NEW YORK (The Deal) -- The New Year has been auspicious for cyber security companies.
FireEye's (FEYE) agreement to pay nearly $1 billion for Mandiant in early January suggests that M&A activity will remain high in 2014. Companies such as KEYW Holding (KEYW), Palo Alto Networks (PANW), Imperva (IMPV), Proofpoint (PFPT) and Qualys (QLYS) have made double-digit percentage gains in share price since FireEye announced the purchase.
Meanwhile, the recent high-profile hacks of Target's (TGT) and Neiman Marcus' customer information, and of Yahoo!'s (YHOO) banner ads, underscore the capabilities of cybercriminals and the value of systems that can deter, detect and track data thieves.
"There is much need to innovate because the bad guys continue to innovate," said Imperva CEO Shlomo Kramer, who is a serial investor in the security industry. Kramer backed Trusteer, a malware and fraud protection software company that IBM (IBM) acquired last year. He holds stakes in companies such as WatchDox, Incapsula, Lacoon Security, TopSpin Security and SkyFence Networks and is a former investor in Palo Alto Networks, Sumo Logic and Check Point Software Technologies.
"Today the bad guys are the nation-states and organized criminals that are extremely sophisticated. There is a need to continue to innovate," Kramer said. "This makes information security a very dynamic environment with more segmentation and more acquisitions and more activity than other similar IT markets."
The pace of recent M&A has been steady. Following FireEye's purchase of Mandiant, Palo Alto Networks acquired Morta Security to improve its defenses against advanced persistent threats and campaigns intended to infiltrate a company's network in order to steal data.
Last summer, Cisco Systems (CSCO) bought network security SourceFire for $2.7 billion, a 30% premium to the closing price, paying nearly 10 times revenue.
IBM purchased Trusteer, which protects Web applications, computers and mobile devices, for a reported price of $700 million to $1 billion.
In short, more data stored in more places traveling to more devices will continue to draw more miscreants trying to steal it. The rapid development cycle of cyber attacks places a premium upon technology that defends against these new forms of incursions. The demand from businesses seeking that protection makes the price worth paying.
ONE OF THE PILLARS of the enterprise market is network security, Kramer said, with participants such as FireEye and Palo Alto Networks. Larger rivals such as Cisco, Symantec (SYMC), Check Point and Juniper Networks (JNPR) also provide network security.
Securing endpoint devices, such as smartphones, tablets and laptops, is another pillar. "Who knows where they have been?" Kramer asked, citing the proliferation of the devices that now connect to corporate systems. "They are expected to touch the most sensitive assets of the organization." Companies in this area include WatchDox and Lacoon.
The third pillar is data center security, which has grown in importance with cloud computing and mobile apps. Imperva and SkyFence are participants.
Another segment focuses on management and consulting, from identifying an attack to collecting the logs and managing the response, which would include outfits such as Splunk (SPLK), Sumo Logic and Q1 Labs, which IBM acquired in 2011.
Imperva CTO Amichai Shulman explained that organized crime is increasingly adopting techniques developed by state-sponsored groups.
Nation-states "really introduced good software engineering practices" into malware and attack methods, he said.
They might deploy a "lightweight initial infection engine" that would introduce additional modules as the attack developed. Proxy servers would hide the identity of the command-and-control server, which would send instructions to infected servers, computers or devices.
"This is kind of a military technology that is finding its way into the criminal world or the commercial hacking world," Shulman said.
"Once you have a foothold in an organization and you are able to download your functional modules a lot of the lateral movement within the organization and grabbing info and taking it out is done manually," he said. State organizations may send a large number of files to a drop server.
"Someone or probably many people are going through that information and trying to figure out what is the value of it," he said.
Criminal operations may not have the workforce to conduct these massive hauls and sift through the data without a clear commercial motive. Automation of that process could lead to larger criminal attacks.
FIREEYE CEO David DeWalt described the confluence of social media, mobile devices, cloud computing and "big data" applications as "a perfect platform of evil," in a call announcing the Mandiant purchase on Jan. 3.
"Compound this with the growing capability of nation-state actors, advanced criminal groups and cyber terrorists, [and] the ability to steal intellectual property and financial assets, as well as cyber-sabotage ... critical infrastructure, has never been easier or more real," he said.
The purchase of Mandiant makes FireEye a more formidable competitor. One analyst said that the company is "the best at detecting a cyber attack" in a network.
"The one knock is that, yeah you can detect it, but what do I do after I am attacked?" he said.
Mandiant is known for linking personnel in the Chinese military to a 2012 hack of the New York Times. The company's strength is forensic analysis and determining who made an attack, how much of the operation was compromised and how a target could clean its systems.
"Mandiant is the remediation piece," the analyst said. "FireEye has become an end-to-end advanced cyber security vendor."
Shares of FireEye closed at $41.13 on Jan. 2 before the company announced the Mandiant purchase. The following day the stock closed at $57.02. It has since hit $69.84.
FireEye is the most highly valued security stock covered by Nomura Group, which put the company's $7.5 billion enterprise value at about 32 times projected 2014 revenue. Larger network security competitors Symantec and Check Point trade at 2.2 times and 5.9 times Nomura's projected 2014 revenue, respectively.
FireEye has increased revenue to $83 million in 2012 from $33 million in 2011. UBS (UBS) projected that 2013 revenue will total $160 million and that the top line will expand to more than $400 million in 2014. The company is Ebitda negative, however.
One observer said the company is in a "customer land grab phase" and compared it to Facebook (FB) acquiring users earlier in its development. The company has to invest its cash in sales and products to expand its customer base.
The Mandiant deal has rippled through enterprise security valuations.
Since the deal, Hanover, Md., cyber security company KEYW is up more than 15%, to $27.76. The stock had gained 25% earlier in January.
Shares of Qualys of Redwood City, Calif., also increased 15% to $26.76.
Palo Alto Networks of Santa Clara, Calif., has gained 14% to $61.33. Redwood Shores, Calif.-based Imperva rose 13%, to $55.12.Sunnyvale, Calif., e-mail security company Proofpoint has risen 12%, to $36.36.
FireEye's acquisition of Mandiant was negative for Symantec, Wells Fargo Securities analyst Gray Powell suggested in a January report, because it highlighted the commoditization of the company's virus software.
"Most investors think that [Symantec] has no answer today for complex attacks and that [Symantec] needs to build or acquire technology to offset future share losses," he wrote. Symantec has traded at $23.20, down slightly from its close of $23.46 before news of the Mandiant deal.
The problem for the legacy security venders, another analyst said, is that they have spent billions to develop their systems yet hackers come up with new techniques for thwarting them.
"That's where more M&A needs to happen," the person said, suggesting that large companies will address evolving attacks by purchasing smaller companies.
"On the opposite end, where you have these niche Silicon Valley venders with cool tech but not an end-to-end solution," he said, "they may need to look to a larger shop to get than end-to-end play."
A RECENT REPORT from FireEye described prior attack vehicles such as worms, Trojan horses and phishing e-mails from deposed tyrants as "oldies but goodies."
At the vanguard are zero-day attacks, in which a hacker exploits a previously unknown vulnerability in an application. With the attack under way, executives at the target or programmers at the software publisher have zero days to prepare a patch.
An advanced persistent threat, or APT, is more of an orchestrated cyber campaign than a single piece of malware.
Last summer, a campaign that security experts dubbed Operation DeputyDog made use of flaws in Microsoft (MSFT) software to launch a zero-day attack on companies in Japan. Other campaigns adopted the techniques, which were discovered by FireEye, and launched their own advanced persistent threat attacks.
"It is not uncommon for APT groups to hand off exploits to others, who are lower on the zero-day food chain - especially after the exploit becomes publicly available," FireEye researchers Ned Moran and Nart Villeneuve wrote in a blog post. "Thus, while the exploit may be the same, the APT groups using them are not otherwise related."
Imperva's Shulman said that the recent attacks on Target were "old school commercial hacking" compared to the potential for future exploits.
The real danger comes when criminal organizations begin to automate the heavy lifting of sifting through large amounts of data and documents on servers that state organizations currently accomplish with manual labor.
"I really think this is a time bomb," Shulman said. "If they have an automated way to quickly find out within your network your [Securitied and Exchange Commission] filings a week before they are being submitted then they could quickly grab this information and monetize it by trading the stock."
The dispersion of corporate networks caused by cloud computing and bring-your-own-device policies that allow workers to use their own smartphones and tablets raises another issue. The complexity is compounded by the number of cloud applications that handle tasks such as customer relationship management, human resources and enterprise resource planning.
"The rate at which new endpoint technologies are introduced into the enterprise environment is much faster than we can adapt security solutions," Shulman said.
With the proliferation of mobile operating systems and the dispersion of cloud applications and data, he added, there is no "choke point" or gateway for the organization to monitor access to systems.
"In theory if you did not have any mobile devices you could monitor all access to cloud assets from your network through some kind of a gateway," Shulman noted.
"If I am accessing the [customer relationship management application] in the cloud from the U.S. and at the same time someone is accessing my [enterprise resource management] account from China, there is no way to identify this type of incident," he explained. "Because ERP is in one place with one vender and CRM is in another place with another vendor, you have zero visibility."
It sounds intimidating. At least the large tech groups that will have to protect their clients from increasingly devious attacks, while defending their revenue base from incursions by niche security companies, are cash rich.
Moody's Investors Service noted in a recent report that Cisco had $48 billion in cash and liquid investments at the end of the third quarter, trailing only Apple (AAPL), Microsoft and Google (GOOG) in the tech sector. IBM has $10 billion, which is more than Facebook. Juniper and Symantec have about $4 billion. So there is an arsenal of cash to bolster the defenses.