Cybersecurity (Vol. II) 4 November 2016 - ChinaGoAbroad


High quality research requires investment Please do not copy or forward © CM Research 2016

SYNC. Global investment themes: technology, media and telecoms Issue No. 139

Cybersecurity (Vol. II) 4 November 2016


The world has entered the era of the Code War where every digital device, however small and innocuous, can be “weaponised” – as the recent Dyn cyber-attack aptly illustrated – to send “rogue code” deep into the Internet's engine room to create mayhem. Even the spooks are scared.

Today’s cybersecurity paradigm

Cybersecurity is critical to almost every business. Yet it is a non-core competence for most boards. The frequency of high profile corporate data breaches will accelerate because CEOs are not as well trained in cyber risk as they are in other business risks.

Almost every cyber-breach is an “inside job” – whether malicious or accidental – so real-time behavioural analytics is becoming increasingly important as a defence.

Meanwhile, the advent of new technology cycles such as the Internet of Things has dramatically extended the “attack surface” available to hackers. Overstretched IT managers are trying to manage too many piecemeal security products from too many suppliers. This yields an unmanageable volume of alerts to follow up and the curse of “false positives”.

Security vendor lists are likely to be slimmed down and Chief Information Security Officers (CISOs) are likely to choose broad-based security platforms rather than niche security vendors going forward.

How to invest in the cybersecurity investment theme

By 2020, the global cybersecurity market is expected to be worth $170bn, up from $77bn in 2015. But the core issue is that companies need “better” rather than “more” security.

Inside, we look at the 12 most important cybersecurity technologies and conclude that the most important ones in terms of driving the cybersecurity industry’s revenues over the next two years are unified threat management, cloud security and artificial intelligence.

Our research indicates the winners in these high-growth cyber technology cycles over the next two years are as follows:

Unified threat management: Check Point Software, Cisco, Fortinet, IBM, Palo Alto Networks, SecureWorks, Sophos and Symantec

Cloud security: Barracuda Networks, Fortinet, Imperva, Micro Focus, Qualys and Sophos

Artificial intelligence: IBM, Microsoft, Alphabet, Splunk and Palantir (privately held but likely to IPO in 2017)

Cyrus Mewawalla, Managing Director, Research, +44 (0) 20 3393 3866

Mike Orme, Senior Analyst, Research, +44 (0) 20 3393 3867

Elgen Strait, Managing Director, Sales, +44 (0) 20 3744 0105

www.researchcm.com


Contents

PLAYERS
TRENDS
  Changing nature of cyber threats
  Evolution of key cybersecurity technologies
  Industry growth drivers
  Corporate governance trends
  Wider industry trends
VALUE CHAIN
  Where does cybersecurity sit in the Big Data value chain?
  What are the key cybersecurity technologies?
  Network security
  Unified threat management
  Artificial intelligence
  Deception based cyber defences (subset of AI)
  Behavioural analytics (subset of AI)
  Security information and event management
  Endpoint security
  Mobile security (subset of endpoint security)
  Identity management
  Data security
  Application security
  Email security
  Cloud security
  Managed security services
  Post-breach consultancy services
  Which of these cyber technologies are the most important?
INDUSTRY ANALYSIS
  Defining cyber risk
  Investment landscape
  Today’s cybersecurity paradigm
  Human factors
  Deep learning as a cybersecurity solution


  Regulation
  USA
  Europe
  China
  Rest of world
  Industry size and growth forecasts
  M&A activity
TIMELINE
STOCK WATCH LIST
PRIVATE COMPANIES
OUR CYBERSECURITY SCORECARD
  Who’s who in our scorecard
  Thematic screen
  Valuation screen
  Risk Screen
TECHNOLOGY BRIEFING
  The NIST framework
GLOSSARY
APPENDIX: OUR “THEMATIC” RESEARCH METHODOLOGY


Players

This report looks at the big players in cybersecurity. We classify cybersecurity into 12 critical technologies: unified threat management, artificial intelligence, network security, security information & event management (SIEM), endpoint security, identity management, data security, application security, mobile security, email security, surveillance & behavioural analytics, cloud security and managed security services.

The table below identifies the market leaders and challengers in each technology category.

Who are the big players in the and where do they sit in the value chain?

Source: CM Research

Cybersecurity technology: market leaders and challengers

Unified Threat Management: Fortinet, Barracuda Networks, Ahnlab, Juniper Networks, BAE Systems, IBM, Check Point Software, Cisco, Palo Alto Networks, Aker Security, Sophos, SecureWorks, HP Enterprise, Symantec, Dell SonicWALL

Artificial Intelligence: IBM, Alphabet, Check Point Software, Fortinet, Cylance, Microsoft, Forcepoint (Raytheon), Cisco, HP Enterprise, Darktrace, Palantir, Splunk, FireEye, Micro Focus, Deep Instinct

Network Security: IBM, Check Point Software, BAE Systems, Sophos, Ahnlab, Cisco, Palo Alto Networks, Dell SonicWALL, Symantec, Barracuda Networks, Fortinet, SecureWorks, Forcepoint (Raytheon), WatchGuard, Hillstone Networks

Security Info & Event Mgmt (SIEM): RSA (Dell/EMC), SecureWorks, AlienVault, Intel (49% Intel Security), HP Enterprise, Splunk, BAE Systems, Micro Focus, IBM, Symantec, Fortinet, Trustwave (SingTel)

Endpoint Security: FireEye, Check Point Software, F-Secure, Landesk, Forcepoint (Raytheon), Microsoft, Palo Alto Networks, IBM, Sophos, Carbon Black, Symantec, Trend Micro, Qihoo 360, Kaspersky Lab, CrowdStrike

Identity Management: Gemalto, CyberArk Software, CA Technologies, Symantec, Salesforce.com, Microsoft, Giesecke & Devrient, Safran, Verint Systems, ImageWare Systems, Oberthur, Okta, IBM, RSA (Dell/EMC), Nexus

Data Security: IBM, Symantec, Informatica, CA Technologies, Intel Security, Digital Guardian, HP Enterprise, Thales, Oracle, Forcepoint (Raytheon), Tata Consultancy Services, RSA (Dell/EMC)

Application Security: F5 Networks, Imperva, Akamai, Fortinet, CloudFlare, HP Enterprise, Veracode, Barracuda Networks, Qualys, Trend Micro, IBM, WhiteHat Security, Citrix Systems, Rapid7, Trustwave (SingTel)

Mobile Security: Blackberry, Mobile Iron, HP Enterprise, Fortinet, Sophos, Cisco, VMware, IBM, Juniper Networks, Dell SonicWALL, Citrix Systems, Gemalto, SAP, Microsoft, Landesk

Email Security: Cisco, BAE Systems, Sophos, Dell SonicWALL, Microsoft, Barracuda Networks, Trend Micro, Trustwave (SingTel), ProofPoint, Fortinet, WatchGuard, Forcepoint (Raytheon)

Surveillance and behaviour analytics: Cisco, Alphabet, Symantec, Carbon Black, Securonix, Verint Systems, Palantir, Cloudera, CloudLock, E8 Security, IBM, Microsoft, Bay Dynamics, CrowdStrike, Gurucul

Cloud Security: Imperva, Barracuda Networks, Qualys, Cyren, CyberArk Software, Citrix Systems, F5 Networks, NSFocus, CloudFlare, CliQr, Akamai, Fortinet, Trustwave (SingTel), CloudPassage, CheckPoint Software

Managed Security Services: IBM, Verizon, AT&T, Orange, SecureWorks, BAE Systems, BT, WIPRO, Symantec, Trustwave (SingTel), NTT, Herjavec Group


Trends

New technology cycles such as the Cloud, the Internet of Things, robotics and the latest social media fads all increase cyber risk. Below, we summarise the main trends we expect to see over the next two years in the cybersecurity industry.

Changing nature of cyber threats

Trend What’s happening?

Ransomware

Ransomware, in which a victim's most critical files are held hostage, is a newish form of cyber-attack that is on the rise: in 2016, Malwarebytes, a security company, surveyed 500 companies in four countries and found that a third had been the victim of a ransomware attack. Ransomware refers to malicious software which takes control of a computer and encrypts the data on it, rendering it inaccessible. The hackers then demand a payment, typically in the form of bitcoin, in exchange for handing over the encryption keys. Spear phishing remains the most common entry mechanism whereby an email from someone you trust asks you to inadvertently click on something that downloads the ransomware onto your computer. According to FireEye, there were 30 ransomware families in 2015, up from just 3 in 2012.

Botnets

On the rise, too, are botnets (i.e. “robot networks”) which are created when a hacker temporarily takes control of millions of Internet-enabled devices such as security cameras or TV set top boxes by remotely infecting them with hidden malware. The botnet can then be used to mount distributed denial of service (DDoS) attacks by instructing the infected devices to send simultaneous data requests en masse to a single server, causing the server to overload and crash. Botnets are frequently rented out to criminals who use them to mine personal information or conduct DDoS attacks.

Protest groups

In this fractious, increasingly populist world in which trust in the Establishment keeps sinking to new lows, there will be ever more attacks by protest groups such as Anonymous to bring down large institutions via DDoS attacks that temporarily eliminate the availability of web or email servers. Anonymous in alliance with Ghost Squad Attackers claims to have brought down several central banks in this way, including the Bank of Greece, the Federal Reserve Bank of Boston, the Bank of England and the Bank of France. The group also claims to have brought down the London Stock Exchange for over two hours in early June. There is a lot more to come, not just focused on banks.

Dyn hack

On 21 October 2016, a number of popular US websites – including Airbnb, Amazon, Spotify, Netflix and Twitter – were rendered inaccessible following a massive distributed denial of service attack on the DNS servers of Dyn, a company which manages website domains and routes Internet traffic. It marked one of the largest DDoS attacks ever launched. The attackers had infected tens of millions of connected devices with the Mirai botnet, a form of malware which scours the Web for “Internet of Things” (IoT) devices protected only by factory-default usernames and passwords and then assumes control of these enlisted devices to launch DDoS attacks. The compromised IoT devices flooded Dyn’s computers with junk data, causing them to be overloaded and eventually fail. This led to legitimate users, who used Dyn’s servers to direct their URL requests, being denied access to their intended websites. The compromised devices used in the attack appeared to include CCTV cameras, smart home devices and other hacked “IoT” devices. The webcams of a Chinese electronics manufacturer called Xiongmai were linked to the attack. The attack on Dyn shows the weakness of the Internet’s underlying infrastructure and the relative ease with which large scale attacks can be implemented with impunity. It also shows that the manufacturers of IoT devices are an integral part of the security equation and need to up their game.

State-backed hackers

Although they almost always deny it, governments are behind an increasing number of cyber-attacks. Most innovation in the cybersecurity industry takes place during a nation state to nation state attack. Criminals then become aware of the vulnerabilities exposed by the attack and copy them.


Industrial espionage

Corporate systems have long been hacked for industrial espionage purposes. But now a new type of threat, called “advanced persistent denial of service” (APDoS) has come onto the scene. According to a report by Radware, this kind of exploit involves automated, bot-based attacks that generate large volumes of attack traffic quickly and maintain a long-term attack strategy creating an “advanced persistent denial of service” with the express purpose of extracting sensitive corporate data rather than merely clogging up enterprise links (the traditional purpose of a DoS attack). By diverting the IT department’s attention to fighting off the APDoS attack, the attacker can launch multi-vector attacks against the true target, that go unnoticed.

Online fraud

Online fraud is on the rise on the back of technology cycles such as P2P lending, mobile banking, ecommerce and the Internet of Things. Social media encourages the reckless dissemination of personal information on the web – which facilitates identity theft. Moreover, hackers have access to low cost tools and methodologies on the Internet and slim prospects of being caught. As more of our personal data ends up stored in the databases of Internet companies, specialist data resellers will create more and more Big Data algorithms that dice and slice this data for resale. Niche credit profilers such as Experian and Equifax are one set of beneficiaries. Online fraud detection companies such as IBM, Guardian Analytics, RSA (Dell/EMC) and Kount are another.

Source: CM Research

Evolution of key cybersecurity technologies

Trend What’s happening?

Intelligence-led security

There is a move away from passive detection of cyber-attacks towards active hunting of threat actors using intelligence-led solutions. Increased emphasis on artificial intelligence will free up internal resources from the constant firefighting that is caused by chasing “false positives”: most cybersecurity solutions are good at creating lots of “alerts”, but bad at prioritising those alerts. Criminals are careful not to show where they are operating from. Thus “attribution” is becoming more important because it helps you detect who is targeting you and what is their objective, so that you can pre-empt the next attack. Companies like FireEye take a company’s security “alerts”, feed them into their intelligence engine and tell the IT manager what the real weaknesses are. The leading AI-based security companies are IBM, Splunk, Microsoft and Palantir.

Unified threat management

Corporate expenditure on cybersecurity has been slapdash over the past two years. Multiple vendors have sold a patchwork of security products without considering how well they work together. The result has been a lack of strategic direction and co-ordination within many companies’ IT departments. Now, corporations are cutting down on the number of security suppliers from several dozen to a core list of less than ten. Many niche security companies will go bust. At the top of the chain will be “unified threat management” systems powered by “intelligence engines” that take a risk based approach to security. By automating threat discovery, investigation, and response, unified threat management can reduce incident response times and enhance overall threat detection rates. The leading companies in unified threat management are Check Point Software, Fortinet, IBM, SecureWorks, Sophos and WatchGuard.

Behavioural analytics

Virtually every breach is an “inside job” – whether through malicious intent or negligence – so behavioural analytics are critically important as a cyber defence. The AI leaders – IBM, Google, Microsoft, Splunk and Palantir – are amongst the best placed to exploit this trend. But there are also a number of start-ups who specialise in behavioural analytics in the cybersecurity sector like Cloudera, Bay Dynamics, Carbon Black, E8 Security and Securonix.


Security-as-a-service

Cybersecurity is moving from the purchase of one-off software products (e.g. downloading Norton anti-virus software for your laptop) to “security as a service”. This is because one-off security products are designed for a specific purpose while the threat environment is constantly changing. So security products must be flexible enough to handle this. As with other software products, security-as-a-product represents the past. Security-as-a-service (SaaS) is the future. SaaS reduces one-off costs of purchasing on-premises equipment and replaces them with monthly subscriptions. It also enables corporations to ensure their IT security is constantly up-to-date without having to manually replace equipment or download the latest security patches. The leading cloud security companies are Barracuda Networks, Fortinet, Imperva, Qualys, Trustwave (SingTel), CloudPassage and CliQr.

Post-breach consultancy

After a cyber-attack, many CEOs can appear clueless about the source, severity and impact of the security breach because their internal IT systems failed to gather this information. Thus, there is a growing market for post-breach strategy consultancy services. Post-breach strategy focuses on gathering information about the cyber-attack as quickly as possible after the event and formulating a credible public relations strategy to demonstrate that management remain in control of their business and have taken all actions possible to protect critical digital assets. The leading post-breach consultancy services companies include IBM, Accenture, KPMG, PwC, FireEye, Herjavec Group and root9B.

Mobile device management

As employees access more corporate data from their smartphones and tablets, IT managers must manage data flows between more clouds, more operating systems and more data formats. Blackberry was once the king of mobile device management (MDM). But MDM is no longer sold as a stand-alone platform. Increasingly, it is part of a unified threat management strategy, which is putting MDM players at a competitive disadvantage. Companies like Cisco, IBM and HP Enterprise approach MDM in a more holistic, unified way – which represents the future.

Big Data

The role of Big Data systems in detecting online fraud, money laundering and suspiciously behaving network traffic activity is growing. Leaders in using Big Data within the cybersecurity space include IBM, Splunk and Palantir. Alphabet, the world leader in Big Data, has not yet told us how it internally uses Big Data for cybersecurity purposes, but we believe that Google will one day have a formidable, intelligence-led cybersecurity product.

Biometric security

Amazon and MasterCard are amongst the first major payment players to use selfies as an alternative to security passwords. In October 2016, MasterCard announced the European rollout of Identity Check Mobile, a new payment technology application that uses biometrics (e.g. fingerprints or facial recognition) to verify a cardholder’s identity. The technology will be rolled out across the world in phases in 2017. Password security may one day become obsolete. Passwords offer poor security for most digital transactions and the time to replace them is overdue. Facial recognition and fingerprint technology companies should be a major beneficiary of this theme. Leaders here include Clarifai, 3M Cogent and Safran.

Managed Security Services

Fewer and fewer organisations have the skills base or nous to build cybersecurity defenses themselves or even make effective use of cybersecurity technology. This will increasingly tilt the balance in favour of managed security services, whereby a single security vendor manages an organisation’s cloud applications, compliance with data protection laws and other cybersecurity risks. Leaders in managed security services include IBM, Symantec, SecureWorks, WIPRO, BAE Systems, HP Enterprise and Trustwave (SingTel). Telcos like AT&T, BT, CenturyLink, NTT, Orange and Verizon also operate in the space.

Security at the chip layer

The high-speed networks and connectivity upon which business depends were built bottom-up for speed and openness, not security. It has not been possible hitherto to have all three at once. But now more and more security features will be baked into new and emerging hardware and software up the stack without unacceptable compromises on speed and openness. At the semiconductor level, ARM (acquired by Softbank), Intel and NXP (being acquired by Qualcomm) are already designing processors in which the software necessary to protect safety critical code is being partitioned off from the rest of the system.

Source: CM Research


Industry growth drivers

Trend | What’s happening?

Dwell times

Average “dwell times” have fallen from 220 days in 2010 to 146 days in 2015, on a global basis, according to FireEye. “Dwell time” refers to the time from compromise to detection. Reducing the dwell time is important because it reduces the risk of a “zero-day threat” (a vulnerability that is exploited by a hacker before the security vendor becomes aware of its existence). 146 days is still a very long time for a corporation to be exposed to a “zero-day attack”. Most corporations (and their insurers) will want to get dwell times as close to zero as possible. The mere fact that dwell times are still so high demonstrates that growth prospects for the security industry remain extremely good. The main beneficiaries of this growth will be cybersecurity companies who not only detect zero day threats, but also focus on assessing threat context: determining where the bad guys are, whom they are targeting and what they want.

Cloud

Large corporations are building private and hybrid clouds whilst small and medium sized ones are spending significantly on public cloud services. Both activities will open companies up to a higher risk of cyber-attack and will increase the demand for cloud security and web application security services. The leading cybersecurity companies that specialise in this field are Akamai, Barracuda Networks, Citrix Systems, F5 Networks, Fortinet, HP Enterprise, IBM, Imperva, Qualys, Rapid7, Trend Micro, CloudFlare, NSFocus, Trustwave (SingTel), Cyren, CloudPassage, CliQr, Veracode and WhiteHat Security.

Internet of Things

As more things become connected to the Internet, cybercrime will shift to connected fridges, connected cars, drones and industrial machines. In the race to create an “app” for every physical product, many companies are overlooking basic security features. The Internet of Things will lead to a dramatic extension of the ‘attack surface’ that hackers can target within a typical company. The Dyn attack (see page 5) is a sign of things to come.

Android fragmentation

Android handsets have long been susceptible to serious security breaches because Android is open source and Google does not control the software update process for most of the world’s Android smartphones. So when a security breach occurs, Google’s ability to “patch” it up quickly is limited. Instead, it is the device makers or the telecom operators that decide if, when and how to release software updates. In October 2016, Google took a big step to fix this “Android fragmentation” problem by introducing Pixel, a smartphone whose hardware and software are entirely controlled by Google. Over time, we expect Google to take Android proprietary, just like Microsoft Windows or Apple iOS. But that will take a few years. In the meantime, hundreds of millions of Android smartphones remain vulnerable to attack because their owners have not downloaded, or cannot download, the latest Android software updates from Google.

Insurance

On 17 March 2016, insurance broker Marsh warned that only 10% of financial services companies had valid insurance cover for a cyber-attack, although 50% thought they did. Many companies will sign their first cyber insurance policy in 2016. But the risk is that they are not covered even on day one, because they may already have breached the terms of their policy – for example, their dwell times may be too high – but they are not aware of it. As more multinational companies obtain insurance cover for cyber risk, they will be told by their insurers to increase spending on cybersecurity services.

Cloud Security Alliance

The Cloud Security Alliance, to which most of the major technology companies belong, now operates in almost every country. It is an industry body whose aims are to share intelligence on cybersecurity issues in an open environment and to jointly create large-scale self-learning cybersecurity systems based on open standards. This will enable its collaborators to build a collective wall against emerging cyber threats. The more collaborators, the more data and the smarter and self-learning the system gets.

Source: CM Research


Corporate governance trends

Trend | What’s happening?

Regulation in Europe

The EU’s Directive on Security of Network and Information Systems (the EU NIS Directive) was adopted by the European Parliament on 6 July 2016. Member States have a further 21 months to transpose the Directive into their national laws and 6 months more to identify operators of essential services, to whom the law applies. The NIS directive harmonises EU cybersecurity regulations. It stipulates that breaches must be notified to a competent authority within 72 hours. Whilst the EU NIS Directive is mandatory for all EU member states, the US’s NIST Cybersecurity Framework provides guidance only. This is likely to mean that, within two years, Europe will have the strictest cybersecurity compliance laws in the world: companies can be fined up to 2% of revenues or up to €20m for breaches of the EU Directive. Thus, European cybersecurity expenditure could rise significantly over the next two years.

Regulation in China

China’s new national security law aims to foster a “secure and controllable” Internet infrastructure. Initially, it was thought that the law would force many foreign technology companies to hand over their source code and submit to intrusive product testing. Some US companies indicated they would pull out of China altogether to avoid this. Since then, the Chinese government has watered down its proposals somewhat. If such laws are eventually enforced, the main beneficiaries would be domestic Chinese technology companies, operating in an even more protected environment than they have hitherto enjoyed.

Regulation in the US

Cybersecurity regulations in the US are lax compared to Europe or China. The National Institute of Standards and Technology (NIST), a unit of the U.S. Commerce Department, has a code of best practice called the NIST cybersecurity framework, but it is not mandatory. The SEC is, however, thinking about imposing greater disclosure requirements.

CISO

Many established enterprises and data-driven start-ups have recently appointed their first Chief Information Security Officer (CISO). The CISO’s role is to protect a company’s assets (both physical and digital) from cyber-attack. JP Morgan did not have a CISO when it was breached in 2014. Sony’s had only been in the job three months when its media arm got hacked. The average life of a CISO, though, is under 1.5 years. Given the ignorance and generally lax nature of most board directors, the CISO is a function that is virtually guaranteed, at present, not to be able to deliver.

Board awareness

Business executives still think of the most important business risks as technology risk, human capital risk, interest rate risk, political risk, competition risk and regulatory risk. Cybersecurity has moved up on enterprise risk registers to the number 5 or 6 position. In the next couple of years it should rise to number one or two. The implication is that cybersecurity expenditure will rise across several industries.

Employee training

The single biggest vulnerability for an organisation is the Privileged User account, where a low-ranking employee – perhaps a data inputter – is given too much access to too much information. Edward Snowden fell into this category. Poorly trained employees offer hackers a way in through the organisation’s infrastructure, enabling them to access sensitive information and install disruptive malware. Breaches due to internal factors are on the up whether through careless behaviour (e.g. opening suspect attachments in emails), disgruntled employees leaking information for financial gain or poor internal controls that allow systems access to suppliers and customers who are not security compliant. Indeed, Forrester points out that all cybercrime is often an inside job – whether deliberate or negligent. Organisations will need to operate on the basis of zero trust with much stricter controls, especially over privileged user access.

Vendor lists

Corporations are cutting down on cybersecurity vendors from several dozen – some have over 100 – to a core vendor list of fewer than 10. Prudence dictates that some redundancy is needed and buyers of cybersecurity services do not want to become over-reliant on a single supplier. Nonetheless, some niche security companies will go bust. At the top of the chain will be “intelligence engines” that take a risk-based approach to security.

Source: CM Research


Wider industry trends

Trend | What’s happening?

M&A

The larger software conglomerates – IBM, Oracle, SAP, Microsoft and Alphabet – are all in a race to build software ecosystems. Cybersecurity remains their weakest link. For networking equipment makers like Cisco, security is also seen as a weak spot in their offering. We see continued M&A in the sector with the big software houses, Internet ecosystems and networking equipment makers strengthening their cyber-security capability, especially in unified threat management and artificial intelligence. As we highlighted in “Tech M&A Targets”, the following cybersecurity companies are likely to be acquired within the next couple of years: Barracuda Networks, Check Point Software, FireEye, Fortinet, Imperva, Palo Alto Networks, Qualys, Rapid7, SecureWorks, Sophos and TrendMicro.

Geopolitics

Geopolitical tensions in the South China Sea, the Middle East, the Ukraine and elsewhere will mean the world is likely to see a new wave of cyber-attacks in 2017. Many will be zero day attacks, some state-sponsored. In October 2016, the US government formally accused Russia of attempting to interfere in the US presidential election scheduled for 8 November 2016 by hacking into Democratic Party emails and releasing them on WikiLeaks. Several governments are setting up new military cyber command divisions that will put cyber warfare on an equal footing with combat divisions in air, land, sea and space. The Edward Snowden revelations forced Silicon Valley’s technology firms to show the world that they are not the puppets of the US military. The result is that Silicon Valley co-operates much less with the US Department of Defense than at any time since the Vietnam War. Military contractors see this as an opportunity: the two military contractors branching out the fastest in the commercial cybersecurity space are BAE Systems and Raytheon (which owns ForcePoint).

Bug bounty programmes

In August 2016, Apple became the latest big tech company to introduce a “bug bounty” programme: it would pay cybersecurity professionals to find holes in Apple’s software and to report these “vulnerabilities” directly to Apple so that it can fix them before criminals use them to hack into Apple devices. Google, Microsoft and Facebook, amongst others, already have their own bug bounty programmes. As the Internet of Things – which refers to all things being connected to the cloud – takes off, more and more non-tech companies will become more vulnerable to cyber hacking. The scale of bug bounty programmes will rise in the coming years. The larger, cash-rich tech titans will be able to pay bigger bounties, enabling them to patch up holes in their software quicker than smaller rivals.

Privacy

As the global threat of terrorism grows, lawmakers in the US, UK, and elsewhere often argue that better security requires some degree of infringement of privacy rights. But, in the wake of revelations by Edward Snowden and other whistleblowers, many of Silicon Valley’s technology giants are becoming more reluctant to work with the US authorities to help them thwart terrorists or criminals. Technology companies – especially Apple – are going out of their way to enhance security features on their products (e.g. WhatsApp encrypting its messaging services or Apple denying the FBI access to a terrorist suspect’s iPhone). Non-cooperation with the US authorities in stemming crime now seems to be a badge of honour for many technology titans. In a new “Message Privacy Ranking” report published in October 2016, Amnesty International looked at 11 messaging apps and concluded that whilst WhatsApp (Facebook) and Apple had end-to-end encryption on their messaging services, many companies such as Snapchat and Tencent’s WeChat failed to adopt basic privacy protections on their instant messaging services. It called on companies to apply end-to-end encryption to messaging apps as a default to protect users’ human rights.

Venture capital

For the last five years, VC money flooded into the cybersecurity sector. This created too many niche cybersecurity start-ups. Now the trend amongst corporate IT departments is to slim down vendor lists. Only best in breed will survive. VC funding is thus drying up.

Source: CM Research


Value chain

Any type of digital activity creates cyber risk – the risk that digital data can be misused by cyber criminals.

Data is generated from all our digital activities: consumers leave digital footprints when they browse the web, purchase items online, use email or interact with social media; businesses, in addition to generating similar data footprints, are also keen to gather and analyse as much “Big Data” as they can for their own commercial use.

Every industry generates “Big Data” – namely, extremely large data sets that, when analysed, will reveal patterns, trends and associations, especially relating to human behaviour and interactions.

Big Data can only be of value to consumers and businesses if it is reliable, robust and secure. It follows that cybersecurity is a critical part of the “Big Data” value chain.

Where does cybersecurity sit in the Big Data value chain?

We split the Big Data value chain into four segments: Big Data production, Big Data Management, Big Data Product Development and Big Data Consumption.

Big Data production

Big Data is produced by digital activity of all sorts: call records, emails, sensors, payments, social media posts, photos, videos and much more. Many of the technology cycles that are taking off now are driving this explosion in big data. These cycles include ecommerce, artificial intelligence, virtual reality, social media, Internet TV, MedTech and the Internet of Things (including the connected car, the automated home, wearable technology, ambient commerce and the industrial Internet).

Big Data management

Big Data is managed in data centres – either in the public cloud, in corporate data centres or in end devices. These data centres deploy six key technologies to manage their data: analytics engines, databases, networking equipment, storage, cybersecurity and IT integration tools.

This report focuses on the “cybersecurity” component.

On the following page, we look at the key cybersecurity technologies that are likely to drive growth in the cybersecurity industry over the next two years.

Big Data needs to be reliable, robust and secure. It follows that cybersecurity is a critical part of the “Big Data” value chain.

Source: CM Research

[Figure: The Big Data value chain, shown as four segments.
Big Data Production: call records, calendars, databases, documents, email, GPS data, LIDAR, machines, motion sensors, music, payments, photos, RFID tags, sensors, social media, speech, video, visual data, web crawlers, web robots.
Big Data Management: insight layer, data layer and infrastructure layer, covering analytics, network, storage, IT integration, database and cybersecurity.
Big Data Product Development: digital marketing, business intelligence, search, machine performance, artificial intelligence, data mining.
Big Data Consumption: Chief Marketing Officers, Chief Operating Officers, data scientists, internet search, AI engines, the retail, banking, healthcare, military, agricultural and industrial sectors, security services, scientific research, app developers and more.]


Big Data product development

Once the data is stored, sanitised and secured it can be turned into a raft of Big Data products: ad tech companies like Google and Facebook use it to sell digital marketing tools that target users based on their digital profiles; manufacturing companies like GE use it to monitor the performance of their machines; business intelligence tools by the likes of Oracle use data to make operational decisions; artificial intelligence engines such as IBM Watson use it to answer queries at phenomenal speed.

Big Data consumption

These Big Data products are consumed by several categories of user. For example, Chief Marketing Officers use them to target advertising campaigns more effectively. Chief Operating Officers use them to run their business processes more efficiently. Chief Engineers use them to improve machine performance. And Chief Scientists use them for predictive analysis in research projects.

What are the key cybersecurity technologies?

In this report, we focus on the “cybersecurity” component within the “Big Data management” component of the Big Data value chain. In the schematic below, we list the 12 key cybersecurity technologies that will drive growth in the cybersecurity industry over the next two years and identify some of the leaders in each category.

Which technologies will drive growth in the cybersecurity industry over the next two years? And which companies lead the way?

[Figure: Cyber security technology stack. Cybersecurity sits within Big Data Management (insight layer, data layer and infrastructure layer: analytics, network, storage, IT integration, database, cybersecurity). The technologies and their leaders are listed below.]

Network security: Check Point Software, Fortinet, Palo Alto Networks, Cisco, IBM, SecureWorks
Unified threat management: Check Point Software, IBM, Sophos, Fortinet, SecureWorks, WatchGuard
Artificial intelligence: IBM, Microsoft, Palantir
Behavioural analytics: Palantir, E8 Security, Securonix, Microsoft, Symantec, Carbon Black
SIEM: HP Enterprise, SecureWorks, Symantec, IBM, Splunk, RSA (Dell/EMC)
Endpoint security: FireEye, Palo Alto Networks, Trend Micro, Microsoft, Symantec, Sophos
Mobile security: Blackberry, Citrix Systems, Mobile Iron, Cisco, Gemalto, VMware
Identity management: Gemalto, Giesecke & Devrient, Oberthur, Microsoft, Nexus, Okta
Data security: IBM, Oracle, Symantec, Intel Security, Raytheon, Digital Guardian
Application security: F5 Networks, IBM, Veracode, HP Enterprise, Imperva, WhiteHat Security
Email security: Cisco, Microsoft, ProofPoint
Cloud security: Akamai, Barracuda Networks, Fortinet, Imperva, F5 Networks, Qualys
Managed security services: IBM, SecureWorks, Trustwave (SingTel), Verizon, Symantec, BT

Source: CM Research


Below, we look at each of these cybersecurity technologies in turn.

Network security

Network security involves the use of specialised hardware and software to protect the underlying networking infrastructure from unauthorised access, misuse, malfunction, modification or destruction, thereby creating a secure platform for computers, users and programs to perform.

It typically encompasses a wide range of technologies including firewalls (to block unauthorised access), virtual private networks (to secure remote access), sinkholes (to redirect suspicious network traffic to a safe area), anti-virus, anti-spyware and other functions.

As customers move much of their data from in-house corporate data centres to the public cloud, network firewalls must also be deployed within the public cloud infrastructure provided by the likes of Amazon Web Services, Microsoft Azure and Google Cloud.

Leaders include Check Point Software, Cisco, Fortinet, IBM, Palo Alto Networks and SecureWorks.

Unified threat management

The problem most chief information security officers (CISOs) face is one of too many security vendors to manage. Some large companies have had up to 100 vendors. Each of these vendor security systems generates “alerts” that must be actioned, so many IT departments – who tend to be short staffed – are swamped with “false positives” from this wide array of niche security products that do not talk to each other.

Unified threat management (UTM) systems are the industry’s answer to this problem. UTM systems offer a single cybersecurity solution that combines multiple security functions – network firewalling, network intrusion detection, antivirus, anti-spam, VPN, content filtering, load balancing, etc. – within a single security system.

In recent years, UTM vendors, whose core clients are small and medium sized enterprises, have targeted the large enterprise market but with little success. These larger enterprises require mature next generation firewalls rather than UTM services, but in time UTM vendors will probably design products that can handle the complexity that large enterprises must deal with.

Leaders include Check Point, Fortinet, IBM, SecureWorks and Sophos.

Leaders in network security

Leaders: Check Point Software, Cisco, FireEye, Fortinet, IBM, Palo Alto Networks, SecureWorks
Challengers: Ahnlab, BAE Systems, Barracuda Networks, HP Enterprise, Juniper Networks, Huawei, Sophos, Symantec, Dell SonicWALL, Hillstone Networks, Forcepoint (Raytheon), Stormshield, Trustwave (SingTel), WatchGuard

Source: CM Research

Leaders in unified threat management

Leaders: Check Point Software, Fortinet, IBM, SecureWorks, Sophos, WatchGuard
Challengers: Ahnlab, BAE Systems, Barracuda Networks, Cisco, HP Enterprise, Juniper Networks, Palo Alto Networks, Huawei, Symantec, Aker Security, Dell SonicWALL, Hillstone Networks, Forcepoint (Raytheon), Stormshield, Trustwave (SingTel), Untangle

Source: CM Research


The process of trimming back vendor lists is well underway. As a result, market share will shift away from niche security vendors providing “point” solutions to “unified threat management” systems offering broad based security platforms deploying advanced big data analytics and cloud security.

Artificial intelligence

The issue that keeps most chief information security officers awake at night is the risk of a zero-day attack.

Zero-day attacks are cyber-attacks against software flaws that are unknown to the security vendor at the time of exploit. It is very difficult to detect zero-day attacks precisely because they involve malware that the security vendor has never previously seen. Typically, cyber-attackers will plant malware in their victim’s systems which remains undetected for months, perhaps years, giving them plenty of time to prepare an attack. Average “dwell times” (i.e. the time from compromise to detection) for malware have fallen from 220 days in 2010 to 146 days in 2015, on a global basis, according to FireEye. But 146 days is still a long time to be unaware that you are vulnerable, let alone to give yourself sufficient time to fix the vulnerability.

There is a move away from passive detection of cyber-attacks towards active hunting of threat actors using intelligence-led solutions. These solutions use machine learning techniques to look for suspicious behaviour within a business’s network traffic or to identify anomalies. The aim is to pre-empt the next attack. The best AI-led solutions will hunt for programming weaknesses and fix them before a hacker exploits them.

Moreover, virtually every breach is an “inside job” – whether through malicious intent or negligence – so behavioural analytics are critically important.

Leaders in AI include IBM, Microsoft, Splunk, Alphabet and Palantir.

Within AI-based cybersecurity, there are two subsets: deception based cyber defences and behavioural analytics.

Deception based cyber defences (subset of AI)

Some intelligence-led security systems use “deception-based” cyber defences whereby the system deceives would-be attackers with decoys that “imitate” a business’s true assets. Thousands of these “decoys” can be deployed, creating a virtual mine field for hackers, but alerting the IT manager to any malicious activity immediately. Deception based security is a subset of AI-based security but still a very nascent industry.

The best way to play this emerging security technology theme is via Rapid7. Other leaders are listed below.

Leaders in artificial intelligence

Leaders: IBM, Alphabet, Microsoft, Palantir, Splunk
Challengers: Check Point Software, Cisco, FireEye, Fortinet, Darktrace, Hitachi, HP Enterprise, Micro Focus, NEC, Verint Systems

Source: CM Research

Leaders in deception-based security

Leaders: Attivo Networks, CyberTrap, Cymmetria, GuardiCore, Specter, TopSpin Security, TrapX
Challengers: Allure Security, ForeScout, Illusive Networks, KEYW, LogRhythm, Percipient Networks, Rapid7, Shape Security

Source: CM Research


Behavioural analytics (subset of AI)

Virtually all cyber breaches are “insider jobs” – whether malicious or accidental. Behavioural analytics involves studying the behaviours of internal employees and third party personnel while flagging up vulnerabilities across the organisation's assets that hold sensitive data – such as laptops, apps and servers. It detects and tracks employees or contractors sending private corporate information to unfamiliar outsiders; it checks whether their endpoint devices and apps have been compromised; and it assesses whether the activity is malicious or accidental so that appropriate action can be taken.

Many companies use behavioural analytics to help find cyber breaches. Gartner estimates that “user and entity behavioural analytics” (UEBA) is still a very small market, with global revenues likely to be under $120 million in 2016.

Leaders in pure behavioural analytics include E8 Security, Fortscale, LightCyber, Interset, Securonix and Gurucul. In addition, some endpoint security vendors such as Digital Guardian, CrowdStrike and Carbon Black also provide behavioural analytics. As do some data analytics companies like Cloudera and Palantir.

Security information and event management

Security information and event management software aggregates all data produced by security devices, network infrastructure, IT systems and applications. It provides real-time analysis of security alerts generated by network hardware and applications. This data is used for the early detection of targeted attacks and data breaches as well as for forensic analysis, regulatory compliance and the management of serious incidents.

Leaders include RSA (owned by EMC, which is now owned by Dell), IBM, Intel Security (49% owned by Intel), SecureWorks, Splunk and Symantec.

Leaders in behavioural analytics

Leaders: IBM, Alphabet, Palantir, Microsoft, Symantec, Cloudera, Bay Dynamics, Verint Systems
Challengers: BrightPoint, Carbon Black, CloudLock, CrowdStrike, Cynet, Digital Guardian, E8 Security, Endgame, FlowTraq, Fortscale, Gurucul, LightCyber, Niara, Palerra, SAS, Securonix, SS8, ThreatConnect, Veriato, Ziften

Source: CM Research

Leaders in security information and event management (SIEM)

Leaders: RSA (Dell/EMC), HP Enterprise, IBM, Intel Security, SecureWorks, Splunk, Symantec
Challengers: AlienVault, BAE Systems, FireEye, Fortinet, Micro Focus, Qualys, Trustwave (SingTel)

Source: CM Research


Endpoint security

An endpoint device is any computer device connected to any Internet protocol (IP) network. Endpoint devices include desktop computers, laptops, smart phones, tablets, other wireless devices, printers, point of sale (POS) terminals and smart meters. Every endpoint device creates a potential entry point for security threats.

Endpoint security refers to the method used for protecting the network when it is accessed via endpoint devices. It typically comprises security software which sits on PCs, mobile devices, servers or gateways in the network. The server automatically updates the device software when required and certifies logins from the endpoints.

Endpoint security software includes malware detectors, anti-virus software, anti-spyware, anti-spam software and mobile device management software.

Leaders include FireEye, Microsoft, Palo Alto Networks, Symantec and Trend Micro.

Mobile security (subset of endpoint security)

Mobile security addresses the specific threats to networks from wireless connections. It can be regarded as a subset of both endpoint security and network security, but we look at it separately here.

The Bring Your Own Device (BYOD) trend, whereby employees connect their own personal smart devices to a corporate network, means that IT managers must control access to corporate networks via multiple mobile ecosystems such as Blackberry, Apple iOS and Google Android, each of which has its own security weaknesses.

Blackberry used to be the king of mobile security, particularly in respect of mobile device management. However, in its latest earnings call, Blackberry management announced they will no longer make their own handsets, which somewhat weakens its competitive advantage. Other leaders in mobile security include Cisco, Citrix Systems, Gemalto, IBM, Mobile Iron and VMware.

Leaders in endpoint security

Leaders: FireEye, Microsoft, Palo Alto Networks, Symantec, Trend Micro
Challengers: Bitdefender, Carbon Black, Check Point Software, Code42, CrowdStrike, EMC (RSA), F-Secure, Heat Software, IBM, Intel Security, Kaspersky Lab, Landesk, Panda, Qihoo 360, Forcepoint (Raytheon), Sentinel One, Sophos, Webroot

Source: CM Research

Leaders in mobile security

Leaders: Blackberry, Cisco, Citrix Systems, Gemalto, HP Enterprise, IBM, Mobile Iron, VMware
Challengers: Fortinet, Juniper Networks, Microsoft, SAP, Sophos, Dell SonicWALL, Huawei, Landesk

Source: CM Research


Identity management

Identity management is the process used by IT managers to identify individuals or machines in an IT system and control their access to resources within that system by associating user rights and restrictions with each established identity.

The primary function of identity management software is to ensure that the right people (or machines) have access to the parts of the IT system they require to fulfil their role. This involves processes to properly authenticate user identities and authorise access to networks or services.

Passwords are a common form of user authentication technology, but inherently weak. A password of 8 letters can be hacked by a relative novice within 20 seconds. Multifactor authentication can help by adding an extra layer of protection for authentication over and above the user name and password to verify a user’s identity. Forms of multifactor authentication include remote dongles that require additional passwords or text messages sent to the user’s smartphone.

The inability of the FBI to initially access the iPhones of the terrorists involved in the 2015 San Bernardino terrorist attacks is a good example of strong user authentication controls. (The FBI later employed hackers to break into the phones).

The cyber-attack on Target, a US retailer, in December 2013 was, in part, a failure of identity management systems. The retailer’s point-of-sales (POS) systems were not properly segmented from other industrial systems connected to the network. Thus, the attacker (who accessed the control system for heating and ventilation) could move freely from the heating system to the POS system on the network, installing malware on nearly all of Target’s POS devices in stores across the country, thereby gaining access to over 70m customer credit card numbers. The identity management system failed on multiple factors: to identify the intruder, to restrict access to certain systems and to monitor which systems each user was accessing. Failings in network security and endpoint security, of course, also contributed to the breach.

Next generation user authentication will almost certainly come in the form of biometrics: finger print identification, face recognition, iris scanners or even DNA sensors.

Leaders in identity management include CyberArk Software, Gemalto, Microsoft, Giesecke & Devrient, Nexus, Oberthur and Okta. Some of the leaders in biometric authentication include 3M Cogent (owned by 3M), Morpho (owned by Safran) and ImageWare Systems.

Data security

Data security refers to safeguarding data from loss, corruption, theft, misuse and unauthorised access.

The three most common elements to any credible data security strategy comprise authentication, encryption and backup. Authentication, as discussed in “identity management” above, involves ensuring the right people have access to the right data. Encryption involves scrambling the data into a code which requires a “key” to unlock. Backup involves storing copies of the data in another physical location on a regular basis.

Leaders in data security include IBM, Intel Security (49% owned by Intel), Oracle, Forcepoint (owned by Raytheon), Symantec, Digital Guardian and Informatica.

Leaders in identity management

Leaders: CyberArk Software, Gemalto, Giesecke & Devrient, Microsoft, Oberthur, Okta
Challengers: 3M, ImageWare Systems, Apple, LifeLock, CA Technologies, Ping Identity, IBM, Safran, Nexus, Symantec, RSA (Dell/EMC), Verint Systems

Source: CM Research


Application security

Application security protects software applications from cyber-attack. It encompasses application firewalls, application encryption programs, anti-virus programs, anti-spyware programs and biometric authentication programs. Application vulnerability testing and application penetration testing software also exists to allow developers to see how secure their applications are before general release. In addition, apps are now deployed in the cloud, so web application firewalls are a critical element of application security too.

Leaders in application security include F5 Networks, HP Enterprise, IBM, Imperva, Veracode and WhiteHat Security.

Email security

Email security refers to the collective measures used to secure the access and content of an email account or service.

Email is a common entry point for viruses, malware and ransomware.

The cyber-attack on Sony Pictures in November 2014 was a spear-phishing attack on senior executives via their email accounts. The attackers posted unreleased films and confidential emails online. Spear phishing emails are emails that target a specific individual and appear credible to the victim because they seem to originate from a friend or colleague and contain very specific information that only that friend or colleague could know. Strong email security can eliminate some spear phishing attacks, but spear phishing is not always conducted by email. Links posted on social networks like Facebook also put the victim in a place where they feel comfortable and so become vulnerable to exploits.

Email security helps guard against these kinds of attacks to some extent, but the only way to deal with attacks that involve human susceptibility such as spear phishing is to provide comprehensive security awareness training for all employees.

Proofpoint is the purest way to play the email security theme.

Leaders in data security

Leaders: IBM, Intel Security, Oracle, Forcepoint (Raytheon), Symantec, Digital Guardian, Informatica
Challengers: CA Technologies, Camouflage, Compuware, Dataguise, HP Enterprise, Tata Consultancy Services, Vormetric (Thales)

Source: CM Research

Leaders in application security

Leaders: F5 Networks, HP Enterprise, IBM, Imperva, Veracode, WhiteHat Security
Challengers: Akamai, Rapid7, Barracuda Networks, Trend Micro, Citrix Systems, CloudFlare, Fortinet, NSFocus, Qualys, Trustwave (SingTel)

Source: CM Research


Cloud security

Cloud security protects IT systems that run on the public or private cloud. It combines all the security elements associated with on-premise IT systems and applies them to an environment where IT infrastructure, platforms and applications are run from a remote, off-premises data centre.

The Cloud Security Alliance (CSA), charged with promoting the use of best practices for providing security assurance within Cloud Computing, has a wide array of members including Accenture, Adobe, Atos, Avaya, Cisco, Citrix, eBay, Ericsson, Fortinet, Fujitsu, Google, EMC, HP Enterprise, Infosys, Juniper Networks, Microsoft, Nokia, Palo Alto Networks, PwC, Raytheon, Salesforce, Sophos, TCS, Trend Micro, Verizon, VMware and many others.

Some of the leaders in cloud security are listed below. Imperva specialises in this space.

Managed security services

Securing a network is a business-critical function and requires a highly skilled workforce. Not all companies – even the largest enterprises – have the skills available in-house to do it well. So many companies outsource network security services to third parties.

Managed security services providers monitor and manage the IT security functions of a company from remote security operations centres (SOCs).

Leaders in this field include IBM, SecureWorks, Symantec and Verizon. Many telecom operators also provide managed security services including AT&T, BT, NTT, Orange, SingTel and Verizon.

Leaders in email security

Leaders: Cisco, Microsoft, ProofPoint
Challengers: BAE Systems, Forcepoint (Raytheon), Barracuda Networks, Sophos, Dell SonicWALL, Trend Micro, Fortinet, Trustwave (SingTel), Intel Security, WatchGuard

Source: CM Research

Leaders in cloud security

Leaders: Akamai, Barracuda Networks, F5 Networks, Fortinet, Imperva, Sophos
Challengers: AdNovum, Cyren, Citrix Systems, Micro Focus, CliQr, NSFocus, CloudFlare, Qualys, CloudPassage, Trustwave (SingTel), Code42, Vormetric (Thales)

Source: CM Research

Leaders in managed security services

Leaders: IBM, SecureWorks, Symantec, Verizon
Challengers: BAE Systems, AT&T, HP Enterprise, BT, SingTel, NTT, Wipro, Orange

Source: CM Research


Post-breach consultancy services

CEOs do not want to look clueless in the immediate aftermath of a debilitating cyber-attack. During the cyber-attack on TalkTalk, a British telecom company, this year, for instance, management took too long to figure out what happened. For days, they were unable to answer basic questions. Who attacked them? What did they take? Why did they do it? And which customers were impacted?

In answering these questions, “attribution” is important because it helps you detect who is targeting you and what is their objective, so that you can pre-empt the next attack. Attribution involves using intelligence engines that examine the behaviour of attackers.

Post-breach consultants focus on gathering information about the cyber breach as quickly as possible and formulating a credible public relations strategy to demonstrate that management remain in control of their business and have taken all actions possible to protect critical digital assets.

Many of the cybersecurity companies that offer post-breach consultancy services operate like the CIA and other intelligence agencies – they have a global network of field operatives and “listening posts” whose job is to understand the enemy (i.e. the hackers in their assigned territory) and what drives them. Identifying the characteristics of a hacker in one breach can help pre-empt others.

The leading post-breach consultancy services companies include Accenture, IBM, KPMG, PwC, FireEye, Herjavec Group and root9B.

Leaders in post-breach consultancy services

Leaders: Accenture, IBM, KPMG, PwC
Challengers: FireEye, root9B, Herjavec Group, CrowdStrike

Source: CM Research


Which of these cyber technologies are the most important?

At CM Research, we use a scorecard approach to help select stocks (see page 47 for an explanation of our research methodology).

Our cybersecurity scorecard is set out on pages 38 to 41 and covers our thematic screen, valuation screen and risk screen.

The thematic screen identifies the top ten technologies that will drive earnings in the cybersecurity sector over the next two years. We weight these cybersecurity technologies based on their relative importance as an earnings driver for the cybersecurity industry over the next two years. We then rank every stock in the cybersecurity sector against every technology, using a score of 1 to 5, where 5 indicates a technology leader and 1 indicates a technology laggard. By consolidating the scores for all technology cycles and taking account of weightings, our thematic screen ranks companies based on their technology leadership.

The weightings used for our thematic screen (see page 39) within our cybersecurity scorecard are as follows:

Cyber technology: Weighting*

Network security: 15%
Unified threat management: 15%
Artificial intelligence (including deception based defence and behavioural analytics): 15%
Security Information and Event Management (SIEM): 10%
Endpoint security (including mobile security): 10%
Identity management: 5%
Data security: 5%
Application security: 5%
Email security: 0%
Cloud security: 15%
Managed security services: 5%
Post-breach consulting services: 0%
Total: 100%

Source: CM Research
* These weightings are applied to our thematic screen on page 39.

These weightings will change over time as the various cybersecurity technologies evolve and their relative importance to industry earnings growth changes.


Industry analysis

Technological progress leads to a higher incidence of cyber-attacks. The big technology cycles of today – ecommerce, mobile payments, cloud computing, big data, the Internet of things, artificial intelligence and social media – all increase cyber risk for users.

Meanwhile, the nature of the threats is becoming more diverse. They include advanced persistent threats (APTs), distributed denial of services (DDoS), viruses, worms, malware, ransomware, spyware, botnets, spam, spoofing, phishing, hacktivism and the potential for nation state to nation state cyberwarfare. (Note: many of these terms are explained in the glossary on page 44.)

Defining cyber risk

To help us define “cyber risk”, we talked to the insurance industry because when corporations face new risks it is insurance companies that are typically the first group of professionals to quantify those risks.

Cybersecurity is difficult to insure precisely because it is difficult to define: the types of cybercrime differ, the motivations for these crimes differ, the assets targeted differ and the remedies differ.

Whereas most types of criminal activity have a single target (e.g. to steal money) and a single motive (e.g. to get rich), cybercrime is different. It has many motives, can come in many forms and can be committed by a host of different types of attackers (known as threat actors) – as the table below illustrates.

Cyber risk has many faces and many motives making cyber insurance policies highly complex.

Threat actors: Thieves (normally in organised crime syndicates)
Motives: Data theft; infiltration of bank accounts and credit cards; extortion, using threat of attacking corporate websites
Assets targeted: Personal information; credit card data; corporate IT infrastructure
Insurance implications: Physical assets can be insured, if identified. Brand loyalty and customer loss are more difficult and more expensive to protect with insurance.

Threat actors: Hacktivists
Motives: Seek attention for their cause
Assets targeted: Senior executives’ digital footprints; business critical assets; corporate websites; social media accounts
Insurance implications: Companies may choose not to claim against insurance to avoid disclosure of cyber-attacks. Difficult to protect reputational damage.

Threat actors: Terrorists
Motives: Extortion; disruption or damage to critical infrastructure assets; industrial espionage
Assets targeted: Business critical assets; telecoms and power networks; technological knowhow
Insurance implications: War is not covered by most insurance policies, but at what point does cyber-warfare turn into a traditional war? Terrorism needs to be specifically written into policies. Whilst patents can be valued, R&D cannot.

Threat actors: Malicious players
Motives: Targeted: vengeance from disgruntled employee or customer. Untargeted: damage to IT infrastructure caused by a computer virus.
Assets targeted: Business critical assets; social media accounts; corporate property, secrets and IP
Insurance implications: Weak internal controls may invalidate the employer’s cover. Tangible costs like fines and litigation can be insured. Intangible costs like brand value are difficult to insure and can destroy shareholder value.

Source: AIG, Marsh, KPMG

The motives can range from extortion to theft to industrial espionage to revenge or simply attention seeking. Cybercrimes can be committed by a vast range of potential suspects from organised crime syndicates to hackers to disgruntled employees to terrorists to nation states. And they can target a wide array of assets from personal information on laptops to corporate IT infrastructure to commercial secrets to physical infrastructure to social media accounts. Add to that the technology dimension: for each new technological cycle – such as the Internet of Things, or artificial intelligence – there are associated new cyber threats.


Unsurprisingly, insurers tailor cyber-risk policies to individual companies, specifying what type of cyber-attacks are covered, what type of business-critical assets are covered and what internal controls the company needs to follow to validate the policy.

Investment landscape

The cybersecurity sector became an event driven bull market between 2014 and June 2015. Some stocks rose by 100% before giving all or most of it back between June 2015 and March 2016.

In addition to frantic M&A in the sector since 2014, the “events” that caused the bull market were a series of high profile cyberattacks on leading institutions such as JP Morgan, Sony, Home Depot, Target, US Office of Personnel Management, TalkTalk, Ashley Madison and others. This, in turn, triggered a panic $150 billion spend on cybersecurity over the period.

Much of the spending, though, was slapdash: it encompassed patch-worked “point” security systems from too many suppliers against the backdrop of lax corporate cultures and a dearth of cybersecurity experts.

Between its inception in November 2014 and its peak in June 2015, the ISE Cybersecurity “HACK” ETF surged by 33%.

Since then, the lack of big, headline hacks has sobered the market and scepticism about “silver bullets” has reined back the corporate spend trajectory. At the same time, vendor lists were being trimmed, which spooked investors.

The “hack” ETF has been flat this year, while still standing some 20% below its June 2015 peak.

A lot of market focus will be on the scope and prospects for M&A and roll-ups within a sector that begins to resemble the semiconductor sector in this respect, and the extent to which culling vendor lists and in-house shortages of cyber experts will combine to lead to increased outsourcing of IT security to the sector’s big, integrated suppliers over the next five years.

Today’s cybersecurity paradigm

Cybersecurity is now a mission critical business risk, not just a technology problem. Yet it is a non-core competence for most boards. Breaches are therefore inevitable because CEOs are not sufficiently trained in this business risk as they are in other business risks.

Moreover, corporations cannot address cybersecurity risk on their own – they need law enforcement.

Criminals are attracted to cybercrime because of the low risk/high reward nature of the industry. The number of prosecutions for cybercrime is the lowest of all major crimes. This is because crimes are normally prosecuted in the jurisdiction in which they are committed, but most hackers deliberately attack corporations from an overseas territory. Because of the multi-jurisdictional nature of the problem, law enforcement agencies are doing little to address the growing threat of cyber-attacks.

Governments need to impose credible deterrents and hackers need to know they will be punished. Yet this is unlikely to be properly enforceable for several years.

Human factors

Benjamin Franklin’s bon mot that “an ounce of prevention is worth a pound of cure” is as relevant to cybersecurity as it was to public health. We saw in “MedTech” how technology focused on the yield of “actionable data” is beginning to transform medicine and healthcare. The same will happen in cybersecurity and in many ways, cyber care is analogous to healthcare.

The human body is highly resilient. It is designed for a hostile world and to deal with multiple and constant viral and bacterial attacks. The skin forms an exterior defence which, when breached, triggers a complex array of defences – stemming the flow and monitoring infection to discern what is important and what is not, while white blood cells deal with what is already inside the body.

In public healthcare, lifestyle – a combination of diet, exercise, social intercourse, mental activity and pollution – is a vital factor in determining a body’s vulnerability to attack, resilience to infection and ability to recover: the “ounce of prevention”.

Organisations are not designed with anything like the same focus and armoury for a hostile world as the human body, and yet their networked, instant connectivity world is exceedingly hostile, bristling with threats, and is not built bottom-up to be secure.


Just as “lifestyles” make human health more – or less – resilient, so, too, with corporations and the extent to which they are cybersecure.

The truth is that most individuals and most corporations lead “lifestyles” that are unhealthy, lacking in cyber hygiene. Yahoo’s 2014 data breach, in which 500m accounts were compromised, was only revealed in 2016 and, according to some reports, stemmed from a lack of the most basic cyber hygiene.

The attitude in board rooms all too often is that cybersecurity is for the “IT people”. It is. But it is also very much for the C-Suite and marketing, sales and logistics executives with access to privileged information, for they are the prime targets for hackers. Their jobs in today’s connected world are touched by security issues every day especially as they interact digitally with third parties.

There is a generational problem in play.

Many large and powerful organisations are run by “digital immigrants” whose MBA courses did not include a module on cybersecurity, who do not know the vocabulary and grammar of cybersecurity, who insist that it can only be understood by nerds, and who lack cyber discipline despite the best efforts of IT managers to impose it upon them.

These individuals are the entry points for many cyber-attacks.

Indeed, senior executives, employees, contractors and suppliers all must be regarded as part of the problem. The right culture needs to be created and nurtured top down to turn people at all levels into the first line of defence against cyber-attack.

If that were to become a reality, it is estimated that 90% of cyber-attacks would fail, and the cyber hackers and criminals would run out of opportunities.

Within ten years, three things will have changed: first, the “digital immigrants” will have started to give way to the “digital natives” (see “Generation Hashtag”) in the board room; second, intelligence-led, collaborative cybersecurity systems will have appreciably improved organisational cyber hygiene; and third, semiconductors will have security built in at the hardware level.

Until then, however, investors will need to sift through the myriad of cybersecurity companies out there to determine which technologies will be in demand in the next couple of years. Our research indicates that the key cyber technologies that investors should be exposed to are unified threat management and artificial intelligence.

Deep learning as a cybersecurity solution

Deep learning is a hot topic for investors. (See “Artificial Intelligence”.)

Deep learning is a field of machine learning – a technology which allows AI programmes to learn for themselves. Deep learning systems are built using “artificial neural networks” which model the way neurons in the human brain talk to each other. According to Google, “an artificial neural network is trained by showing it millions of training examples and gradually adjusting the network parameters until it gives the classifications we want.” A properly trained neural network can therefore distinguish between signals and general noise. Deep learning – based on artificial neural networks – is likely to become the AI technology that allows AI systems to reach and then surpass the level of intelligence of the human brain.

There are plenty of reasons why AI – and, within it, deep learning – is beginning to make its way into the cybersecurity industry: a shortage of cyber engineering specialists, too many cybersecurity vendors, too many “false positives” and a growing army of hackers that are often better equipped, better funded and clever enough to exploit an ever-expanding attack surface.

Take the example of so called “APDoS” attacks whereby hackers use automated, bot-based attacks that generate large volumes of attack traffic quickly and maintain a long-term attack strategy creating an “advanced persistent denial of service”. The express purpose of an APDoS attack is to extract sensitive corporate data rather than merely bring down a website (the traditional purpose of a DoS attack). By diverting the IT department’s attention to fighting off the APDoS attack, the attacker can launch multi-vector attacks against the true target (e.g. confidential design blueprints) that go unnoticed.

Hackers have the advantage of the element of surprise. And often attacks go unnoticed for months or even years. Just ask the US Office of Personnel Management, Sony Pictures, Ashley Madison or Yahoo. Average dwell times – the time between an attacker compromising a system and being found out – were 146 days in 2015, according to FireEye, and are likely to remain well over 110 days in 2016.


Machine learning technologies promise to offer ways for an organisation to parse real time information from across their network, allowing them to see attacks before they hit. They will also uncover the areas where the network is most vulnerable. Artificial intelligence will help security professionals spend more time focussing on real threats and taking the right actions to remediate them.

However, there is an acute skills shortage for deep learning scientists.

At MIT, researchers are developing self-learning systems that automatically mine dark web markets for vulnerabilities and zero day attacks and report them back as software that automatically fixes bugs in code. MIT also claims marked progress in developing a platform that can predict up to 85% of cyber-attacks.

Machine learning has been used in the financial sector for some time and not just in cybersecurity. The large datasets collected on credit card use, for example, have allowed algorithms to learn how to recognise normal behaviour and thus to highlight anomalies.

IBM researchers working with a large US bank have claimed a 15% increase in fraud detection with a 50% reduction in false alarms and 60% increase in total savings.

The algorithms are still primitive, but are learning how to misdirect and confuse the attacker, which might persuade them to move on.

The future direction of AI as applied to network security will be largely determined by breakthroughs in unsupervised learning which can supersede supervised learning systems that require sample data for which the outcome is already known.

This approach learns the features of a data set and classifies it into a “cluster” of similar data – normal or abnormal.

But, and here’s the rub, AI hackers will almost certainly attack AI networks and indeed do so before AI defence networks are in place.

The game of high-level cat and mouse – human versus human, code versus code, network versus network, AI versus AI – is only just getting started.

Regulation

As the world becomes more interconnected and the digital economy grows, regulators are scrutinising new technologies such as artificial intelligence, big data analytics, geolocation tracking, privacy and cybersecurity defences.

In 2016, a host of new requirements are either in effect or have been announced.

USA

There are very few cybersecurity regulations in the US compared to Europe or China.

The 2002 Homeland Security Act, which included the Federal Information Security Management Act (FISMA), addressed cybersecurity issues at a national security level, but imposed few regulations on corporations.

The National Institute of Standards and Technology (NIST), a unit of the U.S. Commerce Department, has a code of best practice called the NIST cybersecurity framework, but it is not mandatory.

The SEC is thinking about imposing greater disclosure requirements.

Europe

The two primary regulations in Europe around cybersecurity are:

the European Union’s Directive on security of network and information systems (EU NIS Directive)

the General Data Protection Regulation (GDPR)

EU NIS Directive

The EU NIS Directive is the first piece of EU-wide legislation on cybersecurity. It came into force in August 2016. By May 2018 it will have been transposed into national law in every member state.

The EU NIS applies only to operators of essential services such as energy infrastructure, transportation infrastructure, banking and financial market infrastructure, healthcare, Internet infrastructure companies and water utilities. Technology companies that provide digital infrastructure – such as Amazon Web Services or Equinix – must follow the directive.


The aim is to harmonise the EU’s cybersecurity capabilities across all EU Member States and ensure efficient exchange of information across borders so that Europe is resilient to future cyber-attacks. It also aims to embed cybersecurity into future EU policy initiatives from the start, especially for emerging sectors such as connected cars, smart grids and the Internet of Things (IoT).

GDPR

The EU’s GDPR is a key plank of the EU’s Digital Single Market (DSM). It will come into force in May 2018. It mandates that any organisation wishing to conduct business in Europe must follow five key GDPR requirements:

Mandatory data inventorying and record keeping of all processing of European personal data.

Mandatory data-breach notification to regulators and individuals whose information is compromised.

The right to be forgotten, which allows individuals to request that their personal data be erased.

Routine privacy impact assessments.

Mandatory data protection officers (DPOs).

Compliance with GDPR is likely to be challenging for most businesses. In the firing line will be digital advertising leaders like Google and Facebook who hold large amounts of user data.

In addition to GDPR, many US businesses will need to comply with Privacy Shield, the successor to the Safe Harbor framework that governs the transfer of personal data of EU citizens to the US. Privacy Shield membership will lead to greater scrutiny of the storage and transfer of personal data – from social media posts to online bank accounts.

Any business that fails to comply with GDPR could face fines as high as 4% of worldwide annual revenue or €20m, whichever is higher. European courts are also introducing a new precedent – privacy class actions.

China

In China, a string of recent security-related laws has created a highly regulated digital environment.

A National Security Law designed to protect the Chinese government, facilitate national unity and shield the economy from cyber-attack has been criticised by many foreign governments for being protectionist. Telecom and networking equipment makers were at one point asked to provide their source code to the government to demonstrate it was safe, but these rules were temporarily suspended after foreign governments complained. A host of world leading Internet companies such as Google, Facebook, Twitter and Snapchat are already effectively banned from mainland China.

A counterterrorism law requires technology companies and financial institutions to store their data in China, submit to security checks and help the government with decryption if requested. As a consequence, many foreign players are entering into joint venture relationships with local Chinese partners.

In recent months, China has begun to consult more with foreign businesses when defining cybersecurity standards, in recognition of the global nature of cybersecurity risk.

In Hong Kong, the Personal Data (Privacy) Ordinance sets out rules for the collection and handling of personal data, including rules on transferring data overseas. Penalties for non-compliance include fines and prison sentences of up to five years. In addition, the Cyber Fortification Initiative, which may come into force in 2017, sets out rules to make banks more resilient to cyber-attack.

Rest of world

The overall trend in cybersecurity regulation is one towards requiring personal data to be held within a country’s own borders so that local law enforcement can access the data (for national security reasons) and police how it is used.

South Korea’s Personal Information Protection Act (PIPA) includes fines of almost $100,000 for non-compliance as well as up to 10 years in prison.

Singapore has introduced similar laws on cyber resilience and data protection with associated prison sentences of up to three years.

Industry size and growth forecasts

Worldwide, companies spent $77 billion per annum on cybersecurity products and services, according to Gartner, up from around $4bn a decade ago. By 2020, this figure could more than double to reach $170bn.

Within the next five years, expenditure on cybersecurity products and services is expected to double. The largest area of growth is security in the cloud. In 2015 Cloud security comprised 12% of total spend. This figure will rise to 20% by 2020.

Some interesting cyber statistics:

Lloyd’s of London has tripled the number of syndicates offering cyber insurance policies to 63 since 2013.

The cyber insurance premiums market is forecast to rise from $2.5 billion today to $18 billion by 2025.

Cybercrime cost global businesses at least $400 billion in 2015 alone, according to Lloyd’s of London.

Cybersecurity Ventures puts the damages caused by cybercrime at over $3 trillion in 2015, rising to $6 trillion annually by 2021.

The average cost per corporate breach is $3.8 million, according to the Ponemon Institute, with Sony Pictures at $15 million thus far and Target at $290 million since its 2013 breach.

IDC sees the hot areas for growth over the next five years as security analytics (growing at 10%), threat intelligence (10%), mobile security (18%) and cloud security (50%).

President Obama asked for $19bn for cybersecurity measures across the US government for the 2017 federal budget, up 36% from 2016.

JP Morgan, which suffered a cyber-attack affecting 76 million households in 2014, has doubled its annual cybersecurity budget to $500 million, while Bank of America says it has “an unlimited budget” when it comes to fighting cybercrime.

Cisco estimates that there were 1 million unfilled cybersecurity jobs in 2016 worldwide.

Every second, 9 new pieces of malware are discovered.

75% of organisations are infected with bots, according to Check Point Software’s 2016 Security Report.

By 2020, global cybersecurity revenues are expected to reach $170bn, up from $77bn in 2015. The proportion of that expenditure spent on cloud security (rather than on-premise) products will rise from 12% to 20%.

[Chart: Global cyber security product and service market, $bn, 2013 to 2020, split between Cloud and On premise. Source: Gartner, IDC, CM Research]

M&A activity

We have long argued that the weakness in most software ecosystems has been cybersecurity and that this would result in an M&A boom in the cybersecurity sector. As the chart below illustrates, this M&A boom is already in full swing. But we believe more is to come. We expect a quarter of the cybersecurity stocks listed in our cybersecurity scorecard on page 38 to be acquired over the next three years.

Given the shortage of cybersecurity experts – Cisco estimates there are over a million unfilled job openings in 2016 – many of these M&A transactions will be about staff as much as software.

Significant cybersecurity M&A transactions over the last four years

[Chart: acquisition value ($bn) per transaction, with a legend by year (2016, 2015, 2014, 2013). Transactions shown:]

Apple acquires Authentec
Verint Systems acquires Comverse Tech
Intel acquires Stonesoft Oyj
Vista Equity Partners acquires Websense
Cisco acquires Sourcefire
IBM acquires Trusteer
Akamai acquires Prolexic
FireEye acquires Mandiant
VMware acquires AirWatch
Palo Alto Networks acquires Cyvera
Google acquires Dropcam
Gemalto acquires Safenet
BAE Systems acquires SilverSky
Raytheon acquires Blackbird
Check Point acquires Hyperwise
Raytheon acquires Websense
Cisco acquires OpenDNS
Blackberry acquires Good Technology
SingTel acquires Trustwave
Cisco acquires Lancope
Thales acquires Vormetric
Trend Micro acquires HP Tipping Point
Private investors acquire Qihoo 360
Raytheon acquires Stonesoft (Intel Security)
Avast acquires AVG
Symantec acquires Blue Coat
Cisco acquires CloudLock
Micro Focus acquires HPE Software business
TPG acquires Intel Security (49%)
Ant Financial acquires EyeVerify

Source: CM Research

Timeline

Here are some notable events in the global cybersecurity landscape, both past and future.

Key milestones in the global cybersecurity landscape

1971 The first computer virus, known as ‘The Creeper’, was purposely designed and released on ARPANET and copied itself to the remote system displaying the words: “I am the Creeper: Catch me if you can.”

1982 The first large-scale computer virus outbreak was caused by “Elk Cloner”, a virus developed by a 15-year-old high school student as a practical joke. Elk Cloner was spread by floppy disks and affected the Apple II operating system.

1986 The first Computer Fraud and Abuse Act was passed, defining Federal computer-related crimes and associated penalties.

1988 Cornell graduate Robert Morris created and deployed the first worm, an aggressive self-propagating virus that crippled 10% of the 88,000 computers on the ARPANET, which by 1990 became the Internet.

1999 The Melissa and ILOVEYOU worms infected tens of millions of PCs across the world, causing email systems to fail.

2000 The Council of Europe drafted a Cybercrime Treaty to promote the international harmonisation of laws against computer crimes.

2002 A distributed denial of service (DDoS) attack struck the 13 Domain Name System (DNS) root servers, knocking out all but five. This was the first attempt to disable the Internet itself rather than individual hosts or enclaves.

2008 An employee at the US Central Command put a “candy drop” flash drive he found in the HQ car park into his laptop and exposed data on classified and unclassified systems.

2008 The National Cybersecurity Division of the U.S. Department of Homeland Security released the Common Attack Pattern Enumeration and Classification (CAPEC) resource, a publicly accessible taxonomy of attack patterns.

2008 National Security Presidential Directive 54/Homeland Security Presidential Directive 23 formalised the Comprehensive National Cyber-Security Initiative (CNCI), intended to establish a frontline defence against a full spectrum of cyber threats.

2012 General Keith Alexander, the US’s cybersecurity chief, said the loss of industrial information and intellectual property through cyber espionage constituted the “greatest transfer of wealth in history,” referring to Chinese state-sponsored hackers.

2013 Target, a US retailer, suffered a data breach whereby the personal data of 40m credit card customers were compromised. Access was gained via a third-party air-conditioning supplier’s control systems, but exacerbated by Target’s weak internal segregation of network systems.

2014 Serious data breaches were suffered by Sony Pictures, JP Morgan and Apple’s iCloud servers in China.

2015 Serious data breaches were suffered by the US Office of Personnel Management (OPM), TalkTalk and Ashley Madison.

2015 U.S. officials announced that Russian hackers gained access to White House and State Department emails in 2014.

2015 The deadline passed for EMV chip-card acceptance at the point of sale, prompting many warnings to e-commerce merchants that fraudsters will step up their attacks against card-not-present transactions.

2015 The major card networks continued their push of tokenisation for securing mobile and online transactions, including efforts to embed the technology in their own payment products, such as MasterCard’s MasterPass.

2016 Yahoo revealed a 2014 breach of 500m users’ personal details – the largest such breach in history.

2016 The EU Directive on security of network and information systems (EU NIS directive) came into force.

2018 The EU NIS Directive will be transposed into national laws in each EU member state.

2018 The EU’s General Data Protection Regulation (GDPR) will enter into force.

2021 The worldwide cybersecurity market is expected to reach $200 billion.

Source: CM Research

Stock Watch List

Our stock watch list below names the companies that we believe will see some positive earnings impact from the cybersecurity investment theme. Other investment themes, however, may have a negative impact. The stock ratings shown below reflect our assessment of the net impact of the most important investment themes, after taking account of valuation and risk. A fuller explanation of our investment research methodology is shown in the Appendix.

Company Rating Competitive position in the cybersecurity industry

Ahnlab

Ahnlab is a South Korean endpoint security vendor which also sells network security products. Its main market is South Korea, where it is well regarded amongst its small and medium-sized enterprise (SME) customers. It also sells to Indonesia, Thailand and Vietnam and is trying to expand into Latin America. Its network firewall products lack many of the functions of world leading products such as SDN (software defined networking) support and multiple virtual firewall support.

Airbus

Airbus Group manufactures jetliners, helicopters, defense and space systems. It is based in France and part-owned by European governments including that of France. Its Stormshield subsidiary provides unified threat management, network security, endpoint security and data security products. Its products are certified by NATO and the French government and are used mainly by European government institutions and defense organisations. Its specialty is to protect against APTs.

Akamai
Rating: Sell

Akamai is the world’s largest content delivery network. As video traffic grows, Akamai should theoretically benefit. But competition is rising and prices are falling. Whereas Apple, Google and Facebook were happy to rely on Akamai in the past, they are now building their own CDNs, as are many telcos. In addition, software defined networking technology poses a serious threat to Akamai because it will simplify CDN technology and make it open standard. Akamai is shifting focus to security, but that will take time to translate into upside.

BAE Systems

BAE Systems is a global defence and aerospace company. It offers combat systems covering land, sea, air and space. It also has a sizeable Cyber and Intelligence division which sells mainly to governments, large enterprises and financial services companies. It is strong in unified threat management, network security, email security and managed security services.

Barracuda Networks
Rating: Buy

Barracuda Networks is a security and storage vendor. It caters to the SME market. Its products include storage, email security, network security, data security, cloud security and application security.

Blackberry
Rating: Sell

Blackberry used to be the king of mobile security. However, mobile security is now a mere subset of endpoint security and the really important trend within cybersecurity is the move to unified threat management, where Blackberry simply does not feature as a major player. Moreover, at its most recent earnings, Blackberry announced it would no longer make handsets, reducing its security credentials further.

Check Point Software Technologies
Rating: Buy

Check Point Software is a large security vendor providing network security, endpoint security, unified threat management and mobile security. The company specialises in modular blade products. It has recently moved into cloud security, offering its firewall for public cloud environments running over Amazon Web Services and Microsoft Azure. It has a strong reputation amongst larger enterprises with more complex security environments. In an industry not known for prudent management, Check Point stands out. The company eschews “growth at any cost” in favour of tight control of expenses. By market capitalisation, Check Point is the second largest pure play cybersecurity company after Symantec. Unlike many of its peers, it has a consistent track record of generating profits.

Cheetah Mobile

Cheetah Mobile offers smartphone apps for Android users, predominantly in China. Its best-known products include Battery Doctor, Clean Master, CM browser and CM Security. Its Clean Master product makes Android handsets run faster.

Cisco
Rating: Buy

Cisco is fast becoming the industry’s main mover and shaker. At the last count, it had acquired 24 companies in and around the cybersecurity field, and spent $1.5bn-$2bn in so doing. There has been a special focus on cloud security with acquisitions of Cloudlock, Lancope and OpenDNS. While 45% of Cisco’s revenues still comprise switches and routers – where growth is flat – its services business comprises 25% of revenues and is growing at 10% per annum. Within services, cybersecurity is growing by more like 15%-17% and is a $2 billion a year business for Cisco. Security will be increasingly wired into Cisco’s hardware offerings as the company drives to integrate more software with hardware in its equipment. The company has almost certainly not finished rounding out its security offerings via further acquisitions – with FireEye and CyberArk widely thought to be in the frame.

CyberArk Software
Rating: Buy

CyberArk provides identity management services and has cornered the market in privileged user access, especially where the cloud is involved. Over 90% of all cyber-attacks are via privileged access breaches. CyberArk counts Novartis, Barclays, Deloitte and BT among its customers and has US Department of Defense certification. Given its small cap status and its highly regarded specialist technology in a key segment of the cybersecurity market, expect it to be acquired.

F5 Networks
Rating: Sell

F5 Networks is one of the world’s leading application delivery networks (ADNs). If the Internet of Things takes off, F5 Networks should theoretically benefit. But on a two year horizon, we believe it faces serious threats. Many Internet companies and telcos are now building their own ADNs. In addition, software defined networking technology poses a serious threat to F5 Networks because it will simplify ADN technology and make it open standard.

FireEye
Rating: Buy

FireEye provides unified threat management, AI-led security, endpoint security and post-breach consulting services. Its threat prevention and intercept technology is certified by the US Department of Homeland Security. The company is a sub-system supplier to HPE and Check Point among others and is a key member of CyberArk’s C3 privileged access protection alliance. It owns Mandiant, one of the world’s leading cybersecurity consultancies. FireEye, the only cybersecurity company to appear in the MIT Tech Review’s ‘top 50 smartest companies 2016’, is not profitable and has a worrying cash burn rate. Its closest competitors are Palo Alto Networks and Fortinet. It is a credible M&A target.

Fortinet
Rating: Buy

Fortinet is the global market leader in unified threat management (UTM). It also offers high-end network security, email security, cloud security and SIEM solutions. It also offers a broad portfolio of switches and networking equipment. It has a global presence and is strong in the SME market. It also has a strong track record of innovation, often being the first to introduce new features that rivals then copy. Fortinet is particularly strong in Asia as well as its home market of North America.

F-Secure

F-Secure is a Finnish company that is a leader in endpoint security for PCs running Microsoft Windows. It also has mobile security apps for mobile phones. Its software focuses on identifying and removing viruses, malware, worms and spyware and monitors apps running in the cloud. It sells mainly within Europe.

Gemalto
Rating: Sell

Gemalto specialises in digital security for SIM cards, credit cards (EMV technology), ePassports, data encryption and NFC (Near Field Communication) and contactless payments. However, its security is looking dated. As Apple and Google find ways to bypass the operator-controlled Secure Element within a handset, Gemalto – the world’s largest maker of secure SIM cards – may start to issue profit warnings.

Gigamon

Gigamon offers products which provide visibility and control of network traffic. It helps companies and Internet service providers improve the reliability, performance and security of their network infrastructure. Its products are used as part of many companies’ network security strategy.

Hewlett Packard Enterprise (HPE)
Rating: Hold

HPE provides technology solutions including servers, storage, networking, converged systems, software and IT services. HP is a leader in network security and data security. Its ArcSight platform is a world leader in SIEM, but it appears that HPE is exiting the cybersecurity space. It has recently agreed to sell its entire software division to Micro Focus and its network security division, TippingPoint, to Trend Micro.

IBM
Rating: Buy

IBM’s Cognitive Solutions Group – which generates $15bn of annual revenues – houses its cybersecurity and analytics businesses, with security now thought to be accounting for half of that. IBM’s Bluemix cloud computing platform will host its cybersecurity service, which has been trained on Watson, IBM’s neurocomputer, for over a year with eight universities. So far, Watson’s resources are spread across healthcare, pharmaceuticals, education and finance. Watson’s revenues account directly for less than 2% of IBM revenues, but Watson could yield the Cognitive Solutions Group a leadership position in cybersecurity and pose a real threat to industry leaders like Cisco, Symantec, Microsoft, Palo Alto and Fortinet.

Imperva
Rating: Buy

Imperva is a leading vendor of data security and application security systems that protect critical business information in the cloud and on premise. The company let it be known in August 2016 that it was looking for a buyer.

Intel
Rating: Hold

Intel’s core business is the design and manufacture of chips for PCs and servers. In 2010, Intel acquired McAfee, the anti-virus and SIEM vendor, for $7.6bn and renamed it Intel Security. But in September 2016, Intel agreed to sell 51% of Intel Security to the private equity group TPG, keeping the remaining 49% itself. McAfee’s brand and reputation have lost status under Intel’s tenure.

Juniper Networks
Rating: Hold

Juniper Networks is a global networking equipment manufacturer. It has a strong unified threat management product. Like Cisco, its rival, Juniper’s key competitive advantage is that its cybersecurity products are integrated with its networking hardware products. Juniper is known for working well with complex network infrastructures and for its strong customer support. However, it is losing market share in UTM to competitors.

KEYW

KEYW provides cybersecurity and geospatial intelligence solutions for US government intelligence agencies as well as defense customers and commercial enterprises. Its intelligence solutions are used to protect network infrastructure and for counter terrorism.

LifeLock

LifeLock provides identity-theft protection services for consumers and fraud and risk solutions for enterprises. It monitors identity-related events such as new account openings and credit-related applications, applying predictive analytics to provide actionable intelligence that helps protect against identity theft and identity fraud.

Micro Focus

Micro Focus is a British software company that allows companies to develop, test and deploy business-critical enterprise applications. Its Sentinel SIEM product is well regarded amongst large enterprises and managed security service providers and is particularly good in cloud-based environments. In 2014 it acquired NetIQ, an identity management software company. Micro Focus has also agreed to acquire HPE’s software division (which includes Autonomy, the AI company) for $8.8bn.

Microsoft
Rating: Buy

Microsoft has been a sleeping giant under previous management, missing the mobile revolution. Under Satya Nadella, however, it is reinventing itself as a cloud services company. Mr Nadella has made clear that the company’s thrust is to develop a platform which prioritises security and privacy across on-premises and cloud environments. Microsoft has a major advantage over its competitors in security: its ability to amass and curate big data from PCs, web browsers (Explorer and Edge), emails (Outlook and Office 365), search (Bing), cloud (Azure), gaming (Xbox) and social media (LinkedIn). In combination, they represent a huge real-time dataset from which rich flows of “actionable data” for cyber professionals can be derived, increasingly from Azure cloud. If any company, aside from Google, can develop and apply advanced software, including machine learning, it is Microsoft. Like Cisco, Oracle, Symantec, IBM and Intel, Microsoft will also be looking to strengthen its software ecosystem by acquiring leading edge cybersecurity start-ups such as FireEye, Palo Alto Networks or Fortinet.

MobileIron

MobileIron is a leader in mobile security and data security. Like Blackberry, it offers a purpose-built mobile Information Technology platform for enterprises to secure and manage mobile applications, content and devices.

NetScout Systems

NetScout provides customers with visibility and control of their network traffic. Its cybersecurity division, Arbor Networks, protects against DDoS attacks and Advanced Persistent Threats by spotting suspicious behaviour in a company’s network traffic. Its products are used as part of many companies’ network security and network performance strategy.

Palo Alto Networks
Rating: Buy

Palo Alto Networks is one of the world’s leading network security vendors. It is best known for its next generation firewalls, its innovations in application control, its endpoint security and its cloud-based malware detection. It works closely with VMware enabling its products to be used in virtualised data centres. Its products are more expensive than much of the competition but generally considered state of the art. Its recent entry into the endpoint security market has not gone well.

ProofPoint
Rating: Buy

ProofPoint is focused on email security and social media security. It combines its email gateway solution with Targeted Attack Protection technology, catching and stopping cyberthreats from malicious links and attachments hours or even days before traditional defences.

Qualys

Qualys is an established security vendor. It is particularly strong in application security testing. The Qualys Cloud Platform offers a single view of a company’s security, compliance and IT posture in real-time. Qualys’s Web Application Scanning service – a cloud-based service to test applications for their security vulnerabilities – has been growing fast in recent years. The Qualys platform is not fully automated so significant manual input is required, often from third party cybersecurity experts.

Rapid7
Rating: Buy

Rapid7 is a network security and application security vendor that is best known for its network and application vulnerability scanners such as AppSpider. Its products make it simple to unify operational data across multiple systems. Its closest competitor is Qualys.

Raytheon

Raytheon makes defense systems for the US and other governments. Over the last four years, it has acquired several cybersecurity companies including Websense, Forcepoint, Stonesoft and Blackbird. Its cyber intelligence division operates under the Forcepoint brand name, selling to governments, defence organisations and commercial enterprises. It is a leader in network security, endpoint security, data security and email security.

SecureWorks
Rating: Buy

Spun out of Dell in 2016, SecureWorks is a leader in managed security services. It is also strong in network security and unified threat management.

Sophos
Rating: Buy

Sophos is a British company which started as an endpoint security vendor. It now has a broad portfolio of security products and is particularly strong in unified threat management, as well as network security, cloud security, email security and mobile security. Its cybersecurity solutions are backed by Sophos Labs – a global network of threat intelligence centres. It is known for the user friendliness of its UTM console and is gaining market share rapidly. It is weak on network sandboxing – functionality that is both important for medium to large organisations and present in many competitor offerings.

Splunk
Rating: Hold

Splunk is a cloud-based analytics company that has branched out into enterprise security. As a leader in big data analytics, Splunk has built a platform that scales to many terabytes for searching, monitoring and analysing machine generated data. It is particularly strong in security information and event management and in user behavioural analytics. The company counts Adobe, BlackRock, Bosch, Cerner, Coca-Cola and Symantec among its global customers.

Symantec
Rating: Hold

Symantec is the world’s largest pure play cybersecurity company by market capitalisation. Long plagued by management troubles and legacy technology, the company is moving fast to reinvent itself to counter threats from diversified platform rivals such as Cisco, IBM and Microsoft by moving beyond its hitherto core Norton anti-virus business. To this end it invested $4.7bn to acquire Blue Coat, a network security and cloud security company. In the process, it acquired one of the industry’s most respected strategists in Greg Clark, who is now Symantec’s CEO and is putting an aggressive plan in place to turn Symantec into the global leader in unified threat management.

Note: A caveat. It came to light in July that Google-based bug hunter Tavis Ormandy found severe flaws in Symantec’s anti-virus products and the ease with which hackers can hijack a customer’s machine, including with ‘wormable’ or self-replicating viruses. Ormandy found similar vulnerabilities with FireEye, Trend Micro and Kaspersky offerings. It seems these companies were not securing their own code.

Trend Micro
Rating: Buy

Trend Micro is an under-broked Japanese company that is a leader in endpoint security. It is also strong in network security, application security and email security. In 2015, it acquired TippingPoint, HPE’s network security business, for $300m.

Verint Systems
Rating: Buy

Verint Systems provides actionable intelligence solutions within three areas: video intelligence, cyber intelligence and customer engagement optimisation. Its products are used for fraud prevention, risk management and compliance purposes. It also supplies government intelligence agencies who use its products for counter terrorism.

Source: Company Data, CM Research

Private companies

There are literally hundreds of privately funded cybersecurity companies. Given the shift from niche vendors to broad-based unified threat management platforms, much of the venture capital funding for the industry is likely to dry up. Below we select just a handful of the private players that we believe warrant further research for investors.

Company Country Competitive position within the cybersecurity industry

Aker Security Brazil Aker Security Solutions is a network security vendor that is particularly strong in unified threat management. It also has secure web gateway and secure email gateway products. It operates mostly in Brazil and is one of the few security vendors that provides a graphical user interface in Portuguese as well as English. It faces fierce competition from the larger security vendors entering Brazil.

AlienVault USA AlienVault is a leader in security information and event management (SIEM). Its Unified Security Management solution uses many open source components. Its prices are extremely competitive and it offers a simple licencing model based on utilised appliances rather than the volume of events.

Avira Germany Avira provides endpoint security for computers, smartphones, servers and networks – delivered as both software and cloud-based services. Their client base is concentrated in Germany’s small office and home office market.

Bayshore Networks USA Bayshore Networks offers security for the Industrial Internet of Things. They use deep packet inspection technology to look deep inside IoT networks searching for suspicious activity.

Carbon Black USA Carbon Black is an endpoint security vendor. It detects malicious behaviour using behavioural analytics and other AI technologies. Its software consistently records all endpoint activity making it easier to track potential security threats and determine the root causes.

CloudFlare USA CloudFlare is a web performance and security company that helps websites manage heavy traffic and deal with cyber-attacks. CloudFlare CDN, its content delivery network, distributes content around the world to speed up websites while CloudFlare Security protects websites from a range of online threats including spam, SQL injection and DDoS.

Darktrace UK Darktrace is part of a new breed of intelligence-led cybersecurity companies in the emerging field of “Enterprise Immune System” technology, a new category of cyber solutions based on pioneering Bayesian mathematics developed at Cambridge University. Darktrace works on the assumption that every large organisation is breached and offers its Enterprise Immune System – a box that sits on top of the company's network, listens to what is going on, makes sense of the traffic and alerts IT security managers about suspicious behaviour or takes direct action itself to snuff out or slow down an attack. The company is co-founded by Mike Lynch, who famously sold Autonomy to HP, only to be caught up in a related accounting scandal.

Dell USA Dell is a computer manufacturer that is transforming itself into a data analytics company with the acquisition of EMC for $67bn in 2015. Dell itself was taken private in 2013. Dell’s SonicWall division offers a suite of cybersecurity services focused on network security. In 2016, Dell spun off SecureWorks, a leader in managed security services.


Demonsaw USA Demonsaw is an information sharing application that allows you to share your files securely and anonymously. With governments all around the world putting national security above user privacy, this product could not have come at a better time. Demonsaw uses multiple layers of asymmetric and symmetric encryption. All keys are created at runtime and never shared. Social Crypto makes security easy by leveraging shared knowledge (websites and files) to derive strong encryption keys. It is anonymous: there are no logins, no passwords and no registrations. Demonsaw is a fully decentralised, mesh-based network.

E8 Security USA E8 Security is a cybersecurity company that uses behavioural analytics to detect breaches. It helps enterprises analyse and detect advanced attacks and malicious insider activities.

HackerOne USA HackerOne matches companies with “white hat” hackers who test a company’s cyber defences by trying to hack into its networks. A hacker who successfully finds a vulnerability can be awarded a bounty of $200,000 and more. HackerOne has an alliance with Russia's high profile cybersecurity firm Kaspersky. Apple, Facebook, Microsoft, Tesla, Google, Yahoo and the US Department of Defence have all used HackerOne's services.

Herjavec Group Canada Herjavec Group is an IT services group specialising in cybersecurity. Their cyber professionals ensure that security is integrated into a company’s value chain. It also offers managed security services.

Hillstone Networks China Hillstone Networks is a network security vendor based in Beijing, China. Its primary customers are Chinese enterprises with a bias towards larger corporations. It has a strong unified threat management product. It is also branching into cloud security with a range of virtualised products.

Huawei China Huawei manufactures telecom and networking equipment, competing with Cisco, Juniper Networks, Ericsson and Nokia. Since 2009, it has provided network security and unified threat management services to mainly Chinese customers. Recently it has started selling its cybersecurity products overseas. Like Cisco, Huawei’s advantage is that it already makes the hardware that its cybersecurity products sit on.

Illusive Networks Israel Illusive Networks offers deception-based cyber defense services. Illusive Networks’ systems create an alternative reality for hackers: they install decoy data on laptops, desktops, servers and in data centres which contain false information about the victim's network resources. The attacker is led into a false sense of security and the victim is given ample warning that its systems face an attempted breach.

Kaspersky Lab Russia Moscow-based Kaspersky Lab is a leader in endpoint security. Its malware research team is highly respected all over the world for detecting malware faster than rivals. Its solutions provide protection against malware, spam, DDoS attacks, cyber-espionage tools, and cyber-attacks on critical infrastructure.

Palantir USA Valued at $20bn, Palantir is an artificial intelligence company whose technology has many applications. Palantir’s systems mine massive, dispersed data sets and generate meaningful interpretations, often between low frequency data. Within the cybersecurity sector, its systems are used to detect potential vulnerabilities or actual breaches by matching low frequency data to identify suspect behaviour. Given its working relationship with the CIA and the Pentagon, it operates under a cloak of secrecy.

Qihoo 360 China Qihoo 360 Technology is a leader in endpoint security in the Chinese market. The company was taken private in a $9.3bn deal in December 2015. Qihoo provides an Internet search engine, a web browser, Internet services and cybersecurity services. It has little traction outside China, but inside China it is a leading consumer-focused software developer.


Tanium USA Tanium is a security and systems management solution that allows real-time data collection at enterprise scale. It is a bit like conducting a Google search for a company’s IT data. The company’s technology can “test the millions of computers that are attached to corporate networks, ask them questions, and patch them or shut them down in seconds, if need be.”

Untangle USA Untangle provides unified threat management products for the small offices/home offices (SOHO) market. Its products are also aimed at the consumer market under the “Total Defense” brand. Its main market is North America where it claims to have more than 40,000 UTM installations and is profitable.

Veracode USA Veracode is a cloud-based platform offering application security testing services.

WatchGuard USA WatchGuard Technologies is a network security vendor that is a world leader in unified threat management. It is strong in cloud security and is known for being quick to innovate in response to new technology cycles. Its cloud-based sandboxing is a deterrent to APTs and its centralised dashboard cloud service is easy to use.

WhiteHat Security USA WhiteHat is a leader in application security. Its application security testing services are highly scalable and are capable of testing tens of thousands of applications a year. The company reviews all application security test scans by a human expert before delivery to the customer and even offers insurance to customers if its scans fail to pick up vulnerabilities that are later exploited by hackers.

ZeroFOX USA ZeroFOX enables organisations to identify, manage and mitigate social media based cyber threats. It specialises in protecting business and government against phishing attacks, information loss, account compromise and fraud emanating from social networks. Via its cloud-based platform, it processes millions of posts and accounts across the social media landscape – Facebook, Twitter, LinkedIn, Instagram, YouTube – and applies advanced analytics and remediation.

Source: Company data, CM Research


Our cybersecurity scorecard

The three screens of our scorecard – thematic, valuation and risk – feature on the following three pages. The methodology behind our scorecard is set out in the Appendix on page 47.

Who’s who in our scorecard

Below is a list of companies that feature in our cybersecurity sector scorecard.

Who does what in the cybersecurity space (Listed companies only)

Source: Company data, Bloomberg, Infinancials, CM Research

Security software (37 stocks)

Columns: Company; Ticker; CM Research Rating; Mkt cap (US$m); Sector; Company description

Ahnlab 053800 KS - 469 Software (cyber security) Developer of antivirus software, online applications and security consultant

Akamai AKAM US Sell 11,761 Software (infrastructure) Leading provider of high performance content delivery systems, especially video

BAE Systems BA/ LN - 20,898 Software (cyber security) Defense contractor which manufactures military aircraft, surface ships, submarines, radar, avionics, communicati

Barracuda Networks CUDA US Buy 1,160 Software (cyber security) Cyber security company focused on storage and cloud services solutions

Blackberry BBRY US Sell 3,673 Telecom equipment (smartp Mobile handset manufacturer and corporate communications services provider

CA Technologies CA US - 12,886 Software (applications) Enterprise software developer

Check Point Software CHKP US Buy 14,658 Software (cyber security) Cyber security company focused on network security

Cisco CSCO US Buy 152,749 Networking equipment IP networking equipment manufacturer

Citrix Systems CTXS US Buy 13,050 Software (applications) Cloud computing services company with leading desktop virtualisation software

CyberArk Software CYBR US Buy 1,606 Software (cyber security) Cyber security company focused on user access control

F5 Networks FFIV US Sell 8,838 Software (infrastructure) Provider of IP application traffic management solutions

FireEye FEYE US Buy 1,921 Software (cyber security) Cyber security company focused on AI for preventing zero day attacks

Fortinet FTNT US Buy 5,371 Software (cyber security) Cyber security company focused on network security

F-Secure FSC1V FH - 534 Software (cyber security) Cyber security company focused on antivirus, network encryption, desktop firewall, anti-spam

Gemalto GTO NA Sell 4,771 Software (cyber security) Manufacturer of smart cards, chip cards and payment terminals

HP Enterprise HPE US Hold 36,675 IT Services Provider of enterprise servers and enterprise software and IT services

IBM IBM US Buy 144,482 IT Services Technology conglomerate

Imperva IMPV US Buy 1,154 Software (cyber security) Provider of security for databases and business applications

Intel INTC US Hold 163,969 Chips (foundry) World's largest integrated digital chip maker

Juniper Networks JNPR US Hold 9,632 Networking equipment IP networking equipment manufacturer

Keyw KEYW US - 424 Software (cyber security) Cyber security company focused on the defence industry

LifeLock LOCK US - 1,568 Software (cyber security) Provider of identity theft protection services

Micro Focus MCRO LN - 5,954 Software (infrastructure) Provider of enterprise software for assessing, managing and updating existing applications. (Acquired HPE's softw

Microsoft MSFT US Buy 462,607 Software (applications) Software conglomerate

Mobile Iron MOBL US - 316 Software (cyber security) Mobile device management software developer

Palo Alto Networks PANW US Buy 13,391 Software (cyber security) Cyber security company focused on network firewall security

ProofPoint PFPT US Buy 3,142 Software (cyber security) Cyber security company focused on e-mail filtering software

Qualys QLYS US - 1,275 Software (cyber security) Provider of security risk management solutions

Rapid7 RPD US Buy 572 Software (cyber security) Provider of software services to collect, contextualize and analyze security data to reduce threat exposure and de

Raytheon RTN US - 39,722 Software (cyber security) Defense contractor which provides electronics, mission systems integration, and other capabilities in the areas o

SAIC SAIC US - 3,001 Software (cyber security) Provider of mission-critical enterprise applications for government and enterprises

SecureWorks SCWX US Buy 953 Software (cyber security) Spun out of Dell, SecureWorks provides intelligence driven cyber security solutions

Sophos SOPH LN Buy 1,280 Software (cyber security) Developer of antivirus software and firewall hardware

Splunk SPLK US Hold 7,914 Software (data managemen Big data analytics engine focused on machine-to-machine (M2M) communications

Symantec SYMC US Hold 15,704 Software (cyber security) Software developer focused on cyber security, storage systems management

Trend Micro 4704 JP Buy 4,808 Software (cyber security) Cyber security company focused on network anti virus and internet content security

Verint Systems VRNT US Buy 2,305 Software (cyber security) Software developer focused on cyber security, voice/video interception and business intelligence


Thematic screen

IBM is the strongest cybersecurity company thematically, by our estimates, while ProofPoint is the weakest. See the “Value Chain” section for more details about the weightings of each technology and individual company scores within the scorecard.

Our thematic screen ranks stocks on the basis of overall technology leadership in the ten technology cycles that matter most to the cybersecurity industry, generating a leading indicator of earnings growth.

Legend: Thematic Leader / Thematic Laggard

Source: CM Research. Key: 1 (red) implies this technology theme will have a negative impact on earnings over the next 12 months; 3 (amber) implies a neutral impact; and 5 (green) a positive impact. See page 47 for an explanation of our research methodology.

Security software: CM Research Thematic Screen (37 stocks)

Weightings: 15% 15% 15% 10% 10% 5% 5% 5% 15% 5% 100%

Columns: Company; Mkt cap (US$m); CM Research Rating; Country; Network security; Unified threat mgmt; AI; Security Info & Event Mgmt (SIEM); Endpoint Security; Identity mgmt; Data Security; App security; Cloud Security; Managed security services; Thematic ranking

IBM 144,482 Buy USA 5 5 5 5 5 4 5 5 4 5 1

Palo Alto Networks 13,391 Buy USA 5 4 4 3 5 3 3 4 4 3 2

SecureWorks 953 Buy USA 5 5 4 5 3 3 3 3 4 5 3

Cisco 152,749 Buy USA 5 4 4 3 4 3 3 3 4 3 4

Fortinet 5,371 Buy USA 5 5 3 4 4 3 3 4 4 3 5

HP Enterprise 36,675 Hold USA 4 4 4 4 3 3 4 4 4 4 6

Check Point Software 14,658 Buy Israel 5 5 3 3 4 3 3 3 4 3 7

SAIC 3,001 - USA 4 4 4 4 3 3 3 3 4 4 8

Sophos 1,280 Buy UK 4 5 3 3 4 3 3 3 4 3 9

FireEye 1,921 Buy USA 4 4 5 4 4 3 3 3 3 3 10

Trend Micro 4,808 Buy Japan 3 3 4 3 5 3 3 4 4 3 11

Juniper Networks 9,632 Hold USA 4 4 3 3 4 3 3 3 4 3 12

Symantec 15,704 Hold USA 4 4 3 5 5 4 5 3 3 5 13

Barracuda Networks 1,160 Buy USA 4 4 3 3 3 3 3 4 4 3 14

Splunk 7,914 Hold USA 3 3 4 5 3 3 3 3 4 3 15

Micro Focus 5,954 - UK 3 3 4 4 3 4 3 3 4 3 16

BAE Systems 20,898 - UK 4 4 4 4 3 3 3 3 3 4 17

Rapid7 572 Buy USA 3 3 4 3 3 3 3 4 4 3 18

Raytheon 39,722 - USA 4 3 4 3 4 3 5 3 3 3 19

Microsoft 462,607 Buy USA 3 3 5 3 5 5 3 3 3 3 21

Intel 163,969 Hold USA 3 3 4 5 4 3 5 3 3 3 20

Citrix Systems 13,050 Buy USA 3 3 3 3 4 3 3 4 4 3 22

Imperva 1,154 Buy USA 3 3 3 3 3 3 3 5 5 3 23

F5 Networks 8,838 Sell USA 3 3 3 3 3 3 3 5 4 3 24

Akamai 11,761 Sell USA 3 3 3 3 3 3 3 4 4 3 25

Qualys 1,275 - USA 3 3 3 3 3 3 3 4 4 3 26

Ahnlab 469 - Korea 4 3 3 3 4 3 3 3 3 3 27

Gemalto 4,771 Sell Netherlands 3 3 3 3 5 5 3 3 3 3 28

Verint Systems 2,305 Buy Israel 3 3 4 3 3 4 3 3 3 3 29

Keyw 424 - USA 3 4 3 4 3 3 3 3 3 3 30

F-Secure 534 - Finland 3 3 3 3 4 3 3 3 3 3 31

Blackberry 3,673 Sell Canada 3 3 3 3 4 3 3 3 3 3 32

Mobile Iron 316 - USA 3 3 3 3 4 3 3 3 3 3 33

CyberArk Software 1,606 Buy Israel 3 3 3 3 3 5 3 3 3 3 34

CA Technologies 12,886 - USA 3 3 3 3 3 4 4 3 3 3 35

LifeLock 1,568 - USA 3 3 3 3 3 4 3 3 3 3 36

ProofPoint 3,142 Buy USA 3 3 3 3 3 3 4 3 3 3 37


Valuation screen

Cisco is the cheapest stock in our security software universe, whilst SecureWorks is the most expensive.

Our valuation screen ranks stocks within the cybersecurity sector on consensus valuation metrics.

Legend: Cheap / Expensive

Source: InFinancials, CM Research. Key: Green denotes that the stock is cheap relative to its global peers; amber denotes it is within 15% of the sector median value; and red denotes that it is expensive relative to peers. See page 47 for an explanation of our research methodology.

Security software: CM Research Valuation Screen (37 stocks)

Weighting: 25% 20% 15% 20% 20% 100%

Columns: Company; Mkt cap (US$m); CM Research Rating; Ticker; EV/EBITDA 2016; EV/sales 2016; Div yield; Net Debt (Cash)/Market Value; FCF yield; Relative valuation ranking

Cisco 152,749 Buy CSCO US 6.7 2.3 3.6 -0.2 8.1 1

Trend Micro 4,808 Buy 4704 JP 9.1 2.7 3.5 -0.3 3.8 2

Juniper Networks 9,632 Hold JNPR US 7.3 1.9 1.6 0.0 7.1 3

Intel 163,969 Hold INTC US 7.2 2.7 3.1 0.0 7.1 4

CA Technologies 12,886 - CA US 7.9 3.0 3.3 -0.1 7.7 5

IBM 144,482 Buy IBM US 9.2 2.2 3.8 0.2 8.9 6

Blackberry 3,673 Sell BBRY US 13.6 1.8 -0.3 4.2 7

Symantec 15,704 Hold SYMC US 8.8 2.9 1.2 -0.2 3.3 8

BAE Systems 20,898 - BA/ LN 8.6 1.0 4.1 0.1 1.5 9

Gemalto 4,771 Sell GTO NA 7.7 1.5 1.2 0.1 3.8 10

F-Secure 534 - FSC1V FH 15.8 2.4 3.2 -0.2 4.9 11

Raytheon 39,722 - RTN US 11.3 1.7 2.2 0.1 4.8 12

SAIC 3,001 - SAIC US 11.4 0.9 2.0 0.3 6.9 13

HP Enterprise 36,675 Hold HPE US 5.2 0.9 1.0 0.2 0.9 14

F5 Networks 8,838 Sell FFIV US 10.1 4.0 -0.1 7.3 15

Microsoft 462,607 Buy MSFT US 11.3 4.3 2.7 -0.1 5.4 16

Verint Systems 2,305 Buy VRNT US 10.5 2.4 0.1 5.5 17

Barracuda Networks 1,160 Buy CUDA US 12.2 2.9 -0.1 3.6 18

Citrix Systems 13,050 Buy CTXS US 11.3 4.0 0.0 6.6 19

Fortinet 5,371 Buy FTNT US 21.0 3.6 -0.2 4.6 20

LifeLock 1,568 - LOCK US 15.2 2.0 -0.2 -1.2 21

Check Point Software 14,658 Buy CHKP US 14.2 7.8 -0.1 6.3 22

Micro Focus 5,954 - MCRO LN 11.4 5.4 2.9 0.2 4.0 23

Qualys 1,275 - QLYS US 17.1 5.5 -0.1 3.6 24

Mobile Iron 316 - MOBL US - 1.3 -0.3 -16.5 25

Akamai 11,761 Sell AKAM US 12.3 5.0 0.0 2.7 26

Keyw 424 - KEYW US 15.1 1.8 0.2 -0.3 27

CyberArk Software 1,606 Buy CYBR US 24.5 6.5 -0.1 3.6 28

FireEye 1,921 Buy FEYE US - 2.0 -0.2 -0.9 29

Palo Alto Networks 13,391 Buy PANW US 44.9 9.2 -0.1 4.4 30

Ahnlab 469 - 053800 KS - 3.1 -0.2 2.5 31

Imperva 1,154 Buy IMPV US - 3.6 -0.2 1.4 32

Sophos 1,280 Buy SOPH LN 22.5 3.0 1.2 0.2 0.4 33

Splunk 7,914 Hold SPLK US 87.8 7.6 -0.1 1.3 34

ProofPoint 3,142 Buy PFPT US 86.3 8.3 0.0 0.6 35

Rapid7 572 Buy RPD US - 3.1 -0.2 -1.1 36

SecureWorks 953 Buy SCWX US - 2.2 0.0 -2.0 37

Median 11.4 2.9 -0.1 3.8

Mean 18.0 3.4 1.1 -0.1 3.1


Risk screen

SecureWorks is the riskiest cybersecurity company, by our estimates, whilst Intel is the least risky.

Our risk screen ranks stocks within the cybersecurity industry on overall investment risk.

Legend: Low risk / High risk

Source: CM Research. Key: green denotes low risk; amber denotes medium risk; red denotes high risk. See page 47 for an explanation of our research methodology.

Security software: CM Research Risk Screen (37 stocks)

Weightings: 20% 25% 25% 30% 100%

Columns: Company; Mkt cap (US$m); CM Research Rating; Country; Corporate governance risk; Accounting risk; Industry risk; Political risk; Risk ranking

Intel 163,969 Hold USA 4 4 3 5 1

Barracuda Networks 1,160 Buy USA 3 3 3 5 2

CA Technologies 12,886 - USA 3 3 3 5 3

Citrix Systems 13,050 Buy USA 3 3 3 5 4

Fortinet 5,371 Buy USA 3 3 3 5 5

LifeLock 1,568 - USA 3 3 3 5 6

Palo Alto Networks 13,391 Buy USA 3 3 3 5 7

Sophos 1,280 Buy UK 3 3 3 5 8

Symantec 15,704 Hold USA 3 3 3 5 9

FireEye 1,921 Buy USA 2 3 3 5 10

Imperva 1,154 Buy USA 2 3 3 5 11

Keyw 424 - USA 2 3 3 5 12

ProofPoint 3,142 Buy USA 2 3 3 5 13

Qualys 1,275 - USA 2 3 3 5 14

Microsoft 462,607 Buy USA 4 5 4 4 15

HP Enterprise 36,675 Hold USA 4 4 2 5 16

Cisco 152,749 Buy USA 4 4 1 5 17

Akamai 11,761 Sell USA 3 3 2 5 18

F5 Networks 8,838 Sell USA 3 3 2 5 19

IBM 144,482 Buy USA 4 1 3 5 20

Micro Focus 5,954 - UK 3 3 3 3 21

Rapid7 572 Buy USA 3 3 3 3 22

SAIC 3,001 - USA 3 3 3 3 23

Juniper Networks 9,632 Hold USA 3 3 1 5 24

Splunk 7,914 Hold USA 2 2 4 5 25

Mobile Iron 316 - USA 2 2 3 5 26

BAE Systems 20,898 - UK 2 3 3 3 27

F-Secure 534 - Finland 2 3 3 3 28

Raytheon 39,722 - USA 2 3 3 3 29

Gemalto 4,771 Sell Netherlands 3 3 2 4 30

Ahnlab 469 - Korea 2 3 3 1 31

CyberArk Software 1,606 Buy Israel 2 2 3 3 32

Trend Micro 4,808 Buy Japan 2 2 3 3 33

Verint Systems 2,305 Buy Israel 2 2 3 3 34

Blackberry 3,673 Sell Canada 4 2 2 4 35

Check Point Software 14,658 Buy Israel 1 2 3 3 36

SecureWorks 953 Buy USA 3 2 2 3 37


Technology briefing

When it comes to cybersecurity, what is best practice? The NIST framework sets it out better than anyone else.

The NIST framework

The National Institute of Standards and Technology (NIST), a unit of the U.S. Commerce Department, created its own cybersecurity framework to establish standards, guidelines and practices to promote the protection of critical US infrastructure. Since then, many private sector organisations have made widespread use of the NIST security framework voluntarily.

The NIST cybersecurity framework sets out five asset classes to protect and five operational functions to perform.

NIST’s five asset classes

The five asset classes are: Devices, Apps, Network, Data and People, as described in the schematic below.

NIST’s five operational functions

The five operational functions are: Identify, Protect, Detect, Respond and Recover. Below, we explain them in more detail.

The five asset classes in the NIST Cybersecurity Framework

Source: National Institute of Standards and Technology, CM Research

The five operational functions in the NIST Cybersecurity Framework

Source: National Institute of Standards and Technology, CM Research

Cyber security: Asset Classes

Apps: The software applications running on the devices.

Devices: Workstations, servers, smartphones, tablets, wearable technology, drones, connected machines, network devices and critical infrastructure assets.

Network: Telecom infrastructure which enables devices and apps to exchange data.

Data: The information residing on, travelling through or processed by devices, apps or the network.

People: Those who create raw data; those who sanitise, store and analyse data; and those who use end data products.

Cyber Security: Operational Functions

Protect: Protect access to data network. Contain threat. Limit impact of breach. "Harden" assets by reducing surface of vulnerability.

Identify: Take an inventory of assets. Measure attack surface. Baseline normal traffic parameters. Create risk profiles.

Detect: Discover events. Continuously monitor events. Detect anomalies. Hunt for intrusions.

Respond: Act on anomalies. Eradicate intrusion footholds. Assess damage. Reconstruct events forensically.

Recover: Return to normal operations. Restore services. Document lessons learned.


Putting it all together

By mapping the operational functions onto the asset categories, we can see, at a very high level, how the key cybersecurity technologies that we discussed in the Value Chain section (see pages 11 to 21) should interact with one another when best practice solutions are followed.

The NIST cybersecurity Framework is used voluntarily by many companies around the world.

Source: National Institute of Standards and Technology, CM Research

[Figure: matrix of the five operational functions (Identify, Protect, Detect, Respond, Recover) against the five asset classes (Devices, Applications, Network, Data, People). Technologies labelled in the figure: Data back-up & recovery; Awareness training; Behavioural analytics; Data security (e.g.; Deep web crawling; Digital rights management; Network security; App security; Anti-virus protection; Unified threat management; Security Information & Event Management; Artificial intelligence; Endpoint security; Internet fraud mitigation; Distributed denial of service (DDoS) mitigation; Identity management; Post-breach strategy; User authentication]


Glossary

Term: Definition

Advanced persistent threat (APT): An advanced persistent threat (APT) uses multiple phases to break into a network, avoid detection, and steal valuable information or cause damage to assets over the long term.

Advanced persistent denial of service (APDoS): An exploit which involves automated, bot-based attacks that generate large volumes of attack traffic quickly and maintain a long-term attack strategy creating an “advanced persistent denial of service” with the express purpose of extracting sensitive corporate data rather than merely clogging up enterprise links (the traditional purpose of a DoS attack). By diverting the IT department’s attention to fighting off the APDoS attack, the attacker can launch multi-vector attacks against the true target that go unnoticed.

Antivirus: Software designed to identify and remove computer viruses or other malware on an organisation’s devices or IT systems.

Attack surface: The totality of different points where hackers could enter or extract data from an environment. Applies to software, networks, and humans, and represents the sum of an organisation’s security risk exposure.

Attribution: The act of identifying the cyber-attacker. This is important if your goal is to launch a counter-attack as an active defensive strategy.

Authentication: Process in which a user’s credentials are compared to what is listed in a database of authorised users’ information. (Two-factor authentication means signing in with known login information plus a second “factor” such as a physical token.)

Backup and recovery: Process by which a copy of data in an archive can be used to reconstruct the original data in the event of a loss, corruption, or disaster.

Big Data: Extremely large data sets that may be analysed computationally to reveal patterns, trends, and associations, especially relating to human behaviour and interactions.

Bitcoin: A decentralised form of digital currency created by software and held electronically, which allows for some level of anonymity. Attackers using ransomware, for example, may demand payment in bitcoins.

Botnet: A network of private computers infected with malicious software and controlled as a group without the owners' knowledge.

CISO: Many established enterprises and data-driven start-ups have recently appointed their first Chief Information Security Officer (CISO). The CISO’s role is to protect a company’s assets (both physical and digital) from cyber-attack. The average life of a CISO, though, is under 1.5 years.

Code injection: An attack that introduces malicious code into a software application, which then executes the code when the application is opened. Examples: SQL injection, which can compromise or modify information in a database, and cross-site scripting, which can allow hackers to hijack user accounts or display fraudulent content.

Cybercrime: Any crime that involves a computer and a network.

Dark Web: Sites on the public Internet that hide their creators’ identity and server IP addresses using encryption. The sites are not indexed by conventional search engines and usually require software or authorisation tools to access. Used by hackers and others to communicate in a more anonymous way.

Distributed denial of service (DDoS): A coordinated attack in which multiple connected machines in a botnet, usually infected with malware or otherwise compromised to co-opt them into the attack, flood a network, server, or website with so much data as to make it unusable.

Dwell time: Duration, usually measured in days, that a vulnerability or infection remains undetected within a network or environment. (Some also define it as the time between detection and remediation, or even total time from infection to remediation.)

Encryption: A method for scrambling a message, file, or other data and turning it into a secret code. The code can only be read using a “key” or other piece of information (such as a long string of numbers), usually created with an algorithm.


Endpoint An Internet-capable computer hardware device on a TCP/IP network. Typically includes desktop computers, laptops, smart phones, tablets, thin clients, printers or other specialised hardware such point of sale (POS) terminals and smart meters.

Endpoint security A method for protecting the corporate network when accessed via remote devices such as laptops or other wireless and mobile devices. Each device with a remote connecting to the network creates a potential entry point for security threats.

Firewall A security system that blocks unauthorised access to a network. Firewalls typically monitor and control traffic between an internal network (trusted to be secure) and an external network (not trusted).

Hacker Someone who breaches computer security for malicious reasons.

Hacktivism Computer or Internet hacking activities motivated by social or political reasons.

Identity management A method to identify individuals or machines in an IT system and control their access to resources within that system by associating user rights and restrictions with each established identity.

Incident detection The first step in dealing with an attack or threat, which is to identify it. May include network monitoring, behavioural analytics, and other ways to detect hacker behaviour.

Incident response An organisation’s structure for managing, mitigating, and resolving cybersecurity events (such as breaches). This involves people, processes, and technology, which includes workflow management, collaboration, process automation and orchestration, analytics, and reporting.

Internet of Things (IoT) The network of all devices and objects that have electronics and can connect to the Internet. Includes smartphones, tablets, laptops, and servers, but also cars, buildings, and household items like doorbells, thermostats, toys, and faucets. A major security challenge, as any device can potentially be a target or conduit for an attack.

Kill chain A military-inspired term encompassing the various stages of a cyber-attack: reconnaissance, weaponisation, delivery, exploitation, installation, command and control, and action. Applies mainly to malware attacks, and was popularised by Lockheed Martin.

Machine learning As applied to security, this refers to artificial-intelligence techniques for helping computers adapt to evolving threats. Useful for understanding large amounts of data, detecting anomalies in networks or user behaviour, and could be central to predictive security approaches in the future.

Malware Malicious or hostile software used to attack or infiltrate a computer system or network. Often embedded in non-malicious files or programs, it includes things like computer viruses, worms, ransomware, and spyware.

Network security The process of using specialised hardware and software to protect the underlying networking infrastructure from unauthorised access, misuse, malfunction, modification, destruction, or improper disclosure, thereby creating a secure platform for computers, users and programs to perform.

Orchestration Establishing, centralising, and standardising threat detection and incident response procedures. Includes automation and integration of different security workflows, technologies, and tools.

Penetration testing “Pen testing” refers to techniques for actively testing an organisation’s computer or network security, usually by identifying potential vulnerabilities and weak spots and trying to exploit them.

Phishing A practice in which an attacker pretends to be a trusted entity by using fake emails and web sites in order to steal sensitive data such as passwords or credit card numbers.

Privileged account Credentials within an organisation that allow a user elevated access to things like operating systems, network devices, and key IT infrastructure. A popular target for hackers and malicious insiders.

Ransomware A type of malware that prevents access to the target’s computer system or data until a ransom is paid to the attacker. Often uses encryption to lock up files or IT systems, holding them hostage until a decryption key is paid for.

Remediation What an organisation does to limit or stop an attack once it is detected, as part of incident response. Includes things like blocking IP addresses, removing infected files or devices, and restoring affected systems to a known good state.

Resilience The ability of an organisation to manage cybersecurity incidents, recover from failure or damage, and keep running continuously despite growing threats.

Rogue wireless device Unauthorised hardware that is connected to or near an organisation’s network or systems. Examples range from a wireless router to a laptop to a keystroke logger. The device can be used to gain access to sensitive data, send it back to an adversary, or connect other devices to a network.

Sandbox A security mechanism for separating running programs. It is often used to execute untested or untrusted programs or code from untrusted sources without risking harm to the host machine or operating system.

SIEM Security information and event management is the combined process of incident detection and incident response. Includes features such as alerts, analytics, dashboards, and forensic analysis.

Sinkhole A machine (e.g. a server) used to redirect traffic from its original destination to one specified by the sinkhole’s owner. The altered destination is known as the sinkhole.

SQL injection (SQLi) A type of cyber-attack in which a hacker executes a malicious payload that controls a web application's database server.

Threat detection Methods for identifying system vulnerabilities and hacking behaviours. Can include any number of technologies, including machine learning, statistical modelling and network traffic monitoring.

Tor Known as “The Onion Router”, Tor is open-source network software that disguises users’ identity and location by encrypting data and routing traffic around an intercontinental network of servers run by volunteers. Used by sites on the Dark Web, among others.

Trojan A malicious computer program which looks legitimate.

Unified threat management A cybersecurity solution that combines multiple security functions – network firewalling, network intrusion detection, antivirus, anti-spam, VPN, content filtering, load balancing, data loss prevention, on-appliance reporting – within a single security system.

Virtual private network (VPN) A private network (e.g. a corporate network) that extends across a public network (e.g. the Internet). VPNs are used to allow secure remote access to documents across unsecured public networks.

Virus A type of malware that, when executed, copies itself and infects other computer programs by modifying them.

Vulnerability A weakness which allows an attacker to compromise an application, device or network.

Worm A type of malware that is standalone (unlike a virus, which is attached to another program) and spreads to other machines by replicating itself. Worms are capable of very targeted attacks, such as the Stuxnet worm allegedly used to disrupt Iran’s nuclear program in 2009-2010.

Zero-day attack A hack that exploits a vulnerability in software that is unknown to the security vendor at the time of exploit. The security vendor therefore has “zero days” to fix it.

Source: Cybersecurity for Dummies, CM Research

Appendix: Our “thematic” research methodology

Fundamental equity research does a poor job of valuing technology stocks

Traditional bottom-up valuation methodologies have a poor track record of predicting share prices in the technology sector. In part, this is because technology cycles these days move pretty fast and it is difficult to judge where you are on the growth curve. Also, valuations tend to be permanently high.

Introducing CM Research’s “thematic” valuation approach

So we, at CM Research, have developed an entirely new three-screen valuation methodology for the technology, media and telecom sectors based on a thematic investment approach. This is how it works.

First, we split the global TMT industry into 18 subsectors – ranging from PCs to social media. Second, we identify and rank the top ten investment themes for each subsector. Third, we publish in-depth research on specific investment themes, identifying the technology winners and losers. The problem is that companies are exposed to multiple investment themes, all acting concurrently: some will send a stock up; others will send it down. So our fourth step is to create a thematic screen for each sector to calculate overall technology leadership rankings after taking account of all themes impacting that sector. Finally, we combine this thematic screen with a valuation screen and a risk screen to generate a sector scorecard used to create investment ideas.

Each sector scorecard has three screens:

The thematic screen tells us who are the overall technology leaders in the ten technology cycles that matter most to this industry. Each company is scored on the basis of whether we expect earnings in the next 12 months to outperform or underperform consensus numbers on the back of each theme.

The valuation screen tells us which players are the most attractively priced, relative to their peers, using the consensus-based valuation metrics which we believe are most appropriate for each industry.

The risk screen tells us who the riskiest players in each industry are, based on four categories – corporate governance risk, accounting risk, technology risk and political risk.

How our research reports fit into our overall research methodology

We produce four tiers of thematic reports to help our clients select stocks:

Single Theme: These reports offer in-depth research into a specific theme. They identify winners and losers based on technology leadership, market position and other factors. Recent themes include the Internet of Things, Internet TV, Big Data, Artificial Intelligence, Robotics and the Cloud.

All Themes: These reports cover all stocks and all themes within a sector, giving readers a strong sense of how everything fits together and how conflicting themes might interact with one another.

Sector Scorecard: Each sector scorecard has a thematic screen, a risk screen and a valuation screen. The thematic screen identifies overall winners and losers in a sector based on all themes impacting that specific sector. Live scorecards for each of our 18 sectors are available on our client portal, together with our up-to-date stock ratings.

Best Ideas Report: These reports include our high-conviction stock ideas.

Our five-step approach for generating investment ideas

1. Sectors: Split the global TMT sector into 18 subsectors.
2. Themes: Identify and rank the top 10 investment themes for each subsector.
3. Technologies: Identify technology leaders and laggards for each theme.
4. Thematic Screen: Calculate overall technology leadership rankings for all themes.
5. Investment ideas: Combine our 3 screens to generate investment ideas.

Sector Scorecard = Thematic screen + Valuation screen + Risk screen

[Figure: illustrative panels for each step, showing example subsectors, themes and companies grouped by value-chain layer.]

Source: CM Research

Music, Film & TV: CM Research Thematic Screen (38 stocks)

Company; CM Research Rating; Internet TV; Content creation (film); Mobile; Gaming; Big Data; E-commerce; Virtual reality; Ecosystems; Artificial intelligence; Music distribution; Thematic ranking

Weightings: 30% 20% 15% 5% 5% 5% 5% 5% 5% 5% (total 100%)

Sony Buy 5 5 5 5 4 4 5 2 4 5 1

Eros Buy 4 5 3 3 3 4 3 3 3 3 2

Youku Tudou Buy 5 4 5 3 5 4 3 3 3 4 3

Walt Disney Sell 2 5 4 5 3 4 4 4 3 3 4

Netflix Sell 5 4 4 2 3 5 4 3 3 3 5

Lions Gate Entertainmen Buy 4 5 3 4 3 3 3 1 3 1 6

Zee Entertainment Hold 3 5 3 3 1 3 3 2 3 3 7

21st Century Fox Sell 2 5 3 3 3 3 3 4 3 3 8

Viacom Sell 2 5 3 3 3 3 3 2 3 3 9

Time Warner Sell 2 5 3 4 3 3 3 4 3 1 10

Dreamworks Buy 4 5 3 3 3 1 3 1 3 1 11

Nippon TV Sell 2 5 3 3 1 3 3 2 3 2 12

Starz Sell 2 5 3 3 1 3 3 2 3 1 13

Network 18 Media Hold 3 4 3 3 1 3 3 2 3 3 14

QVC Group Sell 4 3 3 3 3 5 3 3 3 3 15

Vivendi Sell 2 4 3 4 2 3 3 2 3 5 16

Grupo Televisa Sell 2 4 3 3 2 3 3 2 3 3 17

Sun TV Network Hold 3 5 2 3 1 3 3 2 3 1 18

Entertainment One Avoid 3 3 3 3 3 3 3 3 3 3 19

ITV Sell 2 4 3 3 1 4 3 2 3 1 20

Scripps Networks Interac Sell 2 5 2 3 1 3 3 2 3 1 21

Pandora Sell 3 2 4 1 5 5 3 3 3 5 22

RTL Sell 2 4 2 3 2 3 3 2 3 3 23

CBS Sell 2 4 2 3 1 3 3 2 3 3 24

Fuji Media Sell 2 4 2 3 1 3 3 2 3 1 25

Naspers - 2 1 3 3 3 4 3 3 3 1 26

Atresmedia Sell 2 2 3 3 2 3 3 2 3 2 27

AMC Networks Sell 2 4 1 3 1 3 3 2 3 1 28

ProSiebenSat.1 Sell 1 4 3 3 1 4 4 2 3 1 29

Discovery Communicatio Sell 1 4 3 3 1 3 3 2 3 2 30

Television Broadcasts Sell 2 3 2 3 1 3 3 2 3 1 31

Sirius XM Radio - 1 4 5 1 1 2 3 1 3 5 32

Modern Times Group Sell 1 4 2 3 1 3 3 2 3 3 33

TV Francaise (T.F.1) Sell 1 4 2 3 1 3 3 2 3 1 34

Mediaset Sell 1 1 3 3 1 3 3 2 3 1 35

M6-Metropole TV Sell 1 3 2 3 1 3 3 2 3 3 36

Cumulus Media - 1 3 4 1 1 1 3 1 3 4 37

ABS CBN broadcasting Sell 1 3 2 3 1 3 3 1 3 3 38

About CM Research

CM Research is an independent research provider with a blue-chip list of institutional clients. We analyse emerging trends in the technology, media and telecoms sectors and develop them into global investment themes. We research these themes in detail and then feed the results into a scorecard system to quantify the impact of conflicting themes on individual stocks. Our focus is on disruptive technologies. Our stock coverage includes the top 500 global TMT stocks. Our clients include institutional investors, corporations, consultancies and governments. At a time when many of our competitors have had their reputations mired by conflicts of interest, we fiercely guard our independence. Our service is available exclusively to our clients.

Contact CM Research

Cyrus Mewawalla, Managing Director, Research, +44 20 3393 3866

Elgen Strait, Managing Director, Global Sales, +44 20 3744 0105

Matt Barker, Director, US Sales, +1 646 831 4649

Brian Kern, Director, US Sales, +1 804 901 2202

17 Savile Row | Mayfair | London W1S 3PN | United Kingdom www.researchcm.com

Important Disclosures

This document is issued by CM Research (“CMR”) solely for our clients. This document may not be reproduced, redistributed or passed to any other person in whole or in part for any purpose without our written consent. This document is provided for information purposes only and should not be regarded as an offer, solicitation, invitation, inducement or recommendation relating to the subscription, purchase or sale of any security or other financial instrument. This document does not constitute, and should not be interpreted as, investment advice. It is accordingly recommended that you should seek independent advice from a suitably qualified professional advisor before taking any decisions in relation to the investments detailed herein. All expressions of opinions and estimates constitute a judgement and, unless otherwise stated, are those of the author and the research department of CMR only, and are subject to change without notice. CMR is under no obligation to update the information contained herein. Whilst CMR has taken all reasonable care to ensure that the information contained in this document is not untrue or misleading at the time of publication, CMR cannot guarantee its accuracy or completeness, and you should not act on it without first independently verifying its contents. This document is not guaranteed to be a complete statement or summary of any securities, markets, reports or developments referred to herein. No representation or warranty either expressed or implied is made, nor responsibility of any kind is accepted, by CMR, its directors, officers, employees or analysts either as to the accuracy or completeness of any information contained in this document nor should it be relied on as such. 
No liability whatsoever is accepted by CMR, its directors, officers, employees or analysts for any loss, whether direct or consequential, arising whether directly or indirectly as a result of the recipient acting on the content of this document, including, without limitation, lost profits arising from the use of this document or any of its contents. This document is provided with the understanding that CMR is not acting in a fiduciary capacity and it is not a personal recommendation to you. Investing in securities entails risks. Past performance is not necessarily a guide to future performance. The value of and the income produced by products may fluctuate, so that an investor may get back less than he invested. Investments in the entities and/or the securities or other financial instruments referred to are not suitable for all investors and this document should not be relied upon in substitution for the exercise of independent judgment in relation to any such investment. The stated price of any securities mentioned herein will generally be the closing price at the end of any of the three business days immediately prior to the publication date on this document. This stated price is not a representation that any transaction can be effected at this price. The material in this document is not intended for distribution or use outside the United Kingdom. This material is not directed at you if CMR is prohibited or restricted by any legislation or regulation in any jurisdiction from making it available to you. CMR and its analysts are remunerated for providing investment research to professional investors, corporations, other research institutions and consultancy houses. CMR, its directors, officers, employees and clients may have or take positions in the securities or entities mentioned in this document. Any of these circumstances could create, or be perceived as creating, conflicts of interest. 
CMR analysts are not censored in any way and are free to express their personal opinions. As a result, CMR may have issued other documents that are inconsistent with and reach different conclusions from, the information contained in this document. Those documents reflect the different assumptions, views and analytical methods of their authors. No director, officer or employee of CMR is on the board of directors of any company referenced herein and no one at any such referenced company is on the board of directors of CMR. “CM Research” is a trading name of CHM Research Limited. CHM Research Limited is registered in England, under company No. 07251947 and registered address Amaris, Hill Close, Harrow-on-the-Hill, Middlesex HA1 3PQ, United Kingdom. CHM Research Limited is authorised and regulated by the Financial Conduct Authority (Firm Reference Number: 579360).

© CHM Research Limited 2016.

This document, including the text and graphics, is subject to copyright protection under English law and, through international treaties, other countries. No part of the contents or materials available in this document may be reproduced, licensed, sold, hired, published, transmitted, modified, adapted, publicly displayed, broadcast or otherwise made available in any way without the prior written permission of CHM Research Limited. All rights reserved.

Analysts’ Certification

The analysts involved in the production of this document hereby certify that the views expressed in this document accurately reflect their personal views about the securities mentioned herein. The analysts point out that they may buy, sell or already have taken positions in the securities, and related financial instruments, mentioned in this document.