Investing in Modern Cybersecurity: Endpoint Security

In this five-part series, we aim to explore the world of cybersecurity and its investment opportunities. We introduced the modern cybersecurity framework, threat intelligence, and application security in the previous issue. Here, we move down the chain and explore the world of endpoint security and its players.

Bottom line

The proliferation of network-connected "things" has significantly enlarged the attack surface, stressing the urgent need to increase investment in endpoint cyber defenses. The new generation of tools includes real-time, data-driven detection and response platforms, offering a significant level of automation based on advanced technologies. Today's market is split between legacy players and new, innovative players bound either to be taken over or to become the new kings of the industry.

Executive Summary

A walk down memory lane: the rise and fall of antiviruses

  • Endpoint security is responsible for protecting the physical access points supporting the ecosystem.

  • The market is transitioning from legacy antiviruses or Endpoint Protection Platforms (EPP) to data-driven Endpoint Detection and Response (EDR) platforms.

  • The legacy EPP part of the market is mature and consolidating. Led by NortonLifeLock (ex Symantec), Kaspersky Lab, Avast (bought by Norton), Trend Micro, and McAfee, it offers little growth (1.5-3% YoY sales growth).

Desperate times call for real-time measures

  • Modern Endpoint and Extended Endpoint Detection and Response (EDR and XDR) offer real-time insights and use real-time data to block and sanitize compromised endpoints.

  • XDR may work alone or interlink with threat intelligence platforms for comprehensive and automated security response.

  • The hyper-growing XDR segment offers many opportunities for growth investors, with companies commanding high margins and strong growth in revenues and earnings.

The endpoint orchestra

  • Large companies may need to keep logs and detailed data to meet regulatory and compliance requirements. Security Information and Event Management (SIEM) solutions are made for that.

  • Companies may choose Security Orchestration Automation and Response (SOAR) tools for a completely automated response to low-level threats. SOAR includes both SIEM and XDR.

  • Securonix, Splunk, IBM, and Microsoft offer SIEM/SOAR solutions. They further grow and strengthen their platforms' capabilities through strategic M&A and new data source integrations.

A walk down memory lane: the rise and fall of antiviruses

Endpoint Protection Platforms (EPP): from hero to zero

In the previous issue, we introduced the modern threat intelligence sector and how it became possible to aggregate and analyze all the data for better insights thanks to the latest technological advancements. The sector we are covering today - the endpoint security market - is among the oldest cybersecurity sectors. Technically speaking, Ray Tomlinson developed the first "antivirus" in 1972, but in practice, it was a worm designed to hunt another virus. At the end of the '80s, Bernd Fix devised a method to neutralize the "Vienna Virus," which is how the first official antivirus was born.

The antivirus, otherwise known as an Endpoint Protection Platform (EPP), is a signature-based solution that scans your endpoint device (PC, tablet, smartphone, etc.), checking the "signatures" of everything installed on it against a database, and thus recognizing only "known" threats. A virus signature is a virus's fingerprint - a set of unique data that allows it to be identified. This, however, leaves endpoints open to all unknown threats (those not yet listed in the database). Moreover, hackers may program malware to use code that bypasses signature-based antiviruses.

When traditional malware (trojans, adware, spyware, and worms) was unsophisticated and its numbers grew slowly, antiviruses were more than enough to ensure security. Today, with rapidly increasing connectivity and the faster development of threats fueled by digitization, once-useful EPPs are no longer equipped to battle exponentially growing threats. They lack real-time visibility and are limited by the hardware available for processing and storing a malware database.

The transition to Endpoint Detection & Response platforms (EDRs)

Around 2013, the endpoint market shed its skin when it started transitioning from the mature and traditional antivirus market to a new breed of platforms, providing a continuous global 24/7 vision of all endpoints and connections for real-time countermeasures. The next-generation protection detects and deals with all suspicious and unrecognized activities across an organization's endpoints.

In addition to the expected benefits of the antivirus, endpoint detection platforms manage an active response and contain the threat, damage, and potential spread. EDRs aim to be proactive, immediately respond, and recover normal operations as soon as possible while covering a much greater range of threats than EPPs can. Indeed, antiviruses are simple single programs designed to do just one thing. EDRs include antiviruses but also additional whitelisting, monitoring, and scanning tools.

Endpoint Detection & Response platforms can understand threats, memorize them for a faster response, and even collect forensic data for future investigations. Speaking of data that EDRs collect and analyze, it genuinely encompasses malicious files and activity across all endpoints, script execution control, all USB devices, "fileless" attack prevention, email attachments, and prediction of zero-day attacks, among others. The recent SolarWinds attack, where hackers injected malware that could blend in with legitimate activity and escape detection by antivirus software, only proves the importance of securing and containing all endpoints in the network.

Limited opportunity in the legacy segment, massive opportunity in the new

As we have seen above, EDRs can do 100% of what the best antiviruses can do, and more. Therefore, having both a legacy antivirus and an EDR is redundant. It is thus not surprising that the market is following a simple rule - the more, and the better, you offer, the more you grow - as organizations transition to the new generation of endpoint security. We may compare the growth trajectories by analyzing some legacy players such as NortonLifeLock, Trend Micro, and Avast versus some innovative players such as CrowdStrike, Splunk, or SentinelOne. The graph below clearly shows the decoupling, with 2022 being the year when the new generation takes over the legacy players.

At atonra, we favor high-growth companies. Unsurprisingly, we have exposure to innovative players offering EDR platforms such as CrowdStrike and SentinelOne rather than legacy players such as NortonLifeLock, Avast, and Trend Micro. We believe the legacy market segment cannot escape its consolidation phase, which may potentially offer some (limited) opportunities to investors. Yet, over the longer term, growth opportunities lie in the newer and more innovative companies, showing a >30% YoY growth trajectory. Additionally, Gartner estimates that EDR platforms secure only 40% of global endpoints, leaving significant market potential to fulfill.

Desperate times call for real-time measures

A broader approach

Now that we have looked into the evolution of Endpoint Protection into Extended Detection and Response platforms, it will be easier to understand the endpoint security ecosystem. Currently, the shortage of human skills is the main limiting factor in setting up EDR and explains the still-low 40% EDR adoption.

Antiviruses are reasonably easy to set up and run, while EDR platforms require the active presence of security professionals. Consequently, the market is splitting into two, as illustrated in the graph below: on one side, "managed", where an organization outsources the setup and management, and on the other side, "normal", where IT professionals are added to the workforce. Organizations may take it even further in terms of cybersecurity with more encompassing eXtended Detection and Response (XDR) platforms (that organizations can also outsource - "Managed XDR").

What differentiates the eXtended Detection and Response Platforms is that they are much broader. XDR platforms rely on multiple sources, e.g., firewalls, identity management solutions, cloud, secure gateways, and email gateways, to significantly improve the incident response and prediction, given their better visibility. Given that XDR platforms tap into the network for supplementary data and analysis, they have inherited the functionality of Network Detection and Response (NDR) - an ensemble of advanced analytical techniques, e.g., AI & ML, to detect suspicious network activity and respond to malicious traffic.

Moreover, XDR has integrated User and Entity Behaviour Analytics (UEBA) that provides real-time activity analysis to spot abnormal user behavior. They use historical data to develop a baseline for "normal" activity and look for deviations, e.g., a user has accessed something new from somewhere new or uses more traffic than usual. The benefits of XDR are evident, and the only question that remains is whether to outsource it or not.
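To make the UEBA mechanism concrete, here is an added illustration (not code from the article or from any vendor it names) of building a per-user baseline from historical activity and flagging the deviations the text lists: a new resource, a new location, or more outbound traffic than usual. The activity records, user names and the 3-sigma volume threshold are all constructed assumptions.

```python
# Added illustration of the UEBA baseline-and-deviation idea described above.
# All records below are constructed sample data, not real telemetry.
from collections import defaultdict
from statistics import mean, pstdev

# Constructed historical activity records: (user, resource, location, bytes_out)
HISTORY = [
    ("alice", "fileshare", "CH", 1_200_000),
    ("alice", "fileshare", "CH", 900_000),
    ("alice", "crm", "CH", 1_100_000),
    ("alice", "fileshare", "CH", 1_000_000),
    ("alice", "crm", "CH", 1_300_000),
    ("bob", "git", "DE", 400_000),
    ("bob", "git", "DE", 350_000),
    ("bob", "git", "DE", 450_000),
    ("bob", "wiki", "DE", 380_000),
]


def build_baseline(history):
    """Summarise each user's usual resources, locations and outbound volume."""
    per_user = defaultdict(lambda: {"resources": set(), "locations": set(), "bytes": []})
    for user, resource, location, nbytes in history:
        p = per_user[user]
        p["resources"].add(resource)
        p["locations"].add(location)
        p["bytes"].append(nbytes)
    baseline = {}
    for user, p in per_user.items():
        baseline[user] = {
            "resources": p["resources"],
            "locations": p["locations"],
            "bytes_mean": mean(p["bytes"]),
            "bytes_sigma": pstdev(p["bytes"]),
        }
    return baseline


def score_event(baseline, user, resource, location, nbytes, z_threshold=3.0):
    """Return the list of deviations a new event shows against the user's baseline."""
    findings = []
    b = baseline.get(user)
    if b is None:
        return ["unknown user: no baseline"]
    if resource not in b["resources"]:
        findings.append(f"new resource: {resource}")
    if location not in b["locations"]:
        findings.append(f"new location: {location}")
    # Volume check: z-score against the user's historical mean (guard sigma == 0)
    sigma = b["bytes_sigma"] or 1.0
    z = (nbytes - b["bytes_mean"]) / sigma
    if z > z_threshold:
        findings.append(f"outbound volume {nbytes} is {z:.1f} sigma above baseline")
    return findings
```

A real platform replaces the flat list with a rolling window of telemetry and tunes the threshold per user, but the logic of "learn normal, alert on deviation" is the same.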

To manage or not to manage - that is the money question

EDR platforms, not to mention the more powerful and complex XDR ones, depend on active monitoring by security professionals. Setting up an internal cybersecurity team may be costly for small and medium enterprises. An internal team may be more flexible and keep information inside the company, but it is hard to deny the benefits of using the services of third-party specialists. The skilled professionals provide 24/7/365 availability, threat detection, analytics, incident response, and human expertise to tackle particularly tough or unprecedented cases.

This has led to the emergence and adoption of Managed (eXtended) Detection and Response (MDR and MXDR) offerings when setting up and managing the platforms. A turnkey solution is particularly appealing to organizations as the only thing future customers need to do is choose the preferred platform based on the quality of data analytics, response capabilities, and customer service quality. According to Gartner, such an undeniable appeal will lead ~50% of organizations to rely on MDR/MXDR by 2025.

A vibrant market growing exponentially

Most EDR players have started with antiviruses and transitioned to EDR platforms organically or through M&A. Some of them have naturally started to work on XDR solutions and offer managed services. In terms of a customer base, Microsoft is the most prominent antivirus vendor - not such a surprise, knowing that Microsoft Defender comes with every Windows system. Organizations may upgrade their subscriptions to higher levels to access XDR capabilities, usually managed by the system administrator. The fact that the solution relies on a global data lake (a repository designed to store all types of raw data from numerous sources in one place) allows even better threat hunting and data analytics.

However, more prominent players such as CrowdStrike and SentinelOne offer cloud-native platforms. Their lightweight agent installs on the hardware, consumes little to no processing resources, and is not power-hungry. AI computing, behavioral analytics, and response are done and triggered on the servers (and not on the machine). Additionally, it is much easier for these players to integrate and partner with other data providers due to their flexibility, allowing them to introduce more data sources for even better analytics.

For example, CrowdStrike acquired Humio for better log management and better XDR observability, and SentinelOne acquired the log monitoring company Scalyr for the same purpose. On the private side, Cybereason, for example, uses AI and ML to produce a full attack story automatically and find its root cause.

The endpoint orchestra

Compliance matters

The "detection and response" family is still relatively nascent compared to more well-established solutions. Some components of XDR also have certain limitations. For example, UEBA does improve analytical efficiency but only offers a narrow view. Indeed, UEBA logs are usually only enabled for a subset of users or a part of the network. More importantly, most XDR platforms only address threats and responses but do not yet adhere to specific standards (e.g., proper log retention) to comply with regulatory requirements.

However, here is where Security Information and Event Management (SIEM) comes into play. SIEM tools are designed precisely for that and are the best log collectors and aggregators today - what, when, and where it happened. They identify and categorize events so IT specialists can manually use the data for threat hunting. All while remaining compliant.

Where all roads end

What Security Information and Event Management (SIEM) does not do is real-time analytics and contextualization, i.e., matching potential and suspicious activity with a "logical reason" to distinguish with better precision normal from malicious activity. Cybersecurity teams must manually take SIEM data and match it with Endpoint Detection and Response (EDR/XDR) data for meaningful conclusions. From these facts, it is clear that if companies, especially those large compliance-sensitive companies, need analytics and log capabilities, they must employ both the SIEM and XDR solutions.

Organizations may take it further with Security Orchestration Automation and Response (SOAR) tools. SOAR combines SIEM tools and helps manage high alert volumes by directly responding to low-level incidents. In a nutshell, SOAR tools autonomously aggregate inputs from the entire infrastructure and rely on predefined incident workflows for automatic responses and security operations. SOAR solutions are like a plane's cockpit - connecting all the systems with an autopilot.

The orchestra musicians

Among the most prominent players, we note Palo Alto Networks with its Cortex platform. For customers needing a comprehensive solution, Cortex XDR can ingest data from endpoints and networks while leveraging user and entity behavior analytics (UEBA) capabilities. For larger customers looking for SIEM and logging abilities, the newly developed Extended Security Intelligence & Automation Management (XSIAM) offering can act as an autonomous security and logging platform for better data integration and compliance. Additionally, Palo Alto also offers managed services for resource-constrained customers.

More established SIEM providers include Splunk, Microsoft's Sentinel, IBM's QRadar, and ITSM (Jira by Atlassian, ServiceNow).

Catalysts

  • Endpoint exponentiality. As more endpoints become "smart" and connected, more endpoint security is needed.

  • More efficient AI and ML algorithms. Adequate endpoint security relies on analyzing all the historical security and behavioral data. Better algorithms will improve the current offering and boost the sector.

  • Helpful regulation. Bills supporting and mandating organizations to ensure adequate endpoint security will give enterprises no choice but to invest massively or start using modern solutions.

Risks

  • Shortage of skilled professionals. Setting up more advanced endpoint solutions takes skill and expertise, a lack of which could render the sector less attractive.

  • An invisible generation of malware. If malware imitates actual users' behavior, spotting it with behavior analysis and other methods may prove impossible. This could either boost innovation or, more likely, make the sector useless until new solutions arrive.

  • Fileless malware. Not operating like traditional malware (through a file that enacts malicious code) but hijacking the native processes to run code makes it difficult to detect and may hinder trust in the sector.

Companies mentioned in this article

Atlassian (Not listed); Avast (AVST); CrowdStrike (CRWD); Cybereason (Not listed); Humio (Not listed); IBM (IBM); Kaspersky Lab (Not listed); McAfee (Not listed); Microsoft (MSFT); NortonLifeLock (NLOK); Palo Alto Networks (PANW); Scalyr (Not listed); Securonix (Not listed); SentinelOne (S); ServiceNow (NOW); SolarWinds (SWI); Splunk (SPLK); Trend Micro (4704)

Disclaimer

This report has been produced by the organizational unit responsible for investment research (Research unit) of atonra Partners and sent to you by the company sales representatives.

As an internationally active company, atonra Partners SA may be subject to a number of provisions in drawing up and distributing its investment research documents. These regulations include the Directives on the Independence of Financial Research issued by the Swiss Bankers Association. Although atonra Partners SA believes that the information provided in this document is based on reliable sources, it cannot assume responsibility for the quality, correctness, timeliness or completeness of the information contained in this report.

The information contained in these publications is exclusively intended for a client base consisting of professionals or qualified investors. It is sent to you by way of information and cannot be divulged to a third party without the prior consent of atonra Partners. While all reasonable effort has been made to ensure that the information contained is not untrue or misleading at the time of publication, no representation is made as to its accuracy or completeness and it should not be relied upon as such.

Past performance is not indicative or a guarantee of future results. Investment losses may occur, and investors could lose some or all of their investment. Any indices cited herein are provided only as examples of general market performance and no index is directly comparable to the past or future performance of the Certificate.

It should not be assumed that the Certificate will invest in any specific securities that comprise any index, nor should it be understood to mean that there is a correlation between the Certificate’s returns and any index returns.

Any material provided to you is intended only for discussion purposes and is not intended as an offer or solicitation with respect to the purchase or sale of any security and should not be relied upon by you in evaluating the merits of investing in any securities.
