In the first part, I covered the basics of cybersecurity, as well as where it's been and where it's going. If, as you read this post, you don't recognize an acronym or term, refer back to that intro, in particular the Flavors of Security section that explains the various solutions. It was a long introduction, but I wanted folks here to understand the terms and acronyms, and the whys and wherefores behind the massive shift in strategy taking place.
Now let's talk about the pillars of Zero Trust & CARTA, and what is driving hypergrowth within it. Then I will break down the technological landscape of each of these hypergrowth companies in this space: Okta, Zscaler, CrowdStrike and Elastic.
With so many attack vectors and so many security solutions, how is every single company expected to be a master over all of this? SECaaS services are there to provide that expertise. Per Statista, the SECaaS sector as a whole is projected to grow 80% over the next 4 years (CAGR 15.83%). Traditional networking gear is a commodity, while SECaaS is just getting started. There are a lot of old-school players in this field (McAfee, Symantec, Cisco, Juniper, Ciena, Palo Alto) that have a lot of disruption coming from all angles.
Silos cannot compete
Ultimately, analytics via ML/AI are the key to better security management and breach detection -- which is why EVERY provider is now heavily featuring it in product lines (and especially their marketing). But those services that have a COMPLETE view of the entirety of their global customer base will gain the most leverage from it. That means the cloud-based SECaaS providers have a huge advantage -- on-premises- or hardware-focused providers will never have the complete view.
I believe that SECaaS providers that focus on these clear goals are going to have a higher rate of success over the legacy players:
- They have a complete view of their own network security as well as that of all of their customers, and are able to utilize ML/AI to assist in identification of threats and allow for adaptive response.
- They have proven cost reduction by showing customers that they can reduce costs by having fewer staff to hire or less networking equipment to buy, secure, and maintain. These services more than pay for themselves.
- They are building an ecosystem of related products around a core competency, with a high level of integration and orchestration between their platform and other security services. This gives customers the ability to start with a lead-in service and expand from there, plus have it talk to their existing tools.
- They are helping customers embrace Zero Trust (no perimeters) and CARTA (adaptive security), as those strategies are providing better overall security than the prior ones.
But know too that this is always an industry that can be disrupted, or where new entrants can emerge to displace the old ones. Things can also change quickly - a well-publicized breach could cripple one of these companies overnight. [Looking at you, Imperva.] I do recommend being vigilant with your investments, and not being so enamored with a name that you miss the sell signs when they come. But with the emergence of SECaaS, one huge comfort is the stickiness of these products - these services can be deeply embedded within their customers' workflows.
Drivers of hypergrowth
What differentiates success from failure? The best tech doesn't always get picked or continue to prosper [see Infinera INFN]. This is where hypergrowth investment methods overlay the technical product analysis perfectly -- WATCH THE NUMBERS. Focus on the companies having huge success, with growing revenues, customer base, and net retention rates. Companies that are succeeding today are the ones more likely to continue to succeed, as the 'old ways' start to phase out.
What I like to see as an investor in SECaaS centers on a few key aspects. As with any SaaS enterprise service, Land-and-Expand is the name of the game -- but it goes beyond the typical stickiness of a biz-ops SaaS. I feel that SECaaS services, in particular, can have a very strong defensive position of being EXTREMELY sticky due to these aspects:
- They must be a SECaaS service that is disrupting the status quo of traditional network security (castle-and-moat and hub-and-spoke, with its reliance on having a puzzle of task-specific hardware appliances to maintain a trusted perimeter). That means they are adopting the new paradigms of Zero Trust & CARTA, and have continual monitoring and ML/AI analytics to analyze their own and their customer base's security, and have the ability to adapt as necessary.
- They must be cloud native, so they can scale when needed, and more easily reach all systems and endpoint devices (whether on-prem or cloud-based or mobile).
- They must have a core competency within the pillars of Zero Trust and CARTA that customers trust, as seen in the proof of high revenue growth combined with high customer and $NER growth. That shows that customers are flocking to the service as new customers, and then expanding use from there. Don't guess at what technologies MAY be up-and-coming or disruptive -- the proof is in execution resulting in hypergrowth.
- They must have a platform developed around their core, that enables interoperability and orchestration, to allow customers to tie their security efforts together, and more easily integrate with other services the company may rely on. That platform also gives the provider the ability to then easily enhance their offerings in order to expand into new markets and increase TAM.
- Proof that the company is expanding into adjacent product lines and markets that the platform enables and that the customers want. You must see adjacent products appearing (or being bolted on as tuck-in acquisitions) that leverage the existing platform while expanding it into new directions. This allows new product lines to continue the hypergrowth after growth of the initial core product levels off. I think it is very helpful to map out where our companies ARE NOW but also watch the signals as to WHERE THEY ARE GOING from here.
As you can imagine, there is a LOT of competition in the network security space. From just perusing Gartner Magic Quadrants and reviews, I found:
- Network Firewalls - Palo Alto, Fortinet, Cisco, Check Point, Sophos, Juniper, Barracuda
- UTM (SMB Firewalls) - Fortinet, Check Point, Sophos, Cisco, Juniper, Barracuda
- WAF - Imperva, Akamai, Cloudflare, F5, Fortinet, Barracuda, Oracle, Rapid7, AWS, Citrix
- SWG - Zscaler, Broadcom/Symantec, Cisco, McAfee, Sophos, Barracuda, Trend Micro, SonicWall
- EPP - Broadcom/Symantec, CrowdStrike, Trend Micro, Sophos, McAfee, Dell/RSA, VMware/Carbon Black, Elastic/Endgame, Blackberry/Cylance, Microsoft, Palo Alto, Cisco, FireEye, Fortinet
- EDR - Broadcom/Symantec, McAfee, Dell/RSA, CrowdStrike, VMware/Carbon Black, Elastic/Endgame, Blackberry/Cylance, Microsoft, Palo Alto, Cisco, FireEye, Fortinet
- IDM - Okta, Microsoft, Oracle, IBM, PingID, Centrify, ForgeRock, Broadcom/CA Tech, SailPoint, Auth0
- IGA - SailPoint, Okta, IBM, Oracle, Broadcom/CA Tech, Dell/RSA, SAP, Microsoft
- PAM - CyberArk, Okta, BeyondTrust, Centrify, Broadcom/CA Tech, OneID
- SIEM - Splunk, IBM, LogRhythm, Dell/RSA, McAfee, Rapid7, Fortinet... or Elastic for DIY
However, within all that competition, we have certain companies that are disrupting their space and are clearly succeeding, like Okta, Zscaler, CrowdStrike, Elastic, CyberArk, Rapid7, and Splunk. Major stalwarts are trying to catch up, as there is a hell of a lot of M&A going on in this space, especially around the CARTA pillars of IAM, EPP, Outgoing Protection (SWG, CASB), and Incoming Protection (Zero Trust). Just in the past 2 years or so, we have seen:
- ...VMware bought Carbon Black (EPP/EDR)
- ...Blackberry bought Cylance (EPP/EDR)
- ...Elastic bought Endgame (EPP)
- ...Carbonite (backup) bought Webroot (EPP)
- ...Palo Alto bought Secdo (EDR)
- ...Zscaler bought TrustPath (Intrusion ML/AI)
- ...Symantec bought Luminate (Zero Trust)
- ...Okta bought ScaleFT (Zero Trust, PAM)
- ...Cisco bought Duo (Zero Trust, IAM)
- ...Broadcom bought CA Tech (IAM & PAM amongst many other focuses)
- ...Broadcom bought Symantec enterprise-facing side (EPP/EDR, SWG, Zero Trust)
- ...Thoma Bravo (PrivEq) bought Sophos (EPP/EDR, NGFW, SWG, UTM)
- ...Thoma Bravo (PrivEq) bought Barracuda (NGFW, WAF, Email)
- ...Thoma Bravo (PrivEq) has majority stake in LogRhythm (SIEM, UEBA)
- ...Thoma Bravo (PrivEq) bought Imperva (WAF)
- ...McAfee bought Skyhigh (CASB)
- ...VMware bought E8 (UEBA)
- ...AWS bought Sqrrl (UEBA)
- ...Splunk bought Phantom Cyber (SOAR)
- ...Palo Alto bought Demisto (SOAR)
- ...Sophos bought DarkBytes (EPP, SOAR) and Rook (MDR)
- ...Palo Alto bought Evident.io (compliance)
- ...Palo Alto bought Twistlock (container security)
- ...HP bought Bromium (Application Isolation)
- ...FireEye bought Verodin (vulnerability testing)
- ...Imperva bought Distil (DDoS prevention)
- ...Oracle bought Zenedge (WAF, DDoS mitigation)
- ...Elastic bought Perched (security training)
This amount of consolidation is a sign of a hot industry, with all players trying to catch up to the newcomer disruptors. The stalwarts, like McAfee, Cisco, and Palo Alto, are buying their way into this disruptive space, trying to be an all-in-one provider that has all the solutions. Broadcom (a chip-maker!) has bought CA Tech (IAM, IGA, PAM) and Symantec (EPP/EDR, SWG, Zero Trust) to join this market; VMware and Blackberry have also entered the EPP/EDR fray through acquisition. I believe the focused cloud-based disruptors have little to fear from these all-in-one providers rolling up new features via acquisition, especially from those whose core competency is outside of cybersecurity.
I find the disruptors' acquisitions are much more focused, either bolting complementary services onto their platform or bolstering necessary internal skill sets like ML/AI. Okta acquiring ScaleFT to bolt Zero Trust & PAM capabilities onto their Identity core was a genius move. Zscaler acquired TrustPath to bolster their internal team's skill set in intrusion ML/AI algorithms. Elastic has continually bought very complementary companies to bolster the core Elastic Stack, first in infrastructure monitoring and now in cybersecurity as a major focus.
A Look at Some Hypergrowth Companies
As mentioned before, companies adopt "defense in depth" by layering security solutions together. To build a multi-layered fortress, CARTA highlights the need for Identity, Incoming Protection (Zero Trust), Outgoing Protection (SWG/CASB), Endpoint Protection (Devices), and Monitoring/Orchestration, with ML/AI over it all. Here are 4 companies that hit one or more of these complementary layers: Okta, CrowdStrike, Zscaler and Elastic. I guess I should consider them a "basket of Zero Trust" even though that was not the intent at the time -- I selected them first and foremost for their hypergrowth.
So let's see how these companies overlap the CARTA scheme:
- Identity mgmt = Okta
- Incoming protection (Zero Trust) = Zscaler, Okta
- Outgoing protection (SWG/CASB) = Zscaler
- Endpoint protection (Devices) = CrowdStrike, Elastic
- Monitoring = Elastic ... plus all the others being very monitoring-friendly w/ integrations to 3rd-party SIEM and SOAR
- ML/AI = all the above
All of these companies qualify as hypergrowth. Let's look at each in depth in terms of their products, what they provide now, and where they might go from here. (These are each split out into separate posts.)
- Statista - Industry growth forecast
- KrebsOnSecurity - Imperva SECaaS had a breach
- DarkReading - Consolidation in crowded EPP market
- Gartner - Critical Capabilities for Endpoint Protection Platforms