NEW YORK (The Deal) -- The baffling, prolonged cyber-breach at Sony (SNE) highlights the frailty of corporate networks, if a string of high-profile attacks against Home Depot (HD), Neiman Marcus, Target (TGT), Bank of America (BAC) and others had not already made the vulnerability clear.
The Sony hack breaks the mold of some of the recent cases, in which cybercriminals looted troves of customer information and in some cases credit card details.
The breach kept Sony staffers from using computers for days and coincided with the pirated release of Sony's World War II feature "Fury" and forthcoming films such as a remake of "Annie." Confirmation that the hack is payback by North Korea for the Seth Rogen-James Franco flick lampooning Kim Jong Un would underscore the role that governments have increasingly played in online break-ins.
A young Matthew Broderick in "War Games" is not quite the archetype.
"In the old days it was kind of like this social misfit hacker stereotype who was largely self-taught. A computer geek," said Norwest Venture Partners managing partner Matt Howard, who was the first general manager of security at Cisco Systems (CSC). "Now it has become extremely professionalized."
Nation states and criminal groups have recruited sophisticated computer scientists. The goal is not to infect a legion of computers worldwide with a signature worm, but to target a select organization, inhabit its systems and collect sensitive data for political or financial ends.
To plug its breach, Sony reportedly hired Mandiant Corp., which FireEye (FEYE) purchased earlier this year for close to $1 billion.
Large tech groups like Cisco, IBM Corp. (IBM), Hewlett-Packard Co. (HPQ) and Intel (INTC) have made acquisitions to bolster security. Private equity and venture capital firms from Norwest to Thoma Bravo and Providence Equity Partners have stepped in to finance the teams that conduct the war on cybercrime, and to benefit from the increasing share of corporate IT spending.
"Remember the old 'Spy vs. Spy' cartoons?" Howard asks, referring to the Mad Magazine comic strip depicting the endlessly resourceful spies in black and white hats and overcoats. "What's happening now is you have brilliant minds on both sides of the table."
The attack against Sony was oddly brash. Workers were greeted with a menacing image that contained vague threats against the company, attributed to a group called Guardians of the Peace.
"Last week, Sony Pictures was hacked in a breach that caused the company to shut down all computers and force employees to work using only pen and paper," Wells Fargo Securities Internet security analyst Gray Powell wrote in a Dec. 3 note. "Eight days later, Sony is still working to restore some compromised systems."
For more than a week, Sony was apparently incapable of even making a public statement acknowledging the attack, which was common knowledge from Hollywood to Pyongyang.
"The FBI shared an intrusion detection signature for the malware and language referenced by the file is in Korean," Powell wrote. "It has been suggested the attack originated from North Korea in retaliation for the upcoming movie 'The Interview,' a comedy about a CIA plot to assassinate Kim Jong Un."
While the Sony case has the elements of a Cold War thriller, the new crop of sophisticated hacks is often more stealthy than showy. Cybercriminals are more likely to emulate the networking behavior of their victims than to openly mock them.
FireEye announced in early December that it had been tracking the exploits of a group called Fin4, which had hacked into e-mails of public companies to gain confidential information on M&A, product announcements and other market-moving developments.
Healthcare and pharmaceutical companies, and their outside advisers, were the most frequent targets. The perpetrators used links to fake Microsoft (MSFT) Outlook Web logins, among other tactics.
"The genius of these guys isn't with their technology capabilities, it is with their social engineering and their access," said FireEye manager of threat intelligence Jen Weedon.
On a number of occasions, Fin4 had targeted specific parties engaged in talks about a deal that had not yet been reported. The group stole documents used in the deal discussions and "weaponized" them to gain additional usernames and passwords.
"They had somehow identified all of the relevant parties, probably through access to victim e-mails, and then specifically went after those individuals, tried to get their credentials as well through malicious macros," Weedon said.
The sophistication of Fin4's bogus e-mails is several grades above classic phishing e-mails from, say, the new deputy governor at the Central Bank of Nigeria seeking bank account numbers from senior citizens.
"A lot of times we see bad actors do phishing and it looks childish, or there are misspellings," Weedon said. "With these guys, you couldn't distinguish between a normal e-mail in a thread and their response. That was what was most remarkable to us."
The group played to corporate squeamishness about improper disclosures by employees at a public company or an adviser. In one message, the author expressed concerns about a posting by an employee on a public website, which of course had not happened.
"While I understand that the employee has the right to his opinion, perhaps he should have vented his frustrations through the appropriate channels before making his post. The link to the post is located here (it is the second one in the thread)," the message stated. The e-mail contained a link that, if clicked, would open the user to attacks.
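The Fin4 messages described above combine a plausible pretext with a link to a lookalike login page. The following is an added example, not code from the article or from FireEye, of the kind of link inspection a mail gateway or security team can run over an incoming HTML message: it extracts every anchor, then flags links whose visible text names a different host than the real destination, links whose host borrows webmail or login vocabulary without being the organisation's approved webmail host, and links that are not served over HTTPS. The e-mail body, the approved host `mail.example-corp.com` and the keyword list are all constructed for this example.

```python
"""Inspect links in an HTML e-mail for phishing indicators (added example)."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed for this example: the organisation's genuine webmail host, and
# words a lookalike login page is likely to borrow into its hostname.
LEGITIMATE_LOGIN_HOSTS = {"mail.example-corp.com"}
LOGIN_KEYWORDS = ("outlook", "owa", "webmail", "office", "login")

# Constructed sample message modelled on the pretext quoted in the article.
SAMPLE_EMAIL = """
<p>While I understand that the employee has the right to his opinion, perhaps he
should have vented his frustrations through the appropriate channels before making
his post. The link to the post is located
<a href="http://owa-example-corp.login-portal.example.net/owa/">here</a>
(it is the second one in the thread).</p>
<p>Policy reference: <a href="https://intranet.example-corp.com/policy">
https://intranet.example-corp.com/policy</a></p>
<p>Sign in: <a href="https://example-corp.com.account-review.example.org/">
https://mail.example-corp.com/owa/</a></p>
"""


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url):
    """Return the lowercase hostname of a URL, tolerating a missing scheme."""
    parsed = urlparse(url if "://" in url else "http://" + url)
    return (parsed.hostname or "").lower()


def looks_like_url(text):
    """True if the anchor's visible text reads as a URL or bare hostname."""
    t = text.strip().lower()
    return re.fullmatch(r"(https?://|www\.)\S+|[\w-]+(\.[\w-]+)+(/\S*)?", t) is not None


def assess_link(href, text):
    """Return a list of human-readable reasons the link deserves scrutiny."""
    reasons = []
    host = host_of(href)
    if not host:
        return reasons
    # 1. Visible text claims one destination, the href goes somewhere else.
    if looks_like_url(text) and host_of(text) != host:
        reasons.append(f"display text points at {host_of(text)} but link goes to {host}")
    # 2. Hostname imitates a webmail/login service but is not an approved host.
    if any(k in host for k in LOGIN_KEYWORDS) and host not in LEGITIMATE_LOGIN_HOSTS:
        reasons.append(f"login-like host {host} is not an approved webmail host")
    # 3. Credential-bearing pages should never be reached over plain HTTP.
    if urlparse(href if "://" in href else "http://" + href).scheme != "https":
        reasons.append("link is not https")
    return reasons


def scan_email_html(html):
    """Return one finding per suspicious link in the message body."""
    parser = LinkExtractor()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        reasons = assess_link(href, text)
        if reasons:
            findings.append({"href": href, "text": text, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in scan_email_html(SAMPLE_EMAIL):
        print(finding["href"], "<-", repr(finding["text"]))
        for reason in finding["reasons"]:
            print("   ", reason)
```

On the constructed message the intranet policy link passes, while the "here" link is flagged twice (login-like foreign host, plain HTTP) and the final link is flagged because its visible text names the real webmail host but its destination does not. The checks are heuristics meant to prioritise analyst review, not to replace it.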
Frost & Sullivan Ltd. consultant Jarad Carleton noted that the potential for high-level corporate eavesdropping and surveillance is not new. Security firm Rapid7 reported in 2012 that some of the videoconferencing gear used in boardrooms is set to automatically accept incoming video calls, leaving the systems open to hacking.
"Imagine someone hacking in during M&A discussions and what would happen to stock prices," Carleton said. "Or perhaps it's through some competitive bid where [a company is] trying to get business in a very difficult country such as China, and there is a government-sponsored effort to get into their teleconference system and e-mail."
Breaches are becoming far more common. "The number of attacks is going up every single year," said 451 Research senior security analyst Garrett Bekker. "They are coming from bad guys and criminals who are looking to steal valuable info so they can sell it on the black market for credit card information," he said. "You've got nation states getting involved in the act, trying to steal military secrets and intellectual property."
The modus operandi has changed from the days when hackers sought bragging rights by developing a virus that could take down as many computers as possible throughout the world.
"Now they are more selective on their targets," Bekker said. "They do research on who they want to go after, they know specifically what they want to go after, they do low and slow attacks that are designed to be undetected. They will sit inside a network for weeks if not months and look to steal data."
Hackers might gain access to a network through a low-level employee or a contractor. The latter was the case in the attack on Home Depot, which was accomplished with credentials from a heating and air conditioning contractor.
Once in the door, hackers will try to move up the food chain.
"They go from the access rights of an outside contractor to eventually try to get administrative privileges so they can get to the sensitive stuff," Bekker said.
Moody's Investors Service analyst Gerry Granovsky said there are two types of companies. "There is the kind who know they have been hacked," he said, "and the kind who have been hacked but just don't know it."
While security spending is increasing, it still accounts for a small portion of corporate funds. Wells Fargo analyst Powell estimated in a recent report that the typical company devotes 5% of revenue to its IT budget and 5% of IT spending to security, a grand total of 0.25% of revenue.
Target's breach last year, in which criminals accessed the company's systems using credentials from a heating and air conditioning contractor, underscores the stakes for management and for boards.
The attack cost Target CEO Gregg Steinhafel his job. The company described Steinhafel's dismissal as "an involuntary termination for reasons other than for cause" in its shareholder proxy. Interim chairwoman Roxanne Austin noted in the message to shareholders that there were other problems, such as disappointing financials and challenges in Canada.
The cyber attack "shook our guests' confidence in Target," Austin wrote, just before holiday shopping.
Security is no longer an issue just for IT departments; it now must be addressed by boards and top executives. Institutional Shareholder Services recommended that Target stockholders vote against the company's directors because of the extent of the hack. And when an attack on JPMorgan Chase (JPM) exposed contact information for 76 million customers, CEO Jamie Dimon said that the company would double its $250 million yearly security budget.
Rather than focus solely on preventing attacks, companies are developing their ability to discover incursions quickly and limit damage. "The other thing is to put controls in place so that if you are breached, the bad guys won't be able to get out your sensitive data," 451 Research's Bekker said. Protections can include extra logins, authentication, encryption and segmenting sensitive data in different parts of a network.
With the emergence of cloud applications, mobile devices and other forms of computing, the potential for attack points has grown exponentially. So has the market for security patches.
451 Research tracks 1,100 cyber security vendors, many of them startups.
"It's almost like a farm system for security companies," Bekker said. "It seems that most of the best innovation and most of the new ideas come from startups."
In cloud security, CipherCloud raised $50 million from Transamerica Ventures, Delta Partners, Andreessen Horowitz and Deutsche Telekom's T-Venture in November.
Identity authentication is another niche that 451 Research follows. Kohlberg Kravis Roberts in September led a group investing $35 million in Ping Identity. In June, Okta raised $75 million from a group including Sequoia Capital, and ForgeRock obtained $30 million from Meritech Capital Partners and others.
Bekker said that a number of companies provide cloud application controls and security services to corporate IT departments, for which such applications are a growing source of vulnerability. Skyhigh Networks, which has backing from Greylock Partners and Sequoia, estimated that at the average corporation, staffers use 831 cloud applications. "Troublingly, 49% of IT professionals say they've been pressured into approving an app that didn't meet their company's security requirements," Skyhigh's latest report on cloud risk stated.
Other cloud application security companies include Elastica, with backing from Mayfield Fund; Adallom, a group founded by former members of the Israeli Intelligence Corps with funds from Sequoia and Index Ventures; and Netskope, which has raised money from Accel Partners and others.
Reliance on mobile devices and tablets has introduced new security concerns.
Bekker pointed to mobile security outfit MobileIron (MOBL), which went public in June, raising $100 million. VMware bought AirWatch, another mobile security firm, for $1.2 billion in February.
Growth in data analytics has brought its own problems. Corporate data management company Cloudera bought Gazzang in June. Data security company Dataguise Inc. raised $13 million from Toba Capital in September.
Target's massive breach has drawn attention to the risks posed by third-party vendors and contractors who may interact with a company's networks, another area that 451 Research tracks. BitSight Technologies, which assigns security ratings for companies, acquired Portuguese firm Anubis Networks this year, and raised $24 million from Globespan Capital Partners, Menlo Venture Partners, Flybridge Capital Partners and Commonwealth Capital Partners last year. Third-party security firm Prevalent Inc. raised $4 million from Fulcrum Equity Partners in June.
Bekker said that technology that tracks where data resides has become attractive to European companies following disclosures about National Security Administration snooping. "After Snowden," he said, "they are very concerned about where their data is being located."
With increased use of mobile computing, Frost's Carleton noted the seriousness of man-in-the-middle attacks, in which a person sets up a Wi-Fi hotspot to gain access to devices of unsuspecting users. A virtual private network by a company such as F-Secure can foil such attacks.
With all of the devices and security applications that IT departments have to manage, analytics that sift the resulting data have drawn investment. Norwest, Aspect Ventures and security investor Shlomo Kramer provided $10 million to data analytics security company Exabeam in June. The company uses data and behavioral analysis to find anomalies that could indicate breaches, and bring them to the attention of IT staff.
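The "low and slow" pattern Bekker describes, a contractor account that sits in the network, reaches hosts it never touched before and eventually acquires administrative rights, is exactly what behavioral analysis of the kind Exabeam sells is meant to surface. The following is an added example, not code from the article, Exabeam or 451 Research, of a minimal behavioral baseline: it learns each account's normal set of hosts and privilege level from a learning window, then flags first-time host access, an unusual number of new hosts over a trailing window, and any privilege change for an account that was never privileged. The log lines, account names (`hvac-vendor`, `jdoe`), hostnames and the learning cutoff are all constructed for this example.

```python
"""Behavioral baseline over constructed authentication logs (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log, one event per line: "timestamp,account,host,event".
# The contractor account behaves normally for two weeks, then quietly fans out.
SAMPLE_LOG = """\
2014-11-01T08:02:00,hvac-vendor,vendor-portal,logon
2014-11-03T08:05:00,hvac-vendor,vendor-portal,logon
2014-11-05T07:58:00,hvac-vendor,vendor-portal,logon
2014-11-01T09:00:00,jdoe,ws-112,logon
2014-11-02T09:01:00,jdoe,ws-112,logon
2014-11-02T09:30:00,jdoe,fileserver-03,logon
2014-11-19T02:14:00,hvac-vendor,fileserver-03,logon
2014-11-22T02:40:00,hvac-vendor,fileserver-07,logon
2014-11-25T03:01:00,hvac-vendor,dc-01,group_add:Domain Admins
2014-11-26T03:05:00,hvac-vendor,pos-gateway,logon
2014-11-26T09:02:00,jdoe,ws-112,logon
"""

# Constructed: everything before this instant is treated as known-good history.
LEARN_UNTIL = datetime(2014, 11, 15)


def parse_log(text):
    """Parse the CSV-style log into dicts sorted by timestamp."""
    events = []
    for line in text.strip().splitlines():
        ts, account, host, event = line.split(",", 3)
        events.append({"ts": datetime.fromisoformat(ts), "account": account,
                       "host": host, "event": event})
    events.sort(key=lambda e: e["ts"])
    return events


def build_baseline(events, learn_until):
    """Record, per account, the hosts used and whether it held privileges."""
    hosts = defaultdict(set)
    privileged = set()
    for e in events:
        if e["ts"] >= learn_until:
            continue
        hosts[e["account"]].add(e["host"])
        if e["event"].startswith("group_add:"):
            privileged.add(e["account"])
    return {"hosts": hosts, "privileged": privileged}


def detect(events, baseline, learn_until, window_days=14, slow_threshold=3):
    """Return (account, alert_kind, detail) tuples for post-baseline events."""
    alerts = []
    known = defaultdict(set, {a: set(h) for a, h in baseline["hosts"].items()})
    new_hosts = defaultdict(list)  # account -> [(timestamp, host)] first-time hosts
    for e in events:
        if e["ts"] < learn_until:
            continue
        acct, host = e["account"], e["host"]
        if host not in known[acct]:
            # First contact with a host outside the account's normal footprint.
            alerts.append((acct, "new_host", host))
            known[acct].add(host)
            new_hosts[acct].append((e["ts"], host))
            # Low and slow: each step is quiet, but the trailing window adds up.
            recent = {h for t, h in new_hosts[acct]
                      if e["ts"] - t <= timedelta(days=window_days)}
            if len(recent) == slow_threshold:
                alerts.append((acct, "low_and_slow",
                               f"{len(recent)} new hosts in {window_days} days"))
        if e["event"].startswith("group_add:") and acct not in baseline["privileged"]:
            # An account that never held privileges just gained some.
            alerts.append((acct, "privilege_change", e["event"].split(":", 1)[1]))
    return alerts


def run_sample():
    """Convenience wrapper: baseline and detection over the constructed log."""
    events = parse_log(SAMPLE_LOG)
    return detect(events, build_baseline(events, LEARN_UNTIL), LEARN_UNTIL)


if __name__ == "__main__":
    for account, kind, detail in run_sample():
        print(f"{account:12s} {kind:17s} {detail}")
```

On the constructed log the employee account `jdoe` produces no alerts, while the contractor account accumulates three first-time hosts in a week (triggering the low-and-slow alert), is added to an administrative group it never belonged to, and then reaches a payment gateway. In practice the learning window, the per-account thresholds and the list of privileged events would be tuned to the environment, and the alerts would feed a ticket queue rather than a print statement.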
Small, privately-held startups are arguably better than large public companies at adapting to the evolving guerilla tactics of hacker groups.
"The bad guys, they are like special warfare," Howard said. "They don't have overhead. They probably don't pay taxes. They are morphing very quickly."
Coinciding technological innovations and macroeconomic trends may have made things more difficult for large public security outfits. Cloud computing and other nascent forms of communications emerged after the Great Recession, just as companies faced pressure to preserve cash and maintain profitability.
"Wall Street made it clear what they wanted from companies," Howard said. "Companies wanted to show EBITDA."
The small private groups were able to invest more in high-risk research and development.
"We can run these companies in the red for many years," he said, noting that Norwest-backed FireEye was founded in 2004, 10 years before it went public. "We take a lot of commercial risk," he said, "and we share in the rewards."
Meanwhile, the large, incumbent security companies have been evolving.
Cascadia Capital managing director Michael Orbach said that the incumbent security providers started with products that secured endpoints, or the computers, laptops and servers that connect to networks. "How do I defend my perimeter against someone coming in?" he said. "How do I prevent some guy who is disgruntled, who has just been fired, from stripping all of my corporate data when he leaves?" The group includes McAfee (acquired by Intel in 2007), Symantec, FireEye, Proofpoint Inc. (PFPT) and Thoma Bravo-backed Blue Coat Systems Inc.
"The next phase was how do we defend the network itself, not just the endpoints," Orbach said. "That's when Cisco entered the fray."
Cisco bought security group NDS Group for $5 billion in 2012 and paid $2.7 billion for Sourcefire a year later.
Further reflecting the interplay between network technology and security, IBM bought Trusteer in 2013, reportedly paying about $1 billion.
Security firm Blue Coat purchased Solera Networks, which has a product that acts like a DVR for network traffic, allowing users to trace information about network usage.
As threats continue to evolve, M&A and funding rounds from private equity and venture firms are likely to continue.
"The rate of attack is faster than the rate of innovation and production of defenses," he said. "In this situation the only way for the incumbents to do it is to consolidate through acquisition and strengthen their own set of offerings in response to this, or for one or two companies, maybe PE backed, to consolidate the space and reposition themselves as a new answer."
Trusteer is just one of many security purchases by IBM, as the company has shifted its emphasis from hardware to software and services. Over the past decade, IBM spent more than $2 billion to roll up a dozen security outfits such as Q1 Labs, Fiberlink Communications and others.
"We formed the Security Division in 2011 to design a new approach to security, one focused on moving away from reactive protection systems to a proactive, intelligence driven approach," Brendan Hannigan, the general manager of IBM Security Systems, wrote in an e-mailed statement.
In three years, Hannigan added, IBM's security business has become the third-largest global enterprise security software company and grew by 20% in the third quarter.
The company said it sees growth opportunities in a number of security niches.
"Without question, one area is cloud security," Hannigan wrote. In a 2014 survey of chief information security officers, IBM found that 60% plan to increase their cloud security budgets over three to five years.
"Another is the detection and prevention of advanced malware," he wrote, stating that Trusteer protects computers and mobile devices from malware that can initiate a fraudulent payment. Hannigan stated that IBM has become the top provider of security intelligence and analytics, another niche where the company said it expects growth.
Check Point Software Technologies (CHKP) acknowledged in its third-quarter earnings call in October that it is looking for deals.
"We are seeing a little bit more interesting acquisition opportunities," Gil Shwed, the founder, chairman and CEO, told investors.
The Tel Aviv-based company has nearly $4 billion in cash. Tal Payne, the chief financial officer, said the company will use about $200 million to buy back stock but would have resources to make purchases. "We distribute pretty close to our operating cash flow," Payne said. "The rest of the cash as of now we would like to continue and dedicate it for potential future [acquisitions]."
Symantec announced that it would break up its security and storage businesses in October, allowing the companies to focus more on the individual lines of business and perhaps giving them more flexibility to pursue deals.
The company produces Norton antivirus software, a venerated benchmark standard that has been outmoded by advances in cybercrime. A Symantec executive told the Wall Street Journal in May that antivirus software is "dead," missing more than half of malware attacks. The company is shifting toward detecting and thwarting attacks.
Symantec does have strengths. Its widely deployed software gives it 42 million attack sensors in more than 150 countries, which the company has dubbed "the world's largest civilian cyberintelligence threat network."
"We believe that the unmatched scale of our threat intelligence network gives us a major advantage in tackling the quickly evolving threat landscape," a company spokesman said in an e-mail. "We see and track 3.7 trillion 'threat indicators' annually across the Internet and continuously collect new telemetry from hundreds of millions of mobile devices, endpoints, and servers across the globe, a footprint unrivaled in the industry."
With the competition from startups and other security companies, Wells Fargo analyst Powell wrote in a recent report that Symantec "needs to increase investments in R&D and look to use excess cash to make smaller technology acquisitions to complement its portfolio."
The company bought mobile security outfit NitroDesk earlier this year to address wireless offerings. Cascadia Capital advised the seller.
"A lot of the large IT companies have holes in their offerings in respect to mobile security," Cascadia's Orbach said.
Small and medium-sized businesses, or SMBs, do not have the stores of cash and customer information that big corporations control. But they are targets as well.
Security company VendorSafe Technologies said it estimates that small businesses are the victims of more than 80% of cyberbreaches. Providence Equity Partners' growth equity division took a majority stake in the company in November.
"This is a market that is front page news," VendorSafe CEO Kevin Watson said regarding the new attention paid to security because of the outbreak of cybercrime.
VendorSafe's customers include retailers, fast-food outlets and grocery stores, though the Houston company said it plans to expand in healthcare, insurance and other markets. "This isn't just a problem for banks or for major retailers," he added. "This is a problem for doctors' offices, lawyers' offices, insurance companies, anybody who has any information they are collecting on their customer base."
Frost & Sullivan consultant Carleton said that the stakes can be higher for smaller businesses, even if the dollar amounts are lower.
"When you have an SMB that is attacked and they get banking log-on credentials so they can do monetary funds transfers, you have a situation where an SMB is literally faced with life or death," he said. A theft of $300,000 to $500,000 could prevent a company from making payroll.
"These are issues that are increasingly coming up," he said. "It's happening in part because there isn't enough security awareness in companies around the world."
Few words have been abused as thoroughly in recent years as "hacked." The term denoting sophisticated, deviant computer networking activity is applied to the unconventional use of pumpkin spice in frappuccinos and other mundane acts.
Actual hacking is poised to become even more pernicious with the spread of cloud and mobile computing, and the introduction of "big data" analysis and machine-to-machine communications. 451 Research analyst Bekker said that security has lagged behind leaps in technology, such as the move from mainframes to servers, the introduction of the Internet and Web applications.
"Security is always after the fact. It's always a bolt on," he said. "People are in a rush to get these things to market and take their claim and make a land grab."
The networked home presents a number of new attack points.
Home alarms can be connected to the Internet. Google (GOOG) has invested in connected home technology this year, paying $3.2 billion for smart-thermostat developer Nest Labs, and $555 million for home monitoring system developer Dropcam.
August Home Inc., which has backing from Maveron, Cowboy Ventures, Industry Ventures, Rho Ventures and SoftTech VC, markets door locks that are controlled by smartphones.
Companies such as LIFX, with funds from Sequoia Capital, sell Wi-Fi enabled light bulbs.
Education about the dangers is absent in the home and the workplace. "The weakest link in the security chain is the business user," Frost & Sullivan consultant Carleton said. Executives may be lax about connecting laptops that have been exposed to threats to corporate networks, or balk at using encryption to avoid entering another password. Companies typically have training for computer systems, sexual harassment or other subjects, he observed, but often not for security.
Norwest's Howard suggested public education programs along the lines of the "Duck and Cover" drills during the Cold War or the "Click It or Ticket" seatbelt campaign.
"We have to get more creative," he said.
The hackers certainly are.