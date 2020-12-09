FireEye, Inc. (NASDAQ:FEYE) UBS Global TMT Virtual Conference December 9, 2020 9:20 AM ET

Welcome to day three and our final day of the UBS Global TMT Conference. I'm your SMID software analyst, Fatima Boolani, and I have the pleasure of hosting FireEye this morning, CFO, Frank Verdecanna, but also I wanted to add a very positive addition to our lineup, to our discussion this morning. CEO, Kevin Mandia, is also joining us for our conversation. Gentlemen, thank you so much. I appreciate the time today.

Kevin Mandia

Thank you, Fatima.

Frank Verdecanna

Thank you, Fatima.

Q - Fatima Boolani

Kevin, I want to start with you. And what's top of mind for everybody and certainly me is just with regards to the circumstances that you reported in an 8-K yesterday that I wanted to just unpack a little bit. So, Kevin, I wanted to turn it over to you just to sort of walk us through sort of what happened, where you are, and sort of how should investors think about your next steps?

Kevin Mandia

Yesterday, we went public proactively about a security breach into FireEye. And we went proactive based on protecting our customers. I think that [Technical Difficulty] 25 years of responding to breaches. We were compromised, because we've been effective at thwarting the adversary. That simple.

We're in a game of security. And sometimes security is an us versus them sort of game. And when you look at geopolitical conditions, when you look at alignments, when you look at conflict, ideological differences, you're going to have a lot of things materialize in cyberspace that pit a side, Team A versus Team B. That's just the unfortunate nature of our business.

And in this case, the other team got in. It was a sniper round. And we believe in attribution, we believe in accountability. And we are a company that's always felt it's not just a technical problem. Cybersecurity does require us to impose risks or repercussions. And so, that's why for well over a decade, we're a company that catalogs forensic evidence that when we know who did something, we do expose it in hopes that we can see rules of engagement in cyberspace that, quite frankly, uphold a global economy in the most appropriate way. And that's what we do. Because we're in that business, we put a target on our chest.

But this is not an ordinary security incident. And as we go live, we've always felt security is about trust. And we're going to handle this with integrity. We're going to protect our customers. And we're going to do more than that and protect the community.

For those of you that don't know what happened, there are others that are doing attribution for this case. But I believe a foreign intelligence service from another nation broke into our organization using very novel techniques. And what they did is they took what's called our red team tools. And these are the tools that we use to assess the security of our customers. And they're common tools, but they also are tools that now that they've been exposed by an unknown third party who has not used them yet, has not leaked them yet, has not shared them potentially yet, but we recognize that our red team tools that we use to assess our customers do take someone of less capability and potentially make them pretty good on offense. So, we're doing what we've done against PLA Unit 61398 in our past. We're doing what we've done against some groups that we call APT28, APT29, APT41 or Advanced Persistent Threat 41. We're creating our tools just like that, and we're going to burn them. That's what we call this in our industry. We're going to go shields up working with other vendors to make sure FireEye's software, not zero days, not anything that people don't know about, but still tools that we use to assess security. We're going to make sure nobody's compromised by those. And that's just the right thing to do.

Fatima Boolani

Kevin, I was wondering if you can put some timeframes around it. At what point were some of the evidence and data points of the breach and the incident discovered, sort of what were the immediate steps you took to parameterize and sort of triage the situation. This is a real life example that I would love to hear sort of the life cycle of forensic analysis on.

Kevin Mandia

This is what we do for a living. We're responding to over 150 breaches right now. One of them happens to be at our organization. It's an ongoing investigation. We are going to share as many of the details as possible. But one of the things that is true is we have a lot of leads we can follow up on outside of our company, and we're working with the Federal Bureau of Investigation on that. And so, there'll be more details that emerge. But I want to make sure that our organization gets all the evidence collected and available to us, quite frankly, to make a laser point for attribution. So, that's what we're going to try to do. And because of that, we'd like to keep some of the investigative details on close hold for now. But our FireEye products will be kept better today than any other day because we recognize that we had to do a lot of work to detect our own tools that are have been stolen from us. And at the same timeframe, we've shared with other vendors, with the world, over 300 indicators, how to detect the things that were stolen from us. That's just what a security company must do when something like this happens. So, we've done that.

Fatima Boolani

Kevin, you noted in your 8-K and you were fairly explicit about this that there is no evidence that points to an exfiltration of customer information and data. I wanted to dig in on that point a little bit. Subsequent to that, maybe a question for you, Frank, is what incremental steps and steps from here are you taking to really lock down your infrastructure, your environment? Or what next steps are you taking to further protect yourself?

Kevin Mandia

What we actually said is that we recognize this is an attack that had focus. It had focused on a red team tools. There was a focus on the folks that do government work, many different governments, not just the US government. We're a global company. And that's what the focus of this breach was about. So, what we didn't see was the targeting of the systems that harbor what we – the reports and things that – the work products that we do for our customers. That's what we did not see evidence of. Still an ongoing investigation.

In regards to containment, this is something I've tried to explain to the general public for 25 years in my career, we have always had a good security program. And we always are testing ourselves. We have to recognize that this attack, in my opinion, is the top 1% of the offensive capability. And I do believe that nations with time, focus and target, over time, there's an asymmetry between offense and defense, and the offense usually carries the day. And that's what happened in this case.

So, it's something that a lot of folks in the public will say, 'Well, how could you be hacked by a modern nation with offensive cyber tools, that just is inappropriate.' It's something that, unfortunately, in cyberspace, there is an asymmetry and that it's on offense. It is easier oftentimes than to defend a multinational organization. That simple. And a modern nation with the means and the focus and the time and the order is given, they're going to find success.

Fatima Boolani

Kevin, you mentioned that this was a very proactive step that you've taken, just to alert your customers, your community, your ecosystem of partners. If I can ask you to put on Brad and Bill's hat for a second, what is the strategy that you have in place to communicate with customers and to really articulate that the process of containment for you is underway.

Kevin Mandia

We've always had an innovation cycle at FireEye. We've always felt it strategically important to respond to every breach that matters because that's how you learn how attackers are evading people's software, evading people's protections, and what the latest techniques and tools are on offense. And this is no different. We're going to treat this like every other case that our customers are going to be protected by the tools that were stolen from us, as well as every other thing we're currently seeing in cyberspace that has been highly effective on offense against companies across the world. So, we're going to do that.

This one is different, in that we have gone public. We are doing webinars. We're going to continue to share information of the TTPs of this attacker, and probably we're going to share it as much as we can when we can.

So, it's similar to many other cases that we worked on, where when we see novel techniques, we like to educate, we like to share it, we'd like to make sure everybody can do shield up against it. And that's what we'll do here.

Fatima Boolani

Fair enough. I appreciate you providing color and feedback on that very timely discussion.

Frank, maybe I'll turn it over to you. Outside of this circumstance, it has generally been a unique year, to say the least, with the pandemic and overnight move to work for home trends. Certainly, have brought new opportunities and potentially new challenges. So, to begin here, how would you characterize the impact of these dynamics to FireEye's business and how you've navigated the business through the pandemic in the last nine months?

Frank Verdecanna

I think we've done a really good job of kind of managing through this pandemic. If you looked at the initial impact at the very end of Q1 when everything kind of initially happened, we did see our spike in DSOs and we did see some contract terms coming down as customers were less willing to commit or pay upfront for longer term deals. But as we got into Q2, and as we got into Q3, our business really normalized. Our DSOs dropped down to actually the best levels that we've had over the past three or four years. Our contract lengths actually went up in Q3.

So I think if you look across the different products and solutions set, we've really had a really strong year. And we've been able manage through this process. Our services has had a record every quarter this year, and continues to be incredibly busy. Part of the pandemic, I do think nation states and criminals have taken the opportunity to attack more because of the environments are so much different. And we are as busy as ever there. But I think we've done a great job kind of managing through.

As you look across the entire company, we still have a very fast growing business on the solution side that is best in class. We have best of class detection products that are more mature, but are – have stabilized and are generating a significant amount of cash for the whole company.

Fatima Boolani

I want to double click on that point. certainly, FireEye has been through an evolution process with respect to the product portfolio. There's been a revamping of the portfolio, repackaging, and certainly enhancements from a product and capability perspective. Maybe just to remind investors, what the portfolio, your billings and revenue segmentation looks like today and some of the newer solution milestones that you've hit, and where are the areas of the most significant upside within this envelope of your billings and revenue profile?

Frank Verdecanna

If you look across the product set and solution set, we've seen very nice growth sequentially and year-over-year in our cloud products. So, think about cloud endpoint, our cloud email solution, our Helix platform. If you look on the solution side, again, we've had record revenue growth on the Mandiant services side, but we've also now introduced Mandiant Advantage, which really leverages our best-in-class intel, it leverages our new validation product, and now also we'll be leveraging the new Respond acquisition as well.

Fatima Boolani

How does this evolution of the product portfolio sort of impact your ability to drive more consistency in your billings performance? There have been a couple of puts and takes vis-à-vis transactions you did last year. Some unevenness this year. Can you help characterize what sort of is on the horizon to diminish some of that unevenness that we've seen in the billings performance?

Frank Verdecanna

I think one of the areas that we've really kind of focused on people on is ARR because if you're looking at purely billings, billings obviously has a lot of noise with movements in contract duration. Also, the timing of things like early renewals. But if you focus on ARR, you can kind of see the true kind of growth of the business and the market share we're grabbing. This last quarter, we actually had sequential growth in the more mature product or related area, as well as continued strong growth on the cloud and platform side. So, I think billings is always going to have a little bit more volatility because it's subject to contract duration. It's also subject again to timing of renewals and things like that. But we're very focused on ARR. We're very focused on continuing to grow that. And I think while we're pretty encouraged and confident as we look forward, the more mature areas of the business have really stabilized and we see continued growth on kind of the higher growth areas like platform, like our cloud products, like our solutions and Mandiant Advantage. And so, as we look forward, I think we'll see better performance from a billings perspective purely because we've now stabilized kind of the more mature areas.

Fatima Boolani

Can you talk to us a little bit about the composition in the business between your traditional core areas of competence and some of these newer pillars of growth that you're executing against?

Frank Verdecanna

They're all interrelated in the fact that our products are updated with the frontline expertise that we recognize on the thousands of incidents we handle each year. It also is updated via our hundreds of intelligence analysts throughout the world. And basically, all the sensors we have out there from endpoints to network sensors to email provide intel for our solutions side of the business. So, it really is kind of this innovation cycle in this loop that we are able to kind of feed off of each areas of the products and solution set.

Fatima Boolani

I want to come back to Mandiant Advantage. This has been an area where you've invested a ton of capabilities. You're investing around a go-to-market motion here. So, maybe at the visionary and technology level, Kevin, for you. The Mandiant Advantage platform was more or less officially launched in October as a keystone to productizing your front line intelligence and your Mandiant services. So, Kevin, I want to ask you what is the ultimate vision here.

Kevin Mandia

So, very simple. It's expertise in a box. It's a subscription to what we know and what we can do. There's no question everybody recognizes that you're always trying to automate human process with technology. And as we respond to every breach that matters, what we do for a living as a company with our services folks is we find the needle in the haystack every day. So, let's create models, let's create an intelligence around that, and allow folks to subscribe to that, overlay that technology on their security relevant data and it's like providing them the security operations capability of a team of thousand people.

So, software has always been the automation of human tasks. We are automating our expertise on the frontlines, putting it into the Respond acquisition, putting it into the Mandiant Advantage and allowing that to be a subscription to a capability you overlay on your sim as a customer or your data repository as a customer, to know what we know, to understand how we triage to really automate the tier one and tier two security operations that are often the least amount of experienced people trying to triage and figure out.

So, this is the automation of security operations. That simple. Done by an organization that has the frontline expertise, that has the capability to merge people with technology. And we have probably the largest private cyber threat intelligence capability on the planet.

You bring all that together. People always ask me, how do we know what you know, how can we secure our networks with what you know. And so, we're going to put our intel, our AI, our machine learning capabilities, our validation capabilities, and the right click ask for an expert, so we're seamless extension of our customers' teams through technology all into Mandiant Advantage.

And we want to be – also, when you think Mandiant Advantage, it is controls agnostic. We want to be the brand that people trust to really assess how good is your security today based on real world attacks, real world simulation because we can test people's security safely and simply. So, that means you can proactively continue to improve and evolve your security program, and at the same timeframe, use Mandiant Advantage to continually answer the question: Are we currently compromised, yes or no? Prioritize your alerts. And quite frankly, just put all our expertise in the software.

Fatima Boolani

Kevin, you alluded to a number of different components under the Mandiant Advantage umbrella. I'm curious, how do you see the demand while simplifying and providing a solution to a customer versus point producting your base? How do you strategize around unifying these distinct components, but at the same time extracting a lot of value from selling each one of those components under the Advantage umbrella?

Kevin Mandia

Right now, we have eight different ways into a customer, right? It could be email security, network security, or cloud-based Helix for sim and endpoint, or it's our managed defense, our services, our intelligence or our validation.

When you want to look at our differentiators, things we are the best in the world at, our intelligence, we're in the top right of the quadrants. Our incident response capabilities are in the top right. Security validation is a market that we believe in and we're crafting and shaping because we've just seen two decades of what I call threat management. And what that means is everybody's running proactive scanners to see, are we vulnerable, yes or no, and then patching products. And that's fine. But it doesn't tell you how good you are.

So, we believe the next stage of security is really going in and validating your program, validating it with the attack simulation. So, we've taken what we're the best in the world at and we're making it available in a single platform to backstop every single security operation center or security program on the planet, not just those that are using FireEye controls technology, but those environments that use other control technologies as well. Maybe a different endpoint, maybe a different network product. Because, ultimately, as we do our services, we're there to protect customers regardless of the control products they have. And so, Mandiant Advantage is, in fact, that, a controls agnostic platform that automates as many security tasks as we can with our top graded intelligence, top validation capabilities, and our top threat hunting capabilities that we do every day for hundreds of companies that have been compromised by other nations red teams.

Fatima Boolani

Frank, what is the pricing strategy and vision for Mandiant Advantage? And what type of contribution are you seeing in the model today? And what the what are the aspirations heading into 2021?

Frank Verdecanna

The base model that we launched last month was basically our expanded intel offering. And so, the pricing out of the gate for Mandiant Advantage is very similar to our subscription offerings on the intel side. As we add additional model modules and we add validation this quarter and then add managed defense and Respond next in 2021, we'll have additional modules and additional pricing. And we haven't wrapped it all together as kind of one bundle yet. But as of now, it's basically each module has its own set of pricing that's based on kind of the existing pricing for those products.

Fatima Boolani

Either for Kevin or Frank. Certainly, this notion of expertise in a box and the easy button to access your Mandiant incident response professionals is very compelling. But how should investors think about your total addressable market opportunity for Mandiant Advantage, considering there's potentially very few organizations of scale that have an entirely in-house security operations center? How would you debunk some of that perception that perhaps Mandiant Advantage is most useful for very sophisticated SOC organizations?

Kevin Mandia

I think you can overlay it. It's actually – in many ways – the exact opposite of that. As it matures, it can go down-market to the folks where, quite frankly, the IT department has a secondary task known as security. And they're using a suite of products from, say, someone like Barracuda or Fortinet, but they don't have. And there's always been a shortage of those security folks that are serious, that are very experienced top tier with the Mandiant Advantage. That's what you're going to get, an opening and an aperture to the top tier security capabilities, both in technology. So, with the technology, it's as if you hired a whole bunch of experts and with the ability to actually interact directly with their experts. So, it allows us to go to a larger market than just all the one in enterprises who will take a second set of eyes on every alert, by the way. Why not? It saves time. And it's something that is very valuable in today's world. But at the same timeframe, it can go down market for those folks who can't attract the talent or they don't have the ability to do so. And they can subscribe to us. And our technology backstopped by our experts is in fact the security shield they need.

Fatima Boolani

Frank, can you help us with some of the contours of the Mandiant Advantage – financial contours of the Mandiant Advantage offering and what are the expectations for growth and scale and how you're thinking about contribution to the model from here?

Frank Verdecanna

If you look at the standalone, kind of intel offering has had a great year this year. Our validation product has had a great year and is ending the year really strong. When we look at Mandiant Advantage, we're really leveraging a lot more into that. And so, I think we get the benefit of growth products being put into one platform, and then the synergies of having it all under one software platform and umbrella. So, our expectations from a growth perspective is we were going to get kind of standalone kind of solutions growth for validation and for intel and managed defense, but now we've got the benefit of having the synergies of a platform. And so, our expectation is that the overall growth rate will go up because we are getting Mandiant Advantage in the hands of a lot more prospective customers than we were selling the kind of point solutions individually. And I think that platforms really come together. We've seen a lot of success very early on in the process. Again, it's early, but we're really encouraged by kind of the traction we've seen and the interest we've seen. It's an area that I think people have been kind of starving for kind of wrapping that all together. So, we're really excited. I think 2021 is going to be a great year for Mandiant Advantage.

Fatima Boolani

Just on that note, how has the feedback around Mandiant Advantage been as it relates to it being a calling card for new logos and new customers and those that have never transacted with FireEye before? And how should we see Mandiant Advantage manifest in the business, whether that's better ARR growth or faster new logo growth? How do you contextualize that?

Frank Verdecanna

I think we'll see it in two different spots in two of our key metrics right away. I think we'll see it really in 2021, beginning in kind of new customer adds each quarter. I also think you'll see the platform cloud subscription category have acceleration in growth there with the help of Mandiant Advantage. Because I think you're right, it is opening up the aperture to a lot more opportunities for us. And even just in the early days, we've just seen a lot of kind of new to FireEye customers and prospective customers register and demo the solution.

Fatima Boolani

I want to flip to the investment side of the equation. So, we've talked a lot about growth, what avenues we have for growth and the excitement around the product portfolio. But I do want to drill into what specific initiatives you have in place from a reinvestment standpoint to achieve and execute against the growth. Certainly, there's been some steps you've taken to right-size the organization, to scale the go-to-market effort. Can you talk to us about what's sort of in the rearview mirror from a restructuring standpoint, as well as what's on the horizon for where you're very surgically putting investments in place?

Frank Verdecanna

We went through pretty significant transformation efforts in the first half of 2020. And we really started seeing the benefits financially from that in Q3, getting to a very solid double-digit operating margin. And as we look forward, we're going to continue to invest in the high growth areas of the business. The good news is, the more mature areas have been stabilized and are generating significant profit and cash flow. So, I think as we look forward, we will see continued investment on things like Mandiant Advantage from an R&D perspective. We are continuing to invest in our cloud endpoint solution. That's had a great year to date. And then, as we look forward, things like Mandiant Consultants, we've been maxed out, completely running full steam all year long. And so, we continue to add new consultants there to help address some of that customer demand.

Fatima Boolani

Just from a sales capacity perspective, where is your comfort level with the quota carrying rep capacity you have online today? And what are the aspirations to scale that or maybe diversify that, especially with some of the new form factors of products that are coming out the door?

Frank Verdecanna

I think we've seen a lot of additional leverage in the sales team this year. Productivity going up, partly because of the fact that we've been able to introduce some new solutions and also leveraging the fact that we are just getting more efficient as we go through the process. But I think as we look forward, we feel really good about kind of the level of sales and marketing spend. I think we believe that we'll see additional leverage through things like Mandiant Advantage, through things like seeing more channel leverage. Some of the newer products fit the channel a lot better than some of our older, more mature products.

Fatima Boolani

And around your reinvestment posture, I want to bring to light a recent partnership – financial partnership that you've struck with Blackstone. Maybe give us sort of a very quick overview of sort of the impetus of that relationship. And what this financial tie up with Blackstone brings to the table for you?

Frank Verdecanna

I think we're very focused on finding a partner that was going to be a long-term investor with us that was aligned with our vision. We were very much aligned with both Blackstone and ClearSky and kind of how to continue to kind of grow the value of this business. And as we look forward, we look at them as a great partner with a lot of experience in this space. And I think they will be really helpful as we continue on our transformation journey.

Fatima Boolani

And the capital infusion that's been put into the business, what is the priority sequence for where you see that capital and that flexibility being put to work?

Frank Verdecanna

We started, obviously, with the Respond acquisition. So, that was done kind of concurrently with the Blackstone investment. So, we used some of that cash for the Respond acquisition. I think if we find opportunities like that that are kind of a perfect fit for our platform and our solution set, then we obviously have a little bit more dry powder to act on that. But as we look at the portfolio now, I think we feel really good about all the pieces, and I think we've got exactly what we need to continue moving forward. So, it doesn't feel like we have any big holes that we need to address. So, I think we're focused on kind of the assets we have and just moving forward as quickly as possible.

Fatima Boolani

Frank and Kevin, I want to cap off the discussion with the line of conversation we began with, just around this breach. How you're going to move forward and really helping understand and helping investors understand what the milestones for you are from here, given the circumstances, and particularly how, if at all, your thought process changes around customer engagement, customer dialogue, and new product sale opportunities.

Kevin Mandia

This is Kevin speaking. We recognize that our red team tools were taken. But we also recognize that the exact tools that we use to emulate the threat group should respond to all the time, so we can, without any – it's totally binary. We can tell customers, yes, this threat group can successfully compromise or this threat group cannot based on what we know today. So, I see the impact of the breach in regards to red team tools. We're still going to use the same tools, we're still going to be able to assess our customers in the most appropriate way. And there's still tremendous value in those assessments. It's unvarnished truth about how good your security is.

I think as a security company, we were targeted by somebody who recognized that what we do in the industry is relevant, that we are constantly the ones that potentially stop or expose the folks that targeted us. That is the nature of our business. We're going to continue to do those sort of things.

So, I think that folks inside security, security conscious professionals recognize that FireEye will always be targeted by the best threat groups on the planet. And we've done a damn good job thwarting them for a long time. And we're going to continue to always bolster our defenses, and at the same timeframe, we'll continue exposing the means and methods by which folks are attacked.

Fatima Boolani

Frank, does this change the way you think about or give you some pause around how you're thinking about the complexion of the 2021 pipeline and set of opportunities?

Frank Verdecanna

No, the way we're handling this incident, I think we'll continue to build and gain that credibility and trust with our customers. So, we look at it as something that we're doing everything we can to address, and I think we're doing it the right way for the security community and for our customers, with our customers being the focus. I think this will be one of those things that we'll manage through. But, no, I don't think it changes kind of our view of the potential environment and opportunities ahead of us.

Fatima Boolani

Fair enough. Well, I want to cap it there. And I want to thank you both for a very candid and terrific dialogue and discussion. And Kevin, thank you in particular for joining us on short notice. Appreciate the time.

Kevin Mandia

Thank you, Fatima. Take care.

Frank Verdecanna

Thanks, Fatima.

Fatima Boolani

Thank you.