When it comes to security companies, I agree that it’s worth at least a discussion about the investment risks, and also looking at some history. Back in May I posted a long security company related story here (https://discussion.fool.com/full-story-of-the-stunning-rsa-hack-… ), which got 58 likes before it was deleted by TMF for what they apparently thought was excessive quoting.
That post linked to a story in Wired magazine about a breach a decade ago at what was arguably the preeminent security company at the time: RSA. Here’s the link again: https://www.wired.com/story/the-full-story-of-the-stunning-r… It’s a good read and you don’t need to be very technical to understand it.
What happened then was that hackers got into RSA’s SecurID manufacturing network and stole the key seeds. What raised my eyebrows was that RSA executives were told by their people that their manufacturing network was air-gapped, that is, with no connection to any machine that could reach the internet, but that wasn’t actually true. There was a single opening in the firewall to another RSA server that would get key seeds, encrypt them, and write them to a CD that was delivered to customers. Those keys were unfortunately kept as a backup on that server. Why that server needed internet access is not explained in the article. RSA had to replace all the SecurID fobs in existence, but they were not able to do so in time, as at least Lockheed Martin was hacked as a result, and attacks were also apparently made against Northrop Grumman and L-3.
The breach actually started with an email phishing attack that exploited a flaw in Adobe Flash. Astoundingly, that email was correctly and automatically placed in the user’s Junk folder, but he sought it out and opened it anyway! A contemporaneous story on that is here: https://www.bankinfosecurity.com/tricked-rsa-worker-opened-b… in which it is described how gaining access to a low-level employee’s machine was enough for the attacker to move up the chain throughout the company.
Anyway, my point here is that whether it’s a supply-chain escalation like we saw with SolarWinds, or an internal user machine/account escalation like the RSA attack, the whole premise of perimeter security is flawed. Once you punch a hole in the firewall, that firewall is compromised - yet if you don’t punch any holes then the machines are air-gapped and not as useful since there’s no exchange of information even within your own company. And once you’re inside, the security is often pretty lax.
The SolarWinds attack was first found out when it was used against FireEye, a security company (https://www.nytimes.com/2020/12/08/technology/fireeye-hacked… ) in which a secure toolkit was stolen. Ironically, FEYE hit its ATH after that report! Some claim because it was FireEye’s internal processes that enabled it to detect the breach, which otherwise may have gone on for many months undetected. BTW, that article points out that McAfee, Symantec, Trend Micro, and Kaspersky have all been hacked. Of course, the SolarWinds attack has been used against many other companies as well. Like the outages we’ve recently seen with CDNs from Cloudflare, Fastly, and Akamai, it appears no one is immune.
Within the last decade a new security paradigm called “Zero Trust” has emerged and is gaining traction. The term was coined by a Forrester analyst named John Kindervag, with the first known widespread implementation by Google in 2014 for its own internal use, called BeyondCorp. I like to think of Zero Trust as a step beyond the Russian “Trust, but verify” concept (https://en.wikipedia.org/wiki/Trust,_but_verify#Origins ). In the perimeter/firewall model, once you’re inside the perimeter you’re assumed to be verified with only cursory controls in place to limit access. In Zero Trust, literally every transaction between machines is sent instead to a separate validation server, which determines if the transaction can proceed. Since that validation server is run by the security company, it is kept up to date and can be programmed to do whatever is desired as opposed to a simple rule-based security check.
Many of the security companies popular on this board provide Zero Trust products:
Zscaler: https://www.zscaler.com/resources/security-terms-glossary/wh…
Cloudflare: https://www.cloudflare.com/learning/security/glossary/what-i…
CrowdStrike: https://www.crowdstrike.com/cybersecurity-101/zero-trust-sec…
Okta: https://www.okta.com/zero-trust/
Palo Alto Networks is not a popular investment here, but they talk about Zero Trust, too: https://www.paloaltonetworks.com/cyberpedia/what-is-a-zero-t…
It might be worth pointing out that Okta doesn’t itself provide a Zero Trust solution. They provide Identity Access Management (IAM), which is a crucial input to a Zero Trust solution. You can’t grant or deny access properly unless you absolutely know who is making the request.
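As an added illustration (example code, not from the post or from any vendor named in it) of the per-request validation described in the Zero Trust paragraph above and of the IAM input noted here, the following contrasts a perimeter-style decision with a policy check that weighs identity, entitlement and device posture on every request; the request fields, entitlements and sample scenarios are all constructed and hypothetical.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Request:
    src_ip: str               # where the connection originates
    user: Optional[str]       # identity asserted by the IAM layer (None = not authenticated)
    mfa: bool                 # identity was verified with a second factor
    device_managed: bool      # device posture attested by an endpoint agent
    resource: str             # what is being accessed

# Constructed IAM input: who is entitled to which resource (hypothetical names).
ENTITLEMENTS = {
    "alice": {"hr-payroll", "wiki"},
    "bob": {"wiki"},
}
# Constructed set of resources that additionally require a managed device.
SENSITIVE = {"hr-payroll", "seed-backup-server"}

def perimeter_decide(req: Request) -> bool:
    """Perimeter model: anything already inside the network is trusted."""
    return req.src_ip.startswith("10.")

def zero_trust_decide(req: Request) -> bool:
    """Policy point consulted on every request; network location carries no weight."""
    if req.user is None or not req.mfa:
        return False                       # unknown or weakly verified identity
    if req.resource not in ENTITLEMENTS.get(req.user, set()):
        return False                       # authenticated but not authorised
    if req.resource in SENSITIVE and not req.device_managed:
        return False                       # right user, untrusted device
    return True

# Constructed scenarios mirroring the post: a phished employee's internal
# workstation reaching for the seed backups, and a legitimate employee working remotely.
SCENARIOS = {
    "phished_workstation": Request("10.1.2.3", "bob", False, True, "seed-backup-server"),
    "remote_employee":     Request("203.0.113.7", "alice", True, True, "hr-payroll"),
    "remote_unmanaged":    Request("203.0.113.7", "alice", True, False, "hr-payroll"),
}

def compare(name: str) -> dict:
    """Return both models' verdicts for one named scenario."""
    req = SCENARIOS[name]
    return {"perimeter": perimeter_decide(req), "zero_trust": zero_trust_decide(req)}

if __name__ == "__main__":
    for name in SCENARIOS:
        print(name, compare(name))
```

The point the post makes shows up directly: the perimeter model waves through the compromised internal workstation and blocks the legitimate remote employee, while the per-request check does the opposite.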
Now I’m not saying Zero Trust is unhackable. There are certainly implementation flaws in some of the products, and additional flaws will be introduced by how the products are deployed. Remember, RSA’s SecurID PKI prime factorization mechanism is still pretty secure even today (https://jonathan-hui.medium.com/qc-cracking-rsa-with-shors-a… ), but successful hackers didn’t go after the mechanism directly. That will always continue to be the case, and I believe email phishing continues to be the primary attack vector (as it was in the Podesta DNC hack back in 2016). Zscaler, for instance, has a number of blogs about email phishing, such as this one: https://www.zscaler.com/blogs/security-research/microsoft-th… in which Zscaler claims its cloud blocked 2500 different kinds of email phishing attempts in early 2021.
At this point, I’m comfortable with my investments in CRWD, NET, and ZS - not because they’re hack-proof, but because they will react quickly and with professionalism, as FireEye did.