
Page 1: Enterprise Endpoint Security - Oppenheimer.comfa.opco.com/thesouthgroup/mediahandler/media/28448/Enterprise e… · We analyzed breach data categorized into four different breeds

EQUITY RESEARCH

INDUSTRY UPDATE

Oppenheimer & Co Inc. 85 Broad Street, New York, NY 10004 Tel: 800-221-5588 Fax: 212-667-8229

Shaul Eyal, 212-667-8411, [email protected]

Tanner Hoban, 212-667-6142, [email protected]

Disseminated: January 19, 2017 06:00 EST; Produced: January 18, 2017 17:18 EST

For analyst certification and important disclosures, see the Disclosure Appendix.

January 19, 2017

TECHNOLOGY/INFRASTRUCTURE SOFTWARE

Enterprise Endpoint Security

Ending a Three-Decade Tradition

SUMMARY

The number of users on the Internet has increased more than a thousand-fold since 1990, but security technology on the endpoint has hardly ventured away from traditional antivirus programs. Catching and mitigating known malware may have been effective when endpoints were less ubiquitous and cyber-attacks were relatively elementary; however, signature-based methods are gradually becoming less relevant in a quickly changing threat environment. "Next-generation endpoint" technology such as artificial intelligence (AI) is gaining mindshare from both organizations and assurance programs, potentially leading to a transition away from conventional antivirus software. As malware authors continue to develop more disruptive threats and plan attacks around lucrative extortion strategies, we believe the risk of staying with less-effective solutions will soon outweigh the perceived safety of the familiar choice, and buyers will move to a dynamic endpoint platform. We believe security budgets, driven by high-cost attacks, the constant movement of data, and compliance changes, will be eyeing next-generation endpoint vendors.

KEY POINTS

■ The threat environment is more disruptive, costly, and complex, and antivirus is losing the fight. Over the past three decades, threat actors have evolved from practical jokers to activists to full-time profit-driven criminals, and the attacks reflect more drive and willingness to take risks. Cyber criminals are resorting to more targeted attacks to increase success rates (spear-phishing campaigns increased 55% in 2015), using more extortion techniques (ransomware attacks increased 35% in 2015), and actors are winning the war (incidents increased 38% in 2015). The cost paid per record stolen increased from $145 in 2014 to $154 in 2015, or up 6%. According to Dell, 95% of successful attacks begin at the endpoint because it is easier to trick an employee than to exploit an organization's network. Traditional endpoint security solutions are becoming easier to circumvent using malware construction kits and complex malware, such as memory-based attacks. Per Symantec, antivirus catches only 45% of cyber-attacks. We believe organizations will need to adopt more advanced endpoint technologies beyond conventional signature-based antivirus, such as machine learning/AI and memory protection, to prevent these increasingly complex attacks.

■ The European Union General Data Protection Regulation (EU GDPR) could drive growth in data security and advanced endpoint products. EU GDPR is a regulation, not a directive: it replaces the 1995 Data Protection Directive, applies directly in every member state, and significantly strengthens data protection law for people in the EU. We believe the new regulation will expand security budgets and focus investments in data security and advanced endpoint products. We estimate the initiative will increase endpoint security spending by $300 million over the next few years.

■ Product integration is an important feature as organizations consolidate vendors. The endpoint security market is a fragmented market; however, we see the integration between compliance-required components as a major selling point for organizations, particularly those understaffed with security personnel. We expect incumbents to benefit most from the endpoint transition.

■ Bottom Line: We believe the antivirus is becoming less relevant. We expect security budget investments to focus on heightening data security and next-generation endpoint products, particularly those incorporating AI. We estimate the enterprise endpoint protection platform TAM to increase to ~$4.7B by 2020 with a five-year CAGR of 5.2%.


Contents

ENDING A THREE-DECADE TRADITION
  THROUGH THE MIND OF THE THREAT ACTOR 101
SECURING THE ENDPOINT
  THE PAST
  THE PRESENT
  THE FUTURE
PUBLIC COMPANIES
  CHKP
  CYBR
  FEYE
  FTNT
  PANW
  SYMC
  VRNT
  ADDITIONAL NOT COVERED COMPANIES
PRIVATE COMPANIES
  AVAST
  BROMIUM
  CARBON BLACK
  CROWDSTRIKE
  CYBEREASON
  CYLANCE
  DEEP INSTINCT
  DIGITAL GUARDIAN
  LIGHTCYBER
  SENTINELONE
  TANIUM


Exhibit 1: Record Breaches Point to a Need for Stronger Data Security

Report: 2016 Ponemon Institute Cost of a Data Breach Study
  Statistic: The average cost paid for each stolen record with sensitive information increased from $145 in 2014 to $154 in 2015, or up 6%.

Report: 2016 Symantec Internet Security Threat Report
  Statistic: The number of zero-day vulnerabilities in major applications rose 125%.
  Statistic: The number of spear-phishing campaigns increased 55% in 2015.
  Statistic: The number of ransomware attacks increased 35% in 2015.

Report: 2016 PWC Global State of Information Security Report
  Statistic: Approximately 38% more security incidents occurred in 2015 than in 2014.
  Statistic: The number of incidents attributed to employees or business partners increased 22% YoY.

Report: ITRC Data Breach Report - 2015 Year-End Totals
  Statistic: The number of publicly announced U.S. data breaches from hacking incidents reached 227 in 2014 and 295 in 2015, or up 30%.

Source: Ponemon Institute, Symantec, PWC, ITRC, Oppenheimer & Co.

Ending a Three-Decade Tradition

The architecture of network infrastructures and endpoints has changed significantly over the past couple of decades. Relative to the technology of today, an infrastructure before cloud services and virtualization was easier to manage and maintain, and the threat environment used similar themes but simpler methods and weaker motivation. Endpoints primarily consisted of in-office desktops and on-premise servers before the adoption of the cloud and desktop virtualization, which allowed users to reach the network from other, vulnerable computers outside it. As technology progressed with a focus on productivity, the network map expanded and the web of connected devices became complex. As the network becomes more abstracted, we believe security solutions are approaching cyber threats with a number of new methods that have yet to be adopted, though only a few will disrupt legacy solutions given the constraints of IT budgets, compliance standards, and the future of the threat environment. Today, robust infrastructure technology continues to gain adoption while introducing an expanded attack surface that is more exposed to modern cyber-attack techniques. Many organizations are either using legacy technology or are not taking appropriate precautionary measures to secure their network, and as a result breach statistics climb year after year.

The heightened number of data breaches can be attributed to the following: 1) administrators are too comfortable with outdated security technology; 2) existing effective solutions may not fit within budget; 3) implementing a new feature could require a time-consuming redesign or reconfiguration of the network that could ultimately expose the organization to another vector of risk. Implementing a very highly effective (near 100%) security stack requires resources and funds that are often tightly restricted in IT departments. According to CyberEdge Group, 76% of organizations were breached in 2015. Experiencing a cyber-attack is not an anomaly; it is practically the status quo. Before the growth of cloud-based security services, enterprises invested in security appliances for specific security features that could be outdated within a few years, ultimately preventing an organization from adopting up-to-date infrastructure technology. We believe the last pulse of spending on network appliances, in 1H15, has given way to investment in point solutions such as endpoint and email, hence the trend toward subscription products. We visualized this shift by analyzing the growth in subscription services and comparing it to the growth in appliance/product offerings (Subscription Services, July 21, 2016).


Endpoint security technology has been trailing the progress of the threat environment, as well as some other security technology, because security spending has prioritized compliance requirements and protection of the data center's core. According to Dell, 95% of successful attacks begin at the endpoint. With the development of AI features, we are beginning to see a transition from traditional AV products to advanced algorithm-based endpoint threat protection. We believe the AI trend is progressing through its adoption phase, considering the recent acceptance by assurance programs and the innovation by some incumbents. We find that many factors, such as the lack of information security talent and the requirements of compliance programs, are driving the need for certain functionality, for instance integration between security products and automated responses. Although today it usually exists only as a partnership between endpoint point-solution vendors and network vendors, communication between a network's NGFW/UTM and its endpoint platform would be the ideal immediate reaction: an infection detected on one host can be turned into a block rule that keeps the attacker from re-entering the network through a different entry point.

Signature-based antivirus (AV) is still required by compliance programs despite its proven shortcomings (Symantec estimates AV prevents 45% of malware), but AV "replacements" are beginning to be accepted. Given the flexibility of the cloud, we believe an as-a-service endpoint security solution is the most plausible opportunity for security vendors in the arena and one of the best (and easiest) ways for organizations to add endpoint security to their portfolio. We envision solutions that fit within compliance requirements yet proactively prevent threat actors from causing disruption, rather than reactively detecting malware in its tracks. We believe these drivers and recent market developments indicate the need to augment endpoint security in the coming years, and that the next-generation endpoint will need to replace legacy signature-based solutions across all verticals to prevent the next generation of attacks.

Through the Mind of the Threat Actor 101

Understanding security from the perspective of the threat actor helps explain where security spending is headed. Some of the resources attackers rely on most today did not exist until the past decade, and they have had a profound impact on the modern threat environment. Today, attackers often operate on the darknet: overlay networks such as Tor, whose hidden services cannot be reached from an ordinary browser without the Tor client. (The term "Deep Web" is often used interchangeably, but strictly it means any content not indexed by search engines; the darknet is the deliberately hidden subset.) Users can reach the darknet easily and with a strong degree of anonymity, because traffic is encrypted in layers and relayed through a circuit of volunteer nodes so that no single relay sees both the source and the destination, which makes it a platform well suited to illegal activity. When the darknet first began to take shape in the early 2000s, it opened up opportunities for threat actors to share malware and attack strategies. However, threat actors saw the real value of the darknet when the decentralized cryptocurrency Bitcoin arrived (the white paper was published in 2008 and the network launched in 2009). Bitcoin's blockchain is a public, cryptographically chained ledger of every transaction: it secures payments without a bank, but it does not make the parties anonymous. Addresses are pseudonymous, and because the ledger is public, payments can be traced from address to address. What Bitcoin gives an attacker is a way to be paid without revealing a name or a bank account; exchanges with weak identity checks, mixing services, and privacy-focused coins such as Monero are what they lean on to break the link to a real identity. Together, the darknet and cryptocurrencies started the revolution of modern-day threat-actor occupations.

We analyzed breach data categorized into four breeds, divided by intent: hacktivism, cybercrime, cyber espionage, and cyber warfare. Each breed has existed for roughly as long as the others, but the mix has shifted. Hacktivism accounted for the majority of high-profile cyber-attacks before 2012, such as the attacks by Anonymous and LulzSec; however, cybercrime (profit-driven cyber-mercenaries) eventually spiked to over 80% of today's cyber-attacks. We believe this spike was driven primarily by the widespread adoption of Bitcoin. Around this time, threat-actor occupations began to take shape as hackers experimented with ways to profit from their skills. Today, extortion techniques (such as ransomware and DDoS attacks) are most popular among cybercriminals and are used to extract payment in Bitcoin from the user or organization. Because the darknet hides the IP addresses of both parties, threat actors can also profit by selling data or exploits on the black market, or by performing as-a-service cyberattacks in return for Bitcoin or other cryptocurrencies such as Monero.

Exhibit 2: XBT/USD and the Motivations Behind Cyber-attacks

[Chart: USD per Bitcoin ($0 to $1,400) plotted against the share of all attacks attributed to cybercrime, hacktivism, cyber espionage and cyber warfare (0% to 90%), 2012 through 2016.]

Source: Hackmageddon.com, Coinbase.com, Oppenheimer & Co. research

Throughout the history of cyber-attacks, attack objectives have shifted in priority (now mostly profit-driven), and the techniques within each breed have changed tremendously. In the 1990s the objective of a cyber-attack was more often vandalism or advertising than the extortion-driven techniques we see today. When a device was infected with 1990s malware (a virus or adware), the symptom was usually a disfigured or slow operating system in the case of a virus, or a flood of pop-ups in the case of adware. Profit-driven threat actors of that era used adware, which eventually evolved into keylogging and the use of a victim's data to target advertising at his or her interests (spyware).

After AV software started to advance in the early 2000s, attackers began focusing on alternative strategies. DDoS attacks continued to develop (today there are over 40 different types), and advanced persistent threat (APT) techniques led to an increase in data dumps. Industrial control systems (ICS) became a major target for potential destruction by nation-states. Cyber criminals continued to use spyware/adware for profit, as well as scams and trade (e.g., selling botnets) paid for in early forms of electronic money such as e-gold.

When the darknet and cryptocurrencies began to join forces around 2010, black-market activity involving malware and black-hat-as-a-service offerings opened up a world of opportunity for cyber criminals. Data dumps, DDoS attack services, zero-day exploits, botnets, and spam email services became lucrative for threat actors, driving a rise in cyber-criminal activity that reused hacktivism's old techniques. Today, cyber criminals have mastered extortion methods such as ransomware and DDoS while hiding behind cryptocurrency's pseudonymous payment rails. New derivatives of cyber-extortion continue to evolve, such as ransomware on personal devices (including the iOS platform) and pyramid-scheme ransomware, which offers a victim a free decryption key for infecting others. The threat environment is also seeing more use of IoT devices as nodes in botnets that launch large-scale DDoS attacks. Threats have also become more complex and have developed new breeds. For example, memory-based (fileless) attacks such as reflective memory injection (RMI), better known as reflective DLL injection, load malicious code directly into the memory of a running process, without writing an executable to disk and without going through the operating system's normal loader. An AV engine that scans files therefore has no artifact to hash or pattern-match, and the injected stage is free to download further payloads from the Internet. Memory-based attacks are a serious threat to organizations (potentially delivering ransomware) because they routinely bypass traditional AV programs; countering them requires inspecting process memory and behavior rather than files.

We believe extortion will continue to hit both enterprises and consumers, primarily by entering the network through its most vulnerable points: the endpoints and their users. The advance of productivity technology may continue to expand organizations' attack surfaces. For example, the cloud could be a vulnerability from a data security perspective, since rogue employees and business partners can exfiltrate information more easily (as seen in PwC's statistic on the increase in "inside job" incidents). Early adoption of newer infrastructure technology (such as containerization) could expose zero-day exploit opportunities. BYOD (bring your own device) policies and IoT are expanding, meaning careless use of personal devices could threaten an organization and require stricter mobile device management. In addition, mobile malware is increasing, giving attackers more opportunities to reach an organization's network through mobile devices. As wireless LAN advances (802.11ac Wave 2) and becomes more widely adopted in the enterprise, attackers could intercept unencrypted traffic or exploit IoT connections. All in all, we believe the endpoint and its users remain the Achilles' heel of an organization's network.

Securing the Endpoint

The Past

Throughout the history of endpoint security, remediation strategies did not advance significantly from their creation in 1987 until the late 2000s. When malware began infecting computers in the 1980s, organizations needed a solution that could remove a virus without completely rebuilding the computer's operating system. John McAfee's VirusScan, released in 1987, was among the first antivirus (AV) products; it automated the "cure" for an infected computer and detected malware against a database of file signatures. A signature is a "stamp" created by the security company and used as a reference in determining whether a file contains malicious code. Security companies generate a signature from certain criteria (e.g., a distinctive sequence of bytes at a known offset) or from a cryptographic hash of the whole file. The scanner computes the same hash (or searches for the same byte pattern) in each file it examines and compares the result against the database; on a match, the file is quarantined or blocked from executing. Because AV proved effective against the malware of the day, it became a "must have" for organizations that needed to reactively detect malware on endpoints, to the extent that the AV market had near 100% penetration by the early 2000s. According to Gartner in 2006, the TAM for AV (including antispyware, and both consumer and enterprise) was approximately $4.0B in 2005. As of 2015, organizations and consumers buy AV as part of endpoint protection platforms ($3.6B) and consumer security software ($5.2B).


Exhibit 3: Timeline of Threats and Security Solutions

Source: Ponemon Institute, Symantec, PWC, ITRC, Oppenheimer & Co.

The positive view of AV programs is how effective they are at preventing known malware, which makes up a large portion of attacks. For this reason, many compliance programs require AV in their standards. However, malware authors continued to be creative in developing malware that would bypass any protection layer. Attackers could use construction kits that auto-generate malware from old techniques, tweaked just enough to change the signature of the virus. While a majority of attacks were prevented, unique malware undetected by AV programs could still find its way onto an endpoint or into a network. In the early 2000s, antispyware software was created to prevent keylogging, adware, and system monitoring. A few years after the adoption of antispyware programs, security companies started bundling antispyware, AV, intrusion prevention systems (IPS), network access control, and personal firewalls into their endpoint security platforms. We believe this is when the AV market started to mature and the product became a commodity. Even packaged together (as an endpoint security "platform"), the solution still had major flaws. For example, the software typically received new signatures weekly; any endpoint whose software had not been updated since a new virus began spreading could still be infected, and so could any endpoint the virus reached before the vendor had written a signature for it.
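The following is an added example, not code from the Oppenheimer report or from any vendor it names. It models in a few dozen lines the three points made above and in the memory-based-attack passage earlier: how a hash signature and a byte-pattern signature are generated and checked, why a construction-kit repack defeats the hash signature while the pattern still fires, why an encoded (polymorphic) variant defeats both, and why a file scanner never sees a fileless payload that a memory scanner would. The sample bytes, signature names, the `STUB:` marker and the process-image dictionary are all constructed for the demonstration; the payload is an inert string, not working malware.

```python
import hashlib
import re

# Constructed, inert "malware" bytes: a fake header, padding, and the kind of
# command string an analyst would pick as a byte pattern. Not real malicious code.
PAYLOAD = b"cmd.exe /c vssadmin delete shadows /all /quiet"
KNOWN_SAMPLE = b"MZ\x90\x00" + b"\x00" * 8 + PAYLOAD + b"\x00" * 8


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Assumed database layout: exact-file hashes plus byte-pattern rules.
SIGNATURE_DB = {
    "hashes": {sha256_hex(KNOWN_SAMPLE): "Ransom.Demo.A (hash)"},
    "patterns": [
        (re.compile(re.escape(b"vssadmin delete shadows")), "Ransom.Demo.A (pattern)"),
    ],
}


def scan_bytes(data: bytes, db=SIGNATURE_DB):
    """Signature scan of one blob: hash lookup first, then byte patterns.
    Returns the matching signature name, or None if nothing matched."""
    name = db["hashes"].get(sha256_hex(data))
    if name:
        return name
    for pattern, name in db["patterns"]:
        if pattern.search(data):
            return name
    return None


def kit_repack(sample: bytes, junk: bytes = b"\x90" * 16) -> bytes:
    """Construction-kit style tweak: append junk so the file hash changes
    while the behaviour (and the tell-tale command string) stays the same."""
    return sample + junk


STUB = b"STUB:"  # constructed marker standing in for a small decoder stub


def kit_encode(sample: bytes, key: int = 0x5A) -> bytes:
    """Polymorphic variant: XOR-encode the whole body behind the stub, so no
    plaintext pattern remains in the file on disk."""
    return STUB + bytes(b ^ key for b in sample)


def decode(encoded: bytes, key: int = 0x5A) -> bytes:
    """What the stub does at run time: restore the original body."""
    return bytes(b ^ key for b in encoded[len(STUB):])


def scan_disk(files: dict, db=SIGNATURE_DB) -> dict:
    """A file-scanning AV's view: one verdict per on-disk path."""
    return {path: scan_bytes(data, db) for path, data in files.items()}


def fileless_run(encoded: bytes) -> dict:
    """Model of a reflective / in-memory loader: the decoded payload exists
    only inside a process image; nothing is written to disk."""
    return {"pid": 4242, "disk_files": {}, "memory": decode(encoded)}


def scan_process_memory(proc: dict, db=SIGNATURE_DB):
    """A memory scanner sees the decoded body and can match it again."""
    return scan_bytes(proc["memory"], db)


if __name__ == "__main__":
    print("known sample on disk   :", scan_bytes(KNOWN_SAMPLE))
    print("kit-repacked on disk   :", scan_bytes(kit_repack(KNOWN_SAMPLE)))
    print("kit-encoded on disk    :", scan_bytes(kit_encode(KNOWN_SAMPLE)))
    proc = fileless_run(kit_encode(KNOWN_SAMPLE))
    print("fileless, disk view    :", scan_disk(proc["disk_files"]))
    print("fileless, memory view  :", scan_process_memory(proc))
```

Run as a script it prints the five verdicts in order: the known sample hits the hash signature, the repacked copy misses the hash but hits the pattern, the encoded copy hits nothing, the fileless process shows an empty disk view, and the memory view hits the hash signature again because the decoded body is byte-identical to the original. The practical lesson is the one the report draws: a hash signature is only as durable as the exact bytes, a pattern survives trivial repacks but not encoding, and any defence that only looks at files is blind to what runs in memory.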

The back half of the 2000s brought a considerable number of disruptive technologies that began the expansion of the network map. Amazon Web Services (AWS) began offering EC2 instances in 2006, the first compute-as-a-service product to disrupt the infrastructure hardware and virtualization environment. Apple introduced the first iPhone in 2007, which revolutionized the mobile platform. In 2007-2008, VMware and Citrix began marketing virtual desktop infrastructure (VDI), enabling work-from-home policies. Security vendors began launching additional features around 2008, when antivirus vendors started offering endpoint platforms that included behavior-based analysis, host intrusion prevention systems (HIPS), genetic heuristics, data loss prevention (DLP), application control, and sandboxing techniques that protect endpoints from more advanced zero-day threats. However, the progress of security technology was still lagging behind the growing concern about the threat environment.

We believe Gartner's 2010 Magic Quadrant for Endpoint Protection Platforms article highlights this period accurately: "As far back as 2004, we have been saying that enterprise anti-malware vendors are falling behind in dealing with the current security threats. This year, they have fallen even further behind. Test after test has illustrated that current solutions are less than 50% effective at detecting new variations of existing threats and much worse at detecting targeted or low-volume threats, although testing methodologies have also not kept pace with changing Enterprise Protection Platform (EPP) suite capabilities."

Exhibit 4: Number of Reported High-Profile Breaches from Hacking or Malware in the US

Source: Privacy Rights, Oppenheimer & Co.

From 2007 until 2012, enterprise endpoint solutions grew at a CAGR of 2.8% compared to a high single-digit CAGR for information security overall. We believe endpoint security growth was held back by the weak economy as well as by commoditization of products, which led to price competition. Recall that around this time threats were shifting toward the advanced persistent threat (APT) theme popular among hacktivists and some cyber criminals; however, the endpoint security stack remained mostly unchanged. We believe organizations' security spending was focused on network security (i.e., the introduction of next-generation firewalls) and more advanced threat detection solutions, because proactively preventive solutions were only beginning to develop. Some endpoint vendors applied existing advanced methods to prevent zero-day exploits (such as sandboxing) and were effective against many unknown attacks, but threat actors found ways around the detour. For example, a sandbox detonates a suspicious file in an instrumented virtual machine and observes its behavior before the file is allowed to reach the endpoint; malware authors responded by building delays into their exploits, so that the sample stays dormant for longer than the sandbox's analysis window and only acts once it reaches a real user's machine. Today, many sandbox products counter delayed execution (for instance by fast-forwarding the clock the sample sees) and other evasions of traditional sandboxing. We believe sandboxing fits comfortably into some security portfolios, though the method can impact throughput and speed.
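The sandbox-evasion exchange described above, as an added example that is not part of the original report and does not model any named vendor's sandbox: a simulated sandbox hands each sample a clock it controls. A delayed sample loops on sleep until ten minutes have passed; a plain sandbox with a two-minute budget runs out of time and sees nothing, while a sandbox that fast-forwards the sample's clock (the sleep-patching countermeasure) sees the same sample detonate at once. The sample classes, the 600-second dormancy, the 120-second budget and the two behavioral markers used by `classify` are all assumptions made for the demonstration; the samples only record the actions they would take.

```python
class AnalysisTimeout(Exception):
    """Raised when the sandbox's analysis budget is exhausted."""


class SandboxClock:
    """Simulated wall clock handed to the sample (constructed for this example).

    budget        seconds of real analysis time the sandbox is willing to spend
    fast_forward  if True, a sleep advances the time the sample sees without
                  consuming budget: the 'sleep patching' countermeasure
    """

    def __init__(self, budget: float, fast_forward: bool = False):
        self.t = 0.0          # time as seen by the sample
        self.spent = 0.0      # real analysis time used so far
        self.budget = budget
        self.fast_forward = fast_forward

    def now(self) -> float:
        return self.t

    def sleep(self, seconds: float) -> None:
        self.t += seconds
        if not self.fast_forward:
            self.spent += seconds
            if self.spent > self.budget:
                raise AnalysisTimeout()


class PromptSample:
    """Constructed stand-in that detonates immediately: the easy case."""

    def __init__(self, clock: SandboxClock):
        self.clock = clock
        self.actions = []

    def run(self) -> None:
        self.actions.append("exec: vssadmin delete shadows /all /quiet")
        self.actions.append("file_write: report.docx.encrypted")


class DelayedSample(PromptSample):
    """Sleeps in a loop until DORMANT_SECONDS have elapsed, then behaves like
    PromptSample. Re-checking the clock each pass means skipping a single
    sleep call would not wake it early; the clock itself has to move."""

    DORMANT_SECONDS = 600.0  # assumed: longer than the analysis window

    def run(self) -> None:
        start = self.clock.now()
        while self.clock.now() - start < self.DORMANT_SECONDS:
            self.clock.sleep(30.0)
        super().run()


SUSPICIOUS = ("vssadmin delete shadows", ".encrypted")  # assumed markers


def classify(actions) -> str:
    """Behavioral verdict over the recorded actions."""
    hits = [a for a in actions if any(marker in a for marker in SUSPICIOUS)]
    return "malicious" if hits else "no malicious behaviour observed"


def detonate(sample_class, budget: float = 120.0, fast_forward: bool = False) -> str:
    """Run one sample under the sandbox and return the verdict."""
    clock = SandboxClock(budget, fast_forward)
    sample = sample_class(clock)
    try:
        sample.run()
    except AnalysisTimeout:
        pass  # analysis window expired; judge whatever was observed
    return classify(sample.actions)


if __name__ == "__main__":
    print("prompt sample, plain sandbox   :", detonate(PromptSample))
    print("delayed sample, plain sandbox  :", detonate(DelayedSample))
    print("delayed sample, fast-forwarded :", detonate(DelayedSample, fast_forward=True))
```

The plain sandbox reports the delayed sample as clean after spending its whole budget watching it sleep; the fast-forwarded sandbox reaches the same verdict as it does for the prompt sample. The caveat a practitioner should keep in mind is that fast-forwarding is itself observable: a sample that compares the sleep-elapsed time against a second source (a hardware tick counter, or a clock fetched from the network) can notice that time jumped, which is why the report notes that sandbox vendors keep having to close further evasions.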

After security vendors started bundling endpoint security solutions into a "platform," the endpoint security stack remained undisrupted until the introduction of next-generation endpoint solutions in the early 2010s, with technologies from vendors such as Cylance (founded in 2012) and SentinelOne (founded in 2013). The techniques behind next-generation endpoint products differ from vendor to vendor but usually involve some advanced machine learning method, such as behavior-based detection and/or a mathematical, model-based approach to classifying files in place of signatures. Machine learning products can be effective in preventing unknown malware, but the methods are still being adopted. Apart from some incumbent vendors that have recently implemented machine learning in their endpoint solutions (e.g., Palo Alto Networks and Symantec), machine learning endpoint security offerings are only beginning to be fully integrated/bundled with the other necessary endpoint components such as DLP and encryption. A number of factors affect adoption, such as compliance requirements and integration with the endpoint platform, though we have seen progress over the past year. We believe this progress marks the beginning of the expansion phase for machine learning and artificial intelligence in endpoint security products.

Since 1987, or for almost 30 years, enterprises have been using signature-based AV to prevent malware from infecting endpoints and spreading into the network. According to Symantec in 2014, traditional signature-based AV software catches only 45% of malware attacks. Given the combination of the scare from high-profile breaches, the changing compliance environment, and convoluted infrastructures, we believe we will see traditional AV products replaced by next-generation endpoint security products in the next few years. Over time, the cost of a breach will exceed the cost of upgrading the organization’s endpoint security platform. Because of 2016’s point solution spending trends (as-a-service, identity, etc.), we feel next-generation endpoint technology is adoption-ready.

The Present

Organizations can approach the next generation of endpoint security using a number of techniques and stack on many complementary solutions. Despite the different methods, the reality of the end goal for endpoint security is to prevent all malware, and when that is unsuccessful, detect it as quickly as possible before any malicious activity occurs. Below we analyze the typical solutions in the endpoint security stack:

Antivirus – AV software typically extracts a signature from a file (a hash or byte pattern) as a fingerprint to look up in a database of known malicious signatures. AV software is a nearly 30-year-old technology that is still used today due to requirements by many compliance standards. While antivirus has been effective in preventing known malware, it is not reliable on its own. Symantec mentioned in 2014 that AV software can detect only 45% of malware attacks. Traditionally, an AV program needed to update on a weekly basis to bring its signature database up to date; today, however, most AV programs are cloud-based and can provide real-time updates. This does not stop attackers from remaining undetected: a sample whose signature is not yet in the database is not caught. We feel confident that the rise of the next-generation technology will eventually replace legacy signature-based methods.

Antispyware/Anti-adware – Spyware and adware were some of the first methods for threat actors to profit from malware distribution. Antispyware uses similar signature-based techniques as AV, which ultimately led to the bundling of these security technologies. We feel these legacy solutions will join AV and eventually be replaced by next-generation security technology.

Intrusion Prevention Systems – Host-based intrusion prevention systems (HIPS) intercept activity occurring on a single host and block anything that seems suspicious. Similar to a firewall, “suspicious” activity is defined by guidelines configured in the HIPS, such as the automatic disabling of AV scans or the installation of devices that run with elevated priority. While HIPS are very useful in preventing the most obvious attacks, many threats can be manipulated in a way that bypasses its simple rule structure. HIPS can also yield false positives. Despite some of these setbacks, we continue to see this protection method remaining important (either at the network level or the endpoint level), particularly in a virtual environment. This solution may not be offered by the endpoint security vendor but rather integrated in the operating system or virtualization software.


Data Loss Prevention – Data loss prevention (DLP) began to be offered as part of bundled endpoint security solutions around 2008. We believe data security will continue to be paramount in preventing the next generation of threats (such as ransomware and other data-related extortion themes), and DLP on the endpoint is well positioned to benefit from this trend by protecting sensitive data in use (DiU). DiU DLP solutions prevent data from being sent externally or internally (if compliance rules prohibit communication between Equity Research and Investment Banking, for example). DLP is required for some compliance standards such as PCI DSS and ISO 27001. IDC estimates the DLP market will grow at a CAGR of 7.9% from 2015 through 2020 ($1.14 billion market in 2020); endpoint DLP, however, is estimated to grow at a CAGR of 15.9% ($434 million in 2020). We continue to see this solution thriving with the changing compliance environment.
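As an added illustration of the data-in-use checks described above (example code written for this page, not any product's implementation), the following Python policy engine inspects constructed outbound messages for two of the cases the text names: primary account numbers that PCI DSS requires be protected, and a compliance barrier that blocks communication from Equity Research to Investment Banking. The mailboxes, the group directory, the rule names and the message bodies are all constructed for the example.

```python
import re

# Constructed directory mapping mailboxes to business groups (example data only).
GROUP_OF = {
    "analyst@example.com": "equity-research",
    "ib-desk@example.com": "investment-banking",
    "vendor@example.net": "external",
    "friend@example.org": "external",
}

# Ordered (sender group, recipient group) pairs that must not communicate; this
# encodes the page's Equity Research / Investment Banking example.
BARRIERS = {("equity-research", "investment-banking")}

# Card-number candidate: 13 to 19 digits, optionally separated by spaces or
# dashes, not embedded inside a longer digit run.
PAN_CANDIDATE = re.compile(r"(?<![\d])(?:\d[ -]?){12,18}\d(?![\d])")


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check that separates real account numbers from arbitrary digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(text: str) -> list:
    """Return masked account numbers found in text; only Luhn-valid candidates count."""
    found = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            found.append("*" * (len(digits) - 4) + digits[-4:])  # never log the full number
    return found


def inspect(msg: dict) -> dict:
    """Apply the data-in-use rules to one outbound message and return the decision."""
    reasons = []
    pans = find_pans(msg["body"])
    if pans:
        reasons.append("pci-pan:" + ",".join(pans))
    src = GROUP_OF.get(msg["from"], "unknown")
    dst = GROUP_OF.get(msg["to"], "unknown")
    if (src, dst) in BARRIERS:
        reasons.append(f"info-barrier:{src}->{dst}")
    return {"id": msg["id"], "action": "block" if reasons else "allow", "reasons": reasons}


def run_policy(messages: list) -> list:
    return [inspect(m) for m in messages]


# Constructed outbound messages (not from the report).
OUTBOUND = [
    {"id": 1, "from": "analyst@example.com", "to": "vendor@example.net",
     "body": "Invoice attached, PO 4471, thanks."},
    {"id": 2, "from": "analyst@example.com", "to": "friend@example.org",
     "body": "Use my card 4111 1111 1111 1111, exp 12/27"},
    {"id": 3, "from": "analyst@example.com", "to": "ib-desk@example.com",
     "body": "Draft of tomorrow's note, please keep confidential."},
    {"id": 4, "from": "analyst@example.com", "to": "vendor@example.net",
     "body": "Support ticket 1234567890123456 is still open."},
]

if __name__ == "__main__":
    for decision in run_policy(OUTBOUND):
        print(decision)
```

The Luhn check is what keeps message 4 (a sixteen-digit ticket number) from being blocked as a card number, which is the usual source of DLP false positives; the barrier rule is evaluated on group membership rather than on message content, so it blocks message 3 even though nothing sensitive appears in its body.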

Encryption – Also part of the data security family, encryption is a necessary function for protecting data and hiding sensitive information from malicious actors. Heightened supervision and regulatory demands are driving demand for encryption and key management solutions, such as the recent increase in oversight fines by FINRA and under HIPAA and the stricter data standards of the European Union General Data Protection Regulation (EU GDPR). Many next-generation endpoint security offerings are not stacked with encryption and key management solutions; however, we envision this solution as a key ingredient of a security portfolio, one that is also required by most compliance standards. We believe encryption will be a hurdle for smaller security vendors and one of the leading drivers for consolidation of next-generation endpoint security startups. IDC estimated the endpoint encryption and key management TAM to be approximately $2.0 billion by 2020 with a 2015-2020 CAGR of 9.7%.

Exhibit 5: Stricter Compliance Standards and Oversight Are Driving Spending in Encryption

Source: IDC, Oppenheimer & Co.

Firewall – The “personal” firewall on endpoints has been a necessary component of the overall platform; however, the product has been commoditized and will likely not be the selling point for many endpoint vendors (it is assumed to be present). We believe we will continue to see personal firewalls as an essential part of the endpoint security stack, but used most often with consumer endpoint security solutions.

Port and Device Control – Often a staple of the typical endpoint security platform, port and device control allows IT administrators to define rules on the type of devices that can be used on endpoints. For example, this prevents a rogue employee from using a USB flash drive to steal sensitive data. This solution will obviously not fade anytime soon, but it will remain an additive feature to endpoint security platforms.

Vulnerability Assessment – Vulnerability assessment (VA) is offered in many endpoint security stacks and is required by select compliance standards such as PCI DSS. VA solutions scan an endpoint machine for any misconfiguration or out-of-date application that could be vulnerable to a known threat, and often integrate with a network access control platform to remediate the problem. VA is a mature market for desktops and laptops and is becoming easier to manage thanks to the growing adoption of containerization; however, VA on mobile and IoT is emerging and could play a major role in advanced endpoint protection solutions.

Application Control – With the number of Web 2.0 applications accessible to careless employees, IT administrators need a product that can limit or restrict access to applications that could pose a risk to the organization. Application control can often provide this at a granular level. This can be incorporated in secure web gateways alongside URL filtering, which we see becoming more integrated (e.g., Symantec’s acquisition of Blue Coat). We continue to see application control as an important part of the stack given the growing trend of shadow IT, albeit offered on a cloud-based platform.

Mobile Security – On some endpoint platforms, mobile device management (MDM) solutions allow IT administrators to control the configuration of mobile devices and offer data protection capabilities such as file and disk encryption. BYOD policies are augmenting the use of personal devices on an organization’s network; however, the risk of careless or rogue employees could cause a data leak or a costly ransomware situation. Some mobile device platforms are considered very secure hosts, where malware is less likely to infect the device than it is a PC. Using the example of iOS (which we estimate to be approximately 20% of the global mobile platform installed base), we believe it is a more secure platform for the following reasons: 1) All applications are approved by Apple (AAPL), and very few applications with malware are approved; if malware is found, an identity is linked to the creator; 2) Because AAPL created every aspect of the phone, including the hardware and kernel, AAPL can patch exploits very quickly (which is not the case for most Android devices other than Pixel); 3) iOS applications are run in a sandbox; 4) The kernel of the device is based on a security-focused form of UNIX called BSD. Mobile security (on some devices) is already host-based, and these platforms have historically been less prone to malware; therefore, MDM solutions are more geared toward allowing administrators to configure mobile devices, ensuring they meet the organization’s standards. On the other hand, threat actors are increasingly finding exploits on mobile systems. According to Symantec, in 2015, 528 (+214% YoY) vulnerabilities were found on mobile platforms. Organizations have focused their mobile security attention on establishing a password to unlock the device and on data encryption; however, we expect the focus to pivot toward a more detect-and-respond platform as device management becomes commoditized. Many endpoint security vendors do not offer any form of mobile security or integrate their mobile offering with the endpoint platform. We envision MDM joining endpoint security platforms, driven by the ongoing adoption of BYOD policies and the value-added aspect of MDM to an endpoint pipeline.

Sandboxing – Sandboxing is the emulation of an endpoint environment that opens files (e.g., PDFs) and detects any abnormal activity resulting from their execution. The software can then prevent the file from reaching the endpoint, or strip the malicious content from the file so that it can still reach its destination. Sandboxing is a way to keep unknown zero-day exploits out of the enterprise after a file has passed through the AV programs. However, the use of sandboxing does have some problems, such as attacks complex enough to work around the sandbox, as well as the delay before the file reaches its end destination. Although processing power may be a constraint when using sandboxing techniques, the cloud may be a viable option. We believe sandboxing is an effective method for preventing the next generation of attacks and will continue to gain share alongside the cloud market.
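To make the delay-trigger caveat concrete (both here and in the earlier history section, where delay functionality is named as the way sandboxes were bypassed and sleep-tolerant execution as the vendors' answer), the following Python simulation, written for this page and not taken from any sandbox product, models a sample as the ordered list of actions it would perform and compares a naive analyzer with a fixed wall-clock budget against one that skips sleeps by advancing a virtual clock. The traces, action scores, hosts, paths and the malicious threshold are constructed for the example; nothing here executes real code.

```python
from dataclasses import dataclass, field

# Behaviour weights for the actions an analyzer can observe (constructed scoring).
ACTION_SCORE = {
    "write_exe": 2,     # drops an executable
    "persist": 3,       # registers itself to start at boot
    "connect": 2,       # reaches out to a remote host
    "read_file": 0,
    "render": 0,
}
MALICIOUS_THRESHOLD = 4


@dataclass
class Verdict:
    label: str                 # "malicious" or "clean"
    score: int
    wall_seconds: float        # analysis time actually spent
    virtual_seconds: float     # time the sample believes has passed
    observed: list = field(default_factory=list)
    timed_out: bool = False    # budget ran out before the trace finished


def analyze(trace, budget_seconds: float, skip_sleeps: bool) -> Verdict:
    """Run a behaviour trace under a wall-clock budget.

    With skip_sleeps=False every sleep consumes real budget, so a long delay
    exhausts the analysis before the payload acts. With skip_sleeps=True the
    sleep returns at once while the virtual clock still advances, so
    time-gated behaviour executes and is observed.
    """
    wall = virtual = 0.0
    observed, score, timed_out = [], 0, False
    for action, arg in trace:
        if action == "sleep":
            if skip_sleeps:
                virtual += arg
                observed.append(("sleep-skipped", arg))
                continue
            if wall + arg > budget_seconds:
                timed_out = True          # budget exhausted while the sample slept
                break
            wall += arg
            virtual += arg
            continue
        wall += 0.01                      # nominal cost of executing one action
        observed.append((action, arg))
        score += ACTION_SCORE.get(action, 0)
    label = "malicious" if score >= MALICIOUS_THRESHOLD else "clean"
    return Verdict(label, score, round(wall, 2), virtual, observed, timed_out)


# Constructed traces (no real malware; the host and paths are placeholders).
DELAYED_SAMPLE = [
    ("sleep", 600),                            # ten-minute delay before acting
    ("write_exe", "C:\\Users\\Public\\svc.exe"),
    ("persist", "run-key-placeholder"),
    ("connect", "203.0.113.10:443"),
]
PROMPT_SAMPLE = [
    ("write_exe", "C:\\Users\\Public\\svc.exe"),
    ("connect", "203.0.113.10:443"),
]
BENIGN_DOCUMENT = [
    ("read_file", "quarterly-report.pdf"),
    ("sleep", 2),
    ("render", "page 1"),
]


def compare(trace, budget_seconds: float = 120.0) -> dict:
    """Verdicts from both analyzer modes for the same trace."""
    return {
        "naive": analyze(trace, budget_seconds, skip_sleeps=False),
        "sleep_skipping": analyze(trace, budget_seconds, skip_sleeps=True),
    }


if __name__ == "__main__":
    for name, trace in [("delayed", DELAYED_SAMPLE), ("prompt", PROMPT_SAMPLE),
                        ("benign", BENIGN_DOCUMENT)]:
        for mode, v in compare(trace).items():
            print(f"{name:8s} {mode:15s} {v.label:9s} score={v.score} "
                  f"wall={v.wall_seconds}s timed_out={v.timed_out}")
```

The naive analyzer returns "clean" for the delayed sample only because its budget ran out, which is why a sandbox verdict should carry the timed-out flag rather than a bare label; the sleep-skipping analyzer reaches the same verdict for the prompt sample and the benign document, so the change costs nothing on the cases that were already handled.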

Memory Protection – Memory-targeted attacks such as reflective memory injection (RMI) can be complicated and hard to detect. These types of attacks are commonly found in APTs and can easily be let through (effectively whitelisted) by security software because the code attacks kernel memory rather than the application code where exploits are most commonly executed. Memory protection prevents these complicated attacks from occurring by restricting certain processes from accessing memory. We believe memory attacks will continue to play a role in APTs as security technology prevents existing, less complicated attacks. Many endpoint platforms do not have advanced memory protection, although the operating system typically has incorporated basic memory protection functionality. We believe the shift to virtualization and containerization is a growing threat for memory-based attacks due to the agentless nature and isolation of memory.

AI – Artificial intelligence is a robust, holistic approach to endpoint security, and solutions have already come to fruition. The concept of AI can often be vague, with many different types (such as machine learning, deep learning, or machine intelligence), but it is already being used by many endpoint security vendors such as Cylance, SentinelOne, and Deep Instinct, as well as most incumbents such as Cisco, Symantec, FireEye, and Palo Alto Networks. The methods of use vary. For example, Cylance uses statistics to determine whether a file contains a virus by comparing the DNA of a file to millions of other known malware samples. SentinelOne uses a machine learning, behavior-based approach to detect sophisticated unknown attacks. Deep Instinct uses deep learning that automatically extracts and breaks down millions of endpoint datasets to predict attacks before they occur. We believe the algorithmic concept of AI will likely be the future in preventing sophisticated zero-day attacks such as ransomware, as well as in immediately responding to breaches that occur. Although different types/techniques of AI can be embedded on a number of endpoint platforms, we believe automated response will be the future of security. AI endpoint solutions are quickly being adopted, as seen by the number of compliance programs accepting them as a replacement for AV. We envision algorithmic techniques gaining solid traction in the coming years as the offerings begin to integrate with other endpoint and network security products.
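The contrast between the signature lookup described under Antivirus above and the statistical approach described here can be shown in a few dozen lines. The following Python, written for this page (it is not any vendor's model or code), builds a constructed corpus in which random bytes stand in for packed executable bodies and repetitive text stands in for documents, runs a hash-and-byte-pattern scanner against a known sample and a re-encoded variant of it, and then trains a two-feature logistic regression (byte entropy and printable fraction) that classifies the variant by its statistical profile rather than by an exact match. All samples, the stub header, the feature choice and the decision threshold are constructed for the example, and a production classifier would use far more features than two.

```python
import hashlib
import math
import random

rng = random.Random(20170119)   # fixed seed: the constructed corpus is reproducible
STUB_HEADER = b"MZ\x90\x00"     # constructed stub so every sample shares a file type


def packed_body(n: int) -> bytes:
    """High-entropy bytes standing in for an encrypted or packed payload (no real code)."""
    return bytes(rng.getrandbits(8) for _ in range(n))


def text_body(n: int) -> bytes:
    """Low-entropy bytes standing in for a document or script."""
    words = [b"report ", b"quarter ", b"endpoint ", b"policy ", b"review ", b"budget\n"]
    out = b""
    while len(out) < n:
        out += rng.choice(words)
    return out[:n]


class SignatureScanner:
    """Exact-match detection: SHA-256 of known samples plus their leading bytes."""

    def __init__(self, known_samples):
        self.hashes = {hashlib.sha256(s).hexdigest() for s in known_samples}
        self.patterns = [s[:40] for s in known_samples]

    def scan(self, data: bytes) -> str:
        if hashlib.sha256(data).hexdigest() in self.hashes:
            return "hash-match"
        if any(p in data for p in self.patterns):
            return "pattern-match"
        return "clean"


def entropy_bits(data: bytes) -> float:
    """Shannon entropy per byte; packed or encrypted content sits near 8 bits."""
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def features(data: bytes) -> list:
    """Two statistical features scaled to [0, 1]: entropy and printable fraction."""
    printable = sum(32 <= b < 127 or b in (9, 10, 13) for b in data) / len(data)
    return [entropy_bits(data) / 8.0, printable]


class LogisticClassifier:
    """Minimal logistic regression trained by batch gradient descent on log-loss."""

    def __init__(self):
        self.w, self.b = [0.0, 0.0], 0.0

    def _prob(self, x) -> float:
        z = self.w[0] * x[0] + self.w[1] * x[1] + self.b
        z = max(-60.0, min(60.0, z))           # keep exp() in range
        return 1.0 / (1.0 + math.exp(-z))

    def fit(self, xs, ys, lr: float = 1.0, steps: int = 2000):
        n = len(xs)
        for _ in range(steps):
            gw, gb = [0.0, 0.0], 0.0
            for x, y in zip(xs, ys):
                err = self._prob(x) - y
                gw[0] += err * x[0]
                gw[1] += err * x[1]
                gb += err
            self.w = [self.w[i] - lr * gw[i] / n for i in range(2)]
            self.b -= lr * gb / n

    def predict(self, data: bytes) -> str:
        return "malicious" if self._prob(features(data)) >= 0.5 else "clean"


# Constructed corpus: eight "packed" and eight "document" samples for training.
MALICIOUS_TRAIN = [STUB_HEADER + packed_body(rng.randint(800, 3000)) for _ in range(8)]
BENIGN_TRAIN = [STUB_HEADER + text_body(rng.randint(800, 3000)) for _ in range(8)]
KNOWN_MALWARE = MALICIOUS_TRAIN[0]
# Re-packed variant: the body is re-encoded with a different key, so neither the
# hash nor the leading bytes survive, but its statistical profile is unchanged.
VARIANT = STUB_HEADER + bytes(b ^ 0x5A for b in KNOWN_MALWARE[len(STUB_HEADER):])
NEW_DOCUMENT = STUB_HEADER + text_body(1500)

SCANNER = SignatureScanner([KNOWN_MALWARE])
MODEL = LogisticClassifier()
MODEL.fit([features(s) for s in MALICIOUS_TRAIN + BENIGN_TRAIN],
          [1] * len(MALICIOUS_TRAIN) + [0] * len(BENIGN_TRAIN))


def verdicts() -> dict:
    """(signature result, model result) for the known sample, its variant and a document."""
    return {name: (SCANNER.scan(data), MODEL.predict(data))
            for name, data in [("known", KNOWN_MALWARE), ("variant", VARIANT),
                               ("document", NEW_DOCUMENT)]}


if __name__ == "__main__":
    for name, (sig, ml) in verdicts().items():
        print(f"{name:9s} signature={sig:14s} model={ml}")
```

The signature scanner is exact by construction, so the re-encoded variant is reported clean until its hash or pattern is added to the database; the classifier generalizes because the variant's entropy and printable fraction are unchanged. The same property is the source of statistical detectors' false positives: any legitimately compressed or encrypted file shares that profile, which is why real products combine many features and still keep signatures for known samples.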

The Future

Throughout the history of cyber-attacks, we have learned that malicious threats have outpaced cybersecurity. The costs and damage from cyber-attacks continue to increase every year. Malicious actors are disrupting the cyber-attack world faster than organizations are using disruptive cybersecurity technologies. We believe security adoption laggards with outdated technology and organizations with understaffed security teams are more likely going to be victims of an attack than organizations with a higher spending budget and a fuller team. A quickly evolving threat landscape will continue to drive security spending budgets up, and security vendors will need to consolidate or continue to introduce disruptive technologies to remain players in the arena.

We feel advanced endpoint security is a sub-segment of cybersecurity that is in the tail end of its expansion phase. If threats continue to evolve, we envision attacks (such as memory-based attacks) circumventing traditional signature-based endpoint solutions and damaging organizations that failed to adopt more advanced threat protection products. Many of the incumbent vendors offer non-signature-based solutions such as sandboxing techniques, but as we mentioned in the previous section, sandboxing has its drawbacks, e.g., a delay trigger in malware causing it to remain undetected by sandboxing programs. Advanced endpoint protection methods will garner wallet share in the next few years given the adolescent phase of AI, a result of the immaturity of compliance requirements, though we are beginning to see a transition occur in its adoption. For example, incumbent security vendors such as Palo Alto Networks and Symantec are deploying machine learning in their endpoint threat protection products. These vendors are capable of offering compliance-required solutions on top of machine learning capabilities, a step in the right direction for the adoption of non-signature-based platforms.

Why AI? Compared to traditional AV products, AI offers real-time prevention and detection mechanisms to prevent both known and unknown malware while simultaneously using less bandwidth and memory on the endpoint. Generally, AI entails more compute power; however, the development of more advanced cloud services has allowed endpoint security offerings to relieve the endpoint from running the AI-based threat analysis. Symantec claims to reduce bandwidth usage and definition file sizes by 70% over its previous versions. Cylance’s AI endpoint security product (CylancePROTECT®) claims to use “less than 1% of CPU” and requires no Internet connection or signature updates. SentinelOne claims to add an average of only 0.4% of CPU usage per monitored process. We believe the combination of real-time protection and optimized productivity is a compelling formula, though we anticipate pricing to be relatively higher due to cloud service expenses and vendors’ desire to maintain margins. Also, the cybersecurity talent supply is very low and the gap has continued to widen, which drives our view that automation will be paramount in tomorrow’s security products. The decision-making capabilities of AI will continue to grow in demand as organizations struggle to fill cybersecurity positions. Big data analysis is increasingly relying on AI for decision making and automation, driven by the ongoing expansion of databases and the competitive edge of interpreting data at a significantly faster rate. Guidance Software, a provider of endpoint security and other big data solutions, uses machine learning and automation in its offerings. For example, the company provides big data eDiscovery analysis to analyze and automatically process relevant data in litigation. Similarly, we believe the edge in combating threats could lie within the development of AI in security. Machine-learning techniques could be the stepping stone in endpoint security development. Considering current market dynamics of vendor consolidation in addition to the growing number of compliance requirements on the endpoint, we envision security incumbents gaining market share during the expansion phase of the adoption of AI in endpoint security.

The two major advantages in using an incumbent endpoint security vendor are 1) the ability to integrate the products with other offerings from the vendor and 2) the option to meet all compliance standards with one vendor. The endpoint arena is a very fragmented market, but only a few of these vendors offer solutions that can attack all ends of endpoint security. Integration with other solutions, such as mobile management and the secure web gateway for URL filtering and application control, is valuable to organizations to centralize security into a single platform, particularly when the supply of information security professionals is low. According to a Gartner survey, 40% of organizations are using a single vendor for endpoint platforms or plan on consolidating in the near future. Increasing the security stack with more advanced solutions can simultaneously overwhelm IT with more alerts or maintenance. Although many of the niche vendors are effective and innovative in preventing threats, we envision the communication between products being a leading selling point for organizations.

Exhibit 6: Endpoint Security Vendors

Source: Oppenheimer & Co.

Exhibit 7: Gartner’s 2016 Magic Quadrant for Endpoint Protection Platforms

Source: Gartner


Exhibit 8: Market share of leading endpoint security vendors in 2015. According to IDC, growth was impacted by the global economic climate, geopolitical instability, and the emergence of smaller vendors with signatureless solutions.

Vendor              2014 ($M)  2015 ($M)  2014 Share  2015 Share  2014–2015 Growth
Symantec               $815.8     $764.2       18.8%       18.2%            (6.3%)
Intel                  $749.0     $717.1       17.3%       17.1%            (4.3%)
Trend Micro            $488.1     $488.9       11.2%       11.7%             0.2%
ESET                   $267.9     $252.3        6.2%        6.0%            (5.8%)
Sophos                 $242.9     $249.9        5.6%        6.0%             2.9%
Kaspersky Lab          $242.3     $221.8        5.6%        5.3%            (8.5%)
IBM                    $208.0     $219.5        4.8%        5.2%             5.6%
F-Secure               $109.9      $88.6        2.5%        2.1%           (19.3%)
Bit9                    $63.9      $84.4        1.5%        2.0%            32.1%
Microsoft               $79.2      $79.0        1.8%        1.9%            (0.3%)
Check Point             $70.3      $73.7        1.6%        1.8%             4.9%
AVG Technologies        $57.3      $62.6        1.3%        1.5%             9.2%
Lumension Security      $65.9      $57.3        1.5%        1.4%           (13.1%)
Panda Security          $51.6      $49.2        1.2%        1.2%            (4.6%)
Webroot                 $35.9      $37.5        0.8%        0.9%             4.2%
Other                  $792.2     $742.1       18.3%       17.7%            (6.3%)
Total                $4,340.2   $4,188.1      100.0%      100.0%            (3.5%)

Source: IDC, Oppenheimer & Co.

Compliance remains a leading factor in an organization’s decision process in choosing vendors. We have found that more advanced endpoint solutions, such as AI, are starting to become more widely accepted by compliance programs. For example, SentinelOne announced its certification for HIPAA and PCI DSS compliance for malware protection and AV requirements on April 27, 2016. Cylance announced its HIPAA compliance for malware protection and AV requirements on December 1, 2015. PANW announced its Traps compliance with PCI DSS and HIPAA on October 4, 2016. Requirements and vendor lists by other compliance programs, such as FINRA, remain unclear but require “up-to-date” AV on all workstations. Because violation of these compliance programs can lead to heavy fines, having a traditional AV program to satisfy requirements is more of a priority than risking infrastructures with new solutions such as machine-learning next-generation AV. Meanwhile, we believe machine learning endpoint solutions are quickly gaining mindshare. Machine learning endpoint security may differ from advanced endpoint protection (AEP) solutions because AEP uses a version of AV while incorporating some sort of zero-day threat prevention technique such as sandboxing. AI techniques are still in the process of being fully adopted as an accepted replacement for the 30-year-old technology of AV; meanwhile, we envision the AEP stack continuing its success as a discounted endpoint platform. Industry-specific compliance programs are not the only driver of security products. Regulations are becoming more strict and prudent in different regions of the world.

The European Union General Data Protection Regulation (EU GDPR) is a change made for data security in April 2016 by the European Commission to strengthen data protection laws for people in the European Union. The rule is expected to come into force in May of 2018; however, we expect the regulation to drive security spending in 2017, particularly in data security and endpoint. EU GDPR is a directive that requires disclosure of a data breach if either the organization or the affected person is based in the EU. The required statements made by organizations must include a description of the data breach, the number of data records and categories affected, and a description of how the organization will address the breach. In addition, if organizations fail to comply or commit a less serious error, they will incur a penalty of 10 million EUR or 2% of annual revenues, whichever is higher. If the error is deemed serious, organizations could be fined up to 4% of global revenues. EU GDPR also affects any organization that is storing data belonging to individuals located in the EU, additionally impacting organizations located outside the EU. Without a doubt, we envision this new regulation being a major driver for security spending in the European region. We believe budgets will focus on advanced endpoint and data security products.

We analyzed the nature of security spending in the EU region and compared it to the US, where data breach disclosure requirements are in effect (in most states). We used information from the European Commission to find the number of active organizations in the EU with ten or more employees. We used the U.S. Census Bureau website to find the same information regarding the number of active organizations with ten or more employees in the US. We used the regions’ GDP to compare average output per organization, to avoid the assumption that the average organization size could be larger in one region (though we assume output per endpoint is the same). Then, we used Gartner’s information security spending and enterprise endpoint spending estimates for Europe and the US. By estimating the average number of endpoints per organization (the EU data adjusted by the US/EU output ratio), we were able to compare estimates of the average endpoint security cost per seat. When using Gartner’s estimates, we found that the YoY growth estimates for “Enterprise Endpoint Platforms” in the US were at a CAGR of 2.4% from 2015 to 2020. Endpoint growth estimates for Europe came to a CAGR of 0.3%, which is below GDP growth for that region. Using Gartner’s data, the cost per seat estimates were mostly stable for the US and decreasing for the EU. Near-term demand for more advanced endpoint security and heightened IT budgets will drive up the cost per seat. Although we believe advanced endpoint solutions will likely decrease in TCO, late majority adopters will still increase average cost as a whole. We estimate the combined European and US enterprise endpoint platform market to grow at a CAGR of 5.3% from 2016 through 2020 (vs. Gartner’s 1.5%), driven by compliance initiatives and the need for heightened data security. IDC estimates that the opportunity for security software from the EU GDPR initiative will be $811 million in 2016, growing to $1.8 billion by 2019.
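The per-seat calculation described above can be rerun from the inputs printed in Exhibit 9. The following Python is an added worked example of that arithmetic, not the analysts' own spreadsheet: it takes the organization counts, GDP figures and endpoint spending from the exhibit, derives output per organization, the US/EU adjustment ratio and cost per endpoint, and recomputes the combined 2016E-2020E CAGR. Because the exhibit prints organization counts rounded to two decimals, the recomputed later-year figures land within a few cents of the printed ones rather than matching exactly; the 2015 figures match to the cent.

```python
YEARS = ["2015", "2016E", "2017E", "2018E", "2019E", "2020E"]
ENDPOINTS_PER_ORG = 65.0   # Exhibit 9's assumed average number of endpoints per organization

# Inputs copied from Exhibit 9 (organizations in millions, GDP in trillions of USD,
# endpoint spending in millions of USD).
US_ORGS = [1.27, 1.29, 1.31, 1.33, 1.35, 1.36]
US_GDP = [17.95, 18.29, 18.66, 19.03, 19.41, 19.80]
EU_ORGS = [1.68, 1.70, 1.71, 1.73, 1.75, 1.77]
EU_GDP = [16.23, 16.49, 16.74, 17.02, 17.33, 17.66]
ENDPOINT_SPEND = {
    ("US", "Gartner"):     [1231, 1269, 1303, 1332, 1362, 1393],
    ("US", "Oppenheimer"): [1231, 1310, 1399, 1469, 1536, 1613],
    ("EU", "Gartner"):     [1042, 1056, 1062, 1064, 1066, 1069],
    ("EU", "Oppenheimer"): [1042, 1120, 1190, 1250, 1308, 1375],
}


def output_per_org(gdp_trillions: float, orgs_millions: float) -> float:
    """GDP per active organization in millions of USD (trillions / millions)."""
    return gdp_trillions / orgs_millions


def us_eu_ratio(i: int) -> float:
    """Adjustment applied to EU spending so both regions reflect comparable output."""
    return output_per_org(US_GDP[i], US_ORGS[i]) / output_per_org(EU_GDP[i], EU_ORGS[i])


def cost_per_endpoint(region: str, source: str, i: int) -> float:
    """Average endpoint security cost per seat for one year and one estimate set."""
    orgs = US_ORGS[i] if region == "US" else EU_ORGS[i]
    spend_per_org = ENDPOINT_SPEND[(region, source)][i] / orgs   # $M / M orgs = $ per org
    if region == "EU":
        spend_per_org *= us_eu_ratio(i)
    return spend_per_org / ENDPOINTS_PER_ORG


def cagr(first: float, last: float, periods: int) -> float:
    return (last / first) ** (1.0 / periods) - 1.0


def combined_endpoint_cagr(source: str) -> float:
    """Combined US + EU endpoint spending growth from 2016E through 2020E."""
    us = ENDPOINT_SPEND[("US", source)]
    eu = ENDPOINT_SPEND[("EU", source)]
    return cagr(us[1] + eu[1], us[5] + eu[5], 4)


def summary() -> dict:
    """Cost per endpoint by year for every region/source pair, as in the exhibit's Summary."""
    return {key: [round(cost_per_endpoint(key[0], key[1], i), 2) for i in range(len(YEARS))]
            for key in ENDPOINT_SPEND}


if __name__ == "__main__":
    for (region, source), row in summary().items():
        print(f"{region} {source:12s}", " ".join(f"${v:6.2f}" for v in row))
    print("Combined 2016E-2020E endpoint CAGR:",
          f"Oppenheimer {combined_endpoint_cagr('Oppenheimer'):.1%},",
          f"Gartner {combined_endpoint_cagr('Gartner'):.1%}")
```

Run as written, the Oppenheimer combined CAGR reproduces the 5.3% quoted in the text; the Gartner figure comes out a tenth of a point below the quoted 1.5%, which is consistent with the exhibit's inputs being rounded.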


Exhibit 9: Comparison of Security Spending in the US vs. EU

* Total Information Security estimates were not adjusted

Source: data.worldbank.org, ec.europa.eu, census.gov, Gartner, Oppenheimer & Co. estimates

In Millions (Except Averages)

US (Gartner Estimates)                                   2015     2016E    2017E    2018E    2019E    2020E
US Active Organizations with 10+ Employees               1.27     1.29     1.31     1.33     1.35     1.36
US GDP (In Trillions)                                    17.95    18.29    18.66    19.03    19.41    19.80
GDP Growth                                                        1.9%     2.0%     2.0%     2.0%     2.0%
Output per Organization                                  $14.1    $14.2    $14.2    $14.3    $14.4    $14.5
Gartner US Organization Info Sec Spending                $33,126  $36,536  $39,871  $43,324  $47,106  $51,145
YoY                                                               10.3%    9.1%     8.7%     8.7%     8.6%
Average Dollars Spent on Info Sec Per Organization       $26,084  $28,343  $30,384  $32,495  $34,913  $37,531
Gartner US Organization Endpoint Spending                $1,231   $1,269   $1,303   $1,332   $1,362   $1,393
YoY                                                               3.1%     2.7%     2.3%     2.3%     2.3%
Average Dollars Spent on Endpoint Per Organization       $969     $984     $993     $999     $1,010   $1,022
Average Cost per Endpoint                                $14.91   $15.15   $15.28   $15.37   $15.53   $15.73
Average Number of Endpoints                              65.0     65.0     65.0     65.0     65.0     65.0

US (Oppenheimer Estimates)                               2015     2016E    2017E    2018E    2019E    2020E
Gartner US Organization Info Sec Spending*               $33,126  $36,536  $39,871  $43,324  $47,106  $51,145
YoY                                                               10.3%    9.1%     8.7%     8.7%     8.6%
Average Dollars Spent on Info Sec Per Organization       $26,084  $28,343  $30,384  $32,495  $34,913  $37,531
Gartner US Organization Endpoint Spending                $1,231   $1,310   $1,399   $1,469   $1,536   $1,613
YoY                                                               6.4%     6.8%     5.0%     4.6%     5.0%
Average Dollars Spent on Endpoint Per Organization       $969     $1,016   $1,066   $1,102   $1,138   $1,184
Average Cost per Endpoint                                $14.91   $15.63   $16.40   $16.95   $17.51   $18.21
Average Number of Endpoints                              65.0     65.0     65.0     65.0     65.0     65.0

EU (Gartner Estimates)                                   2015     2016E    2017E    2018E    2019E    2020E
EU Active Organizations with 10+ Employees               1.68     1.70     1.71     1.73     1.75     1.77
EU GDP (In Trillions)                                    16.23    16.49    16.74    17.02    17.33    17.66
GDP Growth                                                        1.6%     1.5%     1.7%     1.8%     1.9%
Output Per Organization                                  $9.7     $9.7     $9.8     $9.8     $9.9     $10.0
US/EU Output Per Organization Ratio                      1.5      1.5      1.5      1.5      1.5      1.5
Gartner Europe Organization Info Sec Spending            $24,389  $26,128  $27,613  $29,187  $30,896  $32,741
YoY                                                               7.1%     5.7%     5.7%     5.9%     6.0%
Average Dollars Spent on Info Sec Per Organization       $14,518  $15,398  $16,112  $16,863  $17,673  $18,543
Adjusted Using US/EU Ratio                               $21,240  $22,483  $23,456  $24,475  $25,651  $26,940
Gartner Europe Organization Endpoint Spending            $1,042   $1,056   $1,062   $1,064   $1,066   $1,069
YoY                                                               1.4%     0.5%     0.2%     0.2%     0.3%
Average Dollars Spent on Endpoint Per Organization       $620     $622     $619     $615     $610     $605
Adjusted Using US/EU Ratio                               $907     $909     $902     $892     $885     $880
Average Cost per Endpoint                                $13.96   $13.98   $13.87   $13.72   $13.61   $13.53
Average Number of Endpoints                              65.0     65.0     65.0     65.0     65.0     65.0

EU (Oppenheimer Estimates)                               2015     2016E    2017E    2018E    2019E    2020E
Europe Organization Info Sec Spending*                   $24,389  $26,128  $27,613  $29,187  $30,896  $32,741
YoY                                                               7.1%     5.7%     5.7%     5.9%     6.0%
Average Dollars Spent on Info Sec Per Organization       $14,518  $15,398  $16,112  $16,863  $17,673  $18,543
Adjusted Using US/EU Ratio                               $21,240  $22,483  $23,456  $24,475  $25,651  $26,940
Europe Organization Endpoint Spending                    $1,042   $1,120   $1,190   $1,250   $1,308   $1,375
YoY                                                               7.5%     6.3%     5.0%     4.6%     5.1%
Average Dollars Spent on Endpoint Per Organization       $620     $660     $694     $722     $748     $779
Adjusted Using US/EU Ratio                               $907     $964     $1,011   $1,048   $1,086   $1,131
Average Cost per Endpoint                                $13.96   $14.83   $15.55   $16.13   $16.71   $17.41
Average Number of Endpoints                              65.0     65.0     65.0     65.0     65.0     65.0

Summary

US                                                       2015     2016E    2017E    2018E    2019E    2020E
Average Cost per Endpoint Using Gartner Estimates        $14.91   $15.15   $15.28   $15.37   $15.53   $15.73
Average Cost per Endpoint Using Oppenheimer Estimates    $14.91   $15.63   $16.40   $16.95   $17.51   $18.21

EU                                                       2015     2016E    2017E    2018E    2019E    2020E
Average Cost per Endpoint Using Gartner Estimates        $13.96   $13.98   $13.87   $13.72   $13.61   $13.53
Average Cost per Endpoint Using Oppenheimer Estimates    $13.96   $14.83   $15.55   $16.13   $16.71   $17.41


Exhibit 10: Gartner’s Enterprise Endpoint Protection Platform Spending Estimates

Source: Gartner, Oppenheimer & Co.

Endpoint security spending will also be driven by the transition of enterprises to cloud software and infrastructure solutions. The movement of data calls for encryption and data loss prevention. On the infrastructure side, we envision cloud service providers being the majority provider for encryption, but IT administrators will also utilize third-party vendors to have a centralized platform for a hybrid infrastructure. DLP will also be an important component of the overall security portfolio given the flexible use of data in the cloud. For example, in SaaS applications, users will be able to access data wherever and whenever they need to. While this is a positive for productivity, it is risky for organizations to trust employees with this flexibility, as seen by the increase in the number of incidents involving employees and business partners. A cloud access security broker (CASB) is a form of data security that prevents leaks from occurring in the cloud space, but we believe CASB will be most beneficial to organizations that use it in communication with other endpoint solutions. For example, DLP on the endpoint usually consists of preventing employees from sending sensitive information via messaging, email, etc. A product that combines endpoint DLP with CASB’s DLP would provide an organization with a more holistic and centralized approach to preventing data from leaking beyond the organization’s perimeter. The encryption functionality of CASB could integrate well with file/disk encryption within the endpoint, allowing IT administrators to consolidate key management systems in a single location and minimize attack surfaces. Considering the lack of information security workforce and the growing complexity of IT infrastructures, we believe ease of use and centralization/integration of solutions will be considerable factors in product win rates.

The future of endpoint security will be influenced by the following: 1) the growing complexity of cyber-attacks and the spike in extortion techniques; 2) the adoption of signature-based AV replacements such as AI by compliance programs including HIPAA and PCI DSS; 3) the EU GDPR movement driving focus on data security and more advanced methods of zero-day mitigation; and 4) the migration of workloads to the cloud, which expands the attack surface and escalates the movement of data, calling for a more lightweight anti-malware product, communication between security solutions, and effective data security solutions. Advanced endpoint solutions such as sandboxing techniques are entering the ninth inning of their adoption expansion phase, but the rise of algorithmic methods is beginning. We have already seen a sustained, innovative shift toward implementing machine learning techniques in endpoint solutions by incumbent security vendors such as Cisco, FireEye, Palo Alto Networks, and Symantec. An interesting transition across vendors is the trend of offering subscription-based products/services in lieu of perpetual licenses. We believe this benefits both parties: the vendor has a more predictable revenue model, and the organization is not bottlenecked by its investment down the road. We estimate AI endpoint solutions to be a subscription of around $50 per endpoint (e.g., Cylance), which is nearly three times the price of traditional AV perpetual licenses at around $15 (e.g., ESET). While the price point is higher (we believe it could decrease to around $25 in the next few years), we still expect the solutions to be adopted given the growing cost of breaches and the reduced CPU load of running the solutions (particularly in virtualized environments). We expect next-generation endpoint solutions to migrate their pricing model toward a volume metric rather than the traditional per-seat metric, given the high deviations in endpoint compute and their renewed SaaS approach. We believe enterprises will continue to use a stacked security approach (e.g., AV plus sandboxing), though artificial intelligence endpoint products could remain a significant driver for the sub-segment through 2020 when considering the SaaS (recurring) revenue model. Gartner estimates the Enterprise Endpoint Protection Platform market to increase at a CAGR of around 2.7% from 2015 to 2020; however, we estimate the CAGR to be approximately 5.2%. Gartner's calculation would suggest that slightly less than half of the endpoints would use advanced endpoint products, which includes a price decrease toward $25 per endpoint by 2020. Excluding any adjustments to APAC estimates, we estimate the enterprise endpoint protection platform total addressable market to increase to ~$4.7B by 2020.

Public Companies

We overview the following companies we cover that could be participants in the next-generation endpoint security market:

CHKP

CHKP entered the endpoint market in 2004 following the acquisition of ZoneAlarm, and now offers endpoint as a software blade. The endpoint platform under the antivirus software blade does not incorporate artificial intelligence. It uses an algorithm-based analysis when its sensor triggers are activated, as well as an anomaly-based detection technique under its ThreatCloud intelligence. For detection of zero-day unknown signatures, it uses a sandboxing technique (threat emulation). CHKP's endpoint platform's strong point is its presentation of critical information for data analysis in a breach investigation or any endpoint vulnerability issues. Because the company is a network security vendor, it can synchronize its network security policies with those of its endpoints (such as URL filtering capabilities). Another feature is CHKP's ability to protect the mobile environment (after its acquisition of Lacoon Mobile Security in April of 2015), which we envision being an attention-grabber in the coming years as attacks in the mobile field grow in number. We believe CHKP's portfolio for endpoint security is stacked with solid solutions but with room to grow its technology. The company has recently mentioned that a leading R&D priority (behind SandBlast) is mobile security. CHKP is cash-heavy (~$3.7 billion in cash and equivalents), and we believe the company has an easy opportunity to advance its solutions when it sees fit.

CYBR

CYBR acquired Viewfinity in October of 2015, which put the company on the map as an endpoint security provider, though complementary to other endpoint solutions. Since the acquisition, the company unveiled CyberArk Endpoint Privilege Manager (November 2016), a privilege management and threat detection hybrid solution that can integrate with other security vendors such as Check Point, FireEye, and Palo Alto Networks. The primary objective of CYBR's endpoint offering is to maintain productivity while simultaneously securing privileged accounts. Offered through the cloud, the Endpoint Privilege Manager provides application control, automated policy creation, and behavioral analysis on endpoints to detect and block attempts to steal critical credentials. Following the acquisition of Viewfinity, we view CYBR's position in the endpoint arena as unique. We believe the company has plenty of opportunity to garner mindshare and further penetrate the endpoint privilege management market.

FEYE

Following the announcement (November) of its new platform, FireEye Helix, we believe FEYE's endpoint solution has a lot of potential in gaining market share. Endpoint is the second largest area of focus for R&D (behind its MVX architecture) and saw some developments in 2016. While FEYE does not market its endpoint product as machine learning or artificial intelligence (more so "machine intelligence"), it uses similar techniques in preventing and detecting known and unknown malware. Exploit Guard is a new feature (March 2016) offered to existing customers at no extra cost that applies behavioral analysis and machine intelligence to its HX (Endpoint) product. In the Helix announcement in November, it was mentioned that over five million endpoints under FireEye HX protection have turned on the feature. We believe FEYE's platform approach better integrates its network and endpoint solutions given the ability to automate responses to compromised endpoints. In our view, FEYE's endpoint solution, combined with its integration with the NX product, intelligence from iSight, automation from Invotas, and lowered TCO, will position the company positively in gaining market share within the endpoint market.

FTNT

Fortinet's FortiClient product is a next-generation endpoint solution that automates protection and detection using sandbox techniques (it integrates with FortiSandbox). The product fully integrates with its network security product (FortiGate), security management (FortiManager), and event correlation and response (FortiAnalyzer) to dynamically communicate and manage threats across the entire network. FortiClient does not use artificial intelligence in its architecture, relying instead on sandboxing techniques. We believe FTNT's advantage is the ability to communicate with the security fabric.

PANW

With new machine learning capabilities and compliance acceptance by PCI DSS and HIPAA, we believe PANW can grow its endpoint platform (Traps) significantly (it currently has 600 Traps customers), particularly across its existing installed base (~35,500 customers). PANW is one of a few vendors that can integrate its machine learning endpoint platform with its network perimeter, allowing admins to block and quarantine rogue endpoints and simultaneously stop the corresponding malware from entering the network. PANW acquired Cyvera ($200 million) in 2014, which used sandboxing and other advanced features for zero-day threat prevention. In August of 2016, PANW announced the use of machine learning capabilities for static analysis of files, placing PANW in the market beyond the traditional endpoint stack.


SYMC

We believe SYMC's acquisition of Blue Coat and its recent moves could slingshot the company back to growing market share in the enterprise endpoint security market. SYMC can benefit from its vast installed base (including Blue Coat's) to cross-sell its recently announced (Sept. 13th, 2016) cloud-based machine learning endpoint protection product (Symantec Endpoint Protection Cloud), as well as the ability for this market share leader to integrate the full endpoint stack (including solutions required by compliance standards) into one solution. With the acquisition of Blue Coat, SYMC can integrate its market-leading cloud-based secure web gateway solutions with the endpoint platform. We believe SYMC can benefit from the migration of organizations to the cloud given its CASB position (with the acquisition of Blue Coat) and its offerings for cloud environments.

VRNT

VRNT leverages its expertise in big data and high-speed networks to detect and resolve cyber-attacks on a network level as well as on the endpoint. Using a set of integrated detection and forensics sensors, the company can provide administrators with automated investigations and orchestrated responses to analyze and protect an organization's network. As attacks grow in number and complexity, big data analytics for security could grow in relevance. We view the company's automation capabilities as a key component for security portfolios on all points of an organization's network.

Additional Not Covered Companies

Trend Micro offers an endpoint security platform through the cloud for all infrastructure/endpoint environments. The company's technology incorporates machine learning and other threat protection techniques (such as behavioral analysis) to protect against unknown malware. According to IDC, Trend Micro has an 11.7% market share in the enterprise endpoint security market,

Guidance Software provides endpoint security as well as other big data solutions. Its Encase Endpoint Security product can detect unknown risks and threats by using anomaly and behavioral-based analysis. It provides automated responses to threats after further malware analysis, and returns the endpoint to a trusted state. According to Gartner (January 2017), Guidance Software holds the largest market share (25%) of the Endpoint Detection and Response market by number of licensed endpoints.

Private Companies

The endpoint security arena is filled with a number of private players that constantly challenge the technology of market share leaders. Some private companies have approached endpoint defense using different detect/response tactics and AI techniques that we feel have influenced the next generation of endpoint security. We believe the development and innovation from these companies will be key drivers in tackling new sophisticated attacks and will continue to be pertinent in a constantly changing threat environment. Below, we highlight endpoint security vendors that could play a role in the next generation of endpoint defense, particularly in a rapidly consolidating industry.


AVAST

Company Description

AVAST is a leading security software provider for computers, phones, and tablets, offering endpoint protection to consumers and businesses via the cloud. AVAST acquired leading consumer endpoint protection vendor AVG in September of 2016, making the aggregate number of users in its network approximately 400 million. The company was founded in 1988 by Pavel Baudiš and Eduard Kučera and is headquartered in Prague, Czech Republic. Major competitors include vendors in the consumer and enterprise endpoint security arena such as Symantec, ESET, Kaspersky, and Webroot.

Products for the Next Generation of Endpoint

AVAST, alongside AVG, has one of the largest endpoint networks in the security industry. Paired with its cloud delivery strategy, the company has the ability to provide next-generation techniques such as machine learning to its intelligent antivirus, packaged with other compliance-required endpoint security software. The company also provides efficient sandboxing techniques through the cloud that are less likely to impact performance and speed. In the high-end AVAST endpoint security product ("Premier"), the stack includes intelligent antivirus, home network security, real-time threat detection, firewall, sandbox, password manager, anti-spam, and DNS security.

Senior Management

Vincent Steckler – CEO
Rene-H. Bienz – CFO
Pavel Baudiš – Founder and Director
Eduard Kučera – Founder and Director

Recent Series of Investments

Private Equity – $100 million in August 2010
Private Equity – Undisclosed in February 2014

Leading Investors

Summit Partners
CVC Capital Partners


Bromium

Company Description

Bromium offers micro-virtualization solutions for apps on enterprise endpoints to isolate tasks and prevent malware from spreading. The company was founded in 2010 by Gaurav Banga, Simon Crosby, and Ian Pratt, and is headquartered in Cupertino, CA. Competitors include micro-virtualization vendors such as Menlo Security, Spikes Security, and tuCloud Federal, as well as indirect competitors offering sandboxing such as Check Point, Symantec, FireEye, and Palo Alto.

Products for the Next Generation of Endpoint

Bromium's micro-virtualization capabilities isolate processes so endpoint users are not immediately doomed upon downloading malware. Each task is isolated, meaning breaches cannot escape and spread, whether the attack is known or unknown. Bromium's Advanced Endpoint Security solution operates using CPU-enforced isolation that can proactively prevent malware utilizing a microvisor while running on a strict need-to-know basis. Micro-virtualization is a unique approach to endpoint security that can be very effective in preventing attacks that use the most frequented vehicles such as PDFs, web attacks, and executables.

Senior Management

Gregory Webb – CEO
Ian Pratt – Co-founder and President
Simon Crosby – Co-founder and CTO
Earl Charles – CFO

Recent Series of Investments

Series A – $9.2 million in June 2011
Series B – $26.5 million in June 2012
Series C – $40 million in October 2016
Series D – $40 million in March 2016

Leading Investors

Andreessen Horowitz
Highland Capital Partners
Ignition Partners
Intel Capital
Lightspeed Venture Partners
Meritech Capital Partners
Silver Lake Waterman


Carbon Black

Company Description

Carbon Black offers an enterprise endpoint security platform to replace AV programs using a simple-to-deploy, scalable cloud solution. The company offers a "Next Generation Antivirus" that uses a deep analytic approach to prevent some of the most complex methods of attack, including memory exploits and scripting. The company was founded in 2002 by Allen Hillery, John Hanratty, Todd Brennan, and Michael Viscuso and is headquartered in Waltham, MA. Competitors include security incumbents such as Symantec, Palo Alto, Check Point, Cisco, AVAST, et al., as well as other endpoint point solution vendors.

Products for the Next Generation of Endpoint

Carbon Black's Cb Endpoint Security Platform offers next-generation AV, incident response and threat hunting solutions, application control, and attack analytics and intelligence. The next-generation AV solution uses a deep analytic approach to inspect files and identify malicious activity to prevent both known and unknown malware, including more sophisticated attacks such as memory-based attacks and script-based attacks. Cb Protection is an application control solution that can provide control of automatic software execution across applications, maintaining the protection of sensitive data. Carbon Black's platform can be distributed across desktops, laptops, servers, and point-of-sale devices.

Senior Management

Patrick Morley – President and CEO
Mark Sullivan – CFO
Michael Viscuso – Co-founder and CTO

Recent Series of Investments

Venture – $12.5 million in April 2011
Series D – $34.5 million in July 2012
Series E – $38.3 million in February 2014
Series F – $54.5 million in October 2015
Series G – $14 million in February 2016

Leading Investors

.406 Ventures
Atlas Venture
Highland Capital Partners
Sequoia Capital


Crowd Strike

Company Description

Crowd Strike provides a cloud-based next-generation endpoint protection platform as well as intelligence and incident response services to prevent, detect, and mitigate complex breaches in enterprises. The company was founded in 2011 by George Kurtz, Dmitri Alperovitch, and Gregg Marston and is headquartered in Irvine, CA. Competitors include security incumbents such as Symantec, Palo Alto, Check Point, Cisco, AVAST, et al., as well as other endpoint security vendors.

Products for the Next Generation of Endpoint

Crowd Strike offers its Falcon Platform, which includes a next-generation AV product (Falcon Host), Security-as-a-Service (Falcon Overwatch), and intelligence (Falcon Intelligence), as well as DNS security solutions (Falcon DNS). Falcon Host is a next-generation endpoint protection product delivered through the cloud and was independently validated for HIPAA compliance in September 2016. The product uses machine learning to prevent malware breaches in real time and analyze historical endpoint activity, including processes and threads. Its "DVR"-like capabilities enable organizations to record and retrace the footsteps of threat actors so IT leaders know where to plug the holes of vulnerabilities.

Senior Management

George Kurtz – Co-founder and President/CEO
Dmitri Alperovitch – Co-founder and CTO
Burt Podbere – CFO

Recent Series of Investments

Series A – $26 million in February 2012
Series B – $30 million in September 2013
Series C – $100 million in July 2015

Leading Investors

Accel Partners
CapitalG
Rackspace
Warburg Pincus


Cybereason

Company Description

Cybereason offers an endpoint security platform designed to detect malicious attacks and distinguish the intent of the attackers using advanced artificial intelligence. The company was founded in 2012 by ex-Israeli Defense cybersecurity staff (Lior Div-Cohen, Yonatan Striem-Amit, and Yossi Naar) and is headquartered in Boston, MA. Competitors include security incumbents such as Symantec, Palo Alto, Check Point, Cisco, AVAST, et al., as well as other endpoint security vendors.

Products for the Next Generation of Endpoint

Cybereason uses sensors for endpoints and servers to detect anomalous behavior and identify both known and unknown malware. Cybereason's platform comes with a "hunting engine" that uses artificial intelligence, machine learning, and behavioral techniques to hunt down cyber-attacks that come across the company's sensors. The sensors are built to run in user space, leaving no impact on productivity or user experience. The platform allows IT administrators to respond efficiently and effectively by providing tools to simplify the forensics and supporting evidence of attacks. In addition, Cybereason offers active monitoring services (Security-as-a-Service) that can also help determine the right course of action.

Senior Management

Lior Div – CEO & Co-founder
Yossi Naar – CVO & Co-founder
Yonatan Striem-Amit – CTO & Co-founder
Scott Ward – CFO

Recent Series of Investments

Series A – $4.63 million in May 2013
Series B – $25 million in May 2015
Series C – $59 million in September 2015

Leading Investors

Charles River Ventures
Spark Capital Partners
SoftBank Group Corp.
Lockheed Martin Corp.


Cylance

Company Description

Cylance is a next-generation antivirus provider that uses artificial intelligence and machine learning to identify and prevent both known and unknown cyber threats from executing on endpoints. The company was founded in 2012 by Stuart McClure and Ryan Permeh and is headquartered in Irvine, CA. Cylance is in the Visionaries quadrant of Gartner's 2016 Magic Quadrant for Endpoint Protection Platforms. Competitors include security incumbents such as Symantec, Palo Alto, Check Point, Cisco, AVAST, et al., as well as other endpoint security vendors.

Products for the Next Generation of Endpoint

Cylance provides endpoint security by using advanced machine learning and artificial intelligence techniques. CylancePROTECT® is a next-generation antivirus that can prevent threats in real time before any attack is made, including system and memory-based attacks, zero-day malware, scripts, and unwanted programs. Because of its artificial intelligence framework, the product uses less than 1% of CPU, and no signature updates are required. The CylancePROTECT®+ThreatZERO™ platform includes services for threat intelligence, deployment strategies, and best practices, ensuring an organization's environment is not already infected.

Senior Management

Stuart McClure – Co-founder and CEO/President
Ryan Permeh – Co-founder and Chief Scientist
Jeff Ishmael – CFO

Recent Series of Investments

Series A – $15 million in February 2013
Series B – $20 million in February 2014
Series C – $42 million in July 2015
Series D – $100 million in June 2016

Leading Investors

Blackstone Tactical Opportunities
Insight Venture Partners
DFJ Growth
Fairhaven Capital Partners
Khosla Ventures


Deep Instinct

Company Description

Deep Instinct (Fifth Dimension Ltd.) provides the first deep learning form of artificial intelligence for protecting endpoints and mobile devices, breaking down objects into their smallest parts to analyze and predict malware attacks before they happen. The company was founded in 2014 by Guy Caspi, Doron Cohen, and Yoel Neeman, and is headquartered in Tel Aviv, Israel. Deep learning AI may be categorized differently from machine learning; therefore, indirect competitors include security incumbents such as Symantec, Palo Alto, Check Point, Cisco, AVAST, et al., as well as other endpoint security vendors.

Products for the Next Generation of Endpoint

Deep Instinct's product differs slightly from other AI-based endpoint detection and response solutions in that it uses deep learning artificial intelligence rather than machine learning. The difference is that deep learning attempts to emulate the functionality of the human brain (via "deep neural networks"). The technology trains on both structured and unstructured datasets from multiple sources, resulting in a lightweight predictive, detective, and preventive model for both known and unknown malware. As malware continues to be developed by authors who themselves use artificial intelligence, the continued advancement of intelligence on the endpoint to detect such malware is paramount. Deep Instinct's deep learning capabilities could be a stepping stone to the next generation of AI security.

Senior Management

Guy Caspi – Co-founder and CEO
Dr. Eli David – CTO
Efrat Turgeman – CFO
Doron Cohen – Co-founder and Chairman
Yoel Neeman – Co-founder and Head of Corporate

Recent Series of Investments

Series A – Undisclosed amount in September 2015

Leading Investors

Blumberg Capital LLC
Columbus Nova Partners LLC
UST Global, Inc.


Digital Guardian

Company Description

Digital Guardian provides data security software and information protection solutions for both endpoints and networks, enabling IT administrators to protect their data and better manage their attack surface. The company was founded in 2002 by Allen Michels, Nicholas Stamos, Seth Birnbaum, Donato Buccella, Tomas Revesz, Dwayne Carson, and William Fletchner, and is headquartered in Waltham, MA. Digital Guardian is located in the Leaders quadrant of Gartner's 2016 Magic Quadrant for Enterprise Data Loss Prevention. Competitors include other Data Loss Prevention vendors including Symantec, Forcepoint, Intel Security, and GTB Technologies.

Products for the Next Generation of Endpoint

Between the abstraction of IT architectures and the expansion of egress points, sensitive data can travel beyond the network using a number of pathways. The different breeds of Data Loss Prevention (DLP) products are consolidating into a single platform, and Digital Guardian is a leading provider of an integrated DLP package. In addition to DLP, the company provides other security solutions such as data visibility and control, advanced threat protection, and endpoint agents across Windows, Linux, Mac, and virtual systems. Its platform additionally offers data protection for cloud storage providers such as Accellion, Box, Citrix ShareFile, Egnyte, and Microsoft. We believe data visibility and control solutions for the endpoint are fundamental for networks with expanding egress points.

Senior Management

Ken Levine – President and CEO
Ed Durkin – CFO
Douglas Bailey – CSO
Salo Fajer – CTO

Recent Series of Investments

Venture – $12 million in March 2014
Venture – $66 million in December 2015

Leading Investors

Brookline Venture Partners
Fairhaven Capital Partners
General Electric Pension Trust
LLR Partners


LightCyber

Company Description

LightCyber provides behavioral attack detection solutions to enterprises for both on-premise and cloud infrastructures that give IT administrators the ability to identify malicious executables on endpoints, verify any incidents, and terminate the corresponding processes. The company was founded in 2011 by Giora Engel and Michael Mumcuoglu and is headquartered in Ramat Gan, Israel. LightCyber is unique in that it looks at endpoint security from the highest level of the network; thus indirect competitors may include security incumbents such as Symantec, Palo Alto, Check Point, Cisco, AVAST, et al., as well as other endpoint security vendors.

Products for the Next Generation of Endpoint

LightCyber provides a behavioral anomaly detection solution that uses sensors and an analytics engine. The company's Magna platform has the ability to perform endpoint analysis to augment network findings without the need to install agents on all endpoints. Magna Pathfinder is an endpoint anomaly solution using agentless software that automates the detection of attacks and uncovers the root cause of the attack, saving administrators hours of investigation time. The platform can be deployed in both on-premise and cloud environments.

Senior Management

Gonen Fink – CEO
Giora Engel – Co-founder and CPO
Michael Mumcuoglu – Co-founder and CTO
Yoni Mizrahi – CFO

Recent Series of Investments

Series A – $10.5 million in September 2014
Series B – $20 million in June 2016

Leading Investors

Access Industries
Amplify Partners
Battery Ventures
Glilot Capital Partners
Vertex Ventures


SentinelOne

Company Description

SentinelOne is a next-generation endpoint security provider that uses several layers of attack prevention techniques, including behavior detection and machine learning, to block threats from breaching an endpoint. The company was founded in 2013 by Tomer Weingarten and Almog Cohen and is headquartered in Bnei Brak, Israel. The company is located in the Visionaries quadrant of Gartner's 2016 Magic Quadrant for Endpoint Protection Platforms. Competitors include security incumbents such as Symantec, Palo Alto, Check Point, Cisco, AVAST, et al., as well as other endpoint security vendors.

Products for the Next Generation of Endpoint

SentinelOne provides endpoint security leveraging behavior-based threat detection techniques and can defend against sophisticated threats such as evasive malware. The product allows SOCs to set policies that automate responses to breaches, such as quarantining and containing infected endpoints. The machine learning technique under the hood of its Dynamic Behavior Tracking engine can map and score suspicious activity until the process is flagged as a threat. The product can be applied to both endpoints and servers and "guarantees" complete ransomware protection.

Senior Management

Tomer Weingarten – Co-Founder and CEO

Almog Cohen – Co-Founder and CTO

Sameet Mehta – CFO and Board Member

Ehud Shamir – Chief Security Officer

Recent Series of Investments

Series A – $12 million in April 2014

Series B – $25 million in October 2015

Leading Investors

Data Collective

Granite Hill Capital Partners

The Westly Group

Third Point Ventures

Tiger Global Management

UpWest Labs


Tanium

Company Description

Tanium is an endpoint security and management platform provider that leverages the IT operations team to automate detection and remediation strategies when an organization detects a breach. The company was founded in 2007 by David Hindawi and Orion Hindawi and is headquartered in Emeryville, CA. Competitors include security incumbents such as Symantec, Palo Alto, Check Point, Cisco, AVAST, et al., as well as other endpoint security vendors.

Products for the Next Generation of Endpoint

Tanium provides endpoint security and systems management solutions using an architecture that can visibly analyze data and control an infected endpoint within 15 seconds. Tanium Core is a platform comprising endpoint security capabilities such as threat detection, incident response, vulnerability assessment, and configuration compliance, as well as endpoint management capabilities such as patch management, asset inventory, software distribution, and asset utilization. The platform allows SOCs to automate detection and remediation strategies in an efficient manner when an attack is detected.

Senior Management

David Hindawi – Co-founder and Executive Chairman

Orion Hindawi – Co-founder and CEO

Eric Brown – CFO and COO

David Damato – Chief Security Officer

Recent Series of Investments

Series E – $90 million in June 2014

Series F – $64 million in March 2015

Series G – $117.5 million in September 2015

Series G – $30 million in September 2015

Leading Investors

Andreessen Horowitz

Franklin Templeton Investments

Geodesic Capital

Institutional Venture Partners

TPG


Stock prices of other companies mentioned in this report (as of 1/18/2017):

Guidance Software (GUID-NASDAQ, $7.18, Not Covered)

Trend Micro Inc. (4704-TYO, ¥4,220, Not Covered)


Disclosure Appendix

Oppenheimer & Co. Inc. does and seeks to do business with companies covered in its research reports. As a result, investors should be aware that the firm may have a conflict of interest that could affect the objectivity of this report. Investors should consider this report as only a single factor in making their investment decision.

Analyst Certification - The author certifies that this research report accurately states his/her personal views about the subject securities, which are reflected in the ratings as well as in the substance of this report. The author certifies that no part of his/her compensation was, is, or will be directly or indirectly related to the specific recommendations or views contained in this research report.

Potential Conflicts of Interest:

Equity research analysts employed by Oppenheimer & Co. Inc. are compensated from revenues generated by the firm including the Oppenheimer & Co. Inc. Investment Banking Department. Research analysts do not receive compensation based upon revenues from specific investment banking transactions. Oppenheimer & Co. Inc. generally prohibits any research analyst and any member of his or her household from executing trades in the securities of a company that such research analyst covers. Additionally, Oppenheimer & Co. Inc. generally prohibits any research analyst from serving as an officer, director or advisory board member of a company that such analyst covers. In addition to 1% ownership positions in covered companies that are required to be specifically disclosed in this report, Oppenheimer & Co. Inc. may have a long position of less than 1% or a short position or deal as principal in the securities discussed herein, related securities or in options, futures or other derivative instruments based thereon. Recipients of this report are advised that any or all of the foregoing arrangements, as well as more specific disclosures set forth below, may at times give rise to potential conflicts of interest.

Important Disclosure Footnotes for Companies Mentioned in this Report that Are Covered by Oppenheimer & Co. Inc:

Stock Prices as of January 19, 2017

Apple Inc. (AAPL - NASDAQ, $120.00, PERFORM)

Box, Inc. (BOX - NASDAQ, $16.62, OUTPERFORM)

Check Point Software Technologies (CHKP - NASDAQ, $90.39, OUTPERFORM)

Cisco Systems (CSCO - NASDAQ, $29.99, OUTPERFORM)

Citrix Systems, Inc. (CTXS - NASDAQ, $90.90, PERFORM)

CyberArk Software Ltd. (CYBR - NASDAQ, $50.42, OUTPERFORM)

FireEye, Inc. (FEYE - NASDAQ, $13.16, OUTPERFORM)

Fortinet, Inc. (FTNT - NASDAQ, $31.70, OUTPERFORM)

International Business Machines (IBM - NYSE, $167.89, PERFORM)

Intel Corp. (INTC - NASDAQ, $36.80, PERFORM)

Microsoft Corporation (MSFT - NASDAQ, $62.53, OUTPERFORM)

Palo Alto Networks Inc. (PANW - NYSE, $138.45, OUTPERFORM)

Symantec Corporation (SYMC - OTC, $26.20, OUTPERFORM)

Verint Systems (VRNT - OTC, $37.45, OUTPERFORM)

All price targets displayed in the chart above are for a 12- to 18-month period. Prior to March 30, 2004, Oppenheimer & Co. Inc. used 6-, 12-, 12- to 18-, and 12- to 24-month price targets and ranges. For more information about target price histories, please write to Oppenheimer & Co. Inc., 85 Broad Street, New York, NY 10004, Attention: Equity Research Department, Business Manager.

Oppenheimer & Co. Inc. Rating System as of January 14th, 2008:

Outperform(O) - Stock expected to outperform the S&P 500 within the next 12-18 months.

Perform (P) - Stock expected to perform in line with the S&P 500 within the next 12-18 months.


Underperform (U) - Stock expected to underperform the S&P 500 within the next 12-18 months.

Not Rated (NR) - Oppenheimer & Co. Inc. does not maintain coverage of the stock or is restricted from doing so due to a potential conflict of interest.

Oppenheimer & Co. Inc. Rating System prior to January 14th, 2008:

Buy - anticipates appreciation of 10% or more within the next 12 months, and/or a total return of 10% including dividend payments, and/or the ability of the shares to perform better than the leading stock market averages or stocks within its particular industry sector.

Neutral - anticipates that the shares will trade at or near their current price and generally in line with the leading market averages due to a perceived absence of strong dynamics that would cause volatility either to the upside or downside, and/or will perform less well than higher rated companies within its peer group. Our readers should be aware that when a rating change occurs to Neutral from Buy, aggressive trading accounts might decide to liquidate their positions to employ the funds elsewhere.

Sell - anticipates that the shares will depreciate 10% or more in price within the next 12 months, due to fundamental weakness perceived in the company or for valuation reasons, or are expected to perform significantly worse than equities within the peer group.

Distribution of Ratings/IB Services Firmwide

                                              IB Serv/Past 12 Mos.
Rating               Count     Percent        Count     Percent
OUTPERFORM [O]       296       55.53          111       37.50
PERFORM [P]          233       43.71          71        30.47
UNDERPERFORM [U]     4         0.75           3         75.00

Although the investment recommendations within the three-tiered, relative stock rating system utilized by Oppenheimer & Co. Inc. do not correlate to buy, hold and sell recommendations, for the purposes of complying with FINRA rules, Oppenheimer & Co. Inc. has assigned buy ratings to securities rated Outperform, hold ratings to securities rated Perform, and sell ratings to securities rated Underperform.

Company Specific Disclosures

Oppenheimer & Co. Inc. makes a market in the securities of AAPL, CHKP, CSCO, CTXS, FEYE, INTC, MSFT, SYMC and VRNT.

Oppenheimer & Co. Inc. expects to receive or intends to seek compensation for investment banking services in the next 3 months from CYBR, GUID and VRNT.

Additional Information Available

Please log on to http://www.opco.com or write to Oppenheimer & Co. Inc., 85 Broad Street, New York, NY 10004, Attention: Equity Research Department, Business Manager.

Other Disclosures

This report is issued and approved for distribution by Oppenheimer & Co. Inc. Oppenheimer & Co. Inc. transacts business on all principal exchanges and is a member of SIPC. This report is provided, for informational purposes only, to institutional and retail investor clients of Oppenheimer & Co. Inc. and does not constitute an offer or solicitation to buy or sell any securities discussed herein in any jurisdiction where such offer or solicitation would be prohibited. The securities mentioned in this report may not be suitable for all types of investors. This report does not take into account the investment objectives, financial situation or specific needs of any particular client of Oppenheimer & Co. Inc. Recipients should consider this report as only a single factor in making an investment decision and should not rely solely on investment recommendations contained herein, if any, as a substitution for the exercise of independent judgment of the merits and risks of investments. The analyst writing the report is not a person or company with actual, implied or apparent authority to act on behalf of any issuer mentioned in the report. Before making an investment decision with respect to any security recommended in this report, the recipient should consider whether such recommendation is appropriate given the recipient's particular investment needs, objectives and financial circumstances. We recommend that investors independently evaluate particular investments and strategies, and encourage investors to seek the advice of a financial advisor. Oppenheimer & Co. Inc. will not treat non-client recipients as its clients solely by virtue of their receiving this report. Past performance is not a guarantee of future results, and no representation or warranty, express or implied, is made regarding future performance of any security mentioned in this report. The price of the securities mentioned in this report and the income they produce may fluctuate and/or be adversely affected by exchange rates, and investors may realize losses on investments in such securities, including the loss of investment principal. Oppenheimer & Co. Inc. accepts no liability for any loss arising from the use of information contained in this report, except to the extent that liability may arise under specific statutes or regulations applicable to Oppenheimer & Co. Inc. All information, opinions and statistical data contained in this report were obtained or derived from public sources believed to be reliable, but Oppenheimer & Co. Inc. does not represent that any such information, opinion or statistical data is accurate or complete (with the exception of information contained in the Important Disclosures section of this report provided by Oppenheimer & Co. Inc. or individual research analysts), and they should not be relied upon as such. All estimates, opinions and recommendations expressed herein constitute judgments as of the date of this report and are subject to change without notice. Nothing in this report constitutes legal, accounting or tax advice. Since the levels and bases of taxation can change, any reference in this report to the impact of taxation should not be construed as offering tax advice on the tax consequences of investments. As with any investment having potential tax implications, clients should consult with their own independent tax adviser. This report may provide addresses of, or contain hyperlinks to, Internet web sites. Oppenheimer & Co. Inc.
has not reviewed the linked Internet web site of any third party and takes no responsibility for the contents thereof. Each such address or hyperlink is provided solely for the recipient's convenience and information, and the content of linked third party web sites is not in any way incorporated into this document. Recipients who choose to access such third-party web sites or follow such hyperlinks do so at their own risk.

This research is distributed in the UK and elsewhere throughout Europe, as third party research by Oppenheimer Europe Ltd, which is authorized and regulated by the Financial Conduct Authority (FCA). This research is for information purposes only and is not to be construed as a solicitation or an offer to purchase or sell investments or related financial instruments. This research is for distribution only to persons who are eligible counterparties or professional clients. It is not intended to be distributed or passed on, directly or indirectly, to any other class of persons. In particular, this material is not for distribution to, and should not be relied upon by, retail clients, as defined under the rules of the FCA. Neither the FCA's protection rules nor compensation scheme may be applied. https://opco2.bluematrix.com/sellside/MAR.action

Distribution in Hong Kong: This report is prepared for professional investors and is being distributed in Hong Kong by Oppenheimer Investments Asia Limited (OIAL) to persons whose business involves the acquisition, disposal or holding of securities, whether as principal or agent. OIAL, an affiliate of Oppenheimer & Co. Inc., is regulated by the Securities and Futures Commission for the conduct of dealing in securities, advising on securities, and advising on Corporate Finance. For professional investors in Hong Kong, please [email protected] for all matters and queries relating to this report.

This report or any portion hereof may not be reprinted, sold, or redistributed without the written consent of Oppenheimer & Co. Inc. Copyright© Oppenheimer & Co. Inc. 2017.
