Cyber security investing? Anyone?

Cyber security investing? Anyone?

In reading the news lately I’ve been hearing about the large hack at Yahoo, at a massive Credit Rating company, about the Russians hacking into everything (and I read that Homeland Security just notified Congress that that the Russians had tried hacking 21 states in the last presidential election), and danger of hacking from North Korea, and on, and on, and on.

It gives me the feeling that there MUST be good investments in cyber-security. How can there not be? Yet no-one is talking about cyber-security, my past positions in some cyber stocks petered out, my impression, which may be totally wrong, is that these stocks have been going nowhere. Do any of you follow them? Can anyone give us a rundown of what the situation is? Have they become commoditized? What in the world is the problem? Logically, this should be one of the fastest growing sectors of all time. If anyone can give us any kind of a comprehensive, or even not-so-comprehensive, summary of the field, I think we’d all appreciate it.

Saul

Know very little myself but had kept this article and if you google, a fair bit comes up…and TMF have quite a few articles.

https://seekingalpha.com/article/4052530-cybersecurity-best-…

I can’t speak to the request for a comprehensive review but there is a particular cybersecurity stock I am wondering if others are looking at - OKTA - which offers Identity as a Service. The company where I work has implemented it and seems to work well. From the end user perspective, when I log into our VPN, or our SharePoint or Azure sites, OKTA handles part of the authorization. If I get directed to a potential phishing website, OKTA puts up a web screen and makes me respond to an email to make sure I am conciously going to this site. There is also an app that I needed to install authorize me to use company intranet and email on my personal iPhone.

I believe they make money on a subscription basis and TAM is large… so with recurring revenue, possibly a stock this board may be interested in.

I work at a Fortune 1000 company that is pretty tight with money right now so I figure if we bought it there is probably a good value proposition.

Fool.com had a short article in April:

https://www.fool.com/investing/2017/04/14/okta-inc-ipo-what-…

I think they are coming up on a 180 day lockup expiration for employees after their IPO. I’d be interested in hearing other peoples thoughts on this stock.

2K10

From the NY Times today:

The World Once Laughed at North Korean Cyberpower. No More.

When North Korean hackers tried to steal $1 billion from the New York Federal Reserve last year, only a spelling error stopped them. They were digitally looting an account of the Bangladesh Central Bank, when bankers grew suspicious about a withdrawal request that had misspelled “foundation” as “fandation.”

Even so, Kim Jong-un’s minions still got away with $81 million in that heist.

Then only sheer luck enabled a 22-year-old British hacker to defuse the biggest North Korean cyberattack to date, a ransomware attack last May that failed to generate much cash but brought down hundreds of thousands of computers across dozens of countries — and briefly crippled Britain’s National Health Service.

Their track record is mixed, but North Korea’s army of more than 6,000 hackers is undeniably persistent, and undeniably improving, according to American and British security officials who have traced these attacks and others back to the North.

Amid all the attention on Pyongyang’s progress in developing a nuclear weapon capable of striking the continental United States, the North Koreans have also quietly developed a cyberprogram that is stealing hundreds of millions of dollars and proving capable of unleashing global havoc.

Unlike its weapons tests, which have led to international sanctions, the North’s cyberstrikes have faced almost no pushback or punishment, even as the regime is already using its hacking capabilities for actual attacks against its adversaries in the West…

Where the heck are the cyber-security companies? Have they been left behind? Or is everyone trying to save money by not putting in the latest security?

Saul

I good question to ask on the HWTSC board.

Link: http://discussion.fool.com/Messages.asp?mid=32864098&bid=112…

Wayne

Isn’t all the hacking possible evidence that there aren’t good investments in cybersecurity?

Actually, virtually all of the hacking succeeds not because they have defeated some high end cybersecurity tool, but rather because people haven’t taken the most rudimentary steps to secure their systems. Those companies don’t need to be sold some great product; they need to care.

I believe there’s potential there. The hacks are numerous and hitting major companies as well as government agencies. I believe it poses a greater threat to U.S. Security than anything else.

I invested in FireEye FEYE a few years ago after doing some research on the company. Unfortunately, it turned out I bought when it was high…I’m still waiting for a buy out to perk it up but I think they have great people working for them.

Buying high is the investor’s lament.

Okta sounds interesting but I have my fill with FEYE.

Lucky Dog

Saul,
I haven’t kept up with the field of cyber security, though before I retired I was pretty deeply involved in it. I was not in the computer security department, but I worked closely with many who were. I had at one time worked for the guy who was a high level manager of the organization and had meetings with him and members of his group. So, while I have relevant background, I have virtually no current knowledge.

The problem is complex and manifold. First, information/data in need of protection comes in two basic forms. Data at rest and data in motion. Most cyber attacks (but certainly not all) go after data at rest - stored data. But things like intercepted emails, messages phone calls and the like attack information in motion.

I have mentioned before that I am reluctant to invest in companies like Mulesoft (I won’t bother with the list, but all cyber-security firms are in this category) that target IT as a customer. I’ve posted my reasoning earlier. But, it’s pretty much along the lines that IT is a cost center, even in companies that make and sell software, the internal IT department is still a cost center. Management always starves cost centers in that they contribute nothing to the top line and negatively impact the bottom line.

Cyber security is insurance. And, there are an abundance of items to insure: networks, servers, databases, applications and more. And each of those things break down to numerous separate departments. How much insurance is adequate? What is the appropriate allocation of insurance dollars, given the budgetary constraints? Which insurance products provide the most bang for the buck?

And, when it finally comes down to making these decisions, it comes down to people who influence and people who make the spend decisions. The people of influence (I was one these guys) seldom agree on anything. The people who make spend decisions are faced with conflicting and incomplete information. And the decisions aren’t exclusively based on technical merit. What’s the cost model? How viable is the cyber-security company? And so forth.

And this describes a big operation, like Yahoo or Equifax. In a small operation (say state election boards) the situation is even worse. In these situations there is often almost no IT budget, and what little money that is available is focused on functionality. Security is an afterthought at best.

I could elaborate further, but this morning me and my wife are taking a helicopter ride over the island of Hawai’i so I I’ll end it here due to time limitations. But given the 10,000 foot view of the landscape I’ve described, what cyber-security firm would you invest in? My choice is none.

All I can contribute is that it would have had to come through one of the screens in the first instance and the only one that has ever done so is Check Point Software (CHKP) long ago; an Israeli company which I still hold. No other has made the grade. There is an ETF, ticker HACK, about which I know nothing. I know all the names and like you, wait for opportunity to show up. I imagine there is much jockeying for position and of course, some of the big companies are in there as well.

Where the heck are the cyber-security companies? Have they been left behind? Or is everyone trying to save money by not putting in the latest security?

Basically, what brittlerock said.

The NHS attack earlier this year worked so well because there were so many computers on the system running old, out-of-date software (e.g. Windows XP).
It wouldn’t have taken an expensive security company for fix that, just some IT people to actually upgrade the system to say, windows 10, or any operating system that actively provides security updates.

This is why, if you’re still using windows xp, you should upgrade! Microsoft have stopped providing security updates, so your system is vulnerable. There will be millions of computers out there, I’m sure, still running xp. Hackers don’t need to go after people with the latest updates/security systems when there is so many low-hanging fruit about.

You used to be invested in SPLUNK. They provide some security don’t they?

Paying for a cyber-security company provides herd protection. When someone is attacked, you’re hoping for you not to be the one, and for the cyber-security company to detect it and provide protection before you get hit.

I was hoping that awareness in cyber-security would increase back in may after the NHS and worldwide ransomware attack. Didn’t know what to invest in so took a position in the ETF:HACK. However, it wasn’t going anywhere and I wanted to be more aggressive with my stock selection so sold it in September.

Blockchain technology will provide a layer of cyber-security. Forget about bitcoin and other cryptocurrencies. There will be incredible breakthroughs for functional uses for blockchains, but as of yet it’s just a punt/guess as to who or what to invest in.

I used to own CHKP years ago and sold it for some reason…that’s another investor’s lament.

LD

Saul:

I think that is a theme and it could be lucrative. But why now? or why not?

I remember when Target got the security breach there was a spike of interest in such stocks. I guess if people hear more an more about such breaches then the stocks could be a good deal now or a couple of year back…

tj

Saul,

The way IPv 6 is implemented, there is little to prevent an entity from only allowing IPv6 addresses to access a network.

Also, we already have a system of demanding finacial responsibility from an IPv6 address and a way of validating that address.

We use the system with the LTE wireless network and wider system is noy out of reach.

One day a large and powerful entity with say “enough” and the mantra of open internet will be dropped. At that time you will have to show proof of financial accountablity to communicate on the internet. Until then, we have security problems.

Cheers
Qazulight

At one time, I worked for an IT services company and we usually recommended Fortinet or Palo Alto Networks. I’m not sure if they are a good investment opportunity.
~TracyK

Palo Alto Networks seems to be pretty focused on cyber security (Ticker: PANW).

I made some money by gambling on their earnings with $130 call options back at the end of May/beginning of June (2017), but to be honest with myself that was pure luck based solely on thinking they were bound to have a good quarter after a few consecutive bad quarters. I think I have gotten most of that style of gambling on earnings out of my system in the past 3-5 months.

Here’s a link to their presentations on their investor relations page:
http://investors.paloaltonetworks.com/phoenix.zhtml?c=251350…

They had an investor day on September 27, 2017, which might have some decent info in it.

I guess if people hear more an more about such breaches then the stocks could be a good deal now or a couple of year back…

I’m not thinking about people temporarily bidding up the stocks because they hear about the breaches. This should have been a top sector for years now, but it hasn’t. I’m thinking about why all these companies, and government agencies, and political national committees, don’t protect themselves. I think Brittlerock answered it: they don’t want to spend the money, and they don’t understand the problem. (“We’ve been going along for years without being hacked so why should we spend the money?”)

I guess I won’t invest in any cyber-security stocks.

Saul

the only one that has ever done so is Check Point Software (CHKP) long ago; an Israeli company which I still hold.

That’s interesting! Check Point sells Zone Alarm, which I run at home. Zone Alarm uses the Kaspersky AV engine.

Israeli intelligence officers looked on in real time as Russian government hackers searched computers around the world for the code names of American intelligence programs.

https://www.nytimes.com/2017/10/10/technology/kaspersky-lab-…

Israel hacked Kaspersky to do this, according to the article. The reasoning goes along the lines of: Anti-Virus software has to have all kinds of permissions to detect viruses. So hacking the AV company gives access to all sorts of interesting information. FWIW: The Russians hacked Kaspersky to get the classified documents - or Kaspersky co-operated w/ the government. Either way, it’s mostly government-scale hacking.

That said, I’ll stick with Zone Alarm at home. I’m retired and not of much interest to government hacking. Besides, Zone Alarm doesn’t require an internet connection to function, unlike some other products. (I’ve had to disinfect my husband’s PC several times over the years and it’s good to boot into safe mode w/o network connections to do a decent job.)

The way IPv 6 is implemented, there is little to prevent an entity from only allowing IPv6 addresses to access a network. Also, we already have a system of demanding finacial responsibility from an IPv6 address and a way of validating that address. We use the system with the LTE wireless network and wider system is noy out of reach. One day a large and powerful entity with say “enough” and the mantra of open internet will be dropped. At that time you will have to show proof of financial accountablity to communicate on the internet. Until then, we have security problems.

gazulight, I think you are saying something which may be really important but I don’t have a clue what it is. Could you explain it in English?

Thanks,

Saul

Palo Alto Networks seems to be pretty focused on cyber security (Ticker: PANW). I made some money by gambling on their earnings with call options back at the end of May…, but to be honest with myself that was pure luck based solely on thinking they were bound to have a good quarter after a few consecutive bad quarters.

There’s the crux of the problem: How can a company focussed on cyber security have “a few consecutive bad quarters” in this day and age. It’s incredible!

Saul

How can a company focussed on cyber security have “a few consecutive bad quarters” in this day and age. It’s incredible!

In part because we have no real dominant overall player. We have companies which have large slices of the individual AV market, mostly because they work deals to get their software installed by default on new systems, but the more sophisticated corporate stuff no one company is dominant.