Investing in Modern Cybersecurity: Threat Intelligence & Application Security
01 September 2022
Everyone understands the importance of cybersecurity for modern-day life; however, the technology and, therefore, the investment universe often remain veiled behind the curtain of numerous acronyms and technical jargon. In this five-part series, we will unveil the world of cybersecurity and highlight the investment opportunities it offers.
The modern framework
A modern cybersecurity ecosystem focuses on protecting data and code while providing real-time visibility and analytics.
Numerous megatrends drive the industry: global connectivity, the Internet of Things, growing attack surface, transition to the cloud, and astronomical costs of cyberattacks, among others.
The ecosystem, composed of cloud, application, network, data, and endpoint security, is set to generate >$300bn in revenues by 2026 with an 11% 5Y CAGR.
Threat intelligence (TI) provides real-time analytics, information, data, and insights into a firm's cyber environment to cybersecurity teams.
The threat intelligence sector represents a $17bn market opportunity by 2026, growing at a 14% 5Y CAGR.
Since TI is becoming less of a standalone option and is often integrated into existing solutions, the market is consolidating. Prominent players IntSights and RiskIQ have been acquired by Rapid7 and Microsoft, respectively. Tenable, Qualys, and Rapid7 are the noteworthy listed players.
Software may be run on-premises, in the cloud, or on endpoints and needs to be secured both when developed and when deployed.
Application security includes code testing, runtime security, application firewalls, and cloud-native application protection platforms.
Growing at a 22% 5Y CAGR, mission-critical application security is led by listed Palo Alto Networks and its smaller private counterparts, e.g., Veracode, WhiteSource, and Aqua Security.
The modern framework
Securing data from "birth" to "death"
A vast cybersecurity ecosystem focuses on a customer's complete journey: from the data a customer generates and its subsequent use to its "erasure." It is essential to understand that on the cloud, data cannot be erased in a typical way, and there is no way to ensure that every copy is permanently gone. This fact further reinforces the importance of cybersecurity - you will have to protect data forever. The entire ecosystem concentrates on this, and it is not surprising that it is expected to reach a total addressable market of $310bn (2026e) and grow at an 11% 5Y CAGR. Briefly, the cybersecurity domains are:
- Application – App security includes security measures that prevent and protect the data or application code from being stolen or tampered with and the tools used to detect potential weaknesses.
- Endpoint – Focuses on securing entry points into the network, which include end-user devices (e.g., smartphones), smart and IoT devices, etc.
- Network – This vast sector includes multiple technologies to protect IT communication networks, e.g., monitor traffic, prevent & detect potential threats, and control access.
- Cloud – Cloud security protects data and processes hosted online via cloud computing platforms with various technologies and encompasses most sectors listed here.
- Data – Protects digital data, mainly stored in databases, from destruction or damaging actions, predominantly by unauthorized users.
- Services – Covers a vast range of services directly related to cybersecurity that rely on a qualified workforce and not necessarily on specific technologies.
Of the sectors above, application and data security are among the fastest-growing (~22% CAGR), although their addressable market remains modest compared to the more encompassing cloud and network security markets or the mammoth services market.
Undeniable mega drivers
The cybersecurity industry is driven by a myriad of megatrends and drivers, from the rising number of digital threats to growing data complexity and massive government support. Some of the most significant drivers are detailed below:
- Increasing attack surface. Global internet connectivity has led to an increasing number of "things" that may be connected to the network. Each device is an additional entry point and must be digitally secured, which is not necessarily easy on low-power devices without much computing power. Modern cybersecurity must monitor and prevent attacks on more than 200bn connected devices.
- Data exponentiality. The number and quality of sensors, e.g., cameras on smartphones, and smart home systems, accelerate the amount of data produced and, thus, the data to be secured. According to IDC, global data creation will reach 181 zettabytes in 2025, corresponding to a 23% 2020-25 CAGR.
- Astronomical costs of cyberattacks. Businesses worldwide have suffered ~$6.9bn of cybercrime-induced monetary damages in 2021. This is 4x more than five years ago. The only option to decrease these losses is to invest in cybersecurity.
- Transition to "cloud-native" security. The traditional but obsolete cybersecurity framework is called "castle-and-moat": the company's internal network is protected with firewalls and other legacy solutions, e.g., VPN. However, businesses are moving their operations to the cloud, which requires entirely redesigning all the cybersecurity frameworks to benefit from the cloud advantages. The new cybersecurity model that has triggered massive investments is "cloud-native," i.e., intrinsically designed to account for a cloud environment. Some businesses choose not to do it to cut costs but end up paying a much greater price.
- Rising privacy concerns. Growing privacy concerns and digitalization of previously analog industries such as healthcare accelerate cybersecurity upgrades and adoption.
- The increasing importance of identification. The importance of identification is undeniable given the scale of phishing, hacks, and breaches in an increasingly remote workforce, e.g., over 22bn records were compromised in 2020. Organizations are massively investing in an additional layer of security to improve their access and identity management, driving industry growth.
- AI and ML. As the threat landscape changes, security vendors are implementing AI/ML and automation to address the scale of modern security needs. AI/ML may better contextualize and analyze a greater amount of data, and suggest or even take immediate action, turning modern cybersecurity from reactive to proactive.
- Digitalization of war. Warfare has become network-centric, and governments are now the most targeted entities. Modern cyberwarfare targets unprotected public utilities, prisons, defense sites, and transport hubs aiming for civil unrest and disruption. Governments have no choice but to invest in cybersecurity and upgrade public infrastructure.
You may visualize the complete cybersecurity "journey" and how all the sectors are interconnected on the map we provide below. This series will cover each sector separately and explain its leading technologies, drivers, and where investment opportunities may be found in the investment universe.
In this issue, we start our journey with one sector that interconnects everything in one "cockpit" to provide analytics and real-time observability - Threat Intelligence, followed by Application Security - the father of the entire digital world.
The All-Seeing Eye of Cybersecurity
Cyber Threat Intelligence (TI) uses all available resources on all levels in the organization to understand threats in order to better prepare for and prevent potential attacks. More precisely, TI collects data from a multitude of internal and external sources (public security databases, threat libraries, news, internal logs, previous incident reports, current network state, connection lists, etc.) and uses it to pinpoint potential threats, weak points, and unwanted IP addresses. Cybersecurity teams then use the data and insights for attack emulation, real-time analytics, and, if necessary, incident response.
The sector is mainly driven by three factors: 1) injection of artificial intelligence/machine learning for data analysis, 2) the growing amount of data to analyze, and 3) an exponentially growing attack surface. Indeed, manually analyzing a copious amount of data about all the potential threats and looking for the weakest link is a very labor-intensive process. Combining AI/ML with many data sources and connecting it to the company's entire digital ecosystem means real-time, up-to-date analytics and insights every millisecond. Not surprisingly, the demand for threat intelligence has only started to materialize.
As seen in the diagram, modern Threat Intelligence platforms consist of a platform and three "main" services and technologies:
(1) the central threat intelligence platform aggregates and analyzes information from different sources;
(2) Digital Risk Protection Services (DRPS) broadens the monitoring area to external assets (fake social media accounts, stolen brand assets, misinformation) and may automatically take down such accounts and remove sensitive data;
(3) External Attack Surface Management (EASM) ingests additional data sources and uses proprietary algorithms to present organizations with an outside "bird's eye view" of their environment for easier digital inventorization and simulations, i.e., viewing organizations through the eyes of a hacker. External Attack Surface Management scans servers, the cloud, 3rd-party software code, and everything in and beyond the perimeter. EASM may even help understand what will happen with the cybersecurity environment if two companies complete an M&A;
(4) Vulnerability Management (VM) helps security teams to prioritize specific vulnerabilities and improve cyber defenses. VM, in turn, relies on two technologies: Vulnerability Prioritization (VP) and Breach & Attack Simulation (BAS), which do precisely what their names suggest. For example, BAS will view the environment from the attacker's standpoint and simulate common attacks to test cybersecurity measures.
The investment opportunity
Even though Threat Intelligence providers must rely on different sources for comprehensive analytics, they have more often than not entered the market using only a few but unique sources. This has left the market reasonably fragmented, and most players have remained on the "private" side. However, consolidation started as the threat intelligence and analytics market gained traction and demand for it increased. TI platforms have become less of a standalone option and are now often integrated into existing solutions from prominent and listed vendors, e.g., RiskIQ has been acquired by Microsoft. On the listed side, Tenable, CrowdStrike, Medtronic, Qualys, and Rapid7 (which has acquired the threat intelligence provider IntSights) provide mainly other types of cybersecurity that we will cover later, but with a threat intelligence platform on top.
The point of departure
Software is at the heart of everything. It usually provides the interface through which users interact with the digital world and is itself a building block of this digital world. It is essential to ensure application security, especially considering its early position in the chain where minor problems may quickly escalate to an unmanageable impact. The mission-critical status of application security (AppSec) results in 22% 3Y revenue and 44% 3Y EPS CAGRs.
Demand for application security is driven by several factors: 1) digitization of previously analog activities requires new software development (e.g., software for restaurants massively boosted by COVID-19); 2) growing use of open-source software that may be more easily tampered with; 3) automation of code assessment makes it a no-brainer to pay "a machine" to test your code against thousands of well-known vulnerabilities; and finally 4) software development companies are legally responsible for testing code to remain compliant with regulatory requirements or are liable for any damage suffered by their customers originating from a flaw in their products.
Software may be developed and run on-premises, in the cloud, or on endpoints and needs to be constantly secured - while being developed and once deployed. Therefore, as shown in the diagram, there are two main "stages" with various security activities.
- The development stage focuses on testing code and looking for vulnerabilities before the code is deployed. The primary Application Security Testing (AST) techniques include:
  - Dynamic AST (DAST) impersonates a user or a hacker and tries to trigger a reaction from the software by performing expected and unexpected manipulations without "seeing" the code.
  - Static AST (SAST), by contrast, accesses the source code to look for errors and scans it against known vulnerabilities.
  - Interactive AST (IAST) runs the application in real time with access to the source code (unlike DAST) and pinpoints vulnerabilities to the exact line of code.
  - Mobile AST (MAST), as the name suggests, focuses on mobile applications (Apple Platform, Google Android) and combines all of the above.
  - Software Composition Analysis (SCA) also analyzes the code. It checks whether the code depends on other open-source code (available to all) and, if so, looks for vulnerabilities and ensures that licensing requirements are respected.
  - Fuzz testing and Chaos Monkey test application resilience against unexpected failures or inputs. The first feeds invalid data to the application, and the second randomly terminates "parts" of the application.
- The post-deployment stage comes when the application is running and concentrates on threat response, code support, and tackling emerging vulnerabilities. The main Application Runtime Security (ARS) techniques include:
  - Runtime Application Self-Protection (RASP) autonomously observes all activity and changes in the runtime behavior (when the application is active) to detect and respond to threats.
  - Application performance monitoring (APM), like RASP, monitors activity to provide data that helps cybersecurity specialists analyze performance, reliability, and application state.
  - Infrastructure-as-code scanning (IaC scanning) is needed as IaC allows programmers to define the structure of the data center via lines of code (definition files) instead of physically configuring hardware or relying on other tools. IaC scanning, as the name explains, checks whether these definition files are correctly configured, e.g., whether your Azure environment is correctly defined or has any potential vulnerabilities.
  - Container security monitors whether the "shells" (that we introduced in a separate article) in which applications are sometimes deployed are correctly configured or are under threat.
  - Application Programming Interface (API) security ensures that APIs - software intermediaries that allow two applications to talk to each other - are correctly configured, and that there are no incoming threats from the connections.
  - Bot management controls the traffic coming from various bots. Like bacteria, there are good bots that help search engines see the application/website and malicious bots that steal information or overload the application.
- Penetration testing may be utilized during the development and deployment stages. It is mainly responsible for simulating attacks to identify vulnerabilities and weak spots.
It is important to note that while any application is being developed (even if it is deployed and running), it will be protected by both Application Security Testing (AST) and Application Runtime Security (ARS) tools.
The investment opportunity
As we have seen, there is an extensive list of main techniques and tools that may be used during application development. No tool is better than another - each has its own use case and application. Each tool may be used depending on the overall "development recipe," application scope, distribution method, etc. There is a market for each tool, with vendors being relatively small and niche, waiting either to be acquired or for opportunities to expand horizontally. For example, the private player Snyk was initially a pure Software Composition Analysis (SCA) provider (development stage security) but has expanded its offering to other tools. Another SCA player, Blackduck, is now part of Synopsys. Below we provide a table with private and public players. We may observe that players already mature in other cybersecurity sectors, e.g., Synopsys, Palo Alto Networks, or Cisco, are broadening their portfolios with application security tools, strategically adding application security growth to their revenues.
Favorable regulation. Following President Biden's Executive Order on cybersecurity, the Russian-Ukrainian conflict has further highlighted the importance of solid military and cyber defenses. Additional bills spurring further investments would act as a massive trigger for the industry.
A growing number of threats. The threat intelligence sector would be vital to look for and analyze the exponentially growing number of potential threats.
Digitization of previously analog industries. Demand for application security will skyrocket should a fully analog industry, e.g., construction, start to run on software.
Unmanageable cyberthreats. The whole sector may collapse if existing cybersecurity measures and solutions prove unhelpful.
Over-abundance of real-time alerts. Should the volume of real-time alerts, including false positives, overburden the security teams, threat intelligence as we know it will cease to exist unless there is a completely AI-driven system in place.
Unskilled developers. Applications are written and secured by IT specialists and developers. Until apps are written by artificial intelligence, the human factor remains the most significant source of flaws in the sector.
Companies mentioned in this article
Aqua Security (Not listed); Blackduck (Not listed); Cisco (CSCO); CrowdStrike (CRWD); IntSights (Not listed); Medtronic (MDT); Microsoft (MSFT); Palo Alto Networks (PANW); Qualys (QLYS); Rapid7 (RPD); RiskIQ (Not listed); Snyk (Not listed); Synopsys (SNPS); Tenable (TENB); Veracode (Not listed); WhiteSource (Not listed)
This report has been produced by the organizational unit responsible for investment research (Research unit) of atonra Partners and sent to you by the company sales representatives.