolidation across all three categories in the next few years. We stand by that prediction in early 2015, and Webroot is a unique example of the change beginning to take place in this market.

The question remains – can an incumbent like Webroot upset the relationship status of traditional AV with the enterprise? Despite the well-documented limitations of traditional signature-based AV, the latter still enjoys 'clubby' status within the enterprise – it's 100% deployed, and many firms are loath to rip it out. The company is pitching the product as a fully functional anti-malware product, taking the place of a traditional AV offering and what we might call a next-gen or advanced anti-malware prevention product. While the company might not claim to supersede the best of the TDR offerings available today, it is clearly headed in that direction.

In the traditional AV and endpoint-protection space, Webroot competes with McAfee, Symantec, Trend Micro, Sophos, Kaspersky, Microsoft, AVG and a host of others. In the advanced/next-gen category, it competes with Palo Alto Networks (Cyvera), Triumfant, Bit9 + Carbon Black, Confer Technologies, Cylance, Digital Guardian, Votiro and a few others. In the TDR market, its competitors include FireEye, ResolutionOne (formerly part of AccessData), Bit9 + Cb, CounterTack, Cybereason, CrowdStrike, Fidelis, Hexis, Ziften, Tanium and SentinelOne.

Although Webroot has a ways to go before it can match the likes of Bit9 + Cb feature for feature, SecureAnywhere is one of the first products we've seen that can say 'yes' to replacing the traditional AV vendor, while employing a signatureless approach comparable to the next-gen/advanced anti-APT vendor and claiming TDR capabilities as well. Most incumbent AV competitors such as Kaspersky, Trend Micro, Sophos, Symantec and McAfee branched out extensively, adding everything from data-loss prevention to IDS/IPS and SIEM to product portfolios. It is notable, then, that Webroot has so far chosen to stick to its core threat detection and prevention products and hasn't branched out beyond threat intelligence and a secure Web gateway product.

As for the aforementioned automated endpoint remediation capabilities, the only vendors we've talked to that offer something similar include Guidance Software and Triumfant. Of the next-gen anti-malware vendors, only Cylance claims to fully replace traditional AV while addressing advanced malware capable of evading traditional defenses.

SWOT Analysis

Strengths: The ability to address the needs of traditional AV, advanced threats and some endpoint incident response (TDR) capabilities in a single product is rare, if not unmatched, at this point. Users can protect multiple devices with a single license.

Weaknesses: Webroot has no network-based malware sandboxing offering. It has limited capabilities outside endpoint anti-malware, whereas most incumbent competitors offer large integrated suites of security products.

Opportunities: The consolidation of anti-malware capabilities on the endpoint is a significant goal, with the TDR market looking to be the final trophy. From there, a multitude of expansion options are available – network sandboxing, SaaS/cloud security and more comprehensive mobile/BYOD/MDM coverage.

Threats: Webroot's core market, although largely dissatisfied, is commodified and saturated. 451's TIP surveys reveal that switching AV vendors is a challenging and labor-intensive process.

Copyright © 2000-2015 The 451 Group. All Rights Reserved.


Company: Webroot

Other Companies: Accel Partners, AccessData Group, AVG, Bit9, BrightCloud, Carbon Black, Cisco, Confer Technologies, CounterTack, CrowdStrike, Cybereason, Cylance, Cyvera, Digital Guardian, Fidelis Security Systems, FireEye, Guidance Software, Hexis, Kaspersky Lab, Mayfield Fund, Intel Security, Microsoft, Palo Alto Networks, Prevx, SentinelOne, Sophos, Splunk, Symantec, Tanium, Technology Crossover Ventures, Trend Micro, Triumfant, Votiro, Ziften Technologies

Analyst(s): Adrian Sanabria

Sector(s):

Security / Anti-Malware / Anti-virus

Security / Anti-Malware / General

Security / Anti-Malware / Anti-malware suites

https://451research.com/report-short?entityId=84395&tmpl=print
