Emerging technology has a tendency to go through a ‘hype cycle' when investor optimism leads to runaway valuations. The classic reference point is the dot.com bubble at the turn of the century, when tech stocks saw their price to earnings ratios spike above 60 times earnings.
With respect to cybersecurity, although the P/E ratio of stocks at the start of the year was 53 times earnings, it has since come down to 42 times earnings. That is still relatively high, from a valuation perspective, but the signs are that cybersecurity, as a sub-sector, should no longer be viewed as an emerging technology.
"We wanted to figure out where exactly in the hype cycle, produced by Gartner, cybersecurity fits in. We looked at the relative spread of cyber P/E ratios versus technology P/E ratios. What we noticed was that the relative spread peaked in 2014 where it was 65 times earnings. Since then, we've seen the relative spread drop nearly half that value to 33 times earnings.
"However, even more interesting in 2016 has been the divergence in net income figures. We have seen net income for cyber stocks in the ISE Cyber Security UCITS Index Total Net Return rise 23 per cent, while net income for technology stocks as a whole has declined 3.5 per cent.
"That confirms to us that the cybersecurity space continues to show strong profitability, with the technology sector at large looking more like a large cap laggard," comments Aneeka Gupta, Equity & Commodities Strategist, ETF Securities, whose cybersecurity ETF, ETFS ISE Cyber Security GO UCITS ETF (`ISPY') tracks the above mentioned index.
Since the index was launched in 2006, it has gained 352 per cent compared to the Nasdaq 100, which is up 135 per cent, whilst the MSCI World Index has gained 28 per cent.
There is no doubt, therefore, that cybersecurity stocks are becoming a valuable component of the technology mix.
"When we look at the reduction in relative spread (to technology stocks) and compare it to Gartner's hype cycle, we consider cybersecurity to be nearing what is known as the `plateau of productivity'. In other words, cybersecurity is no longer a new concept that everyone is getting familiar with but something that is becoming more ingrained and part of the technology ecosystem. Cybersecurity spending, for example, is forecast to rise from USD71 billion in 2015 to USD98 billion in 2018," adds Gupta.
This is encouraging news. But what are some of the more exciting and innovative companies that are operating in this space? The remainder of this chapter will profile three companies, each of which brings something unique to the table when it comes to helping organisations improve their cybersecurity posture.
FireEye
FireEye aims to prevent advanced cyber threats, data breaches and zero-day attacks by using what it calls the FireEye Adaptive Defense approach. The rise of Advanced Persistent Threats (`APTs'), which work by infiltrating an organisation's internal network to build a picture of the firm's activities over a period of months, has been pronounced in recent times.
To combat this, FireEye focuses its efforts on three key areas within its portfolio of products, services, and intelligence: detection, analysis, and response.
"The problem we try to solve is that with all the different breaches and intrusions we've seen over the last couple of years, whilst the traditional model of trying to block everything is a good start, it doesn't mitigate the risk to stopping these breaches becoming egregious and potentially damaging.
"What our portfolio of products, services and intelligence focuses on is to enable organisations to detect intrusions in a timely manner, with a low rate of false positives, before these intrusions go undetected for a period of time. The industry average is five months for a breach to be detected. We allow organisations to detect intrusions within hours and stop them from becoming breaches. This happens when an intrusion persists for months and allows the attacker to collect information within the network," explains Joshua Goldfarb, Vice President, CTO – Americas at FireEye.
In addition, FireEye provides capabilities for analysis or forensic investigations to help organisations understand what is going on at any given time within their network. The aim is to contain and remediate a threat, or any type of intrusion that is identified, and then eradicate it.
Signature-based attacks
Back in the day, firms would use signatures to identify malicious behaviour. But then people started to ask, `What if we see something for the first time, even though there's no signature for it?'
Think about airport security as an analogy. One day, somebody tried to smuggle liquid explosives onto an aircraft and the response was to ban liquids. Then somebody tried to detonate a device in their shoe so the response was to ask people to take off their shoes at the security gate.
These are all examples of signature-based detection. You're looking for something that you've seen in the past.
The above logic is flawed. It is an example of what academics would refer to as a Syllogistic Barbarism, a form of reasoning that works by using a major premise, a minor premise to produce a false conclusion i.e. All carrots are orange. Some cats are orange. Therefore, some cats are carrots.
Many people wear shoes and have no intention of blowing up an aircraft. Similarly, it doesn't help you next time you are hacked as the threat actor is going to use a different method to try and get around one's signature-based detection.
"We in the security field realised that a new approach was needed, which we call detonation. When we have a file, the best way to learn what it does is to run it in a controlled environment – a cage – where it can't do any harm to the organisation. By analysing it, we can determine that if it were to get out of the cage, whether it would be benign or malicious.
"What we are now beginning to realise is that attackers are shifting to using stolen credentials and passwords. To detect that particular layer, we need to use analytics to identify departures from expected behaviour at the user level and the system level. This is still an emerging field. We're evolving our detection capabilities and focusing heavily in this field of analytics to keep pace with the attackers," explains Goldfarb.
Goldfarb thinks there are two root causes of large breaches. The first is something he refers to as `alert fatigue'. This is where organisations have a series of detection systems deployed not specifically tailored for their risk profile, and they receive thousands of alerts, the vast majority of which are false positives. This noise makes it very difficult to pick out the signals that imply an actual intrusion is taking place.
"All of our detection technology is designed to produce a fewer number of high quality signals and very few false positives," says Goldfarb.
The second cause is lack of context. Even if you've removed the alert fatigue problem, it is hard to make a decision on whether something is good, bad or indifferent until you enrich that alert with the necessary context. This comes from using different data sources, different intelligence and other types of supporting evidence to make an informed decision.
"Those two together are the main reason for why we see so many attacks today. An attacker gets in, hides in the noise, and if someone does find the alert, they have a hard time enriching it with the necessary context to make a correct decision on whether an intrusion has happened," says Goldfarb.
Digital Shadows
London-based Digital Shadows was established by Alastair Paterson and James Chappell in 2011. Whilst FireEye focus on the threats coming in to one's network, Digital Shadows helps assess external threats, providing its clients with what it refers to as cyber situational awareness.
In short, Digital Shadows monitors the online digital footprint of organisations from a security standpoint. It aims to prevent, detect and help contain cyber-related incidents by analysing the organisation through an "attacker's eye view".
"Having a digital footprint is a good thing. When a company interacts with the Internet the trail that it leaves behind it is, for the most part, good; interacting with customers, conducting research, building insights. There are net benefits to most organisations. But there is some part of our online experience where information is relevant from a security and risk perspective. Rather than call that a digital footprint, we call it a digital shadow," explains James Chappell, CTO and Co-Founder of Digital Shadows.
There are three main elements of the digital shadow:
• Data loss – confidential documents that end up outside of an organisation's network;
• Weaknesses in the defenses of an organisation – the sort of clues that an attacker would use to focus their attacks;
• Understanding the threats by monitoring the Internet.
Digital Shadows monitors all three of the above, alerting clients whenever it spots something untoward, to mitigate the effects.
Digital Shadows Searchlight"
Digital Shadows delivers its capabilities via a platform called Digital Shadows Searchlight" which runs on a subscription model. Given that the platform monitors the Internet across a whole range of different languages and different sources – both open sources and closed sources such as the Dark Web – it is able to provide broad coverage of the threats, and sources of those threats. It is that breadth of coverage that allows it to provide cyber situational awareness.
"There are excellent solutions for clients to apply inside their network. We add to that by telling our clients what is happening outside their network. It's an important part of the cybersecurity puzzle," says Chappell.
"In security terms, you're often dealing with needles in haystacks; you're looking for that one key threat. In effect, what we have built is a large hay-removing machine. Our system delivers needle-rich haystacks to our analysts who pick through those needles and prioritise them for our clients."
Indeed, the signal:noise ratio is a big issue for the security industry. When it comes to protecting against the internal and external threats to one's network, organisations want to be given relevant information at their fingertips, not deluged with signals.
Digital Shadows will tailor its intelligence based on the three main threat vectors it monitors – data loss, vulnerability and threats posed by malicious actors.
Of course a lot of the causes for data losses and company credentials showing in places that they shouldn't are often the result of honest mistakes and happenstance. It is not as if the digital realm is awash with nasty people set against bringing down one's company. That threat is there, but it needs to be kept in context.
"What we would argue is that if an organisation knows what is going on around it from a cyber security perspective, and is able to view itself from an attacker's eye view and maintain good situational awareness, it will be more empowered to make smarter decisions about how to defend itself with limited resources. Using a tailored approach like the one we offer can help mitigate some of the problems that arise by happenstance," comments Chappell.
He goes on to explain that the types of `needles' that it looks for might include: assets showing up in places they shouldn't be (i.e. criminal forums); monitoring for vulnerabilities (i.e. passwords and network credentials being leaked out); attack strategies that might be useful to attackers, etc.
"Every day, an organisation's digital footprint might consist of many tens of thousands of different components. What we do is to reduce that footprint to the 10 most pertinent things that the organisation should be aware of to maintain good security.
"We can also give clients forecasts of what threats might be coming next to help them align their defenses," adds Chappell.
Darktrace
Darktrace was founded in Cambridge, UK, in 2013 by mathematicians and machine learning specialists from the University of Cambridge, together with world-leading intelligence experts from MI5 and GCHQ, to bring transformative technology to the challenge of cybersecurity.
Whilst FireEye and Digital Shadows provide highly effective solutions to protect against internal and external threats to one's network, Darktrace provides something altogether different. It provides an active prevention and response capability that is built on a highly sophisticated system framework that utilises the latest in machine learning capabilities.
The result is something that the Darktrace refers to as `Enterprise Immune System technology' – the only cyber defense technology that is capable of detecting anomalous behaviors within large and complex environments, without any prior knowledge of what it is looking for.
In years past, people would try to prevent attacks from happening at all but the simple fact is this is impossible. Every organisation will be breached at some point. Therefore, it one knows this, how can they possibly figure out when they've been attacked if they don't know what they are looking for?
Threat actors are using novel techniques and ways of getting inside networks. At the same time, businesses are working with smaller resources and budgets. Yet they need an effective way to police the landscape and figure out if they've been compromised.
"Imagine you are a security guard at a train station and you're trying to spot someone suspicious. It's not easy. Likewise, you can hire people to comb your organisation to look for potentially suspicious activity. The problem is that an organisation's network is extraordinarily complicated. It's got millions of pieces of data moving around, and it is almost impossible to police manually. You need technology that can act as a set of digital eyes that keeps a constant eye on the network and watch for any bad things happening.
"This is what we are trying to do at Darktrace. Technology has made huge advances in recent times, especially with respect to machine learning, such that we can now make systems that perform that sentinel function within the network," explains Andrew Tsonchev, Cyber Security Specialist at Darktrace.
In effect, what Darktrace has produced is a system that fits inside one's network where it performs the digital role of the train station security guard, constantly monitoring data flows every millisecond.
As mentioned above, FireEye looks for malicious files, programmes, that come into the network and stops them from doing damage. They look at everything – good or bad – coming into the network and decide whether it is a threat or not.
"We don't look at all the files and programmes coming in, we look at the symptoms," says Tsonchev. "If a suspicious file enters the network and infects it, we look at changes to the behaviour of computers and people within the organisation to infer that they've been infected."
The implications to this are huge. What Darktrace is doing is to turn the endless arms race that exists within cybersecurity on its head – it makes no attempt to stop the attacks from happening, as the nature of attacks continuously changes. Rather, the Enterprise Immune System technology works just like that of the human body. It doesn't react to everything that enters it. Instead, it waits to see what the symptoms are and responds accordingly.
"That is how we developed the system; not to stop something coming in but to look for changes in behaviour that triggers an immune response. Organisations need to know what is going on inside their network. It's only by knowing what's normal that they can detect when things have changed and figure out that they've been compromised," says Tsonchev.
He adds: "All we do is look for the symptoms of a potential breach within a network. And that totally changes things. Given the increased sophistication and novelty of attacks, defense is no longer just a game of preventing attacks from getting in, but one of early detection and response to threats already inside."
One might ask how the system is able to determine what constitutes a real threat and a false threat. Indeed, this is the Holy Grail. As it uses machine learning, Darktrace's solution learns about its `self' over time such that it builds intuition as to what looks like normal activity within a network, and what might constitute abnormal activity.
"The key is to look for the right things. In machine learning we refer to this as `feature selection'. We continually compare every device to every other device and build up a rich comparison of activity between all the computers in the network that allows us to look for really interesting changes, and avoid all the mundane deviations that occur in organisations every day.
"We've effectively built a super vigilent digital security guard that can look at a million computers simultaneously and work out that it has a bad feeling about one of them because the way it is behaving unusually," concludes Tsonchev.
There are incredible innovations taking place in the cybersecurity sector. And as the sector continues to grow and evolve, there will be more companies such as those profiled above over the coming years. It is, in short, one of the most fascinating areas of the technology space.
