Shares of cyber security company FireEye (FEYE) jumped on Thursday as Goldman Sachs (GS) upgraded the stock from sell to buy, citing a faster-than-expected shift to recurring revenue and new details on the company's key Helix product. The news follows an upgrade from Bank of America Merrill Lynch (BAC) earlier in the week.
FireEye stock gained nearly 7.5% to $12.35 in mid-day trading on Thursday. While FireEye's projections that it will return to growth and profitability later this year have met with some skepticism, the upgrades may indicate that Wall Street is giving the message more credence. The U.S. government's recent indictments of Russian officials and hackers for attacks on Yahoo! (YHOO) may provide a reminder of the increasing geopolitical stakes in cyber crime.
CEO Kevin Mandia has said that Wall Street has been slow to recognize the improvements that the company has made, including FireEye's expansion from fending off sophisticated attacks into a broader array of security services. "That's about a tenth of what we're building here," he said in an interview before the upgrades, referring to its previous focus.
The company likens its signature Helix portal product to a Bloomberg terminal for cyber security that can process data and alerts from FireEye's systems. Helix can also incorporate alerts and data from other security companies' applications that a client has, in the same way that software by Oracle (ORCL) might be able to draw on data in applications by another developer.
Helix also adds reports on cyber data from staffers of Isight, which FireEye acquired last year. The company also bought software developer Invotas last year to automate responses to attacks. And a web chat function will allow clients to tap the knowledge of its forensic experts and others.
"When someone thinks they've been breached, the first question the CEO has is what is the worst case scenario?" Mandia said. Helix would allow a client to track an IP address and get data and intelligence about the attackers. For example, Mandia said, they could say "It's North Korea, they just broke into your network. Here's what they normally do."
The upgrades and the new products come as a new wave of attacks and responses from the U.S. government have heightened attention on cyber security. While Russian state-sponsored hackers traditionally focused on gaining access to defense technology, Kevin Mandia, CEO of cyber security company FireEye (FEYE), says their interest has more recently turned to the public sector and to politicians. That has led to a major change in who needs protection, and what level of security they require.
"You're going to have a lot of companies who say I've got to have solutions that can actually stop nation state-grade attacks. Most industries didn't feel they didn't need to do that in the past," Mandia said. Meanwhile politicians are in the cross-hairs of hackers. "If you're an elected official, you've got a government trying to hack you, get into your email," he added. "That's a little weird."
The U.S. government's indictment of Russian officials alongside private sector cyber crooks last week in the Yahoo! case reflects the growing tension between the Cold War foes. "We'd never done a public shaming of Russia like we did with China," Mandia said. "The government has never called out Russia and said, hey this is starting to be intolerable you're starting to do things that are different from the 20 years of rules of engagement that we've both followed until the indictment," he said.
Founded in 2004, FireEye's early roots were in detecting advanced persistent attacks, or APTs. The company developed a virtual machine to detect sophisticated attacks that evaded traditional prevention techniques. Mandia founded Mandiant Corp., which FireEye acquired for about $1 billion in 2014, as a forensic consulting and remediation outfit that comes in to develop a response to attacks. "We're the 'Oh crap!' button," Mandia said. The acquisition of Mandiant added response and remediation to FireEye's advanced detection services.
Because Mandiant's response teams get to see how attackers get into systems, Mandia says FireEye's other products benefit. "We have 300 responders who are operating full-bore, responding to breaches right now," he said. "We think it is strategically important to own that moment of responding to those breaches, because we get to see...what the bad guys are doing."
Mandia said FireEye has expanded into preventing, detecting, analyzing and responding to attacks on both networks and end points such as computers and devices.
Editors' pick: Originally published March 23.
While acknowledging bumps in the road, Mandia suggests that Wall Street has not fully appreciated changes the company has gone through since the beginnings of its APT business. "We didn't do what we said we were going to do in Q4 and we got beat up for it," Mandia said. "The reality is it was the most efficient business we've ever run in the history of FireEye."
Revenues of about $185 million were down less than 1% from the prior but missed company guidance of $187 million to $193 million. FireEye reported a $1.4 million operating loss.
Mandia's first anniversary as CEO of FireEye approaches in June. Amid the heightened geopolitical cyber tension, FireEye aims for a return to growth in the second half of the year, and says it will hit profitability in the fourth quarter.
The Bank of America Merrill Lynch upgrade on Monday helped drive the stock up 8.6% to $11.66. Despite the recent gains, however, the stock is well off its 52-week high of $19.17, particularly after missing its targets for the fourth quarter.
In the past, government-backed Russian hackers typically targeted defense-sector intellectual property at universities or contractors, said Mandia, who has tracked hackers from Russia, China and other points of origin for more than two decades. Before founding Mandiant in 2004, the FireEye CEO worked for the U.S. Air Force and a unit of Lockheed Martin (LMT), among other experience.
"If we did catch them, they'd go away politely for three months and then they'd hack back in," said Mandia.
About two years ago, in August and September 2014, however, the rules changed. "All of the sudden they let us observe them," Mandia said. "They stopped doing the manual steps [to avoid detection] that I'd seen them do my whole career," Mandia added, such as editing network logs and deleting lists of files they had downloaded. "I think that's because they are operating on a scale and scope they'd never operated on before and they said, 'Screw it we're not going to spend the time.'"
For all of the investment and engineering that goes into cyber security, however, the fundamental challenges can't be addressed through code, according to Mandia. "In the majority of breaches we're responding to, it's the human beings not the software," he said. "I'm getting you to run something that is bad on your machine."