CRWD concern

Expressing concerns over a board favorite company is fraught with peril. I am certain that I will catch much flack for this posting because Crowdstrike is a huge favorite of this board; and even for me. At present, it’s the largest holding in my portfolio.

But I feel duty bound to this board, especially to those who have 20 and in some reported cases 30% of their portfolio wrapped up in Crowd. I’m concerned that this stock presents a unique risk quite different from most of the stocks discussed here (except other security companies). The risk is that CRWD is a one product company. By “one product”, I don’t mean it sells only one application or program. In fact, it has many of those. But all it really sells is security. If a major hack of its customers occurs, the stock will probably suffer a catastrophic loss and not recover for quite some time.

A good example is Solarwinds Corp. While never a match for CRWD, SWI was tootin’ along well in 2020 having gained 30% by December 8th of that year. And then disaster (coincidentally on the day of its year’s high). Its customers suffered a major hack and the stock fell from $23.55 to $14.18 in 8 trading days. That’s a 60% drop. Today, 6 months later, SWI trades at $17.01; down 28% from its high. And bear in mind that SWI is not a provider of security software like CRWD. Instead, it provides information technology infrastructure management software.

How to protect oneself with a one product company? An obvious move would be to lighten up in portfolios where CRWD is heavily weighted. Another move might be to diversify with other security companies like Okta or Zscaler, although a major hack of one might cause all to fall in unison. Buying a put option is an option (no tautology intended), but the premiums are high and the duration of protection is limited. If you wanted to protect the current stock price, the premium is about 15% for 7 months protection.

20 Likes

Thanks for sharing your thoughts. However, I don’t think SWI’s drop was only due to a major hack. There must be something else. You can easily tell the difference between SWI and CRWD by the numbers of revenue growth: CRWD’s revenue is growing at 70-80% pace while SWI’s is growing less than 10% annually and was growing at about 10% as well even before the hack. This simply tells that CRWD is a winner in its market while SWI is not. It’s no surprise that the market does not value a 10% grower.

There’s definitely chance that CRWD can have security accident in the future as well, but as long as its product remains the best in its market and they react timely to fix any issue popping up, I think their customers will still retain.

Remember that in 2018, there was severe data leak by Facebook disclosed and people started #deletefacebook? You could think similarly that Facebook is kind of a “One Product company” as well, since almost all their revenue comes from ads, which essentially rely on their user base. Now 3 years passed, as we can see, the monthly active users of Facebook is still growing and they’re doing just alright.

Luffy

22 Likes

Hi MagellansQuest and Luffy

First of all - they are effectively offering a platform as a service which has a range of security solutions within it. It is unlikely going to be a breach or flaw at the platform level more likely within a solution area.

Secondly, we have had 20 years of cyber security businesses providing a range of solutions from antivirus software through to encryption through to firewalls. This kind of catastrophic failure has never happened to a cybersecurity company ever as far as I can recall no matter what the breach situation. RSA, Norton, Cisco, Symantec, CheckPoint Software, Palo Alto all continue to do better than survive in their respective forms.

Thirdly - a breach like that and the company share price of SWI is only down 28%? My portfolio was down 28% from its peak for much of this year after January/February. We have to live with the prospect of an 80% probability of a 50% pull back in growth investing and that is just stock price gyrations let alone underlying fundamental challenges like a breach.

Fourthly, companies that suffer security or data breaches seem to keep going - look at Microsoft, Facebook, Intel, AMD, Equifax, Capital One etc. (As Luffy points out in the case of Facebook - another one product/platform company).

I wouldn’t be worried about this scenario as far as a “catastrophic failure” is concerned. Of course from a portfolio risk management perspective, I might be tempted to limit my exposure in any one stock and look at multiple ways to play a mega theme like cybersecurity as diversification to both drive returns and limit risk - so I am in both Crowdstrike AND Zscaler (and have been in Okta until recently) and if you want to include Elastic and Datadog I guess you could count their solutions in the cyber security arena too. Just as I am in Shopify, Global-e Online, Mercadolibre and Sea in the eCommerce space. In any event - I try to not let any one stock get passed 20% and look for multiple ways to play a mega theme without diluting performance where possible.

Anyhow - I don’t want to get into portfolio management which is off topic here.

Ant

42 Likes

Its customers suffered a major hack and the stock fell from $23.55 to $14.18 in 8 trading days. That’s a 60% drop.

Actually, a drop of $9.37 is a 40% drop.

9 Likes

When it comes to security companies, I agree that it’s worth at least a discussion about the investment risks, and also looking at some history. Back in May I posted a long security company related story here (https://discussion.fool.com/full-story-of-the-stunning-rsa-hack-… ), which got 58 likes before it was deleted by TMF for what they apparently thought was excessive quoting.

That post linked to a story in Wired magazine about a breach a decade ago at what was arguably the preeminent security company at the time: RSA. Here’s the link again: https://www.wired.com/story/the-full-story-of-the-stunning-r… It’s a good read and you don’t need to be very technical to understand it.

What happened then was that hackers got into RSA’s SecurID manufacturing network and stole the key seeds. What raised my eyebrows was that RSA executives were told by their people that their manufacturing network was air-gapped, that is with no connection to any machine that could reach the internet, but that wasn’t actually true. There was a single opening in the firewall to another RSA server that would get key seeds, encrypt them, and write them to a CD that was delivered to customers. Those keys were unfortunately kept as a backup on that server. Why that server needed internet access is not explained in the article. RSA had to replace all the SecurID fobs in existence, but they were not able to do so in time as at least Lockheed Martin was hacked as a result, and attacks were also apparently made against Northrup Grumman and L-3.

The breach actually started with an email phishing attack that exploited a flaw in Adobe Flash. Astoundingly, that email was correctly and automatically placed in the user’s Junk folder, but he sought it out and opened it anyway! A contemporaneous story on that is here: https://www.bankinfosecurity.com/tricked-rsa-worker-opened-b… in which it is described how gaining access to a low-level employee’s machine was enough for the attacker to move up the chain throughout the company.

Anyway, my point here is that whether it’s a supply-chain escalation like we saw with Solar Winds, or an internal user machine/account escalation like the RSA attack, the whole premise of perimeter security is flawed. Once you punch a hole in the firewall, that firewall is compromised - yet if you don’t punch any holes then the machines are air-gapped and not as useful since there’s no exchange of information even within your own company. And once you’re inside, the security is often pretty lax.

The SolarWinds attack was first found out when it was used against FireEye, a security company (https://www.nytimes.com/2020/12/08/technology/fireeye-hacked… ) in which a secure toolkit was stolen. Ironically, FEYE hit its ATH after that report! Some claim because it was FireEye’s internal processes that enabled it to detect the breach, which otherwise may have gone on for many months undetected. BTW, that article points out that McAfee, Symantec, Trend Micro, Kaspersky, and Symantec have all been hacked. Of course, the Solar Winds attack has been used against many other companies as well. Like the outages we’ve recently seen with CDNs from Cloudflare, Fastly, and Akamai, it appears no one is immune

Within the last decade a new security paradigm called “Zero Trust” has emerged and is gaining traction. The term was coined by a Forrester analyst named John Kindervag, with the first known widespread implementation by Google in 2014 for its own internal use, called BeyondCorp. I like to think of Zero Trust as a step beyond the Russian “Trust, but verify” concept (https://en.wikipedia.org/wiki/Trust,_but_verify#Origins ). In the perimeter/firewall model, once you’re inside the perimeter you’re assumed to be verified with only cursory controls in place to limit access. In Zero Trust, literally every transaction between machines is sent instead to a separate validation server, which determines if the transaction can proceed. Since that validation server is run by the security company, it is kept up to date and can be programmed to do whatever is desired as opposed to a simple rule-based security check.

Many of the security companies popular on this board provide Zero Trust products:
ZScaler: https://www.zscaler.com/resources/security-terms-glossary/wh…
Cloudflare: https://www.cloudflare.com/learning/security/glossary/what-i…
CrowdStrike: https://www.crowdstrike.com/cybersecurity-101/zero-trust-sec…
Okta: https://www.okta.com/zero-trust/
Paloalto Networks is not a popular investment here, but they talk about Zero Trust, too: https://www.paloaltonetworks.com/cyberpedia/what-is-a-zero-t…

It might be worth pointing out that Okta doesn’t itself provide a Zero Trust solution. They provide Identity Access Management (IAM), which is a crucial input to a Zero Trust solution. You can’t grant or deny access properly unless you absolutely know who is making the request.

Now I’m not saying Zero Trust is unhackable. There are certainly implementation flaws in some of the products, and additional flaws will be introduced by how the products are deployed. Remember, RSA’s SecurID PKI prime factorization mechanism is still pretty secure even today (https://jonathan-hui.medium.com/qc-cracking-rsa-with-shors-a… ), but successful hackers didn’t go after the mechanism directly. That will always continue to be the case, and I believe email phishing continues to be the primary attack vector (as it was in the Podesta DNC hack back in 2016). ZScaler, for instance, has a number of blogs about email phishing, such as this one: https://www.zscaler.com/blogs/security-research/microsoft-th… in which ZScaler claims its cloud blocked 2500 different kinds of email phishing attempts in early 2021.

At this point, I’m comfortable with my investments in CRWD, NET, and ZS - not because they’re hack-proof, but because they will react quickly and with professionalism, as FireEye did.

86 Likes

The SolarWinds attack was first found out when it was used against FireEye, a security company (https://www.nytimes.com/2020/12/08/technology/fireeye-hacked…… ) in which a secure toolkit was stolen. Ironically, FEYE hit its ATH after that report! Some claim because it was FireEye’s internal processes that enabled it to detect the breach, which otherwise may have gone on for many months undetected.

… err itt hit a 52 week high as it rose above 20 but its all time high was back in 2013/14 when it reached above 80 and has been on a decline down to ~10 ever since.

Ant

3 Likes