Cybersecurity: Dumb Users and State-sponsored Cyberweapons
SEE LAST PAGE OF THIS REPORT Paul Sagawa / Tejas Raut Dessai
FOR IMPORTANT DISCLOSURES 203.901.1633/.901.1634
psagawa@ / firstname.lastname@example.org
September 17, 2019
Cybersecurity: Dumb Users and State-sponsored Cyberweapons
Cybersecurity remains a top priority for CIOs, but the nature of threats is changing. Traditional attacks are a known quantity, with prophylactic tech solutions (e.g. firewalls, encryption, etc.) largely commoditized and design, policy and data hygiene (e.g. employee compliance, vulnerability audits, etc.) matters of discipline rather than invention. Still, increasing complexity from hybrid cloud architectures and a proliferation of mobile access points create challenges for taxed enterprise IT orgs who are turning to AI-based continuous security monitoring and to comprehensive access management solutions to cope. An even greater concern today is “cyber-weapons”, typically developed by government intelligence but sometimes obtained by private hackers, designed to exploit specific HW and SW vulnerabilities before they can be patched. These attacks are nearly impossible to anticipate and may be undetected long after damage has been done. Very sophisticated organizations (e.g. GOOGL, CSCO, etc.) employ talented hackers to find vulnerabilities in their own tech (and sometimes in their rivals) before malicious actors can exploit them, quietly implementing patches to close holes. Less capable enterprises must rely on these patches and on 3rd party tools and services to close holes and to detect incursions as early as possible. We see significant upside for pure play cybersecurity names like PFPT, OKTA, CYBR, ZS and SPLNK, where expectations portend a sharp sales deceleration that we believe is unlikely. We are also interested in larger IT names, like IBM, CSCO and VMW, with modest expectations and strong exposure to security.
- Cybersecurity is a big and fast-growing market. The annual global cost of cybercrime is estimated at more than $600B, up 7.7% in 2018. Correspondingly, enterprise spending on cybersecurity is anticipated to rise 11.5% in 2019 to more than $130B, with ongoing growth in annual spending of better than 10% projected over the next 5 years. Within this market is a wide range of tools and services targeted at different aspects of the threat, but no standard holistic solutions for enterprises overwhelmed by the challenge of constructing a coherent defense from ad hoc products.
- Basic defense is straightforward but demands flawless execution. Most enterprises have already deployed standard prophylactic security tech – e.g. firewalls, access controls, data encryption, etc. – generally sufficient to cope with direct threats. However, the largest categories of cybercrime attack human vulnerabilities – unintentional conveyance (e.g. phishing, device theft, etc.), malfeasance (e.g. insider attacks), or negligence (e.g. security compliance failures, etc.) – and the most effective defense starts with organizational policy and discipline, and extends to all trusted parties with access. A single failure, such as a click on a phishing email or a firewall left unpatched, could be catastrophic.
- Fast discovery is key, but expensive. While a well-designed and disciplined cybersecurity system can greatly reduce the risk of a breach, it is impossible to eliminate threats entirely. For those inevitable failures, finding the intrusion, stanching the break, assessing the damage and correcting it as quickly as possible is critical. Left in place, malware can open wider holes, badly damage IT assets and slowly siphon data. Discovery is also difficult and costly – the largest component of security spending. AI tools for monitoring activity and inventorying HW and SW assets are gaining popularity.
- Enterprises must cobble together defense. No two IT implementations are alike, and, despite the demand, vendors have not been able to develop turnkey solutions or even widely adopted standards. Enterprises design their own cybersecurity from point products or rely on consultants to do so. This increases the risk that incompatibilities or misconfigurations could create vulnerabilities. We see substantial opportunity for security specialists to develop more comprehensive solutions that can be adapted to disparate network architectures.
- Hybrid cloud architecture and mobile access adds new challenges. Enterprises are shifting to hybrid cloud architectures that make use of public cloud platforms in concert with their own in-house datacenters. While AWS, Azure and GCP have industry best security, connections from the enterprise into these platforms creates new vulnerabilities that must be defended, and the complexity of hybrid solutions demands more sophisticated security solutions. Similarly, the ubiquity of mobile devices and the rise of unattended but connected IoT endpoints raises the threat exposure many-fold. New tools designed to help cope with these challenges are very promising.
- State sponsored cybercrime is a huge threat for some organizations. There is a breed of very sophisticated attacks that exploit vulnerabilities that have not yet been identified (much less patched) and that are exceedingly difficult to detect. Termed “zero-day” attacks, based on the lack of any forewarning, many of these threats are developed by national security agencies as weapons aimed at rival governments, financial markets, energy infrastructure and other politically and economically sensitive targets. In some cases, these cyber-weapons fall into the hands of thieves or saboteurs who use them to their own purposes. Defending against these threats is extraordinarily difficult. Tech vendors race to find their own vulnerabilities and issue patches to beat zero-day attackers to the punch. Comprehensive monitoring systems to quickly flag and assess unusual activity are emerging. Still, CIOs in vulnerable industries, such as banks, express concern that their best defensive efforts may be inadequate.
- Big opportunity for best of breed products and security consulting. Cybersecurity is really a tale of two markets. Traditional products, like firewalls, anti-virus filters, password authentication, file encryption, and others, are ubiquitous commodities, integrated into applications, network elements and user devices. However, new pressures and threats have created significant opportunities in emerging categories, such as monitoring tools (e.g. ZS, CRWD, SPLK, PFPT, etc.), access management systems (e.g. OKTA, MSFT, CSCO, IBM, etc.), and hybrid cloud integration (e.g. VMW, IBM, ACN, etc.). There are also government security specialists (e.g. LDOS, Palantir, etc.) who also will see major opportunities, but obviously less forthcoming about their work.
- Expectations for security pure plays are muted. While many security names carry hefty earnings multiples, growth expectations are surprisingly modest. Given evidence of strong spending intentions by enterprises, and the high GM nature of software businesses, we believe there is significant upside to stocks in the group. We highlight PFPT, OKTA, SPLK, CYBR, and ZS as particularly well positioned pure plays with very achievable expectations. We also believe that cybersecurity could provide upside for some IT stalwarts with broader businesses, such as CSCO, VMW and IBM. Finally, we see the security environment as beneficial for the leading cloud platform operators, AMZN, MSFT and GOOGL.
The Hacker’s Way
Hacking is nearly as old as computing. As soon as money became an electronic record rather than a physical object, people were contriving ways to steal with a keyboard (or punch cards) rather than a gun. Today’s security landscape is frightening, rife with garden variety cybercriminals phishing for credit card numbers and would-be saboteurs launching denial of service (DoS) attacks, along with even scarier state-sponsored hackers armed with “zero-day” cyberweapons that exploit previously unknown vulnerabilities in systems and can operate undetected for long stretches, siphoning off data or opening new, bigger vulnerabilities. Altogether, cybercrime is estimated to cause more than $600B in annual damage and growing.
Thus, spending on security is large and rising – $117B in 2018, up 12.4% from 2017. However, growth within the market is not uniform. Traditional security tech – firewalls, anti-virus filters, password authentication, data encryption, etc. – is now nearly ubiquitous. This broad acceptance has yielded fierce competition, with much of this functionality now integrated into devices, networking hardware and applications. While this level of cybersecurity can be excellent prophylactic defense against many types of attack, it only takes a single opening, such as a stolen device, a misconfigured firewall, a rogue employee, or a poorly considered click on a spam email, to undermine. The risk is exacerbated by the lack of comprehensive, turnkey solutions – each enterprise must build its own bespoke system of defense.
This puts the onus on execution, and many organizations struggle in the face of new wrinkles such as the transition to cloud computing, the proliferation of mobile devices, and the rise of unattended “Internet of things” sensors on enterprise networks. New AI-based systems can help to monitor traffic, audit user activity, and inventory possible vulnerabilities. Access management systems can organize user permissions and make the authentication process more robust. Consultants can add expertise to the design and implementation of security systems and policies. All of this can reduce the likelihood of successful breaches.
Of course, there is also a rising threat of zero-day threats that cannot be easily anticipated or blocked. The big cloud platforms employ teams of expert hackers to test their own defenses in search of vulnerabilities that can be closed before they are exploited, but few other enterprises can afford to follow suit. The hope is that tech vendors can offer patches to close holes and that if a malevolent actor gets into their network, the breach can be flagged, and the intrusion countered before too much damage is suffered. Even this is a tall order vs. the sophisticated government intelligence developed threats, and CIOs in the most at-risk enterprises – e.g. government agencies, financial firms, energy infrastructure, etc. – are ramping spending on advanced tools and 3rd party services to counter them.
We see significant growth in several cybersecurity categories. First, monitoring and auditing tools to assess security compliance and flag threats offered by companies like ZS, CRWD, SPLK, PFPT, and others. Second, access management systems – e.g. OKTA, MSFT, IBM, CSCO, etc. – and endpoint security solutions – e.g. FEYE, BB, PANW, CRWD, etc. Third, security focused hybrid cloud integration tools – e.g. VMW, IBM, GOOGL, MSFT, AMZN, etc. Fourth, security consulting services – e.g. IBM, ACN, CSCO and others. Finally, specialized products focused specifically on defending against zero-day threats, such as privileged access systems or data containment solutions – e.g. CYBR and others.
More than $117B was spent fighting cybercrime worldwide in 2018, as organizations worked to fend off attacks that cost them over $600B in direct costs and damage. In one sense, this is nothing new, as data theft, business disruptions and other effects of electronic aggression have been making news for decades. But the nature of the threat has changed over the years, with enterprise computing network vulnerabilities extending into the cloud and into employees’ pockets, and with government intelligence joining the fray with nearly unstoppable cyber-weapons. Against this backdrop, annual data security spending is projected to grow at a 9.8% rate to $205B over the next 5 years (Exhibit 1, 2).
Ex 1: Global Cybersecurity Spending Forecast, 2018 – 2024E
By now, most enterprises have taken the basic steps to defend their IT systems. This means firewalls to contain network traffic to designated local environments. It means access management systems with at least password protection (and increasingly, two factor and/or biometric authentication). It means anti-malware software to filter through files and messages sent into the organization. It means encryption for the contents of databases and for any enterprise traffic sent over public network facilities. The tools to provide this level of security are available from many vendors and, often, integrated directly into network gear, applications
Ex 2: Estimated Economic Losses due to Global Cybercrime, 2017 – 2022E
and devices, largely commoditizing the functionality. Still, this tech is largely sufficient to block most hackers trying to make a direct entrance into an enterprise network.
Of course, that is not all there is to it. 90%+ of successful hacks rely on the weakest links in the defense – humans. Devices can be stolen and broken. Passwords can be discovered. Users may click on malware ridden links, messages or website spoofs. Unauthorized software hiding trojan horse entry points might be uploaded to the system (Exhibit 3). Employees may be bamboozled by social scams that enable outside access. IT staffers may fail to keep protections current or leave openings unprotected. Disgruntled insiders may purposely execute or enable costly hacks. Trusted business partners – customers, suppliers, distributers, etc. – may fail to protect their own networks and in the process leave an opening to yours.
For these sorts of threats, the solution is generally not to buy another box or piece of software, but to redesign the policies overarching employee and partner access to the network, implement effective training procedures, and then, monitor and enforce compliance. However, tight policies and strict enforcement often yields inconvenience for users, and thus, dissent and non-compliance. Tech can play a role here. For example, consultants may help design a more rigorous approach and access management systems may reduce the bother associated with more rigorous authentication with biometrics and two or three-factor identification, but mostly, the commitment to cybersecurity must be part of the organization culture.
Ex 3: Enterprises Struggle with Common Vulnerabilities
The tech world changes in long cycles – the mainframe era transitions to the PC era, which now is transitioning to a cloud/mobile era. This generational shift, once largely complete, will eventually yield a period of relative architectural stability but for now, the change presents substantial challenges for cybersecurity, which must keep up or leave the organization vulnerable (Exhibit 4).
Hyperscale datacenters, run by commercial cloud platforms (i.e. AWS, Microsoft Azure and Google Cloud Platform), offer dramatic benefits (e.g. much lower costs, greater flexibility, world-class support, etc.). Most IT departments have begun a long process of shifting workloads into the cloud, typically bridging their on-line IaaS vendors to their existing internal datacenters. While the cloud operators offer best-in-class security to their customers, the expanding set of links in and out of the cloud are vulnerable. The recent CapitalOne data breach is an obvious example. CapitalOne is a banking industry leader in shifting its computing to the cloud and the stolen customer data was taken from AWS via a misconfigured firewall on CapitalOne’s internal network. Once inside, with pilfered credentials, the hacker(s) was able to access the private
Ex 4: Summary of major security breach incidents over the past 2 years
information stored in the commercial cloud. Not really a failure by AWS, but rather of CapitalOne’s struggles to keep pace with its own changing computing infrastructure (Exhibit 5, 6).
Mobile devices present a different challenge. Employees expect to be able to access their work via their smartphones and can be frustrated by elaborate login procedures. The recent addition of biometric authentication via fingerprints or facial recognition makes controlling access a bit easier in theory but going mobile still multiplies the sheer number of access points for the network. One lost phone with an easily guessed password or a phishing email sent to a personal account but opened on a device logged into an enterprise network could be a red carpet for malware or active hacking. Increasingly, applications are being implemented on a more modular basis, with micro-services providing elements of an application as needed to mobile users and team-ware making ad hoc connections between employees and 3rd party partners without central control. These innovations facilitate productivity but dramatically raise complexity for security solutions.
The “Internet of Things” (IoT), an emerging application area that leans on a multitude of unattended devices (e.g. embedded traffic counters, vending machines, weather monitors, fleet vehicles, physical security systems, id tags, etc.) equipped with sensors and connected to the network. These new endpoints could be hacked and require security. That these IoT connections will not be attended by humans leaves them especially vulnerable, as it only takes one access point for a hacker to get in.
Ex 6: Spending on Hybrid Integration Platforms is estimated to double in 5 years
Ex 7: The Top Hybrid Cloud Vendors are the Biggest Targets for Cybercrime
Ex 8: Deeply integrated applications increase the vulnerability factor exponentially
Ex 9: IoT End-Point Installed Base Forecast, 2018 – 2023E
These trends are substantially increasing the complexity of IT networks and thus, raising their vulnerability (Exhibit 7, 8, 9). Moreover, the many variables involved make it impossible for security vendors to develop truly turnkey solutions, leaving enterprises to cobble together their own holistic security solutions combining available building blocks or to hire 3rd party consultants to do it for them. This task is further complicated by a lack of clear broadly accepted standards for security products, introducing the potential for incompatibilities and demanding bespoke solutions for managing security as a single platform.
Over the past decade or so, a new type of hacking has risen to the forefront. Unlike the garden variety digital criminal, these sophisticated operations methodically search for vulnerabilities in their hardware and software products that make up the world’s computing infrastructure. It may be a flaw in the architecture of a chip, like the “Spectre” and “Meltdown” vulnerabilities that allowed rogue actors to access data being processed by an x86 CPU. It could be a minor inconsistency in an operating system that allows a malicious website to take control of devices that visit, like the one Google reported having found in Apple’s IOS. It could be an opportunity to place a piece of nearly undetectable malware, like the Stuxnet Worm, planted in 2007 and not discovered until 2010, that crippled Iran’s nuclear infrastructure. These sort of hacks, exploiting these previously unknown vulnerabilities, are known as “zero-day” attacks, as there is no
Ex 10: Top industries for cybersecurity spending growth based on 5-year CAGR
Ex 11: Federal cybersecurity spending has been experiencing double digit growth
forewarning and, thus, no time to implement a defense and no way have a specific counter ready to go. Insidiously, this class of hacks often operate in stealth mode, compromising the system but acting quietly, stealing data, monitoring activity, damaging assets and other malicious actions in secret.
Much of this is built by government intelligence agencies, with the US, China, Russia, Israel, Iran, North Korea, and others known to be active. The cyberweapons can be unleashed on any strategic target, with rival governments, financial institutions, energy and transportation infrastructure, media and tech standard bearers viewed as particularly attractive targets. Occasionally, this class of threat is developed or acquired by criminal organizations as well. All in, this is what keeps CIOs up at night (Exhibit 10, 11).
Combating state sponsored cyberwarfare is exceedingly difficult. Organizations with enough resources may fight fire with fire, hiring top-notch hackers to scour their technology (and sometimes that of their competition) for vulnerabilities so they can patch them before they can be exploited. The top cloud operations, led by Google, Microsoft, Amazon, Facebook, IBM and a few others, maintain large teams of truly elite security experts hoping to outmaneuver the bad guys. Google stands out as having a strong commitment here, testing not just its own tech but that of rival companies as well, quietly warning 3rd parties of vulnerabilities well in advance of revealing them. A few of the larger security tech vendors – Cisco, VMWare, Intel, and others – also devote significant resources to addressing the threats of state sponsored cybercrime.
Ex 12: Category wise enterprise spending on cybersecurity, 2017 – 2022E
Ex 13: CSCO security segment revenue has been growing by double digits
Ex 14: Snapshot of Financial and Valuation Metrics for Cybersecurity pure-plays
There are also government security specialists, such as Leidos, Palantir, and others, that work to protect government networks, amongst other things. Information on these players is difficult to source, and for the purposes of this piece, we will focus on the commercial market vendors.
Gartner projects overall spending on cybersecurity to grow at a 9.8% average annual pace over the next 5 years, with strength in cloud-based solutions, in access management systems, and in security services (Exhibit 12). IDC echoes this perspective. Against this viewpoint, a basket of 18 cybersecurity pure plays, largely focused in those growth areas, delivered nearly 30% top line growth in 2018, down only 200bp from 2017 and projected to maintain pace in 2019 (Exhibit 13, 14). However, looking forward, despite optimistic industry forecasts and meaningful leverage to the bottom line, consensus expectations drop sharply for 2020 and beyond. We believe that this is shortsighted and expect actual results to trend meaningfully above these estimates (Exhibit 15, 16).
Of this universe, we are fans of PFPT, SPLK, ZS, CBRK, and OKTA. We also see upside to larger IT concerns like CSCO, IBM and VMW, which have focused growth efforts on providing more comprehensive security solutions in the context of hybrid cloud networks (Exhibit 17, 18). We remain bullish on the top cloud platform operators, AMZN, MSFT and GOOGL, each of which has made considerable investment in security technology (Exhibit 19).
Ex 15: Avg. consensus sales estimates for cybersecurity pure-plays are conservative
Ex 16: Best of breed cybersecurity companies have a lot of room to beat estimates
Ex 17: Snapshot of Financial and Valuation Metrics for traditional IT vendors with sizable cybersecurity businesses
Ex 18: Strength in cybersecurity sales should translate in upside surprises for large IT vendors
Ex 19: Summary of Winners in Cybersecurity