EQUITY RESEARCH
INDUSTRY UPDATE
Oppenheimer & Co Inc. 85 Broad Street, New York, NY 10004 Tel: 800-221-5588 Fax: 212-667-8229
Shaul [email protected]
Tanner [email protected]
Disseminated: January 19, 2017 06:00 EST; Produced: January 18, 2017 17:18 EST
For analyst certification and important disclosures, see the Disclosure Appendix.
January 19, 2017
TECHNOLOGY/INFRASTRUCTURE SOFTWARE
Enterprise Endpoint Security
Ending a Three-Decade Tradition
SUMMARY
The number of users on the Internet has increased more than a thousand-fold since 1990, but security technology on the endpoint has hardly ventured away from traditional antivirus programs. Catching and mitigating known malware may have been effective when endpoints were less ubiquitous and cyber-attacks were relatively elementary; however, signature-based methods are gradually becoming less relevant in a quickly changing threat environment. The emergence of "next-generation endpoint" technology such as artificial intelligence (AI) is gaining mindshare from both organizations and assurance programs, potentially leading to a transition away from conventional antivirus software. As malware authors continue to develop more disruptive threats and plan attacks using lucrative extortion strategies, we believe the risks in purchasing less-effective solutions will soon outweigh the safety in a dynamic endpoint platform. We believe security budgets, driven by high-cost attacks, the constant movement of data, and compliance changes, will be eyeing next-generation endpoint vendors.
KEY POINTS
■ The threat environment is more disruptive, costly, and complex, and antivirus is losing the fight. Over the past three decades, threat actors have evolved from practical jokers to activists to full-time profit-driven criminals, and the attacks reflect more drive and willingness to take risks. Cyber criminals are resorting to more targeted attacks to increase success rates (spear-phishing campaigns increased 55% in 2015), using more extortion techniques (ransomware attacks increased 35% in 2015), and actors are winning the war (incidents increased 38% in 2015). The cost paid per record stolen increased from $145 in 2014 to $154 in 2015, or up 6%. According to Dell, 95% of successful attacks begin at the endpoint because it is easier to trick an employee than exploit an organization's network. Traditional endpoint security solutions are becoming easier to circumvent using threat reconstruction kits and complex malware, such as memory-based attacks. Per Symantec, antivirus catches only 45% of cyber-attacks. We believe organizations will need to adopt more advanced endpoint technologies outside the conventional signature-based antivirus, such as machine learning/AI and memory protection, to prevent these increasingly complex attacks.
■ The European Union General Data Protection Regulation (EU GDPR) could drive growth in data security and advanced endpoint products. EU GDPR is a directive to significantly strengthen data protection laws for people in the EU. We believe the new regulation will expand security budgets and focus investments in data security and advanced endpoint products. We estimate the initiative will increase endpoint security by $300 million over the next few years.
■ Product integration is an important feature as organizations consolidate vendors. The endpoint security market is a fragmented market; however, we see the integration between compliance-required components as a major selling point for organizations, particularly those understaffed with security personnel. We expect incumbents to benefit most from the endpoint transition.
■ Bottom Line: We believe the antivirus is becoming less relevant. We expect security budget investments to focus on heightening data security and next-generation endpoint products, particularly those incorporating AI. We estimate the enterprise endpoint protection platform TAM to increase to ~$4.7B by 2020 with a five-year CAGR of 5.2%.
Contents
ENDING A THREE-DECADE TRADITION
    THROUGH THE MIND OF THE THREAT ACTOR 101
SECURING THE ENDPOINT
    THE PAST
    THE PRESENT
    THE FUTURE
PUBLIC COMPANIES
    CHKP
    CYBR
    FEYE
    FTNT
    PANW
    SYMC
    VRNT
    ADDITIONAL NOT COVERED COMPANIES
PRIVATE COMPANIES
    AVAST
    BROMIUM
    CARBON BLACK
    CROWD STRIKE
    CYBEREASON
    CYLANCE
    DEEP INSTINCT
    DIGITAL GUARDIAN
    LIGHTCYBER
    SENTINELONE
    TANIUM
Report / Statistic
2016 Ponemon Institute Cost of a Data Breach Study
    The average cost paid for each stolen record with sensitive information increased from $145 in 2014 to $154 in 2015, or up 6%.
2016 Symantec Internet Security Threat Report
    The number of zero-day vulnerabilities in major applications rose 125%.
    The number of spear-phishing campaigns increased 55% in 2015.
    The number of ransomware attacks increased 35% in 2015.
2016 PWC Global State of Information Security Report
    Approximately 38% more security incidents occurred in 2015 than in 2014.
    The number of incidents associated with employees or business partners increased 22% YoY.
ITRC Data Breach Report - 2015 Year-End Totals
    The number of publicly announced U.S. data breaches from hacking incidents reached 227 in 2014, and 295 in 2015, or up 30%.
Ending a Three-Decade Tradition
The architecture of network infrastructures and endpoints has changed significantly over
the course of the past couple of decades. Relative to the technology today, an
infrastructure before the use of cloud services and virtualization was easier to manage
and maintain. The threat environment used similar themes but simpler methods with less
motivation. Endpoints primarily consisted of in-office desktops and on-premise servers
before the adoption of the cloud and desktop virtualization, which allowed users to access
the network from other vulnerable computers outside the network. As technology
progressed with a focus on productivity, the network map expanded and the web of
connected devices became complex. Moving into a more abstracted network technology,
we believe security solutions are approaching cyber threats with a number of new
methods that have yet to be adopted, though only a few will disrupt legacy solutions given
the constraints of IT budgets, compliance standards, and the future of the threat
environment. Today, robust infrastructure technology continues to progress in its adoption
while introducing an expanded attack surface that is more vulnerable to the proliferation of
modern-day cyber-attack techniques. Many organizations are either using legacy
technology or are not taking appropriate precautionary measures in securing their
network, and as a result, breach statistics rise with each passing year.
Exhibit 1: Record Breaches Point to a Need for Stronger Data Security
Source: Ponemon Institute, Symantec, PWC, ITRC, Oppenheimer & Co.
The heightened number of data breaches can be attributed to the following: 1)
Administrators are too comfortable with outdated security technology; 2) Existing effective
solutions may not fit within budget; 3) Implementing the new feature could require a time-
consuming redesign or reconfiguration of a network that could ultimately expose the
organization to another vector of risks. Implementing a very highly effective (near 100%)
security stack requires resources and funds that are often highly restrictive in IT
departments. According to CyberEdge Group, 76% of organizations were breached in
2015. Experiencing a cyber-attack is not an anomaly; it is practically status quo. Before
the growth of cloud-based security services, enterprises invested in security appliances for
certain security features that could have been outdated in a few years, ultimately
preventing an organization from adopting up-to-date infrastructure technology. We believe
a pulse of spending in network appliances experienced last in 1H15 is now driving
investments in point solutions, such as endpoint and email, hence trends in the shift
toward subscription products. We visualized this shift by analyzing the growth in
subscription services and comparing it to the growth in appliance/product offerings
(Subscription Services, July 21, 2016).
Endpoint security technology has been trailing the progress of the threat environment, as
well as some other security technology, because focus on security has prioritized
compliance requirements and investment in protecting the data center’s core. According to
Dell, 95% of successful attacks begin at the endpoint. With the development of AI features
in technology, we are beginning to see a transition from traditional AV products to
advanced algorithmic-based endpoint threat protection methods. We believe the AI trend
is progressing in its adoption phase considering the recent acceptance by assurance
programs and the innovation movement by some incumbents. We find that many factors,
such as the lack of information security talent and the requirements by compliance
programs, are driving the need for certain functionality, for instance, the integration
between security products and automated responses. Although it usually exists in the form
of a partnership across endpoint point solution vendors, communication between a
network’s NGFW/UTM and endpoint platform would be an ideal immediate reaction in
terms of preventing attackers from entering the network from a different entry point.
Signature-based antivirus (AV) solutions are still a requirement for compliance programs
despite proven ineffectiveness (Symantec estimates AV prevents 45% of malware), but
AV “replacements” are beginning to be accepted. Given the flexibility of the cloud, we
believe an as-a-service endpoint security solution is the most plausible opportunity for
security vendors in the arena and one of the best (and easiest) approaches for
organizations to incorporate endpoint security in their portfolio. We envision solutions that
fit within compliance requirements, yet also proactively prevent threat actors from
causing disruption, rather than reactively detecting malware in its tracks. We believe drivers and
recent market developments indicate the need to augment endpoint security in the coming
years, and the next-generation endpoint will need to replace legacy signature-based
solutions across all verticals to prevent the next generation of attacks.
Through the Mind of the Threat Actor 101
Understanding security from the perspective of the threat actor helps explain what will
drive security spending in the future. Some of the resources most used by attackers today
were not developed or created until the past decade–and this had a profound impact on
the modern-day threat environment. Today, attackers often utilize the darknet, or the
“Deep Web,” which is a hidden world of the Internet inaccessible from the common
Internet browser. Users can easily access the darknet and remain completely anonymous
because its network traffic runs through untraceable arbitrary routes, creating a platform
ideal for illegal activity. When the darknet first began to take shape in the early 2000s, it
opened up opportunities for threat actors to share malware and potential attack strategies.
However, threat actors saw the real value of the Deep Web when the decentralized
cryptocurrency, Bitcoin, was pioneered in 2008. The digital currency’s blockchain
technology uses a cryptographic ledger to secure its transactions, leaving the involved
parties completely anonymous, which opens up a new opportunity to hide payments in the
virtual world. The introduction to the darknet and cryptocurrencies began the revolution of
modern-day threat-actor occupations.
We analyzed breach data categorized into four different breeds divided by their intent:
hacktivism, cybercrime, cyber espionage, and cyber warfare. Each breed has essentially
been in existence as long as the others, but the interests have shifted. Hacktivism
accounted for the majority of high-profile cyber-attacks before 2012, such as the attacks
from Anonymous and Lulzsec; however, cybercrime (which can be defined as profit-driven
cyber-mercenaries) eventually spiked to over 80% of today’s cyber-attacks. We believe
this spike was driven primarily by the widespread adoption of Bitcoin. Around this time,
threat-actor occupations began to take shape as hackers experimented with ways to profit
from their skills. Today, extortion techniques (such as ransomware and DDoS attacks) are
most popular among cybercriminals and can be used to extract payment in the form of
Bitcoin from the user/organization. Because tracing IPs is near impossible in the darknet,
threat actors can also profit by selling data or exploits in the black market, or performing
as-a-service cyberattacks in return for Bitcoin or other cryptocurrencies such as Monero.
Exhibit 2: XBT/USD and the Motivations Behind Cyber-attacks
[Chart, 2012-2016: USD per Bitcoin plotted against attack motivations: Cybercrime (as a % of All Attacks), Hacktivism, Cyber Espionage, Cyber Warfare]
Source: Hackmageddon.com, Coinbase.com, Oppenheimer & Co. research
Throughout the history of cyber-attacks, the attack objectives have shifted in priority (now
mostly profit-driven), and the techniques under each breed have changed tremendously.
Recall in the 1990s, the objective of cyber-attacks was more often vandalism and
advertisement-focused rather than the extortion-driven techniques we see today. In the
1990s, when a device was infected with malware (typically a virus or adware),
interaction with the operating system was often disfigured or slow (virus). Profit-driven
threat actors in the 1990s used adware to generate a plethora of popups, which
eventually evolved into keylogging or the use of users’ data to target advertising at
their interests (spyware).
After AV software started to advance in the early 2000s, attackers began focusing on
alternative strategies. DDoS attacks continued to develop (today there are over 40 different
types), and advanced persistent threat (APT) techniques led to an increase in data dumps.
Industrial control systems (ICS) were a major area for potential destruction by nation-
states. Cyber criminals continued to use spyware/adware methods for profit, as well as
scams and trade (e.g., selling botnets) for an early form of electronic money such as e-
gold.
When the darknet and cryptocurrencies began to join forces around 2010, black market
activity involving malware and black-hat-as-a-service offerings opened up a world of
opportunities for cyber criminals. Data dumps, DDoS attack services, zero-day exploits,
botnets, and spam email services became lucrative for threat actors, driving a rise in
cyber-criminal activity using hacktivism’s old techniques. Today, cyber criminals have
masterminded extortion methods, such as ransomware and DDoS while hiding behind the
curtain of cryptocurrency’s anonymous platform. New derivatives of cyber-extortion
continue to evolve, such as ransomware on personal devices (including the iOS platform).
Derivatives of this extortion technique are rapidly evolving, such as pyramid-scheme
ransomware. The threat environment is also seeing more usage of IoT devices as nodes
in a botnet to launch large-scale DDoS attacks. Threats have also become more complex
and have developed new breeds. For example, memory-based attacks, such as reflective
memory injection (RMI), are advanced methods to trick computers and AV programs with
buffer overflow methods (on a RAM level), allowing the program to download more
malicious malware from the Internet. Memory-based attacks are a serious threat to
organizations (potentially in the form of ransomware) because these methods can often
bypass traditional AV programs.
We believe we will continue to see the trend of extortion occur in both enterprises and
consumers by primarily entering the network via the most vulnerable points of the network,
which are the endpoint users. The advancement of productive technology may continue to
expand the attack surfaces in organizations. For example, the use of the cloud could be a
potential vulnerability from a data security perspective, given rogue employees/business
partners can steal information more easily (as seen in PwC’s statistic mentioning the
increase of “inside job” incidents). The use and early adoption of newer infrastructure
technology (such as containerization) could expose zero-day exploit opportunities. BYOD
(bring your own device) policies and IoT are expanding, meaning careless use of personal
devices could be a threat to an organization, thus requiring stricter uses of mobile device
management. In addition, mobile device malware is increasing, causing mobile devices to
present more opportunities to gain access to an organization’s network. As wireless LAN
advances (802.11ac wave 2) and becomes more widely adopted on the enterprise front,
attackers could either intercept unencrypted traffic or exploit IoT connections. All in all, we
believe the endpoint and its users remain the Achilles’ heel of an organization’s network.
Securing the Endpoint
The Past
Throughout the history of endpoint security, remediation strategies did not advance
significantly from their creation in 1987 up until the late 2000s. When malware began
infecting computers in the 1980s, organizations needed a solution that could erase the
virus without completely rebuilding the computer’s operating software. John McAfee
developed the antivirus (AV) in 1987 that automated the “cure” for the infected computer
and detected any malware based on a database of packet signatures. A packet signature
is a “stamp” created by the security companies that is used as a reference in determining
whether a packet contains malicious code. Security companies can generate a signature
based on certain criteria (e.g., number of bytes) or a cryptographic hash of the packet.
This signature is compared to a database of other malicious signatures and
removed/prevented from opening on the endpoint if the signature is flagged to be
malware. Because AV software proved its validity, it became a “must have” for
organizations to reactively detect malware in endpoints to an extent that the AV market
had near 100% penetration by the early 2000s. According to Gartner in 2006, the TAM for
AV (which included antispyware, and both consumer and enterprise) was approximately
$4.0B in 2005. By comparison, in 2015 organizations and consumers used AV incorporated in
endpoint protection platforms ($3.6B) and consumer security software ($5.2B).
Exhibit 3: Timeline of Threats and Security Solutions
Source: Ponemon Institute, Symantec, PWC, ITRC, Oppenheimer & Co.
The case for AV programs is how effective they are at preventing known malware,
which makes up a large portion of attacks. For this reason, many compliance programs
require AV in their standards. However, malware authors continued to be creative in
developing malware that would bypass any protection layer. Hackers could use
construction kits that would auto-generate malware using old techniques but tweaked in a
way that would change the signature of the virus. While a majority of attacks were
prevented, unique malware undetected by AV programs could still find its way onto an
endpoint or into a network. In the early 2000s, antispyware software was created to
prevent keylogging, adware, and system monitoring. A few years after the adoption of
antispyware programs, security companies started bundling antispyware, AV, intrusion
prevention systems (IPS), network access control, and personal firewalls in their endpoint
security platforms. We believe this is when the AV market started to mature and the
product became a commodity. When packaged together (which is the endpoint security
“platform”), there were still some major flaws in the solution itself. For example, the
software usually received new signatures in weekly updates; however, if an end user’s
software had not been updated since the newest virus began spreading, the endpoint could
still be infected.
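The two gaps described above (a kit-tweaked sample no longer matches its old signature, and an endpoint with a stale database lacks a signature it has not yet downloaded), as an added example that is not part of the original report. The byte strings, signature names and dates are constructed, and the two signature types (exact SHA-256 and byte pattern) are a simplification of what commercial AV engines do.

```python
import hashlib
from dataclasses import dataclass
from datetime import date
from typing import List, Optional


@dataclass(frozen=True)
class Signature:
    """One database entry: an exact-file hash, a byte pattern, or both."""
    name: str
    released: date                   # day the vendor shipped this entry
    sha256: Optional[str] = None     # matches one exact file only
    pattern: Optional[bytes] = None  # matches any file containing these bytes

    def matches(self, data: bytes) -> bool:
        if self.sha256 and hashlib.sha256(data).hexdigest() == self.sha256:
            return True
        return bool(self.pattern) and self.pattern in data


def scan(data: bytes, database: List[Signature], db_updated: date) -> List[str]:
    """Names of signatures that fire, limited to entries the endpoint
    had already downloaded at its last update (db_updated)."""
    return [s.name for s in database
            if s.released <= db_updated and s.matches(data)]


# Constructed, harmless byte strings standing in for files.
MARKER = b"PAYLOAD-MARKER-7f3a"
ORIGINAL = b"constructed-sample::" + MARKER + b"::pad=0000"
# Same content with different padding, as a construction kit would emit.
VARIANT = ORIGINAL.replace(b"pad=0000", b"pad=0001")
# A variant whose distinctive bytes also differ (here simply reversed).
REENCODED = ORIGINAL.replace(MARKER, MARKER[::-1])
BENIGN = b"constructed benign document"

# Constructed database: the hash entry ships first, the broader
# byte-pattern entry ships one weekly update later.
DATABASE = [
    Signature("Constructed.A!sha256", date(2017, 1, 9),
              sha256=hashlib.sha256(ORIGINAL).hexdigest()),
    Signature("Constructed.A!bytes", date(2017, 1, 16), pattern=MARKER),
]


def coverage(db_updated: date) -> dict:
    """Scan every sample against the database as of db_updated."""
    samples = {"original": ORIGINAL, "variant": VARIANT,
               "reencoded": REENCODED, "benign": BENIGN}
    return {label: scan(data, DATABASE, db_updated)
            for label, data in samples.items()}


if __name__ == "__main__":
    for day in (date(2017, 1, 10), date(2017, 1, 18)):
        print("database as of", day)
        for label, hits in coverage(day).items():
            print(f"  {label:10s} -> {hits or 'no detection'}")
```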
The back half of the 2000s had a considerable number of disruptive technologies that
began the expansion of the network map. Amazon Web Services (AWS) began offering
EC2 instances in 2006, or the first compute-as-a-service product to disrupt the
infrastructure hardware and virtualization environment. Apple pioneered the first iPhone in
2007, which revolutionized the mobile platform. In 2007-2008, VMware and Citrix began
marketing virtual desktop infrastructures (VDI) enabling work-from-home policies. Security
vendors began launching additional features around 2008, when antivirus vendors began
offering endpoint platforms that included behavior-based analysis, host intrusion
prevention systems (HIPS), genetic heuristics, data loss prevention (DLP), application
control, and sandboxing techniques that prevent and protect endpoints from more
advanced zero-day threats. However, the progress of security technology was still lagging
behind the growing concern of the threat environment.
We believe Gartner’s 2010 Magic Quadrant for Endpoint Protection Platforms article
highlights this period accurately: “As far back as 2004, we have been saying that
enterprise anti-malware vendors are falling behind in dealing with the current security
threats. This year, they have fallen even further behind. Test after test has illustrated that
current solutions are less than 50% effective at detecting new variations of existing threats
and much worse at detecting targeted or low-volume threats, although testing
methodologies have also not kept pace with changing Enterprise Protection Platform
(EPP) suite capabilities.”
Exhibit 4: Number of Reported High-Profile Breaches from Hacking or Malware in the US
Source: Privacy Rights, Oppenheimer & Co.
From 2007 until 2012, enterprise endpoint solutions grew at a CAGR of 2.8% compared to
a high single-digit CAGR in information security. We believe endpoint security growth was
impacted by the weak state of the economy, as well as commoditization of products
leading to competition in pricing. Recall that around this time, threats were transitioning toward
an APT theme that was more popular among hacktivists and some cyber criminals; however, the
security stack of endpoint security remained mostly unchanged. We believe the primary
focus for organizations in security spending was in network security (i.e., the introduction
to next-generation firewalls) and more advanced threat detection solutions because
proactively preventative solutions were just beginning to develop. Some endpoint vendors
began using existing advanced methods of security to prevent zero-day exploits (such as
sandboxing techniques) and were effective in preventing many unknown attacks, but
threat actors could figure out ways to work around the detour. For example, sandboxing
executes files and analyzes the behavior of the environment before reaching the endpoint;
however, malware authors began incorporating delay functionality in the exploits to
bypass sandboxes. Today, many sandbox products have advanced to execute even
delayed exploits in files and avoid other vulnerabilities from traditional sandbox methods.
We believe sandboxing methods fit comfortably with some security portfolios, though the
method could impact throughput and speed.
After security vendors started bundling endpoint security solutions into a “platform,” the
endpoint security stack remained undisrupted until the introduction of next-generation
endpoint solutions in the early 2010s with technologies from vendors such as Cylance
(founded in 2012) and SentinelOne (founded in 2013). The techniques behind the next
generation of endpoint can differ from vendor to vendor but usually consist of some
advanced machine learning method, such as behavior-based detection and/or a
mathematical approach to antivirus. Machine learning products can be effective in
preventing unknown malware, but the methods are still in process of being adopted.
Except for some of the incumbent vendors that have recently implemented machine
learning technology in their endpoint solutions (e.g., Palo Alto Networks and Symantec),
machine learning endpoint security offerings are just beginning to be fully
integrated/bundled with the necessary solutions of endpoints such as DLP and encryption.
There are a number of factors affecting the adoption of these solutions, such as
compliance requirements and integration with the endpoint platform, though we have seen
progress in its development within the past year. We believe this progress will mark the
beginning of machine learning or artificial intelligence in endpoint security products during
the expansion phase of its adoption.
Since 1987, or for almost 30 years, enterprises have been using signature-based AV to
prevent malware from infecting endpoints and spreading into the network. According to
Symantec in 2014, traditional signature-based AV software catches only 45% of malware
attacks. Given the combination of the scare from high-profile breaches, the changing
compliance environment, and convoluted infrastructures, we believe traditional
AV products will be replaced by next-generation endpoint security products in the next few
years. Over time, the cost of a breach will exceed the cost of upgrading the organization’s
endpoint security platform. Because of 2016’s point solution spending trends (as-a-
service, identity, etc.), we feel next-generation endpoint technology is adoption-ready.
The Present
Organizations can approach the next generation of endpoint security using a number of
techniques and stack on many complementary solutions. Despite the different methods,
the reality of the end goal for endpoint security is to prevent all malware, and when that is
unsuccessful, detect it as quickly as possible before any malicious activity occurs. Below
we analyze the typical solutions in the endpoint security stack:
Antivirus – AV software typically uses packet signatures as a fingerprint to look
up in a database of malicious signatures. AV software is a nearly 30-year-old
technology that is still used today due to requirements by many compliance
standards. While antivirus has been effective in preventing known malware, it is
not reliable on its own. Symantec mentioned in 2014 that AV software can detect
only 45% of malware attacks. Traditionally, an AV program needed to update on
a weekly basis to bring its signature database up to date; however, today, most
AV programs are based in a cloud environment and can provide real-time
updates. This does not stop attackers from remaining undetected. We feel
confident that the rise of the next-generation technology will eventually replace
legacy signature-based methods.
Antispyware/Anti-adware – Spyware and adware were some of the first
methods for threat actors to profit from malware distribution. Antispyware uses
similar signature-based techniques as AV, which ultimately led to the bundling of
these security technologies. We feel these legacy solutions will join AV and
eventually be replaced by next-generation security technology.
Intrusion Prevention Systems – Host-based intrusion prevention systems
(HIPS) intercept activity occurring on a single host and prevent anything that
seems suspicious. Similar to a firewall, “suspicious” activity is based on
guidelines defined by the HIPS such as automatically forfeiting AV scans or the
installation of devices that run priority. While HIPS are very useful in preventing
the most obvious of attacks, many threats can be manipulated in a way to
bypass its simple structure. Also, HIPS can often yield false positives. Despite
some of HIPS’s setbacks, we continue to see this protection method remaining
important (either at a network level or an endpoint level), particularly in a virtual
environment. This solution may not be offered with the endpoint security vendor
but rather integrated in the operating system or virtualization software.
Data Loss Prevention – Data loss prevention (DLP) began to be offered in the
bundle of endpoint security solutions around 2008. We believe data security
will continue to be paramount in preventing the next generation of threats (such
as ransomware and other data-related extortion themes), and DLP on the
endpoint is well positioned to benefit in this trend by protecting sensitive data in
use (DiU). DiU DLP solutions prevent data from being sent externally or
internally (if compliance rules prohibit communication between Equity Research
and Investment Banking, for example). DLP is required for some compliance
standards such as PCI DSS and ISO 27001. IDC estimates the DLP market to
grow at a CAGR of 7.9% from 2015 through 2020 ($1.14 billion market in 2020);
however, endpoint DLP is estimated to grow at a CAGR of 15.9% ($434 million
in 2020). We continue to see this solution thriving with the changing compliance
environment.
Encryption – Also part of the data security family, encryption is a necessary
function of protecting data and hiding sensitive information from malicious
actors. Heightened supervision and regulatory demands are driving demand for
encryption and key management solutions, such as the recent increase in
oversight fines by FINRA and HIPAA and the stricter data standards from the
European Union General Data Protection Regulation (EU GDPR). Many next-
generation endpoint security offerings are not stacked with encryption and key
management solutions; however, we envision this solution to be a key ingredient
to a security portfolio also required by most compliance standards. We believe
encryption will be a hurdle for smaller security vendors, and one of the leading
drivers for consolidation of next-generation endpoint security startups. IDC
estimated the endpoint encryption and key management TAM to be
approximately $2.0 billion by 2020 with a 2015-2020 CAGR of 9.7%.
Exhibit 5: Stricter Compliance Standards and Oversight Are Driving Spending in Encryption
Source: IDC, Oppenheimer & Co.
Firewall – The “personal” firewall on endpoints has been a necessary
component to the overall platform; however, the product has been commoditized
and will likely not be the selling point for many endpoint vendors (it is assumed).
We believe we will continue to see personal firewalls as an essential part of the
endpoint security stack, but used most often with consumer endpoint security
solutions.
Port and Device Control – Often a staple of the typical endpoint security
platform, port and device control allows IT administrators to define rules on the
type of devices that can be used on endpoints. For example, this prevents a
rogue employee from using a USB flash drive to steal sensitive data. This
solution will obviously not fade anytime soon, but it will remain as an additive
feature to endpoint security platforms.
Vulnerability Assessment – Vulnerability assessment (VA) is offered in many
endpoint security stacks and is required by select compliance standards such as
PCI DSS. VA solutions scan an endpoint machine for any misconfiguration or
out-of-date application that could be vulnerable to a known threat, and often
integrate with a network access control platform to solve the problem. VA is a
mature market for desktops and laptops and becoming easier to manage from
the growing adoption of containerization; however, VA on mobile and IoT is
emerging and could play a major role in advanced endpoint protection solutions.
Application Control – With the number of Web 2.0 applications accessible by
careless employees, IT administrators need a product that can limit or restrict
access to applications that could be a risk to the organization. Application
control can often provide this control at a granular level. This can be
incorporated in secure web gateways alongside URL filtering, which we see
being more integrated (e.g., Symantec’s acquisition of Blue Coat). We continue
to see application control as an important part of the stack given the growing
trend of shadow IT, although offered on a cloud-based platform.
Mobile Security – On some endpoint platforms, mobile device management
(MDM) solutions allow IT administrators to control the configuration of mobile
devices and offer data protection capabilities such as file and disk encryption.
BYOD policies are augmenting the use of personal devices on an organization’s
network; however, the risk of careless or rogue employees could cause a data
leak or a costly ransomware situation. Some mobile device platforms are
considered to be very secure hosts, where malware is less likely to infect the
device than it is a PC. Using the example of iOS (which we estimate to be
approximately 20% of the global mobile platform installed base), we believe it
is a more secure platform for the following reasons: 1) All applications are
approved by Apple (AAPL), and very few applications with malware are
approved; if malware is found, an identity is linked to the creator; 2) Because
AAPL created every aspect of the phone, including the hardware and kernel,
AAPL can patch exploits very quickly (which is not the case for most Android
devices minus Pixel); 3) iOS applications are run using a sandbox; 4) The kernel
of the device is based on a security-focused form of UNIX called BSD. Mobile
security (on some devices) is already host-based, and these platforms have
historically been less prone to malware; therefore, MDM solutions are more
geared toward allowing administrators to configure mobile devices, ensuring
they meet the organization’s standards. On the other hand, threat actors are
increasingly finding exploits on mobile systems. According to Symantec, in 2015,
528 (+214% YoY) vulnerabilities were found on mobile platforms. Organizations
have focused their mobile security attention on establishing a password to
unlock the device and data encryption; however, we expect the focus to pivot
toward a more detect-and-response platform as device management becomes
commoditized. Many endpoint security vendors do not offer any form of mobile
security or integrate their mobile offering with the endpoint platform. We envision
MDM joining endpoint security platforms driven by the ongoing adoption of
BYOD policies and the value-added aspect of MDM to an endpoint pipeline.
Sandboxing – Sandboxing is the emulation of an endpoint environment in which
files (e.g., PDFs) can be opened and any abnormal activity resulting from their
execution detected. The software can then prevent the file from reaching the endpoint, or
extract the malware so that the file can still reach its destination. Sandboxing is a
way to keep unknown zero-day exploits out of enterprises after files have run
through the AV programs. However, the use of sandboxing does have some
problems such as the complexity of attacks working around the sandbox, as well
as the delay of the file reaching its end destination. Although processing power
may be limited by using sandboxing techniques, the cloud may be a viable
option. We believe sandboxing is an effective method in preventing the next
generation of attacks and will continue to gain share alongside the cloud market.
Memory Protection – Memory-targeted attacks such as a reflective memory
injection (RMI) can be complicated and hard to detect. These types of attacks
are commonly found in APTs and can easily be whitelisted by security software
because the code attacks the kernel memory as compared to the application
code where exploits are most commonly executed. Memory protection prevents
these complicated attacks from occurring by restricting certain processes from
accessing memory. We believe memory attacks will continue to play a role in
APTs as security technology prevents existing less-complicated attacks. Many
endpoint platforms do not have advanced memory protection, although the
operating system typically has incorporated basic memory protection
functionality. We believe the shift to virtualization and containerization is a
growing threat for memory-based attacks due to the agentless nature and
isolation of memory.
AI – Artificial intelligence is a robust holistic approach to endpoint security, and
solutions have already come to fruition. The concept of AI can often be vague,
with many different types (such as machine learning, deep learning, or machine
intelligence), but it is already being used by many endpoint security
vendors such as Cylance, SentinelOne, and Deep Instinct, as well as most
incumbents such as Cisco, Symantec, FireEye, and Palo Alto Networks. The
methods of use vary. For example, Cylance uses statistics to determine whether
a file contains a virus by comparing the DNA of a file to millions of other known
malware samples. SentinelOne uses a machine learning behavior-based
approach to detect sophisticated unknown attacks. Deep Instinct uses deep
learning that automatically extracts and breaks down millions of endpoint
datasets to predict attacks before they occur. We believe the algorithmic concept
of AI will likely be the future in preventing sophisticated zero-day attacks such as
ransomware as well as immediately responding to breaches that occur. Although
different types/techniques of AI can be embedded on a number of endpoint
platforms, we believe automated response will be the future of security. AI
endpoint solutions are quickly being adopted, as seen by the number of
compliance programs accepting them as a replacement for AV. We envision
algorithmic techniques gaining solid traction in the coming years as the offerings
begin to integrate with other endpoint and network security products.
The Future
Throughout the history of cyber-attacks, we have learned that malicious threats have
outpaced cybersecurity. The costs and damage from cyber-attacks continue to increase
every year. Malicious actors are disrupting the cyber-attack world faster than
organizations are using disruptive cybersecurity technologies. We believe security
adoption laggards with outdated technology and organizations with understaffed security
teams are more likely to be victims of an attack than organizations with a higher
spending budget and a fuller team. A quickly evolving threat landscape will continue to
drive security spending budgets up, and security vendors will need to consolidate or
continue to introduce disruptive technologies to remain players in the arena.
We feel advanced endpoint security is a sub-segment of cybersecurity that is in the tail
end of its expansion phase. If threats continue to evolve, we envision attacks (such as
memory-based attacks) circumventing traditional signature-based endpoint solutions and
damaging organizations that failed to adopt more advanced threat protection products.
Many of the incumbent vendors offer non-signature-based solutions such as the use of
sandboxing techniques, but as we mentioned in the previous section sandboxing has its
drawbacks, e.g., a delay trigger in malware causing it to remain undetected by sandboxing
programs. Advanced endpoint protection methods will garner wallet share in the next few
years given the adolescent phase of AI due to immaturity of compliance requirements,
though we are beginning to see a transition occur in its adoption. For example, incumbent
security vendors, such as Palo Alto Networks and Symantec, are deploying machine
learning in their endpoint threat protection products. These vendors are capable of offering
compliance-required solutions on top of machine learning capabilities, a step in the right
direction for the adoption of non-signature-based platforms.
Why AI? Compared to traditional AV products, AI offers real-time prevention and detection
mechanisms to prevent both known and unknown malware while simultaneously using
less bandwidth and memory on the endpoint. Generally, AI entails more compute power;
however, the development of more advanced cloud services has allowed endpoint
security offerings to relieve the endpoint from running the AI-based threat analysis.
Symantec claims to reduce bandwidth usage and definition file sizes by 70% over its
previous versions. Cylance’s AI endpoint security product (CylancePROTECT®) claims to
use “less than 1% of CPU” and requires no Internet connection or signature updates.
SentinelOne claims to add an average of only 0.4% of CPU usage per monitored process.
We believe the combination of real-time protection and optimized productivity is a
compelling formula, though we anticipate pricing to be relatively higher due to cloud
service expenses and vendors’ desire to maintain margins. Also, the cybersecurity talent
supply is very low and the gap has continued to widen, which drives our view that
automation will be paramount in tomorrow’s security products. The decision-making
capabilities of AI will continue to grow in demand as organizations struggle to fill
cybersecurity positions. Big data analysis is increasingly relying on AI for decision making
and automation driven by the ongoing expansion of databases and the competitive edge
of interpreting data at a significantly faster rate. Guidance Software, provider of endpoint
security and other big data solutions, uses machine learning and automation in its
offerings. For example, the company provides big data eDiscovery analysis to analyze
and automatically process relevant data in litigation. Similarly, we believe the edge in
combating threats could lie within the development of AI in security. Machine-learning
techniques could be the stepping stone in endpoint security development. Considering
current market dynamics of vendor consolidation in addition to the growing number of
compliance requirements on the endpoint, we envision security incumbents gaining
market share during the expansion phase of the adoption of AI in endpoint security.
The two major advantages in using an incumbent endpoint security vendor are 1) the
ability to integrate the products with other offerings from the vendor and 2) the option to
meet all compliance standards with one vendor. The endpoint arena is a very fragmented
market, but only a few of these vendors offer solutions that can attack all ends of endpoint
security. Integration with other solutions, such as mobile management and the secure web
gateway for URL filtering and application control, is valuable to organizations to centralize
security into a single platform, particularly when the supply of information security
professionals is low. According to a Gartner survey, 40% of organizations are using a
single vendor for endpoint platforms or plan on consolidating in the near future. Increasing
the security stack with more advanced solutions can simultaneously overwhelm IT with
more alerts or maintenance. Although many of the niche vendors are effective and
innovative in preventing threats, we envision the communication between products being
a leading selling point for organizations.
Exhibit 6: Endpoint Security Vendors
Source: Oppenheimer & Co.
Exhibit 7: Gartner’s 2016 Magic Quadrant for Endpoint Protection Platforms
Source: Gartner
Exhibit 8: Market share of leading endpoint security vendors in 2015. According to IDC, growth was impacted by the global economic climate, geopolitical instability, and the emergence of smaller vendors with signatureless solutions.
Vendor 2014 2015 2014 Share (%) 2015 Share (%) 2014–2015 Growth (%)
Symantec $815.8 $764.2 18.8% 18.2% (6.3%)
Intel $749.0 $717.1 17.3% 17.1% (4.3%)
Trend Micro $488.1 $488.9 11.2% 11.7% 0.2%
ESET $267.9 $252.3 6.2% 6.0% (5.8%)
Sophos $242.9 $249.9 5.6% 6.0% 2.9%
Kaspersky Lab $242.3 $221.8 5.6% 5.3% (8.5%)
IBM $208.0 $219.5 4.8% 5.2% 5.6%
F-Secure $109.9 $88.6 2.5% 2.1% (19.3%)
Bit9 $63.9 $84.4 1.5% 2.0% 32.1%
Microsoft $79.2 $79.0 1.8% 1.9% (0.3%)
Check Point $70.3 $73.7 1.6% 1.8% 4.9%
AVG Technologies $57.3 $62.6 1.3% 1.5% 9.2%
Lumension Security $65.9 $57.3 1.5% 1.4% (13.1%)
Panda Security $51.6 $49.2 1.2% 1.2% (4.6%)
Webroot $35.9 $37.5 0.8% 0.9% 4.2%
Other $792.2 $742.1 18.3% 17.7% (6.3%)
Total $4,340.2 $4,188.1 100.0% 100.0% (3.5%)
Source: IDC, Oppenheimer & Co.
Compliance remains a leading factor in an organization’s decision process in choosing
vendors. We have found that more advanced endpoint solutions, such as AI, are starting
to become more widely accepted by compliance programs. For example, SentinelOne
announced its certification for HIPAA and PCI DSS compliance for malware protection and
AV requirements on April 27th, 2016. Cylance announced its HIPAA compliance for
malware protection and AV requirements on December 1st, 2015. PANW announced its
Traps compliance with PCI DSS and HIPAA on October 4th, 2016. Requirements and
vendor lists by other compliance programs, such as FINRA, remain unclear but require
“up-to-date” AV on all workstations. Because violation of these compliance programs can
lead to heavy fines, having a traditional AV program to satisfy requirements is more of a
priority than risking infrastructures with new solutions such as machine-learning next-
generation AV. Meanwhile, we believe machine learning endpoint solutions are quickly
gaining mindshare. Machine learning endpoint security may be different from advanced
endpoint protection solutions (AEP) because AEP will use a version of AV while
incorporating some sort of zero-day threat prevention technique such as sandboxing. AI
techniques are still in the process of being fully adopted as an accepted replacement for
the 30-year-old technology of AV; meanwhile, we envision the AEP stack to continue its
success as a discounted endpoint platform. Industry-specific compliance programs are not
the only driver of security products. Regulations are becoming more strict and prudent in
different regions of the world.
The European Union General Data Protection Regulation (EU GDPR) is a change made
for data security in April 2016 by the European Commission to strengthen data protection
laws for people in the European Union. The rule is expected to come into force in May of
2018; however, we expect the regulation to drive security spending in 2017, particularly in
data security and endpoint. EU GDPR is a directive that requires disclosure of data breach
if either the organization or person is based in the EU. The required statements made by
organizations must include a description of the data breach, the number of data records
and categories affected, and a description of how the organization will address the breach.
In addition, if organizations fail to comply or are guilty of a less serious error, they will incur a
penalty of 10 million EUR or 2% of annual revenues, whichever is higher. If the error is
deemed serious, organizations could be fined up to 4% of global revenues. EU GDPR
also affects any organization that is storing data belonging to individuals located in the EU,
additionally impacting organizations located outside the EU. Without a doubt, we envision
this new regulation being a major driver for security spending in the European region. We
believe budgets will focus on advanced endpoint and data security products.
We analyzed the nature of security spending in the EU region and compared it to the US
where data breach disclosure requirements are in effect (in most states). We used
information from the European Commission to find the number of active organizations in
the EU with ten or more employees. We used the U.S. Census Bureau website to find the
same information regarding the number of active organizations with ten or more
employees in the US. We used the regions’ GDP to compare average output per
organization to avoid the assumption that the average organization size could be larger in
one region (though we assume output per endpoint is the same). Then, we used Gartner’s
information security spending and enterprise endpoint spending estimates for Europe and
the US. By estimating the average number of endpoints per organization (the EU data
would be adjusted by the US/EU output ratio), we were able to compare estimates of the
average endpoint security cost per seat. When using Gartner’s estimates, we found that
the YoY growth estimates for “Enterprise Endpoint Platforms” in the US were at a CAGR
of 2.4% from 2015 to 2020. Endpoint growth estimates for Europe were figured at a CAGR
of 0.3%, which is below GDP growth for that region. Using Gartner’s data, the cost per
seat estimates were mostly stable for the US and decreasing for the EU. Near-term
demand for more advanced endpoint security and heightened IT budgets will drive up the
cost per seat. Although we believe advanced endpoint solutions will likely decrease in
TCO, late majority adopters will still increase average cost as a whole. We estimate the
combined European and US enterprise endpoint platform market to grow at a CAGR of
5.3% from 2016 through 2020 (vs. Gartner’s 1.5%), driven by compliance initiatives and
the need for heightened data security. IDC estimates that the opportunity for security
software from the EU GDPR initiative will be $811 million in 2016, growing to $1.8 billion
by 2019.
Exhibit 9: Comparison of Security Spending in the US vs. EU
* Total Information Security estimates were not adjusted
Source: data.worldbank.org, ec.europa.eu, census.gov, Gartner, Oppenheimer & Co. estimates
In Millions (Except Averages)
US 2015 2016E 2017E 2018E 2019E 2020E
US Active Organizations with 10+ Employees 1.27 1.29 1.31 1.33 1.35 1.36
US GDP (In Trillions) 17.95 18.29 18.66 19.03 19.41 19.80
GDP Growth 1.9% 2.0% 2.0% 2.0% 2.0%
Output per Organization $14.1 $14.2 $14.2 $14.3 $14.4 $14.5
Gartner Estimates
Gartner US Organization Info Sec Spending $33,126 $36,536 $39,871 $43,324 $47,106 $51,145
YoY 10.3% 9.1% 8.7% 8.7% 8.6%
Average Dollars Spent on Info Sec Per Organization $26,084 $28,343 $30,384 $32,495 $34,913 $37,531
Gartner US Organization Endpoint Spending $1,231 $1,269 $1,303 $1,332 $1,362 $1,393
YoY 3.1% 2.7% 2.3% 2.3% 2.3%
Average Dollars Spent on Endpoint Per Organization $969 $984 $993 $999 $1,010 $1,022
Average Cost per Endpoint $14.91 $15.15 $15.28 $15.37 $15.53 $15.73
Average Number of Endpoints 65.0 65.0 65.0 65.0 65.0 65.0
Oppenheimer Estimates
Gartner US Organization Info Sec Spending* $33,126 $36,536 $39,871 $43,324 $47,106 $51,145
YoY 10.3% 9.1% 8.7% 8.7% 8.6%
Average Dollars Spent on Info Sec Per Organization $26,084 $28,343 $30,384 $32,495 $34,913 $37,531
Gartner US Organization Endpoint Spending $1,231 $1,310 $1,399 $1,469 $1,536 $1,613
YoY 6.4% 6.8% 5.0% 4.6% 5.0%
Average Dollars Spent on Endpoint Per Organization $969 $1,016 $1,066 $1,102 $1,138 $1,184
Average Cost per Endpoint $14.91 $15.63 $16.40 $16.95 $17.51 $18.21
Average Number of Endpoints 65.0 65.0 65.0 65.0 65.0 65.0
EU 2015 2016E 2017E 2018E 2019E 2020E
EU Active Organizations with 10+ Employees 1.68 1.70 1.71 1.73 1.75 1.77
EU GDP (In Trillions) 16.23 16.49 16.74 17.02 17.33 17.66
GDP Growth 1.6% 1.5% 1.7% 1.8% 1.9%
Output Per Organization $9.7 $9.7 $9.8 $9.8 $9.9 $10.0
US/EU Output Per Organization Ratio 1.5 1.5 1.5 1.5 1.5 1.5
Gartner Estimates
Gartner Europe Organization Info Sec Spending $24,389 $26,128 $27,613 $29,187 $30,896 $32,741
YoY 7.1% 5.7% 5.7% 5.9% 6.0%
Average Dollars Spent on Info Sec Per Organization $14,518 $15,398 $16,112 $16,863 $17,673 $18,543
Adjusted Using US/EU Ratio $21,240 $22,483 $23,456 $24,475 $25,651 $26,940
Gartner Europe Organization Endpoint Spending $1,042 $1,056 $1,062 $1,064 $1,066 $1,069
YoY 1.4% 0.5% 0.2% 0.2% 0.3%
Average Dollars Spent on Endpoint Per Organization $620 $622 $619 $615 $610 $605
Adjusted Using US/EU Ratio $907 $909 $902 $892 $885 $880
Average Cost per Endpoint $13.96 $13.98 $13.87 $13.72 $13.61 $13.53
Average Number of Endpoints 65.0 65.0 65.0 65.0 65.0 65.0
Oppenheimer Estimates
Europe Organization Info Sec Spending* $24,389 $26,128 $27,613 $29,187 $30,896 $32,741
YoY 7.1% 5.7% 5.7% 5.9% 6.0%
Average Dollars Spent on Info Sec Per Organization $14,518 $15,398 $16,112 $16,863 $17,673 $18,543
Adjusted Using US/EU Ratio $21,240 $22,483 $23,456 $24,475 $25,651 $26,940
Europe Organization Endpoint Spending $1,042 $1,120 $1,190 $1,250 $1,308 $1,375
YoY 7.5% 6.3% 5.0% 4.6% 5.1%
Average Dollars Spent on Endpoint Per Organization $620 $660 $694 $722 $748 $779
Adjusted Using US/EU Ratio $907 $964 $1,011 $1,048 $1,086 $1,131
Average Cost per Endpoint $13.96 $14.83 $15.55 $16.13 $16.71 $17.41
Average Number of Endpoints 65.0 65.0 65.0 65.0 65.0 65.0
Summary
US 2015 2016E 2017E 2018E 2019E 2020E
Average Cost per Endpoint Using Gartner Estimates $14.91 $15.15 $15.28 $15.37 $15.53 $15.73
Average Cost per Endpoint Using Oppenheimer Estimates $14.91 $15.63 $16.40 $16.95 $17.51 $18.21
EU 2015 2016E 2017E 2018E 2019E 2020E
Average Cost per Endpoint Using Gartner Estimates $13.96 $13.98 $13.87 $13.72 $13.61 $13.53
Average Cost per Endpoint Using Oppenheimer Estimates $13.96 $14.83 $15.55 $16.13 $16.71 $17.41
Exhibit 10: Gartner’s Enterprise Endpoint Protection Platform Spending Estimates
Source: Gartner, Oppenheimer & Co.
Endpoint security spending will also be driven by the transition of enterprises to cloud
software and infrastructure solutions. The movement of data calls for the need of
encryption and data loss prevention. On the infrastructure side, we envision cloud service
providers being the majority provider for encryption, but IT administrators will also utilize
third-party vendors to have a centralized platform for a hybrid infrastructure. DLP will also
be an important component to the overall security portfolio given the flexible use of data in
the cloud. For example, in SaaS applications, users will be able to access data often
wherever and whenever they need to. While this is a positive for productivity, it is risky for
organizations to trust employees with this flexibility, as seen by the increase in the number
of incidents involving employees and business partners. CASB is a form of data security
that prevents leaks from occurring in the cloud space, but we believe CASB will be most
beneficial to organizations that use it in communication with other endpoint solutions. For
example, DLP on the endpoint usually consists of the prevention of employees sending
sensitive information via messaging, email, etc. A product that combines endpoint DLP
with CASB’s DLP would provide an organization with a more holistic and centralized
approach to preventing data from leaking beyond the organization’s perimeter. The
encryption functionality of CASB could integrate well with file/disk encryption within the
endpoint, allowing IT administrators to effectively consolidate key management systems in
a single location and minimize attack surfaces. Considering the lack of information
security workforce and the growing complexity of IT infrastructures, we believe ease of
use and centralization/integration of solutions will be considerable factors in product win-
rates.
The future of endpoint security will be influenced by the following: 1) The growing
complexity of cyber-attacks and spike in extortion techniques; 2) An adoption of signature-
based AV replacements such as AI by compliance programs including HIPAA and PCI
DSS; 3) The EU GDPR movement driving focus on data security and more advanced
methods of zero-day mitigation; 4) The migration of workloads to the cloud, which
expands the attack surface and escalates the movement of data, calling for a more
lightweight anti-malware product, communication between security solutions, and the
need for effective data security solutions. Advanced endpoint solutions such as the use of
sandboxing techniques are entering the ninth inning of their adoption expansion phase,
but the rise of algorithmic methods is beginning. We have already seen a sustainable
innovative shift of implementing machine learning techniques into their endpoint solutions
by incumbent security vendors such as Cisco, FireEye, Palo Alto Networks, and
Symantec. An interesting transition across vendors is the trend of offering subscription-
based products/services in lieu of perpetual licenses. We believe this benefits both
parties: the vendor has a more predictable revenue model, and the organization is not
bottlenecked by its investment down the road. We estimate AI endpoint solutions to be a
subscription of around $50 (e.g., Cylance) per endpoint, which is nearly three times more
than traditional AV perpetual licenses priced around $15 (e.g., ESET). While the price
point is higher (we believe it could decrease to around $25 in the next few years), we still
expect the solutions to be adopted given the growing cost of breaches and the benefit on
the reduced CPU of running the solutions (particularly in virtualized environments). We
expect next-generation endpoint solutions to migrate their pricing model toward a volume
metric rather than the traditional per-seat metric, given the high deviations of
endpoint compute and their renewed SaaS approach. We believe enterprises will continue
to use a stacked security approach (e.g., AV plus sandboxing), though artificial
intelligence endpoint products could remain a significant driver for the sub-segment going
through 2020 when considering the SaaS (recurring) revenue model. Gartner estimates
the Enterprise Endpoint Protection Platform market to increase at a CAGR of around 2.7%
from 2015 to 2020; however, we estimate the CAGR to be approximately 5.2%. Gartner’s
calculation would suggest that slightly less than half of the endpoints would use advanced
endpoint products, which included a price decrease toward $25 per endpoint by 2020.
Excluding any adjustments to APAC estimates, we estimate the enterprise endpoint
protection platform total addressable market to increase to ~$4.7B by 2020.
Public Companies
We overview the following companies we cover that could be participants in the next-generation endpoint security market:
CHKP
CHKP entered the endpoint market in 2004 following the acquisition of
ZoneAlarm, and now offers endpoint as a software blade. The endpoint platform
under the antivirus software blade does not incorporate artificial intelligence. It
uses an algorithm-based analysis when its sensor triggers are activated, as well
as an anomaly-based detection technique under its ThreatCloud intelligence. For
detection of zero-day unknown signatures, it uses a sandboxing technique (threat
emulation). CHKP’s endpoint platform’s strong point is its presentation of critical
information for data analysis in a breach investigation or any endpoint
vulnerability issues. Because the company is a network security vendor, it can
synchronize its network security policies with those of its endpoints (such as URL
filtering capabilities). Another feature is CHKP’s ability to protect the mobile
environment (after its acquisition of Lacoon Mobile Security in April of 2015),
which we envision being an attention-grabber in the coming years as attacks in
the mobile field grow in number. We believe CHKP’s portfolio for endpoint
security is stacked with solid solutions but with room to grow its technology. The
company has recently mentioned a leading R&D priority (behind SandBlast) is
mobile security. CHKP is cash-heavy (~$3.7 billion in cash and equivalents), and
we believe the company has an easy opportunity to advance its solutions when it
sees fit.
CYBR
CYBR acquired Viewfinity in October of 2015, which put the company on the map
as an endpoint security provider, though complementary to other endpoint
solutions. Since the acquisition, the company unveiled CyberArk Endpoint
Privilege Manager (November 2016), a privilege management and threat
detection hybrid solution that can integrate with other security vendors such as
Check Point, FireEye, and Palo Alto Networks. The primary objective for CYBR’s
endpoint offering is to maintain productivity while simultaneously securing
privilege accounts. Offered through the cloud, the Endpoint Privilege Manager
provides application control, automated policy creation, and behavioral analysis
on endpoints to detect and block attempts to steal critical credentials. Following
the acquisition of Viewfinity, we view CYBR’s position in the endpoint arena as
unique. We believe the company has plenty of opportunity to garner mindshare
and further penetrate the endpoint privilege management market.
FEYE
Following the announcement (November) of its new platform, FireEye Helix, we
believe FEYE’s endpoint solution has a lot of potential in gaining market share.
Endpoint is the second largest area of focus for R&D (behind its MVX
architecture) and made some developments in 2016. While FEYE does not
market its endpoint product as machine learning or artificial intelligence (more so
“machine intelligence”), it uses similar techniques in preventing and detecting
known and unknown malware. Exploit Guard is a new feature (March 2016)
offered to existing customers for no extra cost that applies behavioral analysis
and machine intelligence to its HX (Endpoint) product. In the Helix
announcement in November, it was mentioned that over five million endpoints
under FireEye HX protection have turned on the feature. We believe FEYE’s
platform approach better integrates its network and endpoint solutions given the
ability to automate responses to compromised endpoints. In our view, FEYE’s
endpoint solution combined with its integration with the NX product, intelligence from
iSight, automation from Invotas, and lowered TCO will position the company
positively in gaining market share within the endpoint market.
FTNT
Fortinet’s FortiClient product is a next-generation endpoint solution that
automates protection and detection using sandbox techniques (integrates with
FortiSandbox). The product fully integrates with its network security product
(FortiGate), security management (FortiManager), and event correlation and
response (FortiAnalyzer) to dynamically communicate and manage threats in the
entire network. FortiClient does not use artificial intelligence in its architecture,
but rather relies only on sandboxing techniques. We believe FTNT’s advantage is the ability to
communicate with the security fabric.
PANW
With new machine learning capabilities and compliance acceptance by PCI DSS
and HIPAA, we believe PANW can grow its endpoint platform (Traps)
significantly (currently has 600 Traps customers), particularly across its existing
installed base (~35,500 customers). PANW is one of a few vendors that can
integrate its machine learning endpoint platform with its network perimeter,
allowing admins to block and quarantine rogue endpoints and the corresponding
malware from entering the network simultaneously. PANW acquired Cyvera
($200 million) in 2014, which used sandbox and other advanced features for
zero-day threat prevention. In August of 2016, PANW announced the
use of machine learning capabilities for static analysis of files, placing PANW in
the market beyond the traditional endpoint stack.
SYMC
We believe SYMC’s acquisition of Blue Coat and its recent moves could
slingshot the company back to growing market share in the enterprise endpoint
security market. SYMC can benefit from its vast installed base (including Blue
Coat’s) to cross-sell its recently announced (Sept. 13th, 2016) cloud-based
machine learning endpoint protection product (Symantec Endpoint Protection
Cloud), as well as the ability for this market share leader to integrate the full
endpoint stack (including solutions required by compliance standards) into one
solution. With the acquisition of Blue Coat, SYMC can integrate its market-
leading cloud-based secure web gateway solutions with the endpoint platform.
We believe SYMC can benefit from the migration of organizations to the cloud
given its CASB position (with the acquisition of Blue Coat) and its offerings for
cloud environments.
VRNT
VRNT leverages its expertise in big data and high-speed networks to detect and
resolve cyber-attacks on a network level as well as on the endpoint. Using a set
of integrated detection and forensics sensors, the company can provide
administrators with automated investigations and orchestrated responses to
analyze and protect an organization’s network. As attacks grow in number and
complexity, big data analytics for security could grow in relevance. We view the
company’s automation capabilities as a key component for security portfolios on
all points of an organization’s network.
Additional Not Covered Companies
Trend Micro offers an endpoint security platform through the cloud for all
infrastructure/endpoint environments. The company’s technology incorporates
machine learning and other threat protection techniques (such as behavioral
analysis) to protect against unknown malware. According to IDC, Trend Micro
has an 11.7% market share in the enterprise endpoint security market.
Guidance Software provides endpoint security as well as other big data solutions.
Its EnCase Endpoint Security product can detect unknown risks and threats by
using anomaly and behavioral-based analysis. It provides automated responses
to threats after further malware analysis, and returns the endpoint to a trusted
state. According to Gartner (January 2017), Guidance Software holds the largest
market share (25%) of the Endpoint Detection and Response market by number
of licensed endpoints.
Private Companies
The endpoint security arena is filled with a number of private players that constantly
challenge the technology of market share leaders. Some private companies have
approached endpoint defense using different detect/response tactics and AI techniques
that we feel have influenced the next generation of endpoint security. We believe the
development and innovation from these companies will be key drivers in tackling new
sophisticated attacks and will continue to be pertinent in a constantly changing threat
environment. Below, we highlight endpoint security vendors that could play a role in the
next generation of endpoint defense, particularly in a rapidly consolidating industry.
AVAST
Company Description
AVAST is a leading security software provider for computers, phones, and tablets offering
endpoint protection to consumers and businesses via the cloud. AVAST acquired leading
consumer endpoint protection vendor AVG in September of 2016, making the aggregate
number of users in its network approximately 400 million. The company was founded in
1988 by Pavel Baudiš and Eduard Kučera and is headquartered in Prague, Czech
Republic. Major competitors include vendors in the consumer and enterprise endpoint
security arena such as Symantec, ESET, Kaspersky, and Webroot.
Products for the Next Generation of Endpoint
AVAST, alongside AVG, has one of the largest endpoint networks in the security industry.
Paired with its cloud delivery strategy, the company has the ability to provide next-
generation techniques such as machine learning to its intelligent antivirus packaged in
other compliance-required endpoint security software. The company also provides
efficient sandboxing techniques through the cloud that are less likely to impact performance
and speed. In the high-end AVAST endpoint security product (“Premier”), the stack
includes intelligent antivirus, home network security, real-time threat detection, firewall,
sandbox, password manager, anti-spam, and DNS security.
Senior Management
Vincent Steckler – CEO
Rene-H. Bienz – CFO
Pavel Baudiš – Founder and Director
Eduard Kučera – Founder and Director
Recent Series of Investments
Private Equity – $100 million in August 2010
Private Equity – Undisclosed in February 2014
Leading Investors
Summit Partners
CVC Capital Partners
Bromium
Company Description
Bromium offers micro-virtualization solutions for apps on enterprise endpoints to isolate
tasks and prevent malware from spreading. The company was founded in 2010 by Gaurav
Banga, Simon Crosby, and Ian Pratt, and is headquartered in Cupertino, CA. Competitors
include micro-virtualization vendors such as Menlo Security, Spikes Security, and tuCloud
Federal, as well as indirect competitors offering sandboxing such as Check Point,
Symantec, FireEye, and Palo Alto.
Products for the Next Generation of Endpoint
Bromium’s micro-virtualization capabilities isolate processes so endpoint users are not
immediately doomed upon downloading malware. Each task is isolated, meaning
breaches cannot escape and spread, whether the attack is known or unknown. Bromium’s
Advanced Endpoint Security solution operates using CPU-enforced isolation that can
proactively prevent malware utilizing a microvisor while running on a strict need-to-know
basis. Micro-virtualization is a unique approach to endpoint security that can be very
effective in preventing attacks that use the most frequented vehicles such as PDFs, web
attacks, and executables.
Senior Management
Gregory Webb – CEO
Ian Pratt – Co-founder and President
Simon Crosby – Co-founder and CTO
Earl Charles – CFO
Recent Series of Investments
Series A – $9.2 million in June 2011
Series B – $26.5 million in June 2012
Series C – $40 million in October 2016
Series D – $40 million in March 2016
Leading Investors
Andreessen Horowitz
Highland Capital Partners
Ignition Partners
Intel Capital
Lightspeed Venture Partners
Meritech Capital Partners
Silver Lake Waterman
Carbon Black
Company Description
Carbon Black offers an enterprise endpoint security platform to replace AV programs
using a simple-to-deploy, scalable, cloud solution. The company offers a “Next Generation
Antivirus” that uses a deep analytic approach to prevent some of the most complex
methods of attack including memory exploits and scripting. The company was founded in
2002 by Allen Hillery, John Hanratty, Todd Brennan, and Michael Viscuso and is
headquartered in Waltham, MA. Competitors include security incumbents such as
Symantec, Palo Alto, Check Point, Cisco, AVAST, et al., as well as other endpoint point
solution vendors.
Products for the Next Generation of Endpoint
Carbon Black’s Cb Endpoint Security Platform offers next-generation AV, incident
response and threat hunting solutions, application control, and attack analytics and
intelligence. The next-generation AV solution uses a deep analytic approach to inspect
files and identify malicious activity to prevent both known and unknown malware, including
more sophisticated attacks such as memory-based attacks and script-based attacks. Cb
Protection is an application control solution that can provide controllability of automatic
software execution across applications, maintaining the protection of sensitive data.
Carbon Black’s platform can be distributed across desktops, laptops, servers, and point-
of-sale devices.
Senior Management
Patrick Morley – President and CEO
Mark Sullivan – CFO
Michael Viscuso – Co-founder and CTO
Recent Series of Investments
Venture – $12.5 million in April 2011
Series D – $34.5 million in July 2012
Series E – $38.3 million in February 2014
Series F – $54.5 million in October 2015
Series G – $14 million in February 2016
Leading Investors
.406 Ventures
Atlas Venture
Highland Capital Partners
Sequoia Capital
CrowdStrike
Company Description
CrowdStrike provides a cloud-based next-generation endpoint protection platform as well
as intelligence and incident response services to prevent, detect, and mitigate complex
breaches in enterprises. The company was founded in 2011 by George Kurtz, Dmitri
Alperovitch, and Gregg Marston and is headquartered in Irvine, CA. Competitors include
security incumbents such as Symantec, Palo Alto, Check Point, Cisco, AVAST, et al., as
well as other endpoint security vendors.
Products for the Next Generation of Endpoint
CrowdStrike offers its Falcon Platform, which includes a next-generation AV product
(Falcon Host), Security-as-a-Service (Falcon Overwatch), and intelligence (Falcon
Intelligence), as well as DNS security solutions (Falcon DNS). Falcon Host is a next-
generation endpoint protection delivered through the cloud and was independently
validated for HIPAA compliance in September 2016. The product uses machine learning
to prevent malware breaches in real-time and analyze historical endpoint activity including
processes and threads. Its “DVR”-like capabilities enable organizations to record and
retrace the footsteps of threat actors so IT leaders know where to plug in the holes of
vulnerabilities.
Senior Management
George Kurtz – Co-founder and President/CEO
Dmitri Alperovitch – Co-founder and CTO
Burt Podbere – CFO
Recent Series of Investments
Series A – $26 million in February 2012
Series B – $30 million in September 2013
Series C – $100 million in July 2015
Leading Investors
Accel Partners
CapitalG
Rackspace
Warburg Pincus
Cybereason
Company Description
Cybereason offers an endpoint security platform designed to detect malicious attacks and
distinguish the intent of the attackers using advanced artificial intelligence. The company
was founded by ex-Israeli Defense cybersecurity staff (Lior Div-Cohen, Yonatan Striem-Amit,
and Yossi Naar) in 2012 and is headquartered in Boston, MA. Competitors include
security incumbents such as Symantec, Palo Alto, Check Point, Cisco, AVAST, et al., as
well as other endpoint security vendors.
Products for the Next Generation of Endpoint
Cybereason uses sensors for endpoints and servers to detect anomalous behavior and
identify both known and unknown malware. Cybereason’s platform comes with a “hunting
engine” that uses artificial intelligence, machine learning, and behavioral techniques to
hunt down cyber-attacks that come across the company’s sensors. The sensors are built
to run in user space, leaving no impact on productivity or user experience. The platform
allows IT administrators to respond efficiently and effectively by providing tools to simplify
the forensics and supporting evidence of attacks. In addition, Cybereason offers active
monitoring services (Security-as-a-Service) that can also help determine the right course
of action.
Senior Management
Lior Div – CEO & Co-founder
Yossi Naar – CVO & Co-founder
Yonatan Striem-Amit – CTO & Co-founder
Scott Ward – CFO
Recent Series of Investments
Series A – $4.63 million in May 2013
Series B – $25 million in May 2015
Series C – $59 million in September 2015
Leading Investors
Charles River Ventures
Spark Capital Partners
SoftBank Group Corp.
Lockheed Martin Corp.
Cylance
Company Description
Cylance is a next-generation Antivirus provider that uses artificial intelligence and machine
learning to identify and prevent both known and unknown cyber threats from executing on
endpoints. The company was founded in 2012 by Stuart McClure and Ryan Permeh and
is headquartered in Irvine, CA. Cylance is in the Visionaries quadrant of Gartner’s 2016
Magic Quadrant for Endpoint Protection Platforms. Competitors include security
incumbents such as Symantec, Palo Alto, Check Point, Cisco, AVAST, et al., as well as
other endpoint security vendors.
Products for the Next Generation of Endpoint
Cylance provides endpoint security by using advanced machine learning and artificial
intelligence techniques. CylancePROTECT® is a next-generation antivirus that can
prevent threats in real-time before any attack is made, including system and memory-
based attacks, zero-day malware, scripts, and unwanted programs. Because of its artificial
intelligence framework, the product uses less than 1% of CPU, and no signature updates
are required. The CylancePROTECT®+ThreatZERO™ platform includes services for
threat intelligence, deployment strategies, and best practices, ensuring an organization’s
environment is not already infected.
Senior Management
Stuart McClure – Co-founder and CEO/President
Ryan Permeh – Co-founder and Chief Scientist
Jeff Ishmael – CFO
Recent Series of Investments
Series A – $15 million in February 2013
Series B – $20 million in February 2014
Series C – $42 million in July 2015
Series D – $100 million in June 2016
Leading Investors
Blackstone Tactical Opportunities
Insight Venture Partners
DFJ Growth
Fairhaven Capital Partners
Khosla Ventures
Deep Instinct
Company Description
Deep Instinct (Fifth Dimension Ltd.) provides the first deep learning form of artificial
intelligence in protecting endpoints and mobile devices by breaking down objects into the
smallest parts to analyze and predict malware attacks before they happen. The company
was founded in 2014 by Guy Caspi, Doron Cohen, and Yoel Neeman, and is
headquartered in Tel Aviv, Israel. Deep learning AI may be categorized differently from
machine learning; therefore, indirect competitors include security incumbents such as
Symantec, Palo Alto, Check Point, Cisco, AVAST, et al., as well as other endpoint security
vendors.
Products for the Next Generation of Endpoint
Deep Instinct’s product differs slightly from other artificial intelligence endpoint detection and
response solutions in that it uses deep learning artificial intelligence as compared to
machine learning. The difference is that deep learning attempts to emulate the
functionality of the human brain (or “deep neural networks”). The technology trains on both
structured and unstructured datasets from multiple sources that result in a lightweight
predictive, detective, and preventive model for both known and unknown malware. As
malware continues to be developed by artificially intelligent authors, the continued
advancement of intelligence in endpoint to detect such malware is paramount. Deep
Instinct’s deep learning capabilities could be a stepping stone to the next generation of AI
security.
Senior Management
Guy Caspi – Co-founder and CEO
Dr. Eli David – CTO
Efrat Turgeman – CFO
Doron Cohen – Co-founder and Chairman
Yoel Neeman – Co-founder and Head of Corporate
Recent Series of Investments
Series A – Undisclosed amount in September 2015
Leading Investors
Blumberg Capital LLC
Columbus Nova Partners LLC
UST Global, Inc.
Digital Guardian
Company Description
Digital Guardian provides data security software and information protection solutions for
both endpoints and networks, enabling IT administrators to protect their data and better
manage its attack surface. The company was founded in 2002 by Allen Michels, Nicholas
Stamos, Seth Birnbaum, Donato Buccella, Tomas Revesz, Dwayne Carson, and William
Fletchner, and is headquartered in Waltham, MA. Digital Guardian is located in the
Leaders quadrant of Gartner’s 2016 Magic Quadrant for Enterprise Data Loss Prevention.
Competitors include other Data Loss Prevention vendors including Symantec, Forcepoint,
Intel Security, and GTB Technologies.
Products for the Next Generation of Endpoint
Between the abstraction of IT architectures and the expansion of egress points, sensitive
data can travel beyond the network using a number of pathways. The different breeds of
Data Loss Prevention (DLP) products are consolidating into a single platform, and Digital
Guardian is a leading provider of an integrated DLP package. In addition to DLP, the
company provides other security solutions such as data visibility and control, advanced
threat protection, and endpoint agents across Windows, Linux, Mac, and virtual systems.
Its platform additionally offers data protection for cloud storage providers such as
Accellion, Box, Citrix ShareFile, Egnyte, and Microsoft. We believe data visibility and
control solutions for the endpoint are fundamental for networks with expanding egress
points.
Senior Management
Ken Levine – President and CEO
Ed Durkin – CFO
Douglas Bailey – CSO
Salo Fajer – CTO
Recent Series of Investments
Venture - $12 million in March 2014
Venture - $66 million in December 2015
Leading Investors
Brookline Venture Partners
Fairhaven Capital Partners
General Electric Pension Trust
LLR Partners
LightCyber
Company Description
LightCyber provides behavior attack detection solutions to enterprises for both on-premise
and cloud infrastructures that give IT administrators the ability to identify malicious
executables on endpoints, verify any incidents, and terminate corresponding processes.
The company was founded in 2011 by Giora Engel and Michael Mumcuoglu and is
headquartered in Ramat Gan, Israel. LightCyber is unique in that it looks at endpoint
security at the highest level of the network; thus indirect competitors may include security
incumbents such as Symantec, Palo Alto, Check Point, Cisco, AVAST, et al., as well as
other endpoint security vendors.
Products for the Next Generation of Endpoint
LightCyber provides a behavioral anomaly detection solution that uses sensors and an
analytics engine. The company’s Magna platform has the ability to perform endpoint
analysis to augment network findings without the need to install agents on all endpoints.
Magna Pathfinder is an endpoint anomaly solution using agentless software that
automates the detection of attacks and uncovers the root cause of the attack, saving
administrators hours of investigation time. The platform can be deployed in both on-
premise and cloud environments.
Senior Management
Gonen Fink – CEO
Giora Engel – Co-founder and CPO
Michael Mumcuoglu – Co-founder and CTO
Yoni Mizrahi – CFO
Recent Series of Investments
Series A – $10.5 million in September 2014
Series B – $20 million in June 2016
Leading Investors
Access Industries
Amplify Partners
Battery Ventures
Glilot Capital Partners
Vertex Ventures
SentinelOne
Company Description
SentinelOne is a next-generation endpoint security provider that uses several layers of
attack prevention techniques, including behavior detection and machine learning, to block
threats from breaching an endpoint. The company was founded in 2013 by Tomer
Weingarten and Almog Cohen and is headquartered in Bnei Brak, Israel. The company is
located in the Visionaries quadrant of Gartner’s 2016 Magic Quadrant for Endpoint
Protection Platforms. Competitors include security incumbents such as Symantec, Palo
Alto, Check Point, Cisco, AVAST, et al., as well as other endpoint security vendors.
Products for the Next Generation of Endpoint
SentinelOne provides endpoint security leveraging behavior-based threat detection
techniques and can defend against sophisticated malware such as evasive malware. The
product allows SOCs to set policies that automate responses to breaches, such as
quarantining and containing infected endpoints. Its machine learning technique under the hood
of the Dynamic Behavior Tracking engine can map and score suspicious activity until the
process is flagged as a threat. The product can be applied to both endpoints and servers
and “guarantees” complete Ransomware protection.
Senior Management
Tomer Weingarten – Co-Founder and CEO
Almog Cohen – Co-Founder and CTO
Sameet Mehta – CFO and Board Member
Ehud Shamir – Chief Security Officer
Recent Series of Investments
Series A – $12 million in April 2014
Series B – $25 million in October 2015
Leading Investors
Data Collective
Granite Hill Capital Partners
The Westly Group
Third Point Ventures
Tiger Global Management
UpWest Labs
Tanium
Company Description
Tanium is an endpoint security and management platform provider that leverages its IT
operation team to automate detection and remediation strategies when an organization
detects a breach. The company was founded in 2007 by David Hindawi and Orion
Hindawi and is headquartered in Emeryville, CA. Competitors include security incumbents
such as Symantec, Palo Alto, Check Point, Cisco, AVAST, et al., as well as other endpoint
security vendors.
Products for the Next Generation of Endpoint
Tanium provides endpoint security and systems management solutions using architecture
that can visibly analyze data and control an infected endpoint within 15 seconds. Tanium
Core is a platform comprising endpoint security capabilities such as threat detection,
incident response, vulnerability assessment, and configuration compliance, as well as
endpoint management capabilities such as patch management, asset inventory, software
distribution, and asset utilization. The platform allows SOCs to automate detection and
remediation strategies in an efficient manner when an attack is detected.
Senior Management
David Hindawi – Co-founder and Executive Chairman
Orion Hindawi – Co-founder and CEO
Eric Brown – CFO and COO
David Damato – Chief Security Officer
Recent Series of Investments
Series E – $90 million in June 2014
Series F – $64 million in March 2015
Series G – $117.5 million in September 2015
Series G – $30 million in September 2015
Leading Investors
Andreessen Horowitz
Franklin Templeton Investments
Geodesic Capital
Institutional Venture Partners
TPG
Stock prices of other companies mentioned in this report (as of 1/18/2017):
Guidance Software (GUID-NASDAQ, $7.18, Not Covered)
Trend Micro Inc. (4704-TYO, ¥4,220, Not Covered)
Disclosure Appendix
Oppenheimer & Co. Inc. does and seeks to do business with companies covered in its research reports. As a result, investors should be aware that the firm may have a conflict of interest that could affect the objectivity of this report. Investors should consider this report as only a single factor in making their investment decision.
Analyst Certification - The author certifies that this research report accurately states his/her personal views about the subject securities, which are reflected in the ratings as well as in the substance of this report. The author certifies that no part of his/her compensation was, is, or will be directly or indirectly related to the specific recommendations or views contained in this research report.
Potential Conflicts of Interest:
Equity research analysts employed by Oppenheimer & Co. Inc. are compensated from revenues generated by the firm including the Oppenheimer & Co. Inc. Investment Banking Department. Research analysts do not receive compensation based upon revenues from specific investment banking transactions. Oppenheimer & Co. Inc. generally prohibits any research analyst and any member of his or her household from executing trades in the securities of a company that such research analyst covers. Additionally, Oppenheimer & Co. Inc. generally prohibits any research analyst from serving as an officer, director or advisory board member of a company that such analyst covers. In addition to 1% ownership positions in covered companies that are required to be specifically disclosed in this report, Oppenheimer & Co. Inc. may have a long position of less than 1% or a short position or deal as principal in the securities discussed herein, related securities or in options, futures or other derivative instruments based thereon. Recipients of this report are advised that any or all of the foregoing arrangements, as well as more specific disclosures set forth below, may at times give rise to potential conflicts of interest.
Important Disclosure Footnotes for Companies Mentioned in this Report that Are Covered by Oppenheimer & Co. Inc:
Stock Prices as of January 19, 2017
Apple Inc. (AAPL - NASDAQ, $120.00, PERFORM)
Box, Inc. (BOX - NASDAQ, $16.62, OUTPERFORM)
Check Point Software Technologies (CHKP - NASDAQ, $90.39, OUTPERFORM)
Cisco Systems (CSCO - NASDAQ, $29.99, OUTPERFORM)
Citrix Systems, Inc. (CTXS - NASDAQ, $90.90, PERFORM)
CyberArk Software Ltd. (CYBR - NASDAQ, $50.42, OUTPERFORM)
FireEye, Inc. (FEYE - NASDAQ, $13.16, OUTPERFORM)
Fortinet, Inc. (FTNT - NASDAQ, $31.70, OUTPERFORM)
International Business Machines (IBM - NYSE, $167.89, PERFORM)
Intel Corp. (INTC - NASDAQ, $36.80, PERFORM)
Microsoft Corporation (MSFT - NASDAQ, $62.53, OUTPERFORM)
Palo Alto Networks Inc. (PANW - NYSE, $138.45, OUTPERFORM)
Symantec Corporation (SYMC - OTC, $26.20, OUTPERFORM)
Verint Systems (VRNT - OTC, $37.45, OUTPERFORM)
All price targets displayed in the chart above are for a 12- to 18-month period. Prior to March 30, 2004, Oppenheimer & Co. Inc. used 6-, 12-, 12- to 18-, and 12- to 24-month price targets and ranges. For more information about target price histories, please write to Oppenheimer & Co. Inc., 85 Broad Street, New York, NY 10004, Attention: Equity Research Department, Business Manager.
Oppenheimer & Co. Inc. Rating System as of January 14th, 2008:
Outperform (O) - Stock expected to outperform the S&P 500 within the next 12-18 months.
Perform (P) - Stock expected to perform in line with the S&P 500 within the next 12-18 months.
Underperform (U) - Stock expected to underperform the S&P 500 within the next 12-18 months.
Not Rated (NR) - Oppenheimer & Co. Inc. does not maintain coverage of the stock or is restricted from doing so due to a potential conflict of interest.
Oppenheimer & Co. Inc. Rating System prior to January 14th, 2008:
Buy - anticipates appreciation of 10% or more within the next 12 months, and/or a total return of 10% including dividend payments, and/or the ability of the shares to perform better than the leading stock market averages or stocks within its particular industry sector.
Neutral - anticipates that the shares will trade at or near their current price and generally in line with the leading market averages due to a perceived absence of strong dynamics that would cause volatility either to the upside or downside, and/or will perform less well than higher rated companies within its peer group. Our readers should be aware that when a rating change occurs to Neutral from Buy, aggressive trading accounts might decide to liquidate their positions to employ the funds elsewhere.
Sell - anticipates that the shares will depreciate 10% or more in price within the next 12 months, due to fundamental weakness perceived in the company or for valuation reasons, or are expected to perform significantly worse than equities within the peer group.
Distribution of Ratings/IB Services Firmwide
Rating | Count | Percent | IB Serv/Past 12 Mos. Count | IB Serv/Past 12 Mos. Percent
OUTPERFORM [O] | 296 | 55.53 | 111 | 37.50
PERFORM [P] | 233 | 43.71 | 71 | 30.47
UNDERPERFORM [U] | 4 | 0.75 | 3 | 75.00
Although the investment recommendations within the three-tiered, relative stock rating system utilized by Oppenheimer & Co. Inc. do not correlate to buy, hold and sell recommendations, for the purposes of complying with FINRA rules, Oppenheimer & Co. Inc. has assigned buy ratings to securities rated Outperform, hold ratings to securities rated Perform, and sell ratings to securities rated Underperform.
Company Specific Disclosures
Oppenheimer & Co. Inc. makes a market in the securities of AAPL, CHKP, CSCO, CTXS, FEYE, INTC, MSFT, SYMC and VRNT.
Oppenheimer & Co. Inc. expects to receive or intends to seek compensation for investment banking services in the next 3 months from CYBR, GUID and VRNT.
Additional Information Available
Please log on to http://www.opco.com or write to Oppenheimer & Co. Inc., 85 Broad Street, New York, NY 10004, Attention: Equity Research Department, Business Manager.
Other Disclosures
This report is issued and approved for distribution by Oppenheimer & Co. Inc. Oppenheimer & Co. Inc. transacts business on all principal exchanges and is a member of SIPC. This report is provided, for informational purposes only, to institutional and retail investor clients of Oppenheimer & Co. Inc. and does not constitute an offer or solicitation to buy or sell any securities discussed herein in any jurisdiction where such offer or solicitation would be prohibited. The securities mentioned in this report may not be suitable for all types of investors. This report does not take into account the investment objectives, financial situation or specific needs of any particular client of Oppenheimer & Co. Inc. Recipients should consider this report as only a single factor in making an investment decision and should not rely solely on investment recommendations contained herein, if any, as a substitution for the exercise of independent judgment of the merits and risks of investments. The analyst writing the report is not a person or company with actual, implied or apparent authority to act on behalf of any issuer mentioned in the report. Before making an investment decision with respect to any security recommended in this report, the recipient should consider whether such recommendation is appropriate given the recipient's particular investment needs, objectives and financial circumstances. We recommend that investors independently evaluate particular investments and strategies, and encourage investors to seek the advice
of a financial advisor. Oppenheimer & Co. Inc. will not treat non-client recipients as its clients solely by virtue of their receiving this report.Past performance is not a guarantee of future results, and no representation or warranty, express or implied, is made regarding futureperformance of any security mentioned in this report. The price of the securities mentioned in this report and the income they produce mayfluctuate and/or be adversely affected by exchange rates, and investors may realize losses on investments in such securities, including theloss of investment principal. Oppenheimer & Co. Inc. accepts no liability for any loss arising from the use of information contained in thisreport, except to the extent that liability may arise under specific statutes or regulations applicable to Oppenheimer & Co. Inc. All information,opinions and statistical data contained in this report were obtained or derived from public sources believed to be reliable, but Oppenheimer& Co. Inc. does not represent that any such information, opinion or statistical data is accurate or complete (with the exception of informationcontained in the Important Disclosures section of this report provided by Oppenheimer & Co. Inc. or individual research analysts), and theyshould not be relied upon as such. All estimates, opinions and recommendations expressed herein constitute judgments as of the date ofthis report and are subject to change without notice. Nothing in this report constitutes legal, accounting or tax advice. Since the levels andbases of taxation can change, any reference in this report to the impact of taxation should not be construed as offering tax advice on the taxconsequences of investments. As with any investment having potential tax implications, clients should consult with their own independenttax adviser. This report may provide addresses of, or contain hyperlinks to, Internet web sites. Oppenheimer & Co. Inc. 
has not reviewed the linked Internet web site of any third party and takes no responsibility for the contents thereof. Each such address or hyperlink is provided solely for the recipient's convenience and information, and the content of linked third party web sites is not in any way incorporated into this document. Recipients who choose to access such third-party web sites or follow such hyperlinks do so at their own risk.

This research is distributed in the UK and elsewhere throughout Europe, as third party research by Oppenheimer Europe Ltd, which is authorized and regulated by the Financial Conduct Authority (FCA). This research is for information purposes only and is not to be construed as a solicitation or an offer to purchase or sell investments or related financial instruments. This research is for distribution only to persons who are eligible counterparties or professional clients. It is not intended to be distributed or passed on, directly or indirectly, to any other class of persons. In particular, this material is not for distribution to, and should not be relied upon by, retail clients, as defined under the rules of the FCA. Neither the FCA’s protection rules nor compensation scheme may be applied. https://opco2.bluematrix.com/sellside/MAR.action

Distribution in Hong Kong: This report is prepared for professional investors and is being distributed in Hong Kong by Oppenheimer Investments Asia Limited (OIAL) to persons whose business involves the acquisition, disposal or holding of securities, whether as principal or agent. OIAL, an affiliate of Oppenheimer & Co. Inc., is regulated by the Securities and Futures Commission for the conduct of dealing in securities, advising on securities, and advising on Corporate Finance. For professional investors in Hong Kong, please [email protected] for all matters and queries relating to this report. This report or any portion hereof may not be reprinted, sold, or redistributed without the written consent of Oppenheimer & Co. Inc.
Copyright © Oppenheimer & Co. Inc. 2017.