Cybersecurity: Trust No One
SEE LAST PAGE OF THIS REPORT Paul Sagawa / Artur Pylak
FOR IMPORTANT DISCLOSURES 203.901.1633 /.1634
psagawa@ / firstname.lastname@example.org
February 22, 2016
Cybersecurity: Trust No One
Cybersecurity attacks have been growing more sophisticated in recent years, making headlines with major breaches that have compromised the personal information of millions. However, beefed up spending on security hardware and software have done little to stop cybercrime, as more than 90% of successful breaches result from either human error or complicit insiders. Moreover, very few enterprises have the skills or resources needed to effectively deploy more than basic technology against incursion, and organizations strongly resist the stringent policies, disciplined enforcement and extensive user training that would be the most effective defense. Luckily, basic protections are falling in price and being integrated into general purpose systems, while the coming credit card tokenization may eliminate one of the most tempting targets for thieves. Moreover, SaaS application and IaaS hosting provider brings significant cybersecurity firepower to protect the client data in their care, relieving overtaxed IT departments as enterprises shift their focus to the cloud. With Gartner projecting that global security hardware and software spending growth will slow to just 6% through 2019, we believe consensus expectations for the 13 cybersecurity specialists with cap over $800M are optimistic, and, despite the substantial sell off over the past 6 months, we believe the stocks are generally overvalued. We are particularly concerned for companies with expectations for meaningful sales acceleration (VRSN, FFIV, QLYS), companies expected to sustain hyper-growth over the next 3 years (FTNT, FEYE), and companies expected to significantly expand margins in an increasingly competitive sector (CHKP, SYMC, VRSN).
- Hackers gonna hack. 2015 saw 781 high profile data breaches in the US, the 2nd most since the ITRC started tracking them in 2005. Theft for financial gain remains the overwhelming motivation, despite growing fear of hack-tivism and state-sponsored cybercrime. Increasingly, hackers are part of highly sophisticated organizations, able to quickly monetize breaches. Credit card theft is waning on heightened financial industry attention and should decrease further as tokenization becomes commonplace. In their place, social security thefts, which enable many avenues of illegal gains and are much more difficult for consumers to discover and resolve, are the new threat, with 164.4M records stolen in 2015, accounting for more than 40% of total breaches. In all, the annual cost of incursions is estimated at $400B by Lloyds of London, which last year underwrote $2.5B in policies to protect against cybercrime.
- IT security spending ineffective. Spending on data security hardware and software has grown at an 9.5% rate over the past 3 years to little avail. Most all organizations now protect their networks with basic measures – firewalls, anti-malware protections, spam filters and VPNs – products that are now largely commoditized. More elaborate defense tools are expensive and require dedicated skilled personnel to deploy and monitor properly. Few enterprise IT departments have these resources. In this context, spending on security products slowed in 2015, according to Gartner, and is expected to slow further in 2016 and beyond.
- The problem is people. More than 90% of successful breaches rely on human error or complicit insiders, bypassing external defenses through social engineering techniques, like phishing, to install malware that facilitates data theft. The best way to combat these approaches is through tight security protocols, disciplined enforcement and extensive user training. Unfortunately, the safest policies are also the most intrusive on employees and most organizations find enforcing them extremely difficult.
- Some help is coming. Moves toward credit card tokenization and biometric authentication make certain forms of cybercrime much more difficult and far less lucrative. We also believe that the shift toward SaaS applications and IaaS hosting have important advantages for data security. 1. Homogenous architectures that are MUCH easier to defend than enterprise nets. 2. Proprietary security software that is more difficult to probe for vulnerabilities. 3. The best security talent in the industry designing their security systems and policies, and available to quickly address threats. 4. Much greater discipline than enterprises in administering sound security policy. 5. Massive amounts of usage data for threat assessment analytics based on cutting edge AI techniques and huge computing resources. 6. Security is included within most SaaS and IaaS bundles, reducing costs. Given all of this, we believe security concerns will hasten the migration to the cloud, with high risk applications, like e-mail and customer record keeping, particular candidates.
- Security stocks risky. In this context, spending on commercial security hardware and software has begun to decelerate, with 6.4% annual growth forecast through 2019. This is in contrast to the 17.8% growth expected by consensus for the 13 largest security product specialists for 2016, every one of which is expected to expand margins as well. The market is even more bullish, assigning a rich 4.9x sales multiple to that group despite sharply slowing growth in 2015. Broadly, this is far too optimistic. Similarly, security products are a major part of the resurrection narratives pressed by old paradigm names like IBM, CSCO, JNPR, INTC, and EMC. We are skeptical.
- The biggest losers. We see risk outweighing opportunity for the group, with particular caution advised for stocks expected to show a sharp reacceleration in sales growth – VRSN, FFIV and QLYS. We are also concerned for high multiple data center security appliance makers expected to sustain their recent growth rates despite a deteriorating market – FTNT, FEYE. Finally, we are skeptical that older, slower growing security names – CHKP, SYMC, VRSN – can deliver against projections of sharply higher margins.
- Opportunities. While we see the cybersecurity market stalling, PANW and CYBR have been significant share gainers that have been able to buck recent trends toward deceleration and quarterly disappointment. Moreover, with traditional IT vendors like IBM, CSCO, and others looking to security as a growth driver for their otherwise moribund businesses, M&A remains a very realistic outcome for companies perceived as leaders. We also note that the inability of most enterprise IT shops to cope with the challenges of a holistic security strategy opens opportunity for 3rd party security services, a category projected to grow at a 9% CAGR. Here there are no pure play investments, but larger IT services organizations like ACN could see a boost.
All Your Base Are Belong to Us
Many enterprises are finding that data security cannot be easily bought. Last year, US organizations spent an estimated $32.2B on security, with the budget having risen at a 9.5% CAGR over the past 3 years. However, this spending seems to have done little to deter the bad guys – 2015 was the second worst year on record for data breaches in the US, with 781 major incursions and an estimated overall cost to the economy of $100B. Lloyd’s of London suggests the global cost of hacking and data breaches is $400B. Most enterprises have the basics – the penetration of firewalls (91%), spam filters (88%), anti-virus software (83%) and VPNs (81%), is high – but the challenges of mounting a more effective and comprehensive defense are formidable.
Modern enterprise networks are vast and heterogeneous, with many, many points of potential vulnerability. Cataloging and managing all of these entry and exit points is a huge job, even with the help of sophisticated software tools such as Security Information and Event Management (SIEM), Data Loss Prevention (DLP), or Advanced Threat Assessment systems, that could help organize the task. Few IT organizations report having the resources or the talent to use these tools appropriately. Moreover, 90% of successful breaches come from either human error or complicit insiders, difficult to prevent without very tight security policies with substantial burdens for employees and costs for monitoring.
In this context, and with evidence that commercial tools beyond the standard measures may be ineffective given organizational constraints, enterprise security budgets have begun to decelerate, with 3rd party services, that might help beleaguered IT departments make better use of the security products they already have, taking a bigger role vis a vis hardware and software. Gartner projects that the market for security hardware and software will grow at just 6.0%/yr through 2019, with services a bit faster at 9.8%. Meanwhile, expectations for security stocks remain aggressive, despite the 13 largest names by cap having sold off 13.9% over the past 6 months. These companies are projected to grow sales at an average of 17.8% in 2016, and carry an aggregate 4.8x sales multiple on typical operating margins of 6.8%, even after the selloff. 4Q15 earnings season highlighted the risk in the group, with weak guidance from the likes of FEYE, CYBR, FFIV and IMPV hitting the battered sector.
We expect more pressure this year, with a shakeout separating winners and losers. High priced software names, like SYMC, VRSN and QLYS, and data center security appliance makers, such as CHKP, FFIV, FTNT and FEYE, are likely to be vulnerable. Interestingly, we believe that disillusionment with commercial security solutions will become a major selling point for larger SaaS application vendors, such as CRM and MSFT, and for IaaS hosts, like AMZN and MSFT, as these companies have the sophistication, organizational discipline and resources needed to mount superior defense against cyber-threats and can bundle that protection with their hosted services. We also see security consulting services, often called in on a forensic basis after a major breach, as a sustainable growth market. Unfortunately for investors, most security consulting practices are private, or a small part of a much larger organization, like IBM, ACN, or CSCO.
Playing a Game That’s Already Lost
The Identity Theft Resource Center (ITRC) has been tracking publically acknowledged systems breaches since 2005. In 2015, there were 781 major incursions in the US, roughly flat YoY, but up more than 85% since 2011 (Exhibit 1). According to the ITRC, 2014 had been the “year of the credit card breach” with more than 64 million credit and debit card numbers stolen, spurring dramatic action by banks, card nets and merchants to plug the holes and restrict the ability of thieves to profit from stolen credentials. A year later, credit card thefts had fallen to less than a million card numbers, as hackers moved on to Social Security Numbers, bagging more than 164M SSNs in 338 breaches, including a brazen hack on the US Office of Personnel Management that nabbed the personal information for 22M US government employees and contractors.
Exh 1: Data Breaches by Type, 2007-15
Social Security Numbers are a goldmine for cybercriminals. Not only these credentials used as primary identity for billions of dollars of transactions, but SSN fraud typically takes much longer to discover and is much harder and more painful for consumers to resolve. Moreover, the financial industry moving toward tokenization, which would render stolen credit card information useless, while the US Government has no plans to provide greater security to its antiquated 9-digit SSN format. Notably, organized criminals used stolen archived tax returns to claim and intercept more than $50M in IRS tax refunds from nearly 350,000 US taxpayers in 2015 (Exhibit 2).
Exh 2: 2015 Major Hacking Incidents
While financial gain remains the primary motivation for cybercrime, enterprises must also be prepared for other types of attacks, including social warrior “hack-tivism”, industrial espionage and sabotage, and state-sponsored cyber-warfare. Impacts could involve the interruption of operations, the destruction of data assets, the theft of intellectual property, or even executive blackmail. The widely reported breach of the Sony Motion Pictures email system is an obvious example of this new type of threat.
He’s Got This Ultimate Set of Tools
Despite advances in computing technology over the past several decades, the majority of data breach incidents still rely on old-fashioned hacking techniques, most of which exploit human error or cooperating insiders. Verizon’s Data Breach Investigation report that covers 79,000+ incidents including 2,100+ confirmed data breaches across 70 organizations operating in 61 countries, found that 90% of all incidents were the result of human aided breaches (Exhibit 3). IBM’s study covering the same period contends the figure is even higher at 95%. PEBCAK (Problem Exists Between Chair and Keyboard) and ID-10T (Idiot Error) are security vulnerabilities that are very difficult to control for given an organization’s people typically have to interact with entities and systems both inside and outside the organizations.
Hacking at its core is a term used to describe the actions taken by a party to gain unauthorized access to a computer. Typically, it involves finding weaknesses or pre-existing bugs in the security configuration of system in order to gain access. It could also involve installing malware or a Trojan Horse to enable a backdoor to enter a computer and search for information. Large enterprises typically have thousands of entry points into their networks, consisting of hundreds of different device types, some of which may not be entirely under the control of the IT department. If known vulnerabilities are not immediately remedied across every device on the network, hackers can find them and lever their way in. Hardest to defend are the “zero-day” hacks, which attack previously unknown vulnerabilities, perhaps discovered by hackers who have backward engineered commercially available hardware or software.
Exh 3: Incident Classification Patterns, 2015
Social Engineering hacks attempt to gain access to systems through trickery. The most common type of social engineering is Phishing, which involves fake emails, texts, websites or other electronic communications that are designed to look like they are from authentic sources, often presented as a call for urgent action that would require entering confidential information, such as usernames and passwords, that could be used for broader access to the system. Social engineering can also be more direct – one major recent breach stemmed from a hacker who was able to convince an IT manager to open a data port by posing as the CEO over the telephone and using knowledge of the CEO’s travel schedule as a pretext. Hackers have been known to leave USB drives printed with the company logo in offices with hope that a curious employee plugs it into a computer to see what is on it.
Often social engineering is used as a vehicle to install Malware. These are compact software programs that interact with other software on a computer to change the functionality of the system, often providing an unobtrusive backdoor for a hacker to enter the system and work from there. Malware typically employs a combination of techniques to avoid detection, including fingerprinting the environment when executed, changing server used to confuse anti-malware software, deploying during vulnerable periods like the boot process, and obfuscating internal data. Increasingly, Ransomware, malware programs that lock computers and encrypt the data, has been common. Cybercriminals will demand ransom, typically to be paid in untraceable Bitcoin, to unlock and decrypt the systems.
Botnet describes a collection of software robots that infects an army of computers, aka ‘zombies,’ and are remotely controlled by the originator. Botnets can be used to send spam emails, spread malware, and could also utilize a computer to be used as a resource in a denial of service attack on another system. Like other hacking methods, this relies on an unsuspecting victim to click on a link.
Distributed Denial of Service Attack (DDoS) is when a malicious hacker can assemble a network of botnets (or unsuspecting computers) to sabotage a website or server. The hacker essentially has this network of botnets call on a website or server continuously with the aim of overwhelming the targets ability to respond to requests. The result is that legitimate users are locked out of using enterprise computer systems, often for hours at a time.
Attacks have grown more sophisticated. One campaign named “Dyre Wolf” by IBM researchers employed a complex mix of all of these tools. The attackers targeted individuals working at specific companies with emails containing malware that would lie in wait until it became obvious a user was trying to logon to a bank website. Once an unsuspecting user was trying to logon to their bank account, the malware would launch a fake screen telling the user the site was not available and instructing the user to call a phone number controlled by the hackers. Victims were fooled into believing they were calling their bank and shared banking details setting off large wire transfers. The hackers then moved the money between banks to avoid detection and launched DDoS attacks on the victims to make it impossible to uncover the theft until hours later.
The Bad Guys
Over the last decade, cybercrime has evolved from an activity typically carried out by individuals alone to an organized activity committed by groups of people with nefarious intentions and substantial financial resources. The landscape of threats now includes individuals, hactivists, organized criminal organizations, terrorists and even state actors. Each has different aims with most individuals and organized crime actors interested in financial gain. Some individuals are not as motivated by financial gain instead seeking to gain notoriety, visibility, or other intangible form of satisfaction. Terrorists meanwhile intend to degrade, destroy, disrupt, deny, or deceive their targets. Relatively new on the scene are state sponsored hackers who emerged in the over the past few years. Countries like Russia, China, as well as cartel-controlled Central America, maintain sophisticated hacking operations according to the intelligence community.
According to a paper from the RAND Corporation, hacker black markets have emerged offering a broad menu of goods and services including credit card data and services to facilitate a full lifecycle of an attack. Some of these underground organizations can reach 70,000-80,000 people, while others have hard to access tiers with vetted participants and strict rules. Within these markets the skill level of criminals varies from a person with basic computer literacy hacking an individual to a mastermind who can breach an organization and broker various pieces of information from a single breach to several parties. Like most legitimate organizations, the structure of a cyber-criminal organization follows a pyramid with highly skilled administrators and subject matter experts at the top. Intermediaries/Brokers who can vary in sophistication and knowledge of the operation are in the middle, while less sophisticated witting and unwitting mules make up the bottom.
Given the range of actors and speed at which cybercrime has evolved, public policy and laws have lagged in most jurisdictions. The US still lacks a comprehensive national strategy on cybercrime, with various agencies like the Departments of Defense, Homeland Security, and Justice taking different approaches. There is no lead investigative agency for cybercrimes and there is no unifying definition for cybercrime at the federal level. The term is broadly applied to activities of cyber criminals and malicious actors whether their motives are for profit, espionage, or terrorism. While the Department of Justice prosecutes some cases under the federal computer fraud statute, getting accurate statistics is difficult given cybercrimes are prosecuted under a myriad of laws including federal fraud, identity theft, illegal intercept of electronic communications, access device fraud, illegal access to stored communications, copyright infringement, and counterfeit products/trademark infringement statutes.
The Defensive Line
Gartner separates the $84B global data security market into hardware, software and services products. On a constant currency basis, spending has decelerated over the past two years, with further deceleration projected for this year to 8.5% growth (Exhibit 4).
Hardware is the smallest portion of the security market at about $10.7B and is comprised of security appliances like firewalls, unified threat management products, intrusion protection systems, VPN appliances and secure routers. Firewalls are systems that monitor and control the traffic entering and exiting an enterprise network, flagging and/or blocking data packets that do not adhere to preset rules. Typically, firewalls are implemented as dedicated hardware devices, although the functionality can be delivered as software running on generalized computing or networking hardware. Firewalls can also be combined with other security tools, such as anti-virus software, spam protection and content filters, in products categorized as Unified Threat Management (UTM). Most Firewall appliances now also integrate Virtual Private Network (VPN) capability, which extends on-premises security to remote users via real time wire speed encryption, damping the demand for stand-alone VPN hardware. More advanced security solutions may include secure routers, which feature dedicated encryption capability within the network and across VPNs and often integrate full firewall capability. More advanced firewalls may include Intrusion Protection Systems (IPS), which inspect not just the format and addressing of each data packet, but the contents as well, enabling much more sophisticated threat identification and resolution tools. Despite the increasing sophistication of the threats, NSS Labs reports that demand for stand-alone IPS equipment is shrinking, as enterprises lack the talent or budget to implement, monitor and maintain these systems.
Exh 4: Projected Global Security Spending, 2013-2019
Security Software spending was $22.9B in 2015, of which, $5.1B was for consumer security products. Of the $17.8B spent by enterprises, $3.4B was on Identity Access Management (IAM) products used to manage user accounts and authenticate user access across multiple systems. With the growth of cloud-based computing resources, IAM challenges are expanding and spending in the category is likely to grow. The remaining $14.3B in security software is categorized as Infrastructure Protection. Data Loss Prevention (DLP) software inspects content according to policies and can execute responses ranging from simple notifications to active blocking. Endpoint Protection includes anti-malware tools, personal firewalls, and mobile security apps installed at the device level. Security Information and Event Management (SIEM) products provide the ability to process near real-time data from security devices and systems to determine if events of interest occurred, as well as reporting and analysis tools to evaluate the performance of security systems. Gateways scan email and web traffic for viruses and malware, as well as blocking certain content according to company policy and monitoring for data leaks. Security testing software scans for application and source code vulnerabilities
Services is the largest category of spending, at more than $50B annually, and is expected to outgrow hardware and software investment by 300bp per year through the end of the decade. Services broadly include consulting, implementation, hardware support, and IT outsourcing. Consulting and Implementation are the largest but also least specific categories with over $33B in spending going to advise businesses on security strategies and customizing solutions. A portion of this spend includes diagnosing and responding to cyberattacks after they have happened. Much of this growth in services is expected to come from outsourcing contracts that give 3rd parties day-to-day responsibility for managing security assets and processes. Gartner reports that these contracts currently cover half of all spending on security hardware and software, a figure that is expected to expand to 80% by 2019.
Exh 5: Security Products in Use, 2015
What’cha Gonna Do When They Come for You?
The very large majority of enterprises have already deployed basic security measures – 91% report having firewalls covering all external ports, 88% employ spam filter gateways to quarantine questionable email, 83% run anti-virus software to seek and nullify known malware, and 81% use VPN technology to extend on-premises security to devices accessing the network over the internet (Exhibit 5). A 2015 study by the Poneman Institute found that 64% of companies surveyed used encryption to protect sensitive data, with 43% of US companies employing a consistent encryption strategy applied across their entire business. As penetration of these protections has risen, the cost to implement them has dropped, and many security functions have been integrated into system hardware, infrastructure software and applications.
More advanced tools, such as IPS hardware or SIEM software, are a different story. Most CIOs surveyed reported that they did not have sufficient resources to implement or manage these complex systems due to either budget constraints or an inability to find staff with the appropriate skills. Only organizations placing an unusually high priority on IT security, usually due to regulatory compliance requirements (e.g. financial services, health care) or previous breaches (e.g. the 2014 credit card thefts at major retailers), are typically willing to fund their security infrastructure at this level.
We note that the ongoing shift toward SaaS applications and IaaS cloud hosting will relieve IT departments of some of the responsibility for security. Cloud operators are well equipped to combat cybercrime, typically employing well designed proprietary security solutions including cutting edge AI-based predictive tools, crack security engineering teams and tight security policy discipline to defend their clients’ data. With time, we believe that the cloud era will seriously dampen demand for commercial security products.
Exh 6: Most Valuable Security Practices, 2015
Moreover, with 90% or more of all successful attacks hinging on either human error or complicit insiders, IT managers see end user security awareness training as the most valuable tool available to them, with a policy requiring strong (mix of lower case, upper case, numbers and symbols) passwords coming in a distant second (Exhibit 6). The problem is that IT managers may understand that the problem is in policies, rather than products, but monitoring employee behavior and enforcing tight data security processes meets strong resistance within many organizations. Strong passwords unique to each system are difficult to remember and cumbersome to re-enter when asked to reconfirm authorized credentials. Multi-factor authentication, using hardware generated one-time passcodes or biometric identification, is even more intrusive for users. Very strong filters may reject valid messages or web sites and slow down system performance, vexing to employees using computers on the network. Senior management must adopt data security policy as a priority and drive compliance through the organization – employees are likely to resist behavioral dictates from the IT department alone.
What Does It Mean?
The utility of more sophisticated security solutions is compromised by the unwillingness and inability of enterprises to staff IT departments sufficiently, and by resistance to more rigorous security protocols across the organization. In this context, the perception of demand by companies selling these products is colored by an enthusiasm from the IT department that is not backed by the broader leadership. Hence, consensus sales expectations for the top 13 data security technology companies, cued by confident guidance and management commentary, project 17.8% sales growth collectively for 2016 – far in excess of the 6.2% security hardware and software growth projected by Gartner and a sharp re-acceleration from the 14% growth that they delivered in 2015. This disconnect reminds us somewhat of the dynamic driving telecom equipment forecasts at the height of the Internet bubble. On one hand, network engineering departments were telling suppliers that they wanted more equipment, but on the other hand, budgets could not be funded to pay for it – POP!
Exh 7: Cybersecurity Names and Consensus Expectations
In this context, we believe that expectations and valuations for data security specialists are overly aggressive. In some cases – Verisign, F5 Networks, and Qualys – consensus projects sales to reaccelerate over the next 3 years, while others – Checkpoint Software, Fortinet and FireEye – are merely expected to sustain their trailing 3-year growth rate for another three years. Additionally, despite signs of commoditization in the highest volume areas of security, these 13 specialists are all expected to expand margins over the next three years, including relatively mature businesses like Checkpoint, Symantec, and Verisign. These are red flags in any circumstances, and particularly so, given top down forecasts for slower spending in the industry, the ongoing integration of security functionality into general purpose networking and computing platforms, and the shift to the cloud.
While the market has expressed concern for the group, taking the average market cap down 13.9% during the past 6 months amid the general TMT sell off, valuations remain rich considering the business risks. The average P/S multiple is 4.9x (Exhibit 8). Only 6 of the 13 delivered clear revenue beats in their most recently reported quarters, and of those, only Proofpoint, Arista Networks and Palo Alto Networks managed to cap their strong quarterly results with positive guidance.
Exh 8: Cybersecurity 6-mo Performance and Recent Quarter Surprise
The Cybersecurity Names
Check Point Software (CHKP) is the largest security pureplay trading at about a $14B cap. The company was established in 1993 focusing initial product development on firewalls and developed one of the world’s first VPN products. CHKP has been fairly active in M&A, acquiring Nokia’s security business in 2009 and taking out a handful of security startups over the past few years. The company’s alumni have gone on to found their own security companies including Imperva and Palo Alto Networks. CHKP offers a diverse set of security products including data center appliances such as firewalls and intrusion prevention systems, software products that include anti-malware, secure gateways, endpoint protection, policy management, threat prevention, zero-day protection, and DDoS protection. With about half of its revenue coming from hardware, we see the company as exposed. Trading at a 9.1x trailing P/S ratio with just 6.4% projected 3-year sales growth, we also see Check Point as particularly expensive.
Symantec (SYMC), which just completed the spin out of its Veritas information management business to Carlyle Group last month, focuses on security software and services. It has no hardware offerings and categorizes its products along the lines of Threat Protection, Information Protection, Cyber Security Services, Internet of Things, and Website Security. Products include traditional endpoint anti-malware software, data loss prevention, advanced threat protection suites, as well as consulting and outsourcing services. While the stock may see some near term upside because of the special dividend, Symantec’s core business is rapidly commoditizing. Consensus expectations anticipate substantial improvement in operating margins, potentially anomalous given simultaneous projections of declining sales. Symantec sports one of the lowest trailing P/S multiples in the group at 3.3x, but even so, may be overvalued.
Palo Alto Networks (PANW), which was founded in 2005 derives about half of its revenue from security appliances which include firewalls. Among its software offerings are endpoint and cloud protection software suites, dubbed Advanced Endpoint Protection and Threat Intelligence Cloud. The company also offers a range of consulting services including application traffic management, solution design and planning, configuration, and firewall migration services. Palo Alto is the fastest growing company in the sector, having just posted 55% sales growth over the past 12 months, with 44% growth anticipated for 2016. Its trailing sales multiple is the highest in the group at 11.8x, but its rapid growth puts its forward P/S below both Check Point and Verisign. While PANW is at risk to future group level sell-offs, we believe it is positioned to take considerable market share going forward.
Verisign (VRSN) is mostly known for being a domain registrar, but it also offers several security services given its expertise in domain names and management of 2 of 13 DNS root servers that carry the authority of assigning names on the Internet. Its security services are subscription-based and cover DDoS attacks, cyber intelligence, and managed DNS hosting that improves the availability of web-based systems. Aside from the managed DNS hosting, VRSN’s other offerings are not differentiated and compete with existing offerings and can be displaced by IaaS or SaaS solutions. Verisign has been on a run of late after delivering an upside surprise for 4Q15 and offering confident guidance for 2016. That said, an 8.3x sales multiple will depend on the company’s ability to expand its already rich 57% operating margins, given expectations for low single digit sales growth over the next 3 years.
F5 Networks (FFIV) is fundamentally an application delivery networking company that has focused on load balancing products and application delivery controllers, but also offers a range of cybersecurity products and services. Its BIG-IP DNS platform of hardware and software uses a proprietary traffic management operating system (TMOS) to deliver multiple functions on a single unified platform. BIG-IP product modules include application security management, edge gateways, access policy management, firewall management, malware protection, and IP intelligence. FFIV makes firewall and intrusion prevention system hardware and also distinct security products and services covering identity access management and data center security. In addition to secure web gateways, it offers DDoS protection, web fraud protection, intrusion prevention services and SSL protections. We see FFIV at risk as data center spending declines and webscale cloud operators design their own proprietary solutions. Expectations for the company came in after management issued soft 2016 guidance, but we remain concerned that forecasts for a reacceleration of sales growth beyond this year are optimistic.
Fortinet (FTNT) is a network security specialist offering a broad array of hardware, software and services to facilitate unified threat management. Founder Ken Xie is a well-known character in the security community having previously founded and sold several security companies, including NetScreen, which he sold to Juniper for $4B in 2000. FTNT’s Fortigate is the company’s flagship platform consisting of physical and virtual appliances that serve a broad range of security functions including firewall, VPM, anti-malware, intrusion prevention, application control, web filtering, anti-spam, document loss prevention, WAN acceleration, and WLAN control. It further offers secure gateways, DDoS protection, and identity management products. The company is notable for its series of share buyback programs, with the latest round of buybacks consuming nearly all free cash flow in the latest quarter. Buybacks against the backdrop of a growth company are a red flag. Consensus believes Fortinet can sustain near 20% sales growth while making a substantial leap from low single digit operating margins to almost 15% for FY16. We are very skeptical.
Arista Networks (ANET) is a networking solutions provider focused on software-defined networking (SDN) via proprietary software and switches. Its core offering is the Extensible Operating System (EOS), which along with switching hardware, offers some integrated security features such as traffic monitoring and firewall security rules. Arista is led by CEO Jayshree Ullal, CSCO’s former head of Data Center, Switching and Services. Not surprisingly, the company has been embroiled in a series of lawsuits from CSCO claiming patent infringement. Meanwhile, Arista’s sales have been humming along, up 43% last year and projected to rise 27% in 2016. The company has regularly thumped consensus forecasts, beating on both sales and earnings in each of the last 4 quarters. The P/S multiple is a sane 5.3x times trailing, perhaps depressed by the ongoing legal battles. We see a reasonable likelihood of Arista prevailing in its patent suits, and as such see it as a rare value in the group.
FireEye (FEYE) is a security pureplay offering vector-specific appliance solutions that provide threat protection from network to endpoint for inbound and outbound network traffic that may contain sensitive information. Its threat prevention solutions include appliances covering the Web, email, endpoint, file, and mobile threats. Additionally, the company provides Forensics analysis tools that allow forensics teams to manually execute and inspect advanced malware, zero-day, and other advanced cyber-attacks embedded in files, email attachments, and Web objects. It also offers a range of emergency and assessment services via Mandiant, which it acquired in 2013. FireEye has missed sales expectations for two quarters running, and its 2Q 15 guidance in July sparked the whole group to sell off. Despite the disappointments, consensus still expects big things of FEYE, forecasting sales growth of 25% per year through 2019 with losses turning to profits by 2017.
Proofpoint (PFPT) provides threat protection, incident response, regulatory compliance, archiving, governance, eDiscovery, and secure communication solutions. It offers SaaS and on-premise based security solutions, though focuses more on delivering via the cloud dubbing its offerings as Security-as-a-Service. It currently has partnerships with large strategic partners like IBM, Microsoft, and VMWare for distributing its products. Proofpoint has delivered very strong results – regularly surprising on sales to the tune of nearly 36% TTM sales growth – but has little room for error given expectations that it can sustain better than 30% growth annually through the end of the decade.
CyberArk (CYBR) develops, markets, and sells software-based security solutions to protect organizations from cyber attacks and focuses its offerings around privileged access solutions. Offerings include an enterprise password vault, secure SSH key manager, privileged session manager and privileged threat analytics. The company also provides an application identity manager and on-demand privileges manager to limit the breadth of access of Unix/Linux administrative accounts and restrict them from performing commands and functions. CyberArk has crushed both sales and earnings estimates over the past four quarters, has relatively reasonable consensus growth and margin targets, and trades at 5.5x forward sales multiple.
Imperva (IMPV) focuses its solutions on protecting business critical data and applications in the cloud or on premises. It offer three basic product lines: SecureSphere, Incapsula, and Skyfence. SecureSphere is a platform providing database, file, and Web application security in various data centers on premise and in the cloud. This platform offering also addresses regulatory compliance and data risk management needs. Incapsula is a cloud-based application delivery service protecting websites from distributed denial of service (DDoS) attacks, as well as firewall services, load balancing and and a content delivery network. Imperva’s Skyfence is a cloud access security broker that provides visibility and control over sanctioned and unsanctioned cloud apps. Imperva has been a fast grower, posting 43% sales growth in 2015, but was recently hit on soft guidance for 2016.
AVG Technologies (AVG) offers software and online services, such as security, PC optimization, online privacy, cloud-based desktop management, mobile security, content filtering, remote monitoring, and other products on various desktop and mobile operating systems. The company offers various consumer suites for core protection, including anti-virus, anti-spyware, anti-rootkit, social networking protection, identity protection and LinkScanner; chatting and downloading comprising shield for safe chatting and online shield for safe downloading. AVG sales were down double digits in 2015, but consensus expects a rebound for 2016. Still a significant miss in the most recent quarter has AVG trading at the lowest sales multiple of the group at 2.4x trailing. We would not be tempted.
Qualys (QLYS) provides cloud security and compliance solutions using a SaaS model. It’s flagship product is the Qualysguard cloud suite of solutions that includes vulnerability management, policy compliance, PCI compliance, web application scanning, malware detection, web application firewall, and website security testing. Qualys also offers both physical and virtual remote scanning appliances. The company has a number of partnerships to sell its products along with other security names like Symantec, Verisign, F5 Networks, and Imperva. It also has deals with integrators, managed service providers, and consultants like CA, HP, IBM, Dell, Verizon, and Accenture. Analysts expect Qualys to pick up the pace of its sales growth from 20% for 2016 to nearly 22% over the next 3 years, a scenario that we find unlikely.