Date: 2020-12-22

Making a parallel with the coronavirus, there should also be gains across the whole IT security space as the list of impacted companies grows.

While it is FireEye, an IT security company, that played a vital role in detecting the attack, Fortinet seems particularly well positioned to benefit from the adoption of preventive measures.

This follows the hacking of SolarWinds' network management software and the use of the breach to target Microsoft, among others.

There has been a higher level of activity among IT Security plays during the last week in the stock market.

The state-sponsored hackers who breached SolarWinds (SWI), an IT service management company, earlier this year also targeted Microsoft's (NASDAQ: MSFT) network in an attempt to reach other companies.

During the cyber-attack, which was more specifically perpetrated against SolarWinds’ Orion platform, thousands of customers, including American Departments of Defense, State, Treasury and Internal Security, could also have been impacted. Investigations are being carried out with the list of affected organizations still growing.

Now, the financial damage suffered by organizations that are victims of a computer attack is colossal. According to CyberSecurity Ventures, global cyber-crime costs are expected to grow by 15% per year over the next five years, causing damage reaching $10.5 trillion annually by 2025, up from $3 trillion in 2015.

Figure 1: Rising threat of cyber attacks

Source: blogs.imf.org

To clarify, Microsoft responded to the issue on December 17, detailing some of the measures being taken, but given the unprecedented nature of the attack and the period over which it was active (March to December), more radical measures are required than just carrying out “by-the-book” remedial actions.

This means that, in addition to the usual product updates, antivirus and firewall tools, analytics-based solutions of a more preventive nature are required to identify, monitor and mitigate threats in real time.

To be critical, it is during times like this that service providers tend to exaggerate the suitability of their offerings for combating cyber-crime.

On the other hand, some do have valid solutions from which they can financially benefit, if adopted by companies affected by the hack.

For investors, it is important to filter out the potential beneficiaries, especially at a time when IT managers are navigating amid tight budgets.

The risks

Starting on a positive note, Microsoft has found no evidence “of access to production services” or of customer data being stolen as of now.

Here, investors will note that the software giant is a $1.65 trillion conglomerate with millions of users purchasing its Office range of products and millions more subscribing to Azure cloud services.

One of these subscription services is Office 365, commonly used by corporations including government agencies as an email or office productivity tool to communicate and collaborate.

SolarWinds also makes use of Office 365.

Interestingly, in addition to having seen its own Orion product hacked, SolarWinds’ email system was compromised, and as a result, some data could have been subject to leakage.

More importantly, remediation steps have been taken to address the compromise, but there is no indication that this breach is related to the attack on its Orion software.

Now, Orion is legitimate software sold by the IT monitoring company as a tool for managing networks and, as such, provides access to servers and storage devices throughout the company’s datacenter. According to InfoSecurity magazine, attackers appear to have trojanized Orion.

Figure 2: SolarWinds' Orion platform

Source: Solarwinds.com

As corrective action, SolarWinds has asked customers using certain Orion platform software versions to upgrade as soon as possible to secure their IT environments.

Taking a glance at markets, despite the sophistication of the attack, Microsoft's share price seems to have been relatively spared and is trading only slightly lower compared to the wider Information Technology industry, represented by the Vanguard Information Technology ETF (VGT). However, this was only during the last five days and things may change as the attack is still ongoing and more damage is uncovered.

For now, the market seems to have been comforted by the breach being identified, actively investigated and addressed by cyber-security teams in the public and private sectors, including Microsoft's own IT security personnel acting as first responders.

Figure 3: Microsoft, VGT, Fortinet and FireEye share price performance

Data by YCharts

Exploring further, Microsoft has identified more than 40 customers that the attackers had targeted more precisely. Also, roughly 80% of these customers are located in the United States with the rest in Canada, Mexico, Europe and the Middle East.

Figure 4: Victims of the recent cyberattack

Source: Microsoft.com

Coming back to the chart (figure 3), some investors will have noticed the upward trajectory of Fortinet's (FTNT) share price. This was despite JPMorgan having earlier downgraded the stock due to its high valuations in expectation of a rotation to value stocks with the vaccine recovery.

The solution

In addition to Fortinet, which is a provider of security solutions to enterprise and government, there has also been a more pronounced upside in FireEye's (NASDAQ: FEYE) stock, which appreciated by 10%.

The reason, according to TechTarget, is that the latter, in a joint effort with Microsoft, played a vital role in identifying the threat and in developing a kill switch to stop propagation of the attack in some of the infected cases.

Hence, it should be in pole position to benefit as companies are eager to identify any malicious threats on their networks, but there are other IT security plays too, including NortonLifeLock (NLOK), Palo Alto Networks (PANW) and FireEye. These four stocks appreciated by 2% to 5% during the last week.

Thinking aloud, this market includes established vendors offering firewalls, devices which sit at the boundary between a corporation's own network and the public internet. These devices are considered the first line of defense against cyber-attacks.

Firewalls now offered as a service (FWaaS) provide additional capabilities, such as intrusion detection and prevention.

Now, the most prominent plays in Gartner's classification include Palo Alto, Fortinet and Check Point (NASDAQ: CHKP) but not FireEye. One reason for this is that the magic quadrant dates back to November 2020, before FireEye had played a key role in the Orion hack.

Figure 5: Gartner's Magic Quadrant for Network Firewalls

Source: gartner.com

Now, unless an investor is ready to purchase all of the three stocks, which would not be wise, it becomes important to proceed with a financial analysis, including key past performance metrics like profitability, revenue growth and debt level. I also include FireEye as this company can simply no longer be ignored.

Figure 6: Comparison of financial metrics

Source: Seeking Alpha

Now, for debt-averse investors, Check Point with practically no debt also has superior profitability. On the other hand, its revenue growth is considerably low.

As for Palo Alto, it exhibits double-digit growth figures but a very high debt level, and while the company stands to benefit as an IT security play, there is no indication at this stage that it is likely to benefit more than peers.

FireEye has a lower revenue growth which explains its lower valuation, but this may all change depending on the way its marketing team is able to transform current fame into revenues.

Therefore, the ideal security play from a technical and financial perspective appears to be Fortinet with a low debt position and high revenue level, but some more justification is required before turning bullish.

Valuations and Key takeaways

Looking into the practical side of things, due to the sheer quantity of logs generated per day by firewalls and other security devices, it becomes painful for Security Operation Center (“SOC”) and Network Operating Center (“NOC”) teams to go through each event one by one.

The solution is automation, whereby logs are filtered and the most critical ones escalated for actionable decisions. This calls for solutions like Security Information and Event Management (SIEM) tools, which collect security data from network devices, servers and domain controllers and aggregate it for analysis.

In this context, FortiSIEM by Fortinet ranks among the top ten SIEM tools as per a listing by IT Central Station, a product review website. This better rating with respect to peers is confirmed through Trust Radius, another review site.

Also, Fortinet seems to have more commitment to an integrated approach to security by combining SOC and NOC operations with its FortiSIEM solution, in an era where cyber-attack trends appear to be geared towards gaining entry to the network by compromising legitimate software. On this point, some will remember the NotPetya attacks in 2017, which began through the use of a Ukrainian accounting software package to deliver malware via updates.

Figure 7: FortiSIEM by Fortinet

Source: fortinet.com

Perusing further, SolarWinds currently believes that the actual number of customers that have had an installation of the compromised Orion products is fewer than 18,000. However, this is on the high side as the vulnerability has propagated much further given the period of attack (nine months), similarly to the coronavirus.

In this case, only detection, this time through IT antivirus tools, can provide a clear indication of whether the 18,000 companies whose networks may have been compromised could in turn have been used to attack other corporations or people.

This signifies an enlarged market for more enhanced IT security.

Looking further, Microsoft also has Defender, an antivirus solution for Office 365, but users seem more inclined towards other endpoint (desktop and laptop) protection tools like the ones offered by NortonLifeLock, formerly known as Symantec.

Finally, implementation of security solutions is normally performed as projects, which often take time depending on network complexity and IT teams. Enterprises and government are more likely to trust companies they already work with, including Fortinet, Palo Alto and FireEye. These have automated their security management suites to respond to threats more effectively.

However, Fortinet has a cost differentiator.

In this respect, at the highest revenue growth of nearly 20%, the company not only has a better offering but also seems to propose a differentiated pricing strategy. In fact, some reviewers on Trust Radius credited it with better product prices.

Hence, similarly to biotech counterparts developing anti-COVID testing, Fortinet should benefit and grow revenues at a faster rate.

Based on the trailing Price/Sales metric, I see an upside to the $155-160 range by the end of the year.

Disclosure: I/we have no positions in any stocks mentioned, but may initiate a long position in SWI, FTNT over the next 72 hours. I wrote this article myself, and it expresses my own opinions. I am not receiving compensation for it (other than from Seeking Alpha). I have no business relationship with any company whose stock is mentioned in this article.

Additional disclosure: This is an investment thesis and is intended for informational purposes. Investors are kindly requested to do additional research before investing.