Security 2014 and Beyond: An Evolving Threat Environment in a Mobile, Cloud, and Virtual World




December 2013

Joel P. Fishbein, Jr, BMO Capital Markets Corp., joel.fishbein@bmo.com, (212) 885-4159
Brett Fodero, BMO Capital Markets Corp., brett.fodero@bmo.com, (212) 885-4019

Refer to pages 190-197 for Important Disclosures, including Analyst's Certification. For Important Disclosures on the stocks discussed in this report, please go to http://researchglobal.bmocapitalmarkets.com/company_disclosure_public.asp.

BMO Capital Markets
A member of BMO Financial Group
December 18, 2013

Table of Contents

Security Industry View
Key Points
Security Market Backdrop: New, More Sophisticated Threats Driving Demand for Better Technologies
Cloud-Based Security Is Growing Much Faster Than The Traditional Model
Data and Application Protection
Cloud Computing Implications for Security
Cloud Application Control
End Point Security
Consumer Market Disrupted by Tablets and Freemium Model
Regulation Driving the Need for Compliance Checks
Evaluating Vendors Positioning to Benefit From Next-Generation Security
M&A Outlook
Key Drivers of Investing in Security
Summary of Covered Companies
Summary of Un-Covered Companies
Comparable Analysis of Public Security Companies
Key Private Security Companies to Watch
Glossary
Barracuda Networks
  Company Overview
  Balance Sheet and Capital Allocation
  Current Outlook
  Valuation
  Risks
  Financial Models
Check Point Software
  Market Backdrop
  Company Background
  Appliances
  Blades
  New Products
  Balance Sheet and Capital Allocation
  Current Outlook
  Valuation
  Risks
  Financial Models
Imperva
  Company Overview
  Balance Sheet and Capital Allocation
  Current Outlook
  Valuation
  Risks
  Financial Models
Qualys
  Investment Drivers
  Market Backdrop
  Company Background
  Balance Sheet and Capital Allocation
  Current Outlook
  Valuation
  Risks
  Financial Models
Symantec
  Company Overview
  Balance Sheet and Capital Allocation
  Current Outlook
  Valuation
  Risks
  Financial Models


Industry Rating: Outperform
December 18, 2013

Despite billions of dollars having been spent over the past decade on stateful firewalls (any firewall that performs stateful packet inspection of network connections) and point solutions complementing them (IPS, web filtering, security web gateways, UTMs, and others), corporate breaches are at elevated levels, in our opinion. Today's cyber threat landscape is highly targeted and focused on acquiring something valuable and vital, such as sensitive personal information and intellectual property, as 95% of organizations are compromised by new sophisticated attacks that blend malicious techniques. These attacks can cost millions of dollars in lost revenue and compromise customer data, intellectual property, business reputation, and overall livelihood.

A recurring theme in our conversations with customers, vendors, channel partners, and other industry participants is the need for protecting data regardless of its location and form. As spending on security initiatives remains a top priority with CIOs and CSOs, the key security concerns are securing mobile devices while enabling greater mobility and BYOD, dealing with advanced persistent threats, dealing with identity management, ensuring the security of customer data, and transaction security.

Cybersecurity risk has increased significantly with the adoption of initiatives like cloud-based applications, social networking, virtualization, and BYOD, which provide more weaknesses in an organization's network. The corporate challenge is finding a balance between enhancing the productivity of its employees and securing its networks and sensitive data from attack. Today's goal for security vendors is to find known and unknown cyberattacks in real-time across all potential vectors.

Summary

- Cyber crime has surpassed illegal drug trafficking as a criminal moneymaker.
- Today's cyber threat landscape is highly targeted and focused on acquiring something valuable, such as sensitive personal information, intellectual property, etc., as 95% of organizations are compromised by new sophisticated attacks that blend malicious techniques.
- Cybersecurity risk has increased significantly with the adoption of initiatives like cloud-based applications, social networking, virtualization, and BYOD, which provide more weaknesses in an organization's network.
- As spending on security initiatives remains a top priority with CIOs and CSOs, we are taking a deep dive on each of the underlying markets and identifying the key investment themes and companies as well as identifying the BMO top 50 private security companies to watch.
- We are initiating on the Security space with Barracuda Networks (Outperform), Check Point Software (Market Perform), Imperva (Outperform), Qualys (Market Perform), and Symantec (Market Perform).

Security Industry View

Despite billions of dollars having been spent over the past decade on stateful firewalls (any firewall that performs stateful packet inspection of network connections) and point solutions complementing them (IPS, web filtering, security web gateways, UTMs, and others), corporate breaches are at elevated levels, in our opinion. Solving the security vulnerability of corporate networks with traditional solutions results in security gaps because those solutions were not designed to address several major recent developments. The bottom line is that traditional network security solutions have insufficient ability to deal with a complex IT environment and a constantly evolving threat environment.

Cyber crime has surpassed illegal drug trafficking as a criminal money-maker -- one in five people in the world will become a victim (source: Symantec). Cybercriminals and hackers are expending significant resources to acquire sensitive intellectual property and personal data, causing financial and reputational damage; nation-states are pursuing cyber espionage targeting critical infrastructure grids and highly sensitive information that can threaten national security and launch denial of service attacks.

According to Verizon's 2013 Data Breach Investigations Report:

- 75% of breaches were driven by financial motive,
- 66% of breaches took months to discover,
- 92% of breaches were perpetrated by outsiders; 14% committed by insiders,
- 37% of breaches affected a financial organization, and
- 71% of breaches targeted devices.

Cybersecurity risk has increased significantly with the adoption of initiatives like cloud-based applications, social networking, virtualization, and BYOD, which provide more weaknesses in an organization's network. The corporate challenge is finding a balance between enhancing the productivity of their employees and securing their networks and sensitive data from attack.

The security industry and new technologies have evolved as the world moves from detection to prevention, from blocking to trapping (sandboxing), from reactive to proactive. Today's goal for security vendors is to find known and unknown cyber-attacks in real-time across all potential vectors.

We are initiating on the Security space with Outperform ratings on Barracuda Networks (CUDA) and Imperva (IMPV), and Market Perform ratings on Check Point Software (CHKP), Qualys (QLYS), and Symantec (SYMC).

Key Points

A recurring theme is protecting the data regardless of its location and form.

A recurring theme in our conversations with customers, vendors, channel partners, and other industry participants is the need for protecting data regardless of its location and form. This indicates continued strong spending on security initiatives driven by the coalescence of several factors:

- Recent growth of advanced persistent threats and data breaches is causing companies to upgrade their security systems.
- Continuing data center consolidation drives a need for new network security solutions such as high-end IPS and unified threat management (UTM).
- Growth of rich-media applications is causing a need for next-generation application-aware network security solutions.
- Increasingly vulnerable perimeter defenses owing to inadequate existing network security tools are causing a need for next-generation network security solutions.
- A new generation of internet applications is traversing the corporate network. Employees are accessing social and media sites, leaving sensitive and confidential content at risk of leaving the corporate network.

Regulatory driven compliance mandates. Regulatory compliance is becoming an increasingly important component of IT, especially since the cost of compliance grows with each new regulation. As a result, compliance is becoming an increasingly hot topic with C-level executives. In the 2012 Gartner CEO Survey, regulatory risk was cited as the No. 1 business risk. With Dodd-Frank, healthcare reform, more stringent privacy rules, and the increasing need to regulate the internet, among other new and upcoming regulations, enterprises will likely turn to compliance standards as never before. This should continue to drive the need for compliance software over the long term.

The transition to cloud computing has exposed organizations to additional security vulnerabilities, as has the adoption of other new technologies such as virtualization and mobile computing. This ultimately has expanded the number of endpoints that need to be monitored and managed in order to protect sensitive data and IT assets. In our opinion, legacy solutions, both network and endpoint, have proved to be insufficient. At the same time, we are seeing a significant increase in customer interest in new and improved data protection and next-generation technologies. As a result, existing vendors have been scrambling to add new detection and prevention technologies to protect market share and meet customer demand.

Strong SaaS and virtual appliances adoption; virtualization is moving a lot faster than virtualization security. We believe that distributed enterprise security has had a natural evolution as a response to the increase in sophistication and scale of the threat environment, IT budget considerations, cost and complexity of previous generations of enterprise security, and most recently virtualization and the rise of cloud computing. Our conversations with customers indicate that while the majority of organizations are virtualizing and server virtualization penetration is well over 50%, only a minority are doing anything about virtual security. Gartner estimates that by 2015, 40% of security controls used in enterprise data centers will be virtualized, up from less than 5% in 2010, i.e., virtualization is moving a lot faster than virtualization security. We are seeing strong adoption of virtual appliances.

Federal cybersecurity initiatives are an opportunity for many vendors, but budgeting could create near-term risks. We expect cybersecurity to be a major driver in 2014 and beyond, boosted in part by increased government spending. The number of attacks against federal networks has increased at a six-year CAGR of 45% to 48,562 in 2012 from 5,503 in 2006. The Obama administration is renewing its focus on cybersecurity, which should drive near-term spending on security at the federal level. We expect multiple vendors to benefit from this increased spending. However, near-term uncertainty over government budgets can be an overhang on some companies that have meaningful revenue coming from this vertical.

Security company IPO market remains hot. There have been 12 security-related IPOs over the past several years, up significantly versus a handful in previous years, driven by increased venture investment and new opportunities brought on by the increasing threat landscape. These include Imperva, Proofpoint, Qualys, Palo Alto Networks, FireEye, Barracuda Networks, AVG Technology, and LifeLock.

Renewed interest by venture capital. We have seen renewed interest by VCs in the security space to invest in next-generation network and endpoint technologies and increased customer interest in data protection and next-generation technologies. We believe these are opportune times for enterprising smaller and new vendors to gain meaningful market share at the expense of vulnerable incumbents lagging in technology or being acquired by incumbents seeking to fill technology gaps.

Consolidation a recurring theme. We expect the consolidation to continue and potentially accelerate as companies look to bolster their security portfolios. M&A volumes have rebounded, driven by increased liquidity positions (equity and debt markets, cash-heavy balance sheets) and pent-up demand to make acquisitions that increase growth. Over the next several years, we think it is likely that M&A activity will remain high, especially in the cloud and network-security space. Large-scale consolidation typically happens at the hands of the large players such as Cisco, Intel, IBM, EMC, Dell, Symantec, CA, etc., as well as private equity. Additionally, the acquirers of security companies are broad, including security, defense, enterprise software, digital media, and communications. Since the beginning of 2010, the average M&A transaction is done at ~3.4x sales. The largest acquisition in several years was Cisco in July buying Sourcefire for $2.8 billion. Sourcefire's FireAMP and FirePOWER network security appliances combine for advanced malware protection (and forensic data capture) on networks and endpoints. Cisco plans to use Sourcefire as an engine to re-accelerate its security franchise.

Large and Growing Total Addressable Market

Security Software makes up ~8% of overall enterprise software spending. Gartner projects that by 2017, total security spending (total security spending less security services) will increase to $39.1 billion from $27.7 billion in 2012, representing a five-year CAGR of 7.2%. We expect Enterprise markets (7.7% CAGR through 2017) to outpace Consumer, which is only expected to grow 4.2% over the same time period.

Exhibit 1. Security Spending by Segment ($ Millions)

Segment                                                 2012   2013E   2014E   2015E   2016E   2017E  CAGR 2012-2017E
Identity Access Management                             2,658   2,950   3,278   3,618   3,960   4,315            10.2%
  Other Identity Access Management                       627     722     839     954   1,066   1,182            13.5%
  User Provisioning (UP)                               1,397   1,549   1,720   1,898   2,089   2,295            10.4%
  Web Access Management (WAM)                            634     678     719     766     805     837             5.7%
Infrastructure Protection                             12,001  12,887  13,963  15,100  16,298  17,533             7.9%
  Data Loss Prevention                                   573     731     941   1,203   1,515   1,877            26.8%
  Security Testing (DAST and SAST)                       416     484     561     649     747     857            15.6%
  Security Information and Event Management (SIEM)     1,361   1,578   1,808   2,035   2,251   2,443            12.4%
  Other Security Software                              2,762   3,021   3,273   3,524   3,801   4,099             8.2%
  Secure Web Gateway                                   2,033   2,158   2,327   2,505   2,683   2,855             7.0%
  Secure Email Gateway                                 1,678   1,725   1,774   1,820   1,857   1,884             2.3%
  Endpoint Protection Platform (Enterprise)            3,179   3,191   3,280   3,364   3,443   3,518             2.0%
Network Security Equipment                             8,110   8,649   9,256   9,883  10,543  11,221             6.7%
  VPN/Firewall Equipment                               6,064   6,644   7,322   8,076   8,900   9,771            10.0%
  IPS Equipment                                        1,470   1,524   1,549   1,510   1,418   1,288            -2.6%
  SSL VPN Equipment                                      576     481     386     297     224     163           -22.3%
Consumer Security Software                             4,892   5,043   5,297   5,557   5,801   6,020             4.2%
Total Security Software                               27,661  29,529  31,794  34,158  36,602  39,089             7.2%

Source: BMO Capital Markets estimates; Gartner (October 2013)

Traditional enterprise security is a mature market, growing at a low rate because of high penetration. Higher-than-market growth for individual vendors can only come through market share shifts and vendors providing value by combining point products into suites and integrating high-value-add functions.

The fastest growth areas of security spending are expected to be emerging categories: Identity and Access Management (IAM), Data Loss Prevention (DLP), and Security Testing, albeit off smaller bases. Additionally, we expect Next Generation Firewalls (NGFW) to outpace overall network security growth, as it cannibalizes spending from existing categories.

Exhibit 2. Security Spending by Segment ($, Millions)

[Chart: Market Size ($000), 2012 and CAGR 2012-2017, by segment.]

Source: BMO Capital Markets; Gartner (October 2013).

Select key drivers for current security buyers:

- Securing mobile devices and enabling mobility,
- Advanced persistent threats (APT) protection,
- Securing BYOD and cloud computing environments, and
- Adding security services to differentiate their IP solution

Exhibit 3. Security Consistently a Top 10 Priority for CIOs

Source: Gartner.

Security Market Backdrop: New, More Sophisticated Threats Driving Demand for Better Technologies

Advanced persistent threats (APTs) are increasingly being used with the goal of achieving ongoing access.

Over the past decade, as the Internet has evolved, so too has the extent and scope of cyber threats. As a result, the threat landscape has changed significantly over the past decade in several dimensions, including 1) increased sophistication, maliciousness, and stealth; 2) increased scale and frequency; and 3) the convergence of threats. Furthermore, new technologies have increased the number of attack vectors, making organizations that much more vulnerable to an attack. More recently, the transition to cloud computing has exposed organizations to additional security vulnerabilities, as has the adoption of other new technologies such as virtualization and mobile computing. This ultimately has expanded the number of endpoints that need to be monitored and managed in order to protect sensitive data and IT assets.

Advanced persistent threats (APTs) are increasingly being used to gain access to proprietary and confidential enterprise data with the goal to achieve ongoing access. Advanced persistent threats:

- Advanced: Operators behind the threat have a full spectrum of intelligence-gathering techniques at their disposal and often combine multiple targeting methods, tools, and techniques in order to reach and compromise their target and maintain access to it.
- Persistent: Operators give priority to a specific task, and targeting is conducted through continuous monitoring and interaction in order to achieve the defined objectives.
- Threat: APTs are a threat because they have both capability and intent.

The growing threat landscape has been made ever more apparent with the increasing number of high-profile data breaches that have occurred over the past several years. According to Symantec, there was a 42% increase in cyberattacks against US businesses last year, and according to a recent report in the Telegraph, big banks are being hit with cyberattacks every minute of every day.

Exhibit 4. Advanced Persistent Threats

Source: Dell SecureWorks

Within the computer security community, and increasingly within the media, the term is almost always used in reference to a long-term pattern of sophisticated hacking attacks aimed at governments, companies, and political activists, and by extension, to refer to the groups behind these attacks.

In our opinion, legacy solutions, both network and endpoint, have proved to be insufficient. At the same time, we are seeing a significant increase in customer interest in new and improved data protection and next-generation technologies. As a result, existing vendors have been scrambling to add new detection and prevention technologies to protect market share and meet customer demand.

In 2013, Mandiant presented results of its research on alleged Chinese attacks using APT methodology between 2004 and 2013 that followed a similar lifecycle:

- Initial compromise: performed by use of social engineering and spear phishing, over email, using zero-day viruses. Another popular infection method was planting malware on a website that the victim employees will be likely to visit.
- Establish foothold: plant remote administration software in victim's network, create network backdoors and tunnels allowing stealth access to its infrastructure.
- Escalate privileges: use exploits and password cracking to acquire administrator privileges over victim's computer and possibly expand it to Windows domain administrator accounts.
- Internal reconnaissance: collect information on surrounding infrastructure, trust relationships, Windows domain structure.
- Move laterally: expand control to other workstations, servers, and infrastructure elements and perform data harvesting on them.
- Maintain presence: ensure continued control over access channels and credentials acquired in previous steps.
- Complete mission: exfiltrate stolen data from victim's network.

In incidents analyzed by Mandiant, the average period over which the attackers controlled the victim's network was one year, with the longest being almost five years. The infiltrations were allegedly performed by Shanghai-based Unit 61398 of People's Liberation Army, and the Chinese officials have denied any involvement in these attacks.

Damballa Failsafe automatically discovers unknown threats, confirms which devices are infected, and stops the threat communications. Its unique ability to rapidly determine which devices are infected enables enterprise IT security teams to focus on active and imminent threats, preventing breaches with a robust advanced threat containment capability.

The FireEye Threat Prevention Platform combats today's advanced cyberattacks with its patented Multi-Vector Virtual Execution (MVX) engine that provides state-of-the-art, signature-less analysis along with proprietary virtual machines within its core to identify and block cyber attacks that may leverage one or more threat vectors to infect a client (e.g., targeted emails with embedded URLs or malicious documents).

Network Security: Spending to Remain Strong Through 2017

Our research shows continued strong spending intentions on network security. Gartner estimates that total network security equipment spending will increase 6.6% in 2013 to $8.6 billion, with VPN/firewall equipment making up approximately 75% of the total spend on network security. Spending on firewalls is also expected to be the fastest growing area in network security, growing at an estimated 10% CAGR through 2017. Additionally, we expect Next Generation Firewalls (NGFW) to outpace overall network security growth, as it cannibalizes spending from existing network and infrastructure protection categories. Further, the rise of Next Generation Threat protection focused on APTs is likely to introduce a new market supplementing traditional network security.

Network Security 3.0 As hackers discovered a way to penetrate the network perimeter despite the multiple security point solutions introduced with last generation network security technologies, and as insider threats grew, customers identified the need for deeper protection on all devices within the network. This emphasis on network security is driven by the confluence of several factors, including: Recent growth of advanced persistent threats and data breaches is causing companies to upgrade their security systems. Continuing data center consolidation drives a need for new network security solutions such as high-end IPS and unified threat management (UTM). Growth of media-rich applications is causing a need for next-generation application-aware network security solutions. Increasingly vulnerable perimeter defenses because of inadequate existing network security tools are causing a need for next-generation network security solutions. Service providers are increasing investments to handle Distributed Denial of Service attacks and mobile backhaul issues. Verticals such as retail and healthcare are setting higher security budgets to comply with the Payment Card Industry Data Security Standard and the Health Insurance Portability and Accountability Act, respectively. The financial services industry is increasing spending to reduce latency and minimize security breaches. Moreover, enterprises increasingly allowed employees to connect to the network through their laptops (ex: VPN). And hence, organizations extended their networks to accommodate these tools. As these endpoints roamed outside the network and reconnected, resilient security was needed to protect them. The agents installed on all of the devices within the network (and accessing remotely) needed to be updated regularly by some type of protection network and centralized management (ex: McAfee epo). 
On top of that, virtualization and the growing prevalence of the cloud have introduced new challenges to overall security. As such, today s network requires in depth defense, where: Perimeter security, such as the traditional firewall/ids/ips, remains at the front line, mainly defending against the outside-in attack attempts to penetrate the first line of defense from outside. Virtual appliances on the virtual network edge handle more granular security rules, especially related to application security and virtual shielding. This not only enhances perimeter security, but also reduces the frequency of changes made to perimeter devices. This layer also provides essential security in case a host security agent is not deployed. Advanced Persistent Threat services that perform automated, real-time analysis, across network traffic to detecting anomalies and stop compromised ports, IP addresses, and protocols. Page 14 December 18, 2013

- A host-based security agent on each of the hosts dynamically senses and changes the security policy as the computing/workload moves, for example, from inside the corporate network, to roaming outside the corporate network, or to another data center or to the cloud.

Next-Generation Network Security

The biggest development in network security, in our view, has been the development of next-generation security, spearheaded by Palo Alto Networks. Next-generation security (NGFW) is the convergence (as opposed to integration, i.e., UTM) of multiple security functions (firewall, IPS, secure Web gateway) on a single-engine appliance. The basis of NGFW is the evolution of firewalls to encompass IPS and secure web gateways.

Currently, network security is at a crossroads, as once-viable solutions are now incapable of stopping the growing tide of data breaches owing to the multitude of vulnerabilities they leave open for attackers to exploit; moreover, the quality and effectiveness of these attacks have increased significantly. Hacking has become a big business, including nation-state cyber wars and corporate espionage. According to a Symantec report published last year, cyber crime costs consumers $110 billion per year and affects 1.5 million people per day. As a result of the growing threat to people and businesses alike, the World Economic Forum named cyber attacks as one of the top five biggest global risks for 2012.

Cyber criminals target applications' security gaps resulting from traditional IP-based/port-based/allow-block firewall technology, which has not developed much over the last 20 years. Modern applications are increasingly using various techniques like non-standard ports and tunneling to go around port-based firewalls. Attackers today do not go directly after the data center anymore, as all protection tends to be around the data center. They instead exploit vulnerabilities on the user devices.
For example, SSL and internet protocol security (IPSec) do not protect the mobile machine when the machine is off the network and goes directly to the internet. Attackers can also penetrate perimeter defenses through applications like Facebook, youtube.com, Twitter, etc. Today, users' IP addresses with IPv6 change every hour; this has created the need to track the user and not the IP, and the need for an enterprise-wide user management system.

A theme that consistently arises during our conversations with industry participants is that regulations are not keeping up with the latest trends. Many we speak with believe that regulations make organizations spend money on compliance and not security, i.e., organizations spend money on outdated technologies like stateful inspection.

Exhibit 5. Next-Generation Network Security Positioning

| Positioning | Vendor | Legacy | Notes |
|---|---|---|---|
| Strong | Palo Alto | Pure play | Intelligence Platform with policy-based visibility and control is key differentiator |
| | FireEye | APT | Multi-Vector Virtual Execution (MVX) engine differentiation |
| | Barracuda | Filtering/FW | Well positioned to capture share in SMB market |
| | CheckPoint | FW | Small app control traction |
| | Fortinet | UTM | Tough to figure out NGFW traction, claims really fast FW, low presence with LEs |
| | Dell/SonicWall | FW | Making a push with lower end NGFW, traction is unclear |
| | Cisco | FW | Sourcefire acquisition likely to stem recent share losses |
| | Juniper | FW | SRX product line struggling after a strong start |
| | McAfee | FW/IPS | Unclear if McAfee network business strategic to Intel, mass exodus of employees |
| | IBM | IPS | Trying to reinvigorate ISS, but seems a long shot |
| | HP | IPS | TippingPoint getting lost inside HP, no NGFW strategy |
| | Websense | Web filtering | Still viewed as a point vendor despite appliance push |
| | F5 | ADC | Nascent security efforts and strategy |
| Weak | EMC RSA | Authentication | Will be making acquisitions in security, but doubtful network security |

Source: BMO Capital Markets; Gartner.

Key Characteristics of Next-Generation Network Security

Contextual awareness. Security and networking vendors have been increasingly adopting the idea of contextual awareness, spearheaded by Palo Alto Networks. Contextual awareness refers to the ability to enforce security policies based on application, device type, location, user identity, and other attributes. These attributes broadly fall in three categories: applications, content, and identity. Gartner believes that by 2015, 90% of enterprise security solutions deployed will be context aware and in 2014 around 60% of firewall purchases will be next-generation firewalls.
The main drivers of this trend are cloud computing, consumerization of IT, virtualization, and the rapidly changing threat landscape, which all make the traditional static security policy models less and less relevant and effective. Cloud computing trends, for example applications going to the public cloud and SaaS, make granularity vital to ensure that enterprise networks deal with the proper data. As IT loses control and ownership of IT assets and data, more context is needed when a security decision is made. This approach allows for better informed risk-based security decisions.

Application-level protection. Next-generation security like Palo Alto Networks securely enables applications like Facebook and Twitter inside the enterprise. It also allows for getting more value out of applications like Sharepoint and Webex. It can be used for granular controls such as providing access to personal email by stripping attachments. Palo Alto's application firewall keeps track of 1,000+ applications, classifies unknown traffic, and lets administrators decide what to do with it.

Processing of encrypted traffic. Palo Alto's technology processes both encrypted and unencrypted traffic. Traditional IPS solutions process only unencrypted traffic, which leaves wide gaps for encrypted malware.

Same level of protection everywhere. This technology provides the same level of protection to all users everywhere, whether at headquarters or the branch office. Traditionally, organizations have tended to under-invest in branch offices. Palo Alto Networks creates a virtual private cloud (GlobalProtect) using a small agent on devices whereby devices are logically there, no matter where they are. For off-the-network devices, the agent re-directs traffic to the nearest firewall via SSL VPN.

Proactive analysis of network traffic. With a continuous analysis of suspicious code throughout the attack life cycle and blocking of malware communications across multiple threat vectors, next-generation protections can stop advanced malware, zero-day exploits, and advanced persistent threats (APTs) from threatening sensitive data assets. This requires an additional layer of signature-less security beyond traditional network technologies. FireEye leads here with its Multi-Vector Virtual Execution (MVX) engine.

Surpasses UTMs in terms of performance. Next-generation security is different from UTMs in that UTMs suffer from the quality of their components, as they are not as tightly integrated as NGFWs and also provide no or limited application awareness. For example, a UTM's IPS or content filter cannot compete with the point specialist leader. Palo Alto's technology allows for functionality performance to remain constant, in our opinion. According to Check Point, its products see 10%-20% performance degradation for additional functionality, with AV and antispam seeing more degradation, while IPS has smaller degradation. Having said that, we believe UTM vendors will benefit from the buzz created by NGFWs, as the value proposition of both centers at least partly on security function consolidation.

Traditional vendors start from a core product like a firewall and add on another security blade like IPS. The next-generation security is a device that extends the network security from web and email to the network. Migration to either a newer firewall or a next-generation firewall is difficult; however, next-generation technology is far more advanced and Palo Alto is seeing great traction. Around 25% of Palo Alto's business is driven by the data center, and the recently launched big PA-5000 should expand Palo Alto's presence there.

Comprehensive scanning.
Today organizations run traffic through anti-malware, IPS, DLP, and content filtering, while next-generation network security does the same at the firewall level. URL filtering is deterministic, going after known malware. Reputation services produce a score used to determine which traffic needs to be scanned. Palo Alto's technology, however, scans everything all the time. Botnets, DDoS, and advanced persistent threats explore unknown vulnerabilities or exploit social networking. There is a need for more signature-less, behavior-based detection to detect unknown threats; we expect this area will grow significantly in the coming years. The role of signatures will likely decrease, but we believe they will be around for a while as a necessary but ancillary defense.

Exhibit 6. Pros and Cons of the Different Approaches to Next Generation Security

| Network Security Model | PROS | CONS | Companies |
|---|---|---|---|
| NGFW | Improved application visibility and control; Protection against threats, vulnerabilities, data leakage, abusive use, and targeted malware in real time; High performance and low latency; Simplified security infrastructure and lower TCO; Deployment flexibility for any point in the network | Possible performance issues, according to Gartner, for customers that deploy advanced NGFW policies on high speed heterogeneous traffic; NGFW might not compete well with small businesses where UTM might be a better solution | Palo Alto |
| Legacy Firewall | Familiar, simple to understand technology | Not designed to deal with Web 2.0 social media, SaaS, and other productivity enhancing applications; Does not work with non standard applications; If the initial packets are allowed to pass, subsequent associated packets are not inspected because they are assumed to be safe | CheckPoint, Cisco, Juniper, SonicWALL |
| Stateful inspection helpers | Complements to capabilities of stateful firewalls; Deep specialization in one security function can provide effective security | Introduces additional complexity and cost; Offers only partial visibility and control; Lack of integration; Can introduce significant network latency; Often relies on disparate malware signature libraries and policies | BlueCoat, HP Tipping Point, IBM ISS, Sourcefire, Websense |
| UTM | Addresses the complexity and cost issues of operating distinct helper technologies; Reduces network security complexity and cost by consolidating security functions into one product | Relies on stateful inspection technology preventing it from scanning all traffic and providing native application and user visibility; Performance can decline dramatically as additional security functions are turned on | Fortinet |
| Application Control Blade | Very cheap add on to legacy firewalls; Does not rip and replace existing legacy firewall infrastructure | Identify appls only after the traffic is passed through the FW, carrying the limitations of stateful inspection; Traffic will no longer be identified after allowed or blocked; Sequential traffic scan requires more processing power; Can't look for apps on non standard ports; Does not scan all traffic for applications | CheckPoint |

Source: BMO Capital Markets; Company documents.

Next-Generation Network Security Market Sizing

Next-generation firewall (NGFW) is the convergence (as opposed to integration, i.e., UTM) of multiple security functions (firewall, intrusion prevention systems, secure Web gateway) on a single-engine appliance. The basis of NGFW is the evolution of firewalls to encompass IPS and secure web gateways.

Gartner believes that by 2015, 90% of enterprise security solutions deployed will be context aware and that while less than 10% of internet connections today are secured using NGFWs, by year-end 2014 that will rise to 35% of the installed base, with 60% of new purchases being NGFWs. NGFWs can be used to meet the needs of 90% of most IPS use cases, and by 2015 more than 50% of IPS deployments will be part of an NGFW. According to Gartner, NGFWs that have secure web gateway capabilities will be used by less than 30% of the large enterprise market, and outside of the small or midsize business (SMB)/unified threat management (UTM) area, NGFW and SWG markets will not converge before 2015.

Exhibit 7. Next Generation Firewall Market Sizing

| ($M) | 2012 | 2013E | 2014E | 2015E | 2016E | 2017E | CAGR (08-14) | CAGR (12-17) | Source/assumptions/notes |
|---|---|---|---|---|---|---|---|---|---|
| Firewall/SSL VPN equipment | $6,639 | $7,125 | $7,707 | $8,373 | $9,124 | $9,933 | 3% | 11% | Gartner (September 2013) |
| % NGFW | 15% | 35% | 50% | 60% | 70% | 78% | | | 2014 Gartner assumption, rest BMO |
| NGFW | $996 | $2,494 | $3,854 | $5,024 | $6,387 | $7,748 | 82% | 67% | |
| IPS Equipment | $1,470 | $1,524 | $1,549 | $1,510 | $1,418 | $1,288 | 5% | 3% | Gartner (September 2013) |
| % subsumed by NGFW | 15% | 30% | 45% | 55% | 60% | 63% | | | BMO assumptions; 2015 >50% according to Gartner |
| Delivered by NGFW | $221 | $457 | $697 | $830 | $851 | $811 | 84% | 38% | |
| Secure Web Gateway (SWG) | $1,383 | $1,452 | $1,536 | $1,628 | $1,717 | $1,799 | | | BMO est 2010-2016; Gartner 2008-2009 |
| Secure Web Gateway: appliance | $650 | $706 | $791 | $877 | $966 | $1,056 | | | BMO est 2010-2016; Gartner 2008-2009 |
| Total | $2,033 | $2,158 | $2,327 | $2,505 | $2,683 | $2,855 | 8% | 9% | Gartner (September 2013) |
| % subsumed by NGFW | 5% | 10% | 15% | 25% | 38% | 45% | | | BMO assumptions; impact on SMBs in near term according to Gartner |
| Delivered by NGFW | $102 | $216 | $349 | $626 | $1,020 | $1,285 | 59% | 89% | |
| Total FW+IPS+SWG | $10,142 | $10,807 | $11,583 | $12,387 | $13,226 | $14,076 | 4% | 9% | |
| % NGFW | 13% | 29% | 42% | 52% | 62% | 70% | | | |
| Total NGFW | $1,318 | $3,167 | $4,900 | $6,480 | $8,258 | $9,844 | 79% | 65% | |

Source: BMO Capital Markets estimates; Gartner.

Within the NGFW market, Cisco held the largest share by our estimates with ~19% of the total market at the end of 2012. However, that declined from ~22% in 2010. As we mentioned above, we believe Check Point, Cisco/Sourcefire, Fortinet, and Palo Alto will likely continue to benefit from the growing next-generation security market, which will likely be at the expense of incumbents that have not updated their security offerings at the same pace, like Cisco and Juniper. Cisco should benefit from its recent acquisition of Sourcefire pending a successful integration.
(see exhibit below)

Exhibit 8. NGFW Market Share (2010-2012) ($M)

| Vendor | 2010 Share | 2011 Share | 2012 Share |
|---|---|---|---|
| Cisco | 21.9% | 19.1% | 19.2% |
| CheckPoint | 11.5% | 12.5% | 12.6% |
| Juniper Networks | 9.6% | 8.6% | 7.8% |
| McAfee | 5.5% | 4.7% | 4.7% |
| Fortinet | 3.6% | 4.1% | 4.5% |
| BlueCoat | 4.0% | 4.1% | 4.2% |
| Websense | 3.9% | 4.0% | 3.7% |
| IBM | 2.5% | 2.6% | 2.2% |
| Palo Alto Networks | 1.0% | 1.9% | 3.2% |
| SonicWALL | 2.0% | 2.2% | 1.7% |
| HP | 1.7% | 2.2% | 2.2% |
| WatchGuard Technologies | 1.5% | 1.6% | 1.5% |
| Sourcefire | 0.8% | 1.0% | 1.3% |
| Others | 30.4% | 31.4% | 31.4% |
| Total | 100% | 100% | 100% |

Source: BMO Capital Markets; Gartner

Palo Alto Networks next-generation firewalls enforce network security policies based on applications, users, and content. Palo Alto Networks is redefining the network security market as legacy providers are unable to deal with a complex IT environment and a constantly evolving threat environment.

The Check Point next-generation firewall extends the power of the firewall beyond stopping unauthorized access by adding IPS and application control protections. Next-generation firewalls come in many sizes and offer throughput of up to 110 Gbps.

Dell SonicWALL next-generation firewalls use the SonicOS Platform, and deliver gateway protection, inspection for SSL encrypted sessions, and granular application intelligence and control. With Dell SonicWALL Next-Gen Firewalls, IT can visualize applications running across a network, allocating bandwidth for what's essential and limiting or blocking what's not.

The Barracuda NG Firewall is an enterprise-grade next-generation firewall. User identity and application awareness are used to select the best network path, traffic priority, and available bandwidth for business-critical traffic. Barracuda NG Firewall Vx is a virtual appliance providing the comprehensive features and ease of use found in the Barracuda NG Firewall appliance. The Barracuda NG Firewall Vx integrates a comprehensive set of next-generation firewall technologies, including Layer 7 Application Control, availability, and traffic flow optimization across the wide area network, web filtering, antivirus, anti-spam, and network access control enforcement.

Exhibit 9. Gartner Magic Quadrant for Enterprise Network Firewalls
Source: Gartner

Intrusion Prevention (IPS): Convergence Taking Place Between Firewall and IPS

Dedicated IPS network security devices have traditionally focused on identifying and blocking threats targeted at specific applications and systems. IPS is evolving to incorporate other functionality (virtualization, application-awareness, client protection), and is increasingly sharing more traffic data with firewalls and other security functions. IPS continues to be driven by compliance.

Mimicking the evolution of next-generation firewalls, IPS solutions are becoming application aware, and vendors are adding detectors for applications and HTTP services, providing visibility and the ability to connect user and data policy. First-generation firewall technologies, however, are becoming less effective as web/cloud architectures introduce new components that are making protocol-based policy enforcement less effective.

Next-generation firewalls (NGFW) are a natural evolution of the two technologies, providing an integrated network platform that performs deep inspection of traffic and blocking of attacks. An NGFW would provide a firewall rule to block certain internet traffic based on IPS inspection of sites, while at the same time being aware that certain application components may still be in compliance. An example of this would include allowing a collaboration application to run, but eliminating a peer-to-peer file sharing component.

This convergence is, in turn, taking spending from the primary IPS market and driving it into the firewall market. This year, spending on IPS appliances is expected to decelerate to 3.6% y/y growth and begin to decline by 2015 with a CAGR of -2.6% through 2017.

Purely looking at intrusion prevention systems, McAfee and Sourcefire are the clear leaders when it comes to their solutions. Sourcefire has IPS appliances that can provide up to 40 Gbps throughput, and virtual IPS is available for VMware, Red Hat, and Xen platforms. The company is transitioning into offering a more complete NGFW solution with its FirePower hardware and is currently seeing good traction around that product.

Exhibit 10. Gartner Magic Quadrant for Intrusion Prevention Systems
Source: Gartner

We believe that the standalone IPS market has largely been absorbed by legacy and next-generation firewall vendors. In July 2013, Sourcefire, a world leader in IPS and next-generation network security, was acquired by Cisco to create one of the most comprehensive advanced threat protection portfolios, as well as a broad set of enforcement and remediation options available in the market.

Secure Web Gateway: Convergence Taking Place With the Firewall

Secure web gateways protect employees surfing the Web by providing URL blocking, inbound malware detection and blocking, application control, and related Web security services. The market is still dominated by on-premises (85%) solutions, but SWG-as-a-service is growing rapidly (26% in 2013E).

Secure web gateway solutions protect web-surfing PCs from infection and enforce company policies. A secure web gateway is a solution that filters unwanted software/malware from user-initiated web/internet traffic and enforces corporate and regulatory policy compliance. These gateways must, at a minimum, include URL filtering, malicious-code detection and filtering, and application controls for popular web-based applications.

Overall, the secure web gateway market is one of the fastest growing subsectors within the security industry. This year, spending on SWG is expected to increase 7.1% y/y to $2.1 billion. By 2017, spending on SWG is expected to reach $2.9 billion, representing a five-year CAGR (2012-2017) of 7.0%. The market has bifurcated into Enterprises and SMBs:

- Enterprise SWG standalone through 2015. Large-enterprise solutions provide protection against more advanced security threats, and some include the capability to detect targeted threats. Gartner believes that most large organizations will require separate firewall and SWG solutions through 2014, as more advanced attacks will mandate specialized security products.
- SMB SWG. SMB solutions are optimized for ease of use and cost-effectiveness and provide security protection against basic threats. Within the SMB segment, standalone SWG-as-a-service and UTM appliances are common forms of delivery.

SWG-as-a-service enables better protection of mobile employees by proxying all internet access through cloud-based filtering services, and penetration is expected to increase to 28% by 2017. Consolidation by traditional appliance vendors has also been a recurring theme. Cisco acquired market leader ScanSafe, Barracuda Networks acquired Purewire, Symantec acquired MessageLabs, McAfee acquired MX Logic, and Google acquired Postini. Websense, now offering hosted web security, has been acquired by Vista Equity Partners.

Exhibit 11. Gartner Magic Quadrant for Secure Web Gateways
Source: Gartner

Some of the more interesting independent solutions are:

- Barracuda web filter lets organizations benefit from online applications and tools without exposure to web-borne malware and viruses, lost user productivity, and misused bandwidth. As a comprehensive solution for web security and management, it unites award-winning spyware, malware, and virus protection with a powerful policy and reporting engine.
- Blue Coat Secure Web Gateway Virtual Appliance (SWG VA) combines the market-leading security capabilities of Blue Coat ProxySG with the flexibility of virtualization to provide a cost-effective enterprise branch office solution.
- Proofpoint Enterprise Protection (patented MLX Threat Classification Engine) provides an email security threat classification and email security management solution against phish, virus, spam emails, and other email-borne malware.
- Zscaler, launched in August 2008, is already considered the most visionary SWG vendor. Its as-a-service (direct-to-cloud) offering is +50% less expensive than competitive appliances and offers lower latency, resulting in competitive displacements versus on-premise market leaders.

Email Security Market Overview: Mature and Saturated as a Standalone

The email security market is very mature, and buying activity is limited to organizations that are replacing aging appliances or are at contract termination. The total market was an estimated $1.7 billion in 2012, and is estimated to grow at a 2.3% CAGR through, owing to market saturation, increased bundling/suite deals and intense competition among market leaders.

Global spam volumes declined again slightly in 2012, shifting to other mediums such as social networks, but spam represents as much as 69% of email. Basic spam and virus detection effectiveness is 99% or more for almost all the vendors, and targeted phishing detection, outbound email inspection, encryption, and delivery form factor are the major differentiators. Appliances and security-as-a-service are the most popular, but the availability of hybrid (combination of on-premises and as-a-service) and virtual appliances is increasing.

Email antivirus services were the first adopted security-as-a-service offering because many companies already used third-party email services, and these services can tolerate latency and can be largely self-administered via a web interface. Market penetration for as-a-service delivery is expected to increase from 40% in 2011 to 53% in 2015.