Five security vendors--Cisco Systems, Check Point, IBM, McAfee, and Symantec--have spent more than $3.7 billion over the past two years acquiring companies and products to support their vision of holistic threat management. This frenzy stems from the spurious notion that your entire infrastructure, your applications, your policies, your processes, and your people can mesh into a unified threat management framework that will ward off intruders, malicious insiders, petulant auditors, and ignorant users.

It's a compelling vision and an ideal goal. It's also impossible.

Threats change, new compliance initiatives emerge, companies launch new businesses that entail new risks, and startups create innovative alternative products. As vendors spend billions of dollars to snap up new capabilities and stitch them together, the market continues to fragment.

Consider Symantec's Endpoint Protection Software, launched with great fanfare in September. Version 11, a complete overhaul of the vendor's host security software, tightly integrates a set of disparate functions--including malware blocking, a personal firewall, host intrusion prevention, application control, and device control--into a single agent.

Endpoint Protection 11 was designed to compete with McAfee's endpoint security software, thanks to improved integration of the various software components and a smaller footprint that consumes fewer system resources than previous versions. However, because version 11 must be installed and the previous version removed, other vendors have seized the opportunity: If a customer is going to pull a product off the desktop anyway, why not look at other options? Anti-malware vendor Sophos, for instance, announced in June that General Electric had chosen its Endpoint Security and Control 7.0 to run on up to 350,000 PCs and servers. What wasn't announced was that GE swapped out Symantec.

There's a strong undercurrent of discontent with the incumbent security vendors, strong enough that large customers are more open to products from what have been considered second-tier vendors, including Kaspersky Lab, Panda Security, and Sophos. "Everyone in the enterprise world is saying, 'I thought this was fixed,' but it isn't fixed," says Nick Selby, research director for the enterprise security practice of the 451 Group. "We are getting infected by things we've never been infected by before."

Big enterprises, Selby adds, can often get better customer service and faster support from smaller vendors, and even more "efficacious product."

A security executive at a publicly traded cosmetics company rattled off a litany of complaints against Symantec AntiVirus Corporate Edition 10.2, including difficulties keeping laptops updated when they were off the corporate network. With Sophos, he reports that 99% of his machines are up to date.

He also says the Symantec product's reporting was horrendous. "Simple things like how many machines are infected or how many viruses did we stop: Without Herculean effort, it was impossible to find that out," he says. Note that independent reviews of Endpoint Protection 11 have described significant improvements in management and reporting interfaces over previous versions.

To be fair, Sophos has also engaged in its share of FUD. John Shaw, the vendor's director of product management for endpoints, claims that customers can't run an older version of the Symantec software while they install version 11, leaving the machines unprotected. Symantec says that's simply not true.

Sophos will have to do more than make claims to topple Symantec, which still leads all security vendors on the desktop, with 38% of the worldwide market for antivirus software, according to Gartner. But GE's move is a punch in the gut for Symantec as well as McAfee, which also has lost at least one large customer to Sophos. And more blows may follow. "GE is just the tip of the iceberg," says Selby.

But the market is demanding far more than just classic antivirus protection as the very nature of threats has changed. Polymorphic viruses and malware can't be stopped by signature matching and require anomaly detection; data privacy regulations require that laptops and smartphones be locked down to prevent data loss, and enterprise customers want to manage it all with a single agent on a laptop run from a single management console.

Top Illustration By Mick McGinty